Symantec NIS and tampered MBR/Boot Sector

  • Thread starter Thread starter Ar Q
  • Start date Start date
A

Ar Q

My friend's harddrive/computer became kind of slow lately. She wanted me to
found out if it is software issue or hardware malfunction. So I took her
hard drive and hooked it to my computer (copy my hd image to her hd first).
As some of you know, I have maximized my Norton Internet Security
activations, so I immediately delete the NIS program. Then I run some
diagnosis and play some popular video games. Her hard drive looks pretty
good to me. I returned it to her and told her the problem is more like
software issue.

But now she only got blue screen using that hd. Taking it back to my place,
the hd works fine again. I did some research on this issue and found some
articles from Internet. Apparently, Symantec's activation technology is to
write some data to MBR/Boot sector to track the number of activations having
done and which may cause tampered hard drives inaccessible once the maximum
number is reached. But the articles I read don't have information on how to
reverse the effect. Will any of you knowing this matter point me to some web
pages? (I just want to put her MBR/Boot Sector back to as it was, not
reducing the activation count on her hard drive since she doesn't use NIS.)
Thanks.

(And now I officially hate Symantec.All I want to do is to impress the girl
and instead it makes me look bad. All the craps on activation just make the
paid customers miserable.)

Ar Q
 
(And now I officially hate Symantec.All I want to do is to impress the girl
and instead it makes me look bad. All the craps on activation just make the
paid customers miserable.)
Click to expand...

Symantec does NOT keep a drive from booting because you pirate a copy of
it - they would be in all sorts of of trouble for that.

You did screw up her computer, your image is not valid for her computer,
your windows licenses is not valid for her computer, your software
licenses are not valid for her computer.

--
Leythos - (e-mail address removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.futurehardware.in/595578-2.htm all
exposed to children (the link I've include does not directly display his
filth). You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
 
Ar Q said:
My friend's harddrive/computer became kind of slow lately. She wanted me to
found out if it is software issue or hardware malfunction. So I took her
hard drive and hooked it to my computer (copy my hd image to her hd first).
As some of you know, I have maximized my Norton Internet Security
activations, so I immediately delete the NIS program. Then I run some
diagnosis and play some popular video games. Her hard drive looks pretty
good to me. I returned it to her and told her the problem is more like
software issue.

But now she only got blue screen using that hd. Taking it back to my place,
the hd works fine again. I did some research on this issue and found some
articles from Internet. Apparently, Symantec's activation technology is to
write some data to MBR/Boot sector to track the number of activations having
done and which may cause tampered hard drives inaccessible once the maximum
number is reached. But the articles I read don't have information on how to
reverse the effect. Will any of you knowing this matter point me to some web
pages? (I just want to put her MBR/Boot Sector back to as it was, not
reducing the activation count on her hard drive since she doesn't use NIS.)
Thanks.

(And now I officially hate Symantec.All I want to do is to impress the girl
and instead it makes me look bad. All the craps on activation just make the
paid customers miserable.)

Ar Q
Click to expand...

I didn't see anywhere where you said that before you overwrote her hard
drive with yours that you imaged her drive so you could restore it after
your testing. Did you do that? If you didn't image her drive before you
began messing with it ... and restore it afterward, then you royally screwed
up. That'll damn sure impress her.

The first thing one does when debugging suspected hardware/software problems
is take an image of the hard drive as it exists, just as a CYA measure. That
image is stored on media external to the computer under test, ie. on a
network computer or on another hard disk temporarily installed in the test
computer.
 
Leythos said:
You did screw up her computer, your image is not valid for her computer,
your windows licenses is not valid for her computer, your software
licenses are not valid for her computer.
Click to expand...

I should be more specific. I don't intend for her computer to use my
licneses. She has her own. Before I operated on her computer, I made an
image of her computer and restored that image after I have done my
diagnosis/evaluation on her hard drive. What I didn't account for is that
Symantec tampered the MBR/Boot Sector. It goes beyond the one partition I
backed up/played/restored and has an inreversable effect on MBR/Boot Sector.

By the way, I bought her a new hard drive. And her old hd can be used on my
computer perfectly. (This is also not Microsoft's fault. I have done similar
operations for others many times. But this is the first time I have NIS 2006
installed on my computer. Before that I had NIS 2003 which doesn't have
activations. So the similar operations are OK then.)

Ar Q
 
I should be more specific. I don't intend for her computer to use my
licneses. She has her own. Before I operated on her computer, I made an
image of her computer and restored that image after I have done my
diagnosis/evaluation on her hard drive. What I didn't account for is that
Symantec tampered the MBR/Boot Sector. It goes beyond the one partition I
backed up/played/restored and has an inreversable effect on MBR/Boot Sector.

By the way, I bought her a new hard drive. And her old hd can be used on my
computer perfectly. (This is also not Microsoft's fault. I have done similar
operations for others many times. But this is the first time I have NIS 2006
installed on my computer. Before that I had NIS 2003 which doesn't have
activations. So the similar operations are OK then.)
Click to expand...

If you Imaged her drive then there is nothing that would not have been
restored - so it appears you imaged part of her drive and that's always
a mistake. When you are going to clone a drive you need to clone the
ENTIRE DRIVE not just a portion of it - this would have eliminated your
problem.

Restoring your drive to hers was and is a mistake, cloning it, then a
wipe/restore and then restore datafiles would have been enough.

--
Leythos - (e-mail address removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.futurehardware.in/595578-2.htm all
exposed to children (the link I've include does not directly display his
filth). You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
 
I should be more specific. I don't intend for her computer to use my
licneses. She has her own. Before I operated on her computer, I made an
image of her computer and restored that image after I have done my
diagnosis/evaluation on her hard drive. What I didn't account for is
that Symantec tampered the MBR/Boot Sector. It goes beyond the one
partition I backed up/played/restored and has an inreversable effect on
MBR/Boot Sector.

By the way, I bought her a new hard drive. And her old hd can be used on
my computer perfectly. (This is also not Microsoft's fault. I have done
similar operations for others many times. But this is the first time I
have NIS 2006 installed on my computer. Before that I had NIS 2003 which
doesn't have activations. So the similar operations are OK then.)

Ar Q
Click to expand...

A little knowledge is a dangerous thing. :-)


--
Registered Linux User 413057.
Both Mandriva 2007.1 and Ubuntu 7.04
You can have it all. My empire of hurt.

Liverpool F.C.-more European Cups than all
the other English teams put together :-)
 
Ar Q said:
My friend's harddrive/computer became kind of slow lately. She wanted me to
found out if it is software issue or hardware malfunction. So I took her
hard drive and hooked it to my computer (copy my hd image to her hd first).
As some of you know, I have maximized my Norton Internet Security
activations, so I immediately delete the NIS program. Then I run some
diagnosis and play some popular video games. Her hard drive looks pretty
good to me. I returned it to her and told her the problem is more like
software issue.

But now she only got blue screen using that hd. Taking it back to my place,
the hd works fine again. I did some research on this issue and found some
articles from Internet. Apparently, Symantec's activation technology is to
write some data to MBR/Boot sector to track the number of activations having
done and which may cause tampered hard drives inaccessible once the maximum
number is reached. But the articles I read don't have information on how to
reverse the effect. Will any of you knowing this matter point me to some web
pages? (I just want to put her MBR/Boot Sector back to as it was, not
reducing the activation count on her hard drive since she doesn't use NIS.)
Thanks.

(And now I officially hate Symantec.All I want to do is to impress the girl
and instead it makes me look bad. All the craps on activation just make the
paid customers miserable.)
Click to expand...

Download a Win98 boot disk
http://bootdisk.com/bootdisk.htm install to a floppy or a Bootable USB
Pen drive (with this http://tinyurl.com/ydao7p )

And run FDISK /MBR - will reset the MBR

Or in the XP resource console FIXMBR is suppose to do the same thing.
 
Download a Win98 boot disk
http://bootdisk.com/bootdisk.htm install to a floppy or a Bootable USB
Pen drive (with this http://tinyurl.com/ydao7p )

And run FDISK /MBR - will reset the MBR

Or in the XP resource console FIXMBR is suppose to do the same thing.
Click to expand...

This is the first thing I tried. It didn't work. All my hard drives (and
hers, I taught her that) have 4 partitions for multi-boot.

MS said FDISK /MBR or FIXMBR won't work on those multi-boot hard drives. I
tried anyway. Thanks for your input.

Ar Q
 
This is the first thing I tried. It didn't work. All my hard drives (and
hers, I taught her that) have 4 partitions for multi-boot.
Click to expand...

0 Sector contains all of the partition info, FDISK will clear out any
trash; Doesn't matter how many partitions a drive has.

But since it didn't work, you at least know nothing is residing in the
MBR.
 
0 Sector contains all of the partition info, FDISK will clear out any
trash; Doesn't matter how many partitions a drive has.

But since it didn't work, you at least know nothing is residing in the
MBR.
--
Click to expand...

Normally, for those corrupted or non-multi-boot hard disks, using FDISK /MBR
will rewrite the MBR code and zero-out the partition table. The only
exception is that the disk's last two bytes of MBR sector are 55h followed
by AAh. I used some Disk Editors to read the MBR. The signature on her hard
disk is indeed AA55h. (So after using FDISK /MBR command, no action is
taken. The partition table is still in tact.)

For people who want to read more on this topic, using the link on the bottom
of this post. Pay special attention to the figure "Structure of a Master
Boot Record" on top and Section titled "Editing/replacing MBR Contents". You
see that there are many redundant bytes in MBR as shown in the top figure.
Symantec's activation technology is to change some bytes of those in MBR.

http://en.wikipedia.org/wiki/Mbr

Ar Q
 
This is the first thing I tried. It didn't work. All my hard drives (and
hers, I taught her that) have 4 partitions for multi-boot.
MS said FDISK /MBR or FIXMBR won't work on those multi-boot hard drives. I
tried anyway. Thanks for your input.
Click to expand...

Sounds like you'll have to reinstall the 3rd party boot loader, and
avoid programs that write to track 0, without checking to see if
the sectors are already in use.

Regards, Dave Hodgins
 
Ar Q said:
Normally, for those corrupted or non-multi-boot hard disks, using FDISK /MBR
will rewrite the MBR code and zero-out the partition table. The only
exception is that the disk's last two bytes of MBR sector are 55h followed
by AAh. I used some Disk Editors to read the MBR. The signature on her hard
disk is indeed AA55h. (So after using FDISK /MBR command, no action is
taken. The partition table is still in tact.)

For people who want to read more on this topic, using the link on the bottom
of this post. Pay special attention to the figure "Structure of a Master
Boot Record" on top and Section titled "Editing/replacing MBR Contents". You
see that there are many redundant bytes in MBR as shown in the top figure.
Symantec's activation technology is to change some bytes of those in MBR.
Click to expand...
http://en.wikipedia.org/wiki/Mbr
Click to expand...

No, now I'm not saying the program isn't writing to the MBR for copy
protection as a few programs do do that.

But the above link:
use the FDISK program from a Windows 98, or other FAT32 capable boot
disk, as a safer alternative; to ensure only the code area, not the
partition table, is overwritten.)

Anyhow if you want to look and even remove anything from the MBR Use
MBRtools http://www.diydatarecovery.nl/mbrtool.htm to back up your MBR
first

Then use Norton Diskedit from a Win98 boot disk (or Pen dive)
http://download.yousendit.com/3FB6051C5AC06C62

Diskedit starts in read only mode and you can't make any changes
unless you demand it (by config changes).

Diskedit is a very nice tool to look at your HD with, and you can
snoop thru your MBR to see what's there.
 
Back
Top