jaclaz, posted August 3, 2010 (edited)

BINGO!!!! Good.

Should I still be checking? NO, it seems like we've found the actual thing. Date is 11/10/2008.

Now we have to find out how to fix the thingy.

If everything is like I presume, the actual original bootsector is at LBA 20482940, to check, post first 200 sectors of the partition.

From the original bootsector we should be able to understand if not only the start position but also the end position was changed.

The other check is to (opening the \\.\PhysicalDrive and NOT the partition) to go near the end of the partition, say sector 1,465,140,000 and from it start searching for the backup bootsector, in search use hex string EB52904E54465320.

I need the sector number where you find it.

With the new (please read old) verified addresses it should be just a matter of changing a couple of numbers in the MBR.

jaclaz

Edited August 3, 2010 by jaclaz

SkylineRB26DETT (Author), posted August 3, 2010

> If everything is like I presume, the actual original bootsector is at LBA 20482940, to check, post first 200 sectors of the partition.
> From the original bootsector we should be able to understand if not only the start position but also the end position was changed.

Attached.

> The other check is to (opening the \\.\PhysicalDrive and NOT the partition) to go near the end of the partition, say sector 1,465,140,000 and from it start searching for the backup bootsector, in search use hex string EB52904E54465320.
> I need the sector number where you find it.

String EB52904E54465320 shows up in sectors 1,465,144,064 and 1,465,145,343. B)

Attachment: first 200 of partition2.zip

jaclaz, posted August 3, 2010

> Attached.

No joy. Try searching the same EB52904E54465320 starting from first sectors of partition.

It is very possible that the "shift" is bigger than expected.

If you find it, post that sector (and its position).

> String EB52904E54465320 shows up in sectors 1,465,144,064 and 1,465,145,343.

Good.

The one on 1,465,144,064 should be the "current" one (backup bootsector of "current" partition).

The one on 1,465,145,343 might be the "original" one (backup bootsector of "original" partition), which should mean (if the actual partition size is exactly the same) that the shift is of 1,465,145,343-1,465,144,064=279 sectors and not of the 128-63=65 sectors I guessed.

Post these two sectors.

jaclaz

SkylineRB26DETT (Author), posted August 3, 2010 (edited)

> No joy. Try searching the same EB52904E54465320 starting from first sectors of partition.
> It is very possible that the "shift" is bigger than expected.
> If you find it, post that sector (and its position).

What I did before was open the first 200 sectors of partition 2 and not the physical drive. The partition does begin with EB52904E54465320. When I open the physical drive to sector 20482940...the 200 sectors are all empty.

Ok so when I open partition 2 the first string is EB52904E54465320 then I search and find it again on sector 1221, which is attached.

> The one on 1,465,144,064 should be the "current" one (backup bootsector of "current" partition).
> The one on 1,465,145,343 might be the "original" one (backup bootsector of "original" partition), which should mean (if the actual partition size is exactly the same) that the shift is of 1,465,145,343-1,465,144,064=279 sectors and not of the 128-63=65 sectors I guessed.
> Post these two sectors.

1,465,145,343-1,465,144,064=1,279

Sectors attached.

Attachments: 1465144064 and 1465145343.zip, 1221.zip

Edited August 3, 2010 by SkylineRB26DETT

jaclaz, posted August 3, 2010

> 1,465,145,343-1,465,144,064=1,279

Yep, slip of the fingers.

The good news is that "1221" and "1,465,145,343" do match (as well as "0" and "1,465,144,064").

In the bootsectors:
"Sectors before" are 20,484,096
"Total Sectors" are 1,444,661,247 (+1 outside the actual filesystem: the backup bootsector)
20,484,096+1,444,661,247=1,465,145,343

Now all that should be needed is to use a partition editor, like PTEDIT32 or beeblebrox, or maybe this one (just found):
http://www.dtidata.com/ntfs_partition_repair.htm
and change the values:
07-80-1023-254-63-1024-254-63-20482875-1444661190
to
07-80-1023-254-63-1024-254-63-20484096-1444661248

Please note that the current first sectors of the "current broken" partition will remain untouched but will be in a "no-man's-land" between first and second partition, and that the sector 1,465,144,064 will remain - unindexed - inside the partition.

Maybe, once hopefully everything has gone back to normality, it would be a good idea to fill them with 00's, just to avoid confusion should there be any future occasions of attempting recovery.

Obviously, crossing fingers, holding a rabbit foot and the like when editing the MBR is advised...

jaclaz
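
The cross-check used in the post above (a boot sector found at the LBA it records as "Sectors before", confirmed by a backup copy at "Sectors before" + "Total Sectors") can be scripted against a read-only image. This is an added example, not part of the original thread; the function names and the small test image are constructed for illustration, and 512-byte sectors are assumed.

```python
import struct

SECTOR = 512
NTFS_SIG = bytes.fromhex("EB52904E54465320")  # jump + "NTFS " OEM id: the string searched for in the thread

def parse_ntfs_boot(sector):
    """Return (sectors_before, total_sectors) from an NTFS boot sector, else None."""
    if len(sector) < SECTOR or not sector.startswith(NTFS_SIG) or sector[510:512] != b"\x55\xaa":
        return None
    (hidden,) = struct.unpack_from("<I", sector, 0x1C)  # "Sectors before" (hidden sectors)
    (total,) = struct.unpack_from("<Q", sector, 0x28)   # "Total Sectors" of the filesystem
    return hidden, total

def find_boot_sectors(image, first_lba=0):
    """Map disk LBA -> parsed fields for every sector-aligned NTFS boot sector in image."""
    hits = {}
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        parsed = parse_ntfs_boot(image[off:off + SECTOR])
        if parsed:
            hits[first_lba + off // SECTOR] = parsed
    return hits

def mbr_candidates(hits):
    """Return (start_lba, size) for each boot sector confirmed by its own backup copy."""
    out = []
    for lba, (hidden, total) in sorted(hits.items()):
        # Primary sits at the LBA it records; backup at hidden + total, so size = total + 1.
        if lba == hidden and hits.get(hidden + total) == (hidden, total):
            out.append((hidden, total + 1))
    return out

def make_boot(hidden, total):
    """Constructed test sector: only the fields read above are filled in."""
    s = bytearray(SECTOR)
    s[0:8] = NTFS_SIG
    struct.pack_into("<I", s, 0x1C, hidden)
    struct.pack_into("<Q", s, 0x28, total)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def demo_image():
    """Constructed 64-sector image: real pair at LBA 10/50, stray copies at LBA 3/43."""
    img = bytearray(64 * SECTOR)
    for lba in (10, 50, 3, 43):
        img[lba * SECTOR:(lba + 1) * SECTOR] = make_boot(10, 40)
    return bytes(img)

if __name__ == "__main__":
    print(mbr_candidates(find_boot_sectors(demo_image())))
```

Stray copies that sit at an LBA other than the one they record are ignored, which is how the "current" pair in the thread is told apart from the "original" one.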

SkylineRB26DETT (Author), posted August 3, 2010

> and change the values:
> 07-80-1023-254-63-1024-254-63-20482875-1444661190
> to
> 07-80-1023-254-63-1024-254-63-20484096-1444661248

This is what it comes up as...

Does it seem correct? Main difference is that it shows 1023 instead of 1024 like you posted. If everything seems alright then I'm about to change...

20482875 to 20484096
-and-
1444661190 to 1444661248

Holding a rabbit's foot btw.

SkylineRB26DETT (Author), posted August 3, 2010

It works it works!!! You are the man with the master plan!!!

So now...fill everything from 20482875-20484095 and 1465144064 with zeros?

jaclaz, posted August 3, 2010 (edited)

> Does it seem correct? Main difference is that it shows 1023 instead of 1024 like you posted. If everything seems alright then I'm about to change...
> 20482875 to 20484096
> -and-
> 1444661190 to 1444661248
> Holding a rabbit's foot btw.

Yep, another slip of the finger, 1023 is of course right, the only things to be changed are the red numbers with the bolded italics ones.

You may need to re-boot to see the effect. Anyway re-check the MBR with Tiny Hexer and PTview (just in case).

jaclaz

Edited August 3, 2010 by jaclaz

jaclaz, posted August 3, 2010

> It works it works!!! You are the man with the master plan!!!

Good, another happy bunny in the basket:
http://www.msfn.org/board/index.php?showtopic=128727&st=10

> So now...fill everything from 20482875-20484095 and 1465144064 with zeros?

Yep, that's the idea. It's optional, but it won't do any harm.

jaclaz