Corrupted TrueCrypt boot loader - quick help needed

Discussion in 'encryption problems' started by syncmaster913n, Apr 12, 2012.

Thread Status:
Not open for further replies.
  1. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I got myself in a somewhat funny situation.

    I was playing around with WinHex (you can already see where this is going), and I mistook the "Fill disk sectors" option for "wipe unused space", while in fact it fills ALL the sectors. I wanted to see how it worked and I started it, and it quickly returned an error saying that it cannot write to the disk cause it is in use. I got a bit suspicious at this point and checked the first sectors on the drive, and yup - seems the boot loader sectors were deleted before the program stopped the overwriting process.

    I have the ISO of the rescue disk and all my important data is backed up, so I am not particularly worried. However, I do not have a working CD/DVD writer at the moment and it would be a bit of a pain to get to one right now to burn the rescue disc ISO. I am currently logged into the computer and am tip-toeing around my applications, afraid that something might cause a system crash and force a restart :D

    I was wondering if anyone knows of a way to restore the boot loader while being logged into windows, without having to use the rescue disc? I looked around the TC options and searched online a bit, but found nothing.

    The only option I can think of is to decrypt the whole drive right now and then encrypt it again, to have TC fill the boot sectors again. Any other alternatives I might have?
     
  2. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    How many of the boot load sectors? This worked for me in a VMWare test environment for sectors 0-61 (31,744 bytes):

    1) Open the raw drive in Winhex (like you mentioned above). Open the ISO file in Winhex.
    2) The TrueCrypt bootloader and key data is located at the 2nd occurrence of ê.|.. TrueCrypt Boot Loader...ú3ÀŽØŽÐ¼ at byte location 117,760 on my TrueCrypt v7.1a Rescue CD. I copied 31,744 bytes (117760 - 149503) from the Rescue CD and pasted them into the raw drive at byte 0.
    3a) And it looks like there are some bytes needed from another part of the Rescue CD that holds the original system loader.
    3b) The original system loader is located at 85504 on my Rescue CD and I needed 72 bytes of it from 85,944 - 86,015. These 72 bytes needed to be pasted into the raw drive at byte 440.
     
    Last edited: Apr 12, 2012
  3. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Ha, that is a good idea, thanks a lot for the hint. I will go this route. Btw I am not sure how to tell how many sectors were actually deleted; all I can say is that none of the info that is usually there ("TrueCrypt Boot Loader", the instructions for what to do when the boot loader is corrupted etc.) are not present there.
     
  4. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    Hold on, I missed something...somewhere...
     
  5. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I think the whole thing was deleted, as none of the contents of the top sector of my drive can be found anywhere in the rescue disc.
     
  6. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    The rescue disc is empty?

    I found what I missed. It seems that the TrueCrypt bootloader on the rescue disc doesn't contain partition info. I had to go and copy some bytes from the rescue CD's copy of the original bootloader and also paste those into the raw drive.

    It sounds like this won't help you anymore but I updated the post above with the extra step.
     
  7. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    No no, the ISO is not empty. It just doesn't contain anything from my drive's first sector - which leads me to believe that my entire boot loader is gone, not just a part of it.

    I will take another look at the ISO according to your updated instructions. If everything is clear then I will attempt this. Otherwise I will probably opt for just decrypting and re-encrypting the whole drive (although now I am not 100% sure if this will work). Either way it goes, thanks a lot for your help - I've learned something new :thumb:
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    WinHex while being very Low level to the absolute digit, is an extremely sensitive hex editor and very unforgiving. Not long ago i was experimenting with the MBR partition table, trying to duplicate a code replacement that a very nasty MBR infector injects that disables users PCs, and even though as precaution i copied the normal code before tampering with the values, found myself locked out of the system with no backup to recover.

    I hope your recovery attempt returns better results for you.
     
  9. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Yeah I hope so too. Sometimes it's cool though to learn a lesson the hard way, breaks the monotony ;) luckily for me I have everything backed up, so even if something does go bad - I'll just take the opportunity to install a 64bit version of my system, since I might upgrade my RAM soon (running on 2GB atm). So no harm done.

    After analyzing the ISO file and tateu's instructions, I've decided to do the following:

    1. Decrypt my drive.
    2. Restore my Windows 7 boot loader. I'll need to find a backup of the loader somewhere though. Maybe from the windows DVD. Perhaps I can skip this step though, what do you think?
    3. Hopefully launch the computer successfully and encrypt again.
     
    Last edited: Apr 12, 2012
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Yeah, in my opinion theres not nearly enough ongoing discussion as regards this type of damage control & others to help users better learn of working choices they have in order to safely and reliably recover from these type of disasters. They almost only ever come up when someone like yourself experiences a major mishap then only a select few are ever worth trying without risking losing everything in the system.

    Seems like you already have your plan laid out though, good thing.
     
  11. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Unfortunately had some bad luck. 10 minutes before the decryption of my drive was over I got the blue screen of death for no apparent reason; first time I've seen it in a few months. Currently i'm locked out from my PC and i'm on my laptop trying to mount the ISO rescue disk to a USB flash drive.

    Take this as a lesson boys and gals - when encrypting your drive, don't go the lazy /noisocheck parameter way; make sure you burn your rescue disc onto a CD :)
     
  12. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    For some reason no program wants to recognize my rescue disc as an ISO file, even though the extension is correct. Anyone has had a similar experience? I might just need to reformat my computer (first I will try to restore the MBR from the windows DVD, but I'm not sure how this will go given that decryption of the drive was not finished).
     
  13. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I will state the obvious because I haven't noticed any discussion on the topic, however you are running the TC iso at start up correct from the BIOS? No "program" should recognize it as its not a program. Once the bootup CD loads, in the Rescue Disk screen, select Repair Options > Restore TrueCrypt Boot Loader. Then press 'Y' to confirm the action, remove the Rescue Disk from your CD/DVD drive and restart your computer.

    Just make sure you treat the ISO CD as you would a windows OS CD.;)

    [edit] I just reread you not having a working CD/DVD optical drive. disregard this post. Though in the future you can purchase a good one for only a couple of bucks, while they are old tech it doesnt hurt to have a portable one lying around. Though I'll keep this post up for anyone in the future who searches for a similar problem.
     
  14. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Hey

    When I said that the ISO is not recognized, I meant that it is not beeing recognized on the laptop I am currently working on. For example, when I tried to make a bootable USB from that ISO file and selected the ISO file from my drive, the software returned an error "this file is not recognized as a proper ISO file, please try a different file". I had the same problem with 4 different software I tried, as well as with Daemon Tools. The software simply refuses to treat this file as a proper ISO.

    EDIT: I actually do have a CD/DVD writer, it just so happens that it was damaged a few days earlier and I had no time to take care of it. I thought "hey, I haven't used this thing in like 4 years, it can wait". WRONG :)
     
  15. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    How did you configure the USB drive? Did you move the TC ISO over as root?
     
  16. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Do this, courtesy of bob7 on the TC Forum:

    PD

    Edit: Be aware that some USB/SD devices won't take the MBR formatting. If so, try another device. I had an SD Card that wouldn't work, no matter what (it was an el cheapo brand)...I swapped it for a name brand and all was well.
     
    Last edited: Apr 13, 2012
  17. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I didnt actually do it myself, I was just using software that automated the process (select ISO from the disk, choose target USB stick, and let the software do the rest).

    Thanks PD, I will try this.
     
  18. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Cant get the grubinst_gui to work. I get an error about a bad partition table (it is fat32 formatted). It gives me a hint to run the program with a --skip-mbr-test parameter but this doesnt help at all. I'm not giving up yet though :) Doing a slow format of the USB stick right now and will try again. I think this might be necessary after all the previous attempts to make this pendrive bootable with other software earlier.
     
  19. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Running as Admin? You're trying to make a USB boot key (from another computer) for your TC Rescue .iso, right? Try a bunch of different USB drives. On Win7 32bit running as Admin, I only had one cheapo SD Card fail to take the creation process.

    PD
     
  20. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Yes, I launch cmd as admin. The difference between launching it in admin/non admin is that without admin priviliges the software doesnt see any of the pendrives connected.

    I am using a nice 4GB pendrive, never used before. I have other pendrives available, but they are all encrypted and contain backups of my important data, and to be honest I am afraid right now to decrypt and move the data somewhere else for the purpose of testing a new USB. Let's see how the slow format goes.

    I am running win 7 32 as well.

    EDIT: slow format didn't help, still getting the same error. I'm going to my parents' where there are probably like 20 different USB drives lying around, hopefully one of them will "click".

    Thanks for the help, I'll keep you updated.
     
    Last edited: Apr 13, 2012
  21. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Last edited: Apr 13, 2012
  22. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Managed to load the rescue disc on my PC.

    Restoring the TC bootloader didn't help.

    Restoring the original system loader didn't help.

    Now I insert the Windows 7 64bit installation disc....and the PC doesn't load from it. I get the "boot from CD:" and press enter, the disc spins for about 15 seconds and then the PC returns an error: "DISC BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER".

    Same thing happens with the 32bit disc. I am getting kind of worried.

    Any hints?

    EDIT: I'm decrypting the whole drive via the rescue disk. This will take 24 hours...
     
    Last edited: Apr 13, 2012
  23. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Turns out the reason I couldnt boot from the windows DVD is that my DVD drive is having somse issues... apparently it cannot read original pressed discs for some reason. I had to make a burned copy of the Windows DVD using a friend's laptop, and then my PC booted from that disc with no trouble. Just goes to show that when ~ Snipped as per TOS ~ hits the fan, it blows in all directions :) From now on I will play with WinHex only isnide a VM.
     
    Last edited by a moderator: Apr 15, 2012
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Truer words couldn't have been better expressed.

    Glad it did finally work out for you, and of course as luck would have it, you can always count on when in such a pinch of that level for every single avenue of rescue to seem worlds away no matter which way you turn.
     
    Last edited by a moderator: Apr 15, 2012
  25. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Amen.

    I'm also going to burn this http://www.ubcd4win.com/ and keep it glued to my monitor, lol. And need a new DVD reader/writer.
     
    Last edited: Apr 15, 2012
Loading...
Thread Status:
Not open for further replies.