How to pwn with U3 Hack

nanobreaker
Offline
Last seen: 10 years 9 months ago
Joined: 2005-12-09 23:02
How to pwn with U3 Hack

I think everyone (techies mainly) should buy U3 flash drives, not for the launchpad itself, but for the autorun mechanism. After growing quite bored with the bulky U3 launchpad, I've explored the art of CD partition replacement. By doing this I have been able to:

Autorun a favorite app launcher
&
Autorun an encrypted volume

Here are the simple steps I've taken:

1. I used SmithTech's App Launcher with Universal Customizer to replace my old Kingston cd partition.

2. Then I used App Launcher to autorun RK Launcher and TrueCrypt (also adding the automount favorites parameter)

Now when I insert my flash drive, RK Launcher starts up and I get a dialog box that asks for my volume's password. The TrueCrypt volume contains information-sensitive apps like: KeePass, Firefox Portable, Gaim, and Sunbird. If my flash drive should ever get stolen, I'd feel safe knowing that my data is safe.

Screenshots

If you have any questions or comments, fire away!

SmithTech
Offline
Last seen: 5 months 3 weeks ago
Developer
Joined: 2006-11-24 18:06
A Note:
The AppLauncher can be run on non-U3 drives as well.
Use the autorun.inf file the same way PAM does.
e.g.
[Autorun]
Open=.\applauncher.exe -a
Action=Run App Launcher
Icon=.\toughdrive.ico

"Because they stand on a wall and say, 'Nothing is going to hurt you tonight. Not on my watch.'" (A Few Good Men)
Coincidence is God's way of remaining anonymous.(Albert Einstein)

JDub
Offline
Last seen: 14 years 7 months ago
Joined: 2008-02-06 08:57
I guess I'm a little confused...

First: Is this also for non-U3 thumb drives? I know that it says it is but when I perform the steps and run the U3 Customizer, it loads for a little and then says error, cannot find U3 device. So I think to myself that you have to have a U3 device originally. I am really confused. Please help.

Simeon
Offline
Last seen: 7 years 11 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
I haven't tried it

but on SmithTech's site there is one for U3 and one for other apps. Do you have the right one?

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

JDub
Offline
Last seen: 14 years 7 months ago
Joined: 2008-02-06 08:57
Yeah...

I downloaded the one first, that's a .zip file from SmithTech. It had two files in it: applauncher.exe and autorun.inf. I unplug then re-insert my thumb drive and it pops up with a window that asks me what I want to do with it. I'm trying to steer clear of that popup window and have it FULLY autorun (pop drive in and, with no user interaction, applications run by themselves). Is this what you guys are explaining to do, or is that just only for U3?

Tim Clark
Offline
Last seen: 11 years 5 months ago
Joined: 2006-06-18 13:55
Just only for U3

Just only for U3

Tim

Things have got to get better, they can't get worse, or can they?

SmithTech
Offline
Last seen: 5 months 3 weeks ago
Developer
Joined: 2006-11-24 18:06
No way around it

If you're using XP (I believe SP2 or newer) or Vista, you cannot get around Windows popping up the window asking you what you want to do. It's a security feature added, I think, with SP2.
U3 gets around it by tricking Windows into thinking there is a CD-ROM drive on the flash drive, so it will read and run information in the autorun.inf.
The U3 customizer cannot be run on a normal USB drive to install U3; you will get errors.
The applauncher.exe is only really useful if you want to launch multiple apps; that is its primary purpose. So when Windows asks you what you want to do, you tell it to run the applauncher (configured in the autorun.inf) and applauncher will launch the apps you want.
If you only want to run 1 single app you can just use the autorun.inf, but either way you're going to have to tell Windows to do something.

"Because they stand on a wall and say, 'Nothing is going to hurt you tonight. Not on my watch.'" (A Few Good Men)
Coincidence is God's way of remaining anonymous.(Albert Einstein)

rab040ma
Offline
Last seen: 2 months 12 hours ago
Joined: 2007-08-27 13:35
There are a few ways to tell Windows not to autorun. An admin who turns them off for USB drives is just as likely to turn them off for CD-ROM drives too. So the U3 CD-ROM autorun trick doesn't always work.

MC

rab040ma
Offline
Last seen: 2 months 12 hours ago
Joined: 2007-08-27 13:35
U3 features

The OP was describing how he modified a U3 drive. The steps he followed work on a U3 drive.

On the other hand, the app launcher from SmithTech will run on any removable drive.

The advantage of the U3 technique is that it creates a partition on the drive that Windows sees as a read-only CD-rom drive. Sometimes such a drive can auto-run more consistently than a USB drive. Thus starting app launcher from the U3 partition might let you get it to autorun more consistently. On the other hand, auto-run opens you to security risks (just imagine what could happen if someone inserted a USB photoframe or music player that had an autorun to launch a virus). So public computers SHOULD have it disabled.

If you have a plain USB drive, just set up the regular USB autorun to start app launcher. The main difference will be that you might have to manually start it a bit more often. But manually starting is just a few keystrokes, so you're not missing much.

edit: Yikes, this is an old topic. I didn't realize we were bumping it.

MC
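An added example, not code from any poster in this thread: a Python sketch that decodes the Windows NoDriveTypeAutoRun policy bitmask behind the "turn it off" remarks above and parses the autorun.inf SmithTech quoted earlier, showing that a policy covering only removable drives still allows AutoRun for a volume that presents itself as a CD-ROM. The function names and the sample masks are constructed for illustration; the registry path and bit values are the documented Windows ones.

```python
"""Audit AutoRun exposure for one volume: policy bitmask plus autorun.inf."""

# NoDriveTypeAutoRun: a set bit turns AutoRun off for that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02,
    "removable": 0x04,  # ordinary USB flash drive
    "fixed": 0x08, "network": 0x10,
    "cdrom": 0x20,      # how the U3 launcher partition presents itself
    "ramdisk": 0x40, "reserved": 0x80,
}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# The autorun.inf quoted earlier in this thread.
SAMPLE_INF = """[Autorun]
Open=.\\applauncher.exe -a
Action=Run App Launcher
Icon=.\\toughdrive.ico
"""

def read_policy_mask():
    """Machine-wide mask from the registry, or None if unset or not on Windows."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except (ImportError, OSError):
        return None
    # The value is normally a DWORD but is sometimes stored as binary.
    return value if isinstance(value, int) else int.from_bytes(value, "little")

def parse_autorun_inf(text):
    """Return the [Autorun] section as {lower-cased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit(mask, drive_type, inf_text):
    """Pair the policy bit for drive_type with what autorun.inf asks to run.

    policy_allows_autorun reflects the policy only; whether Windows then runs
    the command silently or just offers it in the prompt depends on the
    Windows version, as discussed in the thread.
    """
    entries = parse_autorun_inf(inf_text)
    return {
        "drive_type": drive_type,
        "command": entries.get("open") or entries.get("shellexecute"),
        "label": entries.get("action"),
        "policy_allows_autorun": not (mask & DRIVE_TYPE_BITS[drive_type]),
    }

if __name__ == "__main__":
    # Constructed masks: USB only, USB + CD-ROM, everything; plus the live one.
    masks = {"usb-only": 0x04, "usb+cdrom": 0x24, "all": 0xFF}
    live = read_policy_mask()
    if live is not None:
        masks["this-machine"] = live
    for name, mask in masks.items():
        for drive_type in ("removable", "cdrom"):
            print(name, hex(mask), audit(mask, drive_type, SAMPLE_INF))
```

A mask of 0xFF sets every bit, which is the setting that covers both the plain USB volume and the emulated CD-ROM.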

JDub
Offline
Last seen: 14 years 7 months ago
Joined: 2008-02-06 08:57
Ok, I got a U3 thumb drive now...

I did all the steps. I removed and plugged the thumb drive in after pre-setting applications in applauncher. The first time I plugged it in, it autoloaded the program I set in applauncher. Now when I remove it and try it again, it prompts me with "What do you want to do with it" and nothing starts up. I have tried it on 3 different WinXP SP2 computers and they all did the same thing. Worked the first time, but after that it prompts me and auto loads nothing. What am I doing wrong? I would think it would auto load several times.

Flubster
Offline
Last seen: 15 years 7 months ago
Joined: 2007-02-22 10:52
Couple of questions?

How did you get round the fact that the data partition (the main drive not the u3 autorun drive) can change letter?

So....

You've created an ISO with App Launcher as the "autorun" app. Did you include the config file within the ISO? If so, how did you get it to run an app from the data drive (without using hard-coded drive letters), or have you gone about it a different way?

I've been looking to create a launcher which all it does is launch an application from the data drive, but as this letter keeps changing between machines, it won't run from the drive.

Any Ideas or hints on the best way to get around it? Did you add more than just the app launcher within the iso for the run drive?

Flubster

SmithTech
Offline
Last seen: 5 months 3 weeks ago
Developer
Joined: 2006-11-24 18:06
The AppLauncher gets the drive letter it is currently running from.
Starting with that drive it searches each drive in turn looking for one of the following.
:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
:\PortableApps\PStart\PStart.exe
:\Programs\PStart\PStart.exe
:\applauncher.ini
Finding any of these, it uses that drive letter to launch either PAM, PStart, or whichever apps are configured in the applauncher.ini.
The source is available on the same webpage as the AppLauncher if you care to download it.
App Launcher

SmithTech

"Because they stand on a wall and say, 'Nothing is going to hurt you tonight. Not on my watch.'" (A Few Good Men)
Coincidence is God's way of remaining anonymous.(Albert Einstein)
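An added sketch, in Python, of the drive search SmithTech describes above; it is not the AppLauncher source. The wrap-around order after Z, the marker priority within a single drive and the function names are assumptions.

```python
import os
import string

# Marker paths listed in the post above, paired with what finding each implies.
MARKERS = [
    (r"\PortableApps\PortableAppsMenu\PortableAppsMenu.exe", "PAM"),
    (r"\PortableApps\PStart\PStart.exe", "PStart"),
    (r"\Programs\PStart\PStart.exe", "PStart"),
    (r"\applauncher.ini", "ini"),
]


def search_order(start_letter):
    """Drive letters beginning at start_letter, wrapping past Z (assumed)."""
    letters = string.ascii_uppercase
    i = letters.index(start_letter.upper())
    return letters[i:] + letters[:i]


def find_target(start_letter, exists=os.path.exists):
    """Return (drive letter, kind, full path) of the first marker found.

    start_letter is the drive the launcher itself runs from, e.g. the
    emulated CD-ROM partition. `exists` is injectable so the search can be
    exercised without real drives. Returns None if no drive has a marker.
    """
    for letter in search_order(start_letter):
        for suffix, kind in MARKERS:
            path = letter + ":" + suffix
            if exists(path):
                return letter, kind, path
    return None


if __name__ == "__main__":
    # Constructed layout: launcher partition on J:, data partition on K:.
    present = {r"K:\applauncher.ini"}
    print(find_target("J", present.__contains__))
```

Because the data partition is located at run time, nothing in the ISO needs a hard-coded drive letter, which is the problem Flubster raised.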

Patrick Patience
Offline
Last seen: 2 years 9 months ago
DeveloperModerator
Joined: 2007-02-20 19:26
Awesome.

This looks great, would you be able to provide instructions to get the PortableApps Menu to work with TrueCrypt?

nanobreaker
Offline
Last seen: 10 years 9 months ago
Joined: 2005-12-09 23:02
i forgot

I've already addressed this in another post Blum

-
There are only 10 types of people in the world: Those who understand binary, and those who don't. - Anonymous

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
help :)

What program do you use first?

1. I used SmithTech's App Launcher with Universal Customizer to replace my old Kingston cd partition.

I'm a little new to this, and a little lost, trying to read as much as I can to get my new SanDisk Cruzer Titanium 4 GB to work like yours.

I've, btw, tested if you can uninstall and install the U3 software on it, and it works without any problem. Needed 2 tries but it worked.
But I'm interested in getting the USB drive to work as yours!
Hope you can help me out a little.

Dearly Regards DanishCow

nanobreaker
Offline
Last seen: 10 years 9 months ago
Joined: 2005-12-09 23:02
step 1 explained

1. Download the App Launcher ISO from SmithTech's site
2. Download Universal Customizer
3. Extract both folders (I use 7-Zip, it's fast)
4. Open the App Launcher folder & rename LaunchPad.iso to "U3CUSTOM.ISO"
5. Copy the newly renamed ISO to the BIN folder of the UniversalCustomizer folder
6. If it asks to overwrite, say yes
7. Insert your flash drive and run Universal Customizer
Optional: The program will back up and restore all your files on your flash drive during the process. Instead, I like to cut all my files to the desktop and then cut them back from the desktop to the drive after customizing; it feels faster that way.

DanishCow, your flash drive is awesome XD. I'm planning to get one of those in the future.

-
There are only 10 types of people in the world: Those who understand binary, and those who don't. - Anonymous

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
I'll try that, thx

Thx for the help Nano, I'm going to start trying right away.
Not entirely sure if I need to start with a clean key or have the U3 launcher installed.
I'll try without first and see what I get out of it :)
BTW I always use 7-Zip ;) I have used a lot of the open source and portable programs, but just on my hard drive.
You techies, I must say, are on a higher level than myself. This forum is crawling with advanced high level brainies!!! :)

Dearly Regards DanishCow

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
okey...

Now I got something to do something.
I have 2 drives now when I push the USB in instead of 1... What happened?
One of the drives is named applauncher and the other named removable disk...
So... Hmm, so this is what should be happening, I wonder? :)
Is what I'm doing reversible?
Ohh man, I'm in deep waters right now, hehe ;)

I'll work more on it.

Dearly Regards DanishCow

Simeon
Offline
Last seen: 7 years 11 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
2 drives

Now the PC thinks you have 2 drives plugged in.
One is the iso with the launcher (named applauncher).
This one provides the autorun functionality.
The other drive is "the rest" of your actual drive with your data on it.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
thx

I'm getting the idea of it...
Looks great, getting the hang of it :)
Just a little slow in the upstart, not as when I was young, sigh..

Thx all

Dearly Regards DanishCow

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
RKLauncher.exe Unable to locate DLL

I'm getting an error with the RK Launcher.

The dynamic link library gdiplus.dll could not be found in the specified path J:RKlauncher;.;C:\WinNT\system32;C:\WINNT\system;C\WINNT;CWINNT\system32;C:\WINNT;C:\
WINNT\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\GTK\2.0\bin.

Well, it just tells me I'm missing a DLL file, from what I can get out of it.

So...

Ahh, found something from a guy on the RK forum, and I'm running Win2000:
To make RK Launcher work on Windows2000 you need "gdiplus.dll". You can get the file online and just place it in the RK Launcher folder (and it works fine), but when you go to drag; say Firefox onto the dock, it bugs out and won't let you add it to the dock.

thanks
/.teh

---
The DLL can be downloaded from here, and it worked :)

http://www.dll-files.com/dllindex/dll-files.shtml?gdiplus

Looks very nice, so now it comes to getting it to work as I want :)

Dearly Regards DanishCow

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
is it possible?

Is it possible to make the drive that stores the programs, like Portable Apps Launcher, encrypted with TrueCrypt, so that after you write your pass it will start up all the appz and give you access?
Without needing to have a drive that is encrypted and one that is not.

Dearly Regards DanishCow

nanobreaker
Offline
Last seen: 10 years 9 months ago
Joined: 2005-12-09 23:02
I'm not sure

what you are trying to say. If you mean having TrueCrypt encrypt certain program folders, then give you access to them (from PA Menu) after inserting your password, then this may be found in my other post

-
There are only 10 types of people in the world: Those who understand binary, and those who don't. - Anonymous

DanishCow
Offline
Last seen: 15 years 1 month ago
Joined: 2006-04-22 14:36
I mean having TrueCrypt encrypt the whole drive, and not just some folders.
So all my data is encrypted. I'm not sure if this can be done, because the launcher would not get access to the menu (PStart, PAM or RK Launcher) before the password would be accepted by TrueCrypt.
Could this maybe be done by doing something with the ISO, like having TrueCrypt start first and then, when the pass has been accepted, start App Launcher so the menus start?

I've installed PStart, PAM and RK Launcher to see what I want to use in future.

These are first-hand impressions of the 3 menus:

PStart has the most features, but the design, I think, is not as well done as the other two.

PAM is the only option of those 3 that is open source, and it has a better design than PStart. Features are needed, but are surely going to be added in the future; the beta is going strong for the next version with more features.

RK Launcher has the nicest look, but lacks some features, in my opinion.

So now I need to find out what to use and not to use.
I'm thinking right now of using PAM and RK Launcher together; right now all 3 programs start up when I insert my USB key.
I could use PAM for programs and RK Launcher for games... But it is still in the thinkbox :)

BTW, I have a quick question for you, Nano, as always, and I really appreciate your help and brain watts ;)

The App Launcher has 3 applications it can start:
Application 1, 2, 3. But under this, there is a line called Application 1, 2, 3 Argument. What is that used for?

Dearly Regards :DanishCow

SmithTech
Offline
Last seen: 5 months 3 weeks ago
Developer
Joined: 2006-11-24 18:06
Technically you could put TrueCrypt in the ISO.
The problem would be telling it what drive to decrypt and if it needs write access to a settings file etc.
It's an interesting idea, I will look into it when I have some free time.

As far as the argument option, some apps accept an "argument" to open in a particular mode or function.
E.g. IrfanView will open in thumbnail mode if you pass it the /thumbs argument.

Don't complain if you bought a Hyundai and it doesn't perform like a Porsche

"Because they stand on a wall and say, 'Nothing is going to hurt you tonight. Not on my watch.'" (A Few Good Men)
Coincidence is God's way of remaining anonymous.(Albert Einstein)

nanobreaker
Offline
Last seen: 10 years 9 months ago
Joined: 2005-12-09 23:02
arguments,

they are as SmithTech said.
I just wanted to add that I used the "/a favorites" argument under TrueCrypt to automount my favorite (and only) volume.

-
There are only 10 types of people in the world: Those who understand binary, and those who don't. - Anonymous

dragonmage
Offline
Last seen: 9 years 9 months ago
Joined: 2007-01-15 02:25
If it were possible

If it were possible to add a delay into AppLauncher, you could auto mount the volume like nano was talking about and then have a delay before PAM starts, right?

jjblackisback
Offline
Last seen: 11 years 3 weeks ago
Joined: 2007-05-06 08:53
How do you

delay TrueCrypt with applauncher? Is there an argument you can use?

SmithTech
Offline
Last seen: 5 months 3 weeks ago
Developer
Joined: 2006-11-24 18:06
Not possible at this time.
Now that I am finished studying for my MCSD, I may look into doing something for running apps on an encrypted volume.
Maybe a special version of app launcher that would be called by the first version since the encrypted volume would have a new drive letter.

-----------------------------------------------------------------------------------------------
Because they stand on a wall and say nothing is going to hurt you tonight. Not on my watch.

"Because they stand on a wall and say, 'Nothing is going to hurt you tonight. Not on my watch.'" (A Few Good Men)
Coincidence is God's way of remaining anonymous.(Albert Einstein)

Bensawsome
Offline
Last seen: 7 months 1 week ago
Joined: 2006-04-22 19:27
Could this be done with a non-U3 drive? It would be sort of easy. All you would have to do is make 2 partitions: a USB drive and a CD partition. Is there any way to make the computer think the partition is a CD?

Thanks
Bensawsome
AKA BJ

(\__/)
(='.'=) This is Bunny. Copy and paste bunny into your
('')_('') signature to help him gain world domination

"We can mean anything. We three, we the people, or my personal favorite: WEEEEEEEEEE!!!!"

"It's not winning th

 iLike Macs, iPwn, However you put it... Apple is better ^_^ 
"Claiming that your operating system is the best in the world because more people use it is like saying McDonalds makes the best food in the world..."

Ryan McCue
Offline
Last seen: 12 years 12 months ago
Joined: 2006-01-06 21:27
.

Your signature is too long; Drupal is automatically cutting it off.
Get rid of the ASCII bunny.
----
Ryan McCue.
Blog.
So all that Airbus-delay trouble over here in Europe is because of YOU!
Simeon.

"If you're not part of the solution, you're part of the precipitate."

GuidoZ
Offline
Last seen: 11 years 4 months ago
Joined: 2009-08-23 20:46
More ways to hack up U3!

I've been playing with autoruns and flash drives since before U3 drives were even available. I still have some of the original UD-RW drives from Hagiwara lying around. (Test models, 1GB each with a resizable U3-like partition.) I've used them for years to show why physical security is just as important as network security.

You can read more about my findings and creations here: http://www.GuidoZ.com/U3/

--
Peace. ~G

RMB Fixed
Offline
Last seen: 12 years 8 months ago
Joined: 2006-10-24 10:30
...

File Find_U3_ISO.exe received on 2009.08.28 18:09:41 (UTC)
Result: 21/41 (51.22%)
http://www.virustotal.com/analisis/c4102503f2947bddad8acbe9c2158d4d92ab7...

Hmmm....

GuidoZ
Offline
Last seen: 11 years 4 months ago
Joined: 2009-08-23 20:46
To answer your "Hmm..."

Here's what I posted on another site with a similar comment...

-------------------------
Wow, was just sent a note from a friend saying people were talking about my U3 tools (among others) being infected. I do care to comment! Nothing is an infection, unless labeled as such. There are some EXE hacking/hiding tools I have hosted that antivirus programs may pick up as just that – Hacktool type things. Not a single thing is a trojan. PERIOD. If you are using one of the big bad five (Norton, McAfee, Panda, Trend Micro, CA), then I can’t help you. They are riddled with false positives, such as the compiler I’ve used (Quick Batch File Compiler), gets tagged as a trojan because it sees a compiled/compressed EXE and freaks out. I use EVERY ONE of the tools on my U3 page myself, and made them MYSELF. No infections. No issues. Scan it on http://www.virustotal.com to see what comes up. I personally use ESET NOD32 and Kaspersky and rarely have false positives. Google me – you’ll see I’m a standup kind of guy. :) (Check my Gmail which is UberGuidoZ@ for a bunch of security mailing lists I participate in.) It’s also not too difficult to find my full name, which will lead to my LinkedIn and Facebook profiles, which include hundreds of positive recommendations from customers, both local and nationwide.

I have been fighting the ignorant antivirus programs for over a decade… wouldn’t expect it to be different now. Get a real antivirus and you won’t have as many issues. (Don’t take my word for it – Google about the big 5 I mentioned, adding your favorite review words, like “suck”, “bloat”, “false positive”, etc.)

Again, you can always feel free to contact me if you feel something I have posted is misrepresented. My contact information is listed on the site! Try asking before you go pointing fingers. Online or in person, it’s rude. I’m always happy to help and stand behind what I have provided.
-------------------------

Frankly, I'm sick and tired of crappy antivirus products ruining my reputation. I use EVERYTHING ON THAT PAGE myself, and made it myself. I know for a fact it's not infected. (I use the best rated antivirus programs - ESET NOD32 and Kaspersky, both of which show the file is CLEAN. Google them, look at AVComparatives and VBulletin for true antivirus results.)

I'm considered a malware expert in many circles and teach classes on how to fight and protect yourself. If you feel something I have posted is misrepresented, by all means contact me. My information is provided, like I have said previously. Email me: U3 at guidoz dot com - you'll get a reply from me. Hell, I'll even give you a phone number if you'd like to chat. Google me and you'll see I'm a stand up kind of guy!

--
Peace. ~G

luciechat
Offline
Last seen: 11 years 4 months ago
Joined: 2011-05-15 03:12
i think ..

I have this problem too, thank you for your question. I have solved my problem.
