19-11-2009 09:30{
downloading sql server 2008
19-11-2009 10:19}

20-11-2009 08:21{
google search for sql server backup compression algo description
20-11-2009 08:50}

20-11-2009 11:35{
+ install sql server 2008
! create a test DB
+ create a compressed and uncompressed backup file
+ analyse the compressed backup file
+ investigate the used dlls
  > seems that sqlservr.exe has it all inside?
+ load sqlservr.exe into ida
20-11-2009 14:51}

22-01-2010 05:37{
+ start sql console
  > net start MSSQLSERVER
+ copy the backup sample(s) to penryn
  > was on flash /sql
+ test the recovery of test DB from compressed backup
+ backup the DB again uncompressed and compare
! try killing _main and running the exe
  > crashes for some reason...
+ load sqlservr.exe into ida 5.6
+ install ida 5.6
+ load sqlservr.exe with pdb
+ add hexrays and reload
+ find a suspicious function
  > ?DecompressData@XpressCompression@@QAEHQBEIIPAE@Z
  > wait while ida loads it...
22-01-2010 06:43}

22-01-2010 08:29{
+ hook the suspicious function and try restoring from compressed backup
  > works! decoder receives 52 77 67 00 70 ... and decodes it to TAPE...; nice
- inject a dll into sqlservr.exe
- hook a XpressDecode function
- debug log of parameters
- decompiling the XpressDecode
22-01-2010 09:08}

25-01-2010 03:11{
+ stop the sql server
! add an import to 1.dll
+ create a fake sqlos.dll
+ find tracer sources
+ patch addimport.cpp to work with sqlos.dll
+ patch trace.cpp to only do a simple test
+ rename real sqlos.dll to sqlos0.dll and replace with a fake
+ start the sql service
  # success! trace.log created
+ hook XpressDecode and log arguments
+ patch sqlservr.exe .text atts to rwx
+ find the decompiling samples
+ find XpressDecode address and prolog code
  > 02A66B5B
+ hook the function
+ test run with backup decompression
+ BUG: stdcall stuff
+ add argument logging and retest
+ export the functions
  + c
    + XpressDecode
    + sub_2A66641
    + sub_2A667FE
    + unk_335A900
  + asm
  + bin
  + bin2hex
+ extract a compressed data block
+ link the binary functions
+ patch
+ decoding test
+ BUG: sub ebp,xxx instead of sub esp,xxx
+ BUG: 2nd call reloc miss
  > huh? works...
+ test whether table is necessary
  > guess not
+ try a longer block
  > works?
+ load a compressed file into ida and try to find block structure
+ decode a complete backup file
+ format parse
  # 3 record types for now
+ really decode
  + compressed records
  + SFMB-512
  + 0x84 pad record
  + 0x8C record
+ try loading y.bak into MSSQL
  # works?!
+ test with a different compressed file
  # master.bak2
+ BUG: unexpected quit at 8C record
  # added 8C length handling
+ make a release archive
+ upload
+ post
25-01-2010 08:35}