ARM GDB script

GDB is not quite friendly for someone who is used to ollydbg , immunity or ida but GDB script is an amazing tool for analyse code if you know some nifty trick. For some reverse engineering job, I was lucky to have a go at it and here are a few notes for the future me:

#Saving breakpoints
define bsave
    save-breakpoints san.bp
end
#Restore breakpoints
define brestore
  source san.bp
end

#Logging stuffs to a file
define sanLog
  set logging file /var/root/san.out
  set logging on
end
#Logging without stdout
define sanLogNoSTDOUT
  set logging redirect on
  set logging file /var/root/san.out
  set logging on
end

define gothoughAllinstruction
        while(1)
        if ($pc < 0x00C25494)  #size of main code
                p/x $pc
                ni             #next instruction
        else
                n              #if the code is outside of main (import lib for ex) then get past it ASAP
        end
end

define sanMod
#       i reg r0 r1 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 sp lr pc   #print out all registers
        if ($pc == 0x00859fff)   
                printf "something meaningful here:"
                x/s $r0 #print r0 register in string form
                x/x $r1  #print r1 in hex form
        end
        thread apply 1 where   #if there are multiple thread, this would run "where"(similar to "i stacks") on thread 1(eg main thread (you can get this info by running "i threads"))
        printf "\n--------------------------------------------------\n"
end

In IDA, we can use this information to color the code and see which instruction the device goes through:

 

from idautils import *
from idc import *

def main():
#  SetColor(int("0039EAE8",16), CIC_ITEM, 0xF4A430)
  print "Color it up!"
  f = open('c:\\blah\\firstrun.out','r')
  for i in f:
    if (i[0:2] == "0x"):
      SetColor(int(i[2:10],16), CIC_ITEM, 0xF4A430)

if __name__ == '__main__':
  main()

Enable Concurrent Sessions in Windows 7 (x86)+(x64)

Nifty trick to enable multiple mstsc session on a windows 7 machine:
(HxD is best for this sort of job ;) )

x86 Hex edit

find: 
00 3B 86 20 03 00 00 0F ** ** ** **
replace: 
00 B8 00 01 00 00 90 89 86 20 03 00

find: 
FF 43 50 C7
replace: 
FF 90 50 C7

find: 
F8 74 2F 68 ** **
replace: 
F8 E9 2C 00 00 00


x64 Hex edit

find: 
8B 87 38 06 00 00 39 87 ** ** ** ** ** ** ** ** ** **
replace: 
B8 00 01 00 00 90 89 87 38 06 00 00 90 90 90 90 90 90

find: 
60 BB 01 00 00 00
replace: 
60 BB 00 00 00 00

find: 
50 00 74 18 48 8D
replace: 
50 00 EB 18 48 8D

Taken from http://www.winmatrix.com/forums/index.php?//topic/22479-enable-concurrent-sessions-in-windows-7-x86x64/

zigbee stuffs

killerbee framework for zigbee exploitation

zbid --> show zigbee devices
zbwireshark -i <id> -f <channel> to sniff
zbfind for channel hoping and search for available devices

Notes for iphone gdb stuffs

Mach-O remove signature block: 

removing LC_CODE_SIGNATURE——————————————————————————————
Make sure you have got the files thinned (ditto --arch i386) before proceeding.

To remove a code signature you need to do the following steps:

 - Modify the number of load commands (Starts at offset 0x10, 4B size). Reduce it by one.
==> Run otool -l on binary will result in 1 less load commands.

- Size of the load commands (Starts at offset 0x14/20, 4B size) -->  subtract by 0x10
- Modify the 16 Bytes from the load command entry for LC_CODE_SIGNATURE.
       Replace them with 16 x 0x00.
       Intel: 0x1D00000010000000
       PPC: 0x0000001D00000010
- Remove the actual code signature.
       This starts with 0xFADE0CC0.
       Replace the entire code signature with 0x00 bytes.

otool -l <executable>   to list out load commands

eg:
otool -l <app>  | grep ENCR -A 4
  cmd LC_ENCRYPTION_INFO
  cmdsize 20
 cryptoff  8192  (0x2000)
 cryptsize 10715136 (size)
 cryptid   1


search for ENCRYPTION like above
if encryptid = 1 --> most likely it is encrypted

0x1000 --> header size

dump memory out.bin (cryptoff+0x1000) (cryptoff+0x1000+cryptsize)
paste it in using HxD, offset (cryptoff+0x1000)

change LC_ENCRYPTION_INFO cryptid to 0 using HxD.

class-dump <executable> is useful once the encrypted executable is decrypted.

ldid and ldone helps signing code.

You may want to restart Iphone/Ipad if you get Killed: 9 error or  EXC_BAD_ACCESS in gdb when replacing the executable. Try ldone before reboot.

URL of the day:
https://dnsdb.isc.org/


Self reminder

 #/usr/bin/env python  
 import getopt  
 import struct  
 import immutils  
 from immlib import *  
 import immlib  
 import binascii  
 class code_hook(LogBpHook):  
      def __init__(self):  
           self.imm = Debugger()  
           LogBpHook.__init__(self)  
           return  
 #     def splitString(s,block):  
 #          return [s[i:i+block] for i in range(0,block,255)]  
      def run(self,regs):  
 #          try:  
 #               self.imm.log(str(regs['EIP']))  
                if (regs['EIP'] == 0x0x00XXXXXX):  
                     self.imm.log("Password is-->" +self.imm.readString(self.imm.readLong(regs['EBP']-4)))   
                if (regs['EIP'] == 0x0x00XXXXXX):  
                     output = str(self.imm.readMemory(regs['EAX'],self.imm.readLong(regs['EAX']-4)))  
 #                    self.imm.log(output)  
 #                    for k in [output[i:i+255] for i in range(0, len(output), 255)]:  
                     ch=code_hook()  
                     for k in [output[i:i+255] for i in range(0,len(output),255)]:  
                          self.imm.log(str(k))  
 #                    self.imm.log("SHA256 of -->" +binascii.hexlify(self.imm.readLong(regs['EAX'])))   
                if (regs['EIP'] == 0x0x00XXXXXX):  
                     self.imm.log("IV is -->" +self.imm.readMemory(self.imm.readLong(regs['EAX']+0xC),8))   
 #          except:  
 #               self.imm.log("peopeo")  
 #          return  
 def main(args):  
           code_hooker = code_hook()  
           code_hooker.add("break point on password",0x00XXXXXX)            
           code_hooker.add("break point on hash 256",0x00XXXXXX)  
           code_hooker.add("break point on 3des iv",0x00XXXXXX            
           return ">> my hook is ready!"  

Pulling out precious Lost/ Disappeared/ Evaporated Breakpoints from udd file for immunity and ollydbg

So I came across this problem when I reloaded the app in Immunity and all my breakpoints were gone. I went into Immunity folder, backed up the udd and bak files and had a look at them in Hxd. Turn out that my breakpoints were still in the udd file but for some weird reason, Immunity refused to load it up. Hence I scripted the following python script to extract the breakpoints and notes for me out of the annoying udd files. Code only tested with my udd file so you may wanna modify it a bit to get it to work.
Well this is a simple python script I scripted up to extract the breakpoints out of udd files.

 import binascii  
 import sys  
 if(len(sys.argv) < 2):  
      print "ExtractBP.py <name of extracted binary bp file>"  
 else:  
      f = open(sys.argv[1],'r')  
      a = f.read()  
      b = a.split("\nUs6")  
      print "Addresses\t-->\tNote(If presented)"  
      for c in b[1:]:  
           if c!='':  
                print binascii.hexlify((c[4:6]+chr(ord(c[6])+64)+c[7:8])[::-1])+"\t-->\t"+c[8:-1]  

Cool sites

Good blog about hacking tools:

http://holisticinfosec.blogspot.com.au/
2011 tools:

Good blog:
http://www.room362.com/blog/author/r362
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/


Tools to look at:
http://code.google.com/p/psychofolder/
http://code.google.com/p/fm-fsf/
http://labs.portcullis.co.uk/application/bsql-hacker/
http://www.mavitunasecurity.com/communityedition/#!prettyPhoto
http://intrepidusgroup.com/insight/mallory/

Eclipse + ZAP Proxy + ArchLinux

Install jdk: pacman -S openjdk6


Install eclipse: pacman -S eclipse 


Get Subclipse:

http://subclipse.tigris.org/update_1.8.x

Select everything except Integration for Mylyn.

Go to Windows/Open Perspective/Others --> SVN

Check out trunk from http://zaproxy.googlecode.com/svn/

Add build.xml to ant

You are done!

PS: Tmux = screen+Terminator. GET TMUX now! :)

Random tips and tricks

Runas without domain trust:

runas /user:custdomain\account /netonly cmd

Fiddler NTLM Auth:
Under OnBeforeRequest: 

oSession.oFlags["x-AutoAuth"]="DOMAIN\\Username:Password";

ssh sharing connection in linux (avoid re-typing the password to connect to the same server again by leveraging existing connection:

Modify ~/.ssh/config or /etc/ssh/ssh_config:

ControlPath ~/.ssh/control-%r@%h:%p
ControlMaster auto
ControlPersist 1

Jpeg to mov in Android

Hi! Hello... Oh well this is the first post so noone probably read this anyway =)
Anyway, let's get down to business ;)
I am working on a small project with a friend and we hit a small huddle- converting series of JPEG to movie...
So of course, the first logical thing one would think to make a movie out of JPEGs images is to somehow stitch them one by one after each other for each frame. For that, QuickTime Mov is the easiest way to get things done.


I have found many libraries or other people's code but to be honest, I didn't really know or understand what i was looking at so i read up a bit on the mov file structure.
This Url will explain to you exactly what a mov file contains: 

http://wiki.multimedia.cx/index.php?title=QuickTime_container

Easy enough? Now let's have a look at a simple mov file that was generated by someone else's code:

After looking at the hexdump of this mov file and others with more than 1 frame, i have noted down the data atoms that are the same and the one that changed such as frame count, information regarding start position of each frame, size of each frame, etc... So I put together the following ugly code as a Proof of Concept code to make a mov file out of jpegs. I'm not a programmer and more of a script-coder so this haxor job seems a bit ugly but it may help you to understand how to create a mov file out of series of JPEGs. Next is to convert this into proper classes with proper functions. plz excuse my poor coding =)

 package bomblah.imageToMov;  
 import java.io.ByteArrayOutputStream;  
 import java.io.File;  
 import java.io.FileOutputStream;  
 import java.io.OutputStream;  
 import android.app.Activity;  
 import android.app.AlertDialog;  
 import android.os.Bundle;  
 import android.os.Environment;  
 import android.graphics.BitmapFactory;  
 import android.graphics.Bitmap;  
 public class ImageToMovActivity extends Activity {  
   /** Called when the activity is first created. */  
      public ByteArrayOutputStream returnStream = new ByteArrayOutputStream();  
      @Override  
   public void onCreate(Bundle savedInstanceState) {  
     super.onCreate(savedInstanceState);  
     setContentView(R.layout.main);  
     String rootPath = Environment.getExternalStorageDirectory().toString();  
    int frameCount = 1;  
    byte startOfMov[] = {  
         (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x14, (byte)0x66, (byte)0x74,  
         (byte)0x79, (byte)0x70, (byte)0x71, (byte)0x74, (byte)0x20, (byte)0x20,  
         (byte)0x00, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x71, (byte)0x74,  
         (byte)0x20, (byte)0x20, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x08,  
         (byte)0x77, (byte)0x69, (byte)0x64, (byte)0x65  
    };  
    int sizeOfMdata= 0;//SIZE of mdata (Size of all JPEG + 8)   
    String mdat = "mdat";  
    //JPEG1  
    //JPEG2  
    int sizeOfMoov = 0;  
    String moov = "moov";  
  byte mvhd[] = {  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x6C, (byte)0x6D, (byte)0x76,  
       (byte)0x68, (byte)0x64, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x45, (byte)0xD8, (byte)0x56, (byte)0x11, (byte)0x45, (byte)0xD8,  
       (byte)0x56, (byte)0x11, (byte)0x00, (byte)0x00, (byte)0x03, (byte)0xE8,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x64, (byte)0x00, (byte)0x01,  
       (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02  
  };  
    int sizeOfTrak = 0;  
    String trak = "trak";  
    byte sizeOfhtkd[] = {  
              (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x5C  
    };  
    String tkhd = "tkhd";  
    byte dateTime[] = {  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02, (byte)0x45, (byte)0xD8,  
       (byte)0x56, (byte)0x11, (byte)0x45, (byte)0xD8, (byte)0x56, (byte)0x11,  
       (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
       (byte)0x00, (byte)0x00  
    };  
    int duration = frameCount*100;  
  byte continueOfTkhd[] = {  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x0A, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
                (byte)0x40, (byte)0x00  
      };  
  int movieWidth = 0;  
  int movieHeight = 0;  
  byte restOfTkhd[] = {  
       (byte)0x00, (byte)0x00  
  };  
  int sizeOfMdia = 0;  
  String mdia = "mdia";  
  int sizeOfMdhd = 32;  
  String mdhd = "mdhd";  
  byte beginMdhd[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x45, (byte)0xD8,  
      (byte)0x56, (byte)0x11, (byte)0x45, (byte)0xD8, (byte)0x56, (byte)0x11,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x0A  
  };  
  //frameCount here  
  byte restOfMdhd[] = {  
            (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00  
  };  
  int sizeOfHdlr = 44;  
  String hdlr = "hdlr";  
  byte restOfHdlr[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x6D, (byte)0x68,  
      (byte)0x6C, (byte)0x72, (byte)0x76, (byte)0x69, (byte)0x64, (byte)0x65,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x56, (byte)0x69, (byte)0x64, (byte)0x65, (byte)0x6F, (byte)0x48,  
      (byte)0x61, (byte)0x6E, (byte)0x64, (byte)0x6C, (byte)0x65, (byte)0x72  
  };  
  int sizeOfMinf = 0;  
  String minf = "minf";  
  byte beginOfMinf[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x14, (byte)0x76, (byte)0x6D,  
      (byte)0x68, (byte)0x64, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x2C,  
      (byte)0x68, (byte)0x64, (byte)0x6C, (byte)0x72, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x6D, (byte)0x68, (byte)0x6C, (byte)0x72,  
      (byte)0x76, (byte)0x69, (byte)0x64, (byte)0x65, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x56, (byte)0x69,  
      (byte)0x64, (byte)0x65, (byte)0x6F, (byte)0x48, (byte)0x61, (byte)0x6E,  
      (byte)0x64, (byte)0x6C, (byte)0x65, (byte)0x72, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x28, (byte)0x64, (byte)0x69, (byte)0x6E, (byte)0x66,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x20, (byte)0x64, (byte)0x72,  
      (byte)0x65, (byte)0x66, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x10, (byte)0x75, (byte)0x72, (byte)0x6C, (byte)0x20,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00  
  };  
  int sizeOfStbl = 0;  
  String stbl = "stbl";  
  byte beginOfStbl[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x66, (byte)0x73, (byte)0x74,  
      (byte)0x73, (byte)0x64, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x56, (byte)0x6A, (byte)0x70, (byte)0x65, (byte)0x67,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x63, (byte)0x68, (byte)0x61, (byte)0x64, (byte)0x00, (byte)0x00,  
      (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02, (byte)0x00,  
      (byte)0x00, (byte)0xB0, (byte)0x00, (byte)0x90, (byte)0x00, (byte)0x48,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x48, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00  
  };  
  //frameCount here  
  byte continueOfStbl1[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x18, (byte)0xFF, (byte)0xFF,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x18, (byte)0x73, (byte)0x74,  
      (byte)0x74, (byte)0x73, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01  
  };  
  //frameCount here  
  byte continueOfStbl2[] = {  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x1C, (byte)0x73, (byte)0x74, (byte)0x73, (byte)0x63,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,  
                (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,  
                (byte)0x00, (byte)0x01  
  };  
  int SizeOfStsz = 0;  
  String stsz = "stsz";  
  byte beginOfStsz[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,  
      (byte)0x00, (byte)0x00  
  };  
  //frameCount here  
  //sizeOfJPEG1  
  //sizeOfJPEG2  
  //sizeOfJPEG3  
  int sizeOfStco = 0;  
  String stco = "stco";  
  byte beginOfStco[] = {  
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00  
  };  
  //frameCount  
  int firstOffset = 36;  
  //for next offset = 28+sizeOfJPEG1;  
  int totalSizeOfJPEG = 0;  
            String[] files = new String[3];  
            files[0]="/mnt/sdcard/freezmo/20111211012629.jpg";  
            files[1]="/mnt/sdcard/freezmo/20111211012639.jpg";  
            files[2]="/mnt/sdcard/freezmo/20111211012644.jpg";  
            frameCount = 2;  
     try{  
     ByteArrayOutputStream[] tempStream = new ByteArrayOutputStream[frameCount];  
     int[] sizeStream = new int[frameCount];  
     // Bitmap[] bitmapArray = new Bitmap[frameCount];  
     for (int i = 0; i<frameCount;i++){  
          tempStream[i]=new ByteArrayOutputStream();  //initialise tempStreams  
     //      bitmapArray[i]=new Bitmap();  
          Bitmap a= BitmapFactory.decodeFile(files[i]);  
          movieWidth = a.getWidth();  
          movieHeight = a.getHeight();  
          a.compress(Bitmap.CompressFormat.JPEG, 100, tempStream[i]);  
          int len = getStreamLength(tempStream[i]);  
          sizeStream[i] = len;  
          totalSizeOfJPEG += len;  
     }  
    //  printf("totalSizeOfJPEG="+Integer.toString(totalSizeOfJPEG),this);  
     returnStream.write(startOfMov);  
     returnStream.write(intToByteArray(totalSizeOfJPEG+8));  
     returnStream.write(mdat.getBytes());  
     for (int i=0;i<frameCount;i++){  
     returnStream.write(tempStream[i].toByteArray());  
     }  
     //recursive would be nice here.  Will do it later =p This is just a haxor job to test
     ByteArrayOutputStream moovStream = new ByteArrayOutputStream();  
     moovStream.write(moov.getBytes());  
     moovStream.write(mvhd);  
     ByteArrayOutputStream trakStream = new ByteArrayOutputStream();  
     trakStream.write(trak.getBytes());  
     trakStream.write(intToByteArray(92));  
     trakStream.write(tkhd.getBytes());  
     trakStream.write(dateTime);  
     trakStream.write(intToByteArray(frameCount*100));  
     trakStream.write(continueOfTkhd);  
     trakStream.write(intToByteArray(movieWidth));  
     trakStream.write(intToByteArray(movieHeight));  
     trakStream.write(restOfTkhd);  
          ByteArrayOutputStream mdiaStream = new ByteArrayOutputStream();  
          mdiaStream.write(mdia.getBytes());  
          mdiaStream.write(intToByteArray(sizeOfMdhd));  
          mdiaStream.write(mdhd.getBytes());  
          mdiaStream.write(beginMdhd);  
          mdiaStream.write(intToByteArray(frameCount));  
          mdiaStream.write(restOfMdhd);  
          mdiaStream.write(intToByteArray(sizeOfHdlr));  
          mdiaStream.write(hdlr.getBytes());  
          mdiaStream.write(restOfHdlr);  
               ByteArrayOutputStream minfStream = new ByteArrayOutputStream();  
               minfStream.write(minf.getBytes());  
               minfStream.write(beginOfMinf);  
                    ByteArrayOutputStream stblStream = new ByteArrayOutputStream();  
                    stblStream.write(stbl.getBytes());  
                    stblStream.write(beginOfStbl);  
                    stblStream.write(intToByteArray(frameCount));  
                    stblStream.write(continueOfStbl1);  
                    stblStream.write(intToByteArray(frameCount));  
                    stblStream.write(continueOfStbl2);  
                         ByteArrayOutputStream stszStream = new ByteArrayOutputStream();  
                         stszStream.write(stsz.getBytes());  
                         stszStream.write(beginOfStsz);  
                         stszStream.write(intToByteArray(frameCount));  
                         for (int i=0;i<frameCount;i++){  
                              stszStream.write(intToByteArray(sizeStream[i]));  
                         }  
                    stblStream.write(intToByteArray(getStreamLength(stszStream)+4));  
                    stblStream.write(stszStream.toByteArray());  
                         ByteArrayOutputStream stcoStream = new ByteArrayOutputStream();  
                         stcoStream.write(stco.getBytes());  
                         stcoStream.write(beginOfStco);  
                         stcoStream.write(intToByteArray(frameCount));  
                         stcoStream.write(intToByteArray(firstOffset));  
                         int offSet=firstOffset;  
                         for (int i=1;i<frameCount;i++){  
                              stcoStream.write(intToByteArray(offSet+sizeStream[i]));  
                              offSet+=sizeStream[i];  
                         }  
                    stblStream.write(intToByteArray(getStreamLength(stcoStream)+4));  
                    stblStream.write(stcoStream.toByteArray());  
               minfStream.write(intToByteArray(getStreamLength(stblStream)+4));  
               minfStream.write(stblStream.toByteArray());  
          //writeSizeOfMinf  
          mdiaStream.write(intToByteArray(getStreamLength(minfStream)+4));  
          mdiaStream.write(minfStream.toByteArray());  
     trakStream.write(intToByteArray(getStreamLength(mdiaStream)+4));  
     trakStream.write(mdiaStream.toByteArray());  
     moovStream.write(intToByteArray(getStreamLength(trakStream)+4));  
     moovStream.write(trakStream.toByteArray());  
     returnStream.write(intToByteArray(getStreamLength(moovStream)+4));  
     returnStream.write(moovStream.toByteArray());  
     // bitmapArray[0] = BitmapFactory.decodeFile("/mnt/sdcard/freezmo/19700101100000.jpg");  
     //new File(rootPath + "/freezmo").mkdirs();  
     printf("finished returnStream",this);  
        File file = new File(rootPath, "/StopMotion/freezmo.mov");  
        OutputStream outStream = new FileOutputStream(file);  
        outStream.write(returnStream.toByteArray());  
        outStream.flush();  
        outStream.close();  
     }catch (Exception e) {  
           }     
   }  
      public byte[] intToByteArray(int value) {  
           return new byte[]{  
           (byte)(value >>> 24), (byte)(value >> 16 & 0xff), (byte)(value >> 8 & 0xff), (byte)(value & 0xff) };  
           }  
   public int getStreamLength(ByteArrayOutputStream stream){  
        return stream.toByteArray().length;        
   }  
    public void printf(String alertText, Activity activity) {  
             AlertDialog.Builder builder = new AlertDialog.Builder(activity);  
             builder.setMessage(alertText).setNeutralButton("Close", null);  
             AlertDialog alert = builder.create();  
             alert.show();  
        }  
 }