Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Library / +HCU / 171-180.TXT < prev next >

Wrap

Text File | 2000-05-25 | 66KB | 1,751 lines

======================================================== +HCU Maillist Issue: 171 03/21/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: "HELP the confused" #2 Subject: A few things re: Int 3 and ntoskrnl ARTICLES: -----#1------------------------------------------------- Subject: "HELP the confused" Hi, sorry to take up your time, but i am having a problem that i believe you may be able to help. I have installed softice 2.62 in dos, so that i can study and follow +Orc's tutorials but when i run a dos game(eg, pooldemo) and try to enter softice via hot key "ctrl-D" i get a screen that is UN-READABLE consisting of funny characters and symbols. When i leave the game and try "ctrl-D" again i get the normal softice control panel(like normal), this type of occurrance happens for other games i try to crack aswell, also the same happens for softice 2.8 for dos. Softice 2.62 is run outside of windows95, i 'm using the windows integrated dos7. my monitor is vga. Please..if you are aware of what i'm going on about, let me know how to correct this. Thankyou for time and help. MDH -----#2------------------------------------------------- Subject: A few things re: Int 3 and ntoskrnl Hello, Just a few remarks regarding some recents posts. First, a slight = correction to Stone's (as always) excellent and scholarly post concerning in memory = process modification. At the end he writes, >A last side note should be mentioned here. While I was doing this code I >encountered a bug in windows NT workstation 4.0 build 1381. It might >exist >on other versions too. Code inside windows looks like this: >mov eax, [offset of Context Storeing space in debugger code] > ; this is obvioulsy a parameter >mov ebx, [Temporaly variable containing ring level of debugger] >test eax,ebx >jnz insuficient_security >everything Ok. >Obviously this is wrong. To overcome this bug make sure that the offset >where you store your context and'ed with 3 is 0. I don't think that this is a bug. My very deep suspicion is that it is = an alignment check. If you look through winnt.h you see that the MIPS, PPC,= and ALPHA CONTEXT structs require various alignments (either 8 or 16 bytes). = x86s are not usually so picky about alignment, but in some places they are = (the prime example being the stack -- it's either 2 byte or 4 byte aligned depending= on the processor mode). winnt.h doesn't make any mention of alignment for x86 = context structs, but I have a dim memory of reading that they had to be somewhere= (maybe in Pietrek?). Given that these structs have some sort of deep connection= with the processor architecture (sounds fancy doesn't it? -- maybe it's even = true), alignment might be necessary. Stone, could you give me the address in = ntoskrnl where this check is (I didn't feel like searching for it :-)? I'm = curious about it now. Never mind, I found it. Here's the code from ntoskrnl demonstrating that= it's an alignment check. Stone: you should have SoftICE load the exports (or= better the symbols) for ntoskrnl :-). ; first put the desired alignment into ecx 801966E5 mov ecx, 4 ; now make sure we've got an address in ring3 space 801966EA mov eax, MmUserProbeAddress ; 7FFF0000 801966EF mov esi, [ebp+lpContext] 801966F2 cmp eax, esi 801966F4 ja short loc_801966FA 801966F6 mov eax, [eax] 801966F8 jmp short loc_801966FC ; some stuff 801966FA mov eax, [esi] 801966FC mov [ebp+var_28], eax 801966FF mov edi, 0CCh ; size of CONTEXT struct 80196704 cmp [ebp+var_19], 0 80196708 jz short loc_8019672E 8019670A test edi, edi 8019670C jz short loc_8019672E ; here's the alignment check 8019670E dec ecx 8019670F test esi, ecx 80196711 jz short loc_8019671A 80196713 call ExRaiseDatatypeMisalignment ; Bingo ! So, the error here is not properly documenting the need for this = alignment. Regarding the SoftICE int 3 debate. If SoftICE doesn't use int 3's = (opcode 0xCC) for regular bpx's, then how does it do them? I take the answer to = be that it couldn't. It couldn't use the debug registers and obviously doesn't. = That leaves only int 1, which would be a bizarre and unnecessary choice. = Further, I quote from the SoftICE Command Reference v3.0 for the command BPX: If you try to set a BPX at an address that is in ROM, a breakpoint = register is automatically used for the breakpoint instead of the NORMAL PLACEMENT OF = AN INT 3 at the target address ... (p. 43). I think this settles it. Quine =====End of Issue 171=================================== ======================================================== +HCU Maillist Issue: 172 03/22/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Fwd: Re: IE 4 Bug (Crash with frames) #2 Subject: re:HELP the confused #3 Subject: API hooking again ARTICLES: -----#1------------------------------------------------- Subject: Fwd: Re: IE 4 Bug (Crash with frames) Hello HCUers, maybe this is interesting to some (all) of you. Fravia+ take a look if you don't know already... Have a nice day Keep on Thor+ >Approved-By: ************** >X-Mailer: ELM [version 2.4ME+ PL37 (25)] >Date: Thu, 19 Mar 1998 11:14:01 -0800 >Reply-To: System Administrator ************************* >Sender: Bugtraq List ********************** >From: System Administrator ************************* >Subject: Re: IE 4 Bug (Crash with frames) >X-To: ************* >To: ******************** > >History records that Lloyd Vancil wrote: >> >I fust found a way to crash IE 4 using frames: >> >Make a file 'test.htm' with the following content >> >and view it with IE 4. Under Win95 IE 4 will >> >crash. >> > >> > >> > >> > >> >Thomas Weidauer >> >> Kills Netscape Communicator on a mac too >> Naturalitch! A forever loop in a web page.... >> 3.01 on Solaris loads the page but any further load it dies. >> >> Why would you want to do this anyway? > > >I found that the loop is not necessary. Name the page ie4test.html and >leave the frame links as test.htm (which need not exist), and it still >crashes IE4. The entire content is inside a HTML comment anyway, so the >correct action for ANY browser is to treat the entire page as a no-op. > > > >-- > Phil V. Stracchino | Personal opinions expressed by me do not represent > MIS Administrator | official positions or policies of Cardima Inc., > Cardima, Inc. | unless so specified. Similarly, support by me of > *************** | any organization, platform or position does not > (510) 354-0123 | imply support or recognition thereof by Cardima Inc. > Keep on Thor+ -----#2------------------------------------------------- Subject: re:HELP the confused Hi, about getting a strange apperance of softice (dos versions). I had the same problem when I started. I found out that it was the graphic card that was causing the problem. I tried different graphic cards (luckily for me I knew the owner of a store) and found that S3 cards worked fine while I didn't have any luck with cirrus Logic cards. Almost all vesa graphic cards i tried worked fine also, the problem was mainly on PCI cards. /+Indian_Trail -----#3------------------------------------------------- Subject: API hooking again I was poking around with API hooking the last few days and came up with a few ideas. While they are nowhere as advanced as Stone's, I thought they might be interesting none the less: The main points we have to do while hooking an API function are getting our code into the process' address space and writing it's address to the reloc's in the RVA. Since I am naturally lazy, I thought we might be able to have windows do that for us, assuming that we want to hook a function in a DLL which is NOT YET loaded into memory at all. I simply replaced the original DLL with a self-created one, renamed the original DLL to hooked.dll. and exported functions with the same name... the following pseudo asm should explain it: ..DATA hookedDLL db 'hooked.dll',0 hookedHandle dd ? function1Name db 'ExportedFunction',0 func1Addr dd ? ReturnAddr dd ? TempEBP dd ? ..CODE ExportedFunction PROC push eax push ebp mov ebp, esp mov [TempEAX], eax mov eax, [ebp+08] mov [ReturnAddr], eax push ebx push ecx push edx push offset hookedDLL call LoadLibraryA mov [hookedHandle], eax ; the following part is not authentic, I am too tired right now ; to look up the original order of the arguments for GetProcAddress push eax push offset function1name call GetProcAddress ;----- mov [func1Addr], eax pop edx pop ecx pop ebx pop ebp pop eax pop eax ; Get rid of the addidtional return-to address on the ; stack mov eax, [TempEAX] call dword ptr [func1Addr] push eax push ebx push ecx push edx push [hookedHandle] call FreeLibrary pop edx pop ecx pop ebx pop eax push [ReturnAddr] ret ExportedFunction ENDP This has to be repeated for ALL exported functions of course :-) So what I'm doing is the following (please point out any mistakes in the above ASM listing, but I don't know whether they are in the original code, I am writing this out of my head): - Save all registers - Save original return-to address - Load the original library - Find the right Address for the particular function - get rid of the extra return-to address on the stack - restore registers - call the Address we just got - decrease the reference count by one - push the saved return-to address - ret IMO this should work, even though it is awfully slow due to the loading of the dll from the HD. Unfortunately, it doesn't work :-(, it never gets past the execution of more than 1 call ... then I get the whole junkload of PageFault/ GPF's in nice 1-2 combinations ;-) I haven't toyed around with it more extensively, but it might be a good idea to save the flags register as well as si/di...well, I dunno... gotta play around with it some more. I do know that this way of hooking API has (if it works at all) many drawbacks (DLL won't pass self-checks, slowdown etc.) but I just wanted to know whether it is possible to hook it this way :-) One way to get by the major drawback would be never to let the reference count for the dll drop to zero until the program is fully executed, this way the HD reading would fall away... I don't know whether there are functions to look at the reference count of a particular DLL, gotta check that some time tomorrow (yawn) This way of hooking could btw easily be used to generate an automatic DLL-hooker (smirk) which can inject whatever code you like into your fake DLL, for example a messagebox with the functionname and the param's on the stack... a cheap & easy spy for unknown API's... Well, I'm goin to sleep, sorry for all the typos, and please tell me what you think about all this and whether you got any ideas why it's not workin yet... (yawn again) HalVar P.S.: If you think this method is Bullsh*t, dirty & unelegant, you're probably right... plz let me know nonetheless :-) ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 172=================================== ======================================================== +HCU Maillist Issue: 173 03/23/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Re: +HCU ML Issue 170 #2 Subject: Crippled protection help #3 Subject: CCh #4 Subject: Re: Api-hooking again ARTICLES: -----#1------------------------------------------------- Subject: Re: +HCU ML Issue 170 >Hmmm, int 9 ? it does not read keyboard through int x16 or >reading/writing directly to the hardware port ? It does read/write directly to the hardware port, but does this in a hooked interrupt. 0000:0024 points to the new keyboard handler. This seems to be quite common in many old Dos games... >anyway, about the brpt. above i think you better set an execution >breakpoint on the contents of vector 9, i mean *(24h). It is no problem to put a bpx directly on the first instruction of the keyboard handler, but it doesn't return to the address from where it's called apparently... the code which the return address on the stack points to doesn't really make sense, and the prog pushes a new ret address... I have to look at it again tomorrow, the last two days I tinkered with stuff that won't work ... ;-) and now I'm frustraded with Win, I'll go back to Dos once more, to relax :-) HalVar ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: Crippled protection help hi i have never write to this list b4 but i think it was time. i am trying to crack Font Lab is a Save dissabled protection. i mostly do Serials and Time limits and such i almost never done a crippled b4. i need some help on this one, if i do Save As.. the save as dialog opnes after i chosse a name the nag box pops up telling me that this is just a demo i tried back tracing to see where does it check if it's a demo or not, my teory is that it can be cracked because it opens the Save As.. dialog but i migth be wrong, please help any suggestions will be apreciated. Thanks. P.S. i don't know if this program has been cracked b4 i just want to do it for the learning of it. P.S.S. Excuse my English. nIabI ______________________________________________________ Get Your Private, Free Email at ********************** -----#3------------------------------------------------- Subject: CCh I had a look through the SICE 3.22 u/g and found this: "Execution Breakpoints: SoftICE replaces an existing instruction with INT 3. You can use the BPX command to set execution breakpoints." So I assume that SICE/95 will trip on stepping over the call in my test program. But what about SICE/DOS? Has anyone else tried it? Is there a bug in my program? ~~ Ghiribizzo -----#4------------------------------------------------- Subject: Re: Api-hooking again The idea with renaming the original DLL and making a new one that would call this renamed one is indeed an old idea. Microsoft infact released such source code for kernel32.dll in their SDK. This method obviously has it's right because atleast for the case of kernel32.dll the work is done and the method more generally applies than the method I have previously promoted on this list. Halvar even though your code might be buggy at this point - do carry on with it - MS made it work.. so can you. As Halvar points out or atleast touches upon this method will get very cumbersome for big DLL's. For small DLL's that often house copyprotection routines I believe that a method of replacing DLL's and possibly chaining original functions in this manner will prove itself to be a better approach. As for reloc problems a simple way of countering this is the "delta-offset" technique. Obviously it's easier if Windows can handle it for you but hey. There is no need to get hung up on windows all the time. An approach that might turn out to be even better than this one would be appending code and moving the entrypoint (as wrappers do) and then change the chunkRVA of the imported function. This way you do not come to rely on the debugapi. Downside is that it's vounerable to CRC's unlike the debug approach. The debug approach is a large weapon and as with all large weapons they should be considered with great care. The methods outline above and Halvar's approach might be considerered before venturing into big guns :). A kind thanks to Quine for verifying my soft-ice intution/tests with actually consulting a manual. Also Quine is obviously right about my "bug" being a alignment check - as for his guessing to the reason for such a check, I believe he is wrong. I will get back to this. Crack your OS! Stone / United Cracking Force '98 =====End of Issue 173=================================== ======================================================== +HCU Maillist Issue: 174 03/24/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Personal Firewall #2 Subject: OpenNT #3 Subject: privacy #4 Subject: Help needed with Pro Motion 3.0 #5 Subject: gthorne with a fun dns trick #6 Subject: pcbdemo ***sigh*** again ARTICLES: -----#1------------------------------------------------- Subject: Personal Firewall Hello Everyone I have downloaded a personal Firewall program, PCSECURE V1.1 at ********************** Iam interested in some comments on the subject of Firewalls. 1.A waste of time having a personal Firewall program, like this? 2.Firewalls are not very effective under Windows95 operating system? 3.There is no real protection with Firewalls, all can be hacked? cheers Rundus ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: OpenNT Hi, I recently have got the OpenNT 2.1 demo and read about the way how chown had done a key-generator for OpenNT 2.0. The bad thing is now that for OpenNT 2.1 this won't work as fine as for OpenNT 2.0. The keys seem to have to fullfill an other property to be valid. I have tried to hack it now for some days and really can't imagine what I should do now. Is there someone out there who might can have a look at it and give me a short tip how to continue? Thanks M -----#3------------------------------------------------- Subject: privacy IS THERE ANY MAILING-LIST ABOUT PRIVACY AND ANONYMOUS ON NET SUBJECT? I DONT KNOW IF SOMEONE POSTED SOMETHING ABOUT THAT,BUT I TAKE ALL NFO ABOUT THAT,TELNET,FTP,WWW ANONYMITY. THANX ______________________________________________________ Get Your Private, Free Email at ********************** -----#4------------------------------------------------- Subject: Help needed with Pro Motion 3.0 Hello, I've been working on Pro Motion 3.0 available from ******************* (1 MB), and I need some help. Pro Motion is a paint/animation package wich is very easy to use, even I succeeded to draw some cool images. The program is cripped and the disabled functions are: User cannot copy image or brush to clipboard. User can only save images as .ico files Trying to do anything of the above will result in a messagebox informing you that it is a demo. Great I thought when I saw the messagebox hoping I had found a place to enter. I traced the code and found that the code below is alwas executed everytime the user selects something from a menu. :00411A4C E88FFFFFFF call 004119E0 :00411A51 85C0 test eax, eax :00411A53 7407 je 00411A5C :00411A55 8B10 mov edx, dword ptr [eax] :00411A57 FF522C call [edx+2C] Edx+2c = 411714 | | :00411714 80782900 cmp byte ptr [eax+29], 00 :00411718 741A je 00411734 :0041171A 6683B89200000000 cmp word ptr [eax+00000092], 0000 :00411722 7410 je 00411734 :00411724 8BC8 mov ecx, eax :00411726 8BD0 mov edx, eax :00411728 8B8194000000 mov eax, dword ptr [ecx+00000094] :0041172E FF9190000000 call dword ptr [ecx+00000090] The call 004119E0 returns with an adress in EAX wich is used at 41172E where we are calling the routine stored at [ecx+90]. The adress at [Ecx+90] is written only on start up, so if we change it we will keep the change until we exit the program. The call at 41172E is the caller to the different routines, we always get here wether we selected 'new', 'edit palette' or 'copy frame to clipboard'. I traced the top caller (call 004119E0) but didn't find any suspicious compares or alternative paths. My guess is that the programmer replaced the correct adress with the adress to the error routine. In the dissassembled listing I found that there was a routine wich calls the below API's. Openclipboard openclipboard EmptyClipboard SetClipboardData SetClipboardData CloseClipboard This looks like the API's that can be used to copy a bitmap to the clipboard. But when I redirect the program to that routine the program crashes. The crash takes place inside a call that's between Emptyclipboard and SetclipboardData. It seems that the crashing call is supposed to get the parameters for SetClipboardData. The call is base indirect adress = Call [ebx+48]. The save problem: Pro Motion opens up a save dialogue by calling GetOpenFileName. The following formats are available in that dialogue: PCX 1 Deluxe Paint Image *.iff *.lbm 2 BMP 3 ICO 4 GIF 5 Each of them are given a value from one to five. Then the program checks that value and different parts of the code is executed depening on the value. Only value four leads to CreateFile and Writefile. I can choose save as BMP and then in softice change value three to four. That will result in a file called xxxbmp.ico. I think this is pretty odd because if only the code for ico files are available there would be no need to check if the user has chosen any other format. Also the fact that each format has his own error routine is suspicious. Also one animation format is disabled. I have no experience (yet) in programming Windows, so I can't add the code I need. Though I believe that would be the easiest approach. I've also looked for a crack but there seem that no one has cracked it yet. I think it possible to unlock this program, but how is mystery. If anyone has the time to help me or have any tips I'd be most grateful Thanxz /+Indian_Tral -----#5------------------------------------------------- Subject: gthorne with a fun dns trick Message Body = if you dont know this one, try it: warez.phantom.com try nslookup on it... in my opinion someone at internic had a sense of humour +gthorne -----#6------------------------------------------------- Subject: pcbdemo ***sigh*** again Hi every1... I am still trying to get this program to print with no real success. I have patched it so that now when you click "print" on any curcuit board file, it will bring up a messagebox saying "printing.." and the printer will feed in paper but it still wont print anything on the paper, though the printhead moves... Spyder, did you get it to print any file with no problems? I would appreciate it if you could tell me where to patch it, so I may see the light & move on..... BTW.. the other 2 patches I made to get it to "nearly print" were: 0001.9202 jmp 9D4B <--- changed to NOP 0001.920B jmp 9D4B <--- changed to NOP along with the first 2 patches I made... [ I must be sounding pretty dopey by now.. :) ] cheers, HaQue =====End of Issue 174=================================== ======================================================== +HCU Maillist Issue: 175 03/25/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Privacy, ICQ #2 Subject: re: pcbdemo ***sigh*** again #3 Subject: re:personal firewall ARTICLES: -----#1------------------------------------------------- Subject: Privacy, ICQ Good evening to all. I wrote the other day to ask if anybody used the Junkbuster proxy. So far no replies apart from Ghir... who mentioned some points about Fravia's anonymity pages. A long time ago, someone wrote about ICQ and its possible uses. One great draw back with ICQ is that it shows your current IP to everybody. This might scare some people off. I have set it up using Junkbuster as a local proxy i.e localhost. The IP address of localhost is usually 127.0.0.1 on all machines, and this is what shows in the ICQ information screen. I don't know if this would make it impossible to carry out file transfers, but chat should work because I believe that the identity is resolved with the ICQ number and not the IP address. Would this make ICQ chat completely anonymous? Any thoughts or more information would be most welcome. Regards, Zipper49 ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: re: pcbdemo ***sigh*** again >I am still trying to get this program to print >with no real success. I have patched it so that >now when you click "print" on any curcuit board >file, it will bring up a messagebox saying >"printing.." and the printer will feed in >paper but it still wont print anything on the >paper, though the printhead moves... That does sound rather strange, maybe it's a bug <grin>. >Spyder, did you get it to print any file with no >problems? I would appreciate it if you could >tell me where to patch it, so I may see the >light & move on..... I didn't mess with it much but I did print modified versions of the demo PCBs to winfax (to save trees) and saw complete images. patches with .exe file offsets follow, please do figure out what they do (I can't remember myself anymore). 0000990C: 74 90 0000990D: 09 90 0000991B: E9 90 0000991C: 3D 90 0000991D: 0B 90 0000A1F6: 74 90 0000A1F7: 09 90 0000A205: E9 90 0000A206: 0E 90 0000A207: 01 90 00014FBD: 68 EB 00014FBE: 11 EE 00015981: 68 EB 00015982: 11 EF I didn't look much at the program, but if you really want to layout your own PCBs there are better programs for free (easytrax is one, DOS based but more capable). Sypder... -----#3------------------------------------------------- Subject: re:personal firewall greetings all, I am not an expert on firewalls however I have downloaded pc-secure and have been using it for awhile.It seems to be the best of the lot I've tried so far and protects resonably well as well as providing a pop-up window for all new incoming connection attempts.However there are two points about firewalls that I do know,it is relatively easy for someone with a linux box to spoof the address of a ip that the firewall trusts(easy to find one if they frequent irc or such)and standard ping is allowed thru unless explicitly turned off so you have two weaknesses there.I remember an exploit I beleive was on fydoors page (not sure,maybe in phrack) in which data could be sent along with ping to comprimise the system.I'm sure there are plenty more I don't know at this time but if you'd like to we can play around with it and see what we can come up with. Cheers,Warlord =====End of Issue 175=================================== ======================================================== +HCU Maillist Issue: 176 03/26/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: gthorne - on icq, spoofing, and how they track you #2 Subject: ICQ #3 Subject: primitives #4 Subject: primitives #5 Subject: GetThreadContext alignement revisited & beta of final part of In memory patching.. ARTICLES: -----#1------------------------------------------------- Subject: gthorne - on icq, spoofing, and how they track you Message Body = first of all i want to mention that newer versions of icq allow you to hide your ip from the other end - but it is a direct network app, so like i said in a previous message - the computer must know the ip it is connecting to, and just because icq allows you to check a box removing the ip from the other person's 'viewscreen' --- it is still available to you since it is in your machine's memory it is therefore like any other networking app my next topic is what can be spoofed in win95 or other os's first i will recall the previous postings and mention that it is possible to fool a remote machine completely with linux what your ip is in win98, it requires that you have control over the dns server, so you have to be a hacker to spoof or run your own dns server win95 can only alter your ident (see the little spoof app in netwar on my site - also called eye-dent for those of you who have it) which is not much protection at all since your ip is till the same well enough about what has already been said... here are a few points most people don't think about what IS able to be spoofed is JAVA (and therefore javascript) how do i know? i do it. what i mean by this is that a foreign machine knows your ip implicitly (as i said about icq) and on a server, the remote server has some environment variable accessible from perl to track you these are: $HTTP_REFERER, $HTTP_USER_AGENT, $REMOTE_ADDR (which usually is the same as $REMOTE_HOST), $REMOTE_IDENT, and $REMOTE_USER some of these you will recall from fravia's site as being the same baic ones in javascript - and so they are, webserver variables arent entirely alien to the web client variables so check there for explanations note that i do not cover cookies here - but all they can track us number of your accesses to a site or what data you type in directly (and of course any of these user variables) $REMOTE_ADDR ($REMOTE_HOST) is your ip - and as i said it is truly known to the other machine - or you have no network connection linux boxes can fool this since the spoof technique uses its own way to access the net - let me just leave it at that, the details are kind of complicated java (and therefore javascript which calls java to get your ip) relies on what your machine reports its ip to be since it loads from your pc, that is the data it knows to check if you are on a lan where all machines are set an ip that is permanent, and all machines interact with eachother and the internet, this is the same as the remote ip what i need to point out however, is that on my own machine setup, i have a intranet ip and a separate internet ip this is due to the fact that my intranet has a standard tcp schema with permanent ip addresses to identify itself to other machines in the intranet (i can use any ip... even one used by someone else on the internet to identify myself.. since it is not an internet dns needed to resolve my ip at all) this can be set simply in the permanent networking properties of your win95 control panel under tcp/ip network properties if you have installed the microsoft tcp/ip protocol when i dial up to the net of course, i have a dynamic internet ip assigned by my provider. dynamic being great because it changes, and is kind of hard to track on a many-user system who really dialed that ip address (and in safety for yourself make sure to have a private line or dial *67, before the call so normal people cant *69 and track you while you are online and using the phoneline - fbi can still track you dont be too comfortable) therefore my machine has 2 ip addresses... one for the internet and one for the intranet to make a long story come to a close, the machine on the other end knows your true ip so without a deep method of spoofing, you cannot cover this java, however, reports your intranet ip - so sites that record your ip data based on java or javascript, get what you tell them is your ip since i wrote this much i will probably miror this in refined form on my website in the netwar section do take care, and i hope this answers alot of questions that have been asked before +gthorne -----#2------------------------------------------------- Subject: ICQ I'm currently trying out ICQ. There is an option to withhold your IP address within setup. As I'm new to ICQ, there's not much I can tell you apart from it's a good idea to setup a 'fake' ICQ to test it out. Maybe there's information about how it all works (perhaps similar to the RFC fro IRC) which may reveal security loopholes for us to exploit and watch out for. However, I get the impression it's just being run by one company (though I may be wrong) and therefore, the information may be harder to come by. But you should have a look and a play around with it. Perhaps you'll get all the answers you want. Warlord mentions some security holes. One I've seen (perhaps not the one he is referring to) is on the Amiga. In one of the most commonly used packages, the ping command has some undocumented features which allows you to send commands to the receiving computer. A friend of mine received such a ping - luckily for him, he had his Amiga's format command independently protected. Needless to say, he changed some of the default settings... ~~ Ghiribizzo -----#3------------------------------------------------- Subject: primitives In lesson 3.1 Master +Orc indicated that many of the protection schemes are derived from the twelve primatives. One of these was referred to in this lesson. Being reasonably new to the game I thought that these would be an excellent place to study. Can anybody help with the identity of the other 11? Regards Vrax ______________________________________________________ Get Your Private, Free Email at ********************** -----#4------------------------------------------------- Subject: primitives In lesson 3.1 Master +Orc indicated that many of the protection schemes are derived from the twelve primatives. One of these was referred to in this lesson. Being reasonably new to the game I thought that these would be an excellent place to study. Can anybody help with the identity of the other 11? Regards Vrax ______________________________________________________ Get Your Private, Free Email at ********************** -----#5------------------------------------------------- Subject: GetThreadContext alignement revisited & beta of final part of In memory patching.. I'll probably bore the shit out of most of you since this will tend towards the advanced and since it's not of any practical importance.. Quine suggested that my "bug" in NT was due to an alignment problem and indeed Quine was right. The reason for this alignment he suggested had something to do with the processor. I'm suspisious of the correctness of this suggestion. Let me however start somewhere else. Quine brings out the stack as an example of something on the x86'er that has to be aligned. I disagree. Obviously the "size" instructions push and pop instructions is aligned but nothing hinders you from having a stack pointer that has a skew number. E.g. you can do: dec esp push eax pop eax inc esp and the like as much as you want. The point is that the address of the ESP need not be aligned and that the PUSH/POP is of fixed size is the same point as saying that the DEC instruction is aligned. This ofcause has no meaning in terms of why the Context structure needs to be aligned.. Let us plunge deeper into the problem. My childhood knowledge leed me to believe that the x86'er does not store the contexts of suspended threads in registers. This would simply use too much space in the processor. Instead it stores it in ordinary ram - just imagine 200 threads with each a context of cch bytes. For the sake of the argument I looked up how windows 95 processes these suspended threads contexts. Indeed windows has the context of a thread stored in memory - not only once, but twice. Once inside ring 0 and once in a kernel32 heap (ring 3). Now that the ram-address where this context is stored during suspension of the thread needs to be aligned does not sound too horrible. What puzzles me is why we need to align an address in order to get a copy of it? That we do is no mystery thanks to Quine. But why? Investigating a little further I found that infact what windows NT does is to make a copy of it's stored thread context. And puzzleling is that the instructions used is rep movsb & rep movsd (for speed reasons done in two "sets"). Why on earth would anybody require the destination for such instructions to be aligned? Welps..I'm really puzzled. My only suggestions is that it aligns because these functions of int 2eh is also used by kernel32 and kernel32 leaves it to these function to allocate heap space - which if I'm not entirely off is aligned to size 4. Or that it's simply a sign of that MS used the same C code for multiple platforms....... It'd be nice if somebody where to debug windows 95 to find out what it actually does. My windows 95 is no longer running I debugged it into swiss cheese.. :) And to something entirely different. As promised I've written a beta edition of my last part of the "in memory patching" essay/doc. Fravia: Please don't publish it on your page yet. I'll have the final version done by this time next week provided I get feedback. Anyways because of the great feedback I got last time I released a beta here.. I again release my beta here hoping that ya'll will tell me how to make it better.. Happy reading! ----- DOC START The MessageHook Approach I'll skip relatively lightly over the in-depth technical issues of this method. It is simply far beyond this text to go into it. Maybe someday I'll write a book or something :) sorry.. The above method has it's advantages - and disadvantages. It's cumbersome. Indeed in many instances access to foreign addressing spaces can be gained easier. I will now examine one such method. The method was first described in MSJ 1994. I first noticed the potency of this method examing Grudge's crack for SubSpace. My sourcecodes and approach as such bares many resemblances with Grudge's initial work. Most likely you've all encountered Windows Messageing system at one point or another. Breakpoints on "BMSG", HWND command in Winice is indeed breakpoints on messages and list possible recievers of messages. The whole idea behind messages goes back to the fact that we have a multitasking operating system. Several tasks needs to share equipment that can only be used by one at the time. The obvious example is the mouse - the user will have only ONE mouse total, not one for each thread. Another is the keyboard, keyboard input is often ment for only one of the running threads. A total breakdown of the windows messageing and windowing system is far far beyound the scope of this small text. It'll suffice to say that any window made by any thread in any process is controlled thru messages from the windows operating system. Again we'll exploit that Windows is an overbloated operating system - or well as I would rather put it - a very potently equipped OS. The feature we'll be exploiting here is that of a Hook in the message system. For many reasons Microsoft decieded that even at ring 3 people should be able to intercept messages send to windows. Because they wanted this hook to be usuable for Computer Based Training they decieded that a hook would be no good if it did not have direct access to the addressing space of the process belonging to the thread it captured a message for. So they decieded that a MessageHookHandling procedure should be loaded into any process-space in which it captured a message. Further developers must've felt generous the day they designed this. They allowed a hook not just to one process - but to all! Let's get a bit more technical on this. The API that installs the hook is: User32!SetWindowsHookExA The first problem about using this API to hook windows messages globally is the way it gain access to the address space of the thread which it intercepted a message to. To get real deep on this issue is again far beyound the scope of this text, but it has to do with how modules is mapped in pages thru out the various memory contexts (Process addressing spaces). The result is that you cannot have the hook within the EXE file that installs the hook - rather you need to have it in a DLL. In other words we start out by loading the DLL in which we have our hook, then find the address of our hook procedure in it and feed this to SetWindowsHookExA. The next problem we encounter is that of designing a MessageHandler. Since a LOT of messages is send out to windows system wide all the time it's important that we design our routine to be relatively fast or we'll be slowing the system. The easist way of doing this is only acting upon messages of a specific type. Choosing type depends on how you wish to time your patch. You can in this way time it to hit on keyboard activity in a window, mouse activity, windows being put to background and so on so forth. I've choosen the real simple one <insert here> which is among other things always called upon creating a window. This allows me to patch right after the "main" window of the program is created. Obviously I might end up patching more than once since this message type can be send many times. The next problem is that we need to hinder that we patch all processes. Again I abuse the concept of modules. By getting the current module filename and compareing it to the filename of the file we desire to patch I can identify weather this message was send to the target or to another program windows. And the last problem is ofcause that we cannot keep messages from the target's windows and expect it to perform like it's supposed to. What we do is that we chain other possible hooks using the neatly provided API: user32!CallNextHookEx One final things is worth noting Exiting the process who "owns" the hook will destroy it - in other words we cannot shut down until we're sure we've patched the program and we cannot shut down if need multiple patches (as patching e.g. kernel32.dll (which is a bad idea anyway) would require. The good thing about it is that we can simply call ExitProcess when we're done and windows will take down the hook for us with no further adue... Pretty clever MS! Since we in the hook-procedure have direct access to the addressing space of the target process we wouldn't need to use WriteProcessMemory, however it's a very good idea to do so. First and foremost WPM as described earlier overrides pageprotection. Second and also important - there is a difference in how pages in a process is handled between Windows 95 and Windows NT. If you patch a program's pages in Win NT (if it's not shared) it'll be copied and then the copy will be patched - thus the patch will not affect other processes utillizing the same module. In windows 95 this is not so. However WriteProcessMemory in Windows 95 has build in this mechanism ensuring that if you use WriteProcessMemory you'll not suffer differences between NT and 95. (This is not true if you patch above the 2g limit - which I btw cannot see why you'd do) Here at the end I'll shortly describe the caveats of this method. It requires a window. Without a window in the target process you can't do didly with this method. However you can use this method to inject a DLL into the address space after the window has disappeared and then patch the IAT to make a API-hook of it like in the Debug-approach section. Sourcecodes is avaible at: ************************************** NOT FULLY COMMENTED YET! :) --------------- Litterature MadMax (1998) - Cracking using kernel32??, by MadMax Feb 1998. ****************** Natzgul (1998) - Unknown tittle, by Natzgul Jan 1998. ****************** Iceman (1998) - Tweaking with Windows 95 memory, by Iceman jan 1998 ***************************** Pietrek, Matt - Windows 95 System Programming Secrets, IDG books 1995. MSJ (1995) - Microsoft Systems Journal May 1995, Jeffrey Ritcher. Various sourcecodes by Me :).. all can be found on my page ************************ ------------------------------------------------------------------------ ----- Thanks must go to: Patriarch / PWA, friend roomate and local expert. Random / Xforce, God of the PE-format Net Walker / Brazil Quine / HCU Acpizer / UCF, nah.. couldn't use what you send me.. but thnx anyways. United Cracking Force, my personal benefactor. All of which I had many enlightning discussions with. Also I'd like to thank HalVar/HCU WayneKerr/F4CG LordByte/UCF Madmax/HCU and many others for their encouragements email: ************ ***************** Stone/UCF'98 2nd&mi! ------ DOC END kind regards Stone / United Cracking Force '98 2nd&mi "Most people have a favorite Color. Call me sick, but I have a favorite data structure" - Matt Pietrek =====End of Issue 176=================================== ======================================================== +HCU Maillist Issue: 177 03/27/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: primitives and +HCU matters (fravia+) #2 Subject: OpenNT 2.1 #3 Subject: Re Re Personal Firewall ARTICLES: -----#1------------------------------------------------- Subject: primitives and +HCU matters (fravia+) Dear Vrax, you wrote: >In lesson 3.1 Master +Orc indicated that many >of the protection schemes >are derived from the twelve primatives You touched a very interesting question. I was puzzled (more than two years ago) by the same problem and asked more than once some explanations, +ORC never answered this question, probably because it had a not so innocent stalking meaning :-). So i searched for this, and it was a long, difficult searching session. There are only three references I have found (in 1997): all three of them East-european: a cracking discussion in Hungary, a short text about floppy protections from the University of Prag server and another primitive (that what +ORC calls 'best before': protections that are triggered at a certain date, no matter if and how much you have used the target, based on the date of other files on your machine, not on the system date), discussed in a long thread on Usenet by people that wrote part in english and part in polnish. Three of the contributors wrote there that there "are" 12 primitives, just like +ORC. So I used this knowledge to try to stalk +ORC himself, at the time I still believed he was Horak (the author of the KGB sniffer), but I got nowhere, and I still know only two of the primitives, and I doubt that the remaining 10 are anywhere to be found but in east europe (if ever :-( Anyway I came to the conclusion that the 'primitives' +ORC's spoke about are nothing else than the commonest OLD protections, from the CP-M prehistory, so that they would be probably of no use in these overbloated days... yet one never knows, if anybody knows anything about this, by all means get in contact with me, I'm very interested in this matter. I take this occasion to tell all readers of the HCU maillist that Master +ORC cannot be contacted at the moment, after having paranoidically renounced to his hotmail address (else I would have bounced him Vrax's question about the 'primitives'). +Alistair has finished his 'courses' and seems to have disappeared as well. +ORC has charged Aesculapius to take care of the HCU now, and he is therefore teaching and preparing the 'strainer' for next year +HCU, that will be published on my page this April. +ORC will (should?) take over in September when +he will come back to Europe having finally finished his long sabbatical year. We'll see. I will be in holydays between 4-20 april, +gthorne has the keys of my page if needs be. later friends, awaiting good essays from you +all fravia+ -----#2------------------------------------------------- Subject: OpenNT 2.1 Hi again, I'm still trying my luck to get this #$º$%& OpenNT 2.1 version to run... The keys for 2.0 really doesn't work in any way. However, I have used a brute force attack and generated a lot of keys hoping to find some valid ones... not so lucky with this. So please can someone of the gurus here give me a tip how to continue? I really have done everything I know about... Hopefully someone will answer. -----#3------------------------------------------------- Subject: Re Re Personal Firewall Hello Everyone Hello Warload >>I'm sure there are plenty more I don't know at >>this time but if you'd like to we can play around with it and see >>whatwe can come up with. Well I do not have Internet access at home and therefore Iam restricted to how much playing around I can do. I apologise for this. But Iam interested in learning as much as possible with regards to security and other matters. Also Iam looking forward to any future contributions that you may offer and thank you for the information you have already provided. cheers Rundus ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 177=================================== ======================================================== +HCU Maillist Issue: 178 03/28/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Dos-debugger detection & a thougt about ORC #2 Subject: My messagehook - source avaible #3 Subject: C/C++ Win32 Compiler ARTICLES: -----#1------------------------------------------------- Subject: Dos-debugger detection & a thougt about ORC Hi, I read an article about self-modifying code under DOS a couple of days ago, and (as probably most advanced crackers know) you're supposed to put an unconditional jump in front of your modified code, since this will flush the CPU's prefetch queue on 386/486. This could possibly be exploited to get a single-stepper-detection for DOS. I haven't tried it yet, but this might work on 386 & 486. For the Pentium, we'd have to go to a little further lenght to get this right. Pseudocode: cli ; Disable interrupts mov ax, 9090h mov bx, offset CriticalCode mov di, bx stosw ; NOP out the xor, the CPU won't notice since CriticalCode ; the code is already prefetched xor ax, ax cmp ax, 90h je DeBuggerDetected jmp DeBuggerNotDetected The processor on 386/486 will prefetch this whole code. The processor will prefetch the code, so that the NOP'ing out of the XOR won't have an effect. But if a debugger executes code in-between the stosb and the xor, the prefetch queue will most likely be flushed, and the NOP will be executed instead of the XOR, leading to ax=90 at our comparison instead of ax = 0. On the Pentium, Intel fixed this bug. To achieve the same goal now, (If I understood everything right), we'd have to find the PHYSICAL address for CriticalCode, then get ourselves ANOTHER Segment:Offset address which corresponds to the same physical address... I am not sure about this part though, the writer just told the reader that he doesn't have to worry about that stuff any more on a Pentium. A thought about ORC's western european heritage: I recently read an interview with Vesselin Bontchev (Bulgarian AV- Celebrity), where he talked about whole teams of programmers in the Soviet Union which were specialized in deprotecting and changing of copyright notes in commercial programs, which were EMPLOYED BY THE GOVERNMENT. It would be quite interesting to get more information about this program, since the idea of "12 basic prototypes" for protections sounds like something I'd be teaching someone who's going to learn a job... Just a couple of thoughts, correct me & shout at me if I'm horribly wrong :-) Halvar ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: My messagehook - source avaible Many thanks to all who have commented on my messagehook doc. The sourcecodes are avaible now: ******************************************** The final version of "In memory patching" will be out around the mid of the next week. enjoy, Stone / United Cracking Force '98 -----#3------------------------------------------------- Subject: C/C++ Win32 Compiler Sorry if this is off-topic, I just know that I was searching fo something like this for a long time: I had been searching for a C/C++ compiler which would a) not clog up my VERY limited HD space b) produce Win32 code Well, I finally found something interesting: A freeware w32-C++ compiler which is only 1.6 mb :-) It is not yet totally unbuggy etc, and the docs are hardly existant, but it's a nice compiler which (from what I've heard) optimizes the code pretty well: *************************************************** Have fun :-) BTW: I constantly stumble over huge amounts of cracking/virus discussions in the russian-speaking parts of the usenet; does anyone in here speak russian and know about the quality of these discussions ? And if they're worth it, does anyone know a basic guide to russian & cyrillic letters ? HalVar ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 178=================================== ======================================================== +HCU Maillist Issue: 179 03/29/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Privacy ARTICLES: -----#1------------------------------------------------- Subject: Privacy Once again a privacy subject! is there a maillist on the subject:privacy,ip masquerading,firewall setup,anonymous,intrusion,port intrusion,isp & router and so on? I mean a maillist not really about cracking discussion,and were fine to not mix everything in everything!and also fine 'coz i suspect that this maillist is too much released a to pubc and some huges knowledges people doesn't want to spread around those hints! +Fravia by his probable 100000 mails/days concerning all lamerest stuffs know what i mean. ok,if anyone can help on that,just mail me ******************** thanks to all ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 179=================================== ======================================================== +HCU Maillist Issue: 180 03/30/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: OpenNT 2.1 #2 Subject: Not-English discussion groups #3 Subject: Re: Privacy ARTICLES: -----#1------------------------------------------------- Subject: OpenNT 2.1 OK. I got my CD and re-using chown's key generator (slightly modified) I got the following: AAAAAABFRjU => Server AAAAAABa=Dk => Mystery 133 AAAAAAE3NBM => WorkStation AAAAAAFWiYY => Unknown AAAAAAFXHCU => SDK AAAAAAAFKxC => bad key? Now I'm not too convinced by this as the demo key's I have received give 'bad key' i.e. return of zero from one of the functions. In obtaining these serials I've basically used chown's program and hoped for the best - I've just assumed that everything has more or less stayed the same i.e. the return codes etc. etc. However, I can't (supposedly ;) test this as I don't have NT, but rather than fooling the script I've secured a copy of NT server 4 and will install soon anyway. If whoever has been posting (use a sig!) has success (or otherwise) with these please post a message. If you use IDA on MYDLL.DLL you get a beautiful disassembly - you also notice that things have changed since chown originally cracked this. Also using one of our newer tools 'wisdec' by Natzgul (thanks!) by decompiling the install script we can see some of the interaction: 000079A9: 0022 IF 00000001 != NumLocal[0004] THEN GOTO LABEL_0159 000079B7: 0023 StrCompare (StrLocal[0004],"") 000079BF: 0128 NumVar[0056] = LAST_RESULT != 00000000 000079D1: 0022 IF NumVar[0056] = 00000000 THEN GOTO LABEL_014A 000079DF: 00B4 MYDLL.verifyKey (StrLocal[0004]) 000079E7: 0021 NumVar[0057] = LAST_RESULT 000079EF: 0021 NumLocal[0005] = NumVar[0057] 000079F7: 006E NumToStr (StrLocal[0002],NumLocal[0005]) 000079FF: 00B4 MYDLL.whatIsThis (StrLocal[0004]) 00007A07: 0021 NumVar[0056] = LAST_RESULT 00007A0F: 0021 NumVar[004A] = NumVar[0056] 00007A17: 0128 NumVar[0056] = NumLocal[0005] = 00000000 00007A29: 0128 NumVar[0057] = NumVar[004A] = 0000012D 00007A3B: 0128 NumVar[0058] = NumVar[004A] = 0000012E 00007A4D: 0126 NumVar[0059] = NumVar[0057] || NumVar[0058] 00007A58: 0128 NumVar[0057] = NumVar[004A] = 0000012F 00007A6A: 0126 NumVar[0058] = NumVar[0059] || NumVar[0057] 00007A75: 0128 NumVar[0057] = NumVar[004A] = 00000130 00007A87: 0126 NumVar[0059] = NumVar[0058] || NumVar[0057] 00007A92: 0127 NumVar[0057] = NumVar[0056] && NumVar[0059] 00007A9D: 0022 IF NumVar[0057] = 00000000 THEN GOTO LABEL_0147 00007AAB: 0021 NumLocal[0002] = 00000001 00007AB5: 0013 StrLocal[0008] = StrLocal[0004] 00007ABD: 00B4 MYDLL.isDemoKey (StrLocal[0008]) 00007AC5: 0021 NumVar[0056] = LAST_RESULT 00007ACD: 0021 NumVar[0044] = NumVar[0056] 00007AD5: 0128 NumVar[0056] = NumVar[0044] = 00000001 00007AE7: 0022 IF NumVar[0056] = 00000000 THEN GOTO LABEL_0145 00007AF5: 0021 NumVar[0041] = 00000001 00007AFF: 0021 NumVar[0042] = 00000001 <LABEL_0145> REF: 00007AE7 | 00007B11: 002C Goto (LABEL_0149) <LABEL_0147> REF: 00007A9D | 00007B1A: 0021 NumLocal[0002] = 00000000 00007B24: 0091 CtrlSetText (StrLocal[0001],000003E8,"") 00007B31: 0013 StrLocal[000A] = "Workstation/Server Key Invalid" I'm sure that you can get something working when you get the IDA disassembly and if not, I'm sure you could crack it the 'conventional' way. BTW, has anybody had problems with wisdec? I've tried to use it about 5 times and this is the first time it has worked. The other times it has halted at around 27% with a 'richedit insertion' error. ~~ Ghiribizzo -----#2------------------------------------------------- Subject: Not-English discussion groups To: HalVar and others. Hi, Do not worry: you have nothing to lose no to be able to watch Russian cracks/virii discussion groups: they are numerous and of low quality, and refer to English sources, but the situation may change in the future. What you can find of good there (Russia) are smuggled software on FTP sites (look for ftp. ... .ru or .su), just browse their FTP, all titles are in English. But they do not like it and are now introducing passwords. More advanced discussion level is in Slovak, may be also in Poland. Good cracking tools from Russia are explained by participation of professionals or semi-professionals in the process: if they were in the West, they would not stay jobless: there are enough places in Micro$ for everybody to earn decently his living. It may be that some individuals were engaged in deprotection activities on the state level, but it is highly unprobable that they would share their experience in discussions groups or Web sites. I am almost sure that all big software companies anywhere in the world have such individuals in their service and for their service; and all industrial countries have some professionals for reverse engeeering, and probably they have created their powerful tools for themselves. In fact, what is being discussed in the user groups, it is on the artisan level and time-consuming. But we must thank all participants for free contri- butions in our hard society. Many interesting Japanese/Chinese/Korean FTP sites, in their native language, are being found. No knowledge about their discussion groups: I have to install their fonts on my browsers, which can now browse all fonts except from FarEast. The computer memory is becoming cheap, and one can afford installing many information-processing robots. Lcc C++ compiler (and others) has been lately offered on CD by a French cheap magazine WindowsNews. No interesting discussion groups in French German, Italian or Spanish. Interesting commercial channels (with passwords: see .sk site) are in Nordic languages. Nothing interesting in Hebrew or MiddleEast languages: only politics. Cultural programs may be found on some Indian Websites, with free Devanagari (Hindi) fonts. AZ111. -----#3------------------------------------------------- Subject: Re: Privacy >is there a maillist on the subject:privacy,ip masquerading,firewall >setup,anonymous,intrusion,port intrusion,isp & router and so on? There are plenty of documents about that floating around. rhino9.org used to have some, Phrack is a good source etc. Once you get past the basics, subscribe to bugtraq and read. There are a couple of smaller maillists around, but many of them are full of lemurs who run 'sploits from rootshell and go on IRC and brag about everything... I'm not saying there are no better mailinglists, I just don't know of any. >maillist is too much released a to pubc and some huges knowledges >people >doesn't want to spread around those hints! Be assured that the information on hacking & intrusion is spread out VERY well :-) For most parts it consists of Unix and TCP/IP programming, get a good book on unix, install Linux or FreeBSD, learn C, get a book on sockets programming which includes raw sockets and a doc on UDP and TCP packets and youre pretty much set. Halvar ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 180===================================