Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Library / +HCU / 191-200.TXT < prev next >

Wrap

Text File | 2000-05-25 | 44KB | 1,200 lines

======================================================== +HCU Maillist Issue: 191 04/12/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: answer to the question about the differences between WinIce and SoftIce #2 Subject: WINICE and SOFTICE confusions for newer users #3 Subject: gthorne - 'spycatcher' #4 Subject: van eck ARTICLES: -----#1------------------------------------------------- Subject: answer to the question about the differences between WinIce and SoftIce j;Sô┬r▒╤╝æyV╦kuτ Reply-To: biGhEAd ********************* Priority: Normal Message-ID: ************************** To: ************* Subject: answer to the question about the differences between WinIce and SoftIce Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit As I know, there're four Numega's SoftIce verisons for the four popular OS of PC: DOS, Windows 3.1(WIN16), Windows 95&Windows NT(WIN32). WinIce just means the Windows version. Ha...., too easy, isn't it? +biGhEAd(4/11/98) -----#2------------------------------------------------- Subject: WINICE and SOFTICE confusions for newer users Message Body = winice is simply the 'other name' for any version of softice that is not the DOS-only version (softice for WinNT, for Win3.1, for Win'95) I can see how that would be confusing to people who are not familiar with the pseudonym many programs have pseudonyms, often hidden for example, if you see reference for 'GODOT' it is referring to a version 3 winice photoshop 4 is known as the 'big electric cat' (ever hold down the alt key while loading the about-box/splash-screen?) no wonder since it is such a memory hog... win95 called CHICAGO (the not-entirely-hidden ID code used by win95 apps to identify themselves as win95 native) newer versions called NASHVILLE and CAIRO just for the sake of having identity crisis alleviated when people talk about win95 upgrades (or just being silly maybe... who knows or cares) the list goes on and on and on +gthorne -----#3------------------------------------------------- Subject: gthorne - 'spycatcher' Message Body = interesting book AZ111, i recently noticed i have at least 2 copies of it in hardback among my collection so many novels i never remember what i have already purchased unless i go through all those attic crates before running to the bookstore anymore (same with my software collection which is a problem i am sure many of you have had in the past (or now even ;) sometimes i wonder whether it would be worth it to hire a high school student as a librarian... +gthorne the collector (read: never seems to get rid of anything) -----#4------------------------------------------------- Subject: van eck Ghiribizzo, that subject that you have recently wrote about is quite interesting. Just one question, if the tempest specs are so classified and basically anything on the subject, where do you get this info? I would be happy if you could provide me with some more info on this. :) =====End of Issue 191=================================== ======================================================== +HCU Maillist Issue: 192 04/13/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: A rose by any other name... #2 Subject: van Eck device #3 Subject: NT, OpenNT and lack of time #4 Subject: RE: gthorne - regarding computer deletion and lack of security #5 Subject: van Eck ARTICLES: -----#1------------------------------------------------- Subject: A rose by any other name... SoftICE was the name of the original DOS debugger. Later versions were made for win3.1x and then win95/98/NT. The win versions are 'nicknamed' winice. I don't know if that is the official name. At least on my sice documentation (3.22/95) it still calls it SoftICE. A lot of the executable files etc are called winice.xxx Since win95 has become the dominant OS for cracking, most people freely interchange the two terms. It's a quirk I haven't really noticed before, but it's nothing to worry about really. ~~ Ghiribizzo A sice by any other name... ...would trace as deeply... -----#2------------------------------------------------- Subject: van Eck device Right. Briefly put, the device resembles a TV with an antenna attached to it. You need a directional antenna, this allows you to pick out a single pc in a whole building full of them. The signals from the antenna will need to be re-synced to display on the monitor. The whole lot will need some shielding to prevent inteference (shielded cables etc.). If you want to save it onto video, you may need a time base corrector as well. If you want to go for cheap, you can probably use your TV. All you need to do is 'tune' the signal in with a sync generator and you can record the results direct to video. Not very portable though :) You can buy them pre-built from various shops (prices and quality vary). I bet there's even a 'how to build a van Eck device' tutorial on the web somewhere! :) I've been discussing it with a friend who's much more into electronics than I am. He thinks there may be difficulties in sorting out the RGB signal, but I think there shouldn't be too much trouble. I'll let you know in the summer if I get round to building one. ~~ Ghiribizzo -----#3------------------------------------------------- Subject: NT, OpenNT and lack of time Grrr. After getting a source for NT Server 4, I decided to wipe my hard disk completely... bad move. The CD didn't arrive till much later than expected and the free time I had to install the whole lot was gone. Well, after a few days/weeks of having a crippled computer, I finally found time to reinstall a lot of stuff AND got the CD. I've done a partial install of NT and even had time to have a look at OpenNT. Well, I now see what Muso meant. Here's what I've got so far: #The serial check at setup is passed (for the serials I gave) #The serial is checked at runtime (and fails). posix.exe is responsible, though others are involved. Interesting way of putting in the 10 sec delay. #My given keys had expired but the prog was not sensitive to clock adjusts. #posix.exe and mydll.dll has some very suspicious code in common. I suspect it to be the verify routines. Well, that's all I could get in the free time I had. I've uninstalled the lot now anyway. If I get time during the summer, I'll have a look at it (if no other more appealing targets arrive). Good luck, Muso. You may wan't to rip code from posix.exe if you're after the keygnerator. You could also possibly hack the mydll.dll to do the same thing as it seems that the 'true' verify routine is simple wrapped by a secondary interface for the setup. IDA comes into it's own on this one. ~~ Ghiribizzo -----#4------------------------------------------------- Subject: RE: gthorne - regarding computer deletion and lack of security > is it any wonder why the US military (probably in the > TEMPEST specification on comupter security) only > considers a hard drive clean after being overwritten 7 > times completely with zeroes? Actually, overwriting with zeroes is maybe not good enough. One should overwrite with different patterns like: 00 FF AA 55 and possibly some random values also. Jack of Shadows Windows NT crashed. I am the Blue Screen of Death. No one hears your screams. -----#5------------------------------------------------- Subject: van Eck To: mystery writer >>> Ghiribizzo, that subject that you have recently wrote about is quite interesting. Just one question, if the tempest specs are so classified and basically anything on the subject, where do you get this info? I would be happy if you could provide me with some more info on this. :) <<< Well the Tempest specs are classified, but many people have written papers about e/m leakage. We don't even know if the US gov are at the forefront of this area. I really don't know all that much about it. Do a web search, you'll find what you need soon enough. There are also many good books (I was recommended one called 'information warfare' or 'information warrior', you'll find recommendations when you look around) also there's a privacy emailing list which has good stuff on it. Hope this helps. ~~ Ghiribizzo =====End of Issue 192=================================== ======================================================== +HCU Maillist Issue: 193 04/14/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: OpenNT 2.1 #2 Subject: Re: computer deletion #3 Subject: Speaking of Winice and more... ARTICLES: -----#1------------------------------------------------- Subject: OpenNT 2.1 Hi it's Muso, after Ghiribizzo had a look at OpenNT again, I'm happy that he discovered the same 'strange' behaviour. These guys really have done a pretty interesting protection-scheme (that means one that accepts the old-keys in the first step but rejects them in the second...). However, as Ghiribizzo noted there is a 10 second delay, which can be passed by setting it just to 0 (I used this to test my key I have generated with the OpenNT 2.0 keygenerator). I know that they use some DES encryption technique (you can see references to a DES-Endinge in the code). I have the 'feeling' that the protection scheme didn't change a lot but that the keys now must fullfill some other properties. Among those properties stuff like the following might be possible: - they keys have a special cross-sum (sorry I don't know if that word exists) - the first X chars are a random seed which leeds to the rest of the chars by iterating as often as chars are missing - etc. I could think off about thousand different properties such a key must fullfill to be accepted by the posix.exe program. I will use IDA on posix.exe and have a look if I can find something interesting. So -----#2------------------------------------------------- Subject: Re: computer deletion I finally remembered where I read about the 3 pass overwrite. It was back in the old DOS days and a Norton Utility - "WipeInfo". Here's a bit of text from the manual: ~~Begin text <fontfamily><param>Times New Roman</param>When a new file overlays an old one, it may not fill the last allocated cluster, leaving an area at the end called slack. Slack is very likely to contain residual data from deleted files. Although it doesn't show up in your directories and files, your hard disks and floppies could he full of data you don't want prying eyes to see. A bit-wise snoop could use a program like Disk Editor to read the data right out of your clusters. To make matters worse, even when you overwrite bytes, traces of the old data may be left "underneath" the new data. Why? The disk recording head can't set in exactly the same position every time it accesses a track. The minute differences are well within the hardware's own tolerances, so a drive may not he aware of old data in the track. But devices can be (and are) constructed for picking up these forgotten fragments of data. For all these reasons you would be wise to wipe, and not just delete, confidential data from your disk. That's where Wipe Information comes in. Wiping consists of completely overwriting an area on your disk with a value of your choice, such as 0. So, when you delete a confidential file, wipe it instead. When you prepare a diskette to be sent to a client, a colleague, or anyone else, wipe the diskette before copying new files onto it. If you are concerned about people using devices to lift data from the edges of wiped tracks, wipe the disk several times using different values. The more times you wipe it, the better your chance of opubterating data at the edges of the track. The U. S. Department of Defense has developed standards for wiping confidential data from disks (DOD 5220.22M): l. Overwrite the area first with Os, and then 1s, at least three times. 2. Overwrite the area with a random value. 3. Verify the last write. If for some reason this verification test fails, an attention message informs you that the disk should not be considered completely wiped. </fontfamily> ~~ End Text The manuals that come with Norton are actually quite good - especially the 'Disk Explorer' manual. I don't know if you can still get them. ~~ Ghiribizzo -----#3------------------------------------------------- Subject: Speaking of Winice and more... F. =====End of Issue 193=================================== ======================================================== +HCU Maillist Issue: 194 04/15/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: IDA #2 Subject: Rubberduck #3 Subject: IDA serial reversing #4 Subject: none #5 Subject: Re: what's new in ida 3.74 #6 Subject: Problems with the list ARTICLES: -----#1------------------------------------------------- Subject: IDA I think that IDA Pro is one of the most incredible tools available to crackers at the minute (thanks Hackmore). One problem at the moment is the large idb files it generates makes it difficult to transport between crackers. However I think one alternative is to supply the changes made (i.e. renamed functions/locations and changes in data/code/etc.) Rather than just exchanging by a list I was wondering whether we could use IDA to automate part of the process. Applying the changes would be easier as we can use the 'g' command to jump to a location and apply the changes e.g. 'n' - if we can parse an external change file. I suspect the IDC language can handle this. Reading a list of names may be more difficult as I don't think there is a command to simply jump to the next named location etc. Now I haven't had much experience in IDC programming which is why I am appealing to the more experienced IDCers amoung you here. As I have mentioned in a recent post, I am short of time at present, but this is something I will follow up. Anybody want to work with me on this? Also, does anyone know what new features have been added to 3.74? Is it very buggy or not? There seems to be a big fuss about it on the Cracking Forum at the moment but I'm so happy with 3.7 that I haven't really thought about upgrading. ~~ Ghiribizzo -----#2------------------------------------------------- Subject: Rubberduck Hi to everyone, i've meet a new challenge with a "wonderful apps" for all acid-fans! Rubberduck 2.0 demo the 0.85/1.02 was still a bit nasty to register,since a keymaker come out to a perfect reg,but now 2.0 is here and all i would know if: is this tool possible to be registered still as demo said,bcoz some inside tell strange things,i'm not really a newbie in crack but want opinion from other dudes here! can get it at: ************************************************* Hope hear from this soon! enjoy... ______________________________________________________ Get Your Private, Free Email at ********************** -----#3------------------------------------------------- Subject: IDA serial reversing Have any of you looked at Ghost 4.1b? It's available from the makers (<500kb download) do a web-search for homepage as I've forgotten it. Download the 'registered' upgrade version not demo. I decided to take the long approach and use IDA to reverse a lot of it. Then I decided it would save a lot of time to do some live work. Unfortunately it uses a dos extender and can't be debugged straight off using sice (all versions) TD or debug. Anybody got some ideas to get around this? The protection itself is quite interesting as it is DOS and you can also figure a lot about the serial composition just from poking around in IDA. I just downloaded AZPR (following thread from the Forum). It doesn't seem as good as FZC but is commercial so has protection! I thought I'd do the same thing and get some practice at IDA reversing and spent 20 minutes with NTIce. I found the meat of the protection and have reverse the first phase of the protection. The next two look a bit more involved so I stopped there. AZPR.idb is <2mb ghost.idb is <8mb if anyone wants them. ~~ Ghiribizzo -----#4------------------------------------------------- Subject: none Hello Everyone FYI, an article in a newspaper. "Software pirates beware. Vans with special aerials might soon be patrolling the streets of your town to track down unlicenced computer programs, or so London's New Scientist weekly claims." "Experts in Cambridge, England, are said to have developed a way of incorporating a code in the electromagnetic waves emitted by computers. The code can be read up to 40m away from the computer , it seems." "Computer specialists Markus Kuhn and Ross Anderson have devised a trick by which to include the serial number of a computer program in text. A modified TV set receives the signals emitted by your computer to make the hidden serial number visible, Mr Kuhn says." However, Microsoft has refused to take up an offer to use the technique, worried electronic eavesdropping might give the company a bad name." ( Abit late for that type of thinking.) "That said, the attempt to eavesdrop in this way might well be doomed to failure. Researchers have also developed software to reduce the screen contrast and so to protect the data from eavesdroppers." "Mr Kuhn claims this procedure obscures the radiation emitted so effectively that it cannot even be deciphered by a monitor placed right next to the computer." cheers Rundus ______________________________________________________ Get Your Private, Free Email at ********************** -----#5------------------------------------------------- Subject: Re: what's new in ida 3.74 Oops. I forgot they sent me an email telling me what was new. Nice to have a bug fixed version, but I don't really have any major problems with it. I can also do without the new functions so I'll stick to 3.74.. unless someone tells me that it really is worth the upgrade. ~~ Ghiribizzo What is new... -------------------- This is mainly a maintenance release version. We have fixed all known bugs, when they could be reproduced. Interface : the text selection with shift-arrows is now cancelled as soon as a non shifted cursor movement occurs. For the convenience of selecting whole segments, functions or similar objects, the ALT-L method still works. Text Search is now able to use regular expressions. It is now possible to insert or remove an undefined byte from the middle of a structure. This features allows to recover gracefully from an incomplete initial structure definition. A small assembler for 80x86 processors has been added. This feature allows you to patch the input program directly. Two new IDC functions have been added: GetInputFile() - returns name of the input file Exec(cmd) - executes OS command See IDC.IDC for complete language information. The ARM 7xx family of processor is now supported. Note : the ARM module is currently available free of charge but isn't included in the on-line version. Please request it directly if you are interested. -----#6------------------------------------------------- Subject: Problems with the list Hi all! Lately, the server which handles the maillist had some problems and a few letters were lost (sorry Gthorne, yours letters just gone) or truncated. Sorry, for the inconvenience, hope they will fix the server soon. However, I will soon resign as list manager and try to pass the list to another HCU member. This probably will cause some temporary problems like missing issues, lost letters etc. Please, bear with us. Thanks Zer0+ =====End of Issue 194=================================== ======================================================== +HCU Maillist Issue: 195 04/16/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Packing & Unpacking #2 Subject: list problems #3 Subject: RE: new tricks (was none) #4 Subject: 3m satellite program #5 Subject: IDA v3.74 and .IDC updates #6 Subject: Van ecch ARTICLES: -----#1------------------------------------------------- Subject: Packing & Unpacking Hey all, I know this is for those RE fans out there a dumb question, but I seriously don't know any better: If I write a packer, what would prevent anyone from simply unpacking it manually ? How would I create a "hard" packer ? The first answers that pop into my mind would be: - Divert from standard rules. Rule No. 1: Don't have the first RET be the end of your decrypting routine - Anti Debugging tricks. Unfortunately, there are not too many under Win95. SEH would be a feature to lock out all Ring-3 Debugger, the thing would still be vulnerable against SICE though. Most Anti Debugging tricks are unfortunately in DOS and get you into serious trouble in a PMODE environment... - Mess Up the original executable so that the presence of the decrypting routine is required for the prog to run. Change it in a way that can't be easily undone. I don't know, but all these things will be pretty helpless against someone who sits down with SICE for some time and thinks a bit... Anyone out there who can point me to some resources about how to make unpacking hard ? HalVar ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: list problems Yes, I've noticed that my daily cracking 'fixes' have been delayed a few times :) If the list ever goes down for a significant length of time you can always use the RE Forum: ******************************************* The advantages are speedier turnaround (instantaneous!) and greater readership, but the tone is a bit different from here. Still, if the list goes down, it's better than nothing. I'd like to thank Zer0 for maintaining the list up till now. He's done a great job and I'm sure we've all benefitted from the list. Thanks. ~~ Ghiribizzo -----#3------------------------------------------------- Subject: RE: new tricks (was none) whered you here this?? well I guess if they start puttin this stuff into software then itll be harder for crackers to do their job... TecH_bOi -----#4------------------------------------------------- Subject: 3m satellite program Hello all, I was wondering if anyone wanted to try to crack a funny little program (about 500kb) which is quite restricted, because it is only for dealers in Access cards. It seems that it allows one to program these cards and watch satellite TV for free. Someone sent it to me while I was on #cracking on efnet. Anyway, I thought it would be easy, just the usual looking for the calculations of the key, but I trace, and I trace, and I can't bpx on any function, I get no find on string searches on IDA and WDASM. Very funny. Using smartcheck, I get that the program uses ZERO win32 functions. It seems to me that it verifies each keystroke, but I am not sure. In any case, if someone's interested, pls e-mail me at ************** and I will send the program as an attached file. However, besides telling me where to patch, or making the patch yourself, please explain to me a little how you found it, what I had to be looking for, etc. Not a +HCU article, but just a little explanation. Thanks, WAFNA -----#5------------------------------------------------- Subject: IDA v3.74 and .IDC updates > I think that IDA Pro is one of the most incredible tools available to couldnt have said any better ;-) > large idb files it generates makes it difficult to transport between crackers. 1. they're not so big if you compress them (either with the built-in gzip or your favourite compressor). 2. if your partner already has the executable or its .IDB in question, it's enough to transfer the .IDC version of the database (which can be very well compressed as it is a text file). the trick is to comment out the Segments() and GenInfo() calls in the main() function and then load this .IDC script into IDA (of course open your .IDB first ;-). or you can do a clean start by deleting all segments and executing the full .IDC script. > Also, does anyone know what new features have been added to 3.74? Is it > very buggy or not? There seems to be a big fuss about it on the Cracking > Forum at the moment but I'm so happy with 3.7 that I haven't really thought > about upgrading. as far as i can tell it has no serious bugs, in fact they did fix some old ones indeed ;-). and they didnt change the .IDB version number either so you can still interact with users of v3.7 if you have to. > I decided to take the long approach and use IDA to reverse a lot of it. > Then I decided it would save a lot of time to do some live work. > Unfortunately it uses a dos extender and can't be debugged straight off > using sice (all versions) TD or debug. Anybody got some ideas to get around > this? well, sorry to correct you, but DOS extended apps can be debugged with winice ;-), it just takes a bit more work on your side. for an extensive doc see ************************************* they say that only the NT version can do the trick, however i did successfully use even the win 3.1 version for such a purpose (in fact, that winice is still my favourite one when it comes to debugging DOS4GW extended programs... ;-) i guess i even mentioned it in my softice doc that's available on Fravia's site. > Oops. I forgot they sent me an email telling me what was new. Nice to have > a bug fixed version, but I don't really have any major problems with it. I > can also do without the new functions so I'll stick to 3.74.. unless > someone tells me that it really is worth the upgrade. declare a structure with 20-30 members (like the BreakPoint structure in winice ;-), then define this structure in the data area of your program where each field has say 20-30 references, then press ctrl-x at your structure's start address and see how many of the xrefs show up there... this bug can be quite annoying when you use the ctrl-x window for quickly getting to the cross-referees (and one more reason to go to 3.74 ;-) well, i'm not saying that v3.74 is perfect, eg PUSHA/POPA still doesnt modify the internal stack pointer at all... > The ARM 7xx family of processor is now supported. Note : the ARM > module is currently available free of charge but isn't included in > the on-line version. Please request it directly if you are > interested. if anyone got this module please share it with us. i tried to get it a couple of times in vain (yes, i am a registered user and they fucking ignored my requests, although this didnt use to be the case earlier...). regards, the owl -----#6------------------------------------------------- Subject: Van ecch --Sorry to jump in so late on this, I was out of town for awhile. OK, about Van Eck. This stuff may be a little dated, but it should give you some ideas what is going on. (hmmm, I haven't heard the term VanEck in over five years...) Van Eck devices capture transient radiation emitted by the photon gun in your monitor...i.e. it is a "monitor-monitor", being that it re-creates on a second monitor (hooked up to the VanEck device) the images being painted on the first. Apparently this was a real problem with computers in the early 80's, back when there were still some home-builds out there and the FCC hadn't figured out that computer monitor rads interfered with standard televsion reception (so your neighbor got your WordStar layout over his 6 o'clock news). Range is usually a few miles/km, but with more sophisticated (lab-quality) all-band receiving equipment you could have basically unlimited range. Once the FCC and similar agencies started shielding monitors, the effectiveness of VanEck devices apparently went down...but now with the high-freq SVGA monitors it is back in use. Note that alternate emissions may be recorded; one source claims he could hear keyboard inputs (and cursors blinking) using a high-end scanner. Van Eck devices can be defeated for specific machines by using a scanner etc to test for emmission frequencies, then build a transmitter using those frquencies to jam the computer emissions. Also a place called Deco (deco industries?) once produced something called a VT-75 that jams VanEck emissions. Also computer facilities configured to the Tempest specification are considered immune; Tempest has many ratings (I think the NT C2 rating is part of this...A1 is the highest, D is the lowest; anti-emissions are probably only present in A-class systems). Home-builds: You can experiment with B&W TVs and scanners; supposedly if you use a B&W TV and hook up a sync generator (this can be jerry-rigged with 2 555 timer chips, but I have no idea how) you can intercept signals from a few blocks. Commercial systems have a range of miles and can isolate one terminal out of thousands...it's all in the antenna, kind of like using a shotgun mic to isolate a single conversation... Where to get them? I've heard Datasafe and Consumertronics Co; SPY Supply apparently sells plans (these are from old notes, these places may not exist). Plans run maybe $100 US , devices $1000-$25000 US. ----- Ghiribizzo: About IDA, how about echanging .diff files (using fc or somesuch) if the idb files are the same size? or maybe just the .nam file (snatched in mid-edit, before you quit IDA) _m ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 195=================================== ======================================================== +HCU Maillist Issue: 196 04/17/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Dos Extender #2 Subject: Ghost 4.1b - A game of Higher or Lower #3 Subject: gthorne-testing #4 Subject: Advanced API Debugging infos requested. #5 Subject: re: .idc updates #6 Subject: IDA 3.75 released ARTICLES: -----#1------------------------------------------------- Subject: Dos Extender >Then I decided it would save a lot of time to do some live work. >Unfortunately it uses a dos extender and can't be debugged straight off >using sice (all versions) TD or debug. Anybody got some ideas to get around >this? What kind of DOS extender does it use ? If it complies with the DPMI standard, it is usually no problem to run in a Win95 DOS box and use Winice to debug it. If the program utilizes the standard commands and it is the extender itself that's screwing it up, strip the extender from the prog. The DOS-Box in Win95 automatically offers DPMI services. If it doesn't and forcefully sets the CPU to pmode, you'll probably be in for quite a ride. I haven't tried it myself yet, but you'd probably have to a) disable the switch to pmode and then either 1) break each time it tries to mess around with the pmode directly and create the descriptors it is trying to create by in the LDT and give the progrsam back it's selectors... It's going to be a pain and a mess. If the program tries to write to the GDT, you'll have to find a way around that, too... I seriously doubt this is possible at all...well, forget this idea, it's bull; take 2: 2) Majorly fumble around with the programs own code, replaceing all the code that will prevent it from running in W95 with DPMI compliant calls. A lot of work, but with IDA at hand not that much of a problem. Either way, my method is NOT clean and certainly not worth the effort unless it is ABSOLUTELY necessary... HalVar ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: Ghost 4.1b - A game of Higher or Lower Well, I the prosect of coding a brute forcer didn't appeal to me so I took another look at the key hashing algorithm and spotted a weakness. It did not require a fixed length key and was approximately a linear function (well maybe not linear, I didn't bother to run stats on it and plot it or anything, but at least roughly increasing) so it wasn't too hard to get the serial by hand in NTice - numerical analysis does have its uses! It took me less than a minute. This has been one of the most enjoyable cracks I've ever done and the game at the end was just a bonus. Thank you Ghostsoft. ~~ Ghiribizzo -----#3------------------------------------------------- Subject: gthorne-testing Message Body = testing posting please ignore this message -----#4------------------------------------------------- Subject: Advanced API Debugging infos requested. Hi all, In order to improve the tracer of ProcDump, I need info on how to use the following APIs : SetUnhandledExceptionFilter & UnhandledExceptionFilter. Any help about it will be welcome.... Please don't paste me the API help... It is useless and I have already looked at it. Moreover if someone could send me the PSAPI.DLL include file (might be in NT SDK), it would be really appreciated. G-RoM "If it can run, it can be defeated." -----#5------------------------------------------------- Subject: re: .idc updates >>Unfortunately it uses a dos extender and can't be debugged straight off ^^^^^^^^^^^^ I thought that there were ways you could debug dos extended programs with a little work. Someone wrote a tutorial about a year ago and did this (yamato?). I was wrong. Using NTice you can just debug it straight away. I just placed a CCh at the point I wanted to break in at and it worked! Thanks for the link, it has actually changed a little: ************************************ Ghost uses a serial/key hash compare type protection (i.e. serials and key are hashed with different algos and the hashes should match). By using NTice I could just sniff one of them and then use brute force to get the other to match. (of course you could also write inline asm to get the prog to show the hash). IDA proved itself again by providing most of the asm necessary to build the brute forcer. Cracking Ghost this way has been an excellent exercise and I recommend it to all of you (esp. those of you like me who are getting rusty on DOS cracking!). Nice to have to reverse little procs instead of just seeing GetStrLengthA etc. Thanks to OWLs advice, I've made an .idc file which has my disassembly in for those who want to look at the protection who don't have the time to reverse it themselves. The file is ghost.zip and is available at my site (unlinked). It is 336K - a big improvement on the 8 meg idb file! >(and one more reason to go to 3.74 ;-) looks like another 10mb d/l ;( >>> if anyone got this module please share it with us. i tried to get it a couple of times in vain (yes, i am a registered user and they fucking ignored my requests, although this didnt use to be the case earlier...). <<< Do you have a password to access their site? If so you can d/l from there. ******************** Also, there's a mailing list for IDA to inform you of updates. I can't remember how I got on it. Does anyone know what the difference is between the freeware version and the normal version? Or the student version? I asked for pricing information and I need to pay 21% more because of VAT from the Europe distro site :( ~~ Ghiribizzo -----#6------------------------------------------------- Subject: IDA 3.75 released They've learned not to give out the demo this time! (see comments on the forum for new features etc.) ~~ Ghiribizzo =====End of Issue 196=================================== ======================================================== +HCU Maillist Issue: 197 04/18/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: re: dos extender ARTICLES: -----#1------------------------------------------------- Subject: re: dos extender >>> What kind of DOS extender does it use ? If it complies with the DPMI standard, it is usually no problem to run in a Win95 DOS box and use Winice to debug it. <<< The program used Phar-lap DOS extender, but the problem was that it was built into the program so I would have had to locate the DPMI startup code etc. However, NTice deals with it perfectly so I didn't need to bother. ~~ Ghiribizzo =====End of Issue 197=================================== ======================================================== +HCU Maillist Issue: 198 04/20/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Again on my satellite program ARTICLES: -----#1------------------------------------------------- Subject: Again on my satellite program Hello all, this is what I received from Pepper of PC, who is quite good at cracking: >>>>>>>>>>>>>> That prog is a beast - no idea at all. I only can break into with BPX ShowWindow but that helps nothing. I only saw progs like that once or twice - seems to be seldom used compiler or whatever... Also: VB4 progs mostly I end up. You see - one cannot crack everything. I have 2 or 3 progs I work since months without success... Pepper >>>>>>>>>>>>>> anyone else wants to try my program? In summary, it's 500KB long, and it's used by satellite access card dealers to program the cards. While I'm not in Europe, and therefore unable to use the program for anything, I think it's quite a good cracking challenge. So far, about three people on this mailing list have asked for the program. If anyone else wants it, please e-mail me at ************** Thanks, WAFNA =====End of Issue 198=================================== ======================================================== +HCU Maillist Issue: 199 04/21/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Dongle ARTICLES: -----#1------------------------------------------------- Subject: Dongle Hello I search informations on dongle named ACTIVATOR by Software Secutity Inc. Thanks for your help. =====End of Issue 199=================================== ======================================================== +HCU Maillist Issue: 200 04/22/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Dongles ! ARTICLES: -----#1------------------------------------------------- Subject: Dongles ! Since we talkin bout dongles: I'm trying to crack a progiie (dongle protected) that does'n break on bpio. I don't have the time to make that dongle procedure detector pluged ino the lpt port and it starts to get me nervous. Has anyone of You seen a proggie that woldNOT brake on bpio ??? It is HASP protected proggie called Norma and I don't know if You can dl the demo but if U are interested i can try to send the minimized version. By the way, could polish readers contact me ?? I don't know anyone on polish cracking scene, but i've seen some polich adds. Kubak ********************** =====End of Issue 200===================================