Text File | 2000-05-25 | 73.3 KB | 1,979 lines
========================================================
+HCU Maillist Issue: 101    12/29/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: stegonated image cracking

ARTICLES:
-----#1-------------------------------------------------
Subject: stegonated image cracking

Hi all!

Is anyone else working on cracking the latest stegonated image on
fravia's+ page? If so, I'd like to discuss methods with you... see if
we can crack it together.

Cya,
+ReZiDeNt

=====End of Issue 101===================================

========================================================
+HCU Maillist Issue: 102    12/30/1997
========================================================
CONTENTS:
#1 Subject: fravia's presents for the new year!
#2 Subject: Timelock 3 DLL

ARTICLES:
-----#1-------------------------------------------------
Subject: fravia's presents for the new year!

1) In case this is of any use to you:
*********************************************************
and for pcAnywhere 8.0, Norton Utilities 2.0 W95 and Norton Safe, on
the web:
****************************************
and ../misc/noru201.exe
and then, after 201 has downloaded, .../misc/niru202.exe..
and last but definitely not least ..../misc/nsw100.exe..................

happy new year!!!!
later
fravia+
(original present by KashmirRED)

2) So you can't crack Fabian's Steganos?
Should I repack the images with a shorter password?
Hint: think that the FINAL "product" formula is ************

later
fravia+

-----#2-------------------------------------------------
Subject: Timelock 3 DLL

Hi All

Nice to see a frequent cracking news item in my mailbox.

Has anyone taken a look at the new Timelock 3 DLL now starting to become
used a little... IMSI TurboCAD 4, WinDelete. Taken a quick look at the
thing; unlike 2, the usual search for the real password echo seems to be
fixed by them. Some nice little export refs acknowledging the cracking
crews are looking :). Seems to take a few strange code routes and is a
new ball game I believe.. when I get a sec will take a look.

Copies hidden files to root and win\sys dir which are full of junk; also
has an Elan-type LIC file copied to the progs dir which gets written to
on each run of the app.. Rezident, here we go again!.. and copies masses
of registry classes info to confuse the installer tracers... but I found
'em....

File now used seems to be called tl3inj or something of that nature...

Anyone had any luck dumping a password from a HASP dongle? Need it to
re-enable a go-limited version of a MemoHASP key. And CRCs: is there a
usual pattern for 16-bit progs..?

Tnx
KaziL

=====End of Issue 102===================================

========================================================
+HCU Maillist Issue: 103    12/31/1997
========================================================
CONTENTS:
#1 Subject: MSIE defeating
#2 Subject: steganography
#3 Subject: Softice Update

ARTICLES:
-----#1-------------------------------------------------
Subject: MSIE defeating

Anyone would like to work on this?

later
fravia+

----forwarded mailman to fravia - fravia to HCUmllist main

Hello. It's been a while since I've written, Fravia.
I just wanted to mention that the MSIE detector function
(uagent.indexOf("MSIE") == 25) on all the JavaScripts can be defeated by
hexing urlmon.dll. It would be interesting if you discovered a better way
to detect the browser...

mailman
----end forwarded

-----#2-------------------------------------------------
Subject: steganography

Hello Alt+F4,

> Has anyone cracked the pictures on the steganography page?
> The text file includes a lot of goodies (Even a Cosmological view of
> the closest 2300 galaxies!), but no link to the advanced Steg page.
> Presumably I either did something wrong, missed out on something,
> or Fravia was just joking. I would be interested if anyone else has
> had these problems (Some of the links connect to fravia.org, which I
> can't connect to, so maybe the advanced page is there)

Yes, I have cracked the first round of images. It took me about an hour -
but there was no link to the advanced page. I asked fravia+ about this
and he told me he hadn't had the time to put one up, as he didn't expect
anyone to crack the pictures for a while.

There is now an advanced page, the link for which is hidden in a
different set of images: the ones at the bottom of the steganography
page. This one is much harder to crack, however, and I have not been
able to do it yet. fravia+ has told us that he used an eight character
password (using only letters) - since the password is case-sensitive
there should be 52 ^ 8 possible combinations. There is no way I could
try all of those, I need to use my computer :-)

Having said that, I suspect there is another way of getting the password.
I'm pretty certain I know that Steganos hides the encrypted password in
the image... or at least the checksum of the password...

Cya,
+ReZiDeNt

-----#3-------------------------------------------------
Subject: Softice Update

Hello everyone

Has anyone downloaded the SoftICE update SI322P95.exe, size 1.56M bytes?
I have several times over the last couple of months, but every time I run
the exe I get the error message "not the correct size or file corrupt".

cheers
Rundus
______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 103===================================

========================================================
+HCU Maillist Issue: 104    01/01/1998
========================================================
CONTENTS:
#1 Subject: steg
#2 Subject: news

ARTICLES:
-----#1-------------------------------------------------
Subject: steg

Hi +Alt-f4, hi All! :)

> Has anyone cracked the pictures on the steganography page?

I-DID-IT!!! :))) 20 mins of brute force... :) I'm very proud of my little
proggie! :))) Did you use brute force too or find another method?

byez,
.+MaLaTTiA.

-----#2-------------------------------------------------
Subject: news

Hi All :)

We've reached issue 100! It's great, don't you think? I've added the new
issues to the +hcu ml page and didn't hide the spammers' addresses in
issue 99. Ehe. I hope some antispammers will read it :))

I'm collecting some links and adding them in my main page:
*************************************************
If you want your address to be added (or want me to delete it from the
list) just mail me at *****************

Ah, I've also added a link to the last version of my patching engine...
I'm working on the new one just now, but I think the old one is good
enough to be distributed, so if you have some time to spare give a look
at it and tell me what you think about it... :)

Unfortunately, I haven't worked so much on the C version of wlc's
mazemap, because I didn't have enough time...
but I can tell you it'll take quite a long time because I'd like to
provide READABLE C sources (and usually mine aren't! :) and a full
database... so I'll have to read again all the old essays, maybe after
the exams! :))

Last thing: I know that most of you like cracks more than keygens, but
I've made a nice key generator for mIRC 5.11 and I suggest it to all
newbies, it's quite easy and, if +fravia agrees, it could be good for an
essay... if you want me to write one... well... ok, but you'll have to
wait a bit! Let's see if you are faster... ;)

-----
UPDATE: I've tried to upload my pages to Fortunecity, but it has some
problems now... I'll put them online asap, check the main page in these
days!

byez,
.+MaLaTTiA.

=====End of Issue 104===================================

========================================================
+HCU Maillist Issue: 105    01/02/1998
========================================================
CONTENTS:
#1 Subject: .+MaLaTTiA. essay awaited, of course
#2 Subject: re: msie detection (+gthorne)
#3 Subject: Steganography... I'm confused about those images
#4 Subject: re: Stego
#5 Subject: none

ARTICLES:
-----#1-------------------------------------------------
Subject: .+MaLaTTiA. essay awaited, of course

Yes, .+MaLaTTiA., I would like to host your essay, of course, maybe only
one thing: if you can, just use a LOT of word explanations and not too
much code, so that people understand how to do THEIR proggies, not how
to copy yours...

later
fravia+

-----#2-------------------------------------------------
Subject: re: msie detection (+gthorne)

Ever tried this in JavaScript code?
(just another way to detect it)

  var MyBrowser = navigator.appName;
  if (MyBrowser == "Microsoft Internet Explorer") {
    // Do Something Here
  } else {
    // Do Something Here
  }

The result is similar to the uagent command, but obviously very readable.

+gthorne

-----#3-------------------------------------------------
Subject: Steganography... I'm confused about those images

Hello fravia+,

> So you can't crack Fabian's Steganos?
> Should I repack the images with
> a shorter password?
> Hint: think that the FINAL "product"
> formula is ************

Perhaps I'm being dense here - but what does the final form have to do
with it? You need the password to decrypt the file... unless the final
form aids in the analysis of the stegonated file? If this is the case
then the length of the password is surely irrelevant.... I'm afraid I am
somewhat confused :-)

Cya,
+ReZiDeNt

-----#4-------------------------------------------------
Subject: re: Stego

> I-DID-IT!!! :))) 20 mins of brute force... :) I'm very proud of my little
> proggie! :))) Did you use brute force too or find another method?
> byez,
>
> .+MaLaTTiA.

Brute force, that checked for "http" in the output text.

The next one looks much harder (no source code for a start). Hopefully
+ReZiDeNt is right, and the password is kept somehow in the file (or at
the very least a checksum), because we won't be able to brute force it
otherwise (unless someone wants to buy some Field Programmable Gate
Arrays, and we can attack it from a hardware side :)

I think fravia+ has cheated slightly, he has changed the field of play
from steganography to encryption. Never mind, we will learn something
anyway..... Hopefully when we finish this, we won't find an even harder
link to the advanced page (PGP perhaps? :)

+Alt-F4

-----#5-------------------------------------------------
Subject: none

Hey guys -

I've been playing with Mijenix's FreeSpace (fs10eval1.exe) for a while,
and then I read Uncle Van's cute little essay on PowerDesk.
It's pretty much the same protection scheme, and I was thinking about
writing an essay about two additional ways of cracking Mijenix programs,
since Uncle Van's approach appears to be a little more complex than
necessary (even though I'm thankful for it because it has taught me
something).

The first solution is quite easy, and I've successfully implemented it.
It consists in patching the program at a location that is between the
time the protection routines get decrypted and the time the protection
routine gets called. Basically, you "conquer" some useless instructions
and use those bytes to patch the program in memory.

-------

That's nice and fine and does the job, but then I was thinking maybe one
could crack the decryption routine directly. Further investigation shows
that you get to the decryption routine by bpx'ing frespace.exe at
cs:405068. There you have a transformation of a sequence of 204B bytes
from the program file into the protection routine. The source byte
sequence starts at ds offset E2009E, the result byte sequence starts at
ds offset E2415A.
Here's the SoftICE listing for the decryption routine:

014F:00405068 660FB60C08   MOVZX CX,BYTE PTR [ECX+EAX] ; get source byte
014F:0040506D 8B442408     MOV EAX,[ESP+08]
014F:00405071 668908       MOV [EAX],CX
014F:00405074 66B80800     MOV AX,0008
014F:00405078 FF4210       INC DWORD PTR [EDX+10]
014F:0040507B C3           RET
014F:00405E9F 83C408       ADD ESP,08
014F:00405EA2 33C0         XOR EAX,EAX
014F:00405EA4 668B07       MOV AX,[EDI]                ; re-get source byte
014F:00405EA7 8ACB         MOV CL,BL
014F:00405EA9 D3E0         SHL EAX,CL                  ; << HERE >>
014F:00405EAB 83C308       ADD EBX,08
014F:00405EAE 09442410     OR [ESP+10],EAX
014F:00405EB2 83FB08       CMP EBX,08
014F:00405EB5 72DF         JB 00405E96                 (NO JUMP)
014F:00405EB7 8A442410     MOV AL,[ESP+10]
014F:00405EBB 45           INC EBP
014F:00405EBC 81FD00800000 CMP EBP,00008000
014F:00405EC2 88443519     MOV [ESI+EBP+19],AL         ; dump result byte
014F:00405EC6 7510         JNZ 00405ED8                (JUMP)
014F:00405ED8 C16C241008   SHR DWORD PTR [ESP+10],08
014F:00405EDD 83EB08       SUB EBX,08
014F:00405EE0 E964FFFFFF   JMP 00405E49                (JUMP)
014F:00405E49 837C242000   CMP DWORD PTR [ESP+20],00
014F:00405E4E 0F8E60030000 JLE 004061B4                (NO JUMP)
014F:00405E54 83FB01       CMP EBX,01
014F:00405E57 7324         JAE 00405E7D                (JUMP)
014F:00405E7D F644241001   TEST BYTE PTR [ESP+10],01
014F:00405E82 7461         JZ 00405EE5                 (NO JUMP)
014F:00405E84 4B           DEC EBX
014F:00405E85 FF4C2420     DEC DWORD PTR [ESP+20]
014F:00405E89 C16C241001   SHR DWORD PTR [ESP+10],01
014F:00405E8E 83FB08       CMP EBX,08
014F:00405E91 7324         JAE 00405EB7                (NO JUMP)
014F:00405E93 8D7E18       LEA EDI,[ESI+18]
014F:00405E96 57           PUSH EDI
014F:00405E97 8B06         MOV EAX,[ESI]
014F:00405E99 50           PUSH EAX
014F:00405E9A E8B1F1FFFF   CALL 00405050
Break due to BPX #014F:00405068
014F:00405068 660FB60C08   MOVZX CX,BYTE PTR [ECX+EAX] ; next source byte

All the protection-relevant bytes run through this routine.
There are several locations that should be patched; let's take this one
for an example:

Source sequence: DD 23 40 AF D0 AF C7 C1
  (at memory offset E204BC; the same sequence appears in the .exe file)
Result sequence: 74 47 83 F8 0A 7E 1E 83
  (at memory offset E24B01)

[There are a couple more locations to be patched, but the theoretical
problem is the same: langer Rede kurzer Sinn (long story short) <---
(obligatory German language reference) :-)]

Source byte "DD", after a violent rape occurring at cs:405EA9, ends up
being transformed into result byte "74". The offending instruction is:

014F:00405EA9 D3E0 SHL EAX,CL

(EAX holds the source byte, in this case "DD"; CL varies, but in this
case = 2)

Further investigation shows that it might be a good idea to have an
"EB 47" instead of a "74 47" in the result sequence.

-----------
HERE'S MY QUESTION: to all you hex / binary / maths aficionados:

<<<< Which source byte would, after the instruction "SHL EAX,2", lead to
a result of "EB" in AL? >>>>
----------

If there is a solution, please give a rationale. That would help
patching the remaining locations. :-)

I guess the problem is: if SHL,x is defined as putting x zeroes to the
right end of the binary value of EAX, how do you manage to get a
non-zero value there?

Happy new year,
swann
*********************

(Lemme add that I'm really thankful to work with you guys; for a while I
thought the essays were getting boring and repetitive, but recently
there's been some really good stuff.)

=====End of Issue 105===================================

========================================================
+HCU Maillist Issue: 106    01/03/1998
========================================================
CONTENTS:
#1 Subject: of interest...
#2 Subject: newserver cancellation
#3 Subject: shl eax,cl
#4 Subject: Anon IRC
#5 Subject: press cards
#6 Subject: server side registrations
#7 Subject: PDF files
#8 Subject: Some Steganography Tips
#9 Subject: steganography
#10 Subject: HCU repository

ARTICLES:
-----#1-------------------------------------------------
Subject: of interest...

Two things:

1) Opera web browser - an interesting alternative to Netscape and MSIE
(we won't bring up Mosaic, now will we?). Supposedly more stable. It is
very quick and easy to use; should be open to a little re-configuration
via BRW as well (though the Netscape about: tricks do not all work).
*********************

2) MS Web Developer resource - has some interesting articles, though of
course they are a little watered down. Stuff of interest: writing your
own "Quick View" application, extending the shell, etc. Most of this
stuff is visual-style crap that none of us would ever use, but it is a
free resource and this URL bypasses M$oft's insipid "register to view"
screen.
************************************************

One article in here mentioned writing a "copy handler" DLL... for all of
you who have tried to "copy" a printer or HDD to your desktop and got
that "Do you want to create a shortcut instead?" box, a copy handler is
responsible for that. Apparently you can write copy handlers to hook
access to specific files or file types (using your normal masking
techniques), then either allow or deny access to the files. Possible
applications: re-write (or replace) Explorer's main copy handler so that
you can copy files such as wdsmxxx.tmp, or so that hidden files are
displayed/marked/whatever, or hook and deny access to *.* on the machine
of someone you hate.
_m

-----#2-------------------------------------------------
Subject: newserver cancellation

> I don't quite understand this (and I'm not going to try
> it until I do :-)) - do you mean it deletes all the messages for the
> selected group from ALL the newservers on the Internet?! I don't know
> much about how newsgroups operate, could you possibly elaborate?
> +ReZiDeNt

Usenet posts can be cancelled manually. It basically involves faking the
message so that it appears that you were the author (you can cancel your
own posts). I suppose UCE just makes it easier, especially for cancelling
entire newsgroups. I think the mechanism for cancellation removes the
message from all news servers. In any case, you should be able to find it
in the RFC.

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: shl eax,cl

> Which source byte would, after the instruction "SHL EAX,2", lead to
> a result of "EB" in AL?

Shifting left and right will multiply or divide a number by a factor of
2. Compare with shifting digits in decimal multiplying numbers by 10.
I'm not sure about this, but from what I can remember the bit on the
right when doing a shl is taken from the carry flag (or perhaps some
other flag - but I remember it to be carry). Try looking in your opcode
ref or experimenting.

~~ Ghiribizzo

-----#4-------------------------------------------------
Subject: Anon IRC

> Can anybody tell me how to get on IRC anonymously? With a fake IP or
> something?
> Code-X

You can't. The hostname is always inserted by the IRC servers in order
to prevent abuse from people that cannot be traced. I rarely use IRC,
but when I do, I log on from a capered ISP account.

~~ Ghiribizzo

BTW sorry for the large number of posts today, but I've just subscribed
to the mailing list and have just digested the last 100 or so issues!
While I'm at it check out: *****************************

-----#5-------------------------------------------------
Subject: press cards

> This card is INCREDIBLY valuable. If there are cops, they'll usually
> leave you alone, and treat you BY FAR better than all the others.
> Even if they decide to take you to a police station for interrogation
> purposes, you can insist that you only attended to write an article
> about it.
>
> For all you people out of college: I don't know how to get a Card like
> that in your case, sorry, but if you can get one, get it!
>
> HalVar

I made one myself. I have the plastic badge/clip thing and have several
different cards which can be inserted into them. The fake press card is
useful. Try pretending to be a computer magazine journalist at a
computer convention :)

~~ Ghiribizzo

-----#6-------------------------------------------------
Subject: server side registrations

> However, there is already something similar with the ziplock, which
> uses RSA encryption.
> On second thought, why bother with all this....... just release the
> crippled program and sell the real thing.....
> WAFNA

Although the idea of secure servers was always on the cards, I never
thought that they would ever take off. After all, can they justify the
extra costs? I suspect many who pirate would NEVER pay for the software
and once someone has paid for it, the software usually ends up as WAREZ.

~~ Ghiribizzo

-----#7-------------------------------------------------
Subject: PDF files

> (Now Fravia can rip off the text from Ghiribizzo's tutorials and publish
> them :)
>
> Zer0+

Hey, Zer0, I heard that :) BTW have you got my password? I haven't
checked whether they are hashed yet. Hopefully they are.

Fravia is free to publish my tutorials anytime, but only in PDF format.
Take a look at my PDF cracking tutorial. I may work to finish it as I
found some really annoying PDFs by CRC32 which have read password
enabled!!?

Zer0, do you have the old issues of this mailing list saved?
I got some from the repository but all the URLs had been removed. If so,
please email them to me at the usual address.

~~ Ghiribizzo

-----#8-------------------------------------------------
Subject: Some Steganography Tips

I've put some steganography hints on my homepage (ghiric18.zip). You'll
have to work a little for them though :)

~~ *****************************

-----#9-------------------------------------------------
Subject: steganography

Hello +Alt-F4 and +MaLaTTiA,

> The next one looks much harder (no source code for a start)
> Hopefully +ReZiDeNt is right, and the password is kept somehow in
> the file (or at the very least a checksum), because we won't be able
> to brute force it otherwise (Unless someone wants to buy some Field
> Programmable Gate Arrays, and we can attack it from a hardware side

I'm afraid attacking it from the checksum point of view is useless IMO.
I wrote a little proggie to calculate a checksum of all the permutations
of a to z in an 8 letter string. After less than 10,000 iterations (out
of several billion), IIRC, there were already over 80 strings that had
the same checksum as the valid password for the *second* image (yes, I
got the correct password, but 'psychologically' - I guessed it)...

But there *must* be another way that I am missing...

Cya,
+ReZiDeNt

-----#10------------------------------------------------
Subject: HCU repository

I have made a new (temporary) HCU search page, to try out my new search
applet. It is theoretically quicker, because it loads all the issues in
one zip file, instead of lots of HTML files, but the proof is in the
pudding...

It's only got issues 1-75 so far, and I haven't stripped away any emails
etc. Also, do you think it would be a good idea to ask for a password at
the start? This way, the page is limited to the people reading the list,
or those that can crack the Java (wouldn't be very hard).

This page will probably NOT stay up long. There is little point in
having 2 pages, when .+MaLaTTiA.
has been doing such a fine job. Anyway, .+MaLaTTiA., if you want to
organize something then email me: alt-f4 at usa dot net

The page is ***************************************************

I don't know how good this web provider is (only had an account a couple
of days), but they let you use an FTP client to upload, and they claim
to allow 50 megs! I would be interested in any comments (eg: too slow)
that anyone has....

+Alt-F4

ps: Sorry I took so long .+MaLaTTiA.! It was done several weeks ago, but
I didn't have a spare web account to use....
____________________________________________________________________
Get free e-mail and a permanent address at *************************

=====End of Issue 106===================================

========================================================
+HCU Maillist Issue: 107    01/04/1998
========================================================
CONTENTS:
#1 Subject: hcu repository (re: java/javascript security from +gthorne)
#2 Subject: Fravia's Steganography Page
#3 Subject: Answers to Ghiribizzo and Swann
#4 Subject: Contraband 9g
#5 Subject: New essay format on Fravia's page
#6 Subject: Mathematica 3.01
#7 Subject: HCU ML issues 101-104
#8 Subject: Steganos & S-tools 4
#9 Subject: Re: Steganography
#10 Subject: none

ARTICLES:
-----#1-------------------------------------------------
Subject: hcu repository (re: java/javascript security from +gthorne)

For any web security to work, and easily, make a username and password
that do not check each other (or just one password to entry).

Simply enough, encrypt them together and make an HTML filename from the
two; that is the filename you should give the search page. In this
respect, it is unguessable - especially when the page is in an
unreadable directory.

example:
nfviuyh.htm

and a bad password will not have to be checked: the encryption code will
generate a (whatever).htm and the result will be a 404: not found unless
they have the right username and pass code.

It is easily implemented in Perl and C, and just as easy in Java or
JavaScript. As with any protection, eliminating the chance for a
'compare entered word to the real password' will significantly increase
the level of the protection.

It is funny that so many people try to write JavaScript code that
encrypts and compares with a real code (I cracked one yesterday that did
exactly that; because it was so silly I had to).

If you guys really need it I can write a page to do this for you, but I
bet you guys will have no trouble (assuming that I have not been
completely incomprehensible, it is 4:30am here ;)

+gthorne

-----#2-------------------------------------------------
Subject: Fravia's Steganography Page

It's quite spooky. I pressed reload the other day and the page was
updated to say that Fravia lied about the advanced steg page. Then today,
I pressed reload and the page changed again saying that the old password
was too easy and that it had been changed again (the advanced steg page
has been relocated). We must be uploading at the same times!

In case you were wondering, the first password was 'steganos' - the name
of the program used to hide and encrypt the data. Too obvious - I got it
first time.

Does anyone know why Fravia is doing this? Surely anyone using the above
programs would first encrypt using a REAL encryption program, which makes
reverse engineering the weaknesses in the native schemes irrelevant. In
my example (which contains some tips! [bait]) I encrypted using PGP
conventionally. Had I not given a password (and used a good password)
then you wouldn't simply be able to get the plaintext in the same way.

Steganography is to hide secrets, not to protect them - that's the job
of cryptography. (see also my encryption essay!)
~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Answers to Ghiribizzo and Swann

Hi!

Ghiribizzo wrote:
>> (Now Fravia can rip off the text from Ghiribizzo's tutorials and publish
>> them :)
>>
>> Zer0+

> Hey, Zer0, I heard that :) BTW have you got my password? I haven't checked
> whether they are hashed yet? Hopefully they are.

I promised at the end of my PDF essay that I would try to find the owner
passwords Ghiribizzo used to lock his tutorials. The documents (4, 5, 7
if I remember well) had no user password so the text could be read, but
had an owner password (the same in all) which protects the document from
copying, printing etc.. Having a cracked Acrobat Reader, cracking the
owner password gives us nothing more than some satisfaction, but I have
decided to work on it just for fun.

To make it short, I could not find out the correct owner password and I
think in some sense it is impossible to do. As usual I threw away all my
notes (bad habit), but I'll try to reconstruct my analysis.

The owner password is padded or truncated to a 32 byte long string and
passed through the MD5 hash function. The first 5 bytes of the output
(40 bit US export restriction) are used as a key in the RC4 function to
encrypt the user password (it's known in this case) to get the owner key.

If you want to get the owner password you can try to find out first the
5 byte long key used in the RC4 encryption. You know the plaintext and
the encrypted text and you need the key. I have no idea how safe the RC4
algorithm is against plaintext attacks, being a not very much discussed
proprietary algorithm (though you can find the source code of it on the
net, thanks to an anonymous cracker :), but it is certainly beyond my
math capabilities to attack it :(. It is estimated that cracking a 40
bit RC4 by brute force attack needs 10 000 $ computer time (whatever it
means).
I ran a test to find the 40 bit RC4 key, but it turned out that my 200
PPro has to be run for months even if I optimize the algorithm I have
found on the net (well, I am not Michael Abrash).

Even if you have the key you have to work backward through the MD5 hash
to get the owner pw. The MD5 hash is designed by Ron Rivest (he made RC4
too) to stand against this type of backward attack and is considered to
be safe.

The final thing that convinced me not to work on it is that the password
can be 32 bytes long, meaning 60^32 different possibilities (if we take
60 printable characters). The password is hashed to 40 bits, meaning only
255^5 results. This means that billions of passwords hash to the same key,
so probably billions of strings can serve as the owner password. Unless
Ghiribizzo used a meaningful password there is no way to tell which one
of them was actually used.

So taking all these things together I decided to give up finding the
original owner password :).

PS to Ghiribizzo: I will send the old issues tomorrow.

Swann wrote:
> <<<< Which source byte would, after the instruction "SHL EAX,2",
> lead to a result of "EB" in AL? >>>>
> ----------
> If there is a solution, please give a rationale. That would help
> patching the remaining locations. :-)
> I guess the problem is: if SHL,x is defined as putting x zeroes
> to the right end of the binary value of EAX, how do you manage to
> get a non-zero value there?

You can't! At least not with SHL. In your example the bytes are not just
shifted but later ORed with [ESP+10], and that's where the bytes like 47
and 83 are probably coming from (they can not be the result of an SHL
either). So if you want to get EB, try to modify the value at [ESP+10],
too.

Bye
Zer0+

-----#4-------------------------------------------------
Subject: Contraband 9g

Contraband 9g

First I performed a binary compare of the two images. I noted that the
differences were in the range 3F-150B. That's 5324 bytes.
We can be quite sure that the actual number of bytes is very close to
this number because there is a 0.5 chance of being one byte more, 0.25
chance of being 2 bytes more etc. We know the length of the file is 587
bytes so 5324/587 gives 9.

Now, we know from looking at the source code that:

  Block size = 8 + (digit 2 of PIN) mod 4

i.e. PIN(2) = 1 (mod 4) => PIN(2) = 1, 5 or 9 (considering digits only)

I became rather lazy now and opted for the brute force method. Since
there are only 10 digits to search through, I just did this by hand. I
tried values x100 until I got an output file of the right length.

Now as the encryption used by Contraband is merely a simple XOR with a
one byte key, decrypting the file is trivial. However, since we are told
that the file contains URLs and ';;?u`` matches marvellously the *******
we are expecting, we can perform a known plaintext attack. I decrypted
using a utility I wrote a while ago, but you can do the same using HIEW
by XORing the first byte with 'h' and then noting the value 'O'. Then
XOR the rest of the file using the value 'O' to get it in decrypted form.

It wouldn't be difficult to write a program to automate a lot of these
steps as a lot of the code you need is already written for you in the
source of Contraband itself!

~~ Ghiribizzo

-----#5-------------------------------------------------
Subject: New essay format on Fravia's page

What do you guys think of the new format for the essays (the one with
coloured blocks down the LHS of the screen)?

Personally I hate it. Apart from the garish colours, the bar is
absolutely useless and takes up valuable screen real estate. When I saw
it the first time, I was reminded of the first time I installed Windows
and it started with a yellow arrow bouncing on the task bar telling me
'Press this button to start' and pointing to a button blatantly labelled
'start'. Come on Fravia, do we need a big black bar marked 'essay' to be
able to find it?
We're supposed to be crackers, for heaven's sake! I think people have a general tendency to go over the top with HTML, especially with annoying popup messages etc. Thankfully I browse with images, Java and JavaScript turned off! :) Don't get me wrong Fravia, I love your page and am grateful for the work you put in. Just take it as constructive criticism :)

~~ Ghiribizzo

-----#6-------------------------------------------------
Subject: Mathematica 3.01

Has anyone cracked this program? I was working on it a few weeks ago, but shelved it to work on some other projects (and was distracted by Fravia's stegged BMPs :). I remember a bit of what I did. I was working at it from the 'enter serial' side of things and had located the call which stated whether a function was valid or not. I remember experimenting, and forcing it to return a zero would allow the program to run and re-enabled save, but the calculations were not made (though I seem to remember having problems getting it to work before time expired). I think it is actually easier to crack in a different way (when the key file is read at startup) but I haven't tried that yet. If any of you have cracked this already, please email me. If you'd like this software, you can also go to Mathematica's homepage and get the nice people to email a CD to your door! :) Now that I've stopped with the steganography, perhaps I will generate the will power to crack Mathematica again.

~~ Ghiribizzo

-----#7-------------------------------------------------
Subject: HCU ML issues 101-104

Would someone please send me issues 101-104 of the mailing list, please. Send to **********************

~~ Ghiribizzo

-----#8-------------------------------------------------
Subject: Steganos & S-tools 4

I took a cursory look at these two programs. Steganos claims to use RC4. I haven't bothered, but you could test this claim by using the supplied SDK: encode a file using Steganos, then extract it by writing your own utility.
The file should be encoded in RC4. Decode the file (you'll need to get source code from the net), then decompress it using zlib (DLL supplied, also on the web) and you should get your plaintext back. [No, I haven't bothered! :)] S-Tools 4 uses the cryptlib library, which contains a number of encryption schemes. It also uses zlib to compress. I've written to the author of Steganos requesting information as to how he implemented the encryption. However, with both these programs, unless the author(s) wanted to deliberately put a back door in by encoding the password into the carrier file, there is no reason to do so. Of course, there could be an accidental weakness in the implementation, but I don't think there is and am too lazy to check anyway.

Perhaps the URL is located in one of Fravia's 'normal' images and he wanted us to have a look. I normally browse with graphics off, so I don't have the files to compare to any which may have been changed (nor can I be bothered to check each one!). If you have the time and inclination to do so, please tell me if you find anything.

Oh, BTW, for those who wrote saying that there were no tips in my stegged graphics file, the BMP file and 'congratulations' message were both just decoys - keep looking! :)

~~ Ghiribizzo

-----#9-------------------------------------------------
Subject: Re: Steganography

Hello +ReZiDeNt and +MaLLaTiA,

I can confirm that the program does use a checksum for the program. It is at 40D850, and returns an 8-bit checksum. The formula is basically:

Get each char
char1 *1
char2 *2
char3 *3
char4 *4
char5 *5
xor all of these together... % 256 = checksum

Unfortunately, like +ReZiDeNt says, it doesn't help much, it just reduces the possibilities by 256. Right now I am looking into how the file name is stored in the file... If either of you have any other ideas we should discuss them. I am sure if we combine our resources we can do this.....
+Alt-F4
____________________________________________________________________
Get free e-mail and a permanent address at *************************

-----#10------------------------------------------------
Subject: none

hey +ReZiDeNt

>(yes, I got the correct password, but 'psychologically'
>- I guessed it)...

Did you guess the new one, or the old one? I just guessed the old one as well (there weren't that many 8-letter words on the page :) Hopefully the new one won't be guessable.....

+Alt-F4

=====End of Issue 107===================================

========================================================
+HCU Maillist Issue: 108 01/05/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:
#1 Subject: I'm still here, somewhere!
#2 Subject: answers to Ghiribizzo, by fravia+
#3 Subject: Zero can you read my address?
#4 Subject: incoming essay
#5 Subject: ml repository
#6 Subject: Stegz again! :)
#7 Subject: stego riddle
#8 Subject: PDF owner keys
#9 Subject: ATTN: +Alt-F4
#10 Subject: Alistair sends Orc has charged me

ARTICLES:

-----#1-------------------------------------------------
Subject: I'm still here, somewhere!

Ghiribizzo:
>I've just read some of the HCU mailing list and saw that you had a
>list of people who downloaded IDA. Do you still have that list? If
>so, would you please send me a copy. Thanks.

Sorry for answering this in the HCU-NL, but you sent it to me through my friend's e-mail address (which he cancelled on 01/01/98) and you didn't include a return address. I noticed you have just subscribed to the HCU-NL, and I had no other way to reply.
If you, or anyone else, needs to contact me, please use my hotmail address or I will NOT receive what you send.

To answer your question, I DID NOT make a list of people who downloaded IDA Pro. I simply posted my REAL e-mail address on my web site when I gave the program away, and counted the "Thank You" notes I received in response. Just before Christmas, my hard drive decided to commit suicide, so I've lost EVERYTHING! The "Thank You" notes went into cyberspace along with everything else I had on my hard drive. Until I can scrape up enough money to buy a new hard drive or, even better, a new computer, my only access to the net will be when I'm able to use a friend's computer, which is only a few hours each week. So if you, or anyone, writes to me, please be patient until I can reply.

Hackmore Readrite
********************

-----#2-------------------------------------------------
Subject: answers to Ghiribizzo, by fravia+

Ghiribizzo,
I followed your work and your deeds for a while, and I must say that you seem to be the exact contrary of the sort of +crackers we are trying to grow. This can be checked by anybody just reading your works and your emailings on DejaNews. If you ever flood once more our general maillist with your showing off and self-publicity, I'll tell +Zero to cut you off and you'll lose a good source of material you can brag with on usenet. In the future try to refrain from showing off, make an effort to contribute normally (and more humbly: grow up and learn from really great crackers) and, please, try to avoid uttering nonsense about things you don't have any idea about.
I, personally, won't ever again contact you until you have demonstrated to me that you can work normally. It's a pity that Mammon's good post-it system and the good idea of opening other open universities and stego pages, which I of course encourage everybody to do, has been ripped off by you and turned into a lame poor-man's show-off, a sort of mockery show that I believe most dislike. (But I may be wrong of course, others may like you and your approach.) I don't.

fravia+

-----#3-------------------------------------------------
Subject: Zero can you read my address?

ADD ***************************
---------------------------------------------------------------------------

-----#4-------------------------------------------------
Subject: incoming essay

Hi +Fravia, hi all! :)

> yes, .+MaLaTTiA., I would like to host your essay, thanx a lot! :)
> of course, may be only one thing: if you can
> just use LOT of word explanations and not too much
> code, so that people understand how to do THEIR
> proggies, not how to copy yours...

Sure! I think I won't add any code of mine this time... I would like to go a step farther in explaining keygens... I'd like to make everyone understand how important it is to *really* know what the program does, "abstract" it and reproduce it in a higher level language, instead of just copying asm code without giving any sense to it... Anyway, I'm afraid I'll need some time to write it down... I promised myself to wait to buy a CD writer until I pass an exam... *ARGH*! I'll have to study a bit this time :)

byez,
.+MaLaTTiA.

-----#5-------------------------------------------------
Subject: ml repository

Hi +Alt-f4! Hi All! :))

> I have made a new (temporary) HCU search page, to try out my new search applet.
> It is theoretically quicker, because it loads all the issues in one zip file, instead of lots
> of html files, but the proof is in the pudding...

Good work! I'll give a look at it asap!
:) I think it's great you can download just one zip file... it's even easier to maintain!

> Also, do you think it would be a good idea to ask for a password at the start?

Uhmmm... I don't know... I think it's difficult enough to reach that page (just give a look at the hits :) and, imho, it would be nice to let non-subscribers read the issues (in their "limited" format, of course)

> This way, the page is limited to the people reading the list, or those that can
> crack the java(Wouldn't be very hard)

Ah... I didn't read this part before answering :) Yes, it could be a nice cracking exercise...:)) Let's see if the other guys agree... :)

> This page will probably NOT stay up long.

I think I'll give a look at it while uploading this mail... I hope it won't be too late... :)

> There is little point in having 2 pages, when .+MaLaTTiA. has been doing such a fine job.

Thanx again, your work and your words are precious for me and for the ml! :)

> I would be interested in any comments(eg: too slow), that anyone has....

I'll let you know as soon as I connect! :)

> ps:
> Sorry i took so long .+MaLaTTiA.! It was done several weeks ago,
> but I didn't have a spare web account to use....

Don't worry... the most important thing is that now the work is done... and I'm sure it's good work ;))

byez,
.+MaLaTTiA.

-----#6-------------------------------------------------
Subject: Stegz again! :)

Hi +Alt-f4! Hi All! :))

I'm sorry (for you) I'm writing SO much... I hope you won't complain O:-)

> >proggie! :))) Did you use brute force too or find another method?
> Brute force, that checked for "http" in the output text.

Naaa... can't believe it! I used a different method! So I can send my essay to +Fravia (hey +F, I've got ANOTHER essay for you! :)) Yes, I used brute force, but without checking the decrypted file... I just knew the passwords in the two examples were the same and used a program which generated the passwords, spawning seek.exe with each of them...
redirected the output to a file called "tmp", then searched for "ext":

"Preparing to process files.......Press any key when ready.
Extraction complete! data rests in outfile.txt"

:)))

> Hopefully +ReZiDeNt is right, and the password is kept somehow in the
> file(or at the very least a checksum),

Well, look at what I've written to +Rez: THERE IS a checksum, but unfortunately it's useless for us (anyway, you can find the procedure that generates it at address 40403b). I've tried to give a look at the encryption phase, but I'm afraid it will be difficult to recover the password from there... Maybe the best thing is to jump the password check (404067) and then try to see what the proggie is going to do with our pw, trying to change it according to the output we want to have (the ************ text file)

> I think fravia+ has cheated slightly, he has changed the field of play from
> steganography to encryption.

Yes, and I like it: I borrowed a book about steganography just 2 weeks ago, and now I know more than what is written in that book... I'm starting to think +Fravia knows me... it can't be a coincidence! ;))

> Never mind, we will learn something anyway.....

I'm always happy to learn, and I love all these mathematical exercises!!! :))

byez,
.+MaLaTTiA.

-----#7-------------------------------------------------
Subject: stego riddle

Hi +ReZiDeNt, hi All! :)

> I'm afraid attacking it from the checksum point of view is useless
> IMO. I wrote a little proggie to calculate a checksum of all the
> permutations of a to z in an 8 letter string. After less than 10,000
> iterations (out of several billion), IIRC, there were already over 80
> strings that had the same checksum as the valid password for the
> *second* image

The one stegonated with Steganos?
I've given a look at the algos used to make up the checksum (it was c8, if I remember), and I've tried to check out what the program really does: it builds up the checksum from eight values (I hope I understood it right, tell me if I'm wrong!) read from the file... so I thought: "The pw should be in those files, encoded in some way", but I haven't seen yet if I'm right... I just saw that the "original" bytes are

3d 36 6f be b8 a1 a1 7a

the "stegonated" ones (with the pw "aaaaaaaa") are

3c 36 6e bf b8 a0 a0 7a

and the "stegonated" ones (with +fravia's pw) are

3c 36 6e bf b8 a0 a1 7b

.... too few changes to hide a password... mah...

>(yes, I got the correct password, but 'psychologically'
> - I guessed it)...

Well, THAT's a hint!!! I guessed it too now... :) It was really too easy, unfortunately I guessed it too late... I'll have to wait a bit to see the advanced pages! :)

> But there *must* be another way that I am missing...

Sure, we should use +fravia's hints: there MUST be a place in the program in which it reads the bytes from the stegonated file and decrypts them in some way (using the entered password). If we know the output should be ********* we should find the right value for the pw/checksum or whatever that makes, for instance, the first byte become an "h", and so on...

byez,
.+MaLaTTiA.

-----#8-------------------------------------------------
Subject: PDF owner keys

Fravia wrote:
>The owner password is padded or truncated to a 32 byte long string and
>passed through MD5 hash function. The first 5 byte of the output
>(40 bit US export restriction) is used as a key in the RC4 function
>to encrypt the user password (its known in this case) to get the
>owner key.

As I say, I haven't looked into the implementation of PDF security in any detail, but even if you had the full 128-bit hash of my password it would be impossible to reverse. The trick is not to reverse MD5 (futile) but rather to use it and hope for a short password.
However, the password IS short, so anyone with spare computer time can simply hash passwords and compare the hash of the guess to the correct hash, saving the password when you get it. Unfortunately, I used the same password for each one, as I (wrongly) assumed that Adobe would have the sense to include a random seed in each encryption session so that, even if the same password is used, different PDF files would need to be cracked anyway, though apparently they haven't. So even if the read security were enabled, by simply brute forcing the 40-bit RC4 password (feasible) you could open any file using the same password. Or you could test the password for a checksum and then run the passwords that pass the checksum through MD5 for a hash compare.

>If you want to get the owner password you can try to
>find out first the 5 byte long key used in the RC4 encryption. You
>know the plaintext and the encrypted text and you need the key. I have
>no idea how safe the RC4 algorithm against plain text attacks, being a
>not very much discussed proprietary algorithm ( though you can find the
>source code of it on the net, thanks to an anonymous cracker :), but
>it is certainly beyond my math capabilities to attack it :(. It is
>estimated that cracking a 40 bit RC4 by brute force attack needs
>10 000 $ computer time (what ever it means). I run a test to
>find the 40 bit RC4 key, but it turned out that my 200 PPRO has to be
>run for months even if I optimize the algorithm I have found on the
>net (well, I am not Michael Abrash).

The data streams are encrypted with RC4 and the reader decrypts these when you start, i.e. you already know the 5-byte key. Therefore there is no attack, as you already know plaintext, ciphertext and key. I remember that RC4 was posted to alt.cypherphunks but it is available from a lot of sources now. I guess that it must have been a hacker who stole the algorithm. The 10 000 $ quote probably is advertising puff.
The cost decreases with every advance of computer technology. 40 bits isn't beyond the realms of possibility. I remember some guys who were factoring their boss' PGP key - they did this at work and had a hell of a time explaining why one of the number crunchers was apparently idle for a week!!

~~ Ghiribizzo

-----#9-------------------------------------------------
Subject: ATTN: +Alt-F4

+Alt-F4,

After breaking both S-tools and Steganos algos, I wrote a short tutorial on it. I've included it below. I've PGP'd it with only an 8-byte key and the file is a plain ASCII URL reference. :)

-----BEGIN PGP MESSAGE-----
Version: 2.6.2i

pgAAAFijYpfZhWu4A3Gz5b/FZ4JpyZ+E/KsMe6X0O4piu8Vw4PFkRcMXR3bJJV2z
1LbSgmlqEJ4FabvmKKluGZP4+irWGxXRUSlHnVfY8GXPv+J8AEqP/7+FMjjb
=KvU7
-----END PGP MESSAGE-----

-----#10------------------------------------------------
Subject: Alistair sends Orc has charged me

ADD ***************************************************************************************************
---------------------------------------------------------------------------

=====End of Issue 108===================================

========================================================
+HCU Maillist Issue: 109 01/06/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:
#1 Subject: Fravia's answers to Ghiribizzo
#2 Subject: nesbitt sharelock
#3 Subject: new essay format
#4 Subject: Re: Fravia's Flame
#5 Subject: 1) hotmail caveats 2) Alistair "teachings", by fravia+
#6 Subject: Cut off
#7 Subject: Fravia:Ghiribizzo 1:1 Final result

ARTICLES:

-----#1-------------------------------------------------
Subject: Fravia's answers to Ghiribizzo

--Actually, I don't mind Ghiribizzo's presence so much.
If nothing else it keeps us from empty issues ;) I cannot judge his tutorials as the PDF files do not open in Acrobat (no, I didn't do the PDF project... I have GhostView for that stuff ;) and I haven't had a chance to put them on a GhostView machine. As for all else, boasting/competition/et al, it would of course be nice for all of us to co-operate as a force rather than go off on our own... but that is one of the hazards of operating on the internet, non? 'Course, I never do chat/IRC, so I may be missing a lot.

mammon_

PS Guys, don't give away too many Steganos answers... I've been too busy to attack that one yet!

-----#2-------------------------------------------------
Subject: nesbitt sharelock

Here is a letter from razzia, which was not sent to the ************* address :(, but I think he intended it for the list.

Hi,

If you ever come across a program that uses sharelock as its protection (you will know if it uses shrlk.dll) then make sure to pay a visit to ****************

I had such a program, it was called Keyboard Navigator, and I had tried for days to get an unlock code, without result. Then I found the above page. After that it was done in minutes. On that page you will read nesbitt bragging about his sharelock, and that he got 4 stars from ZDNet. Impressive at first sight. "Stop software piracy! Get paid for your software!" Sharelock is yours for 200 US dollars, but nesbitt was kind enough to make a trial version of his program available. This includes full docs in nice Windows help format, a KEYGENERATOR (yes, I am not kidding!), and a keygen.dll if you would want to make keygens of your own. The only thing a cracker needs to do is set one breakpoint and fish out the "private string" that is needed for the keygenerator. Keyboard Navigator's algo used "KarlinChadSarah" as its private string. Probably the names of his kids...
I didn't know what to think of all this. Is it funny or sad? This guy paid 200 dollars to nesbitt, used his kids' names as the secret private string, and then, trusting ZDNet's 4 stars, he thought his program was safe. And nesbitt gives away the full docs telling exactly how to get the (secret) private string, and even a keygenerator to get an unlock code...

Happy new year all

razzia [mcc98]

-----#3-------------------------------------------------
Subject: new essay format

Hi Ghiribizzo! Hi All! :)

First of all, let me tell you that I liked very much your approach to Contraband decrypting, it's really cool! (I used a REAL brute force method... :)

> What do you guys think of the new format for the essays (the one with
> coloured blocks down the LHS of the screen)? Personally I hate it. Apart
> from the garish colours,

Well, the colors are not really beautiful, but I think that it's useful to use a standard format for the pages.

> the bar is absolutely useless and takes up valuable screen real estate.

USELESS? Please, let me quote some source code of the page:

<CENTER>Title</CENTER>
<CENTER><FONT COLOR="FFFFFF">Rating</FONT></CENTER>
<CENTER>Introduction</CENTER>
<CENTER>Tools Required</CENTER>
<CENTER>Program History</CENTER>

....and so on. Don't you think that a STANDARD like this could help +fravia and all the ones who are working on a reorganization of the pages (like me O:-)) to build up (maybe AUTOMATICALLY!) a database and a program that lets you read all the essays, dividing them by the author, the tools used, the difficulty and so on? :)

Well, imho they're REALLY GREAT (the colors can be changed if you don't like them ;)) and I'd like to help +Fravia (if he agrees) to put the old pages in that format too...
I know it's hard work, but if only we divide the number of pages among the subscribers of the ml, the work can be a lot easier! Then building a program which scans a directory, reading the files and building a database, wouldn't be so hard... Hey, would you like to help me?

> When I saw it the first time, I was reminded
> of the first time I installed windows and it started with a yellow arrow

ehe. :)) Yes, it's not so beautiful to talk about "standards" in this case :)

> Come on Fravia, do we need a big black bar marked 'essay' to be able to
> find it? We're supposed to be crackers for heaven's sake!

Uhmm... you're right, we don't need it, but how can we ask a program to find the beginning of the essay's text without any kind of "bookmark"? :)

byez,
.+MaLaTTiA.

-----#4-------------------------------------------------
Subject: Re: Fravia's Flame

Fravia,

I know you don't like me. Though I confess I am surprised and saddened by your flame. I certainly have not meant to show off in any of my tutorials and my posts to the mailing list. Having read them again, I still do not see any showing off. However, the writer may often see things differently, and I ask if others could comment on this and tell me whether they find my articles are 'showing off'. This issue concerns me and I appreciate your help.

Regarding the issue of publicity. I gave the URL of my homepage twice: once in my first batch of posts so that everyone would know where to find me, and the second time it was part of my sig. I have also made references to my past tutorials when I thought that they'd be relevant to the topic being discussed.

As for the number of articles. I stated that I had just subscribed to the mailing list and had just read most of the past issues. That is why there were so many articles: I had over a hundred issues to respond to. The number of articles I post is decreasing, if you are worried about my 'flooding'.

I rarely post to USENET.
Though I think if you do a search, most of my posts will be announcements when I release a new tutorial. When you mention this mailing list as being a source of information I can brag about, I truly don't know what you are talking about. I haven't posted anything to USENET recently, let alone anything relating to this mailing list. I hope you will tell me what you mean or acknowledge that what I have just said is true.

As for humility in learning from the really great crackers, I learn from anyone. From newbies to experienced crackers. Would you care to name who you consider are really great crackers? Yourself? ORC? The HCU?

Concerning mammon: I've seen his discussion server, though I don't know anything about his 'University' - I will take a look when I have some time. I write tutorials so that hopefully someone can learn from them - not to show off. I started the discussion server as a replacement for the chat channel and guest book, as I considered it a more appropriate medium to spread messages and to help crackers learn from each other. I had hoped that USENET could be the medium, but there is too much spam and it is too transient. The discussion server allows ANYONE to ask a question and ANYONE to give help. There is no distinction between new crackers and experienced crackers. I don't label anyone there - I treat all crackers equally.

I don't claim to be a 'really great cracker'. I don't claim that I'm always right. I don't know what you were referring to when you talked about 'uttering complete nonsense', but I do make mistakes. I make no claim to infallibility.

I have tried to keep this post purely defensive. It is tempting for me to counter-attack, as I am very angry at your flame. But I don't like to do so and do not wish to continue this sort of thread any longer. I hope that you have the humility to apologise for your insults and your insinuation that I am using this mailing list as 'source material to brag with on USENET'.
~~ Ghiribizzo

To others: sorry to deny you a 'flame war'. I know that it's a great spectator sport... perhaps I should go back and write a more attacking riposte :)

BTW: This is the first post to the mailing list after reading Fravia's flame, though some other articles may have been from me from last night.

-----#5-------------------------------------------------
Subject: 1) hotmail caveats 2) Alistair "teachings", by fravia+

1) As you probably all already know, hotmail has been swallowed up by Microsoft. Since many among you use hotmail, please do not exchange from there all too interesting info (not that it would matter much anyway, since they control the CISCO routers as well, unfortunately :-(

Maybe cryptological and steganographical studies will be really needed this year. Yet we have begun too late, I fear. Hotmail's main tracks (the 'transparent ID') could be beaten through easy tricks (like +ORC's "throw away" web trials), but this worked only assuming that nobody cared much for the 'content' of your mailings. Obviously a 'microsofted' hotmail is a lot less 'easy ground' for us. And this brings us to number 2.

2) +Alistair has helped us in the past already and is trying to reach us in order to teach (if I understood it correctly) us the first 1998 +HCU lesson:

>Alistair sends: +ORC has charged me to teach you the first anonymity lesson for 1998.<

So +Alistair is somehow monitoring this global maillist, and at the same time I believe he has already started "teaching us". The method he has chosen has (IMO) much to do with perl tricks. (Of course there are some interesting perl considerations about anonymous 'one-line' messages like +Alistair's ones.) Yet this seems to be (in the +Older ones' opinion) restricted material:

>first of all +Zero push all hcukers on secure list<

so I'll mail there, and not on this list, my first impressions, yet I'm not very happy with all this.
I'll publish here a request to +Alistair, since he will surely monitor this list and I don't have any other method (short of publishing an extra plea page) to reach this powerful friend (teacher?):

I know I already owe you a lot for the IMF incident, yet I would like to ask you, +Alistair, please, to consider allowing your (and the following :-) teachings to go PUBLIC. I believe (as you well know) that information should NOT be restricted (unless this serves some nice purposes and helps, not hinders, teachings, as in my stego easy riddles). So here is my plea to you and +ORC: Please consider making the 1998 +HCU lessons public. Worthy people like Aesculapius and Mammon and Quine (just to cite three very good crackers that could teach us as well as learn, but there are MANY more worthy ones, as you can easily check) deserve this knowledge (IMHO). In fact I believe that the 'one year' strainer is a little too 'slow' given the amazing pace of changes on the web. Look how fast things change in a few months!

later
fravia+

-----#6-------------------------------------------------
Subject: Cut off

I didn't get a copy of the mailing list today. I assume that I've been cut off. I don't know if I can still post, but I thought I'd try to leave a note to inform everyone of the situation.

~~ Ghiribizzo

-----#7-------------------------------------------------
Subject: Fravia:Ghiribizzo 1:1 Final result

Hi all!

Well, boys, we know now that you don't like each other very much, but I hope you will discuss the differences in private mail and not on the list. Otherwise ...(insert serious threats from listadmin here)

Ghiribizzo thought that he is out of the list, but that's not true. I personally did not find anything offensive in his postings. The list was delayed because of the mysterious posts from Alistair (well, I can't read your address, sorry.) I also had to salvage a lost post from razzia.
Bye
Zer0+

=====End of Issue 109===================================

========================================================
+HCU Maillist Issue: 110 01/07/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:
#1 Subject: Anon IRC
#2 Subject: reply to mammon_ from ~GB~ (Re: PDF)
#3 Subject: Re: Tutorial format & Databases
#4 Subject: Re: hotmail caveats
#5 Subject: Additions to my steg program

ARTICLES:

-----#1-------------------------------------------------
Subject: Anon IRC

>You can't. The hostname is always inserted by the IRC servers in order
>to prevent abuse from people that cannot be traced.
>I rarely use IRC, but when I do, I log on from a capered ISP account.

AFAIK it is possible to somewhat disguise your IP by using the FTP bounce attack or Wingate bouncing. THIS IS NOT REALLY ANONYMOUS, since all ftps and some Wingates log you, but nonetheless useful :-)

---cut---
It's a nasty bug. :( It's one some of us knew about a long time ago and managed to get some of the worst holes fixed. But it's still there. :(

The problem is that you can transmit data (or receive it) from any port by giving ftpd a PORT command that is different than the one you "normally" would.

Simple example:
find a server that allows uploads
upload a file containing SMTP dialog to send a message
do a PORT victim-ip,25
do a RETR filename
----cut----

This can be used to telnet to an IRC port on a server, or more effectively for System Entry purposes. To get information about WINgate, try x-treme.org or something. WINgate is a program that lets multiple computers use one connection, and if you telnet to a WINgate you get a prompt. Now just enter hostname & port, and it'll connect you.
Multiple bounces from ftp to Wingate and over several computers are possible assuming the lag doesn't bother you.

HalVar

P.S.: I have to notice more and more that there is less and less knowledge to be found on irc. I used to frequent it quite a lot, but no more now.

-----#2-------------------------------------------------
Subject: reply to mammon_ from ~GB~ (Re: PDF)

>I cannot judge his tutorials as the pdf files do not open in Acrobat (no, I
>didn't do the PDF project...I have GhostView for that stuff ;)

You need version 3.0 of acrobat to view the earlier pdf files. The later ones without security (i.e. post pdf project :) are compatible with acrobat 2.0.

>'Course, I never do chat/IRC, so I may be missing a lot.

I don't use IRC much either. I've been on twice since for less than 30 minutes in total. From my experience on IRC, mammon_, you're missing absolutely nothing. IRC = Immature Rabid Chatters ? I had to think a bit to find a word for C which didn't involve ***'s :)

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Re: Tutorial format & Databases

I suppose if you wanted the markers only to make organisation and archiving easier the following markers would also do the trick:

<!-- Robot-search-string-grab-this Difficulty Level: blah -->
<!-- Robot-search-string-grab-this Tools required: blah -->

and these would not appear on the screen.

I had the idea of putting the tutorials in a database but shelved it after I saw that one had already been made. I thought of creating a standard so that each author also submitted a 'database card' which had all the details on it in some ASCII form so that each new data entry could be added to the end of a list and we could write our own program for our favourite platform to view and sort the data.
This way, new entries can be added out of sequence and entries can be taken in or out at will and can be customised by each owner. I've not looked at the database already submitted, maybe this has already been done.

For the database, have you got a 'keywords' entry? I remember searching ages for Chown's beautify essay and would have loved to have been able to type in something like "dll brute force" to find it.

In truth the worst thing I find about the new format is when printing hard copies. Well, ink cartridges aren't cheap, you know! :)

~~ Ghiribizzo

-----#4-------------------------------------------------
Subject: Re: hotmail caveats

Hotmail and other mail providers have never been secure. I know definitely that bigfoot has given out details in the past. Though if you keep your activities legal and low-key you should be OK.

If you want true privacy, get and learn to use PGP (the de facto encryption standard on the internet). Then set up an anonymous account; you need to do the following:

1) Get a capered ISP account to go onto the internet
2) Go to a motel room or some other place away from your home with a modem
3) Generate a nym account with one of the servers and point your email address into a newsgroup. Be sure to use encryption and good remailers. Read the instructions of the nymserver to learn how to set up. Also there are programs out there which automate some of the process. (Private Idaho is one of them)
4) You have now got an anonymous email account. You can throw away the capered ISP account and go back home.

The first 2 steps are just for added security. You only need to do it once, so it may be worth it.

After this you can access your email via USENET - but it IS a pain. Choose a reasonably busy newsgroup to prevent stalkers from logging newsgroup accesses. alt.anonymous.messages (or something similar) was made for this. Instead of directing to USENET you can direct to your own email address, but this is less secure.
~~ Ghiribizzo

-----#5-------------------------------------------------
Subject: Additions to my steg program

My steg program also has a max file size limit as you may have noticed. Try to keep BMP size and data size small. You may find the BMP file format useful for steg:
******************************

I've discontinued working on my projects due to something that has cropped up in 'real' life. I'll try to keep up with this mailing list, but work on cracking and steg will probably slow or stop.

BTW, I realised that I may have taken a completely wrong approach to cracking mathematica, but I'll leave it for now.

~~ Ghiribizzo

=====End of Issue 110===================================
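Article #1 of issue 110 mentions that ftpd's PORT handling was partly fixed. The server-side check that closes the hole is to accept a PORT only when it points back at the client's own control-connection address and at an unprivileged port; the code below is an added example of that check written for this archive, not HalVar's or any ftpd's code, and the peer address 192.0.2.10 is a constructed sample.

```python
import ipaddress


def parse_port_arg(arg):
    """Parse the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command (RFC 959)."""
    fields = arg.strip().split(',')
    if len(fields) != 6:
        raise ValueError('PORT needs six comma-separated fields')
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError('PORT field out of range 0..255')
    host = ipaddress.IPv4Address('.'.join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def port_allowed(arg, control_peer_ip, min_port=1024):
    """Decide whether a PORT command may be honoured.

    Returns (ok, reply). The data connection must go back to the same host
    that opened the control connection, and never to a privileged port, so
    a third party's SMTP/IRC/etc. port cannot be reached through the server.
    """
    try:
        host, port = parse_port_arg(arg)
    except ValueError as e:
        return False, f'501 Syntax error in PORT: {e}'
    if host != ipaddress.IPv4Address(control_peer_ip):
        return False, '500 Illegal PORT command (address differs from control connection)'
    if port < min_port:
        return False, f'500 Illegal PORT command (port {port} is privileged)'
    return True, '200 PORT command successful'


if __name__ == '__main__':
    peer = '192.0.2.10'  # constructed sample: the client's own address
    for arg in ('192,0,2,10,4,1', '198,51,100,5,0,25', '192,0,2,10,0,25', '1,2,3'):
        print(arg, '->', port_allowed(arg, peer))
```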
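Article #5 of issue 110 points out that a BMP steg program has a hard payload limit. As an added example (not Ghiribizzo's program), the code below reads the pixel-data offset from a 24-bit BMP header, derives the one-LSB-per-byte capacity, and embeds or extracts a length-prefixed payload, refusing anything that does not fit; the cover image is constructed in memory so the example runs offline.

```python
import struct


def make_bmp(width, height):
    """Construct a minimal 24-bit BMP (sample cover image, not a real picture)."""
    row = (width * 3 + 3) & ~3                      # rows are padded to 4 bytes
    pixels = bytes((x * 7 + y * 13) & 0xFF for y in range(height) for x in range(row))
    header = struct.pack('<2sIHHI', b'BM', 54 + len(pixels), 0, 0, 54)
    info = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels


def pixel_offset(bmp):
    if bmp[:2] != b'BM':
        raise ValueError('not a BMP file')
    return struct.unpack_from('<I', bmp, 10)[0]     # bfOffBits


def capacity(bmp):
    """Payload bytes that fit using one LSB per pixel byte, minus the 4-byte length prefix."""
    return (len(bmp) - pixel_offset(bmp)) // 8 - 4


def fits(bmp, data):
    return len(data) <= capacity(bmp)


def embed(bmp, data):
    if not fits(bmp, data):
        raise ValueError(f'payload of {len(data)} B exceeds capacity of {capacity(bmp)} B')
    out = bytearray(bmp)
    pos = pixel_offset(bmp)
    for byte in struct.pack('<I', len(data)) + data:
        for shift in range(7, -1, -1):              # MSB first into successive LSBs
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract(bmp):
    pos = pixel_offset(bmp)

    def read(n):
        nonlocal pos
        buf = bytearray()
        for _ in range(n):
            b = 0
            for _ in range(8):
                b = (b << 1) | (bmp[pos] & 1)
                pos += 1
            buf.append(b)
        return bytes(buf)

    (length,) = struct.unpack('<I', read(4))
    return read(length)
```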