Text File | 2000-05-25 | 38.4 KB | 1,039 lines
========================================================
+HCU Maillist Issue: 131                      02/01/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: RE: RE: RE: RE:

ARTICLES:

-----#1-------------------------------------------------
Subject: RE: RE: RE: RE:

<<<<<
>From what I remember this just needs a READWRITE flag set in the source
>code. But I can't remember where I read this.
>>>>>

I think the position of the RW flag in the source code... well, I don't think all compilers/linkers support it. BTW, should you happen to know how to do it with my beloved TASM/TLINK please tell me. I couldn't find a way to do it in some code I made at one point and chose to set the flag manually after linking.

The way this is done (and yes, you should know this if you wish to append code/data to PE files; the essays I've seen so far have either just seen that the flags were set correctly or been lucky that they were) is that the flag is positioned as the last byte in the ObjectTableEntry for the object. Set it to 0E0h and you'll have read, write, exe, which basically means you'll be able to do whatever you like.

As for using the VirtualProtect or VirtualProtectEx APIs to remove the protection, it obviously requires that this function is in the imports or that you've imported it yourself through GetProcAddress (it's in kernel32.dll, which is mapped in all processes, so you don't need to load it :) ). So the above mentioned method of changing flags in the PE file directly is well suited for "foreign targets".

Also, since all well-behaved applications run in ring 3, modifying this flag won't pose a general endangerment of the system, only the process itself (which IMHO is done by all patching anyway) - though..
avoid changing the flags if there is no obvious reason to do so.

<<<<<<<<<
>I've always thought it strange that protectionists never tried to search
>for softice given how easy it can be done and how difficult (if not
>impossible) it would be to hide from a determined programmer.
>I wrote to Quine about this not long ago as he pre-empted one of my
>'concept' protection schemes: basically heavy softice detection with PE
>wrapping. I thought that since most crackers have little experience in
>unpacking PE packed files it would be quite safe also tools were limited at
>the time, but with Quine's SoftDump...
>>>>>>>>>>

Even with Quine's SoftDump or the long-time available dumpers by Patriarch or Jammer it's still pretty hard to unpack PEs. Imports might be mangled, resources, relocations etc.; there is a lot of work to be done. And, well, the PE header is more than 200 bytes large and it needs to be consistent (at least if you wish the unpacked file to run on NT).

Speaking of this, does anybody know how to get from an IAT entry to the name/ordinal of an imported function and the DLL name? (The IAT entry is the exported entry point mapped into the current process's virtual address space; you can assume that I have access to this mapping because it's relatively easy to force yourself into another process's address space :) )

<<<<
>I agree that going to ring 0 is hardly ever necessary. But I remember
>reading the above paragraph somewhere recently. Was it something you wrote?
>Do you know where it is from?
>>>>

The paragraph you're referring to could very well be mine. I wrote something similar to Hanno's Exemailing list in response to the fact that some PE-encrypters are using these unfortunate techniques. Lord Caligo published it on his webpage, ***************************, where you can find it if you're interested in an old man's views and thoughts on encrypting PE-files. If you have not previously dealt with the PE-file only the intro will make sense to you.
On a totally different note: +RCG's VxD techniques to hook certain functions are IMHO ill-behaved cracking. There is no need for ring 0 in the specific situation, and in the general case there are many other ways of intercepting "hostile" APIs. This does however not change the fact that I found the essay interesting and fairly well written; it's just not a method that should be taken into consideration before all else fails, and all MEANS all. There are extremely many tricks that can be applied to solve situations where +RCG's solution would be possible. Maybe if you guys find it particularly interesting I'll write a doc or something on "Pseudo residency and hooking APIs from ring 3".. :)

Stone / United Cracking Force '98

=====End of Issue 131===================================

========================================================
+HCU Maillist Issue: 132                      02/02/1998
========================================================

CONTENTS:

#1 Subject: Pseudo residency and hooking API's from ring 3"..
#2 Subject: Re....Re
#3 Subject: Netscape
#4 Subject: Netscape Source
#5 Subject: Symantec's protection

ARTICLES:

-----#1-------------------------------------------------
Subject: Pseudo residency and hooking API's from ring 3"..

Stone, I'm VERY interested in your essay "Pseudo residency and hooking API's from ring 3". Please do by all means write it as soon as you have some time...

later
fravia+

-----#2-------------------------------------------------
Subject: Re....Re

Hi Stone,

I would like very much your comments/critics about the bad use of the VxD for cracking purposes. You know how many protections were being defeated in our beloved MSDOS using TSR programs, because in some cases there was no other solution.
I know that protections in W95/NT are far from these levels of sophistication, but I think soon protectionists will begin to use more powerful techniques; in fact a good protection using Hasp/Sentinel can't be removed if you haven't certain privileges like IO access/interception.

BTW 99% of us use a ring 0 utility to reverse programs. I know you and Quine don't agree with me because you are using NT; sure you are right, because I have never used it before and surely many things I don't care about under W95 can be dangerous in NT.

All right, my advice is not to use such techniques to crack programs, but at least you must know it can be an extreme solution.

Finally, would you describe briefly your idea to intercept APIs using only a standard application? I'm very interested to know it.

regards
+rcg
rcg__(at)usa(point)net

PD. Please forget my latinmail address, our high technology is so good. :-(

-----#3-------------------------------------------------
Subject: Netscape

Just a bit of info. Netscape says they will be releasing their client source code by the end of the first quarter '98. That should make for some interesting ideas.

Joe Dark

-----#4-------------------------------------------------
Subject: Netscape Source

Ok, I just read on.. they plan on releasing the source code for Netscape Communicator 5.0.

Joe Dark

Maybe we'll be able to fix some of the bugs it's bound to have.

-----#5-------------------------------------------------
Subject: Symantec's protection

Hi there Rezident !!!

Way back you wrote about unlocking the NU trial. I have recently spent some time on it and I can't jump over anything, I just end in the same place all the time. Can you or someone else tip me on that?

BTW: it uses some strange procedure calling method, anyone noticed that ???
Greets
KUBAK

=====End of Issue 132===================================

========================================================
+HCU Maillist Issue: 133                      02/03/1998
========================================================

CONTENTS:

#1 Subject: Re: Pseudo residency
#2 Subject: new project

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: Pseudo residency

> Stone,
> I'm VERY interested in your essay
> Pseudo residency and hooking API's from ring 3
> please do by all means write it as soon as
> you have some time...

I'm sorry to say that I do not intend to write an essay; however I might write a doc if I find the time.. :)

> Hi Stone, I would like very much your comments/critics
> about the bad use of the VxD for cracking purposes.
> You know how many protections were being defeated in
> our beloved MSDOS using TSR programs, because in some
> cases, there were no other solution. I know that
> protections in W95/NT are far from these levels of
> sophistication, but I think soon protectionits will
> begin to use more powerful technics, in fact a good
> protection using Hasp/Sentinel can't be removed
> if you haven't certain privileges like IO access/
> interception.
> BTW 99% of us use a ring 0 utility to reverse
> programs.

It's a well known fact that a system debugger (which IMHO is the most important cracking tool) is by definition a ring 0 utility. However there is a reason that I don't have my very much loved WinIce loaded by default on either my Windows 95 or Windows NT. They are a source of instability, a source that I can live with when cracking but a source that I'm not happy to have when I use my PC as a general purpose tool, to write school papers etc.
> I know you and Quine don't agree with me because
> you are using NT, sure you are right, because
> I have never use it before and sure many things
> I don't care about under W95 can be dangerous in NT.
> All right, my advice is not to use such technics
> to crack programs, but at least you must know
> it can be an extreme solution.

Obviously the ring 0 approach can be used as an extreme solution. But as you point out, Windows copy protection is not yet far developed and I've yet to see a program that required the use of a ring 0 component after I had been done with it. The exception is of course when copy protection is built directly in ring 0 and for various reasons can't just be peeled off. Ring 0 protections obviously have great strength but they do also come at a great price. A price so high it's my firm belief that it shouldn't be done.

The analogy you make to MSDOS TSRs doesn't quite hold. You are in Windows offered plenty of other angles of attack, angles that did not exist in MSDOS. The whole import system is something begging for abuse, and that is abuse from ring 3! Another solution on the Windows 95 platform is that of unprotected memory areas. While this is to some extent analogous to using ring 0 schemes it's not quite as dangerous. (I'll publish some source code on this topic on my webpage next time I get around to updating it.)

The essence of what I'm saying here is that ring 0 should only be used when it's strictly unavoidable. And in 99.9% of all application cracking the finished crack should rely only on ring 3 code. My reluctance to give ring 0 code its rights in cracking does not mean that I did not find your essay interesting; it is.

In short, the method of hooking APIs from ring 3 relies on forcing yourself upon the virtual address space of the "target" and setting its IAT to suit your own purposes :) At least 5 methods exist in which you can get around this from ring 3!
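The two PE structures Stone's messages turn on, as an added example (this is not code from the list or from Stone): the section table entry whose last byte he sets to 0E0h in Issue 131, and the import directory that maps an IAT slot back to its DLL and function name or ordinal, which is the question he asks there and the redirection he describes here. The script below is a small PE32 walker over a constructed in-memory image; field offsets are those of the documented IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER, IMAGE_IMPORT_DESCRIPTOR and IMAGE_IMPORT_BY_NAME layouts, while the function names, the sample image built by build_sample_pe and its two KERNEL32 imports are the example's own. It works on the file image, not a live process, so the IAT slots still hold the pre-load thunk values; in a running process the same slot sits at image base plus RVA and holds the resolved address.

```python
import struct

IMAGE_SCN_MEM_RWX = 0xE0000000     # IMAGE_SCN_MEM_EXECUTE | MEM_READ | MEM_WRITE
IMAGE_ORDINAL_FLAG32 = 0x80000000  # thunk imports by ordinal rather than by name

def _pe_offset(img):
    """File offset of 'PE\\0\\0' (e_lfanew is the dword at DOS header + 0x3C)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew

def sections(img):
    """Parse the 40-byte section headers; Characteristics is the last dword."""
    pe = _pe_offset(img)
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    first = pe + 24 + struct.unpack_from("<H", img, pe + 20)[0]  # after optional header
    out = []
    for i in range(nsec):
        off = first + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        out.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                        rawsize=rawsize, rawptr=rawptr, chars_off=off + 36,
                        chars=struct.unpack_from("<I", img, off + 36)[0]))
    return out

def _rva_to_off(img, rva):
    """Translate an RVA to a file offset through the section that contains it."""
    for s in sections(img):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA %#x is in no section" % rva)

def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")

def set_section_rwx(img, name):
    """OR 0xE0000000 into the section's Characteristics, so its top byte reads E0."""
    for s in sections(img):
        if s["name"] == name:
            new = s["chars"] | IMAGE_SCN_MEM_RWX
            struct.pack_into("<I", img, s["chars_off"], new)
            return new
    raise KeyError(name)

def imports(img):
    """Yield (dll, iat_slot_rva, 'Name' or '#ordinal') per IAT slot: walk each
    descriptor's OriginalFirstThunk (names) in lockstep with FirstThunk (IAT)."""
    pe = _pe_offset(img)
    imp_rva = struct.unpack_from("<I", img, pe + 24 + 104)[0]  # DataDirectory[1], PE32
    desc = _rva_to_off(img, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0 and ft == 0:          # an all-zero descriptor ends the list
            return
        dll = _cstr(img, _rva_to_off(img, name_rva))
        names = _rva_to_off(img, oft or ft)    # some linkers leave OriginalFirstThunk 0
        for i in range(1 << 16):
            thunk = struct.unpack_from("<I", img, names + 4 * i)[0]
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                what = "#%d" % (thunk & 0xFFFF)
            else:                              # IMAGE_IMPORT_BY_NAME: WORD Hint, then Name
                what = _cstr(img, _rva_to_off(img, thunk) + 2)
            yield dll, ft + 4 * i, what
        desc += 20

def hook_iat(img, dll, func, new_value):
    """Overwrite the IAT slot for dll!func and return the value it held. In a live
    process image_base + rva holds the resolved address a ring 3 hook redirects."""
    for d, rva, what in imports(img):
        if d.lower() == dll.lower() and what == func:
            off = _rva_to_off(img, rva)
            old = struct.unpack_from("<I", img, off)[0]
            struct.pack_into("<I", img, off, new_value)
            return old
    raise KeyError("%s!%s" % (dll, func))

def build_sample_pe():
    """Constructed PE32: one .idata section importing two KERNEL32 entries."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                           # e_lfanew
    pe, opt, sec, b = 0x40, 0x40 + 24, 0x40 + 24 + 224, 0x200        # b = raw offset of RVA 0x1000
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    struct.pack_into("<H", img, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<I", img, opt + 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 104, 0x1000, 40)                # import directory
    struct.pack_into("<8sIIII", img, sec, b".idata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, sec + 36, 0x40000040)                  # INITIALIZED_DATA | READ
    struct.pack_into("<IIIII", img, b, 0x1028, 0, 0, 0x1040, 0x1034)   # descriptor, then a null one
    struct.pack_into("<III", img, b + 0x28, 0x1050, IMAGE_ORDINAL_FLAG32 | 42, 0)  # INT
    struct.pack_into("<III", img, b + 0x34, 0x1050, IMAGE_ORDINAL_FLAG32 | 42, 0)  # IAT
    img[b + 0x40:b + 0x4D] = b"KERNEL32.dll\0"
    img[b + 0x50:b + 0x61] = b"\0\0VirtualProtect\0"                   # Hint + Name
    return img
```

Run against build_sample_pe(), imports() reports KERNEL32.dll!VirtualProtect at IAT RVA 0x1034 and KERNEL32.dll!#42 at 0x1038; set_section_rwx(img, ".idata") turns 0x40000040 into 0xE0000040, i.e. the byte at offset 39 of the section entry becomes E0; hook_iat() then swaps the slot contents and hands back what was there, so a chaining hook can keep the original. Against a real file the same walker works unchanged on the bytes of the executable; against a running process the slot must be made writable first (VirtualProtect, or the section already flagged RWX) before the write.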
Stone / United Cracking Force '98

-----#2-------------------------------------------------
Subject: new project

Hi all,

I started to work on a project that combines two difficult things like encryption and Visual Basic. It is similar to the Instant Browse scheme, the 1997 HCU strainer. It is called Component Source and it has several software components on a CD. We choose a particular component and we have to phone giving a reference ID program to get a working password that will enable the decryption process. The program is written in VB4 and the CDs are available for free at ************************

Has anyone already worked on it?

Greets
+PopJack

=====End of Issue 133===================================

========================================================
+HCU Maillist Issue: 134                      02/04/1998
========================================================

CONTENTS:

#1 Subject: none
#2 Subject: VxD's in protection and deprotection - and ring 3 measures!
#3 Subject: Marx Crypto Box
#4 Subject: VRamDir
#5 Subject: Component Source

ARTICLES:

-----#1-------------------------------------------------
Subject: none

Hello KUBAK,

> Way back You wrote about unlocking NU trial. I have recently spent
> some time on it and I can't jump over anything, i just end i the
> same place all the time. Can You or someon e else tip me on that.
> BTW: it uses some strange procedure calling method anyone noticed
> that ???

I could try to dig out my writings on this, but I suggest you go to the snippets page at fravia+'s page of reverse engineering, where ThunderLord has written a nice piece about how to do it.
The URL is: *************************************************

Hope it helps!

Cya,
+ReZiDeNt

-----#2-------------------------------------------------
Subject: VxD's in protection and deprotection - and ring 3 measures!

I'm sorry to say, Fravia, but I'm not much of an essay writer. I might write a doc though when I get the time.

+RCG: I do not believe that your analogy with MSDOS TSRs quite holds. First, in the MSDOS days we were dealing with a single task system. That is, the cracker's responsibility was limited to the program in question. A TSR could simply be loaded prior to running the program and unloaded afterwards, or be made in the form of a loader. While this is to some extent true with dynamic VxDs too, the problem I see is that other processes have this VxD running as well. Furthermore, the API interface provided in DOS was the interrupt structure, making this angle of attack a natural one; however in Windows the API interface is not one of interrupts and such an angle no longer becomes natural in a sense. And as a last comment to this analogy I think it's important to remember that in all but the early days TSR cracks were thought of as less fortunate cracks than the byte patch. (E.g. many games groups spent countless hours removing int 2fh protection schemes while a small, commonly available TSR worked quite well: cd2emu, fakecd and others. This was not a coincidence.)

A key distinction that I'd like to enter here is the time of the cracking and the time of the use. While cracking I see no problem in using a ring 0 tool. We are expecting instability while cracking; heck, in the MSDOS days I used to say that it wasn't a fun crack if I didn't have to reboot at least once. Another thing is the time of use. The goal of the cracking process must be to provide the best possible solution at all times for the end user. This to me means providing something as close as possible to what he/she would've gotten had he/she bought the program legitimately.
Adding a factor of instability to his/her entire system is IMHO as far away from this principle as you can get. The cracker's use of ring 0 tools while cracking is not a violation of the above mentioned principle. However I cannot rule out that a program might come along where a ring 0 angle is the only angle of attack. However I'd have to say that I've been around; I've seen a few heavy protection schemes in my time, and all but those which themselves relied on VxDs I was able to resolve without the use of "use time" ring 0 code. The amount of available ring 3 interception techniques is massive and they should be exhausted prior to wimping out and going ring 0.

The use of ring 0 techniques for protection purposes is IMHO a surrender of the programmer. It's plain bad karma. It's like selling a car stereo without telling the customer you removed the airbag to install it. However, knowledge is never bad. So I fully support spreading knowledge about VxDs, telling how they could be used by a cracker or in a protection scheme. However in the same breath we should give the instructions for proper use of such techniques (which in 99.9% of all cases is no use).

Well, enough about why not to use ring 0 and on to how you can actually avoid using it. As each PE file is loaded, each DLL it uses is mapped into its virtual address space and a table of addresses for each requested API function is made (this table is called the IAT). The trick is to force your own code into the address space of the process where you wish to do damage :) ... then find the IAT and redirect the entries you wish to hook to your own code, possibly even chaining the original API. Since the IAT need not be at a fixed address we're forced to enter the process prior to the imports being loaded. Many methods of doing this from ring 3 exist. 5 at least, not all well suited from a cracking point of view. Well.. it's beyond this forum to get more greasy than this.. so I'll leave it at that.
While on the subject of abusive ring 3 code: I'll put the source code for a Windows 95 trainer on my WebNote later tonight. The technique that this uses can also serve as a ring 3 substitute.

kind regards
Stone / United Cracking Force '98

-----#3-------------------------------------------------
Subject: Marx Crypto Box

Dr. Fuhrball, I hope you're on the mailing list...

>>>>
The device uses a pic16 processor (low voltage with 2mhz oscillator) and an 8kbit eeprom, both devices made by Microchip Inc. But it's even better, because when I soldered enough wires to the microprocessor and stuck it in the pic burner, I was able to read out the entire contents of the processor chip. This is secure????? And the same thing goes for the data inside the eeprom.
<<<<

I've never actually seen a dongle before. From your description it seems that there are two main components, the PIC and the E^2 module. Reading the E^2 isn't much of a problem, but I don't understand the PIC. Which PIC was it? I thought they all had code protection?! Surely they set the flag! Though having seen their software protection in your essay it wouldn't surprise me if they hadn't...

Could you elaborate on the data in the PIC and E^2? I'm just wondering why it would need an extra 8kbit of storage. How does the PIC address the external memory? I didn't think it could do this, at least not the PIC16C85 (I suppose technically you could use a couple of bits on a port for I/O but the software on the PIC to handle this would be horrendous!).

If you've discovered a new and EASY (i.e. cheap) way to bypass the code protection flag I'd be VERY interested to hear it. :)

~~ Ghiribizzo

-----#4-------------------------------------------------
Subject: VRamDir

When I first cracked VRamDir, I didn't have IDA so I just searched for 40771B and changed that to give me more time (in fact I changed it to give me less time, 2 minutes, so that I could check that it worked).
After reading the recent essay on VRamDir, I decided to download it again and take another look. I tried the same trick again (you could write a generic patcher to search and replace the string). I noticed something rather interesting:

If you change the 6840771b00 to 68cccccccc to give you lots of time, the information is written straight to disk (i.e. VRamDir doesn't work).

If you change it to the value around 2 minutes (I can't remember exactly what I chose) you get the message as expected (I didn't test whether it works properly to begin with).

At first I thought it might be some checksum so I changed a random byte in the file, but it worked as normal. Not a checksum over the whole file then.

I changed the string to 684077ff66 and it works! 684077ff99 doesn't work.

I haven't looked into why this happens yet, but I thought I'd mention it in case anyone was interested. The thing is, the author could have hidden the fact that the program wasn't working much better, and then I would have thought I had cracked it and would go on merrily using the program...

~~ Ghiribizzo

-----#5-------------------------------------------------
Subject: Component Source

Hi +PopJack and everyone else,

I have also just started to look at Component Source. My concern is that the decryption may require a brute force approach. Anyone with any information on the encryption/decryption method used?

Regards All
basE+mEtaL

=====End of Issue 134===================================

========================================================
+HCU Maillist Issue: 135                      02/05/1998
========================================================

CONTENTS:

#1 Subject: Modifying the file...
#2 Subject: RE: PIC processors
#3 Subject: Marx Crypto Box

ARTICLES:

-----#1-------------------------------------------------
Subject: Modifying the file...

Hi!

My friend Cruhead and I were talking about a protection, a program which could modify itself on disk when running...

The main idea is:
You run the proggie.
The proggie checks some things, and then writes some data into itself on the HDD...
The program then exits...

We'd like to use just one EXE, without any DLLs or any other files...

Does anybody know anything about this?

Thanx!
Pero

-----#2-------------------------------------------------
Subject: RE: PIC processors

It turns out that Dr. Fuhrball is not on the mailing list. I contacted him by email and this is his reply (edited). I won't post any more messages from this thread unless someone really wants me to, as it is straying from software reverse engineering and you may not be interested.

>>>> Begin message

>it? I thought they all had code protection?! Surely they set the flag!
>Though having seen their software protection in your essay it wouldn't
>surprise me if they hadn't...

answer 1) these people really are total morons. Sad really
answer 2) they set the protection flag, and did not verify that they could no longer read the data back out. Even sadder.

and the chip is a pic16c55 and the eeprom is a 93aa76

>(I suppose technically you could use a couple of bits on a port for I/O but
>the software on the PIC to handle this would be horrendous!).

The eeprom is where among other things the 540 bytes of memory storage for the key is used. Also the pre-calculated and/or/xor/... for the two encryption methods is stored. And you bet that serial e squared are icky devices. Just sent fravia the first rev of the dongle hardware essay....

>If you've discovered a new and EASY (i.e. cheap) way to bypass the code
>protection flag I'd be VERY interested to hear it.
:) there are definitely people out there that can lift the code out of these devices regardless of the protection flag. for example interesting-devices.com and the various paul maxwell king sites

but its time fravia and crew start expanding their horizons into the fun business of dallas 5000's and atmel 89c52's. These guys think they are good, we will see. There have got to be others than AXA and BG.

<<<< End message

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Marx Crypto Box

Hi Ghiribizzo and all,

I've seen your comments on the dongle and it reminded me of the chips used in satellite video decryption (the 18c84 and family). There are proggies made to emulate and program those chips. Just have a look at *************************** and related links. Maybe it is just a long shot but it is worth the try.

Greets
+PopJack

=====End of Issue 135===================================

========================================================
+HCU Maillist Issue: 136                      02/06/1998
========================================================

CONTENTS:

#1 Subject: Re: Modifying the file
#2 Subject: Component Source
#3 Subject: PICs
#4 Subject: nesbitt sharelock

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: Modifying the file

You would need to consider the implications of file sharing etc., but one way is:

Consider a COM file in DOS.
Read from memory the name of the file (from the PSP).
Check to see if you can get the file.
If not, reconstruct the path and try again.
Open and write the file as usual.

Putting counters in the exe file itself has some advantages (e.g. against filemon).
If you're writing in an HLL, e.g. C++, try this:

    #include <iostream>

    // Print every argument; argv[0] is the path the program was started with.
    int main(int argc, char **argv)
    {
        for (int i = 0; i < argc; i++)
            std::cout << "argument " << i << ": " << argv[i] << std::endl;
        return 0;
    }

The one to watch out for is argument zero. I'm sure you get the idea..

~~ Ghiribizzo

-----#2-------------------------------------------------
Subject: Component Source

Hi +PopJack/basE+mEtaL,

I've been having a look at the Component Source protection/encryption system over the last day or two. I agree it would be an interesting one to try.

From what I can see so far, the decryption routine is written in Visual C++ 4/5 and stored in the OLE Control file "CSDEC32.OCX". This appears to be quite convenient since it does away with the need to reverse all that horrible VB code.

Initially, the Unlock Code is concatenated and strupr'd. Then a routine is called to replace each letter/number with an integer equivalent (taken from a list). First point: the U/LCode doesn't allow for i, 1, o or 0s, presumably to prevent users from becoming confused when entering a code. This leaves 31 characters.

From this point on, there are two main routines (other than the inevitable ReadFile and WriteFile ones). Following the location and creation of a temporary file with the base "SRC", the routine proceeds to generate a series of pseudo-random numbers seeded by the Order Reference. These are then "combined" with the Encoded Unlock Code using the first routine. The second main routine seems (although I haven't been able to confirm this yet) to do the actual decryption, using the original Combined Encoded Unlock Code and further values generated from it.

Have you or anyone else any other info regarding this? I agree that a brute force technique may be required, but I suspect that we may be able to avoid attempting to decrypt the entire file. There is a good chance that the encrypted file is in fact an executable (in most cases) and once it is decrypted, the VB parent just executes its contents.
Any further suggestions or help would be gratefully appreciated since I've been spending way too much time staring at pages of disassembly of math code.

------ Noose

-----#3-------------------------------------------------
Subject: PICs

I'll take a look at the satellite site. Though I doubt that they actually managed to read the info from the PIC itself. In fact this method wouldn't be that good for stealing subscriptions as you would need a valid card in the first place.

A friend of mine has broken the satellite encryption system. Although he's got some microprocessors to do the job now, I must say it's an awesome sight to see wires leading from the satellite box into his computer as it decrypts data on the fly! I just wish I had an ICE... :(

There ARE ways of reading from a PIC. The last time I checked none of them were easy or cheap :(

~~ Ghiribizzo

-----#4-------------------------------------------------
Subject: nesbitt sharelock

I found an app that uses Nesbitt ShareLock, but I was not able to get the private key. Keyboard Navigator, the program that Razzia talked about in issue 109, was really easy to find the key for: all you had to do was open the file in a hex editor. If anyone can help me on how I should look for the key (on where I should breakpoint), it would help. The program is MouseTool 1.53 ********************. The only thing different is that it uses an OCX control (ShrLk20.ocx).

Ace

=====End of Issue 136===================================

========================================================
+HCU Maillist Issue: 137                      02/07/1998
========================================================

CONTENTS:

#1 Subject: Component Source
#2 Subject: Re: Subject: Undercover Investigators on IRC
#3 Subject: followup on server hackers

ARTICLES:

-----#1-------------------------------------------------
Subject: Component Source

I've looked a bit further into the CSDec32.ocx file and I'm under the impression that this is either a DES encryption or a variant of it. If it is, then it appears to be a fairly sturdy encryption (high bit-length keys) which would be v. hard to brute-force.

One thought does occur to me though. It may be possible to reduce the decryption down to a smaller routine which does not attempt to convert a typed Unlock Code to the DES key required, but instead uses a direct decryption of the data (also avoiding decrypting the entire program would help). Even then, I can't imagine that this would take a "sensible" amount of time.

Any thoughts?

------ Noose

-----#2-------------------------------------------------
Subject: Re: Subject: Undercover Investigators on IRC

Hi Code-X,

read your message in +HCU Maillist and due to the *****'s instead of the URL I have one question: Can you send me the URL via ICQ (UIN 5777852) or perhaps per email?

NiKai

-----#3-------------------------------------------------
Subject: followup on server hackers

just for fun - here is the latest on the hacking that was done on the server i USED to love getting my email at... *apparently the feds arent real good at this one ;) *

here is the message i got when i logged in today:

This computer system is for authorized users only.
Individuals using this system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded or examined by any authorized person, including law enforcement, as system personnel deem appropriate. In the course of monitoring individuals improperly using the system or in the course of system maintenance, the activities of authorized users may also be monitored and recorded. Any material so recorded may be disclosed as appropriate. Anyone using this system consents to these terms.

---

as much as i hate some kid ruining an otherwise very nice server i used to use for everything - i gotta laugh at these obviously useless 'trackers' since they obviously have no clue what happened to them ....but there are so many more useful uses of a computer system than deleting all its files... (especially since there are ways to turn the user accounts there into full unix shells...)

+gthorne

/**************************************************\
 Greythorne The Technomancer
 WebSite: *****************************
 OrcPaks: ******************************************
\**************************************************/

=====End of Issue 137===================================

========================================================
+HCU Maillist Issue: 138                      02/08/1998
========================================================

CONTENTS:

#1 Subject: none

ARTICLES:

-----#1-------------------------------------------------
Subject: none

Hi there,

it's an easy Sunday morning and after surfing deep in Fravia's pages, I found the gate to this list. So this is my first posting to this fine list here.
I read through all the archives of this list to get a feeling about you all and I think it's time to throw in some thoughts.

1. I tried to get my hands on the component-source stuff too, but wasn't very successful with it. As Noose said they might use some DES encryption this would imply several things: DES is a symmetric encryption method, meaning for en/decryption you use the same keys only in reverse order. Because the stuff is on a CD-ROM there must be a 'master en/decryption pair'. I think the keys you have to enter will generate these 'master keys' and then use them to actually decrypt the stuff on the CD-ROM. Maybe this is a way to go.

2. Beside the component-source stuff, I have 'hacked' (or better, made it work within some constraints) the FlexLM stuff. I hope you know this commercial license system. It's mostly used for high-price software which runs on several different platforms. I didn't try to hack the keys or something like this. FlexLM uses the network-adapter ethernet address to identify a machine. So if you have a valid key for one machine it's very easy to use the same key on another machine. I have done this under NT. The way to go is to write a fake network driver which will respond with the wrong ethernet address if asked for it. That's it. The drawback is of course that you need a valid key from somewhere... and you have to install the fake driver to your actual driver. However, I think there are a lot of commercial licensing systems which use the ethernet address. How about a generic driver which can find out from which application the request came, makes a look-up in a small database and responds with the appropriate ethernet address but uses the correct ethernet address if you want to do networking.

3. And last but not least, I have made some licensing system myself. It's not complete yet but it does work quite well.
I would like to know if there are some people out there, how

=====End of Issue 138===================================

========================================================
+HCU Maillist Issue: 139 02/09/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: PIC's microchip and others

ARTICLES:

-----#1-------------------------------------------------
Subject: PIC's microchip and others

Hi all,

An excellent article with references can be found at
***********************************************

Regards
basE+mEtaL

=====End of Issue 139===================================

========================================================
+HCU Maillist Issue: 140 02/10/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: winhelp32 and evtl. linking (fravia)
#2 Subject: info
#3 Subject: Re: nesbitt sharelock

ARTICLES:

-----#1-------------------------------------------------
Subject: winhelp32 and evtl. linking (fravia)

complete and latest version of winhelp32 with the search bug fixed (borland)
*****************************************************************
5.6 mega unzip to 24 mega

well, if you already knew it, you knew it :-)

+Zer0, +Malattia, d'you want me to link to the hcu maillist repository? If so, d'you want me to do it in BEST/MIDDLE/NOT EVIDENT position? This could boost cracker participation and/or boost lamers, I dunnow.
later
fravia+

-----#2-------------------------------------------------
Subject: info

I need some info about the Dongle _Hard Lock E-Y-E FAST III made in Glenco..Thanks.
My E-Mail **************

-----#3-------------------------------------------------
Subject: Re: nesbitt sharelock

Hi Ace,

i d/l yesterday MouseTool and worked on it. I tried to register it with WinIce, but i didn't find the key. At my second attempt i had to patch MouseTool because MouseTool caused a GPF (i don't know why). I patched at 4084EB one byte from 7C to EB. Then i patched Shrlk20.dll, because there's the whole war of the bytes. In Shrlk20 i went to the Module "DoRegistration". There i patched at E729D9 one byte from 74 to 75. The nag-screen is gone now. But where is the key? Perhaps one of the advanced crackers can help. I hope this little description can help you.

BTW, i am the next 3 weeks on holiday. So long, see (read) you in March.

NiKai
______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 140===================================
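Both Noose's post in issue 137 and point 1 of the first post in issue 138 guess at a two-level design: the typed unlock code derives a key that unwraps a master key, and the master key decrypts the data. The following is an added illustration of that design, not code from the list, from Component Source or from CSDec32.ocx. Python's standard library has no DES, so an HMAC-SHA256 counter-mode keystream stands in for the block cipher; every name, salt, code and data value is constructed for the example.

```python
import hashlib
import hmac
import os

# Added example: unlock-code -> key-encryption key -> master key -> content.
# The keystream below is a stand-in for the block cipher (DES in the posts);
# the structure of the scheme, not the cipher, is what this shows.


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher).
    The same call both encrypts and decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def kek_from_unlock_code(unlock_code, salt):
    """Derive the key-encryption key from the typed code with PBKDF2.
    The scheme is only as strong as the set of possible unlock codes,
    however long the derived key is."""
    return hashlib.pbkdf2_hmac("sha256", unlock_code.encode(), salt, 100_000)


def wrap_master_key(master_key, unlock_code, salt):
    """Vendor side: encrypt the master key under the KEK and append an HMAC
    tag, so a wrong code is detected instead of producing a garbage key."""
    kek = kek_from_unlock_code(unlock_code, salt)
    wrapped = keystream_xor(kek, b"wrap", master_key)
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return wrapped + tag


def unwrap_master_key(blob, unlock_code, salt):
    """Client side: verify the tag first, then recover the master key."""
    kek = kek_from_unlock_code(unlock_code, salt)
    wrapped, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kek, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong unlock code or tampered key blob")
    return keystream_xor(kek, b"wrap", wrapped)


def encrypt_content(master_key, plaintext):
    """Encrypt the bulk data under the master key with a fresh nonce."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(master_key, nonce, plaintext)


def decrypt_content(master_key, blob):
    return keystream_xor(master_key, blob[:16], blob[16:])


def demo():
    """Round trip with the right code, and rejection of a wrong one.
    Returns (recovered_plaintext, wrong_code_was_rejected)."""
    salt = b"constructed-salt"          # constructed
    master_key = b"\x01" * 32           # constructed
    unlock_code = "ABCD-1234"           # constructed
    wrapped = wrap_master_key(master_key, unlock_code, salt)
    content = encrypt_content(master_key, b"component source archive")
    recovered = decrypt_content(unwrap_master_key(wrapped, unlock_code, salt), content)
    try:
        unwrap_master_key(wrapped, "ABCD-1235", salt)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return recovered, wrong_rejected


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the structure: the content key can be as long as the cipher allows, but anyone holding the disc only has to guess the unlock code, so the code's length and alphabet set the real security margin; the authentication tag on the wrapped key is what lets the program tell a wrong code from a corrupt disc.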
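Point 2 of the first post in issue 138 describes node-locked licensing that identifies a machine by its ethernet address. The following is an added illustration of that kind of check and of the obvious hardening (a signed license bound to a fingerprint built from several host identifiers, not one); it is not FlexLM's format or key handling, and the vendor secret, hostids and license layout are all constructed for the example.

```python
import hashlib
import hmac

# Added example: a hypothetical node-locked license. The vendor signs
# (product, host fingerprint, expiry) with an HMAC; the client recomputes
# the fingerprint from what it observes and checks signature, expiry and host.

VENDOR_SECRET = b"example-vendor-secret-not-real"   # constructed
SEP = "|"


def host_fingerprint(identifiers):
    """Combine several host identifiers (dict name -> value) into one hash so
    that presenting a single borrowed value, e.g. another machine's ethernet
    address, does not reproduce the whole fingerprint."""
    canonical = SEP.join(f"{k}={identifiers[k]}" for k in sorted(identifiers))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_license(product, fingerprint, expires, secret=VENDOR_SECRET):
    """Vendor side: license string = body + HMAC tag over the body."""
    body = SEP.join([product, fingerprint, str(expires)])
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + SEP + tag


def check_license(license_str, identifiers, now, secret=VENDOR_SECRET):
    """Client side: returns (ok, reason). Signature is checked before any
    field is trusted, so an edited expiry or host is rejected as 'bad signature'."""
    try:
        product, fp, expires, tag = license_str.split(SEP)
    except ValueError:
        return False, "malformed"
    body = SEP.join([product, fp, expires])
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if now > int(expires):
        return False, "expired"
    if fp != host_fingerprint(identifiers):
        return False, "wrong host"
    return True, "ok"


# Constructed identifiers for two machines.
HOST_A = {"ethernet": "00-11-22-33-44-55", "disk_serial": "WD-AAA111", "hostname": "buildbox"}
HOST_B = {"ethernet": "66-77-88-99-AA-BB", "disk_serial": "ST-BBB222", "hostname": "laptop"}


def demo(now=1_000_000):
    """Exercise the check: own host, other host, other host reporting only
    host A's ethernet address, expiry, and an edited expiry field."""
    lic = issue_license("mousetool", host_fingerprint(HOST_A), now + 86400)
    parts = lic.split(SEP)
    parts[2] = str(now + 10 * 86400)         # edit expiry without re-signing
    tampered = SEP.join(parts)
    return {
        "own_host": check_license(lic, HOST_A, now),
        "other_host": check_license(lic, HOST_B, now),
        "spoofed_mac_only": check_license(lic, dict(HOST_B, ethernet=HOST_A["ethernet"]), now),
        "expired": check_license(lic, HOST_A, now + 2 * 86400),
        "tampered": check_license(tampered, HOST_A, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The caveat is the one the post itself demonstrates: every identifier in the fingerprint is read from the client machine, so the check can only confirm that the client reported the expected values, not that they are real. Combining several sources raises the effort needed to present a foreign identity and makes a one-off substitution of the ethernet address insufficient, but a client-side check of any kind is a deterrent, not a guarantee.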