How to Hack Cyber-Time Software
by Waphle/Managahtzul
In this article, I will explain what Cyber-Time is, the coolest way to hack it, and how anyone can get the admin password in no time flat.
Then I go into detail about some other hacks that also need to be fixed. And I finish with some nonsensical ravings of a teenager with girl problems.
Cyber-Time Software is the preferred time-restriction program used by Internet cafes and other net clubs that offer access to T1 networks on souped-up computers for a $5/hour fee. The reason it is so popular is that the site (www.cybertimesoftware.com) offers a fully operational download.
The software has two main parts: a server-side to sell hours and monitor customer usage, and a client-side that will lock a computer until a customer logs in.
The installation requires that the client-side computer have read/write access to the installation directory on the server. That gives the client computer:
- Access to the password hash of Cyber-Time.
- The ability to run server programs from the client computer.
I found the hash to be stored in: C:\CT5\DB GLOBAL INFORMATION.DBF
(C:\CT5 is default installation.)
The hash is kinda embedded at the end of the rather small file. (It contains the admin login name and password only.) I couldn't find a hash cruncher that could make heads or tails of it, so I did what any 2600 reader would do. I made my own.
It took a few hours to understand how the algorithm was encrypting the passwords/accounts but the fact that it didn't add any random characters to the hash made it a lot easier. So here's the coding table for alphanumeric accounts and passwords.
I didn't want to mess around with all the ASCII possibilities. Compare the position of a hash character in the string so it will correlate to the character at left. (i.e., password ABCDE = hash 6T2FG, clever; but obviously not enough.)
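Added example, not part of the original article and not Cyber-Time's code: a small audit that tests a credential encoder for the two properties noted above (no random characters added, and each output character tied to one input position) and contrasts it with a salted PBKDF2 record. The toy encoder, its arithmetic and all function names are constructed for illustration.

```python
import hashlib, hmac, os, string

ALPHABET = string.ascii_uppercase + string.digits
ITERATIONS = 100_000  # illustrative work factor for the example

def toy_positional_encode(password: str) -> str:
    """Constructed stand-in (NOT Cyber-Time's table): each output character
    depends only on the input character and its position; no salt."""
    n = len(ALPHABET)
    return "".join(ALPHABET[(ALPHABET.index(ch) * 7 + 5 * (pos + 1)) % n]
                   for pos, ch in enumerate(password))

def salted_kdf_record(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the form 'salt_hex$digest_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_kdf_record(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def audit_encoder(encode) -> dict:
    """Report the properties that make a per-position lookup table feasible."""
    base, changed = "ABCDE", "ABXDE"          # inputs differ only at index 2
    a, b = encode(base), encode(changed)
    deterministic = encode(base) == a         # same input, same output: no salt
    same_len = len(a) == len(base) and len(b) == len(changed)
    # One changed input character alters exactly one output character.
    positional = same_len and [i for i in range(len(a)) if a[i] != b[i]] == [2]
    return {"deterministic": deterministic,
            "length_preserving": same_len,
            "position_independent": positional}

if __name__ == "__main__":
    print("toy positional:", audit_encoder(toy_positional_encode))
    print("salted PBKDF2: ", audit_encoder(salted_kdf_record))
```

An encoder that reports True for all three checks is a reversible encoding rather than a password hash, and should be replaced with a salted, slow KDF before the credential file is exposed on a share that clients can read.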
Encryption Table for Master Admin Account/Password
A = 6SZ~~~~m~maSZ~~
B = 8T0++++B+BbT0++
C = <Z2____C_CVZ2__
D = ,04FFFFvFvW04FF
E = /2]GGGGwGwX2]GG
F = |4{HHHHxHxY4{HH
G = :]~IIIIyly)}~II
H = o{+JJJJ)J(*{+JJ
I = p~_KKKK&K&^~_KK
J = q+FLLLL%L%$+FLL
K = r_GMMMM£M£!_GMM
L = sFHaaaaNaNnFHaa
M = tGlbbbbObOUGIbb
N = zHJVVVVuVuAHJVV
O = 1IKWWWWcWcDIKWW
P = 3JLXXXXdXdEJLXX
Q = [KMYYYY5Y56KMYY
R = }La))))7)78La))
S = #Mb****9*9<Mb**
T = =aV^^^^>^>,aV^^
U = -bW$$$$.$./bW$$
V = eVX!!!!\!\|VX!!
W = fWYnnnn;n;:WYnn
X = gX)UUUU@U@oX)UU
Y = hY*AAAAPAPpY*AA
Z = i)^DDDDQDQq)^DD
1 = K&£5555r5rS&£55
2 = k^!6666S6Ss^!66
3 = L%N7777s7sT%N77
4 = I$n8888T8Tt$n88
5 = M£O9999t9tZ£O99
6 = m!U<<<<Z<Zz!U<<
7 = aNu>>>>z>z0Nu>>
8 = BnA,,,,0,01nA,,
9 = bOc....1.12Oc..
0 = j*$EEEERERr*$EE

The best way to get customer login names and passwords is to do a search for the backups (*.CTB) that store the passwords in cleartext. Or once the Admin password is snatched, use the customer server program to view the passwords.
Note that all that was done to hack Cyber-Time so far was to download the program, read the manual, and use Notepad to look through all the files as the hack required the use of InCtrl5 (www.nttoolbox.com).
InCtrl5 is very useful for detecting Trojans and stuff that likes to do things sneaky without telling you (like adding a line to your AUTOEXEC.BAT that formats your computer).
Cyber-Time's server-side has an anonymous function that will only let you make about 240 transactions before the package expires. So I set out to find it. And, using InCtrl5, I found that it was making changes to two keys in the Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\CT5\BDE_MODE
- HKEY_LOCAL_MACHINE\System/CurrentControlSet\Control\WinBuild\\BuildAddr
As I learned more about InCtrl5, I got it to actively listen to the changes as I kept making transactions with a fictitious customer and I figured out (quite simply) that the correlation between the key data and the remaining days had a pattern.
So I once again made a coding table. Now, on my computer the chart let me make up the "number" bXs for 999 that did let me make 999 saves to my fictitious customers. But when I tried to impress my buddies at "cyberhouse" by adding the extra saves to the software... it crashed and said the package had expired. So I am pretty sure that every installation creates a new coding table, but still, you can use the above method to just decode it each time.
Date Tracking Counter Encryption Table
Digit   100   10    1
9       b     X     s
8       B     w     S
7       a     W     r
6       m     v     R
5       M     V     q
4       l     C     Q
3       L     v     p
2       k     B     P
1       K     a     o
0       m     @

Example: bXs = 999, l@Q = 404
A capital N will mean negative.
Well, that about covers the elite hacks. The rest are pretty lame, but they are effective and if you're thinking about purchasing the software you should at least know of them.
The evaluation copy will alert you that you are using a demo copy every time you log in. When this happens, stick in a CD that has AutoRun on it. The AutoRun will play over the prompt and you can play whatever's on it. Another method is to log in, click O.K. on the silly prompt, double-click on the game to be played, then log out, log back in, and wait at the message for the game to load. This will work on any game that takes a few seconds to load a CGI intro.
If your cafe has the registered version of Cyber-Time, the demo warning will not appear. Most owners can't refuse the urge to put their own little message in its place.
The second way to defeat it is to log in and (if running NT) log out of the computer and click Cancel. This will get you into the computer, but all the useful shortcuts are gone.
The third way is to log in, then (turn the volume down) restart the computer and hit Ctrl+Alt+Del like crazy until you get the Task Manager up, then close the CUSTOMERMONITOR.EXE program. And of course, if they are witty they will change its name to something like KEYBOARDDRIVER.EXE, etc. But you're not stupid, are you?
The fourth way is totally wrong and may or may not have the effect of letting you on the system. Just work your way up to the server's C:\CT5 directory and delete everything. That will cause some damage and will probably freeze the server. Thus when your time expires nobody will be kicked off but the server will be totally fubar and will need a backup to restore from if not a full installation.
The fifth way is almost as bad for the computer. Give the system a hard reboot, and either rename the C:\CT5 directory, or do the Task Manager ploy.
And of course, if you know the admin or an employee password you can just log in and the program will close. You won't show up on the customer usage screen logged in as admin. Rather, the client-side customer monitor will simply close itself, thus allowing you to play undetected.
Anyway, I am tempted to say this took me weeks of time to accomplish, but in truth I started on this about two days ago and I've had amazing luck or intuition or something but it has been a rush the whole time and I'm really not as smart as what it may look like.
And if I may, I would like to say that my girl is stressing me. Anything I do pisses her off and she never seems happy to see me. I told her about my hacking a long time ago and she didn't like it so I stopped. But not anymore since she doesn't seem to want me. I've taken up a few old habits and I can't stop ripping till midnight! Oh... wait, that was like three hours ago...
Another thing, small update... It has been four days now, and I made a few final changes to this article and would like to mention that I've shaved my head and eyebrows in an effort to express my frustration with the opposite sex.