Paid To Popup Hacking Articles: May 2008

Dual Boot Leopard and Windows Vista

Disclaimer: This guide is for educational purposes only; I suggest you buy yourself an original Mac. Also please do not post links to the torrents, as they will be removed.

You will need

* Vista already installed on your primary hard disk.
* Mac iATKOS v1.0 DVD. (Do not ask me where you can download this.)
* Windows Vista boot DVD (just in case something goes wrong).

Installation
* Install Windows Vista on the first partition of your hard disk.
* Right-click on My Computer and click on Manage. Select Disk Management. Now create a new volume for Mac OS X by shrinking an existing volume. You need at least 5GB of space, and the new volume should show up as Unallocated.
* Make sure that the partition shows up as Unallocated; otherwise repeat the previous step.
* Now restart the machine and boot into the Mac Leopard DVD that you burned from the iATKOS v1.0 DVD image.
* Press F8 as the countdown begins, type -v at the prompt and hit Enter.
* You should see scrolling text on the screen now.
* After a while you should be looking at the Mac Leopard installer. Follow the instructions on screen.
* Once the loading bar vanishes, select Utilities -> Disk Utility.
* Select the volume you created previously and format it as Mac OS Extended (Journaled). Once the formatting is done, the volume is ready for installation.
* Now close Disk Utility and select Utilities -> Darwin Boot. Type Y at the prompt.
* When it asks for the disk number, enter 0. For the partition number, if your Mac Leopard partition is 2nd on the disk, enter 2, and so on.
* Accept the following prompts and you should see a success message saying that so many blocks of data were written successfully.
* Now get back to the Leopard install screen. Choose the partition that you made in the beginning and follow the instructions on screen.

Please don't select any patches etc. during the installation; this is normally the reason for most failed installations. Just the plain install will do.
* Once the install is done, reboot with the Mac DVD in the drive. Press F8 at the Darwin boot loader, type -s and press Enter.
* Execute the following commands:

fdisk -e /dev/rdisk0
flag 1
quit
reboot
* Now, before the PC restarts, remove the DVD. At this point you should be able to boot into Windows Vista normally.

* Now that we have almost everything running fine, let's proceed with the dual-boot setup.
* Boot into Windows Vista. Copy the chain0 file from the Leopard DVD to C:\.
* Open the Command Prompt with elevated (administrator) privileges from the Start Menu.
* Type the following into the prompt:

bcdedit /copy {current} /d "Mac OS X"
bcdedit /enum active
bcdedit /set {GUID} path \chain0

In the first command, type {current} literally, with the braces and nothing else. In the 3rd command, however, replace {GUID} with the alphanumeric GUID you see in the enumerated list under "Mac OS X"; that list is printed on your terminal as soon as you run the 2nd command above.
* Close the Command Prompt and restart Windows Vista.
* You should now be looking at a screen with two options, to boot into Mac OS X or Vista.
* Select Mac OS X to see if you can boot into it. You should see the familiar Darwin boot loading screen with the timer counting down. If you don't do anything, it counts to zero and shows the menu with the Windows Vista and Mac OS X options again. Don't panic!

Again select Mac OS X, and now, as the timer counts down, press F8. You will see a list of the partitions on your disk with their names. Select the partition with Mac OS X installed using the up/down arrows and press Enter.
* Your Mac should be booting up as you read this.

MAC OS Leopard 10.5.1

Download the installation ISO (PC-EFI built in) from Mininova. You can find it by searching for iATKOS v1.0i (it is about 2.09 GB).
Once the download is done, burn the ISO to a DVD at a very slow speed.
Pop in the DVD, boot from it via the BIOS and follow the on-screen instructions.
Select the appropriate packages, based on your hardware, and then proceed.
Installation might take about an hour or so, so grab yourself a cup of coffee while Leopard installs.


Your CPU must meet one of these conditions for this installation method:

* Non-Core Intel processors: no PC-EFI for you.
* Core-based processors: required for PC-EFI to work.
* AMD processors are not supported at this time.

Installing Leopard MAC OS

Installing Leopard

* Burn the DVD image onto a single-layer DVD-R using software such as Nero.
* Format the USB flash drive and set the drive label to "Patcher" without the quotes. Please note it has to be "Patcher" only and nothing else for the patch to work when we apply it later.
* Extract the Zip file and put its contents onto the USB flash drive.
* Your USB drive should now contain a folder called "files"; if it doesn't, check to see where you have gone wrong.

* Now that you have the patched DVD with you, you can install Leopard. Put the DVD in the drive and boot from it by pressing F12 at the BIOS prompt.
* Boot into the DVD and the installer should now load. It takes a while, though, so be patient.
* Select your language, make sure you select Customize, and deselect all the packages that are displayed.
* Leopard will now install. This can take a while, so go grab yourself a coffee.
* It will ask you to reboot, so go ahead and reboot. Before rebooting, make sure that the USB flash drive is connected to the PC.

* Now that you have Leopard installed, you need to patch it. To do that, boot into the Leopard DVD the way you did before.
* Wait for the Darwin bootloader to load. Once it loads up, press F8. You should now see a prompt. Type -s and hit Enter. The DVD will now load in verbose mode. Watch for any errors. It should load without a problem because you have already installed Leopard.
* Once the setup is loaded, select your language. You should now be seeing the Welcome screen. From there navigate to Utilities -> Terminal.
* Once the terminal loads up, you need to browse to your USB drive, so type the following in the Terminal exactly as it appears below (notice the space between cd and the two dots):
cd ..
cd ..
cd Volumes
cd Patcher
cd files
* Now it's time to run the patcher to make sure Leopard will work on your PC. Type the following into the Terminal: ./9a581PostPatch.sh
* The patch should now run. You can answer Yes when it asks to remove ACPUPowerManagement.kext.
* After the script is done, you should be able to boot into Leopard after you restart.

Installing MAC OSx86

IMPORTANT: DOWNLOADING MAC OSX86 (a prepatched MAC OSX 10.4.8 install image) IS ILLEGAL. Don't ask me where you can download OSX86: not in a comment, not by e-mail, not by phone, not by sending a telegram and not by any other way you can imagine.

You need a processor that supports at least SSE2 to make this work.
You can check this with a program called CPU-Z (http://cpuid.com/cpuz.php).

Got at least SSE2? Go on and install MAC OSX 10.4.8 on your computer (If you already have a working 10.4.8 configuration, scroll down to read the steps about updating to 10.4.9):

1. Get a prepatched MAC OSX 10.4.8 install image.
2. Burn the image to an empty recordable DVD (+R or -R).

Use your favorite burn program for this (I recommend Nero Burning Rom or Alcohol 120%)

3. Make sure that you've backed up all important data on your computer. In the next few steps we're going to format your hard disk and install OSX; this means that good old Windows and all data on the hard disk will be removed.

4. Insert the OSX install disk and reboot your computer.

5. Make sure you boot from the DVD. When the grey Apple stops spinning (this can take up to 15 minutes), select your language (I'll choose English for this guide).

6. On the top of the screen, click ‘Utilities’ and then ‘Disk Utility’.

7. Disk Utility starts. Select your Hard Disk (the whole Hard Disk, not just a partition). Hit the erase tab and set the Volume Format to “Mac OS extended (journaled)”. Hit Erase.

8. Wait until the process finishes and close Disk Utility (by clicking the red dot at the top left corner of the screen).

9. Follow the installation steps on your screen, select the HD with the partition you made in step 6 and don’t forget to choose ‘customize’ if your install DVD has a customize button. In the Customization window, select either the Intel or OSX. Choose more packages if they apply.

10. After finishing the installation, wait for the computer to reboot, remove the install disk and start playing with your native MAC OSX installation!

11. You now have a fully working MAC OSX 10.4.8 system.

Stay anonymous on the web


By MAx, member of :MPD: (c) 1998 MAx [4d5044]

Note: This tutorial will teach an average user how to keep all his
essential info limited so that attacks from hackers can't be made.

Shout outs: Myth, leader of MPD, u rule dude; all members of MPD; and
everyone else I should shout out to, you know who you are.

The topics:
1. What are packets.
2. How an HTTP proxy works.
3. Getting an HTTP proxy.
4. How to secure HTTP packets.
5. How to edit what OS and Mozilla info is sent.
6. Getting a socket proxy.
7. How socket proxies work.
8. Cookies.
9. Final note.
-----------------------------------------------------------------------

1. What are packets.

Packets are very simple. On the net there are millions of users now, and for
security and other reasons there must be a way of telling one user from
another. This is done by packets. Packets are used whenever you connect
to a remote server/system; they identify who is connecting.
An example of an HTTP packet:
( [Connect from MAx.mpd.com]
[206.14.13.32] (Mozilla/4.05 [en] (X11;I;Linux 2.0.34 i586) on December
2, 1998 at 14:34:45 )
Now I'll tell you what it is saying, if you don't know.
*Note* (HTTP packets are the way you send info through the web
browser whenever you connect to a server/machine/site.)
[Connect from MAx.mpd.com] - this is my host
[206.14.13.32] - this is my IP
(Mozilla/4.05) - the version of Mozilla I'm using
(X11;I;Linux 2.0.34 i586) - the OS (operating system) and version of
the OS I'm running
[on December 2, 1998 at 14:34:45] - the date/time
Now you know how it works; this is one way hackers get all the info they
need on your computer to hack it.
We don't want this any more, so anonymous proxies were invented to
keep users on the net secure. Using anonymous proxies isn't
100% secure, as the hacker still has means of getting your real
IP/host/OS (I'll talk about that later), but it makes it very hard for a hacker
to get your IP/host once you are behind a proxy.
HTTP isn't the only kind of packet; there are also socket packets, which
I'll talk about later.

2. How an HTTP proxy works.
An HTTP proxy is actually a server. When it is set up in your browser,
whenever you want to go to a site, the browser connects to the proxy server
first and then the proxy server connects to the site you want to go to,
thus leaving no evidence of you on the site, just the proxy server.
(Don't worry: once you set up a proxy, you don't have to type in the
proxy first, go there, and then type the site you want to go to. :) It
doesn't work like that. Once you have entered the proxy settings in your
browser it will use the proxy automatically; all you have to do is surf the
net. Setting up an HTTP proxy is discussed later.)

3. Getting an HTTP proxy
HTTP proxies are very easily found on the net, as there are many
dedicated HTTP proxy servers around that are free.
I'll give a list of some HTTP proxies for you all; sorry if your
country's proxy isn't here, just search the net for (HTTP proxy)
and you'll find one.
(OK, I'd say I gave out enough; if your local country isn't there, go search
the net, and if you can't find one, use another country's that is close to you.)

4. How to secure HTTP packets
Like I said before, this is a normal HTTP packet:
( [Connect from MAx.mpd.com]
[206.14.13.32] (Mozilla/4.05 [en] (X11;I;Linux 2.0.34 i586) on December
2, 1998 at 14:34:45 )
Now, to make your IP and host anonymous when web browsing, we are going to
use an HTTP proxy with your browser. This is done by going to your options,
finding the proxy settings, and putting the proxy in all
available places in the proxy settings (FTP, HTTP, security, etc.),
except leave the socks part blank: this isn't a socket proxy, it's an HTTP one.
After setting up the proxy in the proxy settings and putting in the
port too, our new packets will look like this:
( [Connect from The_proxies_host]
[The_proxies_ip] (Mozilla/4.05 [en] (X11;I;Linux 2.0.34 i586) on December
2, 1998 at 14:34:45 )
Now you might be thinking, cool :) there is no longer evidence of me on their
server, but damn, they know my OS and version of Mozilla. Later on I'll
discuss how to change that. You might also be thinking, WOW, now I can surf
100% secure on the net. You are not totally right. If a hacker had a real
grudge against you, he now has the IP/host of the proxy you are using.
If he wants your info that badly, he would have to hack
the proxy server and compare the log time of when you logged in to the hacker's
site with the logs of your connection to the proxy server. That is a really
big job, and if you pick a good proxy server they will be very secure from
attacks, so you're pretty much safe.

5. How to edit the OS and Mozilla info sent.

OK, if you're using IE, this is how you would do it.
To see the original settings:
GOTO HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
User Agent = Mozilla/4.0 (compatible; MSIE 4.01; Windows 95; (Your Original Settings))

(Skip this Part here)
GOTO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductName = Microsoft Windows 95
Version = Windows 95


GOTO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
(Your Original Settings Here) = IEAK(Your Original Settings Here)

Example

GOTO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Myth [Unix-Base] = IEAKMyth [Unix-Base]


*Note (this info on how to change the Mozilla and version shown was
given to me by Myth; I didn't make it.)

6. Getting a socket proxy.

OK, socket proxies work like HTTP proxies; the only difference is that
socket proxies are used with programs like ICQ and mIRC, and the packets
are sent through sockets, not HTTP. Getting a socket proxy is a lot harder,
because socket proxy servers have to be dedicated to a certain program,
so the number of users it will get is very limited.
HTTP is always used, because everyone uses the web, so HTTP proxies
are always going to be needed.
To find a socket proxy you can search the net for (socket proxy)
or try certain programs' names, like (ICQ proxy).
Hopefully you will get one.
Socket proxies are useful, as a lot of attacks on users are done
by kids with nukes, spring, ping, smurf, etc., and those will annoy a user
in mIRC or ICQ; both of these programs give any user the possibility of
getting a user's IP/host.
That's why, if you use these, you will want a socket proxy.
A lot of people ask, why don't you just use ident or jizz or something
for mIRC and ICQ? Well, the reason you don't is that there are exploits out
there to crash spoofed hosts/IPs for programs like jizz and ident;
a proxy is a more stable way and more prevention than a spoofer program.

Introducing into the world of cracking

A beginner's tutorial written by ByteBurn

Intro:

What is cracking?
Cracking is, as I like to say, an art, an expression. Everyone can do it, but not everyone can do it well. If you like to crack, you'll see that it isn't easy to understand at first, but after gaining some experience and knowledge it is incredible. If you have learned real cracking you aren't only a cracker; you are more than a cracker. With the art of cracking you'll gain more knowledge about your PC, the programs you run on it and how they work. You'll understand how a program works and how to manipulate it so that it can be useful for you. And that doesn't mean it's illegal.
Of course it's not 100% legal, but it can be useful for you later in life. You gain experience of ASM code, understand how programs and other applications work, and maybe it brings you up to being a programmer? Who knows. But at first you have to learn it step by step. I'll help you with my tutorials and I hope you understand the way I explain it. Excuse my English; I know it's not the best, but I'll do my best.

Step one:

What do we need to crack? Do I need some knowledge about assembler or anything else?
No. I made this tutorial for all the beginners on the net who don't understand anything about
ASM code or the internal workings of applications. Like you and everyone else, I also started with cracking some time ago, and it took much of my time to get to what I know today about cracking.
I think there are many tutorials which are good, and I don't want to say anything against them.
But I think most tutorials are quickly written memory killers with which you can't do anything.
I always had the problem that I didn't understand what they meant. Like, what is a nop, or what do the je, eax, jump signs mean? What do they mean by "jump to BadBoy" and "replace the jump-if-not-equal with the jump-if-equal command"? All these things and many more sometimes made me worry about what I wanted to learn. I thought I'd give up and forget the thing with cracking. But every time I did that, some time later I couldn't, and had to learn the way of cracking. Yes, sometimes you'll think, oh man, what do you mean, it doesn't work! But don't give up. Everyone passed this point and you're not the first and will not be the last one. You have to learn again and again. And then at some point you'll see that what you were doing all that time was good, and you'll be proud of it.

The software we`ll need:

At first the only things we'll need are W32Dasm 8.9 (a Windows disassembler) and HIEW (a good hex editor; I think it'll be the best for you at first). That's all. In the following tutorials (I hope there'll be more from me) I'll explain how to work with SoftICE and how to handle the ASM code. But at first, as a beginning cracker, you only need those two things.

Some knowledge at first:

As you know, it's not very easy to handle all the ASM code, and I think you don't know much about it. So I'll explain the most needed commands.
First we have to know that every two hex digits in the ASM code represent one byte.
For example, the number 75564345 = 4 bytes. The 75 is one byte, the 56 is one byte, the 43 is one and the 45 is one byte. So we have 4 bytes making up the command at this point. If we want to replace them later, we now know that we always have to replace two digits with two other digits. For example, the 75 (in hexadecimal it stands for jne; jne means jump if not equal) we can change to 74 (in hexadecimal it stands for je; je means jump if equal). This is, most of the time, enough to crack a game or to register a program so it'll not say "sorry, invalid password" or something else (please don't think it's always so easy; I take this as a very simple protection). Because if we change the value of 75 (jump if not equal: the application is checking something, like whether there is a CD present in the drive or whether the password is the same as the one saved in the program, and if it isn't right, like there is no CD in the drive or the password you entered is not valid, it will jump to "BadBoy" and the program pops up the error message; by the way, "BadBoy" is, in cracker language, the one who calls the error message)
to 74 (jump if equal, so the program thinks there is a CD in the drive or the password is valid and will jump to "GoodBoy"; GoodBoy is the one who makes the way clear). You have to manipulate the application so it thinks there is a CD present or the password is valid and continues with the program. Remember that the exe runs from top to bottom. So the commands which call the error messages are placed before the error messages. All I mean is that if you found the error message (I'll explain later how to do it), you always have to look up in the ASM code, not down. It's like you: if you read a book or a text, you start on line one and read your way down. The program does the same. It checks from line one of the ASM code to the end of the code whether everything is correct. And if it finds an error at line 9, it jumps down to the "BadBoy". It can't jump up, because there it checked everything and there were no complications. So if you found the error message, look up (before it) and you'll find the command which calls the error message on the screen. OK, now some things about the numbers and things you'll see if you disassemble an exe (here are only the most needful things you have to know at this point):
je (hexadecimal 74) = jump if equal
jne (hexadecimal 75) = jump if not equal
nop (hexadecimal 90) = no operation
call (no single fixed hexadecimal value) = call an operation
jmp (no single fixed hexadecimal value) = jump to a string/operation
These are the five basics we'll need at first. The others I'll explain in later tutorials, when you gain more experience in ASM code.
OK, now we'll take a look at what they do in an ASM code string.

je (jump if equal) jumps to an operation if it found what it checked for.
Example:
The game needs a CD to start the main game. So the "jump if equal" je command checks whether there is a CD in the drive. If there is a CD in the drive it will continue and pass the information on to the commands after it. That's an equal operation. The CD was found (equal) and it continues in the ASM code (jump if equal).

jne (jump if not equal) jumps to an operation (most times a BadBoy, meaning the error message you'll receive on your screen) if it didn't find what it checked for.
Example:
The game needs a CD to start the main game. So the "jump if not equal" jne command checks whether there is a CD present in the drive. If not, it will jump to a "BadBoy" and you'll receive the error message on screen, like "Cannot find CD in drive. Please insert CD and click on OK."
That's a "jump if not equal" operation. The check failed (because it didn't find a CD in the drive), it jumped to the "BadBoy", and the "BadBoy" ends the load process and lets the error message be shown on your screen.

nop (no operation): a nop command kills the current operation, like checking for a CD in the drive or checking whether the password is valid.
Example:
The game needs a CD to start the main game. It's like before, except you set the nop command.
You can replace the jne/je/call/jmp commands with a nop command. The nop will then disable the jne/je/call/jmp command; this means that the program doesn't check whether a CD is present in the drive and continues in the ASM code. The game runs (you can do that, but it's also only a style for simple CD protections).

call (call an operation): a call command does what its name says. It calls a command, which can be an error message, a nag screen... This you can disable with a nop command.
Example:
I don't know what more I can say.

jmp (jump to a string/operation): a jmp command is like a call (not the same, but... you can say it is); it doesn't call commands but jumps to them.
Example:
The jmp jumps to a string/operation which will call an error message, or to a BadBoy... The jmp
you can also disable with a nop command.

I think that's all you have to know for now about the commands in ASM code. In this tutorial we'll deal only with these few commands. That's enough for you at first to crack simple protections (no matter whether CD or password).

About protection schemes:

There are enough protection styles you have to learn about, and learn how to disable.
We have "normal" CD protections (a game checks whether there is a CD present; if not, it'll not start the game), password protections (you have to enter a valid password [most times you find them in trial versions]; if you don't enter a valid password you can't register or start the application),
time locks (most times in trial versions: you have some time to test a program, like three weeks, and after that time it won't start / shows an error message / you have to enter a password to unlock it), and in unusual cases you have to get unlock software from the programmer (the program won't work without the extra software from the distributor; this kind of protection is hard to find). Those are the most usual protection schemes you'll find on your way to becoming a real cracker.
The easiest protections for us to crack are Windows error message boxes (I think so).
It's a Windows message box which will be shown on your screen with some text if you haven't got a CD present or a valid password. This kind of protection you can see in EA applications like NFS / FIFA Soccer / NHL... It's very easy to crack because the only thing you have to do is kill the window (most times with a nop command, or by changing je to jne / jne to je). We can also find this kind of protection in password-locked applications. If you enter an invalid password you'll receive a Windows message box too, which includes a text like "invalid password" or something else. Then we have in-game error messages, which are harder to crack, because W32Dasm shows you only the Windows box messages and not the in-game messages. For this kind of protection we need the SoftICE debugger (I'll explain in later tutorials how to use SoftICE). This kind of protection you can see in games like Commandos / Grand Theft Auto / Descent Freespace. And the time-lock protections can be shown to you as a Windows box and as an "in-game" error message (I'll call them NAG screens). That kind of protection you can see in Paint Shop Pro.
In this tutorial I'll show you how to disable the Windows message boxes with W32Dasm version 8.9 and with HIEW. We'll crack WinRAR and WinRAR95 (maybe a game too, like Anno 1602 or anything else; I don't know how much time I'll get and whether the tutorial would become too long).

Beginning with cracking:

Now let's start with the main thing you want to learn: cracking. I'll show you now how to handle the basic commands of W32Dasm 8.9 and HIEW. We'll crack WinRAR95.exe now (we'll make a fully registered version of the trial). First we start the program. We're in.
What can we see? First we can see, at the top of the window, "WinRAR (unregistered version)".
That's very good for us, because the "unregistered version" status behind the "WinRAR" tells us
that it is unregistered, and that it'll not be shown if it is registered. Now we click on "Options"
and then on "Register". Now you can see a Windows box (these are the kind of boxes I mean which are easy for us to crack). Now enter in the text boxes whatever you want, like "Test" as the name and "12345" as the number, and click on OK. You'll hear a sound and another Windows box pops up which tells you "Registration Failed". That's all we want to know. Close WinRAR95 and go to your MS-DOS box. Now, in Norton Commander (you can use Windows Commander too), make two copies of your WinRAR95.exe: one named WinRAR95.w32 (for W32Dasm 8.9) and one named WinRAR95.exx (a saved copy in case you change the wrong bytes).
Now I'll explain why we make these copies. It's very easy. If you disassemble an exe like WinRAR95 and you're working in W32Dasm 8.9, you can't run the WinRAR95.exe at the same time in HIEW or in Windows Explorer. You make a second copy named WinRAR95.w32 (you can call it what you want, it doesn't matter, but it's good if you can see it's for W32Dasm). This copy you'll disassemble with W32Dasm, and you can start the original exe in Windows or change the bytes in HIEW at any time. The second copy, WinRAR95.exx, is only a backup copy. If you change the wrong bytes in HIEW or anything else so that it won't run, you can replace WinRAR95.exe with WinRAR95.exx and try again (remember, it's always a "trial and error" technique). OK, once you have made the two copies, start W32Dasm 8.9. Now click on the first button at the top (or click on "Disassembler" and then on "Open file to disassemble"). A window pops up and you can choose the file you want to be disassembled.
Change your directory to your WinRAR directory and click on WinRAR95.w32.
Now W32Dasm starts the disassembling process (if you have low system memory or low disk space it'll take some time). You can always click on the button in the middle of the screen called "Cancel Disassembly", which will abort the disassembling process. Once the exe is disassembled, it may be that you see no "normal" characters but lines written in Wingdings.
Don't worry, you can change your font. Click on "Disassembler", then on "Font" and finally on "Select Font". Now you can choose the font you'll use in W32Dasm. I think the best one is Arial. Change the font. Now you have your selected font in W32Dasm. Click a second time on "Disassembler", "Font" and then on "Save default Font" (if you don't do that, at your next disassembled file you'll have to change the font a second time). Now you see the ASM code. It will not tell you much, because you don't know what all the commands mean. Now click on the button next to the "Print" button called "Strn Ref" (String Data References). A window pops up. Now you can see all the error messages you can receive from the exe. Do you remember what WinRAR said when you entered the wrong code? It said "Registration Failed". Now look at the text and search for the message. Got it? Double-click on it. In W32Dasm you'll be warped to the position in the ASM code which pops up the error message you receive on your screen when you enter the wrong code.
If you did it right, you should be looking at a screen like this:

:00413A8F 6A6A                    push 0000006A
:00413A91 E863640000              call 00419EF9
:00413A96 59                      pop ecx
:00413A97 50                      push eax
:00413A98 FF7508                  push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00413A9B E8120B0100              Call 004245B2
:00413AA0 33C0                    xor eax, eax
:00413AA2 A358674200              mov dword ptr [00425758], eax
:00413AA7 A338564200              mov dword ptr [00425638], eax
:00413AAC A34C564200              mov dword ptr [0042564C], eax
:00413AB1 EB56                    jmp 00413B09

* Referenced by a (U)nconditional or (C)onditional Jump at Address:   <--------- This is our one
|:00413A82(C)
|

* Possible StringData Ref from Data Obj ->"WinRAR"

:00413AB3 68D86A4200              push 00426AD8
:00413AB8 FF359C644200            push dword ptr [0042649C]

* Reference To: USER32.SetWindowTextA, Ord:0000h

:00413ABE E86B0A0100              Call 0042452E

* Possible Reference to String Resource ID=00048: "normal"

:00413AC3 6A30                    push 00000030

* Possible Reference to Dialog: ARCINFODLG, CONTROL_ID:006C, ""

This is the asm code you should see on your screen when you double click on "Registration Failed".
Now remember what I said some lines before: the asm runs from top to bottom (I like to call it T2B, hehe). That means the jne/je we have to change is somewhere above. But how do we know which one it is? We could try changing every one we see (trial and error), or we use the "Goto CD Loc" (Goto Code Location) button at the top. Click on it and a little window pops up. At the bottom right of the window is a text box "Code Offset (Hex)". Now take a look at the asm code. We can see the line "* Referenced by a (U)nconditional or (C)onditional Jump at Address:" and, on the next line, the address we need: "|:00413A82(C)". That's the number we have to enter in the code location window: 00413A82. At this address we'll find the jump that sends us to the error message every time we enter the wrong code. Click on OK in the code location window.
Now you are somewhere higher up in the asm code. The bar is on the line that makes us jump to the message. It's a jne (jump if not equal). The bar has changed its color to green (it only does that on jumps/calls). Now look at the bottom of the screen. There is a line which looks like:

Line:34985 Pg 467 of 998 Code Data @:00413A82 @Offset00013082h in File:Winrar95.w32

The only thing we have to remember is the number after @Offset: it's 00013082 (the bar has to be on the jne). Write it down (you don't have to remember all the leading zeros; 13082 is enough). OK, now go to HIEW (you don't have to close W32Dasm). It doesn't matter which exe you start (H.exe or H95.exe). In HIEW (it's like Norton Commander) you can browse through the directories. Go to your WinRAR directory and click on your WinRAR95.exe. Hmm, don't know what that is, huh? Press F4 (select mode window) and then choose "decode". The screen changes. You can now see all the jne/je/eax... commands. Press F5. In the top left corner you can now enter the @Offset number (you wrote it down a few seconds ago). Here it doesn't matter whether you type the leading zeros or only 13082. Type 13082. You are at the jne command. Now press F3 (edit). Now you're able to change the value. Change it from 75 (jne) to 74 (je) and press F9 (update). Then press F10.
You have changed the value of the jne. Now you can test whether it works. Click on your WinRAR95.exe.
The program starts. Now do the same as before: go to Registration and enter any name and code. Click on OK. What happens? No more error messages? A pop-up window tells you that your registration was successful. The message at the top next to WinRAR (Unregistered Version) has been killed and you're fully registered. OK, that was one way. But there is a second one: we can also kill the Unregistered status at the top of the window. We'll do that now.
Load your uncracked backup copy of WinRAR95. If you start it you can see a message at the top which tells you that it's an (unregistered version). Go to W32Dasm and load your WinRAR95.w32 file. Now click on the String Data References button. Look for "(unregistered version)" (it has to be exactly "(unregistered version)", because there are two of them!). Found it? Double click on it. You are warped to the point where it is. It's like before; you have to do the same thing as before. You see the "* Referenced by a (U)nconditional or (C)onditional Jump at Address:" line? Click on the "Goto Code Location" button and enter the number. It's 00418AAA; click on OK. You are warped to the point which lets the asm code jump to the message if it is not registered. It's also a jne (jump if not equal) command. Write down the @Offset number; it's 000180AA (you can leave out the leading zeros). Go to HIEW, load your WinRAR95.exe, press F4 (decode), then F5 (goto), enter 180AA and press Enter.
You're at the jne command. Change the value of the jne to je (75 to 74), save it and leave HIEW.
Remember that if you want to manipulate an exe like WinRAR you have to close WinRAR on the Windows desktop, or you'll receive a message like "error only read mode". Now that you have changed the value you can test whether it works. Start your WinRAR95.exe and you see that the message is gone. We killed it. Now you have no message at the top and you can enter any name and code and it'll unlock WinRAR95. You have to do the same on the normal WinRAR. Every time you want to crack a simple protection you can use this way: change jne/je to je/jne, or nop it.

Remember the basics:

You have to remember the basics. If you want to crack a game or an application, start it and look at which kind of error message you receive. If it is a Windows message box you can crack it with W32Dasm. If it is an in-game error message you had better crack it with the soft-ice debugger.
Remember the error message and make two backup copies of the start.exe: one called *.exx (if you nop or manipulate anything wrong, so that it won't run or has errors, you can rename the original exx file back) and one called *.w32 (this file is for W32Dasm; you have to use it for disassembling with W32Dasm). Then go to W32Dasm and disassemble the w32 file of your start.exe. Once it is disassembled click on the String Data References button and look for the error message you received on the screen (you can also click on search and enter a keyword like "sorry" or "unable"...). If you find it, double click on it. In the asm code, enter the "* Referenced by a (U)nconditional or (C)onditional Jump at Address:" number in the Goto Code Location window. Once you have been warped to the location, write down the @Offset number (you can leave out the leading zeros). Start HIEW and load the exe. Press F4 and go to decode. Press F5 and enter the @Offset number (no matter whether you do that with the leading zeros or without them). Once you have been warped to the place where the jne/je/jmp/nop is hidden, you can change the jne to je or the je to jne, or you can nop a jmp/call (you can also nop a je/jne command, but before you do that try whether it runs with just changing the value). Save it and leave HIEW. Start your program and see if it works. If not, you did something wrong. Try to nop or change other values. If there is no "Referenced by a (U)nconditional or (C)onditional Jump at Address:" number you have to trace some lines up and look for call/jmp/jne/je commands you can nop or change.

How to nop:

Now I'll explain how to nop commands. Nop stands for "No Operation". If you have any call/jne/jmp/je command you can nop it. The rule for nop is: every two hex digits are one byte. That means if we have a number like E8992344 we have 4 bytes there that we want to change. E8 is one byte, 99 is one byte, 23 is one byte and 44 is one byte. Replace the number with 90909090. If you do that in HIEW, don't worry when you enter the first 90 and it flips one line down. Enter the other three 90s and save it. Likewise you can nop a 7456 (je) with 9090 or a 7589 (jne) with 9090. It doesn't matter whether it is a jne/je/jmp/call. Sometimes you'll see je/jne commands in numbers like F5848976 (I don't know if that is a correct command, but I want to show you what to do if you ever see a long je/jne command like this); in that case you can change only the 84 after F5 (84 is like 74 = je) to 85, and the other way round (85 to 84). What I'm saying is that you don't have to nop it. Most times you have to nop call commands. Or jmp (jump) commands.

Last words:

That's the end of my tutorial. I think I forgot much of what I wanted to say, but if so I'll say it in the next tutorials. My next tutorials will cover how to handle the soft-ice debugger / how to read the asm code under W32Dasm and get the valid code from it / how to get keys from programs with soft-ice / how to crack with soft-ice / more explanation of asm code and much more. I hope you enjoyed my tutorial; I know it wasn't easy because my English is worse than bad. I hope you now know a little bit more about cracking. And if you have some questions or any ideas for my next tutorials, or what I can do better, then please mail me at: ByteBurn@onecooldude.com
You can reach me on IRC EFnet #DHR. I am not often online, but when I am online I am always in the DHR channel, which stands for Dephenderz/DephStarz. They are always looking for cracker/gfxA/coder and the other stuff that can be useful for a crew. So I hope we'll meet on EFnet! My greetings go to: Mues_Lee, NetLeaDer, ByteFaker, insEOK`98, _Anubis_, LordRaiden, scamp, KingR-TLF, Anne, Linda, Laurie, to all cracking groups, to every cracker and to every newbie who wants to be a good cracker. AND THE DHR CREW! The tutorial was written in 3 hours (with breaks of some days); in this time I enjoyed the music of DJ Q-Bert,
the great private tape of Hermann (Flying Steps B-Boy member), thanks for sharing it with me, Cold Cutz Crew Elite DJs and the other East-Coast dudes who make the best music in da world.
So I'll end here. Grab any girl and do something fine, hehe. Happy cracking, peace out, chill'in.
Rock the Planet and be TRU 2 THE GAME!

West Berlin City

DHCP FAQ

Author
John Wobus, jmwobus@syr.edu (corrections welcome)

Date
3/28/96

This file
http://web.syr.edu/~jmwobus/comfaqs/dhcp.faq.html

Questions

1. General
1. What is DHCP?
2. What is DHCP's purpose?
3. Who Created It? How Was It Created?
4. How is it different from BOOTP or RARP?
5. Why shouldn't clients assign IP numbers without the use of a
server?
6. Can DHCP support statically defined addresses?
7. Can a BOOTP client boot from a DHCP server?
8. Can a DHCP client boot from a BOOTP server?
9. Is a DHCP server "supposed to" be able to support a BOOTP
client?
10. Is a DHCP client "supposed to" be able to use a BOOTP server?
11. Can a DHCP client update its DNS entry through DHCP?
12. Can a DHCP server back up another DHCP server?
13. When will the server to server protocol be defined?
14. Is there a DHCP mailing list?
15. In a subnetted environment, how does the DHCP server discover
what subnet a request has come from?
16. Where is DHCP defined?
17. What other sources of information are available?
18. Can DHCP support remote access?
19. Can a client have a home address and still float?
20. How can I relay DHCP if my router does not support it?
21. How do I migrate my site from BOOTP to DHCP?
22. Can you limit which MAC addresses are allowed to roam?
23. What are the Gotcha's?
2. Info on Implementations
1. What features or restrictions can a DHCP server have?
2. What freeware DHCP servers are available?
3. What commercial DHCP servers are available?
4. Which vendors of client software currently support DHCP?
5. What are the DHCP plans of major client-software vendors?
6. What Routers forward DHCP requests?
7. What Routers include DHCP servers?
8. What Servers forward DHCP requests?
9. Which implementations support or require the broadcast flag?
10. How can I run Windows 95 without a DHCP server?
11. Do any servers limit the MAC addresses that may roam?
12. What are the Gotcha's specific to various implementations?

Answers

1. General
1. What is DHCP?

DHCP stands for "Dynamic Host Configuration Protocol".
2. What is DHCP's purpose?

DHCP's purpose is to enable individual computers on an IP
network to extract their configurations from a server (the
'DHCP server') or servers, in particular, servers that have
no exact information about the individual computers until
they request the information. The overall purpose of this is
to reduce the work necessary to administer a large IP
network.
3. Who Created It? How Was It Created?

DHCP was created by the Dynamic Host Configuration Working
Group of the Internet Engineering Task Force (IETF; a
volunteer organization which defines protocols for use on the
Internet). As such, its definition is recorded in an
Internet RFC and the Internet Activities Board (IAB) is
asserting its status as to Internet Standardization. As of
this writing (March 1996), DHCP is an Internet Proposed
Standard Protocol and is Elective. BOOTP is an Internet Draft
Standard Protocol and is Recommended. For more information on
Internet standardization, see RFC1920 (March 1996).
4. How is it different from BOOTP or RARP?

DHCP is based on BOOTP and maintains some backward
compatibility. The main difference is that BOOTP was designed
for manual pre-configuration of the host information in a
server database, while DHCP allows for dynamic allocation of
network addresses and configurations to newly attached hosts.
Additionally, DHCP allows for recovery and reallocation of
network addresses through a leasing mechanism.

RARP is a protocol used by Sun and other vendors that allows
a computer to find out its own IP number, which is one of the
protocol parameters typically passed to the client system by
DHCP or BOOTP. RARP doesn't support other parameters and
using it, a server can only serve a single LAN. DHCP and
BOOTP are designed so they can be routed.
5. Why shouldn't clients assign IP numbers without the use of a
server?

It is theoretically possible for client machines to find
addresses to use by picking an address out of the blue and
broadcasting a request to all the other client machines to
see if any of them is already using it. AppleTalk is designed
around this idea, and Apple's MacTCP can be configured to do
this for IP. However, this method of IP address assignment
has disadvantages.
1. A computer that needs a permanently-assigned IP number
might be turned off and lose its number to a machine
coming up. This has problems both for finding services
and for security.
2. A network might be temporarily divided into two
non-communicating networks while a network component is
not functioning. During this time, two different
client-machines might end up claiming the same IP
number. When the network comes back, they start
malfunctioning.
3. If such dynamic assignment is to be confined to ranges
of IP addresses, then the ranges are configured in each
desktop machine rather than being centrally
administered. This can lead both to hidden configuration
errors and to difficulty in changing the range. Another
problem with the use of such ranges is keeping it easy
to move a computer from one subnet to another.
6. Can DHCP support statically defined addresses?

Yes. At least there is nothing in the protocol to preclude
this and one expects it to be a feature of any DHCP server.
This is really a server matter and the client should work
either way. The RFC refers to this as manual allocation.
7. Can a BOOTP client boot from a DHCP server?

Only if the DHCP server is specifically written to also
handle BOOTP queries.
8. Can a DHCP client boot from a BOOTP server?

Only if the DHCP client were specifically written to make use
of the answer from a BOOTP server. It would presumably treat
a BOOTP reply as an unending lease on the IP address.

In particular, the TCP/IP stack included with Windows 95 does
not have this capability.
9. Is a DHCP server "supposed to" be able to support a BOOTP
client?

The RFC on such interoperability (1541) is clear: "In
summary, a DHCP server: ... MAY support BOOTP clients,"
(section 2). The word "MAY" indicates such support, however
useful, is left as an option.
10. Is a DHCP client "supposed to" be able to use a BOOTP server?

The RFC on such interoperability (1541) is clear: "A DHCP
client MAY use a reply from a BOOTP server if the
configuration returned from the BOOTP server is acceptable to
the DHCP client." (section 3). The word "MAY" indicates such
support, however useful, is left as an option.
11. Can a DHCP client update its DNS entry through DHCP?

No. There has been some discussion about adding this ability
to DHCP.

(Note: as far as I can tell, the DNS needs no protocol update
since the server already tells the clients how long they can
use the information they receive; what is really needed is a
DNS server that can make fuller use of this feature and that
cooperates with a DHCP server, perhaps through the use of
some new "DHCP-server-to-DNS-server" protocol).
12. Can a DHCP server back up another DHCP server?

This is the purpose of the "server to server protocol" (see
next question). I know of no other way that you can keep a
"hot" spare server in synch with your production server.
However, it is possible that some server vendors have
addressed this issue with their own features.
13. When will the server to server protocol be defined?

The DHC WG of the IETF is actively investigating the issues
in inter-server communication. The protocol should be defined
"soon".
14. Is there a DHCP mailing list?

There are several:

List                       Purpose
----                       -------
dhcp-v4@bucknell.edu       General discussion: a good list for
                           server administrators.
dhcp-bake@bucknell.edu     DHCP bakeoffs
dhcp-impl@bucknell.edu     Implementations
dhcp-serve@bucknell.edu    Server to server protocol
dhcp-dns@bucknell.edu      DNS-DHCP issues
dhcp-v6@bucknell.edu       DHCP for IPv6

The lists are run by listserv@bucknell.edu which can be used to
subscribe and sign off. Archives for the dhcp-v4 list (which
used to be called the host-conf list) are stored at
ftp://ftp.bucknell.edu/pub/dhcp/.
15. In a subnetted environment, how does the DHCP server discover
what subnet a request has come from?

DHCP client messages are sent to off-net servers by DHCP
relay agents, which are often a part of an IP router. The
DHCP relay agent records the subnet from which the message
was received in the DHCP message header for use by the DHCP
server.

Note: a DHCP relay agent is the same thing as a BOOTP relay
agent, and the latter phrase is more commonly used.
16. Where is DHCP defined?

In Internet RFCs.

RFC1541
R. Droms, "Dynamic Host Configuration Protocol",
10/27/1993.

RFC1534
R. Droms, "Interoperation Between DHCP and BOOTP",
10/08/1993.

RFC1533
S. Alexander, R. Droms, "DHCP Options and BOOTP
Vendor Extensions", 10/08/1993.

A web site for RFCs is:
http://ds.internic.net/ds/dspg1intdoc.html
17. What other sources of information are available?

See the dhcp-v4 mailing list mentioned above as well as its
archives.

DHCP - Dynamic Host Configuration Protocol
http://www.bucknell.edu/~droms/dhcp/

Problems and Solutions of DHCP: Experiences with DHCP
implementation and Operation
A. Tominaga, O. Nakamura, F. Teraoka, J. Murai.
http://info.isoc.org/HMP/PAPER/127/html/paper.html

DHCP Resources
Alan Dobkin.
http://NWS.CC.Emory.Edu/WebStaff/Alan/Net-Man/Computing/DHCP/

Internet Drafts
Internet drafts are works in progress intended to
update the current RFCs or specify additional
functionality, and sometimes there are one or more
drafts related to DHCP. All Internet Drafts are
available from various sites: the US East Coast site
is ftp://ds.internic.net/internet-drafts/; a web
site is http://ds.internic.net/ds/dsintdrafts.html.
The DHCP-related drafts currently have filenames of
the form "draft-ietf-dhc-SOMETHING". These
DHCP-related drafts are also stored at
ftp://ftp.bucknell.edu/pub/dhcp/, and are
available through
http://www.bucknell.edu/~droms/dhcp/. I cannot be
more specific about the documents because they are
by their nature temporary.

18. Can DHCP support remote access?

PPP has its own non-DHCP way in which communications servers
can hand clients an IP address called IPCP (IP Control
Protocol) but doesn't have the same flexibility as DHCP or
BOOTP in handing out other parameters. Such a communications
server may support the use of DHCP to acquire the IP
addresses it gives out. This is sometimes called doing DHCP
by proxy for the client. I know that Windows NT's remote
access support does this.

A feature of DHCP under development (DHCPinform) is a method
by which a DHCP server can supply parameters to a client that
already has an IP number. With this, a PPP client could get
its IP number using IPCP, then get the rest of its parameters
using this feature of DHCP.

SLIP has no standard way in which a server can hand a client
an IP address, but many communications servers support
non-standard ways of doing this that can be utilized by
scripts, etc. Thus, like communications servers supporting
PPP, such communications servers could also support the use
of DHCP to acquire the IP addresses to give out.

I am not currently aware of any way in which DHCP can support
client-computers served solely by PPP or SLIP. Such a
computer doesn't have the IEEE-style MAC address that DHCP
requires to act as its key to determining which
client-computer is which within the same subnet.
Communications servers that acquire IP numbers for their
clients via DHCP run into the same roadblock in that they
have just one MAC address, but need to acquire more than one
IP address. One way such a communications server can get
around this problem is through the use of a set of unique
pseudo-MAC addresses for the purposes of its communications
with the DHCP server. Another way (used by Shiva) is to use a
different "client ID type" for your hardware address. Client
ID type 1 means you're using MAC addresses. However, client
ID type 0 means an ASCII string.
19. Can a client have a home address and still float?

There is nothing in the protocol to keep a client that
already has a leased or permanent IP number from getting
a(nother) lease on a temporary basis on another subnet (i.e.,
for that laptop which is almost always in one office, but
occasionally is plugged in in a conference room or class
room). Thus it is left to the server implementation to
support such a feature. I've heard that Microsoft's NT-based
server can do it.
20. How can I relay DHCP if my router does not support it?

A server on a net(subnet) can relay DHCP or BOOTP for that
net and Windows NT is an example of a server with that
capability.
21. How do I migrate my site from BOOTP to DHCP?

I don't have an answer for this, but will offer a little
discussion. The answer depends a lot on what BOOTP server you
are using and how you are maintaining it. If you depend
heavily on BOOTP server software to support your existing
clients, then the demand to support clients that support DHCP
but not BOOTP presents you with problems. In general, you are
faced with the choice:
1. Find a server that is administered like your BOOTP
server only that also serves DHCP. For example, one
popular BOOTP server, the CMU server, has been patched
so that it will answer DHCP queries.
2. Run both a DHCP and a BOOTP server. It would be good if
I could find out the gotcha's of such a setup.
3. Adapt your site's administration to one of the available
DHCP/BOOTP servers.
4. Handle the non-BOOTP clients specially, e.g. turn off
DHCP and configure them statically: not a good solution,
but certainly one that can be done to handle the first
few non-BOOTP clients at your site.
22. Can you limit which MAC addresses are allowed to roam?

Sites may choose to require central pre-configuration for all
computers that will be able to acquire a dynamic address. A
DHCP server could be designed to implement such a
requirement, presumably as an option to the server
administrator. See the section below on servers that implement
this.
23. What are the Gotcha's?
o A malicious user could make trouble by putting up an
unofficial DHCP server.
# The immediate problem would be a server passing out
numbers already belonging to some computer, yielding
the potential for two or more "innocent bystander"
nodes ending up with the same IP number. The net result
is problems using the nodes, possibly intermittent
if one or the other is sometimes turned off.
# A lot of problems are possible if a renegade server
manages to get a client to accept its lease
offering, and feeds the client its own version of
other booting parameters. One scenario is a client
that loads its OS over the network via tftp being
directed to a different file (possibly on a
different server), thus allowing the perpetrator to
take over the client. Given that boot parameters
are often made to control many different things
about the computers' operation and communication,
many other scenarios are just as serious.
Note that BOOTP has the same vulnerabilities.
o The "broadcast flag": DHCP includes a way in which
client implementations unable to receive a packet with a
specific IP address can ask the server or relay agent to
use the broadcast IP address in the replies (a "flag"
set by the client in the requests). The definition of
DHCP states that implementations "should" honor this
flag, but it doesn't say they "must". Some Microsoft
TCP/IP implementations used this flag, which meant in
practical terms, relay agents and servers had to
implement it. A number of BOOTP-relay-agent
implementations (e.g. in routers) handled DHCP just fine
except for the need for this feature, thus they
announced new versions stated to handle DHCP.
o Some of the virtual LAN schemes, i.e., those that use
the packet's IP number to decide which "virtual LAN" a
client-computer is on for the purposes of TCP/IP, don't
work when using DHCP to dynamically assign addresses.
DHCP servers and relay agents use their knowledge of
what LAN the client-station is on to select the subnet
number for the client-station's new IP address whereas
such switches use the subnet number sent by the
client-station to decide which (virtual) LAN to put the
station on.
o Routers are sometimes configured so that one LAN on one
port has multiple network (or subnet) numbers. When the
router is relaying requests from such a LAN to the DHCP
server, it must pass along an IP number that is
associated with one of the network (or subnet) numbers.
The only way the DHCP server can allocate addresses on
one of the LAN's other network (or subnet) numbers is if
the DHCP server is specifically written to have a
feature to handle such cases, and it has a configuration
describing the situation.
o The knowledge that a particular IP number is associated
with a particular node is often used for various
functions. Examples are: for security purposes, for
network management, and even for identifying resources.
Furthermore, if the DNS's names are going to identify IP
numbers, the IP numbers have to be stable.
Dynamic configuration of the IP numbers undercuts such
methods. For this reason, some sites try to keep the
continued use of dynamically allocatable IP numbers to a
minimum.
o With two or more servers serving a LAN, clients that are
moved around (e.g. mobile clients) can end up with
redundant leases. Consider a home site with two DHCP
servers, a remote site with DHCP services, and a mobile
client. The client first connects to the home site and
receives an address from one of the two servers. He/she
then travels to the remote site (without releasing the
lease at the home site) and attempts to use the acquired
address. It is of course NAK'ed and the client receives
an address appropriate for the remote site. The client
then returns home and tries to use the address from the
remote site. It is NAK'ed but now the client broadcasts
a DHCPDISCOVER to get an address. The server that holds
the previous lease will offer the address back to the
client but there is no guarantee that the client will
accept that address; consequently, it is possible for
the client to acquire an address on the other server and
therefore have two leases within the site. The problem
can be solved by using only one server per subnet/site
and can be mitigated by short lease lengths. But in a
very mobile environment, it is possible for these
transient servers to consume more than their fair share
of addresses.
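The relay-agent subnet lookup of question 15, the chaddr/Client Identifier distinction of question 18 and the broadcast flag and "unofficial server" gotchas above, as an added Python example that is not part of the FAQ: it decodes the DHCP wire format (RFC 1541 fixed header plus RFC 1533 option area), selects an address pool from giaddr, and reports OFFER/ACK/NAK messages whose Server Identifier (option 54) is not on an allowlist. Every packet, address, pool and function name here is constructed for the example.

```python
"""Added example (not from the FAQ): a minimal DHCP wire-format decoder
used to show (a) how a server learns a relayed client's subnet from giaddr,
(b) how clients are keyed by chaddr or by option 61 (type 1 = MAC,
type 0 = string), (c) the broadcast flag, and (d) a check for offers
from servers nobody configured. All packets and addresses are constructed."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_ID = 53, 54, 61
BROADCAST_FLAG = 0x8000
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
HEADER_FMT = "!BBBBIHH4s4s4s4s"   # op, htype, hlen, hops, xid, secs, flags, 4 addrs


def parse_dhcp(packet):
    """Decode the 236-byte fixed header, chaddr and the TLV options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags,
     ciaddr, yiaddr, _siaddr, giaddr) = struct.unpack(HEADER_FMT, packet[:28])
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = End option
        if packet[i] == 0:                         # 0 = Pad option
            i += 1
            continue
        length = packet[i + 1]
        options[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags,
            "ciaddr": ipaddress.IPv4Address(ciaddr),
            "yiaddr": ipaddress.IPv4Address(yiaddr),
            "giaddr": ipaddress.IPv4Address(giaddr),
            "chaddr": packet[28:28 + hlen].hex(":"), "options": options}


def message_type(msg):
    return MSG_NAMES.get(msg["options"].get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")


def wants_broadcast(msg):
    """Client set bit 15 of 'flags': replies must go to 255.255.255.255."""
    return bool(msg["flags"] & BROADCAST_FLAG)


def subnet_for_request(msg, receiving_interface, pools):
    """Relayed request: the relay agent put its own address in giaddr, which
    tells the server the client's subnet. Otherwise use the receiving interface."""
    key = msg["giaddr"] if int(msg["giaddr"]) else ipaddress.IPv4Address(receiving_interface)
    return next((net for net in pools if key in net), None)


def client_key(msg):
    """What the server keys leases on: option 61 if present, else chaddr."""
    cid = msg["options"].get(OPT_CLIENT_ID)
    if cid is None:
        return ("mac", msg["chaddr"])
    if cid[0] == 0:                                # type 0: opaque/ASCII string
        return ("string", cid[1:].decode("ascii", "replace"))
    return ("hw", cid[1:].hex(":"))                # type 1: Ethernet MAC


def unauthorized_server(msg, authorized):
    """For OFFER/ACK/NAK seen on the wire, report a Server Identifier that is
    not on the allowlist (the renegade-server gotcha); None if all is well."""
    if message_type(msg) not in ("OFFER", "ACK", "NAK"):
        return None
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None:
        return "missing server identifier"
    sid = str(ipaddress.IPv4Address(sid))
    return None if sid in authorized else sid


def build(op, msg_type, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", flags=0, extra=()):
    """Assemble a constructed packet in wire format (for the samples below)."""
    head = struct.pack(HEADER_FMT, op, 1, 6, 0, 0x3903F326, 0, flags, b"\0" * 4,
                       ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
                       ipaddress.IPv4Address(giaddr).packed)
    head += chaddr.ljust(16, b"\0") + b"\0" * 192          # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for tag, value in extra:
        opts += bytes([tag, len(value)]) + value
    return head + MAGIC_COOKIE + opts + b"\xff"


POOLS = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]
AUTHORIZED = {"10.1.0.2"}                      # the one official server (constructed)
SERVER_IF = "10.1.0.2"                         # interface the server listens on
MAC = bytes.fromhex("00a0c9112233")
# DISCOVER relayed by the router on 10.2.0.1; client wants broadcast replies
RELAYED_DISCOVER = build(1, 1, MAC, giaddr="10.2.0.1", flags=BROADCAST_FLAG)
# DISCOVER sent by a comms server on behalf of a PPP user: client id type 0
PROXY_DISCOVER = build(1, 1, MAC, extra=[(OPT_CLIENT_ID, b"\0ppp-port-7")])
GOOD_OFFER = build(2, 2, MAC, yiaddr="10.2.0.50",
                   extra=[(OPT_SERVER_ID, ipaddress.IPv4Address("10.1.0.2").packed)])
ROGUE_OFFER = build(2, 2, MAC, yiaddr="10.2.0.7",
                    extra=[(OPT_SERVER_ID, ipaddress.IPv4Address("10.2.0.99").packed)])

if __name__ == "__main__":
    d = parse_dhcp(RELAYED_DISCOVER)
    print(message_type(d), client_key(d), "via relay", d["giaddr"], "-> pool",
          subnet_for_request(d, SERVER_IF, POOLS), "broadcast" if wants_broadcast(d) else "")
    print("proxy client key:", client_key(parse_dhcp(PROXY_DISCOVER)))
    for pkt in (GOOD_OFFER, ROGUE_OFFER):
        print("offer check:", unauthorized_server(parse_dhcp(pkt), AUTHORIZED))
```

Run against a capture instead of the constructed packets, `unauthorized_server` is the check a monitoring host would apply to every OFFER/ACK it sees on the LAN.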
2. Info on Implementations
1. What features or restrictions can a DHCP server have?

While the DHCP server protocol is designed to support dynamic
management of IP addresses, there is nothing to stop someone
from implementing a server that uses the DHCP protocol, but
does not provide that kind of support. In particular, the
maintainer of a BOOTP server-implementation might find it
helpful to enhance their BOOTP server to allow DHCP clients
that cannot speak "BOOTP" to retrieve statically defined
addresses via DHCP. The following terminology has become
common to describe three kinds of IP address
allocation/management. These are independent "features": a
particular server can offer or not offer any of them:
o Manual allocation: the server's administrator creates a
configuration for the server that includes the MAC
address and IP address of each DHCP client that will be
able to get an address: functionally equivalent to BOOTP
though the protocol is incompatible.
o Automatic allocation: the server's administrator creates
a configuration for the server that includes only IP
addresses, which it gives out to clients. An IP address,
once associated with a MAC address, is permanently
associated with it until the server's administrator
intervenes.
o Dynamic allocation: like automatic allocation except
that the server will track leases and give IP addresses
whose lease has expired to other DHCP clients.
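The three allocation policies just listed, as an added Python example that is not from the FAQ or any real DHCP server: one small allocator whose `policy` switch makes the differences in binding and reclaiming addresses visible. The `Allocator` class, its method names, the addresses, MAC strings and clock values are all constructed for this example.

```python
"""Added example, not from the FAQ or any real server: manual, automatic
and dynamic allocation side by side. All addresses, MACs and times are
constructed; 'now' is an arbitrary clock value in seconds."""
import ipaddress


class AllocationError(Exception):
    pass


class Allocator:
    def __init__(self, policy, pool=(), manual=None, lease_seconds=3600):
        assert policy in ("manual", "automatic", "dynamic")
        self.policy = policy
        # manual: MAC -> fixed address configured by the administrator
        self.manual = {mac: ipaddress.IPv4Address(ip) for mac, ip in (manual or {}).items()}
        self.free = [ipaddress.IPv4Address(ip) for ip in pool]   # unassigned addresses
        self.lease_seconds = lease_seconds
        self.bindings = {}      # MAC -> (address, expiry time or None for "forever")

    def allocate(self, mac, now):
        """Return (address, expiry) for a client identified by its MAC."""
        if self.policy == "manual":
            # Only pre-configured clients are served: BOOTP-like behaviour.
            if mac not in self.manual:
                raise AllocationError("no manual binding for %s" % mac)
            return self.manual[mac], None
        if mac in self.bindings:
            addr = self.bindings[mac][0]             # same client, same address
        else:
            if self.policy == "dynamic":
                self._reclaim_expired(now)           # expired leases go back to the pool
            if not self.free:
                raise AllocationError("pool exhausted")
            addr = self.free.pop(0)
        # automatic: bound forever once given out; dynamic: bound for one lease
        expiry = None if self.policy == "automatic" else now + self.lease_seconds
        self.bindings[mac] = (addr, expiry)
        return addr, expiry

    def _reclaim_expired(self, now):
        for mac, (addr, expiry) in list(self.bindings.items()):
            if expiry is not None and expiry <= now:
                del self.bindings[mac]
                self.free.append(addr)

    def release(self, mac):
        """DHCPRELEASE: only a dynamic server gives the address back early."""
        if self.policy == "dynamic" and mac in self.bindings:
            self.free.append(self.bindings.pop(mac)[0])


def demo():
    """Two clients fill a two-address pool; a third arrives after both leases
    would have expired. Returns which policy could serve it and how."""
    results = {}
    for policy in ("automatic", "dynamic"):
        a = Allocator(policy, pool=["192.0.2.10", "192.0.2.11"], lease_seconds=600)
        a.allocate("aa:aa:aa:aa:aa:01", now=0)
        a.allocate("aa:aa:aa:aa:aa:02", now=0)
        try:
            results[policy] = str(a.allocate("aa:aa:aa:aa:aa:03", now=1000)[0])
        except AllocationError as err:
            results[policy] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```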


Other features which a DHCP server may or may not have:
o Support for BOOTP clients.
o Support for the broadcast bit.
o Administrator-settable lease times.
o Administrator-settable lease times on manually allocated
addresses.
o Ability to limit what MAC addresses will be served with
dynamic addresses.
o Allows administrator to configure additional DHCP
option-types.
o Interaction with a DNS server. Note that there are a
number of interactions that one might support and that a
standard set & method is in the works.
o Interaction with some other type of name server, e.g.
NIS.
o Allows manual allocation of two or more alternative IP
numbers to a single MAC address, whose use depends upon
the gateway address through which the request is
relayed.
o Ability to associate two or more dynamic address pools
on separate IP networks (or subnets) with a single
gateway address. This is the basic support for
"secondary nets", e.g. a router that is acting as a
BOOTP relay for an interface which has addresses for
more than one IP network or subnet.
o Support for User Class Information option.
o Support for Vendor Class Information option.
o Administrator-settable T1/T2 lengths.
o Interaction with another DHCP server. Note that there
are a number of interactions that one might support and
that a standard set & method is in the works.
o Use of PING (ICMP Echo Request) to check an address
prior to dynamically allocating it.
o Server grace period on lease times.


Following are some features related not to the functions that
the server is capable of carrying out, but to the way that it
is administered.
o Ability to import files listing manually allocated
addresses (as opposed to a system which requires you to
type the entire configuration into its own input
utility). Even better is the ability to make the server
do this via a command that can be used in a script,
rdist, rsh, etc.
o Graphical administration.
o Central administration of multiple servers.
2. What freeware DHCP servers are available?

(This is not necessarily a complete list)


950415 Bootp server:
Bootp 2.4.3 (not DHCP, but with the "DHCP patches" mentioned
below, can handle DHCP requests)
ftp://ftp.mc.com/pub/bootp-2.4.3.tar.Z
950425 Bootp server version 2.4.3 with "samba" DHCP patches
(does manual allocation of IP addresses)
http://www.sghms.ac.uk/~mpreston/bootp_dhcp.tar.Z
(within http://www.sghms.ac.uk/~mpreston/tools.htm)
950706 "samba" DHCP patches for bootp server:
(does manual allocation of IP addresses)
ftp://nimbus.anu.edu.au:/pub/tridge/samba/contributed/DHCP.patch
(note: I've heard that the patched server will crash if it receives
one particular optional packet, the DHCP Release packet)
950711 Patched bootp server supporting DHCP-based "automatic" allocation:
(gives addresses dynamically, but never takes them away)
ftp://ftp.ntplx.net/pub/networking/bootp/bootp-DD2.4.3.tar.gz
951219 BOOTP server and patches for DHCP
ftp://africa.geomic.uni-oldenburg.de/pub/people/joey/dhcp/bootpd/
960112 OS/2 port of BOOTP server with patches for manual DHCP support
ftp://ftp.leo.org/pub/comp/os/os2/tcpip/systools/bootpd-243-dhcp.zip
960130 Rose-Hulman Institute of Technology "Mondo-DB" LAN administration
project: modified DHCP server planned
http://www.rose-hulman.edu/~allard/Mondo-DB/index.html
950630 WIDE Project:
Akihiro Tominaga (tomy@sfc.wide.ad.jp)
WIDE Project
Keio Univ.
Japan
ftp://sh.wide.ad.jp/WIDE/free-ware/dhcp/dhcp-1.2.1.tar.gz
Check Archie for dhcp-1.2.1 because lots of sites distribute it.
Beta version:
ftp://sh.wide.ad.jp/WIDE/free-ware/dhcp/dhcp-1.3beta.tar.gz
960308 Internet Software Consortium DHCP/BOOTP Server (ISC dhcpd beta 0)
ftp://www.isc.org/pub/dhcp/DHCPD-BETA-0.tar.gz
http://www.isc.org/isc
960308 Carnegie Mellon University DHCP/BOOTP server (SunOS, dhcp-3.3.6)
ftp://ftp.net.cmu.edu/pub/dhcp/dhcp-3.3.6.tar.gz

3. What commercial DHCP servers are available?

(This is not necessarily a complete list)


950425 Silicon Graphics
950613 NetWare/IP 2.1 will NOT support DHCP but support for enhanced
bootp will be provided. I'm guessing this means DHCP-format
packets, but no address leasing.
950714 FTP Software (Services OnNet Product)
http://www.ftp.com/mkt_info/services.html
950714 Microsoft Windows NT
http://www.microsoft.com/NTServer/
http://www.microsoft.com/BackOffice/techbriefs/tech1000.htm
950714 Hewlett Packard HP-UX
950906 IBM: included in Warp Server which is in beta
951010 Wollongong: included in next release of PathWay for OpenVMS which is in
beta
951010 TGV: DHCP/BOOTP server will be included in Multinet for VMS v3.5.
http://www.tgv.com/
951121 TGV: MultiNet 3.5 for OpenVMS includes DHCP server.
mailto:sales@tgv.com
http://www.tgv.com/
951207 IBM: DHCP server included in AIX 4.1.4 server packages.
Also includes custom DNS server that is "DHCP knowledgeable".
http://www.ibmlink.ibm.com/(search for DHCP in SalesManual)
951219 Puzzle Systems: WEBserv (NLM(s) that do DHCP, BOOTP, HTTP, and FTP)
mailto:info@puzzle.com
http://www.puzzle.com/
951220 ON Technology: IPTrack is a Novell Server-based DHCP/BOOTP server (NLM)
http://www.on.com/on/onprods/iptrack.html/
951220 Process Software: server for OpenVMS included in TCPware for OpenVMS
http://www.process.com/
960108 Sun Solstice LAN Management Package (SolarNet)
http://www.sun.com/cgi-bin/show?sunsoft/Products/Networking-products/products/pcadmin.html
http://www.sun.com/cgi-bin/show?products-n-solutions/sw/solstice/network/prod_spec_solstice_solarnet.html
960110 Quadritek Systems, Inc. (DHCP server included in next release)
http://www.qtek.com/qsi-qip.html
960130 Network TeleSystems: Shadow (PC-based)
http://www.ntsi.com/nts_shadow.html
960130 Digital: RoamAbout Mobile IP Client/Server Network Software V2.0
http://www.digital.com/info/Customer-Update/940620001.txt.html
960208 Competitive Automation's : SunOS4.x, Solaris2.x,
DECOSF3.x,4.x, HP-UX 9 & 10 DHCP/BOOTP servers.
http://www.join.com/
960209 Microsoft Windows NT Server
http://www.microsoft.com/NTServer/
http://www.microsoft.com/BackOffice/techbriefs/tech1000.htm
ftp://ftp.microsoft.com/bussys/winnt/winnt-docs/papers/tcpipimp.doc
960312 Nevod Inc. Proxy IP/DHCP Server (PIP) Beta-1.0
http://www.nevod.com/pip/index.html
960327 Xedia: IP/Assist 1.0 feature for their switches includes DHCP service.
http://www.xedia.com
960328 Novell: Netware IP 2.2 includes a DHCP server.
ftp://ftp.novell.com/updates/unixconn/nwip22/nips22.exe

4. Which vendors of client software currently support DHCP?

(This is not necessarily a complete list)


950417 Shiva: proxy client for remote users (in Lanrovers and Netmodems)
950421 Microsoft: Windows for Workgroups
950425 Sun
950425 Silicon Graphics
950425 Hewlett-Packard
950502 NetManage: Chameleon 4.5
950630 Beame & Whiteside Software: resells Dirk Koeppen EDV-Beratungs-GmbH's
TCP/IP BOOT-PROM
950705 Microsoft: MS-TCP/IP 3.11a & MS-TCP/IP 3.11b
950711 Microsoft: Windows NT 3.5
950711 Microsoft: Windows for Workgroups 3.11a
950711 Frontier Technologies: in SuperTCP for Windows
http://www.frontiertech.com
info@frontiertech.com
950712 Beame & Whiteside: BW-Connect NFS for DOS & Windows
950725 IBM: a future release of AIX
950728 Sun: PCNFS for Windows
950802 Wollongong: PathWay Access ver 3.2 (Windows)
http://www.twg.com/
950802 WRQ: Reflection Network Series products (version 5) for Windows
http://www.wrq.com/
950814 Competitive Automation: SunOS4.x, Solaris2.x and
DECOSF3.x,4.x clients
950906 IBM: included in Warp Server which is in beta
950915 Stampede: included in Remote Office Gold
951113 Persoft: TCP Addition and Portable TCP
http://www.persoft.com
951207 Dirk Koeppen EDV-Beratungs-GmbH: TCP/IP DHCP Boot ROMs (TCP/IP
BOOT-PROM) www.dunkel.de/dksoft
951207 IBM: AIX 4.1.4 client and server packages include a DHCP client.
http://www.ibmlink.ibm.com/(search for DHCP in SalesManual)
951220 Attachmate: IRMA TCP Suite Version 3.1
960130 Digital: RoamAbout Mobile IP Client/Server Network Software V2.0
http://www.digital.com/info/Customer-Update/940620001.txt.html
960209 FTP Software: OnNet 2.0 (Windows)
http://www.ftp.com/
960209 FTP Software: PC/TCP 4.0 (DOS)
http://www.ftp.com/
960305 TGV: will be included in MultiNet for Windows V1.2
http://www.tgv.com/
960312 Core Systems: Internet-Connect for Windows 95 Version 2.1 has DHCP
proxy client.
http://ns1.win.net/~core/Coresys/homepage.html
960312 Novell: I heard a report that they offer a client.
960313 Apple: Open Transport 1.1 included with System 7.5.3 & runs on
68030, 68040, and PowerPC Macintoshes.
960314 Apple: Open Transport 1.1 shrink wrap version will be offered.

5. What are the DHCP plans of major client-software vendors?

Apple MacOS
MacTCP's successor, Open Transport, supports DHCP.
Open Transport 1.1 ships with System 7.5 Update 2.0
(which updates MacOS to version 7.5.3, released
March 11, 1996) and supports any 68030, 68040, or
PowerPC Macintosh. A shrink wrap version of Open
Transport is planned.

Microsoft Windows95
supports it and does not support BOOTP. I heard a
rumor that BOOTP support will be added.

Novell LAN Workplace for DOS
has plans for client support later in 1995.

IBM OS/2
will support it; I have no news on when or what
version.

6. What Routers forward DHCP requests?

(This is not necessarily a complete list).

Note that in general, these routers probably already had
BOOTP forwarding, but lacked the support for the BOOTP
broadcast flag (see "broadcast flag" under What are the
Gotcha's? above). It is likely that many other routers also
support BOOTP forwarding.

Cisco
(from Cisco FAQ) Routers running GSYS version
9.21(4) and 10.0(3) as well as later releases.

Wellfleet/Bay
(from Wellfleet FAQ) DHCP is supported by enabling
BOOTP support (with transmission and/or reception
as needed).

3Com Netbuilder
Version 7.2 software can support DHCP relaying
through the use of its generic UDP Helper service.
Version 8.0 and later officially supports DHCP.

Xyplex
Version 5.5 of their routing software supports
DHCP.

ALANTEC
The switches' "router" function has been handling
BOOTP forwarding since around 1993. Support for the
broadcast flag was introduced in a maintenance
release of 2.5 of their software and is in version
2.6 and later.

IBM 2210
I've confirmed that Version 1 Release 2 has a BOOTP
relay agent. I haven't found out anything about
support for the broadcast flag.

7. What Routers include DHCP servers?

DHCP requires disk storage (or some other form of reliable
non-volatile storage), making the task of DHCP service
compatible with servers but incompatible with dedicated
routers. There are a number of server types that can be
configured to both route and serve DHCP (especially
all-in-one "Internet Gateways" designed to be web servers,
firewalls, etc.), but no dedicated routers.

8. What Servers forward DHCP requests?
o DHCP Relay Agent supplied with Windows NT Resource Kit
(version 3.51).
o For Novell servers, there are NLMs that forward BOOTP
requests, thus DHCP requests. The "forward BOOTP NLM" is
included in Netware 4.1. You can get this support in
Netware 3.11 and 3.12 also, but you must apply the
TCP31A.EXE patch which is located on Netwire. Here are
two such NLMs that are available online:
# ftp://netlab2.usu.edu/misc/bootpfd.zip (unsupported
Novell software, 1993)
# ftp://netlab2.usu.edu/misc/bootp311.zip (unsupported
Novell software, 1991)
9. Which implementations support or require the broadcast flag?

The broadcast flag is an optional element of DHCP, but a
client which sets it works only with a server or relay that
supports it.
o Clients

Microsoft Windows NT
DHCP client support added with version 3.5
sets the broadcast flag. Version 3.51 and
later no longer set it. The exception is in
the remote access support: it sets the flag
when it uses DHCP to acquire addresses to
hand out to its PPP clients.

tcp/ip-32 for Microsoft Windows for Workgroups (WFW)
Version 3.11a sets it, but version 3.11B
doesn't.

Microsoft Windows 95
Does not set the broadcast flag.

10. How can I run Windows 95 without a DHCP server?

Not really a DHCP question, but it has been asked a lot,
particularly by sites for which changing from BOOTP
represents a lot of work. Some choices:
o Use no server at all for the Windows 95 clients: set the
addresses in each client's setup.
o Install a non-Microsoft TCP/IP stack for Windows 95 that
supports BOOTP.
o Switch from your current BOOTP server to one that
supports both BOOTP and DHCP.


A Document that addresses this question is the Windows 95tm
Networking FAQ,
http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
11. Do any servers limit the MAC addresses that may roam?
o IBM's AIX and OS/2 WARP DHCP servers.
12. What are the Gotcha's specific to various implementations?

In many cases, new releases have solved the problems that
have been identified with various DHCP implementations.
o There have been servers that are inflexible as to the
list of configuration parameters they were able to
serve. If your client requires certain parameters, you
could find such a server unusable.
o I hate to cast wide suspicions, but I've heard
occasional word on client DHCP implementations that do
not implement the entire protocol. Doing so requires
that the software module be able to wake up again after
a specified period of time and "renew the lease", i.e.,
ask to continue using the IP number. This is at least
one feature of DHCP that is very hard to implement in
some simpler systems.
o There are a number of issues regarding the patched bootp
servers. These have been reported regarding DD2.4.3:
# 'When run from inetd, I had problems with "Could
not bind port" and DHCP request failure. I don't
know why, and the problem went away when bootpd is
run as a daemon.'
# 'Unless you set "dl" to some value in the bootptab
file, the DHCP lease time, renewal time and
prebinding time will be rubbish, which will cause
occasional renewal problems.'
o Early Microsoft DHCP client implementations required the
broadcast bit. Current ones do not.
o Early Apple Open Transport implementations did not
always fill out packets to BOOTP's 300-byte minimum,
thus BOOTP forwarding agents that follow the BOOTP RFC
and discard such packets end up discarding such DHCP
packets, causing some of the functions to fail. Open
Transport 1.1 fixes this.
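Both of the interoperability points above, the broadcast flag of section 9 and the 300-byte BOOTP minimum that RFC-following relay agents enforce (the Open Transport gotcha), can be read straight off the fixed BOOTP header. The following Python is an added example and not part of this FAQ; the packets it builds are constructed samples, and `relay_disposition` is a hypothetical model of a relay that follows RFC 951 and RFC 1542, not any vendor's code.

```python
import struct

BOOTP_FIXED_HEADER_LEN = 236      # op .. file fields, before the vendor area
BOOTP_MIN_PACKET_LEN = 300        # RFC 951: 236-byte header + 64-byte vend field
BROADCAST_FLAG = 0x8000           # RFC 1542: most significant bit of 'flags'
DHCP_MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks a DHCP options area
HEADER_FMT = "!BBBBIHH4s4s4s4s"   # op, htype, hlen, hops, xid, secs, flags, 4 addrs


def parse_bootp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and report the relay-relevant properties."""
    if len(packet) < BOOTP_FIXED_HEADER_LEN:
        raise ValueError("packet shorter than the 236-byte BOOTP header")
    (op, _htype, hlen, _hops, xid, _secs, flags,
     _ciaddr, _yiaddr, _siaddr, giaddr) = struct.unpack(HEADER_FMT, packet[:28])
    chaddr = packet[28:28 + hlen]                  # client hardware address
    vend = packet[BOOTP_FIXED_HEADER_LEN:]         # BOOTP vendor / DHCP options area
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "unknown"),
        "xid": xid,
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
        "giaddr": ".".join(str(b) for b in giaddr),   # relay agent address, if any
        "chaddr": chaddr.hex(":"),
        "is_dhcp": vend[:4] == DHCP_MAGIC_COOKIE,
        "length": len(packet),
        "meets_bootp_minimum": len(packet) >= BOOTP_MIN_PACKET_LEN,
    }


def relay_disposition(info: dict) -> str:
    """Hypothetical model of a relay agent that follows RFC 951 and RFC 1542."""
    if not info["meets_bootp_minimum"]:
        # Strict relays discard short packets; this is the early Open Transport gotcha.
        return "DROP: shorter than the 300-byte BOOTP minimum"
    if info["broadcast_flag"]:
        return "FORWARD: client asked for a broadcast reply (relay must honour the flag)"
    return "FORWARD: reply may be unicast to the client's hardware address"


def build_request(xid: int, mac: bytes, broadcast: bool, dhcp: bool, pad_to: int = 0) -> bytes:
    """Constructed sample BOOTREQUEST; pad_to=0 leaves it at its natural length."""
    flags = BROADCAST_FLAG if broadcast else 0
    zero4 = b"\0" * 4
    header = struct.pack(HEADER_FMT, 1, 1, len(mac), 0, xid, 0, flags,
                         zero4, zero4, zero4, zero4)
    header += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    # Minimal DHCPDISCOVER options area: cookie, option 53 (message type) = 1, end.
    vend = DHCP_MAGIC_COOKIE + bytes([53, 1, 1, 255]) if dhcp else b""
    return (header + vend).ljust(pad_to, b"\0")


if __name__ == "__main__":
    mac = bytes.fromhex("0011223344ab")   # constructed client MAC
    samples = [
        ("unpadded DHCPDISCOVER, broadcast flag set", build_request(0x2a, mac, True, True)),
        ("same request padded to 300 bytes", build_request(0x2a, mac, True, True, 300)),
        ("request with flag clear, padded", build_request(0x2b, mac, False, True, 300)),
    ]
    for label, pkt in samples:
        info = parse_bootp(pkt)
        print(f"{label}: {info['length']} bytes -> {relay_disposition(info)}")
```

An unpadded DHCPDISCOVER with only the message-type option is 244 bytes, which is exactly the case a strict BOOTP relay discards.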

Fakecd simulates a CD-ROM

INTRODUCTION


fakecd is a program that simulates a CD-ROM drive with a directory of
a hard drive. Its intended purpose is to allow running of CD-based
software entirely from a hard drive. This gives you the following
advantages:

1. speed: Hard drives are much faster than CD-ROMs. If you need much
data from your mass storage device in a short time your
CD-ROM may be a bottleneck. This can result in "slide shows"
in certain games. However, your CPU horsepower or your
video interface may be the problem if a CD-based program
is slow. With fakecd you can eliminate one potential
bottleneck and watch how the program runs with a very fast "CD-ROM
drive".

2. memory: You don't need to load a CD-ROM driver or MSCDEX for fakecd
to work (although they can coexist). If your program needs
much conventional memory this may allow you to run the
program at all.

This is the first public release of the program. It is public domain.
It was tested with MS-DOS 6.0 and Novell-DOS 7.0 and some CD-based
games. It works in Windows 3.x since these Windows versions use DOS
services to access the CD-ROM. It was not tested with OS/2 or
Windows 95. The worst thing that could possibly happen is that you are
unable to access some drives after fakecd was installed. Uninstalling
fakecd should remove the problem. If not, a simple reboot will work.
Since fakecd does not write anything to any drive, it will NOT corrupt
any data on your hard disks.

An (almost identical) beta version of this program has been tested by
some people with their games, including "Mortal Kombat II", "Dark
Forces", "Virtual Pool" and "Legend of Kyrandia I and III". There
were no problems reported.
If you find any problems with fakecd (does not install, does not uninstall,
gives wrong error messages, ...) send an e-mail message to

ingo.warnke@rz.uni-rostock.de


HOW TO USE


First, you must copy the content of your CD-ROM to a directory on your
hard disk. You may use any file managing utility or the DOS xcopy command:
xcopy e:\ c:\prog-cd /s /h
where e: is your CD-ROM drive and c:\prog-cd the destination directory.
Then you must run fakecd. fakecd is a TSR (memory resident) program. It
will need some 9K of memory during installation and less than 2 KB during
operation (including environment) and can be loaded high (with command
"lh fakecd ...").


The syntax of the fakecd command line is
fakecd /H[elp] | /? | /U[ninstall] | DIRECTORY [/L:x]

/Help and /?
will give you a short description of each option.

/Uninstall
will remove a previously installed fakecd from memory. This may be
impossible if some other TSR program was installed after fakecd. You
can have only one copy of fakecd resident in memory at one time. If you
want to use fakecd with other parameters, you must first uninstall the
old copy of fakecd and then install the new one. If you have several
CD-based programs on your hard drive you can make batch files like

c:\utils\fakecd c:\prog1-cd /l:e
e:
prog1
c:
c:\utils\fakecd /u

This will load fakecd and simulate the directory c:\prog1-cd as CD-ROM
drive E:. After the execution of prog1 the resident copy of fakecd is
removed. You can later execute another copy of fakecd to simulate the
same directory in another drive or a completely different directory.

DIRECTORY
is the name of the directory that will be the root directory of the
simulated CD-ROM drive. It may be specified as a full path
(c:\games\kyr1-cd) or as relative path (..\kyr3-cd). The drive on
which the directory resides should be a local hard disk. It should
work with a compressed drive (tested with Stacker) but will probably
not work with a network drive. This is due to the mechanism used by
fakecd to make the directory look like a drive to DOS.

/L:x
gives the drive letter (x) for the simulated CD-ROM drive. x must be in
the range from A up to the drive specified with LASTDRIVE. It should be
an unused drive since if your simulated CD-ROM will be C: you will not
be able to access any files on your hard drive C: (which will probably
include your DOS commands, COMMAND.COM and maybe fakecd).
If there is no /L:x parameter, fakecd uses a default value for x.
If MSCDEX is installed, x will be your first CD-ROM drive letter. If
MSCDEX is not installed, x will be your first unused drive letter.

I recommend that you always use the same drive letter for your CD-ROM.
Some programs are run directly from the CD and have some configuration
files on a predetermined place on your hard disk (most often on drive c:).
These programs should not worry if they are started from different drive
letters each time you run them. Other programs copy a small number of
files to your hard disk at installation time and one of these files must
be executed to start the program. This way they can store config files and
(in case of games) savegames to a user selected place on the hard disk.
These programs must find the CD-ROM drive with their CD in it. Some programs
(Legend of Kyrandia series) use CD-ROM specific methods to find the CD-ROM
drive and they work with fakecd if started from different drive letters each
time they are run. Other programs (Monty Python's CWOT and Dark Forces)
store the drive letter from which they were installed. If you start them
with fakecd from a different drive letter they will not find their data and
refuse to run.


CD-AUDIO


Some games use audio tracks for music. This music is not in a computer
readable form. It was not copied to the hard disk with the other files
and it can not be done (at least not in a form useful for fakecd). So you
will not hear that music. fakecd will however make the program believe that
everything is fine. (Note: I could test this feature with only one program.
So I need desperately feedback about programs that use audio tracks and
how they work with fakecd!)



I hope you will find fakecd a useful program. If you have comments,
suggestions or bug reports, then send me an e-mail and I will (try to!)
correct any errors.

Ingo Warnke
e-mail to:
ingo.warnke@rz.uni-rostock.de

Introduction To Win95 Cracking


A few words before beginning

Giving credits, where credit is due ! So, i'd like to give a really BIG
thanks to ED!SON of United Cracking Force for his tutorial about
Windows 95 cracking, without it i won't be here telling you how to
crack a program under win 95.
Giving ALL the credits... all i learned about cracking is with the help
of great tutorials : 5 Minutes 4 a Crack /NeverOne, Amateur Crackist
Tutorial /Specular Vision, Cracking for Masses /FraVia, Old Red Cracker
Tutorials /+ORC (A Must), The Ancient Art Of Cracking & Cracking 101
/Buckaroo Banzai, The Cracking Manual /Cyborg, The Uncle Joe CrackBook
/Uncle Joe (heh, what did you expect ?). But also with 40 Hex
Magazines, The Crypt Newsletters, Virus Laboratories And Distribution.
Note : a lot of the explanation i'll give you in the Introduction parts
is ripped from some of the tutorials above, it's because i wanted to have
something complete you can start with. Tnx again to those who wrot'em.

For this tutorial you'll need :
ACDSee32 V2.0 Beta
Soft-Ice 3.00
HexWorkShop

Introduction to Cracking

You might be wondering what type of programming skills you need to
become a cracker. Knowing a higher level language such as Basic,
Pascal, or C++ will help you somewhat in that you will have an
understanding of what's involved in the process of writing a program
and how certain aspects of a program function. If you don't have any
programming skills, you have a long road ahead of you. But even if you
can program in a high level language, in order to crack you have to
know assembly... It really doesn't matter what language a program was
written in in order to crack it, because all programs do the same
thing. And that is issue commands to the microprocessor. And all
programs when broken down to their simplest form are nothing more than
a collection of 80XXX instructions and program specific data. This is
the level of assembly language. In assembly you have total control of
the system. This is also the level that the debugger operates at.

You don't have to become a master at assembly to crack a program, but
it helps. You do need to learn some rudimentary principles, and you
absolutely have to become familiar with the registers of the cpu and
how the 8088 instruction set uses them. There is no way around this.
How proficient you are at assembly will determine how good of a cracker
you become. You can get by on learning a few basic instructions, how to
use a debugger, and one or two simple techniques. This will allow you
to remove a few shareware nag screens, and maybe you'll luck out and
remove the copy protection from a game or two, but that's it.

You can then dynamically interact with the program and run it one line
of code at a time, and see exactly what the program is doing in real
time as each line of code is executed. You will also be able to
re-assemble instructions (in memory only), edit the contents of memory
locations, manipulate the cpu's registers, and see the effects your
modifications have on the program as it's running. This is also where
all your system crashes will occur... There is a lot of trial and error
involved in cracking.

As you get better, you'll have to write programs that will implement
your patches if you decide to distribute them. The patches themselves
don't have to be written in assembly.

The sources code I included in this manual are extremely simple.
They're written in assembly because that's the only language I know how
to program in, but if you are already proficient in a higher level
language, it should be trivial for you to duplicate it's methods in
your preferred language.

Quick Introduction To Soft-Ice 3.0

Okay, okay, i already heard you : Hey exact, you've ripped the ED!SON
introduction. Yes, i've taken it ;) Why should i do something if
someone already did ? So for all of you that didn't have the chance to
have that intro, i've a little remixed it, and here it is...

Cracking a Windows program is most often simpler than a program
running in Dos. In Windows, it's hard to hide anything from anyone who
really looks for information, as long as Windows' own functions are
used. The first (and often only) tool you need is Soft-Ice, a powerful
debugger from NuMega (http://www.numega.com). Some people find it hard
to use, but i will tell you how to do efficient debugging with it.

To use Sice, you must load it before windows, to do that, just add the
"Drive:\Path\WINICE.EXE" at the end of your "AUTOEXEC.BAT". Normally,
the Sice Setup should have already done it. I advise you to make a
multi-config in that way, you can load Sice only when you need it.

Example of multi-config :
;--- Config.sys
[menu]
menuitem SICE,Load Soft-Ice Debugger Behind Windows
menuitem NORM,Normal Mode
menudefault NORM,5
[SICE]
[NORM]
[common]
DEVICE=C:\WIN96\HIMEM.SYS
DOS=HIGH
DEVICE=C:\cd\drivers\MTMCDAI.SYS /D:MTMIDE01
FILES=40
;--- EOF Config.sys

;--- Autoexec.bat
@ECHO OFF
SET BLASTER=A220 I5 D1 H5 P330 T6
SET MIDI=SYNTH:1 MAP:E
SET PATH=C:\WIN96;C:\WIN96\COMMAND;C:\DOS;D:\NC
SET TEMP=C:\TEMP
SET SOUND=C:\VIBRA16
C:\VIBRA16\DIAGNOSE /S
C:\VIBRA16\MIXERSET /P /Q
PROMPT $p$g
goto %config%
:SICE
C:\Progra~1\SoftIc~1\WINICE.EXE
goto common
:NORM
goto common
:common
;--- EOF Autoexec.bat

In the config.sys the [menu] indicates that it's a multiconfig; it will
display the two menuitems and wait for the user to select. When
selected, the part of the config file referring to it is run and
followed by the [common] one. In the autoexec.bat there's a %config%
variable set to the user's selection, and it is used to select which part
of your bat you will execute.

So, update your system files if they need it, and reboot your machine.
If you don't understand why these config files look like this, refer to
the MS-DOS Help (Type HELP at the dos prompt).

Now that Sice is loaded into memory, press "CTRL-D" to pop it up.
Here is a little description of the windows you can see on Sice screen
:

+----------------------+-------------------------------------------+
| CPU Registers Window | "WR" En/Disable, "R", "Alt-R" Edit. |
+----------------------+-------------------------------------------+
| FPU Registers Window | "WF" En/Disable. |
+----------------------+-------------------------------------------+
| Locals Windows | "WL" En/Disable, "Alt-L" Focus. |
+----------------------+-------------------------------------------+
| Watch Window | "WW" En/Disable, "Alt-W" Focus. |
+----------------------+-------------------------------------------+
| Data Window | "WD" En/Disable, "E", "Alt-D" to Edit. |
+----------------------+-------------------------------------------+
| Code Window | "WC" En/Disable, "A" Edit, "Alt-C" Focus. |
+----------------------+-------------------------------------------+
| Command Window | Type Commands and read output here. |
+----------------------+-------------------------------------------+
| Help Line | Get summary help on what you are typing. |
+----------------------+-------------------------------------------+

The register window contains the general purpose and flags registers of
the cpu. You will notice that the general purpose registers contain
hexadecimal values. These values are just what happened to be in there
when you brought up the debugger. You will also notice that some of the
flags are highlighted while some are not. The highlighted flags are the
ones that are SET. While the ones that are not highlighted are CLEARED.
Generally, the register are also highlighted when they change value.
From this window you will be able to manipulate the contents of the
cpu's registers. You will change the values of the registers while
debugging a program in order to change the behavior of the running
program. Say you come across a JNZ instruction (jump if not zero), that
instruction makes the decision on whether or not to make the jump based
on the state of the (Z)ero flag. You can modify the condition of the
(Z)ero flag in order to alter the flow of the programs code. By the
same token, you can modify the general purpose registers in the same
manner. Say the AX register contains 0000, and the program bases its
actions on that value, modifying the AX register to contain a new value
will also have the effect of modifying the flow of the code. After you
become comfortable with using Sice you'll begin to appreciate just how
powerful this window is, and you'll also discover soon enough just how
totally it can screw your system if you fuck up.

The data window will display data as it exists in memory. From this
window you can usually display, search, edit, fill, and clear entire
ranges of memory. The two most common commands for this window are
display and edit. The search command is also useful in cracking. Sice
offers you 4 data windows, you can toggle from one to another using the
"data" command. You can also change the type of data this window is
displaying using the "format" command. You can scroll into the data
window using ALT and arrows or PgUp/PgDn keys.

The code window is the window in which you will interact with the
running program. This is the most complex window, and it is where the
bulk of debugging occurs. The layout of the window is pretty simple,
the group of 12 numbers with the colon in the middle of them to the far
left of the window is the address:offset of that line of code. Each
line of code in this window is an instruction that the program will
issue to the microprocessor, and the parameters for that instruction.
The registers that contain the address for the current instruction
waiting to be executed are the CS:EIP registers (code segment and
instruction pointer). This line is highlighted; if you haven't got it in the
code window use the "." command to retrieve it. You will also notice a
group of hex numbers to the right of the addresses, this group of
numbers is the hexadecimal equivalent of the mnemonic instructions. The
next group of words and numbers to the right of the hex numbers are the
mnemonic instructions themselves. You can scroll into the code window
using ALT and arrows or PgUp/PgDn keys.

For most examples, we'll only need to have the CPU Registers Window,
the Data and the code one. Disable others. I'm in 60 lines mode. So if
all windows are disabled to have the same screen as me do (comment are
preceded by a semi-colon) :

+--------------------+-------------------------------------+
| :lines 60 | ; Set 60 lines mode |
+--------------------+-------------------------------------+
| :color f a 4f 1f e | ; Set psychedelic colors (Optional) |
+--------------------+-------------------------------------+
| :wd 22 | ; Enable Data Window 22 lines long |
+--------------------+-------------------------------------+
| :wc 25 | ; Enable Code Window 25 lines long |
+--------------------+-------------------------------------+
| :wr | ; Enable Register Window |
+--------------------+-------------------------------------+
| :code on | ; Display instruction bytes |
+--------------------+-------------------------------------+

It can seem strange to you to have to type all these commands each time
you start Sice. In fact, all these commands can be put in the
winice.dat file (in your sice directory). Let's see what is in mine :

+-----------------------------------------------+--------------------------+
| ;--- Example of Winice.dat | |
+-----------------------------------------------+--------------------------+
| ; General Variables | |
+-----------------------------------------------+--------------------------+
| NMI=ON | |
+-----------------------------------------------+--------------------------+
| SIWVIDRANGE=ON | |
+-----------------------------------------------+--------------------------+
| LOWERCASE=OFF | ; Disable lowercase |
| | assembly |
+-----------------------------------------------+--------------------------+
| MOUSE=ON | ; Enable mouse |
+-----------------------------------------------+--------------------------+
| NOLEDS=OFF | ; Disable led switching |
+-----------------------------------------------+--------------------------+
| NOPAGE=OFF | |
+-----------------------------------------------+--------------------------+
| PENTIUM=ON | ; Pentium Op-Codes |
+-----------------------------------------------+--------------------------+
| THREADP=ON | ; Following Thread |
| | Process |
+-----------------------------------------------+--------------------------+
| VERBOSE=ON | |
+-----------------------------------------------+--------------------------+
| PHYSMB=16 | ; Exact Memory Size |
+-----------------------------------------------+--------------------------+
| SYM=256 | ; Memory allocated to |
| | symbols |
+-----------------------------------------------+--------------------------+
| HST=16 | ; Memory allocated to |
| | history |
+-----------------------------------------------+--------------------------+
| TRA=92 | ; Memory allocated to |
| | back trace buffer |
+-----------------------------------------------+--------------------------+
| ; Startup sequence | |
+-----------------------------------------------+--------------------------+
| INIT="lines 60;color f a 4f 1f e;wd 22;wc | |
| 22;wr;code on;x;" | |
+-----------------------------------------------+--------------------------+
| ; Function Keys | |
+-----------------------------------------------+--------------------------+
| F5="^G;" | ; Run (CTRL-D) |
+-----------------------------------------------+--------------------------+
| F8="^T;" | ; Step into functions |
| | (Trace) |
+-----------------------------------------------+--------------------------+
| F10="^P;" | ; Step Over functions |
| | (Procedure) |
+-----------------------------------------------+--------------------------+
| F11="^G @SS:ESP;" | ; Step out of function |
+-----------------------------------------------+--------------------------+
| ; Export Symbols | |
+-----------------------------------------------+--------------------------+
| EXP=c:\win96\system\kernel32.dll | |
+-----------------------------------------------+--------------------------+
| EXP=c:\win96\system\user32.dll | |
+-----------------------------------------------+--------------------------+
| EXP=c:\win96\system\gdi32.dll | |
+-----------------------------------------------+--------------------------+
| ;--- EOF Winice.dat | |
+-----------------------------------------------+--------------------------+

Okay, i think, it speaks by itself. Just a little note for defining
function keys, all commands preceded by ^ are invisible, and all those
followed by a ; are executed (the ; indicates an ENTER). Dont forget to
load the Export Symbols !

Cracking ACDSee 32 V2.0 Beta

Loading ACDSee32.exe into Soft-Ice and breaking at the right point.
Run the Symbol Loader, do "File/Open Module" (or click the first button
on the left of the toolbar) and browse until you can select the file
ACDSee32.exe. To start debugging, do "Module/Load..." or click the
"Load" button (next to the "Open" one). Sice probably popped up saying
"Break Due To Load Module" or something like that; leave it by pressing
CTRL-D or typing X followed by ENTER. Disable the "Break At WinMain"
option (the little lamp button) so that Sice doesn't pop up each time
you load a module.

OK, let's go. In ACDSee, click on "Tools/Register..." and fill in the
boxes with whatever you want. (I've filled them with Name:"Out Rage
Pirates" and Registration:"112233445566"). Generally, programs read the
content of the boxes with one of these functions:

+----------------+----------------------------------+
| 16-bit | 32-bit |
+----------------+----------------------------------+
| GetWindowText | GetWindowTextA, GetWindowTextW |
+----------------+----------------------------------+
| GetDlgItemText | GetDlgItemTextA, GetDlgItemTextW |
+----------------+----------------------------------+

The last letter of the 32-bit functions tells whether the function takes
one-byte (A, ANSI) or two-byte (W, wide/Unicode) character strings. The
W versions are RARE in Win95 programs. So now we enter Sice by pressing
CTRL-D and set breakpoints on the functions that read the edit boxes:

:bpx GetWindowText
:bpx GetWindowTexta
:bpx GetWindowTextw
:bpx GetDlgItemText
:bpx GetDlgItemTexta
:bpx GetDlgItemTextw

Okay, there's no need to set BPs 0 and 3 since we know it is a 32-bit
application, but I've put them here to be exhaustive. If you have
problems setting these breakpoints, make sure the export symbols are
loaded in Soft-Ice: edit winice.dat and check that the semicolons are
removed from the EXP= lines that follow "Example of export symbols that
can be included for chicago" near the end of the file. Generally you
only need to keep kernel32.dll, user32.dll and gdi32.dll. If you get the
error message "No LDT", make sure you don't have any other DOS
application running in the background.

It's not certain that Sice will pop up: not all programs call these
Windows functions.
Continue the program (CTRL-D) and click the OK button. It worked, we're
back in Sice! Press CTRL-D to continue, and we're back in Sice again!
Press CTRL-D once more: no more pop-up. Normal, there are only two text
boxes... Click OK to get back to the registration window. Now let's take
a look in Sice (CTRL-D). The two breaks are reported as:

Break due to BPX USER32!GetDlgItemTextA (ET=4.70 seconds)
Break due to BPX USER32!GetDlgItemTextA (ET=269.77 microseconds)

It's BP 04, so let's delete the other BPs:

:bl ; BPs list
00) BPX USER!GetWindowText
01) BPX USER32!GetWindowTexta
02) BPX USER32!CharNextExW
03) BPX USER!GetDlgItemText
04) BPX USER32!GetDlgItemTextA
05) BPX USER32!AppendMenuW
:bc 0 1 2 3 5 ; Clear BPs #0, 1, 2, 3 and 5.

(Don't be surprised by the names of BPs 2 and 5: they are the ones we
set on GetWindowTextW and GetDlgItemTextW. Win95 doesn't really
implement most W functions; they share a common stub, so Sice shows
whichever export name it resolves first for that address.)

We'll do it again. Press CTRL-D to leave Soft-Ice and click the OK
button. Magic, we're back in it... Let's focus a little: where are we,
and what now? We are at the start of the GetDlgItemTextA function, and
we want to find where it was called from. Since a CALL pushes the
address of the next instruction onto the stack, we can set a BP on that
address and run the program until we reach it. The G command continues
execution from the current CS:EIP and sets a temporary BP at the address
found at (@) SS:ESP. There is a function key that does this
automatically; with the winice.dat above it's F11.

:G @SS:ESP

Finding Where The Registration Code Is Checked

Ok, we are back in Sice at the instruction following the call to
GetDlgItemTextA. We're going to look at what happens before and after
it. Use CTRL-UP and CTRL-DOWN to move around in the code window. If the
code window is not on your screen, make it appear by typing WC (WC 20
makes the code window 20 lines long). You should see something like the
following (I've added blank lines and comments for clarity and for the
explanations that follow):

; Get The Name Into Buffer (ESP+18)
0040367B 8D442418 LEA EAX, [ESP + 18] ; Buffer(For Name) Address
0040367F 6A1E PUSH 0000001E ; Max String Size
00403681 8BB42408010000 MOV ESI, [ESP + 00000108]
00403688 50 PUSH EAX ; Buffer Address
00403689 6A6B PUSH 0000006B ; Control ID
0040368B 8B3D94DA4900 MOV EDI,[USER32!GetDlgItemTextA]
00403691 56 PUSH ESI ; Dialog Handle
00403692 FFD7 CALL EDI ; Call GetDlgItemTextA

; Get The Registration Code Into Buffer (ESP+38)
>00403694 8D442438 LEA EAX, [ESP + 38] ; Buffer(Registration) Addy
00403698 68C8000000 PUSH 000000C8 ; Max String Size
0040369D 50 PUSH EAX ; Buffer Address
0040369E 6882000000 PUSH 00000082 ; Control ID
004036A3 56 PUSH ESI ; Dialog Handle
004036A4 FFD7 CALL EDI ; Call GetDlgItemTextA

; Registration Checking
>004036A6 8D442438 LEA EAX, [ESP + 38] ; Registration Buffer
004036AA 8D4C2418 LEA ECX, [ESP + 18] ; Name Buffer
004036AE 50 PUSH EAX ; Save Datas
004036AF 51 PUSH ECX
!004036B0 E80BF9FFFF CALL 00402FC0 ; Registration Check
004036B5 83C408 ADD ESP, 00000008 ; Free Stack
004036B8 85C0 TEST EAX, EAX
004036BA 7E6E JLE 0040372A ; EAX<=0 Means Bad Reg...

; Do Something, sure... ;)
004036BC 8D442438 LEA EAX, [ESP + 38]
004036C0 8D4C2418 LEA ECX, [ESP + 18]
004036C4 50 PUSH EAX
004036C5 51 PUSH ECX
004036C6 E895FAFFFF CALL 00403160
004036CB 83C408 ADD ESP, 00000008
004036CE 833D44F0480000 CMP DWORD PTR [0048F044], 00000000
004036D5 740B JE 004036E2
004036D7 A144F04800 MOV EAX, [0048F044]
004036DC 8BC8 MOV ECX, EAX
004036DE 8B18 MOV EBX, [EAX]
004036E0 FF13 CALL DWORD PTR [EBX]
004036E2 833D40F0480000 CMP DWORD PTR [0048F040], 00000000
004036E9 740C JE 004036F7
004036EB A140F04800 MOV EAX, [0048F040]
004036F0 8BC8 MOV ECX, EAX
004036F2 8B18 MOV EBX, [EAX]
004036F4 FF5314 CALL [EBX+14]

; Close the registration window and pop up "Thanks for registering"
004036F7 6A01 PUSH 00000001
004036F9 56 PUSH ESI
004036FA FF15F4DA4900 CALL [USER32!EndDialog]
00403700 6A00 PUSH 00000000
00403702 6820324000 PUSH 00403220
00403707 56 PUSH ESI
00403708 FF15F8DA4900 CALL [USER32!GetParent]
0040370E 50 PUSH EAX
0040370F 68E4000000 PUSH 000000E4
00403714 A148F04800 MOV EAX, [0048F048]
00403719 50 PUSH EAX
0040371A FF1544DB4900 CALL [USER32!DialogBoxParamA]
00403720 B801000000 MOV EAX, 00000001
00403725 E92EFFFFFF JMP 00403658

; Pops up a window saying : "Your name and registration code do not match."
0040372A 6A00 PUSH 00000000
0040372C A104F34800 MOV EAX, [0048F304]
00403731 50 PUSH EAX
00403732 68ACF34800 PUSH 0048F3AC
00403737 56 PUSH ESI
00403738 FF15E4DA4900 CALL [USER32!MessageBoxA]
0040373E 6882000000 PUSH 00000082
00403743 56 PUSH ESI
00403744 FF15F0DA4900 CALL [USER32!GetDlgItem]
0040374A 50 PUSH EAX
0040374B FF1548DB4900 CALL [USER32!SetFocus]
00403751 B801000000 MOV EAX, 00000001
00403756 E9FDFEFFFF JMP 00403658

Let's analyse what we are seeing. We are at 0157:00403694 (your segment
selector may be different, it depends on what you load; replace my
values with yours). The previous instruction is the call to
GetDlgItemTextA. Again, you can scroll the code window with "CTRL-UP",
"CTRL-PGUP", "CTRL-DOWN" and "CTRL-PGDOWN". You can also give the focus
to the code window by pressing "Alt-C" and use UP, DOWN, PGUP and PGDOWN
to scroll it.

In C, the call to GetDlgItemTextA looks like this:

UINT GetDlgItemTextA(HWND hDlg, int nIDDlgItem, LPSTR lpString, int cchMax);

It is a stdcall function, so the arguments are pushed right to left: the
maximum length (1E), the buffer (EAX), the control ID (6B) and finally
the dialog handle (ESI). So the PUSH EAX is the buffer address, let's
have a look:

:d esp+18 ; You can also use "db esp+18" for byte display
We've got it, it's our name! We saw that a few instructions further on
there will be a second call to GetDlgItemTextA, the CALL EDI at
0157:004036A4. We don't want Sice to break there, so we disable the BP:

:bd 4 ; Disable BP 4
After that second call there's another one, followed by a test on the
EAX value... hmm, suspicious: is there a check inside that routine?
That's what we're going to find out quickly. We'll trace the code,
stepping over function calls: type P (Procedure trace) then ENTER
(normally it's the F10 key). Press it several times.

Once you've stepped over the second call (you are at 0157:004036A6) our
registration code appears in the data window (if it is big enough;
otherwise scroll it down using Alt-DOWN), so our predictions were right
;). You now reach the TEST EAX,EAX instruction (0157:004036B8) and the
JLE at 0157:004036BA that branches to another routine (0157:0040372A);
the program follows it and soon you get a message saying that your
registration code is wrong (the MessageBoxA call at 0157:00403738).

So now we are sure that the call before the test checks the data we've
entered, and that the branch chooses the direction to the "Registration
Not Match" message. What if we change the direction the program takes?

Let's go, enable BP 4.

:be 4 ; Enable BP 4

Leave Sice (CTRL-D), click OK to get back to the registration window,
and click OK again to pop into Sice. Press CTRL-D once more to reach the
second GetDlgItemTextA call and press F11 to step out of it. Now step to
the branch (F10 until you reach 0157:004036BA) and toggle the zero flag
so that it is not taken (EAX is 0 after the check, so ZF is set;
clearing it makes JLE fall through):

:r fl z ; Toggle the Zero flag
Then leave the proggy to itself (CTRL-D). We've done it! The beautiful
message appears: thanks for supporting our products, etc, etc...

Uh oh, hey, what's with this stupid program? If I click on the little
eye (the About button in the toolbar), it tells me it is not registered
!!!? Fucking damn thing, we're gonna get you!

Okay, let's think for two seconds... what's the matter? It looks as if
ACDSee checks the name and the registration code every time it displays
them. So, to avoid this problem, we have to give it the answer it
expects each time it calls the registration checker.
First of all, we must verify our assumption: we must know whether the
routine called from the About button is really the code inside this
CALL. Enter Soft-Ice via the BP we set on GetDlgItemTextA (go to the
registration window and press Enter) and press F11. Now we're going to
put another BP inside the call:

:bpx 0157:00402FC0 ; Change the address to match yours
Now let's try: leave Soft-Ice (it will pop up two more times because BP
4 is still enabled; we're not interested in those breaks), close the
registration window by clicking Cancel and finally click on the About
button... Yep! Back in Sice, we were right!!! So all we've got to do now
is return a satisfying answer to the calling code...

Patching ACDSee

In your code window you should now have something like the following
piece of code. All we've got to do is leave this routine with EAX
different from 0...

; Check Name Length
>00402FC0 56 PUSH ESI
00402FC1 8B742408 MOV ESI, [ESP + 08]
00402FC5 56 PUSH ESI
00402FC6 E835000000 CALL 00403000 ; check name length (1st)
00402FCB 83C404 ADD ESP, 00000004
!00402FCE 85C0 TEST EAX, EAX
!00402FD0 7504 JNE 00402FD6 ; branch is followed
!00402FD2 33C0 XOR EAX, EAX ; Set EAX to 0 (BAD!)
00402FD4 5E POP ESI
00402FD5 C3 RET ; Exit 1

; Check Registration Code
:00402FD6 8B44240C MOV EAX, [ESP + 0C]
:00402FDA 50 PUSH EAX
:00402FDB 56 PUSH ESI
:00402FDC 6848F34800 PUSH 0048F348 ; "-294378973"
:00402FE1 E86AE70100 CALL 00421750 ; The key is herein (2nd)
:00402FE6 83C40C ADD ESP, 0000000C
:00402FE9 83F801 CMP EAX, 00000001 ; CF=1 only if EAX was 0
:00402FEC 1BC0 SBB EAX, EAX ; EAX = -1 if check failed, else 0
:00402FEE 5E POP ESI
:00402FEF 40 INC EAX ; EAX = 0 (bad) or 1 (good)
:00402FF0 C3 RET ; Exit 2

So what we're going to do is overwrite the three instructions that work
on EAX (TEST, JNE, XOR: six bytes starting at 00402FCE) with our own
code. Don't forget to change the address to match yours. Erasing the
branch ensures that only our code is executed. There are a thousand
ways to modify this code; I chose the following:

:a 0157:00402FCE ; Assemble
0157:00402FCE mov eax,1
0157:00402FD3 nop
0157:00402FD4 ; Press Escape to stop assembling
:bc 0 ; Clear the BP on 0157:00402FC0

And now let's check our work! Press CTRL-D: well done, the "thanks for
registering" message appears... Okay, now click on the About button...
(suspense) !!!YES!!! It's registered.

Okay, let's finish the job, we've only got to make the patch...
What we need to know is where these instructions are in the
ACDSee32.exe file. I used HexWorkshop for Win95 and found them by
searching for 85C0750433C0 (the instruction opcodes; if Sice doesn't
show them, type "CODE ON"); the ones of interest are at offset 23CE. Now
we must write a little program to replace these bytes with our code.
Here it is:

;--- ORP-A32B.ASM
Title Patch For ACDSee 32 2.0 Beta
.Model Huge
.386
.Stack 100h

.Code
start:
        mov ax,cs                   ; data lives in the code segment
        mov ds,ax
        mov es,ax

        mov ax,3d02h                ; DOS/OpenFile, AL=2 -> read/write
        mov dx,offset fname         ; DS:DX = ASCIIZ filename
        int 21h
        jc errorlbl                 ; CF set = error, AX = error code

        mov bx,ax                   ; BX = handle; DOS leaves BX intact
                                    ; across the calls below
        mov ax,4200h                ; DOS/Seek, AL=0 -> from start of file
        xor cx,cx                   ; CX:DX = 32-bit file offset
        mov dx,23ceh                ;       = 000023CEh (85C0750433C0)
        int 21h
        jc errorlbl

        mov ah,40h                  ; DOS/WriteFile, BX = handle
        mov cx,6                    ; CX = number of bytes to write
        mov dx,offset patch         ; DS:DX = buffer
        int 21h
        jc errorlbl

        mov ah,3eh                  ; DOS/CloseFile, BX = handle
        int 21h
        jc errorlbl

        mov dx,offset text2         ; success message
        jmp getout

errorlbl:
        mov dx,offset text1         ; error message
getout:
        mov ah,9                    ; DOS/PrintString, DS:DX '$'-terminated
        int 21h

        mov ax,4c00h                ; DOS/Exit, return code 0
        int 21h

patch   db 0B8H,001H,000H,000H,000H,090H  ; MOV EAX,00000001 / NOP (6 bytes)
fname   db 'ACDSEE32.EXE',0
text1   db 0dh,0ah,'Error Handling File',0dh,0ah,'$'
text2   db 0dh,0ah,'Patch By Exact /oRP',0dh,0ah,'$'
end start
;--- EOF ORP-A32B.ASM

You can assemble it with TASM 3.1 and TLINK 5.1 (they can be found on my
home page) like this:

TASM /m9 /n /q orp-a32b
TLINK /3 /x orp-a32b

I don't think there is much to add to the source; anyway, if you have
any problems understanding what happens in there, find a book about
programming (you can also try to get HelpPC).
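The DOS patcher above writes to a file offset (23CE) that was found with a hex search. As an added example that is not part of the original tutorial, the Python below does the general version of that step: it parses the PE section table to translate the address Soft-Ice showed (00402FCE) into a raw file offset, checks that the bytes there are the TEST/JNE/XOR we expect and that the pattern occurs exactly once in the file, and refuses a replacement of a different length. The PE it operates on is constructed in memory with the layout the tutorial's numbers imply (ImageBase 00400000, .text at RVA 1000 backed by file offset 400, so 2FCE - 1000 + 400 = 23CE); it is not the real ACDSee32.exe, and its headers are only filled in as far as the parser needs.

```python
import struct

# Bytes at 00402FCE in the tutorial: TEST EAX,EAX / JNE +4 / XOR EAX,EAX
ORIGINAL = bytes.fromhex("85C0750433C0")
# The tutorial's replacement, same length:  MOV EAX,1 / NOP
PATCHED = bytes.fromhex("B80100000090")


def parse_pe(data):
    """Return (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    pos = opt + opt_size
    for _ in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, raw_ptr, raw_size))
        pos += 40  # sizeof(IMAGE_SECTION_HEADER)
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address seen in the debugger to a raw file offset."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError(f"{va:08X} is in the uninitialised tail of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:08X} is not backed by any section")


def patch(data, va, original, replacement):
    """Return (patched_copy, file_offset); refuse rather than write something unexpected."""
    if len(original) != len(replacement):
        raise ValueError("replacement must be exactly as long as the bytes it overwrites")
    hits = data.count(original)
    if hits != 1:
        raise ValueError(f"pattern {original.hex()} occurs {hits} times, expected exactly once")
    off = va_to_offset(data, va)
    found = data[off:off + len(original)]
    if found != original:
        raise ValueError(f"bytes at offset {off:X} are {found.hex()}, not {original.hex()}")
    out = bytearray(data)
    out[off:off + len(replacement)] = replacement
    return bytes(out), off


def build_sample_image():
    """Constructed stand-in for ACDSee32.exe (not the real file): one .text section,
    ImageBase 00400000, RVA 1000 backed by file offset 400, check-routine bytes at 23CE."""
    raw_ptr, sec_va, size = 0x400, 0x1000, 0x2000
    img = bytearray(raw_ptr + size)
    img[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0 (PE32), Characteristics
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x010E)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x00400000)  # ImageBase
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", size, sec_va, size, raw_ptr)
    # 00402FCE -> RVA 2FCE -> 2FCE - 1000 + 400 = 23CE, the offset the hex search found
    img[0x23CE:0x23CE + len(ORIGINAL)] = ORIGINAL
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    patched, off = patch(image, 0x00402FCE, ORIGINAL, PATCHED)
    print(f"patched {len(PATCHED)} bytes at file offset {off:X}")
```

Against a real binary you would read the file into `data`, keep a copy, and write `patch(...)[0]` back only after the three checks pass; the length check is what keeps the JNE target and everything after it at the same addresses, which is why the tutorial pads MOV EAX,1 with a NOP to exactly six bytes.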

Final Note

Ok, this is the end...
A really BIG thanks goes to ACP of UCF for sending me W32DASM!

Have Fun With This Stuff !
eXact /oRP
aka sice_boy