in a corporate environment
'98 ~ '99
Reverser's Anonymity Academy
REM WIN.BAT
REM You may fire Winice (type winice) or start Windows normally (type win.com)

[Paths]
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C
[Options]
BootMulti=1
BootGUI=1
Network=1
(1) Where should you keep the files the slave masters would not want you to use/have on your PC?
Put all the programs you should NOT have installed on your PC inside C:\WINDOWS or C:\WINDOWS\SYSTEM; never create subdirectories. The total mess and confusion (which is anyway a characteristic of the poor OS we are compelled to use) can in this case be turned to our advantage :-)
(2) How to defeat censorship software checking for files deemed "illegal" by the slave masters, and yet use the programs
Quite a lot of software allows the slave masters to know whether or not you have on your hard disk files deemed "illegal" by them. Change the names of the *.exe files! If necessary edit the *.dll files too (this is slightly more complicated, since you'll have to hex-edit a little the calling programs and procedures, and the new name must be no longer than the old one so that nothing inside the file shifts). Change the names of *.exe and *.dll files to non-significant names like hggq67.exe, 87771ll.dll etcetera. The censorship software used by your corporation will not be able to fetch them this way, as long as it searches by file name only: a scanner that hashes file contents or reads the version resource inside the executable still recognises a renamed program, so check what yours does before trusting a rename (this idea was pilfered from +ORC's 4.2 :-)
(3) DLL taming
Modify ("tame") the *.dlls and get some "secret snoopers" for free :-)
As you will probably already have seen/studied in the students' essays section, a very useful form of reversing is "object oriented reversing". Dynamic-link library modifying (dll-taming) is one of the most promising reversing activities, as many essays of our student section attest. Modern windoze applications rely quite a lot on *.dlls that are already inside your system, and keep a very interesting interchange of parameters (and data) with their functions. Nothing is simpler (and more obvious) than modifying these *.dlls in order to redirect those data wherever you fancy. This is *.dll taming. I won't go into too much detail on the technical side of dll taming. The tools and techniques you'll use are, of course, the same that have been thoroughly explained in the student section (and on my tools page). If you are (or will be) a reverse engineer it won't be all too difficult, believe me.
Most of the programs and applications that the slave masters use in order to snoop on you or to perform their "mysterious activities" (the ones that you would like to "study") rely on *.dlls that are located like sitting ducks inside your \windows and \windows\system directories (MSPWL32.DLL for enhanced password cache security, to cite but one :-)
Well, here is one of the very few sectors where YOUR competences should be by far superior to the capacities of your system administrators: it's our field: reversing!
"Take home" your target *.dlls and, working on your own machines, modify them until they work the way YOU want (and not the way the system administrators' applications expect them to :-)
You don't even need to worry much about length differences between the untamed and the tamed dll... I have never seen any application checking the length of the *.dlls (there are far too many variants and versions of the main dlls... windoze is a total mess, never forget it :-). Yet if you want to be NUMMERSICHER (dead safe), don't alter their length and just patch them "inside", using the many tricks, like "snake-patching", explained in the student section. A length-preserving patch also survives the crude file-size comparison an inventory tool may make, though the modification date still changes unless you restore it.
Once you are ready (and have thoroughly tested them), reinsert the transformed *.dlls on your machine at work.
Nobody but you will know (hopefully), yet you will now have some powerful tools as allies in your battle! You may have redirected the output (with the data you are interested in) to the screen, to a file (careful!) or to the printer; you may have made an activation switch resident (a TSR); or you may keep a copy of the tamed dll under another name inside your windows directory and just batch it on or off when you need it (so that most of the time the real, untamed dll will be the one working, and your tamed one will sleep inside the directory under a non-meaningful name until your simple DOS batch "awakes" it :-)
Imagine (just imagine, of course :-) that you modify the OpenPasswordCache function of the above mentioned MSPWL32.DLL so that you are notified (with the possibility of having a look at the parameters) every time that function is called... well: you are NOT using Winice or another debugger in order to get those data, so there is no "alien" application running on your system. Everything looks "normal" from the sysad standpoint: "stupid user sits in front of his stupid screen and our SuperhyperSnoopo version 4.2 checks what the hell he is really doing, for how long and how much!" Ah! Your screen gets all the activities of their SuperhyperSnoopo version 4.2 instead! (or whatever they use... most of the time it will be an overbloated, *.dll intensive app :-)
See: you are playing at a level that most system administrators cannot even understand (they would not dream of modifying a windows *.dll; they have enough problems with the "normal" bugged Micro$oft ones :-) and you can, if you tame wisely and choose your target dlls wisely, gather a LOT of information on your system in this way.
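The hex-editing that points (2) and (3) rely on (renaming a DLL referenced from a calling program, and patching a file "inside" without altering its length) boils down to one rule: the new bytes must fit in the old slot. Here is that rule as a script. This is an added example, not code from the original page or from +ORC; FAKE_EXE is a constructed stand-in for a program's import name table, and the name HGGQ67.DLL is just a sample meaningless name.

```python
"""Rename a DLL reference inside a program, or patch a DLL, without
changing the file's length.

Added example; not code from the original page. It does in a few lines
what the page describes doing with a hex editor: after MSPWL32.DLL has
been renamed to a meaningless name, the program that imports it must be
patched to ask for the new name, and the new name must fit in the old
one's slot so that nothing shifts. FAKE_EXE is a constructed stand-in
for a real import name table, not a real binary.
"""
from __future__ import annotations


def find_c_string(blob: bytes, name: bytes) -> list[int]:
    """Offsets where `name` occurs as a whole NUL-terminated string."""
    needle = name + b"\x00"
    hits: list[int] = []
    start = 0
    while True:
        idx = blob.find(needle, start)
        if idx == -1:
            return hits
        # Require a NUL (or the start of the blob) in front, so that
        # MSPWL32.DLL does not match the tail of ADVMSPWL32.DLL.
        if idx == 0 or blob[idx - 1] == 0:
            hits.append(idx)
        start = idx + 1


def can_patch(old: bytes, new: bytes) -> bool:
    """A replacement must fit in the old slot and must not contain NUL."""
    return len(new) <= len(old) and b"\x00" not in new


def patch_name(blob: bytes, old: bytes, new: bytes) -> tuple[bytes, list[int]]:
    """Overwrite every whole-string occurrence of `old` with `new`.

    Shorter names are NUL-padded to the old length; longer names are
    refused, because they would spill over whatever follows the string.
    Returns the patched bytes (same length as `blob`) and the offsets hit.
    """
    if not can_patch(old, new):
        raise ValueError(f"{new!r} does not fit in the slot of {old!r}")
    offsets = find_c_string(blob, old)
    out = bytearray(blob)
    padded = new.ljust(len(old), b"\x00")
    for off in offsets:
        out[off:off + len(old)] = padded
    assert len(out) == len(blob), "in-place patch must never change the length"
    return bytes(out), offsets


# Constructed stand-in for a program's import name table: two imported
# DLL names, plus a look-alike that must be left untouched.
FAKE_EXE = (
    b"MZ" + b"\x00" * 14
    + b"KERNEL32.DLL\x00"
    + b"MSPWL32.DLL\x00"
    + b"\x00" * 8
    + b"ADVMSPWL32.DLL\x00"
    + b"\x00" * 4
)


def demo() -> dict:
    """Rename the MSPWL32.DLL reference to a meaningless, shorter name."""
    patched, offsets = patch_name(FAKE_EXE, b"MSPWL32.DLL", b"HGGQ67.DLL")
    return {
        "offsets": offsets,
        "length_unchanged": len(patched) == len(FAKE_EXE),
        "old_name_gone": find_c_string(patched, b"MSPWL32.DLL") == [],
        "look_alike_intact": b"ADVMSPWL32.DLL\x00" in patched,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real executable you would read the file with open(path, "rb"), run patch_name over the whole image, check that exactly the offsets you expected were hit, and only then write the result back; the assertion on the length is the NUMMERSICHER check from the text, and the whole-string test keeps a short name from being rewritten inside a longer, unrelated one.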
(4) Batch alternative on how to defeat censorship software checking for files deemed "illegal" by the slave masters when you do not need to use the programs
Create two batch files (inside c:\windows as well) that change on the fly, when you run them, the extension of all the executables you should NOT have installed on your PC to *.myn and back to the real one. Each program needs its own obscured name: if two files are renamed to the same name, the second REN fails because the target already exists.

When you are offline (or when you feel like it):

REM re3444g1.BAT
REM fuck the censors, recreate
cd c:\windows\system
ren GHHA12.myn ultima_9.exe
ren GHGG12.myn chess730.exe
ren GHHB12.myn snooplan.exe
ren GHHC12.myn bombchef.exe
REM OK, recreated names

Before being online (or going home in the evening):

REM ob3444g1.BAT
REM deceive the censors, obscure
cd c:\windows\system
ren ultima_9.exe GHHA12.myn
ren chess730.exe GHGG12.myn
ren snooplan.exe GHHB12.myn
ren bombchef.exe GHHC12.myn
REM OK, obscured names
(5) How to install everything you want without a CD-ROM
Buy a Zip drive and use its 100 Megabyte cartridge in order to install whatever you like on your PC even without a CD-ROM, and in order to save/keep/move files as you fancy without leaving many traces behind you. The Zip drive connects through the parallel port and its data transfer rate is acceptable. You may even RUN programs from there, leaving far fewer traces inside your PC (not none: Windows still writes recent-document lists, registry MRU entries and swap-file pages to the local disk, so check those too if it matters).
(6) How to download files from the web without leaving traces in the http:// log files the slave masters grep
Never download from http:// sites: they would immediately get your traces through the log files. Get all the files that you want through ftp-mail.
(7)
1) Visit the site with the warez you are interested in with your browser, but DO NOT DOWNLOAD.
2) Write down the exact name of the *.zip file you want.
3) Get it through ftpmail, emailed to you (this leaves traces too, but it is seldom monitored because few know that you can freely download this way... you may eventually use the path option to get the files emailed to your home account or to an absent colleague whose password you happen to have found).
GOOD FTPMAILERS (just send each of them an email with the word "help" in the subject and in the body; keep in mind that some of them at times simply do not work... just try again later):
MAIL SERVER MIT firstname.lastname@example.org
DEARN DE BITFTP@DEARN
PRINCETON BITFTP@PUCC (files up to 17.825.792 bytes!)
BRYANT email@example.com
DNA AFFRC JP firstname.lastname@example.org
W3MAIL GMD.DE email@example.com (max 5 Megabytes)
WWWMAIL CIESIN firstname.lastname@example.org
NETMOR email@example.com (QUERIES INSIDE FTP SITES!)
GARBO FI firstname.lastname@example.org
GETWEB HEALTHNET email@example.com
MOGLI DE firstname.lastname@example.org (the best one for images)
(8) How to download images
I assume that there is no track in the logs if you just save images using the right mouse button... but you may choose to get the images ftpmailed to you as well. See point (6) and use email@example.com
(9) How to get administrator rights (privileges)
Use some resident keyboard trapper on the PC of a colleague that has NOTHING to do with you. Damage (slightly) some obvious booting function of that PC and wait until the sysad's slaves come and repair it. Fetch the administrator slave's password afterwards and use it THE SAME DAY (most of the time they have rotating passwords). A good idea is to give privileges, inside your intranet, to a WHOLE bunch of people at the same time: always try to be a fish among many.
(A) How to disable Webnanny censorship
Web nannies are censorship programs whose stupidity goes beyond belief... they block anything deemed "dangerous" by their puritan, idiotic programmers... whole GeoCities neighbourhoods (for instance Athens) have been banned en bloc because somebody somewhere used the image of a pepper with the name "hot.gif". Few corporations are so stupid as to use this shit, but you never know... should they use these programs, here is how to destroy them :-)
A.1. Cyber Patrol
You need a special cracking program, you'll find it on the web: name= cypatrol.zip
A.2. Net Nanny
A.2.1) Windows 95: CTRL+ALT+DEL (get the Close Program menu), choose OCRAWARE, End Task.
A.2.2) Windows 3.1/DOS: C:\ edit config.sys, type rem in front of DEVICE=C:\NN\NNDRV.SYS
A.3. Cybersitter
A.3.1) Disable totally: CD \WINDOWS, then copy win.cyb win.ini
A.3.2) Block action (still logging, see A.3.3 below): CTRL+ALT+DEL, end task Tcpwait; create c:\windows\temp_holder, move the file cywin0.opt there, restart the internet applications... Cybersitter does not block anymore.
A.3.3) Remove any record from the log file: find the file cywin.alt (usually inside c:\windows), remove the read-only attribute, notepad cywin.alt, remove any line that begins with the word blocked, save the file, make it read-only again.
(B) How to check what's going on in your system
Start using the instruments that you ALREADY HAVE inside the huge windows conundrum (if you don't have them, bring them from home):
C:\WINDOWS\NETSTAT.EXE (netstat > letsee, and then edit letsee)
C:\Program Files\Common Files\Microsoft Shared\MSinfo\MSINFO32.EXE (active modules)
C:\WINDOWS\WINIPCFG.EXE
Then fetch these two files: ps and kill, and use them to see/terminate the applications that are working on your system... you'll find an explanation inside LordClito's "old" essay on my student page.
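Reading the saved netstat listing by eye works once; the script below reads it for you and flags what does not belong. This is an added example, not part of the original page: NETSTAT_DUMP is constructed sample output in the column layout of netstat -an on Windows 95/NT (use -a so that listening ports are included, -n for numeric addresses), and the two allow-lists are assumptions standing in for your own proxy, file server and services.

```python
"""Read a saved netstat listing and flag what you did not expect.

Added example, not code from the original page. The page says to
redirect netstat into a file and look at it; this script does the
looking. NETSTAT_DUMP is constructed sample output in the column layout
of `netstat -an` on Windows 95/NT; the peer and port allow-lists are
assumptions for the demo.
"""
from __future__ import annotations

import re

# Assumed: hosts this workstation legitimately talks to (proxy, file server).
EXPECTED_PEERS = {"10.0.0.1", "10.0.0.5"}
# Assumed: TCP ports this workstation is supposed to listen on (NetBIOS session).
EXPECTED_LISTEN = {139}

# Constructed sample; private 10.0.0.0/8 addresses only.
NETSTAT_DUMP = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.77:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.77:1039         10.0.0.1:8080          ESTABLISHED
  TCP    10.0.0.77:1040         10.0.0.5:139           ESTABLISHED
  TCP    10.0.0.77:7001         0.0.0.0:0              LISTENING
  TCP    10.0.0.77:1041         10.0.0.200:7002        ESTABLISHED
  UDP    10.0.0.77:137          *:*
"""

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<fhost>\S+):(?P<fport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_netstat(text: str) -> list[dict]:
    """Turn the listing into dicts; banner and header lines are skipped."""
    rows: list[dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("lport", "fport"):
            row[key] = None if row[key] == "*" else int(row[key])
        rows.append(row)
    return rows


def triage(rows: list[dict],
           expected_peers: set[str] = EXPECTED_PEERS,
           expected_listen: set[int] = EXPECTED_LISTEN) -> list[str]:
    """Report TCP listeners and established peers that are not on the lists.

    A listener you did not open is the classic footprint of a remote
    control or monitoring agent; an established connection to a host that
    is neither the proxy nor the file server is something reporting home.
    """
    findings: list[str] = []
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["lport"] not in expected_listen:
            findings.append(f"unexpected listener on TCP port {r['lport']}")
        elif r["state"] == "ESTABLISHED" and r["fhost"] not in expected_peers:
            findings.append(
                f"unexpected connection from local port {r['lport']} "
                f"to {r['fhost']}:{r['fport']}"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(NETSTAT_DUMP)):
        print(finding)
```

Run it against the letsee file you saved at work (open it and pass the text to parse_netstat); anything it prints is a process worth finding with ps and, if you like, stopping with kill. Build the allow-lists from a listing taken on a quiet day, not from what the sysads tell you.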
(C) First and foremost: Winice is a good weapon!
Install Winice 3.2 (there is a whole project of the student section that explains how to fetch and use this most powerful debugger; you'll find SoftICE everywhere on the web: search, or buy it, it's a very good tool and deserves it). Find the correct drivers for your PC (you may download them from NuMega's site if you do not have them). No checking software in an intranet can resist the CTRL+D shot :-)
(D) Remove all limits that the sysads have imposed on you
Use the policy editor (you'll not find it inside your machine at work; you'll find it at HOME, on your own Windows 95 CD-ROM under \Admin\Apptools\Poledit, or you'll easily fetch it from the web).
Push F8 during boot, choose to start without registry information (therefore start without limits), start poledit, open the registry configuration, delete all limits.
IF YOU DO NOT SEE any startup menu, have a look at CONFIG.SYS: you'll find there the line SWITCHES=/N, whose /N switch disables the F5 and F8 startup keys; eliminate it and restart anew.
...And if you don't see it EVEN THEN, take a look at c:\msdos.sys again (thanks Ivan :-) and maybe you'll see, among
[Options]
BootMulti=1
BootGUI=1
Network=1
etcetera, the following:
BootKeys=0
This one causes the same shit, so you have to change it to BootKeys=1, or remove it... but this would NOT be so clever, would it?
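The two lock-downs above are a few bytes in two text files, so they are easy to check for and to undo without guessing. The script below is an added example, not from the original page: it parses constructed MSDOS.SYS and CONFIG.SYS contents, reports whether BootKeys=0 or SWITCHES=/N is in effect, and returns the corrected text (setting BootKeys=1 rather than deleting the line, as the text advises). It never writes to disk itself.

```python
r"""Spot and undo the two start-up lock-downs named in point (D).

Added example, not from the original page. On Windows 95, `BootKeys=0`
in the [Options] section of C:\MSDOS.SYS and `SWITCHES=/N` in
C:\CONFIG.SYS both stop F8 (and F5) from working at start-up. The file
contents below are constructed samples; the fix_* functions return the
corrected text and never touch the disk, so you can diff before you act.
"""
from __future__ import annotations

import re

MSDOS_SYS = r"""[Paths]
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C

[Options]
BootMulti=1
BootGUI=1
Network=1
BootKeys=0
;
;The following lines are required for compatibility with other programs.
;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
"""

CONFIG_SYS = r"""DEVICE=C:\WINDOWS\HIMEM.SYS
DOS=HIGH
SWITCHES=/N /F
"""

SWITCHES_RE = re.compile(r"^\s*SWITCHES\s*=(.*)$", re.IGNORECASE)
SWITCH_TOKEN_RE = re.compile(r"/[^/\s]+")   # splits "/N /F" and "/N/F" alike


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI reader: MSDOS.SYS has ';' lines that configparser rejects."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def boot_keys_disabled(msdos_sys: str) -> bool:
    """True when BootKeys=0 is in effect (absent or 1 means F8 works)."""
    return parse_ini(msdos_sys).get("options", {}).get("bootkeys") == "0"


def switches_block_f8(config_sys: str) -> bool:
    """True when a SWITCHES= line carries /N."""
    for line in config_sys.splitlines():
        m = SWITCHES_RE.match(line)
        if m and any(t.lower() == "/n" for t in SWITCH_TOKEN_RE.findall(m.group(1))):
            return True
    return False


def fix_msdos_sys(msdos_sys: str) -> str:
    """Rewrite BootKeys=0 as BootKeys=1 inside [Options]; leave the rest alone."""
    out = []
    in_options = False
    for line in msdos_sys.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_options = s.lower() == "[options]"
        elif in_options and s.lower().startswith("bootkeys="):
            line = "BootKeys=1"
        out.append(line)
    return "\n".join(out) + "\n"


def fix_config_sys(config_sys: str) -> str:
    """Drop /N from SWITCHES=, keeping other switches; drop the line if none remain."""
    out = []
    for line in config_sys.splitlines():
        m = SWITCHES_RE.match(line)
        if m:
            rest = [t for t in SWITCH_TOKEN_RE.findall(m.group(1)) if t.lower() != "/n"]
            if not rest:
                continue
            line = "SWITCHES=" + " ".join(rest)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("BootKeys=0 present:", boot_keys_disabled(MSDOS_SYS))
    print("SWITCHES=/N present:", switches_block_f8(CONFIG_SYS))
```

Before writing the corrected text back, remember that MSDOS.SYS carries the read-only, hidden and system attributes: attrib -r -h -s c:\msdos.sys first, and put them back afterwards so the file looks as it did.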
(D) Another trick: the SAFE MODE boot
As everyone should know, you can boot the windows bazaar in SAFE MODE (press F8 at startup until the Windows startup menu appears).
If you choose safe mode, you'll notice pretty interesting new possibilities, which were disabled in the "normal" boot configuration. Among other things you'll be able to choose the "update information tool" and have a look at what your sysads have done in the last months (and which *.dlls you should "intercept", see point three :-)
As long as you are in safe mode you are, moreover, relatively 'safe', so experiment around a little and take note of everything in sight!
(E) Blowfishes are forever
Well, let's not forget all the advantages of a quick and reliable encryptor. I use Blowfish Advanced 97 beta 1 (see the reversing essay by Jon).
Blowfish Advanced 97 by Markus Hahn hahn(at)flix(point)de is an extremely powerful (and quick) encryptor that will blowfish all the files you want, at work and at home, in a couple of seconds. You may (probably) get a beta version from Markus' page at http://www-hze.rz.fht-esslingen.de/~tis5maha/software.html
Remember that the cipher is the strong part: the passphrase you type and the plaintext copies left in temporary files and the swap file are what an administrator will go for.
A legitimate question: should you be paranoid? Actually no, you should not. Most of the files and data that we have on our hard disks are perfectly legal (reversing software is not an illegal activity; you may want to read my "Is reverse engineering legal?" essay), and there is no real need to encrypt anything whatsoever. Yet there are (at least) two sound reasons to blowfish a lot nevertheless:
1) it's great fun to have everything you do encrypted at work, just to avoid ANY administrator's sniffing. Of course, once they find all your text files blowfished they will know that you have something to hide (once more a good DOS batch can transform all those funny secret.txt.bfa names into something more "neutral" like Cirrus.drv :-), yet the mere fact that they won't be able to know what you are hiding is fun enough :-)
2) it's good PRACTICE. Once you get used to routinely blowfishing your data, you'll also learn to KEEP those data in a few places (and not everywhere inside your PC), and you'll get used to encrypting sensitive data, which, in an era like the one we are living in, is a very sensible thing to do anyway.
No matter what the reason is, we are constantly trying to get to a computer connected to the Internet. One possibility is to get an Internet connection from public computers. There are a couple of good advantages:
1. You can do any kind of activity in a more obscure way (no great worry of trace-back from uninvited sources, a high degree of anonymity).
2. You'll enjoy a free Internet service (and the Web should be free, shouldn't it?)
It is still hard to get a shell account for free and without giving much information about yourself, but this access still helps you keep up with news and stuff with minimal fuss. Hey, it is a gateway... But it is not as unobstructed as it sounds. Most of these public places (libraries mainly) do use restriction methods to keep people from having total control of services. Some of them use a limitation software called KIOSK, for instance, which basically prevents the user from accessing certain features of a menu, for example the "General Preferences" under "Options" in Netscape, or the "Connect To" field of some Windoze telnet programs (you should know the POWER of telnetting if you are reading these pages). Now this really is a bore, because there are times when you don't even have access to the basic Programs and Settings menus of the Start button. Now, how would one run programs, install programs and read files on these restricted systems if they don't even let you boot (boot passwords)? Impossible! Not really.

#1 One of the more remarkable things on these public computers is that they often "forget" a nice 'old' program called TaskMan. This is a small program activated by pressing Ctrl+Esc at the password screen (yes, try to figure out what the purpose is :). This program gives you the Run Application option, and from there you could try your luck with Programs.GRP (which will pop up all the Windows groups that would otherwise have been hidden through censorware like IKIOSK). And then there's COMMAND.COM.

Mind you, you should always have a system disk with you, not to boot from it (network computers) but to run some important programs like COMMAND.COM on your own.

#2 You know, they could have killed TaskMan after finding out what you have been doing with it (or even 'beforehand' if the sysads are smart, which, fortunately, does not happen all too often). What do we do now?! No worry, there's still another way. These public computers using Windoze 95 as OS always have something on their menu (duh!): confusion and random behaviour, source of bugs and source of delights (for us crackers :). Chances are they'll have at least one single program, somewhere, which requires a standard file input from a disk. Notepad may be disabled, Write may have been crippled, but the censors probably won't have maimed that 'vital tool': Windows Explorer. Let's say good old 'cracker's TaskMan' is dead, so Windows Explorer is probably the only other file utility on the marketplace of your library computer. Well, one possible way to get to it is to start one of these standard file-input programs [Write, Notepad, Netscape (if 'they' did not disable the 'delicate' menu options), etc.] and when you get to the "Open File", "Save" or "Save As" dialogs, just go ahead to one of the yellow folders and click the RIGHT mouse button on it. What do you see?! Well, there's the silly M$ 'right-click' list: "Open", "Explore" (YES!!!), "Cut", "Paste", "Send To", "Delete" and more... The big point is that you now have access to Windows Explorer. From then on... well...

#3 But again, our nasty censors' and sysads' world is not as forgiving as we hoped it would be. Now, what if they have also removed "Explore" from the right-click-on-folder list? "Man, that's it. The public computers are too heavily censored... I give up." Eh? Not so fast, sunny boy... There's one more way. There is still one more option: the "Open" entry in the right-click-on-folder list!
You could click on anything and it would open it through the software you want it to. It could even be a software 'sort of'... try Program Manager... you'll be surprised.