Hello everybody. I hope you won't be too upset by my English, because it is not my mother tongue, so if you don't understand something, just ask and interrupt me, no problem. My name is Fravia, and I guess not many people here know who I am. For those who don't: I am a cracker, in the software reverse engineering sense. In the Jargon File there is a definition of crackers as something like evil hackers; it's a very old definition of cracker. If you now do an AltaVista search, or a search on some other good search engine, you will find 100,000 definitions of cracker that are more correct. Crackers reverse engineer code: they do not possess the source code, the real source code. So without knowing the source code of a target, of an application you want to reverse, you manage to rebuild, to reconstruct, that source code. Most crackers do that mainly in order to defeat software protections, which is very easy, as you will see today. In reality, this is but the first step in reverse engineering. It is great fun, because you get these CD-ROMs with hundreds of programs that have a 30-day limit or some other protection, and when you defeat them you can use that program for ever and ever, which is, I repeat, very easy; we'll see how to do it today. But what is more interesting is, for instance, to change a target, to change an application. Let's say you are using Netscape and you are not happy with it. So you want, for instance, the default standard buttons to go somewhere else, so you change them. You want another colour? Well, you do it. You want Netscape with your own preconfiguration? You do it. You just change the code of Netscape. Now that's very easy, because Netscape went public with the source code.
It was not so easy two or three years ago, but we did it nevertheless, and there are still some patched copies of Netscape 3 around which have been heavily modified and which are quite interesting tools, actually. But any program and any application can be modified as much as you want once you understand how it works. In order to understand how an application works, you need some tools, and I will explain which tools you need, and you need a lot of patience and some feeling as well.

Now, I don't know how much the people listening to me understand about assembly and assembly code, but assembly code (I hope some of you do know it) is the alpha and omega of reversing, because sometimes you just need to change one single byte. In a huge application that may have a million bytes: for instance, the 74 here is one byte in an application named TechFacts 95, sorry. The byte 74 is a hexadecimal byte; 74 means "jump if equal". If we change only this byte, this one, to EB, which means "jump anyway", the whole protection scheme of this application, which is quite a heavy and complicated one (the application is six million bytes long), is fooled and the protection is no more there. Just because you changed the 74 to EB. Now the point is, how do you find this single byte? It is not difficult. We used to say you should never underestimate the protectors enough, because they understand nothing of assembly; they program in Visual Basic or one of these overbloated languages, so they understand nothing at all. So they do huge protections with checks: has he the correct serial number, did he get the second serial number, and the third one as well? And then somewhere in the code you have one single check: is everything okay, yes or no? We change it. Now, protection scheme busting is not for kids, but it's very easy, as you will see. But you can go beyond it, because there are other things you can reverse which are quite interesting per se.
For instance, search engine algorithms. Just to give you an example: if you search for Fravia on AltaVista, you will automatically get at the first place the list of my mirrors. This is not easy, because AltaVista uses very complicated algorithms to avoid spam, to avoid people that want their page in the first position. As you probably know, most idiots and morons look only at the first 10, maybe 20 results of a search on AltaVista or elsewhere. So there are people that make a lot of money pushing sites up on AltaVista or on Excite or on other search engines. Each search engine has different algorithms that it uses to establish which site should be relevant in a search. Now, it is not very important for cracking purposes, but it may be very important if you are a lawyer, for instance, and you want your law office in the first place. I repeat, there are people making a lot of money with that out there, but once more, these people don't understand much about assembly, so once you learn the relevant techniques that I will explain to you, or at least I will try to, you can do it much more easily than they. So if you want your own site in the first position on AltaVista when somebody looks for I don't know what, you can have it. Just to give you an example, I will tell you what Excite (Excite is a search engine) does. Excite, I'm sorry if I read something, but I don't remember everything, so this is perhaps a little... Excite does not have all its stuff on one huge computer, but on several computers, like AltaVista and many search engines. On one search on Excite, one computer may be used. So the same search two seconds afterwards can give different results. The tricks that are used for spamming search engines would bring us a little outside our path, but they're very interesting, because, for instance, there are algorithms that check that the same word is not too near to the same word.
So if you have more than seven words between the two keywords, if you have more than that, your site will be listed in the search engines, for instance on AltaVista. If you have fewer than seven, then you're trying to spam and your site will not be listed. Other kinds of things: if you put keywords in the ALT tag of bullets, or of these kinds of small images that you use on your page, some search engines will accept that, other search engines will not. So these kinds of things are very nice, very interesting, and very easy to understand once you look at the relevant sites. You do your search, you look at which ten sites come first on a given search, and then you look at the HTML source code, and most of the time you understand why.

So there are other things that can be reversed, not only software, I repeat. For instance, to give you another interesting example: barcodes. On any object that you have, there is a barcode. Now barcodes are quite interesting because they have a very interesting mechanism, not so secret now, but two or three years ago it was quite secret. I don't know if somebody here knows it; if not, I will quickly explain it, because it's very nice and barcodes are everywhere, and I just want to underline that not only software reversing is fun, but anything around you that has a hidden meaning, like barcodes. So now have a look at a barcode; perhaps you have a bottle there or something like that. On a bottle you have 13 digits, but as you can see on the right part of the barcode (do you hear me?), on the right part of the barcode each digit has a corresponding line, so a zero here is a big line and a small line, zero here, on the right part. On the left part, the same zero has a completely different graphical meaning. So the point is that the first digit in barcodes gives you the sequence that is used for the graphic characters.
So for instance, four means A, I hope I remember it correctly, A, B, A, A, B, B, and then the other six are called C. So these are different graphic characters. And C is the NOT A graphic character, and B is the XOR A graphic character. Once more, that is assembly. If you XOR something, then you have the complete... zero, zero, zero, zero, one, one, one, one, and then you can XOR and NOT XOR; it may be a mathematical operation you can do with zeros and ones. And these are used heavily in barcodes. Why is that interesting? It is interesting because once you know how this works, you could come to the idea of printing your own barcodes on some adhesive paper, to put them, for instance, on a nice Pentium III computer in a huge mall, and then you go out and maybe... I mean, it could happen. There are many programs out there that will help you to make very effective barcodes. And remember that from the machine's point of view, whether you have barcodes in orange colours or with hand-written numbers doesn't make any difference. You make them nice just for the eventual human vision, but the machines are very, very careless, because they must read barcodes on wood, on hard paper, on plastic. So the whole thing is that you do them correctly for the shop where you want to experiment. So that's another thing. I mean, all this is just to... if you are interested in all these kinds of things, I will give you now the address, the Internet address, where you can further your studies. That's it. Either you make a search for my own site, but there are many, many good sites out there. I'm not going to make publicity for myself, but you will find them. And there is especially a very interesting essay about barcodes that you will easily find, where you can also download the relevant software to prepare them. So that was about crackers once more.
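The barcode encoding just described, as an added worked example that is not part of the talk: an EAN-13 encoder and decoder written here for illustration. It uses the standard's own definitions: set A is the left-hand odd-parity set, set C is set A with every module inverted (the NOT the talk mentions), set B is set C read right to left, and the first digit, which is never printed as bars, selects which of A and B each of the six left-hand digits uses (first digit 4 gives A B A A B B, as in the talk). The 13-digit numbers 4006381333931 and 5901234123457 are sample numbers that pass the checksum, chosen here for the demo; the decoder shows the reversing step, recovering the hidden first digit from the parity pattern alone.

```python
"""EAN-13 encoder/decoder: the A/B/C (L/G/R) pattern scheme described in the talk.
Added example, not code from the talk or from any barcode vendor."""

# Set A (L-code): one 7-module pattern per digit, '1' = dark bar, odd number of bars.
_A = ["0001101", "0011001", "0010011", "0111101", "0100011",
      "0110001", "0101111", "0111011", "0110111", "0001011"]
# Set C (R-code) is set A with every module inverted; set B (G-code) is set C reversed.
_C = ["".join("1" if m == "0" else "0" for m in p) for p in _A]
_B = [p[::-1] for p in _C]
_SETS = {"A": _A, "B": _B, "C": _C}
# The unprinted first digit selects the A/B pattern of the six left-hand digits.
_PARITY = ["AAAAAA", "AABABB", "AABBAB", "AABBBA", "ABAABB",
           "ABBAAA", "ABBBAA", "ABABAB", "ABABBA", "ABBABA"]
START = END = "101"
CENTER = "01010"


def check_digit(body: str) -> int:
    """Mod-10 check digit over the 12 leading digits, weights 1,3,1,3,... left to right."""
    if len(body) != 12 or not body.isdigit():
        raise ValueError("need 12 digits")
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(body))
    return (10 - total % 10) % 10


def encode(code: str) -> str:
    """Return the 95-module bar pattern ('1' = bar) for a 12- or 13-digit EAN number."""
    if not code.isdigit() or len(code) not in (12, 13):
        raise ValueError("need 12 or 13 digits")
    if len(code) == 12:
        code += str(check_digit(code))
    elif int(code[12]) != check_digit(code[:12]):
        raise ValueError("check digit mismatch")
    first, left, right = code[0], code[1:7], code[7:13]
    left_bits = "".join(_SETS[s][int(d)] for s, d in zip(_PARITY[int(first)], left))
    right_bits = "".join(_C[int(d)] for d in right)          # right half is always set C
    return START + left_bits + CENTER + right_bits + END


def decode(bits: str) -> str:
    """Recover all 13 digits from the bars, including the first digit hidden in the parity."""
    if (len(bits) != 95 or bits[:3] != START or bits[-3:] != END
            or bits[45:50] != CENTER):
        raise ValueError("not an EAN-13 pattern")
    parity, digits = "", ""
    for i in range(6):                                       # left half: set A or set B
        chunk = bits[3 + 7 * i: 10 + 7 * i]
        for name in ("A", "B"):                              # A is odd parity, B even: no overlap
            if chunk in _SETS[name]:
                parity += name
                digits += str(_SETS[name].index(chunk))
                break
        else:
            raise ValueError(f"unknown left-hand pattern {chunk}")
    for i in range(6):                                       # right half: set C only
        chunk = bits[50 + 7 * i: 57 + 7 * i]
        if chunk not in _C:
            raise ValueError(f"unknown right-hand pattern {chunk}")
        digits += str(_C.index(chunk))
    code = str(_PARITY.index(parity)) + digits               # parity pattern -> first digit
    if int(code[12]) != check_digit(code[:12]):
        raise ValueError("check digit mismatch")
    return code


if __name__ == "__main__":
    sample = "4006381333931"                                 # constructed sample number
    bars = encode(sample)
    print(bars)
    print(decode(bars))
```

The decoder is the interesting half for a reverser: it works from the bars alone, which is all the scanner ever sees, and the mod-10 check digit is the only integrity check the symbol carries, so nothing in a printed label tells the reader who printed it.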
I mean, there is at the moment, maybe somebody here knows (I don't know how many among you are crackers), but there is at the moment, I wouldn't say a fight, but quite a big difference between real crackers, people that are just defeating protection codes and releasing key generators and these kinds of things, and what we call ourselves, that is, reversers: people that explain how these things work. These borders are sometimes hard to hold. My site has been under attack since 1998, and they have tried everything to bring it down, from SYN attacks to downloading microcode to the Cisco routers. They don't succeed with it, but they are trying, because they hate guys like us. But that's once more just web lore that you may be excused for not being interested in.

Anyway, there are very good crackers that understand immediately, feel actually, where a protection scheme is in a target. Some people say that the protectors add the protection scheme at the end. So they prepare the program, and the program is smooth. And then they say, ha ha, someone is going to steal it, so we'd better add the protection. And this added protection is like something ugly on this code. So you see it, you feel it, especially if you use the profilers. And I'm coming to the tools now, the tools you will want to use if you start this activity. But perhaps you have a program and you don't know where the protection is. There are many kinds of protections. So first thing, you run the program and you understand what protection is there. The most common protection nowadays is the 30-day protection. But there are many others. There are Cinderella protections, that is, a protection that will make your target no more usable at a given day; let's say at January 2000 it won't work anymore. Then there are quiver protections, that is, when you can use it 30 times, it doesn't matter when, but after 40 times the use stops. Then there are other kinds of time protections. For instance, many flight simulators.
You can fly, and games have very interesting protections at times. Flight simulators where you can fly for, say, two seconds, or 20 seconds, and then it stops. That's another kind of protection. There is a counter, obviously; you just find the counter and then... you will see that. And then, now more and more widespread, there are crippled program protections. That is, you have a program where you cannot save, or where you cannot open something, these kinds of things. They are very easy to defeat, by the way.

So now, depending on the protection of your program, somewhere in the code you will have the point where the protection scheme snaps. Now, to get the code, first of all you need a disassembler. At this moment there are two main disassemblers. A very professional one, named IDA 3.8, the Interactive Disassembler, the best one, but it's a little complicated for beginners. Just know that it exists, and you will enjoy it a lot when you use it, because you can make scripts, you can make a lot of things I won't go into now. But for beginners I would suggest W32Dasm. Of course, these disassemblers are protected, but that's not a great problem. W32Dasm is another disassembler which is very beginner-friendly, and I would suggest you begin with that one. You will find it everywhere on the web, but not on my site. Everywhere on the web, and it is very easy to find anything on the web once you learn how to search. Once you learn how to search, you will quickly find any program, any image, and now almost any sound you want to find. How to search is hard per se, and there are many places on the web where you can learn it. Let's say that, once more, if you know how the search engines work, or even better, if you write your own search bots, which is quite easy, actually (you can find some skeletons of these bots on my site, and you can just copy them), if you do that, you will find anything everywhere.
You will find very, very interesting information, by the way, very, very reserved information, if you want to search for it, because banks, military establishments, all these kinds of people just put things somewhere, and they forget them there, and you can find everything. And anyway, you will easily find these disassemblers with that. These disassemblers will give you the disassembly of the code, and it will be very, very big: for instance, Paint Shop Pro, the last version, I think 5 or 4, a very recent one, is 40 megabytes of disassembly. So it's a big file, but that doesn't matter, because you search for the relevant parts very quickly. For instance, this number here, inside TechFacts, 48, 478, corresponds to the string "unregistered". That's how I got it: you just search, it's very stupid, you just search for "unregistered", you start with your huge disassembly, you find it here, and you see, aha, it's moving the string "unregistered" somewhere, right? And then you look above, and you see, man, here's a jump: if something happens, then it jumps away from this "unregistered", and it jumps to the "licensed" message. So, now, man, if I could always force this jump... yes, you can, you just change it to EB. How do you change it? You change it with a hex editor. I think many of you know that there are many good hex editors; most crackers use Hiew, I personally use Hex Workshop, there is a very old DOS hex editor which is very good, PSEdit. Yeah, there are many, you will find them, you will use them, and it will be very quick to find this point and to change it.

Now, yes? [Audience: How does that correspond, the string reference 0.0781 and the "unregistered"? How do you find the point in the end?] How do you find this jump? No, how do you find the point "unregistered"? Because inside the code there are all the strings, and string number 480718 is "unregistered", and the other string number, I don't remember the number, corresponds to "licensed".
Now, this is a very stupid protection, of course. Modern protections don't write "unregistered" anymore; they build it instead, but it's the same thing, it's very easy to find them as well. I will show you afterwards. This is a very simple one, and I will explain what happens here, just to give you a feeling for the problem. I know that's maybe a little boring for people that already know this, but the point of the thing is to understand how it works. The first thing that happens here is a "compare byte pointer": it's looking whether in this memory location there is a 0 or not. That's what's happening here. Now, if there is a 0, everything is okay: well, the guy is registered, it's good. If there is not a 0, then you get this bad guy flag, that is this 01 in the middle, then it does other things, then it goes and calls a routine that will show you "you are unregistered, you should register", you know what, and then it goes away with this jump. It goes away from everything; the program is finished for me. So that's what happens if you don't have a 0 there, but if you have a 0, then you jump to the good guy part. And in the good guy part, then you have another bit of code that shows you, wow, that's a good guy, and you get, I can't say it now, but you get a good guy flag as well, so in the registered piece you get a 0. So that's what's happening in this little snippet of code, where you have everything, because the moment you find the "unregistered" string, you look a little above, you look a little below, because you see it. I mean, it's like shooting ducks. And I have been telling these things to programmers again and again, and on my site there is a whole section on how to protect better, with very good, very good advice for programmers that want to protect their programs. The problem is that no matter what you do, somewhere in assembly it is very easy to find where your protection is. No matter what, there is no protection until now, at least that I know of, that has not been busted.
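The snippet just walked through, as an added example that is not from the talk: a small Python patcher that does what the talk describes with a hex editor, for the "cmp byte ptr [addr], 0 ; je good_guy" shape of check (the 74 to EB edit from the TechFacts 95 example, and the "is the dongle there, jump if equal" check discussed later). It scans a byte blob for the encoding of `cmp byte ptr [disp32], imm8` (opcode 80 with ModRM byte 3D, which are the first two bytes the talk reads out later, followed by the address in little-endian order, the "inverted order", and the immediate), confirms that a `je rel8` (74 xx) or `jne rel8` (75 xx) follows, and rewrites the conditional jump either to `jmp rel8` (EB xx, "jump anyway") or to two NOPs (90 90, never jump). The bytes of the `cmp` are modelled on the ones read out in the talk; the surrounding instructions and the addresses they touch are constructed for the demo and are not TechFacts 95 code. Patching a file on disk is the same operation on the file's bytes once the file offset of the instruction is known.

```python
"""Locate 'cmp byte ptr [disp32], imm8 ; je/jne rel8' in raw x86 bytes and neuter the jump.

Added demo, not tooling from the talk. The cmp bytes are modelled on the ones the talk
reads out (80 3D 1A F3 4C 00 00); every other instruction below is constructed."""
import struct

CMP_BYTE_PTR_DISP32 = b"\x80\x3d"   # 80 /7 ib with ModRM 3D = [disp32]: cmp byte ptr [addr], imm8
JE_REL8, JNE_REL8, JMP_REL8, NOP = 0x74, 0x75, 0xEB, 0x90


def find_checks(blob: bytes):
    """Return one tuple per 'cmp byte ptr [addr], imm8' immediately followed by JE/JNE rel8:
    (cmp_offset, checked_address, imm8, jcc_offset, jcc_opcode, rel8)."""
    hits = []
    i = blob.find(CMP_BYTE_PTR_DISP32)
    while i != -1 and i + 9 <= len(blob):                   # 7-byte cmp + 2-byte jcc
        addr = struct.unpack_from("<I", blob, i + 2)[0]      # 1A F3 4C 00 -> 0x004CF31A
        imm8 = blob[i + 6]
        jcc = blob[i + 7]
        if jcc in (JE_REL8, JNE_REL8):
            rel8 = struct.unpack_from("<b", blob, i + 8)[0]
            hits.append((i, addr, imm8, i + 7, jcc, rel8))
        i = blob.find(CMP_BYTE_PTR_DISP32, i + 1)
    return hits


def branch_target(jcc_offset: int, rel8: int) -> int:
    """rel8 counts from the end of the 2-byte jump, so the target is offset + 2 + rel8."""
    return jcc_offset + 2 + rel8


def patch(blob: bytes, jcc_offset: int, mode: str) -> bytes:
    """'always': 74/75 xx -> EB xx (take the branch unconditionally, the talk's 74 -> EB).
    'never' : 74/75 xx -> 90 90 (fall through unconditionally). The length never changes."""
    if blob[jcc_offset] not in (JE_REL8, JNE_REL8):
        raise ValueError(f"no JE/JNE rel8 at offset {jcc_offset:#x}")
    out = bytearray(blob)
    if mode == "always":
        out[jcc_offset] = JMP_REL8                           # displacement byte is kept as is
    elif mode == "never":
        out[jcc_offset:jcc_offset + 2] = bytes([NOP, NOP])
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(out)


# Constructed code laid out like the snippet in the talk: test a flag, branch to the
# good-guy path if it is zero, otherwise set a bad-guy flag and call the nag routine.
SAMPLE = bytes.fromhex(
    "5589e5"                  # 00: push ebp ; mov ebp, esp
    "803d1af34c0000"          # 03: cmp byte ptr [0x004cf31a], 0   <- bytes read out in the talk
    "741b"                    # 0a: je  good_guy (0x0c + 0x1b = 0x27)
    "c6052af34c0001"          # 0c: mov byte ptr [0x004cf32a], 1   ; bad-guy flag (constructed)
    "e800000000"              # 13: call show_unregistered (constructed rel32 of 0)
    "eb14"                    # 18: jmp done (0x1a + 0x14 = 0x2e)
    + "90" * 13 +             # 1a: padding
    "c6052af34c0000"          # 27: good_guy: mov byte ptr [0x004cf32a], 0
    "c3"                      # 2e: done: ret
)


def crack(blob: bytes = SAMPLE) -> bytes:
    """Force every 'cmp byte ptr [addr], 0 ; je' into an unconditional jump (74 -> EB)."""
    out = blob
    for cmp_off, addr, imm8, jcc_off, jcc, rel8 in find_checks(blob):
        if jcc == JE_REL8 and imm8 == 0:
            print(f"{cmp_off:#06x}: cmp byte ptr [{addr:#010x}], 0 ; je -> "
                  f"{branch_target(jcc_off, rel8):#x}  (patching to jmp)")
            out = patch(out, jcc_off, "always")
    return out


if __name__ == "__main__":
    patched = crack()
    print("before:", SAMPLE[:12].hex(" "))
    print("after: ", patched[:12].hex(" "))
```

Scanning a whole image for 80 3D will also hit data bytes and the middle of other instructions, so in practice the offset comes from the disassembly (the string reference the talk uses) and the scan only confirms the bytes before anything is written. A file patched this way also still has to get past whatever checksum the program computes over itself, a point the talk comes back to later.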
Very complicated protections as well, where you don't have any name at all, but you find them nevertheless. Because there is another way to find things. This is the dead listing way. So you have the listing of your program, so you sit somewhere in the shade with a pencil, you look at it and you say, ha ha, it's here. But there is another way, and that's the live way to crack or to reverse. You use another program, named a debugger, and the most powerful one is SoftICE. You use SoftICE. SoftICE is very useful for other things as well. You want to cheat in online games? With SoftICE you are the emperor of whatever game it is. With SoftICE you can see these things happen when a program runs. So you see this line going through, then you see it start changing, and then you can experiment. What happens if I change it? Let's say, look at it, then you see it. You see it at the moment, because Windows runs inside SoftICE. You run SoftICE first, and then Windows, Windows 98, Windows NT, doesn't matter which Windows, runs inside SoftICE. So at any moment you can block it completely by doing Ctrl-D. Where is it? Right there. Yeah. That is SoftICE running in Windows 98. As you can see, in this very moment I can see which code is executing in this moment in Windows. Windows has been frozen, dead, and I am on the code line that was being executed in this very moment. So I can see everything. How many tasks are running, which tasks, which windows, how big are the windows, how small are the windows. That's now an important thing when you run it, because let's say that your "unregistered" message does not come with the string "unregistered". The string is built manually. You have a look at the window of "unregistered", where it appears, and you see that it's 311 pixels. Well, it doesn't matter if they wrote or didn't write "unregistered", just look for 311 pixels somewhere in the code, because it has to write 311 somewhere, and you find the window, and then you find the "unregistered".
That's another way. Same thing with the colour. Which colour is the window? Blue? Which? Where is it? So there are 100 ways to get at your protection. It is very easy. It is, I believe, just the first step. I would like to underline this. Now, I wanted to tell you... [Question from the audience.] Yes, sure. That is beautiful, because then you have checksums as well to defeat. What happens is that at the very moment you just do it before, you don't even look for the protection. First of all, you just change a byte somewhere, and then immediately it says, aha, somebody is trying to change my program, because he has done a checksum, but you find that out immediately. And then you begin your... They don't do it anymore. It's so easy to defeat. They don't use that anymore. What they are trying to do now, the best protection I know of at the moment, is CuteFTP. CuteFTP, the last version, has a very good protection. I won't tell you which one. If you are interested, you can find out. A very, very good protection that secretly connects to the web and tells the CuteFTP guys the fact that you are using an unregistered version. This is the kind of thing that Microsoft does too, by the way. So they have hidden code that connects and gives away facts and data that you have on your hard disk. You probably know that, because there was quite a big story about Windows 98 doing exactly this four or five months ago. Just to give you an example of these things, and I will... here it is. Yes. Depending on whether you are using... and other things. I'm concentrating on Windows, because that's what we want to crack. There is... yeah. I mean, there are very, very big applications. Everyone is using them. They are lousy. They are not good. But the wind is blowing that way, so crackers should study that kind of protection. There are some Linux protections now, and some of them are explained on my site, by the way.
There is a part about Linux cracking, but let's say that we concentrate on Windows applications, because most protection schemes, and the most interesting ones, are there. Now, you probably all know that inside Excel 97 there is a DOOM game. There is a hidden DOOM game. There is a sequence of steps that you can do, and then you start a DOOM game inside Excel. Inside Word 97, there is a pinball game. So there is a sequence of steps; if you want, I can tell it to you. So for the DOOM game, do you want to know it? Interested? Or not? Or you can do it afterwards, for the one day. If you want DOOM in Excel, then it's this way: choose Create New Document. Choose Create New Document in Excel 97, yeah? Go to line 95. Select the whole line 95, clicking left, so you get the whole line in Excel, yeah? Then you do Tab. When you do Tab, you are on 95B. Now you choose About Microsoft Excel in the menu. You do Ctrl-Shift, and then you choose Technical Support, and then a DOOM window starts and you can play DOOM. It's not a complete DOOM, it's a very small edition. It's an Easter egg, something that the Microsoft people have put inside Excel for fun. The point is, that's the alarming thing: if they put something like that inside Excel, who knows, in a bank or in a military establishment somewhere in Europe, what the hell there is inside Excel? I'm not so sure that it wouldn't be quite interesting for Microsoft, or in general for our American friends, to know what, for instance, the European Central Bank is doing right now. And there is so much overbloated code inside Excel that you can use it yourself. You can hide there everything you want. There are parts of Excel that are never used. They are just left over from debugging sessions; they never took them out. Millions of bytes that may never be used. So inside these huge applications, with very few people that know assembly, there are good chances that you can smuggle, put things inside that do something useful for you.
Now, that's exactly what's happening now everywhere. People are using the DLLs, the dynamic libraries of Windows, parts of dynamic libraries where there is code that's not used, to put other things inside. Let's say, for example (it's quite interesting), let's say you work in a corporation and you fear that somebody is looking at what you're doing and which programs you are installing on your computer, or what you are doing during the day. Well, the best way, in my opinion, is to put the programs you want to use inside some DLL or some other program. I mean, you can just name your game with a funny name, put it in the Windows directory, where there is everything and nobody knows what, and you can use it and probably nobody would automatically check it, because they have sniffer programs, as you know, in all corporations, that check the content of your hard disk. But what you can do as well is to use routines. Let's say you find an interesting routine inside Excel or inside Word. Word is legitimate. They gave it to you at your workplace, so you can use Word. Nobody can say anything. Now, you use some part of Word you're not supposed to, to sniff around, which you can do. And this is very interesting, because no system administrator, or some, very few, will come to the idea that you're using their program to sniff on them. That is what you can do, actually. Once you understand how you can hook a routine, how you can change the routine, how you can pass different parameters to a routine, all these things are very easy, because at the very moment, I don't want this thing, I want the other one, I get another one. That matters to me as well. That's the point. So I just change these numbers.

Now have a look. Please, please. Just... sorry. I promised you that I will finish with assembler code after this next thing, but I want you to understand it once and for all. Have a look at the first line. This first line is "compare byte pointer", this memory location, this one, with zero.
I told you that before. It corresponds to the hexadecimal numbers 80, 3D, 1A, F3, 4C, 0, 0, 0, 0, 0. Why? Yes, why? These hexadecimal numbers correspond to binary code, of course. As you can see, the 3 is always 0011; whether it is in 3D or in F3, it's the same thing. So now this is "compare byte pointer" this memory location, and you can see that memory location: it's there in inverted order. So this memory location here is in the hexadecimal code. And this last 0 here is "compare with 0". So 80 3D means "compare byte pointer". Now, in general, 80 means compare. There are many sequences that begin with 80, and all of them mean compare something with something else. If you begin to reverse software someday, if you're interested in that, you will build your own tables, reversal tables, where you will have 80 3D, compare byte pointer, 80 something, dot, dot, dot. And in that way you will very quickly be able to reconstruct, change, modify code. I won't annoy you anymore with assembly, but I wanted to underline how important it can be nowadays for a series of things, not only for software protections, but for, as our cryptography friends know, cryptography, for, let's say, algorithms in general. So search engine algorithms, that kind of thing, busting or understanding, and for other things as well.

Let's see if I can finish it. Ah, yeah. I told you before that inside any application or target there are a lot of things that should not be there, or that have been forgotten inside. It is great fun to have a look at them. Really great fun. Just to give you an example, for those of you that don't know it, inside Netscape there are the following strings. I'll read them to you. "Sorry, there are legal restrictions on arithmetic coding." There is no way you can get this message, but it is inside Netscape. Then you have "Ooh, like check for new mail and stuff." "Ooh, like get new mail and stuff." Then you have "Unscramble naughty jokes." That's inside Netscape.
Then you have "Ooh, like see this license file and stuff." Then you have the Book of Mozilla. Inside Netscape you have the whole Book of Mozilla. That's the reason Netscape is called Mozilla. "And the beast shall come forth surrounded by a roiling cloud of vengeance. The house of the unbelievers shall be razed and they shall be scorched to the earth. Their tags shall blink until the end of days." That's inside Netscape. [Audience: You can get it in the browser.] You can get it in the browser, yeah. But all these things, some of them you see. I mean, the question is, how can anyone nowadays know that the program you buy, legitimately buy, I mean, if you want, doesn't have things inside that can be dangerous or complicated for you? If you use another tool that I didn't list before, that is RegMon: you have three main tools that you use to see what happens inside your computer. FileMon, RegMon, and VxDMon. Inside your Windows computer. If you use Linux, you have to use other things. But, I mean, for Windows, yeah. If you use RegMon and then you start Windows, you have something like three megabytes of accesses to the registry, writing, changing, making things in the registry. You don't even notice what every program is doing. If you use FileMon, you see files being opened, temporary files being made, a hell of a lot of things going on that you're not even supposed to know about. Just to give you an example, inside your Windows 95 computer, those of you that are still using Windows now, there are two files, named MM256 and the other one, I forgot. Somebody knows? No, none of you? I'll tell you right now, because that's quite an interesting thing. In these files all the locations you have been to on the Internet are listed. You can have a look at them if you don't believe me. It's quite funny. MM256.DAT and MM2048.DAT. These files are inside every computer that uses Windows 95. There are eight copies of these files.
Each one of them can be between half a megabyte and three megabytes big. That's the reason you have this. It looks very small. In these files is everything: every program you have started, every website you have visited. This is something that Microsoft thinks you're not even supposed to know. Now everybody knows that, but three years ago, four years ago, it was not like that. Some people found that out, and they had a look and watched that. We had to have a look at the source code to understand what that was. By the way, these files are there to help you, so that your Microsoft Internet Explorer can access some sites more quickly. In fact, in truth, these files can be used to snoop on your usage by any system administrator if you're using a Windows 95 computer. Don't think that in Windows 98 things are different. Only the names are different. If you have a look, for instance, I lost it here now, but anyway... an interesting experiment that you can do right now when you go back to your computer, those of you that are using Windows, is to have a look at the USER.DAT file. Probably you already know it, but if you never did it, do it right now, and it will be really great fun. You will find USER.DAT inside your Windows directory if you use Windows 95 or 98. You just copy it somewhere else with another name, because you cannot touch it, it's continuously accessed by the system, and you have a look at it, and you will be quite surprised by what you find inside USER.DAT if you never had a look at it.

So, now... I have some slightly more complicated protection schemes to touch on. Or we can speak about searching for information, which is... I mean, you have a choice. Any time you want a stolen program, you can crack it yourself or you can find it already cracked. There are people, as you probably know, that are just doing that. They are cracking programs every day and putting them somewhere on the web.
If you do a search for appz or warez or gamez, you will find them. I mean, anything, any application. It's not very interesting, in my opinion, to use applications that way, but if you know how to search, you don't need at all to reverse protection schemes. The reason you should learn that, in my opinion, is that it is not limited to protection schemes. Once you have learned how a program works, one that you don't have the source code of, then you can modify it. That's fun. That's great fun. Because, for instance, my copy of Microsoft Exchange that I'm compelled to use at work is completely different from the real copy of Microsoft Exchange. So when I use it, I have a completely different menu, with options that the Microsoft people don't even know of. That's great fun. What I want to communicate to you is that to change the software you use gives you cosmic power. That's true. You can do anything. Sometimes, personally, I even think that, in fact, with Linux, having the source code takes the fun off. I mean, you already know what's going on. So it's much more fun when you get a new program. With CuteFTP, to go back to this protection, it was really interesting, because the programmer is very, very clever and he has learned from the previous cracks. So every time he made a new CuteFTP version, we have cracked it and explained how you do it. And he wrote to me every time, his letters, and said, you got me once more, but I will show you. And the last version is really very good, and he has improved quite a lot. So we have decided not to publish any more, because it deserves respect, because it's a very good protection, which is very rare, because most of the time they don't really understand anything about protecting software. And the commercial protections that you can find on the web are even worse. There is a whole section, as I said, about commercial protections where I demonstrate that there is not a single one of them worth buying. That is a warning for programmers.
And I mean, they are really stupid, really stupid. Some of them are even worse than this one.

Could you please give the address of your...

Yes, you can find it by searching, but if not, I'll give you the address right now. That's this... I have many mirrors. The main one is in America, and that is http, 129, 105, 1165, Fravia... ...Fravia... Is that the word? ...index.htm, because else you won't be able to read it. But there are mirrors in Europe, and three of them actually are quite good. And you will find all of them just... If you make a search on AltaVista for Fravia, you'll find it immediately.

I must say that I'm very happy to... I didn't say that at the beginning. It was very delicate for me to be here with you, but it's the first time that I participate in a CCC camp, even if we have been friends since '95, because I began corresponding with some friends of mine in the CCC in '95. And I had the impression that these things work very well, and I was just wondering why so few crackers and so many hackers are there, but that's not a matter. Do you have any questions, or do you want me to go on just like that, and anything that you're interested in?

Sorry? What about dongle cracking?

Dongle cracking: three years ago, four years ago, people thought that, ah, dongles, that is really la bête noire. That's not true. All of them, Aladdin, HASP, the main ones, have been completely reversed. You will find them everywhere. And it is not complicated. The problem is they don't use the dongle correctly. That's the point. Usually, you should do it this way. Programmers are stupid. You should never underestimate them enough. Normally, you have a dongle, so you should send data, the data should be changed, and then come back. And then it would be a little more complicated to understand what's happening inside. But they don't do it. They just check that the dongle is there. Is it there or not? Jump equal? Jump. I tell you this. No, not always. But very, very often. Very, very often.
So now, even if they didn't, it is possible, of course, by trial and error, to reconstruct what happens. The easiest way, I'll tell you, is to buy the dongle, have a look at it, and crack it. Then you will easily understand what's happening in all the dongles of the same series you don't have. But I have not the impression that dongle cracking has solved anything, because, as you probably know, dongles are quite a hassle for programmers, because clients don't want them, and then you have to have these physical things inside, and then you always have problems if you have a Zip drive, if you have a printer or something. So dongles are not very much used, and 4 out of 5, I would say, maybe 3 out of 5, have just a very simple "is the dongle there" check, in software. It is in part already changing now, but once more, I would refer you to the relevant part of my site, where there is a whole project on dongle cracking. I mean, it's not very updated, I think the last essay was published in January or February, but there is quite a lot on the Aladdin and HASP dongles. At the moment we are concentrating, if you are interested, on the FlexLM protections, but all this is not very relevant now, I don't think I should go into particulars. If you are interested, you can find all this information for free everywhere on the web, and there are many sites. If you are a beginner, there is a site that is even better than mine, which is something I shouldn't say, but it is true, and it is a site by an English friend of mine that you probably already know, the Sandman. The Sandman site is for beginners. So there you really have very stupid protections explained step by step, so that you really learn how to use SoftICE, how to use a hex editor, this kind of very simple things, and you will start cracking your own applications in one week's time, your own simple applications in one week's time.
Now, which is quite interesting, because I still remember the first time... when you really succeed in doing reversing, finding out what you want to find out, it's quite a feeling, I can tell you. The address of the Sandman: you can find all these addresses if you just make a search on AltaVista, but anyway it's www dot proweb, p-r-o-w-e-b, c-o, u-k, dash, then tilde, greenway. You must understand that all these sites change continuously, for obvious reasons, so you'd always better check on AltaVista, and then you will find it much quicker.

So what did we... ah yes, another, maybe we can finish with this, another interesting and recent development in this is the removing banners campaign. So we are finding out how to eliminate all these idiotical commercial banners that you have on the internet, and we have already published quite a lot of essays that explain to you how you can do it. Of course if you use the browser without images you don't have them, but there is another way which is quite interesting: to use your browser with images and you don't see any banner at all. It requires preparing a file on your hard disk named hosts, where you put the numbers, the addresses of the obnoxious banners, and they will be eliminated once and for all. There are many techniques for that, and this is developing now. Quite interesting, because you can open your own free page, you know, there are many free page providers that give you pages, 50 megabytes, 20 megabytes, but then compel you to have these idiotical things, and then you can build your page with JavaScript and some small HTML tricks so that this publicity does not appear. So you have the butter and you eat it as well, which is quite interesting in my opinion.

Sorry? No, there is no protection that is unbreakable. The cryptography... the problem is that somehow this target has to run, so at a given moment you will have somewhere in the memory the code, the correct one. Then you just intercept it. They can do whatever they want, but if it
runs, it has to run, because it is a program; they get it, there is no way. So if you have a look at the protection situation and developments at the moment, you will see that cryptography is not so much used. There are some very interesting protections that use cryptography, but I will say that the best protections at the moment are protections that are using some hidden features of Windows that are not known. So the programmer experimented himself with some funny API, he finds out that when he does that he gets this value; nobody knows that, because nobody knows how Windows works actually. So he used that. Very few programs do that, very few programmers do that. So that's... anyway, you can find it out if you study enough. The problem is that some protections are boring, so boring you don't want to protect it anymore sometimes. But that's, I will say, the main problem: protection is boring.

You had a couple of nice ideas how to search the web not using these search machines that you usually take?

Searching can be divided in three phases. As you probably know, searching, which is very basic: so you go to a search machine and then you search, apart from the fact that the search machine takes note of the fact that you searched that and that and has huge databases for that, but it is not very effective. The second phase is combing, that is, you search people that have already searched. So you are interested in Greta Garbo: you search the three or four mad guys in the world that have for two years searched everything about Greta Garbo, and they have somewhere a page with all possible links, updated, to Greta Garbo stuff. So that's one step more than just searching Greta Garbo: you search the people. The third step is somehow more complicated, it is luring: you make a fake page on Greta Garbo, you just put some photos there, and then you look where the people come from that look at your page, and some of them you will fish come from interesting places that speak about Greta Garbo. That's the third step. Now it
takes more time; it's the most effective one. Now you must understand that AltaVista covers at the moment, I think, one fifth of the web. AltaVista and Northern Light are the two most powerful search engines. So four fifths are not covered, so you must find them yourself. Now you can use your own Perl script to do it, you can even just use search strings in an automated script, that's pretty easy. There are many ways that I'll explain elsewhere, and you will see that it is not easy to find everything, but you can have a good go at that.

Sorry, I don't hear anything. Wait... You look at your server logs. In your server logs is everything about where people are coming from. Sorry, sorry, I don't understand. You can look where they come from, because the last page, the last page they visited, is inside. I mean, obviously some of them will not come directly to you, but I'm speaking of great numbers. Let's say you have 10,000 visitors in one week, and let's say that 8,000 are people that have nothing to do with Greta Garbo, and let's say that 2,000 are interested in Greta Garbo, and let's say that 200 of these 2,000 come from a page you didn't know of. Maybe there's nothing on that page, nothing interesting, I mean, it's just fishing.

Well, you can avoid it. There are many tricks to avoid giving smearing information. You can be pseudo-anonymous at times, but you will be surprised how few people do that. How few, really. I have a site where I have 80,000 hits per day on the main site, and I can tell you I always find it personally incredible that so few people care about hiding themselves a little. Some of the information on my site is of a not completely legal nature, and you have sheriffs of America, people that don't give a shit about hiding themselves.

Probably you say, in this disassembly you can read out the code, but how do you assemble it back?

What? How do you... You don't assemble it back. The very moment you have a look at the code in the disassembly, now you take your hex editor, you hear me, you take a hex
editor, and the code is completely different there. You have only this red part, you see this red part all in a line. So now you know that this 74 comes after this sequence. There will be thousands of 74s inside the code, but this 74 22 comes after this sequence. So you now search inside your hex editor for this sequence, followed by that. If you are lucky you find only one occurrence; if you are unlucky you find two or three, but then you look at what's following. I mean, the moment you find it, you find it somewhere in this hex editor, you just change 74 to EB and then you save the file. It's the same file as before, you don't even change the length of the file. That is slightly more complicated but not so much: you can add things. Normally you don't add anything, you make a jump to a part of the code that is not used, there you write your routine, and then you jump back here. So you can add as much as you want with two jumps. That's what you would do, but in this case it is not necessary because you change one byte with one byte, so no problem. Note this byte 74 22: 74 is jump equal and 22 is 22 bytes. 624... 1, 2, 3, 4, if you count 22 bytes you go to 624. You must understand the beauty of assembly as well.

Search it? I would advise you to use Google, because Google has something very, very interesting: they have cached pages, that is, even if a page disappears from the web you have good chances you can find it on Google. It is an interesting tool that I would suggest you to use, that is Inference. Inference is a tool that uses 4 or 5 search engines at the same time. There are many like that, but Inference will give you a result page already formatted, that sometimes is quite interesting, quite useful. Google... writing down, nobody can... you didn't use Google until now? Look, my personal best top 10: AltaVista. Use AltaVista. If you learn how to search advanced in AltaVista, you will find a lot of things. AltaVista is very good to find specific things. So you put a line with 100 characters that exists only in one page, and you need to
find that page. You can put in AltaVista "my mama got a lot...", very, very long, if you have it exactly as it is, your commas stay correct, then you only have one page, that page you want. So if you have somewhere on a paper an old page, "where, where was that, how can I find it?", you just put it in AltaVista and find it immediately. Sorry? AltaVista and Google have cached pages, so you can find things that have disappeared from the web.

There are two more things about Google. It's counting the links to a page, so that's the future. For example ATI Technologies, they're in Canada, they're making VGA cards and they're completely screwed up, the main... nobody can remember. In Google if you say ATI, you'll automatically get there, because they have billions of links to this page. Google will always give you, with one or two or three words, the most linked-to page. And they have a feature, that is a small red bar: if you click on that bar you see all the pages that link to this one page, so you can go backwards. In between, this you can make with AltaVista now: you put... you can add "image", two points, and then for instance "red cat", then you will get all the images on the web that have "red cat" in the name. Now many of them will be about red cats. The algorithms are completely different, but you must be aware of the fact that the algorithms of all search engines are state secrets, in theory, and are completely different. They don't want you even to understand them, because if you do you can push your page up. That's the reason most of them, Google as well, are using rotating algorithms, so sometimes it is true in Google that the links relevance is very high, and not always. All these things are very specific anyway.

I will add another one if you allow me, that is Inference... when we are still on searching: the underlying importance of Usenet. As you probably know, Deja News is a search engine dedicated to Usenet. For those of you that never used it, have a look and have a try, because you will discover a lot of things. If you do
a search on Usenet on anything you are interested in, the chances are that you find people you don't even know exist, speaking about that right now somewhere in their email. And then if you follow those people and you have a look at where they post and what they post, sooner or later you will find their pages, you will find the links, so you will have knowledge. So Usenet in a search strategy: Usenet and Deja News are very important as well. I will add also Northern Light. In very recent times Northern Light has developed, at the moment, a database that is bigger, since one month: Northern Light and Fast. Fast is a search engine, a European search engine made by the same people that made the FTP Search in Trondheim, Norway. Fast is very good as well. Search engines: I mean, you will quickly reduce to two or three that you will know how to use very well, because it takes some time, each one has its particularity. But as soon as you... you must build your search strategy without losing time, in order to get the things you want very quickly, without losing time, which is very difficult because there are so many things on the web that you are continuously trying to find the other and you lose your path often.

That's another thing, I will maybe close after that, that is the e-mail search and FTP retrieval. So as you probably know, some of you at least I hope, you can get anything for free, download everything for free, without being connected from the internet to FTP. So you send an e-mail to an FTPmail, the one you choose, the one you like best, there are 20 of them, and you tell them: I want to have this 20 megabyte huge file somewhere in Japan. If you access that directly with your FTP connection you will lose it, it will break, it will take you two hours to download it. FTPmail will do it for you for free and send it to you already made. I never understood why people don't use that. So use FTPmail, use the mail feature, these kinds of things, to browse the web. It's fun if you know what you do, but to download online it's
criminal if you have to pay, there is no point in doing it, do it for free. So those of you that don't know that, do the following: send an e-mail with "help" both in the subject line and the text to ftpmail at ftp dot S-U-N-E-T dot S-E, yes, S-E, S-E. The quickest FTPmail that I know of. There are many others, and if you want a mail feature to get pages and small programs you can use the Trieste one, which is very good, as many as you want, E G T P. You send a help both in the text and the subject and you get instructions on how they work. It's very easy, you just tell them what you want from the web, where it is and where you want it to be sent. One of the advantages of using FTPmail is that they are accessing the resource you want, not you. So in the logs there, they will have... of course it's written, they will have your logs, but they don't care and I know that they destroy them every week. So that means it's not completely anonymous, but it's quite an interesting thing.

Another trick you may be interested in, if you want to look at a page without your system administrator knowing what you're doing: you let the Babel Fish translator from AltaVista translate it. So you do it that way, automatically translating. AltaVista, you have a translator who wants a page in the world translated from Portuguese to English, so there is nothing Portuguese, so the page will be in English, and who will be in the logs? The AltaVista translator has huge logs that are destroyed every week as well. So in this way the administrator will see he's using AltaVista.

It will be... you can decide how you want it. Normally it will be uuencoded, but you can have it zipped as well. The modern ones, the Trieste one, can send you a zipped file, zipped as attachment, but normally most FTPmail servers will send it to you uuencoded and you have to reconstruct it. Besides, there is a limit in the sending packets of 300 bytes each. Then if you have a 50 megabyte file that you want, or if you are downloading millions of porn images from
Japan, then you have to reconstruct everything, but there are automated scripts and programs that will reconstruct it, so you don't do anything at all actually. You just send your request in the morning and after two hours you get everything for free.

It is impossible to give you a correct answer, because it depends on many things: what is your email program, which system you are using and which systems you are crossing. But anyway, don't worry, just try it, and if you send "help" they will give you all the options, possible options, and you will see that you can graduate it until it works correctly. Normally I get small files as attachments, in a zipped format, and big files in encoded format, and then I have to decode them, but that is up to you and up to your program. It depends also on how much load they have. Sometimes the Trieste server has it within 10 minutes, sometimes in 2-3 hours. There is a classification, updated every day, of which ones are the quickest at the moment. If you are interested I can give it to you, but I would suggest that you just begin with one of them with a very simple query, where you know that the file exists and what you want exactly, and then you calibrate it.

Well, German law doesn't matter at all, because what is important is European law, and European law is quite, how would you say, nebulous. As you may know there are different interests between Americans, Europeans and Japanese, so the three have completely different legal... they are tackling this thing in a completely different way. The Americans are very, very severe and don't agree at all that you should reverse engineer anything at all. The Europeans, grosso modo, allow you to reverse engineer everything as long as you have bought it, it is really yours, as long as you don't sell it, you don't sell the code, or you don't use the code for your application. So if you are doing that for studies, or for your interest, or in order not to have any problems on your computer, you can say this lousy program makes problems on my computer, I have
to reverse engineer it because I want it to run correctly. Well, it's OK, as long as you bought it legitimately and as long as you don't sell the code, of course.

Well, let's look at it this way. Sorry. Normally you have a thing where you have "I accept", "I don't accept", and then if you click on "accept", theoretically you have accepted some conditions, and in these conditions, most of the programs being American, there is "you shall not reverse engineer". That is very easy to change: "I accept" to "I don't accept". Take it, you don't even need to look at the code. Before there is a problem, that's what you should do, because there is no point in going illegal with that. There is a program named Customizer, I have it here on the computer, who wants it, I can give it to you, which is very nice because it ungrays grayed menu options and allows you to change any text. So you point Customizer, the moment you have this "I accept", you point it on "I accept", you see the string "I accept", you change it: "I don't accept it at all", and then you click. I cannot see, I cannot see the problem. So you didn't accept it, and that's all.

There are some programs where if you open the... you break the seal on the CD cover. Now the way is not to break the seal but to open the CD the other way. There is no point in having physically a program. I cannot see why you cannot take the same program from the net. If you buy it, if you buy it there is no problem, you open it. I don't get the point. If you have a sealed program, then you bought it, so what's the problem? Either you have a sealed program or you don't have it. If you have a sealed program and you open it, well, you bought it, so you can open it. There are some where you break the seal, you accept the licensing conditions, yes, but why can't I have the same program from the web instead of buying it, to take it from the world? Yes, I don't see why you should buy anything at all actually. No, I mean it, I mean there is no point, unless, unless you are very happy with the program. I've done it. I always, if I
really use a program, I always... why not, I mean, it's not very expensive. For instance the disassembler that I used, I bought it, I sent the money to them, and I bought it after three or four years because I was really convinced it was a good program. I'm not joking, I tell you, to any one of you, that software protection is just a game for kids, so it's fun to use something, but if you really like a program, normally you will want to have it: you want to update it, you will want to have documentation, you will want to be... sometimes some of these programs, if you do something with them, they put the fact that they are not registered inside, so that's not nice either. I mean, of course you can... they protect everything, but I think one of the things I would say: you update very often. I'm very happy with a very old Hex Workshop version, and I see that every two months there is a new Hex Workshop version now. That probably has to do with the fact that its protection is cracked, but I don't see the point in updating everything continuously. Most of the time you just lose information, you lose things. I don't know if you agree with me. So that's where I think... Hardware, I don't know anything about it. I'm not a hacker, I don't even know how to begin.

Those several files that Microsoft could use to get information about you: is it known what files these are?

Windows 98 had, because they took that off now, but until April had an automatic, an automatic connection every time you went on the web, and during this connection the data that Windows 98 had got, read on your hard disk, were transmitted to Microsoft. There was a great fuss, like the Germans say, about that three months ago, and Microsoft has promised that they have changed it. Who knows if they did, but the problem is that you can't access this data even if you are working with sniffers and everything, because they are set in a very clever way. Actually I haven't got the code yet now, but you can find it explained. There is a very interesting American site that
you probably know of, named JigGirl, the JigGirl site, where you'll find all these kinds of things explained very well. I just... you know, addresses are such a suck, they change so often. It's http www dot jig, g-e-e-k, strict, t-r-e, that's it, girl dot com, www.jiggirl.com. So that's... you will... Yes, well, you must understand that I am seeing all these things from the pure software approach, so I refuse to use hardware to intercept that. There are of course hardware ways to do it. What you can do with any dongle is to have a look, very simple: have a look at what happens if you have the dongle, look at what happens if you don't have the dongle. It is slightly more complicated if you don't have the dongle at all; in that case you have to reconstruct what the dongle would do, so you use software for that. Instead of sending the data to the output you send them to your wrapper, and you see what happens. It's quite boring, but most of the time, I've been told, that works. There are many dongle emulators, I have them on my pages as well, and you can download them and use them. The problem is that they change the dongles continuously because of that, because of people cracking them, so you have a new dongle version for Aladdin, for HASP, for everything, every two weeks, but the principle is always the same. So normally the point is very easy: you get your target, you look at it, you look at what it does, and you change it. That's it. The whole assembly thing is great fun once you get into it, because it really gives you the possibility to get the gut of something with one byte, which is great fun. These programmers, they make very complicated protections and then they check the protection with two or three things. That's really amazing as well. So, are you happy with that? Yep.
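The log-reading step of the "luring" search phase described in the talk (looking in your own server logs at where the visitors of your page came from), as an added example that is not part of the original transcript: it parses a few constructed Apache "combined"-format lines, reads the Referer field and counts the referring hosts that are neither a direct hit, a link from your own site, nor a search engine you already know. The host names, paths and log lines are all constructed for the example.

```python
"""Referrer tally over web-server access logs (added example, not from the talk).

The Referer header is supplied by the visitor's browser, so it is untrusted
input: the script only parses and counts it and never acts on it.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, not real traffic; reserved .example names throughout.
SAMPLE_LOG = """\
10.0.0.1 - - [08/Aug/1999:10:00:01 +0200] "GET /garbo/ HTTP/1.0" 200 2048 "http://www.altavista.example/cgi-bin/query?q=greta+garbo" "Mozilla/4.0"
10.0.0.2 - - [08/Aug/1999:10:00:05 +0200] "GET /garbo/ HTTP/1.0" 200 2048 "http://fanpage.example/links.html" "Mozilla/4.0"
10.0.0.3 - - [08/Aug/1999:10:00:09 +0200] "GET /garbo/photo1.jpg HTTP/1.0" 200 51200 "http://fanpage.example/links.html" "Mozilla/4.0"
10.0.0.4 - - [08/Aug/1999:10:00:12 +0200] "GET /garbo/ HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
10.0.0.5 - - [08/Aug/1999:10:00:20 +0200] "GET /garbo/ HTTP/1.0" 200 2048 "http://www.mysite.example/index.html" "Mozilla/4.0"
10.0.0.6 - - [08/Aug/1999:10:00:31 +0200] "GET /garbo/ HTTP/1.0" 200 2048 "http://cinema-club.example/divas.htm" "Lynx/2.8"
this line is not in combined format and must be skipped
10.0.0.7 - - [08/Aug/1999:10:00:40 +0200] "GET /other/ HTTP/1.0" 404 312 "http://fanpage.example/links.html" "Mozilla/4.0"
"""

OWN_HOSTS = {"www.mysite.example"}              # internal navigation, no discovery
SEARCH_ENGINE_HOSTS = {"www.altavista.example"}  # phase-one traffic, already known


def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname of a Referer value; None for '-', empty or unparsable."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def unknown_referrers(lines, path_prefix, own_hosts=OWN_HOSTS,
                      known_hosts=SEARCH_ENGINE_HOSTS):
    """Count hits on path_prefix per referring host, dropping direct hits,
    own-site links and search engines.  The result ranks leads to look at,
    nothing more: the header can be forged or stripped by the client."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            _method, path, _proto = rec["request"].split(" ", 2)
        except ValueError:            # malformed request line, e.g. no protocol
            continue
        if not path.startswith(path_prefix):
            continue
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts or host in known_hosts:
            continue
        counts[host] += 1
    return counts


if __name__ == "__main__":
    tally = unknown_referrers(SAMPLE_LOG.splitlines(), "/garbo/")
    for host, n in tally.most_common():
        print(f"{n:5d}  {host}")
```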