40Hex Number 8 Volume 2 Issue 4 File 002 -=-=-=-=-=-=- Eat PUTAV by Demogorgon of PHALCON/SKISM -=-=-=-=-=-=- Even though pk-zip 2.0 will be out soon and all the methods in this article will be obsolete, I decided to write about them anyway. I am sure you are familiar with the old program called makeav, which attempted to brute force hack pkzip registration serial numbers. Sure, it worked, but it was quite slow. Then, Hal released the program findav, which did the same task several thousand times faster. Dark Angel took apart the program findav in order to make a few modifications. Naturally, Hal included several routines in his code in order to make it very difficult to take apart. Dark Angel captured a memory image of findav after it loaded into memory, wrote it back to disk as a com file, and then changed all of the offsets so that all references to the data segment were changed to their address in the code segment. Dark Angel made several modifications, the most important of which was so that findav would not quit out after finding a serial number. The new version finds every serial number, and logs them to disk. -=-=-=-=-=-=- An Experiment in Distributed Processing -=-=-=-=-=-=- The next day, Garbageheap and I took the modified findav down to the nearest university. We started it running on twenty 80386 systems on their network, each working on a different segment of the 4 billion possible serial numbers. The goal was to find every serial number that worked for McAfee Associates, so that we could then determine which one was the one he uses. When an authenticity verified pkzip file is extracted, pkunzip generates a 3 letter, 3 number validation string that is dependent on the serial number used to validate it. A single registration name has millions of valid serial numbers, but each of these serial numbers has one unique validation string. For Example: PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help PKUNZIP Reg. U.S. Pat. and Tm. Off. Searching ZIP: EARLOBE.ZIP Exploding: NUL -AV Authentic files Verified! # ATU314 Zip Source: McAFEE ASSOCIATES ^^^^^^ PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help PKUNZIP Reg. U.S. Pat. and Tm. Off. Searching ZIP: EARLOBE.ZIP Exploding: NUL -AV Authentic files Verified! # SXQ414 Zip Source: McAFEE ASSOCIATES ^^^^^^ Therefore, the task was to find which of the serial numbers we had found for McAfee produces the validation string "NWN405". To do this, we ran every serial number through a program called checkav which Dark Angel wrote to determine what validation number corresponds to which serial number. Of course, a task like this would be nearly impossible on your machine at home, but thanks to my local university, we were able to use twenty machines at once. -=-=-=-=-=-=- Yet Another Way To Eat PUTAV -=-=-=-=-=-=- Because there is never only one way to do something, I decided to put in another way to get whatever validation string you want out of pkzip. All you need to do is include some ^H characters in your registration name to backspace over the validation string and create a new one. Naturally, you can not enter ^H characters when you run putav, so you enter the correct number of some other character, go into memory with td, and change them to 08h, the ^H character. That way, when pkunzip runs and gives you a validation string, it will backspace over it and show your own. For example: >>>>> PUTAV.EXE PUTAV - Put Authenticity Verification in PKZIP.EXE Copyright 1990 PKWARE, Inc. All rights reserved. Enter company name exactly as it appears on the PKWARE documentation. Company Name : ^A^A^A^A^A^A^A^A^A^A^A# BOB666 Earlobe industries Enter serial number exactly as it appears on the PKWARE documentation. Serial Number: 23453244 >>>>> After typing earlobe industries and hitting return, break into turbo debug and change the ^A's (01) to ^H's (08). Remember to put in 11 backspaces. You can use the same method to find the serial number for your string with findav. The only useful application of all this is to duplicate an existing pkzip registration. You could do that before, but now you can do it better. Changing the validation string only really makes a difference if you are trying to duplicate an archive that is known to have a certain one, like McAfee's. +++++