DOs and DON’Ts for malware/virus/botnet writer/user.

May 27, 2007

( Disclaimer: I am not supportive of virus/malware programming. )
Note: I have not blogged for 3 weeks, because I have been quite busy recently. Originally, I was going to post 3 posts in one go instead of 2, but the last post, a paper on the structure of KeServiceDescriptorTable(Shadow) and its related structures/methods/functions, is not yet finished. I will be away for a week, so you can expect this paper in 1 to 2 weeks.
Regarding MzBot, as I mentioned, I am quite busy. So if you really want to add features, I can perhaps send you the source (for the usermode part), or you can mod the EXE the way you mod Maple.

Although I have left the world of writing everything that's evil and nasty, just recently I came across many poorly written viruses. Just to name one, somehow this spyware called SpyLocked got stuck on my brother's box. (It's actually hijackware.) What it does is pretty simple: it constantly alerts the user that there is "spyware" on the computer, but in fact the only spyware around is itself; all it wants is for you to pay $$$ to the author for a fake anti-spyware. It also makes itself hard to uninstall.

There's also the case where Mark Russinovich came across a botnet client that renamed mIRC.exe to explorer.exe and ran whatever commands were issued in the channel it joined.

Anyway, enough ranting about noob viruses that don't work properly; here are the tips:

– Don’t be evil
Remember, white-hat dudes are always around. Unless you only ever hack clueless targets, someone will definitely catch you.

– Don’t use Visual Basic
This is common sense: Visual Basic is the big no-no when it comes to programming anything but a fancy GUI that does practically nothing. Every "virus" written in Visual Basic is easy to decompile, so I know you don't mind people peeking at your virus' source, right? You released your virus under GPLv2? Cool! And do worry about victims who lack MSVBVM60.DLL.

– Don’t use mIRC
We heard of the case of Zango suing PC Tools; maybe mIRC will sue McAfee or something, who knows? Anyway, there are too many dudes out there abusing mIRC to write "botnets", so the security dudes got fed up and no longer let mIRC pass normally.

– Don’t target POSIX boxes
POSIX boxes are too portable; you have to ensure that your virus works on a toaster before you can ensure that it works on NetBSD... =Z

– Don’t use commercial packers
Watch out! If you do, your virus will end up in someone's unpacking tutorial!

– Don’t think they can’t find you if you do DLL injection
SpyLocked's main executable is a DLL that runs in explorer's process space. The author must be out of his mind to be satisfied with that level of protection.

– Don’t name it as picture.jpg.exe
We live in the twenty-first century; people are not so dumb as to fall for such old social engineering tricks. Be more creative, there are other ways of getting people to run your code. Or even better, get your victim's Windows to run the code for you; if you are lucky, you might just come across a bug that allows code injection on any Windows computer.

– Don’t use other’s virus
AV vendors are faster than you, always.

– Do make it clear that Ctrl-Alt-Del isn’t working
Things that you can do:
+ Delete taskmgr.exe
+ Screw OpenProcess()
+ Screw NtQuerySystemInformation()
+ Access I/O port 0x64 whenever they open Task Manager
+ Hammer _EPROCESS
+ Booby-trap PspCidTable
+ Mess with the memory manager to give yourself an address space
+ Anything else that works

– Do delete your main executable
Renting a "house" on a foreign computer is too expensive, so why not borrow another process' executable? ntoskrnl.exe seems to be a good choice. Don't forget to delete your main executable after you have injected into some other program.

– Do delay a bit before you do whatever that you are going to do
Please don’t
mov al, 0FEh
out 64h, al
the moment you get your code onto your victim's box. (That sequence tells the keyboard controller to pulse the CPU reset line, i.e. it reboots the machine on the spot.) The rootkit philosophy is to be hidden, not to destroy. It is more valuable to hide your code than to hand out coupons for free reboots or a free system reformat. It's better that they don't know.

– Do give dudes’ at Symantec/McAfee/F-Secure/ fun!
Imagine: those dudes sit in front of their computers the whole day disassembling lousy viruses written by some noob with an absence of a main body of neurons (aka: brain). Very sadly, this is their job... Just in case your virus gets into these guys' hands, please do ensure that they are well entertained! A completely metamorphic packaging, inclusive of a built-in virtualization method, with a dose of high-memory VM calls... preferably some stack-call method. That should do the job of brightening their day.

– Do inject/intercept packet in NDIS if you need network
The local firewall on your victim's box just doesn't give a damn about packets that you inject directly into the miniport driver's queue.


About Memory Management and Memory Allocation

May 27, 2007

Introduction
One of the many functions of an operating system is to manage memory and distribute it amongst running processes and threads.

The operating system does this by keeping a pool of unused memory and assigning memory from that pool to any program/process that requests it.

This act of assigning memory from the pool to the program/process is called memory allocation.

Two methods of memory allocation
– Direct Memory Mapping
This method directly notifies the operating system that you need a certain amount of memory, and the operating system assigns it to you.
The disadvantage is that a system call (a direct request to the operating system) is expensive, i.e. slow. Furthermore, allocations are made at page granularity: a request that is not a multiple of the page size is rounded up to the next page boundary. (The normal page size is 4 KB on x86.) An advantage is that you get to set the protection (read/write/execute) of the pages.
Example of implementation:
mmap(); // POSIX
VirtualAlloc(); // Windows

– Allocate from heap
This method preallocates a few pages (called the program heap); whenever a request for memory is issued, the allocator checks whether the free space in the heap is big enough to fulfil it. If it is, it hands that memory to the program directly; otherwise it requests more pages from the operating system and then assigns the memory. Note that this bookkeeping happens in user mode, outside the operating system.
The disadvantage is the extra layer, and that you cannot specify the protection of the pages you are allocating. The advantage is that one can allocate any size of memory without being limited to page granularity, and it is faster, since most of the time no system call is involved.
Example of implementation:
malloc(); // ANSI C

Benchmarking
The easiest way to understand the performance of these memory allocation routines is to benchmark them.
I conducted one on my laptop (for specs, see the previous post). The contestants are:
– mmap() on Linux // PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE
– malloc() on Linux
– VirtualAlloc() on Windows // MEM_COMMIT, PAGE_EXECUTE_READWRITE
– malloc() on Windows

The software versions are:
Linux kernel 2.6.18, glibc 2.3.6
Windows XP SP2

The procedure is as follows:
1. Start timing.
2. Allocate x byte.
3. Access the first byte of the allocated memory.
4. Free the memory.
5. Repeat steps 2~4 for a total of 2048 times.
6. Stop timing and record reading.

Timing is done with the following API/functions:
gettimeofday(); // POSIX/Linux
QueryPerformanceCounter(); // Windows

Hmm, probably accurate enough, although:
Sleep(10); resulted in around 89xx microseconds
while
usleep(10*1000); resulted in around 100xx microseconds
// Note: Sleep() is a Windows API, while usleep() is a POSIX one.

The program is compiled with Visual C++ 6 on Windows and gcc on Linux. (Duh!)
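The benchmark program itself is not on this page, so here is the same procedure as an added Python example (not the C program the post was measured with). The mmap path goes through the mmap module, which makes one anonymous mapping per iteration with a system call each way; the heap path calls the C runtime's malloc()/free() directly through ctypes so that, as in the post, only the first byte of each block is touched. The size list, the page-rounding helper and the output format are my own choices; 2048 iterations matches the post.

```python
import ctypes
import ctypes.util
import mmap
import sys
import time

ITERATIONS = 2048                          # same repeat count as the post
SIZES = [64, 1024, 16 * 1024, 64 * 1024, 128 * 1024, 1024 * 1024]

# Bind the C runtime's malloc/free so the heap path really is malloc(),
# not a Python object: msvcrt on Windows, the system libc elsewhere.
if sys.platform == "win32":
    _libc = ctypes.cdll.msvcrt
else:
    _libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
_libc.malloc.restype = ctypes.c_void_p
_libc.malloc.argtypes = [ctypes.c_size_t]
_libc.free.restype = None
_libc.free.argtypes = [ctypes.c_void_p]


def page_round(size, page=mmap.PAGESIZE):
    """Bytes a page-granular allocator (mmap/VirtualAlloc) really reserves
    for a request of `size` bytes: rounded up to the next page boundary."""
    return -(-size // page) * page


def bench_malloc(size, iterations=ITERATIONS):
    """Microseconds per malloc / touch first byte / free cycle."""
    start = time.perf_counter()                      # step 1: start timing
    for _ in range(iterations):
        p = _libc.malloc(size)                       # step 2: allocate
        if not p:
            raise MemoryError(size)
        ctypes.c_ubyte.from_address(p).value = 1     # step 3: touch first byte
        _libc.free(p)                                # step 4: free
    return (time.perf_counter() - start) * 1e6 / iterations


def bench_mmap(size, iterations=ITERATIONS):
    """Microseconds per anonymous map / touch first byte / unmap cycle."""
    start = time.perf_counter()
    for _ in range(iterations):
        m = mmap.mmap(-1, size)    # anonymous private mapping, read/write
        m[0] = 1                   # faults in exactly one page, whatever `size` is
        m.close()                  # munmap / UnmapViewOfFile
    return (time.perf_counter() - start) * 1e6 / iterations


def run(sizes=SIZES, iterations=ITERATIONS):
    """Return {size: (malloc_us, mmap_us, bytes_actually_mapped)}."""
    return {s: (bench_malloc(s, iterations), bench_mmap(s, iterations), page_round(s))
            for s in sizes}


if __name__ == "__main__":
    print(f"{'size':>9} {'malloc us':>10} {'mmap us':>10} {'mapped':>9}")
    for size, (heap_us, map_us, mapped) in run().items():
        print(f"{size:>9} {heap_us:>10.2f} {map_us:>10.2f} {mapped:>9}")
```

Because only the first byte is touched, neither column's cost grows with the requested size; the mmap column pays a page fault plus two system calls per iteration, which is the "expensive system call" the post refers to. The third column shows the page rounding: a 64-byte mmap request still costs a whole page.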

Benchmarking Result
Let’s visualize it:
(Graph: allocation time against size for all four functions; image not reproduced here.)

It seems that malloc() on Windows is sort of messed up after 64 KB allocations.
Perhaps Microsoft should fix it?

It even spoilt the graph, so that we only see the green line.

This is the graph without malloc() on Windows:
(Graph: the three remaining functions; image not reproduced here.)

It seems that all 3 functions scale O(1) up to 128 KB.

I wondered how malloc() on Windows scaled.

So this is the third graph with all 4 functions, but restricted to the smaller test cases:
(Graph: all four functions, small sizes only; image not reproduced here.)

As seen from the graph, the 3 functions from the previous graph scale O(1), while malloc() on Windows goes out of control at around 16 KB. (Note that "O(1)" here means a constant cost per call regardless of size, which is what this procedure should produce: only the first byte of each block is touched, so only one page is ever faulted in, whatever the allocation size.)

Conclusion

On Linux: use malloc() to save trouble; it scales quite well. Use mmap() if you want to do advanced memory management (e.g. control the page protection).
On Windows: use malloc() for allocations below 16 KB; use VirtualAlloc() for bigger allocations.


MzBot2 API Beta 2

May 4, 2007

This has been sitting on my desktop for a long time, and now I am itching to release it.
This will probably help people make their own bot, or customize MzBot, etc.
(Hint: this can be used to bypass ACTools; figure it out yourself!)

Who:
By Zuan, of course. All files are signed; do check them.

What:
This is a DLL (with .lib and .h) that uses MzBot to provide a bypassed SendInput function call.

When:
Now!

Where:
Zuan’s blog!
DL Link: http://filexoom.com/files/2006/12/20/49476/MzBot2%20API%20Beta%202.zip

http://www.divshare.com/download/623977-461

How:
If you know how to do dynamic DLL loading, then you probably know what to do... (Most of you should know dynamic DLL loading...)
If you don't, and use BC++ or VC++, then you can use the header file. (One extra layer with the header, so not so recommended.)
If you use another language (except Java and some "you-just-shouldn't-write-a-bot-with-it" languages), then you can probably make use of the .lib and .def files...

APIs:
InitMzBot() (DLL) / MzBot_Init() (.h) — Initializes the module and locates the MzBot process; if it returns 0, it failed.
AltSendInput() (DLL) / MzBot_SendInput() (.h) — The bypassed function for you to play with. =) Do not call it before initialization.


Review on Acer Aspire 5612ZWLMi + Debian Linux

April 29, 2007

I have been with this laptop for around one and a half months, so it is time to write a review of it.

Specification:
– CPU: Intel Core Duo T2060, clocked at 1600MHz. ( It is marketed as “Intel Pentium Dual-core processor T2060” )
– RAM: 1GB DDR2
– Harddisk: 80GB
– Display card: Intel GMA950
– CD-ROM: CD-RW + DVD-R
– Network chipset: Ethernet: Broadcom Corporation BCM4401-B0 100Base-TX; Wireless: Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller
– Audio chipset: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller
– Preloaded OS: Windows Vista Home Premium

The first thing I did was to get Vista off my laptop, since it turns some dual-core CPUs into an ancient 80386...

OK, let me save the crap for later and comment on Linux's support for the laptop's various hardware. Just to note that my kernel version is 2.6.18, and I am using Debian GNU/Linux 4.0 (codename `Etch`).

– CPU => OK
This CPU worked quite well. Just that SpeedStep wasn't set up properly by the system by default. A few modprobes solved it:
modprobe cpufreq_ondemand
modprobe speedstep_centrino
echo ondemand > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
echo ondemand > /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor

– RAM and Harddisk => Good
Of course it works.. -_-”

– Display Card => Good
Auto-detected by default. I didn't install 915resolution, because 1024*768 is good enough for me. Beryl worked well with this chipset.

– CD-ROM => Good
Auto-detected by default. Burns CDs without trouble (using k3b).
k3b's auto burning speed is around 10x.

– Network Chipset ( Ethernet )=> Good
Auto-detected by default. No problem till now.

– Network Chipset ( Wireless ) => OK
Auto-detected by default, but there are transmission power problems: I am only able to access the network within 10~15 metres of the access point (using Linux's native driver).
You might also want to try the ndiswrapper driver; maybe it will work better.

– Audio Chipset => Good
Auto-detected by default. No problem till now.

– Hotkeys => Doesn’t work
The extra keys on the laptop (those on the leftmost side and beside the power button) that provide shortcuts to some functions (e.g. e-mail, browser, media player) don't work, but who cares? =)

– Preloaded OS => Worst + Lousy
echo “Windows Vista” > /dev/null ; install linux


Is it just TJC, or are systems all over Singapore like that?

April 14, 2007

This post is about various security holes I have seen in the school's computer systems. Please note that I am not trying to hack the school's systems (I promised Mr. Low that I won't). This is posted here in the hope that they will fix them. Also, I did not actively audit the systems; these are just some issues that I came across without auditing.

Wireless system
When I first came to Temasek Junior College, I met the IT assistant/manager (his name is Yang Le, or however it should be spelt), and he bet me that I could not retrieve the school's wireless password. He also claimed that the password is secure because it is long...

However, a standard 104-bit WEP key is always 26 hexadecimal characters long. His password is therefore exactly as strong as every other WEP key, and WEP itself can be cracked from captured traffic regardless of how the key was chosen. His claim that his password is more secure is false.

Anyway, the bet was still on, so that day I spent half an hour coding a simple keylogger on my previous laptop, a Compaq Presario 1500. It took me 5 minutes to start up my computer, another 5 minutes to start up Visual Studio 2003, and another 7 minutes to create a new project. (That laptop retired just one month ago, since it is too old.)

A keylogger was done in 10 minutes; abusing the GetAsyncKeyState() API is quite fun indeed. I am quite amazed that one of my classmates, S??????n, recognized that it was C++. (Name censored for privacy.)

I keylogged him (the IT assistant) and obtained the wireless password, which is just what my classmates had found out from our seniors: the factory default for 3Com wireless access points.

Later, I talked to Mr. Low, the IT manager (or whatever position he holds). He told me that it is the factory default not for security, but because it is troublesome to change every access point in the school.

The nature of a wireless network allows every computer on the network, or in some circumstances any computer within range of the transmitter, to receive everything that is sent on the network, since the signal is transmitted into the air.

Because of this, information is easily accessible, so extra security measures need to be in place.

The e-learning portal – The MaTrix
I am quite pleased that the e-learning portal has a basic form of protection in place to prevent the password from being transmitted as plain text. They also ensured that the password cannot be derived from what is sent across the net.

How they achieve this is described below:
1. When the login page is displayed, the server generates a seed (a challenge) and sends it to you.
2. When you log in, the password is hashed with a digest algorithm such as MD5. Furthermore, to prevent brute-forcing the MD5 hash with a precomputed table, the salt/seed is mixed into the password before hashing.
3. The hash of the password is sent to the server together with the username and the seed.
4. The server hashes the password from its database with the seed, then compares the result with the one received from your browser.
5. It sets the cookie if they match.

The method is quite good, but not without weaknesses:
1. We now know that the passwords are stored in plain text, which is not good practice. (Or maybe not; it seems that the password is passed through md5() twice, so the server may store md5(password) instead. If so, that stored value is still password-equivalent: whoever copies the table can log in without ever knowing a password.)
2. We don't need the password to log in; we just take the hash, username and seed (obtained by some means, for example by sniffing the wireless network described above), then send them to the server exactly like a legitimate login does. The server acknowledges the login, and we are in.

To fix no. 2, the server should set a timeout for each seed, and accept each seed only once.
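To make the replay concrete, here is an added example that is not the portal's code: a toy model of the seed/MD5 login described above, first as the post describes it (the server hands out a seed but never remembers it, so a captured hash plus its seed logs in again), then with the fix applied (each seed is recorded, expires, and is consumed on first use). The user table, the seed length, the 60-second lifetime and the injectable clock are my own choices; the post says nothing about how the real portal generates seeds.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table. The post suspects the real portal stores either the
# plain password or md5(password); the toy stores the plain password.
USERS = {"alice": "correct horse battery"}


def response_for(password, seed):
    """Client side (the portal's login page does this in the browser):
    hash the password together with the server-supplied seed."""
    return hashlib.md5((password + seed).encode()).hexdigest()


class ReplayableServer:
    """The scheme as the post describes it: seeds are issued but not tracked,
    so nothing stops the same (seed, hash) pair being submitted again."""

    def new_seed(self):
        return secrets.token_hex(8)

    def login(self, user, seed, response):
        pw = USERS.get(user)
        return pw is not None and response_for(pw, seed) == response


class NonceServer:
    """Fix: a seed is a one-time challenge with a short lifetime."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so expiry can be tested
        self.issued = {}             # seed -> expiry time

    def new_seed(self):
        seed = secrets.token_hex(16)
        self.issued[seed] = self.clock() + self.ttl
        return seed

    def login(self, user, seed, response):
        # Consume the seed before checking anything, so a replay with the
        # same seed fails even if this attempt fails for another reason.
        expiry = self.issued.pop(seed, None)
        if expiry is None or self.clock() > expiry:
            return False
        pw = USERS.get(user)
        if pw is None:
            return False
        return hmac.compare_digest(response_for(pw, seed), response)


def demo():
    """Run the three scenarios; returns which logins the servers accepted."""
    results = {}

    weak = ReplayableServer()
    seed = weak.new_seed()
    captured = response_for(USERS["alice"], seed)       # what a sniffer sees
    results["weak_first"] = weak.login("alice", seed, captured)
    results["weak_replay"] = weak.login("alice", seed, captured)

    fixed = NonceServer()
    seed = fixed.new_seed()
    captured = response_for(USERS["alice"], seed)
    results["fixed_first"] = fixed.login("alice", seed, captured)
    results["fixed_replay"] = fixed.login("alice", seed, captured)

    now = [0.0]                                          # fake clock
    slow = NonceServer(ttl_seconds=60, clock=lambda: now[0])
    seed = slow.new_seed()
    now[0] = 61.0                                        # user waited too long
    results["fixed_expired"] = slow.login("alice", seed,
                                          response_for(USERS["alice"], seed))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15} {'accepted' if accepted else 'rejected'}")
```

The one-time seed closes the replay, but it does not change what the sniffer learns: with the real portal's double md5(), the captured value is still derived from a password-equivalent hash, so the wireless problem described earlier is what makes this login scheme dangerous in the first place.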

The Student Portal
I am quite pleased that the student portal takes the same strategy as The MaTrix: md5 the password before it is sent over the net.

Yang Le (or however his name may be spelled) did a good job writing the Student Portal. It is more advanced in security than the MaTrix, as it makes use of the ASP Session ID properly.

I dare not say that the Student Portal is secure, but I would say that it is secure compared with the MaTrix.

There is a vulnerability in the staff/student directory page that allows arbitrary remote SQL execution (SQL injection). By submitting a specially crafted string as the keyword, an attacker can do anything to the database, which includes... sadly... drop database;.

To fix it, the search page should escape special characters such as "'", ":" and ";" before they reach the query; the escaped form depends on the database (a literal quote is written "''" in SQL Server and Access, "\'" or "''" in MySQL). Better still, pass the keyword to the database as a query parameter instead of pasting it into the SQL text, so that it can never be interpreted as SQL at all. (Examples in this sentence are without the double quotation marks.)

Another vulnerability of the student portal is that the search page does not limit the rate of search queries. This is a potential DoS vector: with the power of 2 to 3 computers, an attacker could probably crash the Student Portal's SQL server, or even the web server if they are the same box.

To Yang Le, in case he is reading my blog: I am waiting... for a proper legal statement on the student portal.

After all, I have not even started. These are just some bugs that I spotted while in school. Perhaps I will start the real auditing when Mr. Low gives me permission...

————————————————————
The weird thing about my blog is that it does not have any links to other people's blogs, e.g. my classmates' blogs.

My blog is going to have a link section!

Those who want to be linked, please leave a comment.

For h4xx0rs, I don't want to link your "life" blog, sorry. Technical blogs only. (A mixed one's alright.. perhaps...)


Some info on cryptography

April 9, 2007

Erm, first of all, this blog is NOT dead; I didn't post for quite some time because I was really busy with my school work...

It seems that many don't know how to verify files...

Many people's impression of cryptography is that you have a key which you use to both encrypt and decrypt. Like this:
“This is a message” ==> Encrypt with Key ( 561173 ) ==> “VGhpcyBpcyBhIG1lc3NhZ2U=” ==> Decrypt with the same Key ( 561173 ) ==> “This is a message”
(This is just a demo, erm... no Base64 was harmed?!)

The above type of cryptography is called symmetric cryptography, meaning that the key used to encrypt is the same key that decrypts the data. With this type of cryptography, it is hard to keep the key secure: if the other side needs to decode the message, he will need the key, and if the key is sent along with the message, then whoever is eavesdropping gets the key too...

Therefore, there's a newer type of cryptography... I mean, newer than symmetric cryptography, but older than most of us anyway. (And yes, that includes YoYo too, one of the leetest members I ever had in DA, and he was 38 last year.)

It is called asymmetric cryptography; as the name suggests, the key to encrypt and the key to decrypt are different. Furthermore, you cannot feasibly derive one key from the other.

How is this applied? Let's take an example:
Bob wants to send a message to Alice.
Alice generates a pair of keys. She sends the encryption key to Bob. (The eavesdropper gets the key too...)
Bob encrypts the message with the encryption key, then sends it. (The eavesdropper can't decrypt it, since the encryption key cannot decrypt, and the decryption key cannot be derived from the encryption key.)
Alice gets the message and decrypts it.
(One caveat: an attacker who can replace Alice's key in transit with his own gets to read the message after all, which is why you check a key's fingerprint through a separate channel before trusting it; see the GPG steps below.)

Let me introduce some terminology:
– Public key: the key that you allow everyone to know. In the case of signing files, it is the key that verifies (decrypts) the signature; in the case of encrypting files, it is the encryption key.
– Private key: the opposite of the public key. No one except you should have it.

Also note that with RSA, the most common asymmetric algorithm, either key of the pair can be used to encrypt, and the other one then decrypts; it is not fixed that one key only encrypts and the other only decrypts. Signing works exactly this way: the author encrypts a hash of the file with the private key, and anyone holding the public key can decrypt it and compare it with their own hash of the file. (Not every asymmetric algorithm has this property; DSA, for instance, only signs.)
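As an added example (mine, not from the post), here is textbook RSA with tiny primes, small enough to follow by hand, showing both directions described above: Bob encrypts with Alice's public key and only her private key decrypts; Alice signs a hash with her private key and anyone with the public key verifies it. The primes (61, 53), the exponent 17 and the byte-at-a-time encryption are assumptions made for readability; they are hopelessly insecure, as is raw RSA without padding, so this is for understanding the mechanics, not for use.

```python
import hashlib


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p=61, q=53, e=17):
    """Toy key pair: n = p*q is public; d, the inverse of e mod (p-1)(q-1),
    is private. Recovering d from (n, e) means factoring n, trivial here,
    infeasible for real 2048-bit n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)            # (public key, private key)


def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def encrypt_text(public, text):
    """Demo only: one block per byte (every byte is < n)."""
    return [encrypt(public, b) for b in text]


def decrypt_text(private, blocks):
    return bytes(decrypt(private, c) for c in blocks)


def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Signature = the message hash 'encrypted' with the private key."""
    n, d = private
    return pow(_digest_int(message, n), d, n)


def verify(public, message, signature):
    """'Decrypt' the signature with the public key; it must equal the hash."""
    n, e = public
    return pow(signature, e, n) == _digest_int(message, n)


def fingerprint(public):
    """What you compare out of band before trusting a key fetched from a server."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def demo():
    alice_pub, alice_priv = keygen()
    msg = b"This is a message"
    blocks = encrypt_text(alice_pub, msg)      # Bob, using Alice's public key
    sig = sign(alice_priv, msg)                # Alice, using her private key
    return {
        "roundtrip": decrypt_text(alice_priv, blocks) == msg,
        "sig_ok": verify(alice_pub, msg, sig),
        "sig_tampered": verify(alice_pub, msg + b"!", sig),
        "fingerprint": fingerprint(alice_pub),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

Two things the toy makes visible: the eavesdropper who holds only (n, e) has to factor n to get d, and a signature is nothing more than the hash run through the private-key operation, which is why the public key can check it but not forge it.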
Ok, enough Cryptography-101… I mean enough basic stuff, let’s move on to real applications.
Cryptography software allows us to:
– Create a pair of key
– Encrypt a file so that only the recipient can read it
– Sign a file
.. etc..

The software that I propose is GNU Privacy Guard, also known as GPG. This software is compatible with PGP.
Although it is a CLI program, you won't need to touch the CLI anyway... there are GUIs out there.

For Windows:
Please go to http://www.gpg4win.org/ and download the software.
Here's a step-by-step guide on how to verify a signed file:
1. You need to import the author’s public key.
– Start GPA.
– If prompted to generate a key pair, it is up to you when you want to do it, or whether you want to do it at all.

Default Startup Scene.

Now click Server -> Retrieve Key:

Next, key in the key ID.

Then it will tell you that it got the key. (It requires Internet access to fetch the key.)

Just to ensure nobody meddled with the key, verify the fingerprint against one you obtained through a separate channel (the author's web page, for instance); a key server will happily serve anyone's key under any name, so the key ID alone proves nothing:

Ok, now we are done with importing the keys.

2. Verifying the file.
– Go to the directory where the file is.
– Right click -> GPGee -> Verify/Decrypt File

– Then it will tell you whether the signature and the file are valid or not.

– OK, now you are done!

For more information on my public key, visit the About page.
Feel free to tell me if any of you created any key pairs, so I can add them in also.

There is also plenty of information on cryptography software like GPG out there. Google it!

====================================================================

Just some side news here:
– GMS GG rev 1000; MzBot survived it.
– Debian GNU/Linux 4.0 (codename `Etch`) released! Finally! I have been waiting for it for 5 months, and beta testing it for 3 months! (and met no bugs... LoL!)
– Gonna help in the K Desktop Environment Project, possible areas:
+ Kig, part of the KDE Edu package. If possible, I will persuade the school to drop GSP.
+ Plasma, the shell. I got some idea for Application Launching methods….
+ Chinese i18n
But before that, I gotta brush up my Qt skills... The last time I did Qt C++ programming was... I can hardly remember when...

That was in my PSLE year... before I started fiddling with this 10-year-old online game called MapleStory, before I started writing mail spammers/flooders...


MzBot 2.0 Beta 2

March 26, 2007

I was very busy over the past few weeks, so I didn't really do any MzBot development.

Today I freed up 2 hours, and added 2 extra commands and 1 IPC.

Sorry, some rants here: the file system is the WORST IPC I have ever tried!

Ok, let me introduce the new features:
– ss command: this command lets you send a keyboard scan code. E.g.
ss 29
presses the Ctrl key once (scan code 29 is Left Ctrl), which is the attack key.
– mc command: this command lets you simulate a left mouse click. E.g.
mc
performs one left click.
– File system IPC. Now your program can send commands to MzBot! With this feature, you can write a GUI for MzBot by sending MzBot commands (vs) to it.
You can also write your own bot by sending the ss and mc commands to MzBot!
How you do this is:
– Try to access C:\toBzM.comm.instr
– If the file is empty or not found, MzBot is probably ready.
– Write whatever command you want MzBot to execute into the file.
– Close the file.
– When the file is empty or not found again, MzBot has executed the command.

By the way, starting from this version, all MzBot releases from me will be signed, meaning that you can check the integrity of the files.

Note: if your program uses MzBot for botting functionality, please do add "Botting component powered by MzBot".

Download points:
http://filexoom.com/files/2006/12/20/49476/MzBot_Lite-2.0.0-Beta2.zip
http://filexoom.com/files/2006/12/20/49476/MzBot_Lite-2.0.0-Beta2.rar


A warning about the future

March 18, 2007

Please do read through this blog entry. This is very important! It is not only about game hacking; it is also about the freedom to use your computer!

Current situation
If no Terms of Service were in place, it would actually be fully legal for anyone to modify the memory of any online game to achieve the so-called effect of hacking.

Also, as nProtect GameGuard doesn't come with an End-User License Agreement, we are free to do anything to it. It is perfectly legal.

Also, our playing field against the anti-hacking software is almost level. In ring 0 and in ring 3, all they have got is 1 extra undocumented API, which doesn't really matter much.

Furthermore, we are able to cheat in game because they put data that isn't supposed to be on our computer onto our computer, just to save computational resources on their side.

All because it is on our computer, and we own our computer.

What happens after Windows Vista is introduced
Perspective from a game cheater ( or hacker ):
There are various new technologies introduced that may be disadvantageous to us.

– PatchGuard
All our kernel hooking techniques become impossible on 64-bit Vista (PatchGuard ships only in the 64-bit editions), as they will immediately trigger a bug check, or in slang, the Blue Screen of Death.

Even MzBot will cease to work, since it alters kernel structures that PatchGuard checks, and you will be offered a reboot immediately if they are found altered.

Dual's SaruenGang, which makes use of a clever MSR hook, will cease to work too, since PatchGuard checks almost all CPU registers and structures, including the LDT, the GDT (now you cannot make 0x00400000 a ring-0 segment), CRx (all control registers) and the IDT (Interrupt Descriptor Table).
Please do take note that it is not the programme that is blocked.

It is the method that is blocked.

You may think that you can bypass PatchGuard, but all public methods are patched almost immediately.
Finding your own method is very hard, and is probably beyond almost all of us noobs.
Leeching a method is probably also very difficult.

Also to note, the Windows Vista End User License Agreement states that you are not supposed to work around any technical restriction. That means you are not supposed to bypass PatchGuard. By bypassing PatchGuard, you invalidate your Windows Vista license, and you may be charged and thrown in jail for unauthorized use of software. (Unlike cheating in an online game, where you only get banned.)

– Address Space Layout Randomization
This may change the address of every hack on every reboot, meaning that each time you restart your computer, the addresses of "hacks" like godmode and vac change.

– What’s gonna come in Vista Service Pack 1
There are some APIs designed for anti-virus companies in Vista Service Pack 1. Some of them mark an application as "invulnerable" to memory editing, meaning that the operating system (Windows Vista) will disallow any program from editing MapleStory's memory.

Details about this API are still unclear; maybe they will disable all DLL injection into that process, or just add another internal kernel structure that NtProtectVirtualMemory checks to prevent other processes from making that process' pages writable... etc. There are too many possibilities. However, most probably it will be very, very hard to bypass, and PatchGuard will probably be involved in the process too.

– TC ( Trusted Computing )
This is the most lethal and fatal to all game cheaters. However, this won't get implemented so soon. And yes, this is the technology (Palladium) that Microsoft claimed would stop all viruses, malware and spyware... (but the fact is: it doesn't stop any virus/malware/spyware...)

You can read more about TC here (I recommend you read it all; although it is quite long, you can do it later, some people just aren't patient with important stuff...):
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Also to note, the above is written by a Professor of Security Engineering at the Computer Laboratory of the University of Cambridge.

Maybe you will wonder: so what if TC allows music publishers to delete pirated MP3s on my computer without my consent, or what if Trusted Computing allows Microsoft to format my computer if they think my Windows is pirated? (Very often, Microsoft mistakes a fully licensed Windows for a pirated one.)

We should pay attention to a technology in TC called memory curtaining: the CPU disallows anyone from reading a piece of memory, not to mention writing to it. This is implemented at the hardware level, and is very easy to bypass: (try it at your own risk)
– Shut down your computer.
– Yank the CPU off the mainboard, get a hammer and smash it to pieces.
– Yank the TPM (Trusted Platform Module) off the mainboard.
And you are done, but your computer won't start anyway...
The memory-curtaining feature is impossible to bypass unless you follow the steps above (destroy the hardware), or a miracle happens.

You might think: Ha! Luckily, they haven't implemented it in the hardware yet. When they start selling hardware with these terrible features, I can just refuse to buy it!

Then too bad, you are wrong. Many PCs sold in 2006, and some sold in 2005, already come with the TC hardware (a TPM). It is just that the software (Windows) didn't activate/use it, so you can still do all the vac and godmode in game.

– Regarding Cheat Engine for Windows Vista
Many just think that we should wait for a Cheat Engine for Windows Vista to come out. However, this thought is too naive.

However, yes, a Cheat Engine for 64-bit Windows Vista will come. Cheat Engine itself does a lot of direct kernel object manipulation and modifies CPU registers. This is not possible on 64-bit Windows Vista, so it would take a lot of time to make CE run there. Or perhaps Dark Byte just doesn't want to port Cheat Engine to such a limited platform.

Various efforts by ordinary users on the Cheat Engine forum or other forums to create an undetected Cheat Engine will probably lead to nothing in the end, since there is too much to be done, and very possibly beyond them. (Making CE run on Vista is not a simple find-and-replace...)

Even if such a Cheat Engine is made, it will probably be very limited, and easily defeated by nProtect GameGuard, as iNCA can afford to pay Microsoft. And this time, we cannot bypass it by replacing "detected strings".

Further adding to this, a future Cheat Engine that runs on Windows Vista won't be able to help you get rid of the various Windows Vista "technical restrictions".

Therefore, we can conclude that Windows Vista is a very hostile environment for Cheat Engine.

From a normal user's view:
– TC
As we mentioned earlier, TC will stop piracy, and even stop legitimate users from using their computers.

– Forced to upgrade to Windows Vista by incompatibility
When a user starts to use Windows Vista, it will force all users around him/her to upgrade to Vista, which costs a lot.
Microsoft will also stop support for Windows XP and stop providing updates, so people are forced to upgrade to Vista.
By hook or by crook, they will make you upgrade to Vista.

– Forced to upgrade your hardware.
Vista has very high hardware requirements, and on "XP" hardware Windows Vista lags, which encourages you to buy new hardware.
Many are upgrading their hardware just because of Windows Vista.
(For Singaporeans: an example would be the IT Show from 8th March to 11th March 2007.)

All in all
With the introduction of these new technologies, like Windows Vista and TC, our computers are no longer ours. Cheating in online games thanks to game authors abusing our CPUs (that data should be processed on their computer, the server) will be history. They will be free to abuse our CPUs any way they like.

What can we do?
We can do nothing. Microsoft and the other companies are just rich; they have got their market monopoly, and we can do nothing but let them control our computers, and let them control how we use the computer as well...

Or maybe not: we can voice our opinion to the companies. We have to show them: We want our freedom back! We want our computer to obey us, not them!

But how?
– We can refuse to downgrade to Windows Vista, so the game companies will not drop support for Windows XP. ( On Windows XP, we have partial control over our computer, that’s why nProtect GameGuard can still stand. On an operating system that we truly have control over, nProtect would be dead… )

– Send Microsoft complaint letters on PatchGuard, TC, and the various technologies that take away our freedom. ( Erm… don’t get emotional and use vulgarities? )

– Reject any service that uses TC, so TC will not become widespread. ( We cannot reject computers that support TC, since they quietly put it in our computers… That chance is over. )

– Inform others about the danger of Windows Vista. ( Recommended for everyone. )

– Use free operating systems, for those who are courageous enough to do it. But mind you, you might not like it, since most games only run on Windows. You know it is hard to break out of a software monopoly.

– Join free software development. ( For the leets only. ) Just for your information, Cheat Engine is a piece of Free Software; it is released under the APL, which is considered an open-source license.
Helping open source software development is a good learning opportunity for those who really want to learn computing/computer science.
There are many other open source projects besides Cheat Engine, go look around and see which you can join. E.g.:
– The K Desktop Environment project.
– The ReactOS project. ( This is a clone of Windows; for those who want more knowledge on rootkitting and Windows internals, go for this one. )
– The Linux Kernel. ( Probably for anyone at Dark Byte’s level. )
and there are more, just google around.

( Note to those who are attracted to Windows Vista’s theme: Go for a Mac instead, Vista’s theme is just a rip-off of Mac OS X. )


My WS’ alive again!

March 16, 2007

Maybe it was just too much dust accumulated in the DIMM slot, so that the mobo failed to recognise the DDR…
Anyway, after “washing up” the main board, my WS is up and running again.

To those who replied to my previous post:
You only pull out the HD to rescue data when you have confirmed that the comp is beyond repair.
MzBot source code ain’t that important that I would have to immediately pull out the HD and “rescue” the data. I can do it later when I really confirm that the box is really beyond any repair. ( happens rarely, you don’t find your CPU+Mobo+RAM+Graphic card all dead at the same time… )
Even if I do rescue the data, I won’t be able to work on it anyway, since both the router and my laptop are Linux boxes.
Note that you don’t really have to put it as slave when you have 2 IDE channels, it all depends on the situation….
The bad thing is that all 4 IDE slots are occupied in my other comps ( router + my dad’s workstation. ), there are 4 HDs and 1 CD-ROM. So if I really want to back up, I have to unplug something…


Oops! My WS’s dead!

March 15, 2007

There’s bad news for me: my workstation for hacking work is dead. ( MzBot source is in it, by the way. )
Almost all UCEs, cheats and bots by me were written on it.
Except MzBot version 1, since it was done in Taiwan.

Spec:
– Intel Pentium 4 2.0GHz
It is a Willamette core, no wonder my dad complained about the electricity bill… Also, it is without Virtualization extensions. ( IVT wasn’t even available in Northwood.. LoLx. )
– DDR 512MB
Originally, I had 768MB of it, but the 256MB stick burnt out… So I am left with 512MB.
– nVidia GeForce 4 MX440
This is the third card that I have used on this comp. The first one was an nVidia GeForce 2 MX400 ( Inno3D ), the second one was an nVidia GeForce 6800LE ( Asus ), but it burnt out somehow, so I sent it for repair; that’s why I am using a backup GeForce4 MX440.

This morning, when I tried to start it, the screen remained signal-less and the box gave no beep…

3 possibilities to rule out: Mainboard, RAM and Video Card. ( Erm… isn’t that almost everything? )
It seemed to me that the possibility of the Mainboard being dead is the lowest…
Perhaps it is just time for this box to stop functioning. It has been tortured 14 hours a day since 2004. ( Or earlier )

Anyway, the development of MzBot might be halted until this box is back up and working again.
( I am on my laptop now… )