Even though pk-zip 2.0 will be out soon and all the methods in
this article will be obsolete, I decided to write about them anyway. I
am sure you are familiar with the old program called makeav, which
attempted to brute force hack pkzip registration serial numbers. Sure,
it worked, but it was quite slow. Then, Hal released the program
findav, which did the same task several thousand times faster. Dark
Angel took apart the program findav in order to make a few
modifications. Naturally, Hal included several routines in his code in
order to make it very difficult to take apart. Dark Angel captured a
memory image of findav after it loaded into memory, wrote it back to
disk as a com file, and then changed all of the offsets so that all
references to the data segment were changed to their address in the code
segment. Dark Angel made several modifications, the most important of
which was so that findav would not quit out after finding a serial
number. The new version finds every serial number, and logs them to
disk.
-=-=-=-=-=-=-
An Experiment in Distributed Processing
-=-=-=-=-=-=-
The next day, Garbageheap and I took the modified findav down to
the nearest university. We started it running on twenty 80386 systems
on their network, each working on a different segment of the 4 billion
possible serial numbers. The goal was to find every serial number that
worked for McAfee Associates, so that we could then determine which one
was the one he uses. When an authenticity verified pkzip file is
extracted, pkunzip generates a 3 letter, 3 number validation string that
is dependent on the serial number used to validate it. A single
registration name has millions of valid serial numbers, but each of
these serial numbers has one unique validation string.
For example:
PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
Searching ZIP: EARLOBE.ZIP
Exploding: NUL -AV
Authentic files Verified! # ATU314 Zip Source: McAFEE ASSOCIATES
^^^^^^
PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
Searching ZIP: EARLOBE.ZIP
Exploding: NUL -AV
Authentic files Verified! # SXQ414 Zip Source: McAFEE ASSOCIATES
^^^^^^
Therefore, the task was to find which of the serial numbers we had
found for McAfee produces the validation string "NWN405". To do this,
we ran every serial number through a program called checkav which Dark
Angel wrote to determine what validation number corresponds to which
serial number. Of course, a task like this would be nearly impossible
on your machine at home, but thanks to my local university, we were able
to use twenty machines at once.
-=-=-=-=-=-=-
Yet Another Way To Eat PUTAV
-=-=-=-=-=-=-
Because there is never only one way to do something, I decided to
put in another way to get whatever validation string you want out of
pkzip. All you need to do is include some ^H characters in your
registration name to backspace over the validation string and create a
new one. Naturally, you cannot enter ^H characters when you run
putav, so you enter the correct number of some other character, go
into memory with td, and change them to 08h, the ^H (backspace) character. That
way, when pkunzip runs and gives you a validation string, it will
backspace over it and show your own. For example:
>>>>> PUTAV.EXE
PUTAV - Put Authenticity Verification in PKZIP.EXE
Copyright 1990 PKWARE, Inc. All rights reserved.
Enter company name exactly as it appears on the PKWARE documentation.
Company Name : ^A^A^A^A^A^A^A^A^A^A^A# BOB666 Earlobe industries
Enter serial number exactly as it appears on the PKWARE documentation.
Serial Number: 23453244
>>>>>
After typing earlobe industries and hitting return, break into
turbo debug and change the ^A's (01) to ^H's (08). Remember to put in
11 backspaces. You can use the same method to find the serial number for
your string with findav.
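The backspace trick works only because the verifier writes the registration name to the terminal as raw bytes, so the terminal executes the 08h characters instead of showing them. The following check, added here as an illustration and not part of the original article or of any PKWARE code, models that display failure and the fix a verifier should apply: flag control bytes in a field that should be printable text and render them in caret notation so the genuine validation string stays visible. The function names and the constructed sample name are assumptions for the example.

```python
import re

# Bytes a terminal treats as cursor or line control rather than printable text.
CONTROL_BYTES = re.compile(rb"[\x00-\x1f\x7f]")


def contains_control_chars(field: bytes) -> bool:
    """True if a field that should be printable text carries control bytes."""
    return CONTROL_BYTES.search(field) is not None


def escape_control_chars(field: bytes) -> str:
    """Render control bytes in caret notation (0x08 -> '^H', 0x7F -> '^?')
    so they are displayed as text instead of being executed by the terminal."""
    out = []
    for b in field:
        if b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append(chr(b))
    return "".join(out)


def naive_terminal_view(line: str) -> str:
    """Model what a terminal shows when a raw line is written to it: each
    backspace moves the cursor one cell left and later text overwrites."""
    cells, cursor = [], 0
    for ch in line:
        if ch == "\x08":
            cursor = max(cursor - 1, 0)
            continue
        if cursor < len(cells):
            cells[cursor] = ch
        else:
            cells.append(ch)
        cursor += 1
    return "".join(cells)


def raw_av_line(validation: str, company: bytes) -> str:
    """The unsafe rendering: company bytes pass straight to the terminal."""
    return f"Authentic files Verified! # {validation} Zip Source: {company.decode('latin-1')}"


def render_av_line(validation: str, company: bytes) -> str:
    """The hardened rendering: control bytes in the company field are neutralised."""
    return f"Authentic files Verified! # {validation} Zip Source: {escape_control_chars(company)}"


# Constructed sample (hypothetical): a registration name padded with eleven
# backspaces, mirroring the PUTAV session above.
FORGED_NAME = b"\x08" * 11 + b"# BOB666 Earlobe industries"
```

A verifier that refuses or escapes such a name keeps the string it computed on screen; the naive view is what a terminal would have shown for the raw line.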
The only useful application of all this is to duplicate an existing
pkzip registration. You could do that before, but now you can do it
better. Changing the validation string only really makes a difference
if you are trying to duplicate an archive that is known to have a certain
one, like McAfee's.
40Hex Number 8 Volume 2 Issue 4 File 003
-=PHALCON/SKISM=- Presents FindAv P/S Style!
PD War Collection Program 2
By Hal of Phoenix
Modified by: Dark Angel of PHALCON/SKISM
FindAV version 1.5
Released 27 Jul 92
By Dark Angel of PHALCON/SKISM
In the beginning, there was MakeAV and all its counterparts. These programs
used a brute-force approach to find PKZIP serial numbers. They ran PUTAV,
PKZIP, and PKUNZIP repeatedly until a legitimate serial number was found.
Although they worked, these programs required hours, often days of running, as
well as much wear and tear on the hard drive head. Then FindAV was released
by HAL of PHOENIX.
FindAV was many, many times faster than MakeAV. Instead of running the PKWare
files over and over again, FindAV used an algorithmic approach similar to the
one used by PKWare when calculating serial numbers for registered clients. It
was a marvelous program, but it, too, had its limitations. The continual
display of numbers was aesthetically pleasing, but it took much valuable
processor time, slowing down the search for the holy serial number. E-FindAV
was released, once again speeding the search time by a large factor. E-FindAV
monitored the running of FindAV, turning off the display until the serial
number was found. This was a tremendous improvement. However, the user had
to sit through a tedious, lengthy, entirely unnecessary introduction screen
before E-FindAV would execute FindAV. This was unacceptable. Additionally,
E-FindAV failed to fix some fundamental problems with FindAV.
For one, FindAV stopped after finding the first serial number. While this is
fine for most people, it is not desirable when finding existing serial
number/validation string combinations. Second, FindAV had a few bugs. The
first bug occurred only in 386 mode. FindAV would "miss" some legitimate
serial numbers which it would catch in 8086 mode. This was, once again,
undesirable when looking for existing serial number/validation string
combinations. FindAV would also run into an infinite loop in certain
instances in 8086 mode. This, too, was unacceptable. Third, FindAV would not
log the serial numbers found in a file. Thus, the user had to manually copy
the number onto a sheet of paper and transfer it to a file for later
reference. Fourth, FindAV would not let the user start searching for a serial
number from any number except 1000. If the user wished to find starting from,
say, 2 billion, he or she would be forced to create a MAKEAV.DAT file and
hex-edit the appropriate values. Last, both FindAV and E-FindAV used
rudimentary disassembly-proof code which precluded users from adding features
to the program.
FindAV version 1.5 fixes these problems. It is essentially the same program
as the originally released version by HAL of PHOENIX, but with all the fixes
and enhancements mentioned above.
Command line options:
/B - begin at number
You can now start the search from any number, be it 0, 4,294,967,295 or
anything in between. This serves several purposes. Should the data file be
corrupted, it is not necessary to hexedit the data file to restart from the
last position. This option also facilitates the coordinated running of FindAV
on multiple machines. In this manner, each machine can start the search at a
different point. The value following the /B overrides the value in the
FindAV.DAT data file.
Syntax:
FindAV /B ###
Example:
FindAV /B 478293
/S - suppress output
Searches may be expedited somewhat with this suppress output option. This
eliminates the unnecessary on-screen reporting of a successful finding. Logging
via the AVS.DAT file is preserved. The 'D'isplay command continues to function
under this mode.
Syntax:
FindAV /S
Valid keystrokes in FindAV:
ESC - Terminate calculation
Pressing the ESC key causes FindAV to terminate after saving the status of the
run in FindAV.DAT.
'D' - Display
Pressing the 'D' key causes FindAV to display the current search number on the
screen. This function was originally part of the main loop. However, it
consumed countless clock cycles, so it was eliminated to save precious time.
Files created by FindAV 1.5:
AVS.DAT - log file
The AVS.DAT file is created by FindAV. FindAV uses this file to record all
successful serial number finds. It consists of the company name followed by
multiple lines of serial numbers. If FindAV detects the file in the directory,
it will append serial numbers to the end.
FINDAV.DAT - save file
The FindAV.DAT file is created by FindAV when the user terminates calculation.
It contains the company name as well as the current search number. It is useful
when the user does not wish to search an entire range in one running. FindAV
will automatically resume operation if it detects FindAV.DAT in the current
directory.
FindAV 1.5 has data file compatibility with version 1.0.