������� ������� �� �� ������� ������� �� ��� ������� ������� Rel 2�5

�� �� ������� ������� ������� �� ������ ������ �� ��

������ ������� ������� ������� �� ������ ������ ������
�� ��� �� �� �� �� �� �� ������� �� ��� ������� �� ���

Code and Idea by Saruman / DFR Engineering

P U B L I C B E T A R E L E A S E ( aka BETA-5 )

Contents

The WHAT? WHY? and HOWs?

Silly Documentation

Hardcore "Auto"[2] Hacking

Advanced Usage

THIS CRAPPY PIECE OF SHIT ISN'T WORKING!

Contact Me

Credits

History

The Concept of Freeware / Copyright Notice

Footnotes

(=[ The WHAT?, WHY? and HOWs? ]============================================)

WHAT? ... RAHacker[1] is a program to attack CRC32 codes. CRC32 is a

Cyclic Redundancy Code, once calculated it's IRREVERSIBLE! CRC32
is usually used by communication protocols and archivers to detect
errors in a bit stream, but it's also used by varius software as a
method of storing passwords.

WHY? .... RAHacker can be looked upon as a tool to play with and as a
laboratory to learn about CRCs. You can use it to test your own
passwords, are thay safe from lexicon hacking? For how long can they
withstand a brute-force attack? You will see that a badly choosen
password can be breached in seconds, while a good password may survive
 even the most intent hacker[1]. I said 'may', because a password stored
as a CRC32 checksum is reduced from any length down to just four bytes
(characters), and as you may gather from that: - many passwords
have the same CRC! - this is important, because if you choose a password
of 20 characters, it may have an equalient in just five characters, and
thus can be easily cracked.

HOW? ..... RAHacker is stupid! I cannot describe the program in any

other way. As there is no way to 'reverse engineer' a password since
it has been encoded you must go the other way around. We call it
Brute Force - cause that's exactly what it's all about. With enough
computing power and patience ANY CRC32 encoded password WILL fall,
and in your hands you have [to my knowledge] the best tool on the
market to do it. Okey, so I'm not NSA, I'm not even a very good
coder, but this program was fun to make and I hope you have some
fun using it.

(=[ Silly Documentation ]==================================================)

When RAH starts it will look for a file called RAHACK20.INI - its
configuration file.

-- 8< ------ 8< --- example RAHACK20.INI --8<---

[RAHACKER]
Sound = YES
AutoSave = NO
UpperPassword = YES

BadPassFile =
ReportFile = RAHACK20.RPT
Lexicon = WORDLIST.TXT
UserFile = USERS.BBS

BarColor = 46
AsciiSet = ABCDEFGHIJKLMNOPQRSTUVWXYZ
PassSeparator = ""
-- 8< ------ 8< --- snipp --- 8< -----

Explanation.

SOUND YES/NO
Beep when passwords found?

AUTOSAVE YES/NO
Save snapshot when password found?

UPPERPASSWORD YES/NO
Should be set to YES if you are hacking RA Passwords. Only change this
if you _REALLY_ know what you are doing!

BADPASSFILE <filename>
All found passwords will be saved in this file. Make sure you do not use
this file as input at the same time. This function may be very bugged,
use with care.

REPORTFILE <filename>
Standard filename for reports
LEXICON <filename>
Path and filename of your lexicon

USERFILE <filename>
Path and filename of the default userfile.

BARCOLOR 0-255
Color of the selector bar. (Bra Att Ha(TM) Funktion ;-=)

ASCIISET Characterset
Default valid characters for bruteforce attack.

PASSSEPARATOR Character
Character to insert between words in CombiLexicon attack,
usually set to " " or "". Notice that is _does_ say
passseparator with THREE 's':es .. sigh...

RAHacker should work fine even without a configuration file.

(Yeah sure; and the world is flat, Windows'95 is great and buts may fly!)

RAH will look for a file called RAHACK20.DAT, which is a file

containing a snapshot of your previous visit. This file is not crucial
and it will not exist until you use SAVE or a password is found and
AUTOSAVE is on, if it was found though, you will be asked if you
want to resume the last session.

If there is no RAHACK20.DAT, this is probably your first visit in the

realm of RAHACKER and thus he will look for a file called USERS.BBS,
which is the file in which RA stores all user information. If this
file is not found you will face a requester asking for its complete
path and filename. There should be an example file in the distribution
archive, try 'FAMOUS.BBS' and see if that kicks...

When the userfile has been loaded you will be faced with a list of
all users, it looks something like this:

�=�[ RA-Hacker v2.00� - Saruman / DFR Engineering ]�=�������������������������Ŀ

� �
� ��=�[ Users ]�=�����������������������������������������������������������Ŀ �
� � 65535 Eddy Jansson Saruman � �
� � 6000 Kristoffer Andergrim Neuromancer � �
� � 6000 Gunnar Rettne Echo � �
� � 6000 Fredrik Nikala Pajala � �
� � 1000 Peter Fors Hostile � �
� � 5000 Robert Risberg Dogge � �
� � 100 Magnus Stenman Benefactor � �
� � 100 LarS eRlAndSsoN dARK RIdER � �
� � 100 Patrick Andersson Infophreak � �
� � 1000 Christian Sierau Mad Max � �
� � 1000 Jonas Nilsson Bacardi � �
� � 100 Andreas Westling The Firepanter � �
� � 100 Roger Vuolle Roger Vuolle � �
� � 1000 Thomas Tydal Tydal � �
� � 100 Klas Niva Android � �
� � 100 Andreas Karlsson Hermes � �
� � 5000 Emil Lantz Emil Lantz � �
� � 100 Mats Mattila Mr Motorola � �
� � 100 Anders Bergsten Spit � �
� ���������������������������������������������������������������������������� �
��������������������������������������������������������������������������������
1Help 2Report 3Tag 4Load 5Save 6 7Search 8Hack! 9 10Quit

You should see a selector bar positioned on the first user. This is the
"main" command-center, here you inspect users, choose which should be
attacked etc... You can 'tag' (aka mark or flag) a user by pressing
'INSERT', you will notice a little 'flag' appearing on the left when
you do so. Okay, try tagging a couple of users and press 'ENTER'.

You will be presented to a window that looks like this:

�=�[ RA-Hacker v2.00� - Saruman / DFR Engineering ]�=�������������������������Ŀ

� �
� ��=�[ Users ]�=�����������������������������������������������������������Ŀ �
� ��65535 Eddy Jansson Saruman � �
� �� 6000 Kristoffer Andergrim Neuromancer � �
� �� 6000 Gunnar Rettne Echo � �
� � 6000 Fredrik Nikala Pajala � �
� � 1000 P��=�[ Hack 3 Users by Hand ]�=��������������������������Ŀ � �
� � 5000 R� � � �
� � 100 M� Password to try: love ۰����������������������������� � � �
� � 100 L� � � �
� � 100 P�������������������������������������������������������Ŀ� � �
� � 1000 C�� Sorry, "SNOPP" gave nothing. �� � �
� � 1000 J��������������������������������������������������������‫ٳ‬ � �
� � 100 A���������������������������������������������������������� � �
� � 100 Roger Vuolle Roger Vuolle � �

I have choosen three users to hack, myself amongst them :), anyway. you
just enter a password and it will be encrypted and tested on every
tagged user when you press enter, if you guessed correctly .. Blaammm!
You got him! :-)

"Does this not impress you?" as David Copperfield would have said, well
I thought not. Although quite fun, hacking by hand is not very efficient,
but more on that later.

In most of my dialogboxes you must press 'ESC' to escape back one level,
("I will say this only once, so listen carefully" ;)

On the bottom of the screen there's a little line of mysterious text.

Now what could that mean...'1Help', '2Report' etc?.. Well, thats some
functionkeys you could try, F1 for a little help scroller, F2 to
save/print a report etc.. I'll go through them now:

F2 Report

Used to write a report file which basically is just a textfile

with all users you have hacked and their respective password.
Press ALT+F2 for a Sort meny, not very useful, just a fun
thing to have.

F3 Tag

Now this is a handy little gadget. F3 is used to select a range

 of users to tag. Enter '1000' and press enter to tag all users
with accesslevel onethousand, enter '>0' to tag all users, or
you could try '<65535' which usually tags all users except the
sysop. Press ALT+F3 to de-select users.

F4 Load

You will be asked for a USERS.BBS compatible file to load, all

previus users will be discarded. Press ALT+F4 to append users
instead.

|F5 Save
|
| Create a snapshot of your current progress (tagged users, passwords
| hacked etc...) Once a USERS.BBS file has been snapshot:ed you don't
| really need it any more, not for hacking it anyway. New in Beta-5
| is the ability to save under a different name (ALT+F5), this can be
| used in case of an emergency when you don't want to overwrite the old
| snapshot. Remember, RAH will still only look for and load RAHACK20.DAT
| you've got to rename any other snapshot file if you want to load it..

F7 Search

Enter a searchstring, RAH will scan the userlist for a match, both
on name, handle and password. Press ALT+F7 to countinue a search.

F8 Hack!

See below, this is where the fun starts.

ALT+F8/F9 Export/Import

You can export the userbase to a plain ascii file. I've implemented
the Export function to aid 3:d party developers and persons developing
tools in the same category as this program. Import can be used to
read other userlists than RA, this means that this program can be
used to attack _ALL_ sorts of CRC32 codes. All you have to do is
write a converter from the 'original file format' to this simple
format that RA-HACKER can import.

The format is as follows (plain ascii file):

Line one must read "RAHACKER EXPORTED FILE VERSION 1"

Now comes the following data for each user.

Access Level (in hex if first character is a dollar sign)

Users full Name
Users Handle
Users Password CRC (in hex if first character is a dollar sign)
Users Password (blank if not known)

repeated until end of file and no more users.

F10 Quit

Guess what? RAHacker will close down. Note: You will be asked if you
are sure you want to exist, make sure you have saved you progress or
 you may loose many hours of work.

|ALT+F10 Shell
|
| Shell to DOS with a minimum of memory available (no swapping)
| Might come in handy ... or something.. I don't know!

There are more keys you could try, for instance you can see some
debug-information if yuu press TAB, and you can change the password
of a user by pressing CTRL+ENTER. There are also two undocumented
functions which are undocumented just because they are extremely
"beta:ish" and you really don't need them anyway, trust me on that.

(=[ Hardcore "Auto"[2] Hacking ]==============================================)

Press F8 and you will face this menu:

� �� 6000 Kristoffer��������������������������������������Ŀ � �
� �� 6000 Gunnar Ret� � � �
� �� 6000 Fredrik Ni� Start Lexicon Attack � � �
� � 1000 Peter Fors� � � �
� � 5000 Robert Ris� Start Num-Counter Attack � � �
� � 100 Magnus Ste� � � �
� � 100 LarS eRlAn� Start Alpha-Counter Attack � � �
� � 100 Patrick An� � � �
� � 1000 Christian � Start User/Handle Attack � � �
� � 1000 Jonas Nils� � � �
� � 100 Andreas We� Start Random String Attack � � �
� � 100 Roger Vuol� � � �
� � 1000 Thomas Tyd���������������������������������������� � �

I'll go through the choices in turn...

LEXICON ATTACK

This is _exactly_ what it sounds like, you will be prompted for a

vanilla textfile, one word per line. RAH will read each word in turn
and test it upon all tagged users passwords. This is a very simple
attack but in my honest oppinion it's also the best, atleast if you
take in account the 'hits per time' ratio. When all words have been
tested once the attack will start over, but this time RAH will take
one word and combine with EACH AND EVERY OTHER and test that new
COMBINATION as a password. This is a _very_ tedious attack, and you'd
usually want to interrupt it. if it took one minute to do the 'straight'
lexicon attack, it will take one minute^(words in the wordlist) to
do this combi-attack... (Or something like that, I'm no math genious,
but the point is that .. IT TAKES AGES! )

NUMERIC COUNTER ATTACK

This one is silly^H^H^Hmple, you define a range and a counter attack

from <start> to <end> will be initiated, this is effiecient to break
passwords made up of simple things like a persons phonenumber, social
security number or maybe really stupid passwords like '1234' and such.

ALPHA COUNTER ATTACK

This is the most "complex" of the attack methods available in RAH.

 It's your typical 'state-of-the-art' brute force alphanumberic counter
attack =)

� � 6000 Fredrik Ni� Start Lexicon Attack � � �

� � 1000��=�[ Configure Brute Force Attack ]�=��������������������Ŀ � �
� � 5000� � � �
� � 100� Starting Password: UW0 � � �
� � 100� Ending Password: ZZZZZZZZZZZZZZZZZZZZ � � �
� � 100� � � �
� � 1000� Define Valid Characters � � �
� � 1000� � � �
� � 100� Start Bruteforce Attack � � �
� � 100� � � �
� � 1000������������������������������������������������������������ � �

Starting password is just that, make sure that only characters defined
as valid (see below) are used. NOTE: There are always one 'invisible'
character last on this string, thus if you enter 'A' the first string
to be tested will be 'AA', this is a speedoptimization, the last character
will never be saved as it is used in a tight loop that always goes
all the way through the set. Okey, so its a little technical humbo-jumbo,
just keep in mind that you usually would NOT want to change the starting
password, but if you do you must be aware of this.

Ending Password should usually not be tampered with, I didn't even feel
like implementing it, but I did. You can guess what it's used for.

Define Valid Characters will pop-up this little requester:

� ��=�[ Users��=�[ Define Valid Characters ]�=���������������Ŀ�������������Ŀ �

� ��65535 Edd� # # # # # # # # # #
 # # � � �
� �� 6000 Kri� # # # # # # # # # # # # # # # � � �
� � 6000 Gun� � ! " # $ % & ' ( ) * + , - . / � � �
� � 6000 Fre� 0 1 2 3 4 5 6 7 8 9 : ; < = > ? � � �
� � 1000��=� @ A B C D E F G H I J K L M N O �����Ŀ � �
� � 5000� � P Q R S T U V W X Y Z [ \ ] ^ _ � � � �
� � 100� St� ` a b c d e f g h i j k l m n o � � � �
� � 100� � p q r s t u v w x y z { | } ~ � � � �
� � 100� � � � � � � � � � � � � � � � � � � � � �
� � 1000� � � � � � � � � � � � � � � � � � � � � �
� � 1000� � � � � � � � � � � � � � � � � � � � � �
� � 100� � � � � � � � � � � � � � � � � � � � � �
� � 100� � � � � � � � � � � � � � � � � � � � � �
� � 1000���ij � � � � � � � � � � � � � � � � ������� � �
� � 100 Kla� � � � � � � � � � � � � � � � � � � �
� � 100 And� � � � � � � � � � � � � � � � � � � �
� � 5000 Emi�������������������������������������������������� � �

Move around with the arrowkeys, press ENTER to toggle a character.

Note how the SPACE character has been replaced with a '�' so that you
can see if it's flagged or not. ** NOTE: You should NOT flag
lowercase characters! If you flag both upper and lowercase character
you will slow down the hacking process 50% - atleast!

Press ESC when you are done, you will probably be faced with this dialog:

� � 100� ��=�[ Are you sure you want to do this? ]�=�Ŀ � � �

� � 1000� � � � � �
� � 1000� � Yepp! No! � � � �
� � 100� � � � � �
� � 100� ���������������������������������������������� � � �
� � 1000������������������������������������������������������������ � �

This needs a little explanation. RAH will keep track of the 'highest'
ascii string tested as a password on each user. This is done so that you
will not have to do redundant hacking. Well, this is not exactly
fool-proof. If you for example remove some characters from the valid
characters definition you will 'distrub' these high-marks. I have
choosen to solve this in a quite drastic manner; I simply zero all
highmark pointers if you redefine the valid characters. This _may_
change in future versions, but that's not very likely.

Okey... when you are done with your settings you can choose 'Start
BruteForce attack' ... this will pop-up

� � 6000 Fredrik Ni� Start Lexicon Attack � � �

� � 1000��=�[ Brute Attack on 30 Users ]�=������������������������Ŀ � �
� � 5000� � � �
� � 100� Passwords Found: 0 � � �
� � 100� Current String: VRZZ � � �
� � 100� Total Combos: 41,472 � � �
� � 1000� Time Elapsed: 00:00:02 � � �
� � 1000� Combos/s: 622,080 � � �
� � 100� � � �
� � 100���������������������������������������������������������Ŀ� � �
� � 1000�� �� � �
� � 100����������������������������������������������������������‫ٳ‬ � �
� � 100������������������������������������������������������������ � �
� � 5000 Emil Lantz Emil Lantz 1512 � �

RAHacker will start the bruteforce attack. The progress information can
be updated by pressing 'SPACE'. You will be notified when a password
is found. If sound isn't set to 'OFF' in the inifile you will also
hear a little beep. The attack will continue until all users have been
hacked or the password reach 'ending password' as discussed earlier.

USER/HANDLE ATTACK

Some users are _really_ stupid. I mean that, either the do not care about
their passwords or thay are utterly ignorant... or possibly a little of both.
This attack method is aimed on those kind of [l]users. U/H attack will
try the following as a password against all users:

The Users Full Name

The Users First Name
The Users Surname
The Users Handle
+ all of the above but reversed (my handle is 'namuraS' reversed)

This is a very quick attack, and you need not supply any parameters.
It's not very efficient, but who knows, you may get lucky.

(Though for the next version, add 'Location' and 'Phonenumber' to the list
above...)

RANDOM STRING ATTACK

Stupid attack. Can be used if you run a brute force attack on one computer,
and this one on another in parallel.

� � 6000 Fredrik N�=�[ Random String Attack ]�=���������Ŀ� � �

� � 1000 Peter For� �� � �
� � 5000 Robert Ri� <- String Length 08 -> �� � �
� � 100 Magnus St� �� � �
� � 100 LarS eRlA� Choose Valid Characters �� � �
� � 100 Patrick A� �� � �
� � 1000 Christian� Start Attack �� � �
� � 1000 Jonas Nil� �� � �
� � 100 Andreas W���������������������������������������‫ٳ‬ � �

Use LEFT/RIGHT arrow keys to decrease/increase the string length.

Use 'Choose Valid Characters' as discussed above, and press Start Attack
to start. This attack will only end when you press ESC or all users
has been successfully hacked.

|(=[ Advanced Usage ]==========================================================)

|
|Some of use are not running under a multitasking environment (by the
|way, I have no idea of how RAH will work under such environments, but my
|guess is that it will _HOG_ much time.. but hey, you get what you pay
|for..) ... hurm.. oh yeah.. Say you'd like to do some hacking, but you
|want another program to kick in as soon as the hacking is done... there
|is way now (as of Beta-5). If there are a file called 'RAHQUIT.NOW' in
|the same directory as the executable, RAH will quit to DOS as soon as
|any of the attachmethods (excluding name/handle) has completed (ie all
|users has been hacked). I'm thinking of adding more semaphores in the
|future, like when one method is done another will continue, or maybe that
|when all marked users has been hacked RAH will automatically marked all
|non-hacked users and start hacking them too... (so you could sort if
|prioritize for example a few 'high-access' users, but when they are
|hacked no time will be wasted..)
|
|You are welcome to contact me with ideas.

(=[ THIS CRAP PIECE OF SHIT ISN'T WORKING! ]=================================)

Yes it is.

"no it ISN'T!".

Yes it is!.

"NO it IS NOT!".

Y E S I T I S!

"NO IT'S FUCKING B.A.D (Broken As Designed)"

Okay, so it isn't working then - fix it! (It works for me, that implies
that it should work on all MS-DOS running machines in the universe :-)

No! It is NOT standing still when you do not press space. You use space to
UPDATE the screen, not to keep the program running... <stupid users.. hurm>

And -YES- autosave of hacked words into separate lexicon will fuck up if
you run SHARE. Hu, I don't care.. filesharing/filemodes sucks ... Fix it
yourself instead of whining about it..

Yes, you can do that - Full source is included!

(=[ Contact Me ]==============================================================)

That's about it - Happy hacking!

You may contact me to discuss most anything. I'm ofcourse available on

my own board, SaruCiTY +46-16-515209 (Fido 2:206/403) or you can mail
me on my email account saruman@saru.ct.se - If you think this program
is a cool-thing-to-play-with, please be in touch; I'd be happy to hear
your thoughts and suggestions even if it just to tell me how much I
suck and what a fool I am to release such a program to the public,
maybe information doesn't want to be free - but -I- want it to!

PS

Crippleware SUCKS!

(=[ Credits ]==============================================================)

I'd like to thank my buddy Neuromancer for support and suggestions.

I'd also like to thank all of my other friends for coming and visiting
me, I'm a little asocial and I really like those occational contacts
with the outside world... <g>
 I must not forget to thank Raptor for his help in developing some of the
time critical code in the AlphaCounter, thanks pal.

More Hellos to:

Gunnar Rettne, Mattias Aspman, G�ran "Gurra" Nyl�n.

Johan Johansson, Dafvid Hagstr�m, Edvin Zetterberg, Jonas Nilsson,
Daniel Gustafsson, Mikko Verlinna, Christopher Isene, DFR! CREW!,
Fredrik Nikala, Andreas Larsen (long time, no see...), Dynamic,
Andreas Engberg, B�ver Hatar Klubben, Rutger Klubben, "visomvillhacherry...
cokep�statoilnuklubben", "visomvillhajoltcolap�statoilnuklubben" & all nice
girls around the globe. (Femail? Brunette? Intelligent? Rich? CALL ME! <g>)

(=[ History ]=================================================================)

This is BETA-5, the seconde public beta version.

Development started 95-07-20, for more information... See WHATS.NEW

(=[ The Concept of FreeWare / Copyright Notice ]==============================)

This is free to spread and use as long as you include this documentation,
the configuration file(s) and do not alter the executable or anything
else. This program may not be used by Lasse B Lundin, Bror Hellman or
Bo Bendtsen.

You may distribute "hacked" versions based the included sourcecode - but
you may only do so if you ALSO include the _UNMODIFIED_ SOURCE.ZIP file
*AND* the original SRM_PGP.ZIP *AND* The full source of your version.

This program may NOT be used by anyone even REMOTELY connected to

Microsoft or any Microsoft owned company! (Special "I'm love Microsoft
but I want to hack too" Licences are sold for as much as Windows'95
has made (in gross) up to the date of the license purchase)

"Danskar borde inte f� ha kompilatorer!"[3]

(=[ Footnotes ]===============================================================)

[1] I've have choosen to use the word "Hacker" in this documentation,
but I know that some may object to that use, I know I do.

[2] No! That has _nothing what so ever_ to do with breaking into cars.

[3] In English: "Danish people should not be allowed to own compilers"[4]

[4] Bo Bendtsen, need I say more??

END_OF_DOCUMENTATION