WTF *Nix

Just another *nix Blog

Archive for the ‘Not Linux Related’ Category

Calculating Offsets

Dec-30-2009 By WTF *Nix

OK, back from a tiny little break… :)

This quickie tutorial is more of a tip than a tutorial. It just explains how to calculate offsets for jumps and calls within the program you are patching. (I didn’t say cracking)

Types of Jumps/Calls

Here I will just describe the different types of jumps and calls which you will come across:

Short Jumps

Short jumps, be they conditional or unconditional, are 2 bytes long (or 1 nibble if you're Californian ;-) . These are relative jumps, measured from the first byte after the two bytes of the jump. Using short jumps you can jump a maximum of 127 bytes forward and 128 bytes backwards (the displacement is a signed byte).

Long Jumps

Long jumps, if they are relative, are 6 bytes long for conditional jumps and 5 bytes long for unconditional jumps. For conditional jumps 2 bytes are used to identify that it is a long jump and what type of jump (je, jg, jns etc) it is. The other 4 bytes are used to show how far away the target location is relative to the first byte after the jump. In an unconditional jump only 1 byte is used to identify it as a long unconditional jump and the other 4 are used to show its target's relative position, as with the conditional jumps.

Calls

There are two different types of calls which we will use. The normal type of call works the same as the long jumps in that it is relative to its current position. The other type gives a reference to a memory location, register or stack position which holds the memory location it will call. The position held by the latter is direct, e.g. the memory location referenced may contain 401036h, which would be the exact position that you would call, not relative to the position of the call. The size of these types of calls depends on any address calculation involved in the call, i.e. you could do: 'call dword ptr [eax + edx*4 + 2]' (base register, scaled index register and displacement). Long jumps can also be made using this method, but I didn't say that earlier so as to avoid repetition.

Tables

Here is a brief list of all the different types of jumps/calls and their appropriate op-codes. Where different jumps have the same Op-Codes I have grouped them:

(I’m making this as pretty as possible for you below, because wordpress tables suck in this theme)

Jump          Description                      Short Op-Code   Long Op-Code
call          procedure call                   N/A             E8xxxxxxxx
jmp           unconditional jump               EBxx            E9xxxxxxxx
ja/jnbe       jump if above                    77xx            0F87xxxxxxxx
jae/jnb/jnc   jump if above or equal           73xx            0F83xxxxxxxx
jb/jc/jnae    jump if below                    72xx            0F82xxxxxxxx
jbe/jna       jump if below or equal           76xx            0F86xxxxxxxx
jcxz/jecxz    jump if cx/ecx equals zero       E3xx            N/A
je/jz         jump if equal/zero               74xx            0F84xxxxxxxx
jne/jnz       jump if not equal/zero           75xx            0F85xxxxxxxx
jg/jnle       jump if greater                  7Fxx            0F8Fxxxxxxxx
jge/jnl       jump if greater or equal         7Dxx            0F8Dxxxxxxxx
jl/jnge       jump if less                     7Cxx            0F8Cxxxxxxxx
jle/jng       jump if less or equal            7Exx            0F8Exxxxxxxx
jno           jump if not overflow             71xx            0F81xxxxxxxx
jnp/jpo       jump if no parity/parity odd     7Bxx            0F8Bxxxxxxxx
jns           jump if not sign                 79xx            0F89xxxxxxxx
jo            jump if overflow                 70xx            0F80xxxxxxxx
jp/jpe        jump if parity/parity even       7Axx            0F8Axxxxxxxx
js            jump if sign                     78xx            0F88xxxxxxxx

(call is a 5-byte relative instruction, so it only has a "long" form; jcxz/jecxz only has the short form.)

Calculating Offsets (finding the xx's in the table)

You will need to be able to calculate offsets when you add jumps and make calls within and to the code you have added. If you choose to do this by hand instead of using a tool then here are the basics:

For jumps and calls further on in memory from your current position you take the address where you want to jump/call and subtract from it the memory location of the next instruction after your call/jump, i.e.:

(target mem address) – (mem location of next instruction after call/jump)

Example

If we wanted to jump to 4020d0 and the next instruction *after* the jump is at location 401093 then we would use the following calculation:

4020d0 – 401093 = 103d

We then write the jump instruction in hex as e93d100000, where e9 is the hex op-code for a long relative jump and 3d100000 is the result of our calculation expanded to dword size and reversed (i.e. written in little-endian byte order).

For jumps and calls to locations *before* the current location in memory you take the address you want to call/jump to and subtract it from the memory location of the next instruction after your call/jump, then subtract 1 and finally perform a logical NOT on the result, i.e.

NOT(mem address of next instruction – target mem address – 1)

Example

If we wanted to call location 401184 and the address of the next instruction after the call is 402190 then we do the following calculation:

NOT(402190 – 401184 – 1) = ffffeff4

We can then write our call instruction in hex as e8f4efffff, where e8 is the hex op-code for a relative call and f4efffff is the result of the calculation in reverse (little-endian) byte order. (Subtracting 1 and then applying NOT is just two's-complement negation, so this is the same "target minus next instruction" as the forward case, wrapped to 32 bits: 401184 – 402190 = –100c = ffffeff4.)

If you want to practice with different examples then the best way to do this is to use a disassembler like W32Dasm/OllyDbg, which shows you the op-codes, and try to work out the results yourself. Also, as an end note, you don't have to perform these calculations if you have enough room to make your jump or call instruction into an absolute jump/call, as represented in assembler below (this clobbers eax, so use a register that is free at that point):

mov eax, 4020d0

call eax (or jmp eax)
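The two examples above, worked by a small encoder/decoder. This is an added example and not code from the original post; it uses the op-code tables listed above and the post's own addresses (the jump is taken to sit 5 bytes before 401093, the call 5 bytes before 402190, so that "next instruction" matches the post). It also picks the 2-byte short form automatically whenever the displacement fits in a signed byte, which the post only describes in words.

```python
import struct

# Added example, not code from the original post. Encodes x86 (32-bit)
# relative jumps and calls the way the post describes: the displacement is
# measured from the first byte *after* the instruction and stored
# little-endian, as a signed byte (short form) or signed dword (long form).
# The op-code tables are the ones listed in the post.

SHORT_OPCODES = {
    "jmp": b"\xeb", "ja": b"\x77", "jae": b"\x73", "jb": b"\x72", "jbe": b"\x76",
    "jcxz": b"\xe3", "je": b"\x74", "jne": b"\x75", "jg": b"\x7f", "jge": b"\x7d",
    "jl": b"\x7c", "jle": b"\x7e", "jno": b"\x71", "jnp": b"\x7b", "jns": b"\x79",
    "jo": b"\x70", "jp": b"\x7a", "js": b"\x78",
}
LONG_OPCODES = {
    "call": b"\xe8", "jmp": b"\xe9", "ja": b"\x0f\x87", "jae": b"\x0f\x83",
    "jb": b"\x0f\x82", "jbe": b"\x0f\x86", "je": b"\x0f\x84", "jne": b"\x0f\x85",
    "jg": b"\x0f\x8f", "jge": b"\x0f\x8d", "jl": b"\x0f\x8c", "jle": b"\x0f\x8e",
    "jno": b"\x0f\x81", "jnp": b"\x0f\x8b", "jns": b"\x0f\x89", "jo": b"\x0f\x80",
    "jp": b"\x0f\x8a", "js": b"\x0f\x88",
}


def backward_offset_post_formula(next_insn, target):
    """The post's recipe for a backward branch: NOT(next - target - 1), kept
    to 32 bits. It is the two's complement of (next - target), i.e. the same
    (target - next) the forward case uses, wrapped to 32 bits."""
    return (~(next_insn - target - 1)) & 0xFFFFFFFF


def encode(mnemonic, insn_addr, target, force_long=False):
    """Bytes for `mnemonic` located at `insn_addr` branching to `target`.

    The short form is used when the displacement fits in a signed byte
    (-128..127), otherwise the long form. Because the displacement is
    measured from the end of the instruction, the instruction's own length
    (2 for short, 5 or 6 for long) is part of the calculation.
    """
    m = mnemonic.lower()
    if not force_long and m in SHORT_OPCODES:
        op = SHORT_OPCODES[m]
        disp = target - (insn_addr + len(op) + 1)
        if -128 <= disp <= 127:
            return op + struct.pack("<b", disp)
    if m not in LONG_OPCODES:
        raise ValueError(f"{mnemonic}: no long relative form (jcxz/jecxz are short-only)")
    op = LONG_OPCODES[m]
    disp = target - (insn_addr + len(op) + 4)
    return op + struct.pack("<i", disp)  # struct.error if outside the rel32 range


def decode(code, insn_addr):
    """Inverse of encode(): (mnemonic, target) for one relative jump/call."""
    for table, size, fmt in ((LONG_OPCODES, 4, "<i"), (SHORT_OPCODES, 1, "<b")):
        for m, op in table.items():
            if code.startswith(op) and len(code) == len(op) + size:
                disp = struct.unpack(fmt, code[len(op):])[0]
                return m, insn_addr + len(code) + disp
    raise ValueError("not a relative jump/call encoding")


if __name__ == "__main__":
    # The post's two examples, with the instruction placed 5 bytes before
    # the "next instruction" address the post quotes.
    jmp = encode("jmp", 0x401093 - 5, 0x4020D0)
    call = encode("call", 0x402190 - 5, 0x401184)
    print(jmp.hex(), call.hex())                                   # e93d100000 e8f4efffff
    print(hex(backward_offset_post_formula(0x402190, 0x401184)))  # 0xffffeff4
    print(decode(jmp, 0x401093 - 5), decode(call, 0x402190 - 5))
```

The boundary cases worth checking against a disassembler: a je whose target is exactly 127 bytes past the end of a 2-byte encoding stays short, one byte further it becomes the 6-byte 0F84 form, and the displacement for the long form is then recomputed from the new (longer) instruction end, which is the mistake people make when hand-patching.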

Final Note

WTF Get'r Done, and make life easier and use a program to do this, hence OllyDbg ;-)


Your IT Career :: Time to Go Beyond!

Dec-18-2009 By WTF *Nix

I’ve seen it happen time and again to programmers, network engineers and administrators, and other IT personnel. They get a solid IT position, a good-paying job, and they get comfortable. They stop keeping up with the latest technologies, they stop studying, they no longer keep their CCNA, MCSE, and other industry certifications up-to-date…. and then one day, their comfortable job is gone.

Maybe they get laid off, maybe the company moves and they don’t want to move with it… but for one reason or another, they’re in the worst position possible. They have no job, and they have allowed their IT skills to deteriorate to the point where they are no longer employable.

If you’re in IT, you must be constantly learning. You must continually take the long view, and ask yourself three important questions. First, where do you want to be in three years? Second, what are you doing now in order to reach this goal? And finally, if you were laid off today, are your current skills sharp enough to quickly get another job?

That third question can be the hardest of all to answer honestly. I'm reminded of Microsoft announcing years ago that they would no longer be recognizing the MCSE 4.0 certification, since the network operating systems that certification was based upon would no longer be supported by MS. (Keep in mind that this change was announced months in advance, giving those holding the MCSE 4.0 plenty of time to earn the latest MS certification.)

Some MCSE 4.0s just went nuts. Microsoft’s certification magazine printed letter after letter from angry MCSEs saying that their company would always run NT 4.0, and that there was no reason for them to ever upgrade their certification.

This wasn't just denial. This was career suicide. Let's say that their network never moved from NT 4.0. Let's also say that they got laid off yesterday. Would you want to go out into the current IT workplace and have your most recent network operating system experience be on NT 4.0? I sure wouldn't.

The fact is that you’ve got to continue studying, continue growing, and continue learning new things if you want to have a successful long-term IT career. If you plan on studying only one topic, getting into IT, and then never cracking a book again, you’re entering the wrong field. And for those of us who have been in it for a while – again, ask yourself this question, “Am I prepared for what would happen if I were laid off today?” And if you’re not, do something about it!

WTF Get’r Done Already… I’m not upping no Certification, only makes me look more geekish… I sport the Vin Diesel look alike, so I don’t need the paper because I only have 14+ years experience in what I do best in for work. :)


Well, I had a heck of a time figuring out which ones I wanted to lock down, but after a bit of research into which one (Vory / Mafiya) has what, here's the choice I made, as a mental note to myself. Below is a breakdown of which side to choose when you are on Level 3 of each Episode; this is totally up to you, because I'm listing all of the stats of each item :) :

Episode 1 – Baklany

Collection: Tattoos

Mastery Item: Burzuk SUV (Vehicle) (36 Attack, 52 Defense)

Vory

Chapter 1:

Concealable Camera (Consumable)

Untraceable Cell Phone (Consumable)

Chapter 2:

Cherepakha Compact (Vehicle) (18 Attack, 25 Defense)

Dossier on Dmitri (Consumable)

Chapter 3:

RU-7 .45 Pistol (Weapon) (25 Attack, 23 Defense)


Mafiya

Chapter 1:

Concealable Camera (Consumable)

Untraceable Cell Phone (Consumable)

Chapter 2:

Molotok Pistol (Weapon) (22 Attack, 26 Defense)

Dossier on Dmitri (Consumable)

Chapter 3:

RU-7 .45 Pistol (Weapon) (25 Attack, 23 Defense)


Episode 2 – Boets

Collection: Dolls

Mastery Item:  Boss Karpov’s Pistol (Weapon) (50 Attack, 38 Defense)

Vory

Chapter 1:

Ballistic Knife (Weapon) (20 Attack, 28 Defense)

Chapter 2:

Set of Photos of Karpov (Consumable)

Severnyy Olen Snowbike (Vehicle) (32 Attack, 20 Defense)

Chapter 3:

PNV (Armor) (21 Attack, 31 Defense)


Mafiya

Chapter 1:

Ballistic Knife (Weapon) (20 Attack, 28 Defense)

Chapter 2:

Set of Photos of Karpov (Consumable)

RAS-15 (30 Attack, 18 Defense)

Chapter 3:

PNV (Armor) (21 Attack, 31 Defense)


Episode 3 – Brigadir

Collection: Russian Leaders

Mastery Item: Ex-KGB Bodyguard (Armor) (48 Attack, 30 Defense)

Vory

Chapter 1:

Armored Briefcase (Armor) (25 Attack, 36 Defense)

Chapter 2:

Bank Guard Uniform (Consumable)

Taiga Combat Shotgun (Weapon) (32 Attack, 20 Defense)

Chapter 3:

Shchuka Speed Boat (Vehicle) (36 Attack, 22 Defense)


Mafiya

Chapter 1:

Armored Briefcase (Armor) (25 Attack, 36 Defense)

Chapter 2:

Bank Guard Uniform (Consumable)

Volk Luxury Sedan (Vehicle) (24 Attack, 36 Defense)

Chapter 3:

Shchuka Speed Boat (Vehicle) (36 Attack, 22 Defense)


Episode 4 – Avtoritet

Collection: Drinks

Mastery Item: Cossack Armored Vest (Armor) (18 Attack, 48 Defense)

Vory

Chapter 1:

Ru-78 Heavy Machine Gun (Weapon) (36 Attack, 12 Defense)

Chapter 2:

Officer Corps Paycheck (Consumable)

Shturmovik (Armor) (45 Attack, 28 Defense)

Chapter 3:

Razoritel Grenade Launcher (Weapon) (34 Attack, 15 Defense)


Mafiya

Chapter 1:

Ru-78 Heavy Machine Gun (Weapon) (36 Attack, 12 Defense)

Chapter 2:

Officer Corps Paycheck (Consumable)

The Orel Armored Helicopter (Vehicle) (24 Attack, 40 Defense)

Chapter 3:

Razoritel Grenade Launcher (Weapon) (34 Attack, 15 Defense)


Episode 5 – Vor

Collection: Soviet Memorabilia

Mastery Item: ZPR Pulemut (Weapon) (28 Attack, 65 Defense)

Vory

Chapter 1:

Arkticheskij Gus’ (Vehicle) (22 Attack, 42 Defense)

Chapter 2:

Ubijca Assault Rifle (Weapon) (43 Attack, 18 Defense)

Stick of Dynamite (Consumable)

Chapter 3:

Osa 17 Snowmobile (Vehicle) (38 Attack, 24 Defense)


Mafiya

Chapter 1:

Arkticheskij Gus’ (Vehicle) (22 Attack, 42 Defense)

Chapter 2:

Klyk-9 Machine Pistol (Weapon) (21 Attack, 43 Defense)

Stick of Dynamite (Consumable)

Chapter 3:

Osa 17 Snowmobile (Vehicle) (38 Attack, 24 Defense)


Episode 6 – Pakhan

Collection: Faberge Egg

Mastery Item: The Drakon (Vehicle) (54 Attack, 22 Defense)

Vory

Chapter 1:

Executive Overcoat (Armor) (22 Attack, 45 Defense)

Chapter 2:

Konstantin Cargo Carrier (Vehicle) (18 Attack, 44 Defense)

Mansion Details (Consumable)

Chapter 3:

Zoloto Sports Car (Vehicle) (43 Attack, 22 Defense)


Mafiya

Chapter 1:

Executive Overcoat (Armor) (22 Attack, 45 Defense)

Chapter 2:

Zmeya Carbon Blade (Weapon) (28 Attack, 44 Defense)

Mansion Details (Consumable)

Chapter 3:

Zoloto Sports Car (Vehicle) (43 Attack, 22 Defense)


Episodes 1 & 2 weren't such a big choice, because you can get better lOOt items in Cuba than these, so I chose:

Episode 3 – 5: Vory

Episode 6: Mafiya

Hope this helps some of you figure out which way to go. This post will remain here for comments or questions, or simply bookmark it for later reference! :)

WTF Get’r Done!


How to Bypass BIOS Passwords

Dec-17-2009 By WTF *Nix

DISCLAIMER

This write-up is intended for IT Professionals and systems administrators with experience servicing computer hardware. It is not intended for home users, hackers, or computer thieves attempting to crack the password on a stolen PC. Please do not attempt any of these procedures if you are unfamiliar with computer hardware, and please use this information responsibly. WTFNix.com is not responsible for the use or misuse of this material, including loss of data, damage to hardware, or personal injury. I am not held responsible nor is the Datacenter, nor ICANN.

You agree to the terms above, read on, if you don’t take a hike over to extremetube.com or youporn.com then :)

BIOS passwords can add an extra layer of security for desktop and laptop computers. They are used to either prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. Unfortunately, BIOS passwords can also be a liability if a user forgets their password, or changes the password to intentionally lock out the corporate IT department. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in the warranty. Never fear, all is not lost. There are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS.

Before attempting to bypass the BIOS password on a computer, please take a minute to contact the hardware manufacturer support staff directly and ask for their recommended methods of bypassing the BIOS security. In the event the manufacturer cannot (or will not) help you, there are a number of methods that can be used to bypass or reset the BIOS password yourself. They include:

  • Using a manufacturer's backdoor password to access the BIOS
  • Using password cracking software
  • Resetting the CMOS using the jumpers or solder beads
  • Removing the CMOS battery for at least 10 minutes
  • Overloading the keyboard buffer
  • Using a professional service

Please remember that most BIOS passwords do not protect the hard drive, so if you need to recover the data, simply remove the hard drive and install it in an identical system, or configure it as a slave drive in an existing system. The exception to this is laptops, especially IBM Thinkpads, which silently lock the hard drive if the supervisor password is enabled. If the supervisor password is reset without resetting the hard drive as well, you will be unable to access the data on the drive.

Backdoor passwords

Many BIOS manufacturers have provided backdoor passwords that can be used to access the BIOS setup in the event you have lost your password. These passwords are case sensitive, so you may wish to try a variety of combinations. Keep in mind that the key associated with "_" on the US keyboard corresponds to "?" on some European keyboards. Laptops typically have better BIOS security than desktop systems, and we are not aware of any backdoor passwords that will work with name brand laptops.

WARNING: Some BIOS configurations will lock you out of the system completely if you type in an incorrect password more than 3 times. Read your manufacturer's documentation for the BIOS setting before you begin typing in passwords.

Award BIOS backdoor passwords:

ALFAROME ALLy aLLy aLLY ALLY aPAf _award AWARD_SW AWARD?SW AWARD SW AWARD PW AWKWARD awkward BIOSTAR CONCAT CONDO Condo d8on djonet HLT J64 J256 J262 j332 j322 KDD Lkwpeter LKWPETER PINT pint SER SKY_FOX SYXZ syxz shift + syxz TTPTHA ZAAADA ZBAAACA ZJAAADC 01322222

589589 589721 595595 598598

AMI BIOS backdoor passwords:

AMI AAAMMMIII BIOS PASSWORD HEWITT RAND AMI?SW AMI_SW LKWPETER A.M.I. CONDO

PHOENIX BIOS backdoor passwords:

phoenix, PHOENIX, CMOS, BIOS

MISC. COMMON PASSWORDS

ALFAROME BIOSTAR biostar biosstar CMOS cmos LKWPETER lkwpeter setup SETUP Syxz Wodj

OTHER BIOS PASSWORDS BY MANUFACTURER

Manufacturer    Password
VOBIS & IBM     merlin
Dell            Dell
Biostar         Biostar
Compaq          Compaq
Enox            xo11nE
Epox            central
Freetech        Posterie
IWill           iwill
Jetway          spooml
Packard Bell    bell9
QDI             QDI
Siemens         SKY_FOX
TMC             BIGO
Toshiba         Toshiba

TOSHIBA BIOS

Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left shift key is held down during boot.

IBM APTIVA BIOS

Press both mouse buttons repeatedly during the boot.

Password cracking software

The following software can be used to either crack or reset the BIOS on many chipsets. If your PC is locked with a BIOS administrator password that will not allow access to the floppy drive, these utilities may not work. Also, since these utilities do not come from the manufacturer, use them cautiously and at your own risk.

Cmos password recovery tools

!BIOS

RemPass

KILLCMOS

Using the Motherboard “Clear CMOS” Jumper or Dipswitch settings

Many motherboards feature a set of jumpers or dipswitches that will clear the CMOS and wipe all of the custom settings, including BIOS passwords. The locations of these jumpers / dipswitches will vary depending on the motherboard manufacturer, and ideally you should always refer to the motherboard or computer manufacturer's documentation. If the documentation is unavailable, the jumpers/dipswitches can sometimes be found along the edge of the motherboard, next to the CMOS battery, or near the processor. Some manufacturers may label the jumper / dipswitch CLEAR – CLEAR CMOS – CLR – CLRPWD – PASSWD – PASSWORD – PWD. On laptop computers, the dipswitches are usually found under the keyboard or within a compartment at the bottom of the laptop.

Please remember to unplug your PC and use a grounding strap before reaching into your PC and touching the motherboard. Once you locate and reset the jumper switches, turn the computer on and check if the password has been cleared. If it has, turn the computer off and return the jumpers or dipswitches to their original position.

Removing the CMOS Battery

The CMOS settings on most systems are buffered by a small battery that is attached to the motherboard (it looks like a small watch battery). If you unplug the PC and remove the battery for 10-15 minutes, the CMOS may reset itself and the password should be blank (along with any other machine-specific settings, so be sure you are familiar with manually reconfiguring the BIOS settings before you do this). Some manufacturers back up the power to the CMOS chipset by using a capacitor, so if your first attempt fails, leave the battery out (with the system unplugged) for at least 24 hours. Some batteries are actually soldered onto the motherboard, making this task more difficult. Unsoldering the battery incorrectly may damage your motherboard and other components, so please don't attempt this if you are inexperienced. Another option may be to remove the CMOS chip from the motherboard for a period of time.

Note: Removing the battery to reset the CMOS will not work for all PCs, and almost all of the newer laptops store their BIOS passwords in a manner which does not require continuous power, so removing the CMOS battery may not work at all. IBM Thinkpad laptops lock the hard drive as well as the BIOS when the supervisor password is set. If you reset the BIOS password but cannot reset the hard drive password, you may not be able to access the drive and it will remain locked, even if you place it in a new laptop. IBM Thinkpads have special jumper switches on the motherboard, and these should be used to reset the system.

Overloading the KeyBoard Buffer

On some older computer systems, you can force the CMOS to enter its setup screen on boot by overloading the keyboard buffer. This can be done by booting with the keyboard or mouse detached from the system, or on some systems by hitting the ESC key over 100 times in rapid succession.

Jumping the Solder Beads on the CMOS

It is also possible to reset the CMOS by connecting or "jumping" specific solder beads on the chipset. There are too many chipsets to do a breakdown of which points to jump on individual chipsets, and the location of these solder beads can vary by manufacturer, so please check your computer and motherboard documentation for details. This technique is not recommended for the inexperienced and should only be used as a "last ditch" effort.

Using a professional service

If the manufacturer of the laptop or desktop PC can't or won't reset the BIOS password, you still have the option of using a professional service. Password Crackers, Inc., offers a variety of services for desktop and laptop computers for between $100 and $400. For most of these services, you'll need to provide some type of legitimate proof of ownership. This may be difficult if you've acquired the computer second hand or from an online auction (Craigslist.org).

WTF Get’r Done!


Back in Time with Vintage T-shirts

May-11-2009 By WTF *Nix

Are you one of those people that never throw anything away? If you are then you may be one of the smart ones. There is a new market that has emerged here of late and that market is demanding vintage clothing. Actually, more to the point, they want vintage T-shirts. This is something that has started to boom in recent years as the old style of clothing is starting to make a major comeback for the youth of this country. So that means that all of the people in the world that have saved all those old clothes and successfully fought their mothers from throwing them in the donation box may be sitting on a gold mine. Who would have ever thought that some of the horrible things that we used to wear would ever come back into style? It may seem like a nightmare to some but it is a dream come true for many.

The dealers of vintage T-shirts are having a ball with this market.  They know that there is a lot of stuff out there that can be sold and that there is even more people that want it.  The demand for these items has tripled in the past six months making them one of the most sought after clothing items in the market today. The problem is that there is not a lot of places where one can find such items to resell.  In the very beginning of the boom there was more than enough of these vintage T-shirts laying around resale shops the world over, but since the surge there is a shortage as most of the shops now know the value and they are taking advantage of the boom like the rest of the population.

If you are lucky enough to have one of these items then you have paid the price that somebody would want for it.  The price range is rather high right now because the demand is so high and the supply so low.  There is some hope though that you may be able to pick something like this up without having to pay too high a price.  That is if you do not mind wearing something that is not technically vintage but it has all the right looks and such.  This is how many of the people are getting around the supply problem and they are making the best of it.  This stands to reason because not everyone can afford the price that the vintage T-shirts are commanding right now.

For most the vintage T-shirt is a dream.  The most popular styles are the concert T-shirts from the seventies and eighties.  The most well known bands are commanding prices of nearly one thousand dollars or more.  A record was set recently when an original Rolling Stones concert T-shirt sold for almost ten thousand dollars.  This is something that was bound to happen eventually but those of us who were there for these shirts when they were new are no less amazed.  This is taking into consideration that some of these clothes were less than ten dollars when they were brand new.

Right now the vintage T-shirts market is very hot. If you are looking for the best deals then you need to get going. These items are flying off the shelves and people are hungry for more. If you happen to find one at a tag sale or what have you then you should certainly pick it up, as it may very well be worth its weight in gold. This is only the beginning and you should hold on to see what the next big thing is.

WTF I’m off topic of *nix but oh well, it’s about the ole vintages that are out there :)
