Documentation for The Nowhere Utilities
---------------------------------------

Introduction
------------

During my time as a viral developer, I've quickly discovered many operations that are quite useful for creating virii, trojans, and logic bombs that DOS and most popular utility programs (PC-Tools, Norton Utilities, etc.) either can't do or require too much time to do. Some other operations, such as being able to alter the effective size of a file, are useful in many non-viral situations. So I developed a set of thirteen utilities, presented here, to help the aspiring rogue programmer in his quest for electronic mayhem. (Several of these are derived from ideas originally used in the now infamous C-Virus.) So without further ado, I give you (drum roll) **The Nowhere Utilities**!

General notes
-------------

The following applies to all of the Nowhere Utilities: all will give a command summary if "/?" is given as the first parameter; all utilities preserve file date, time, and attributes, unless they are specifically meant to change them (FIXATTR and FIXTIME in specific); all utilities will work on read-only files (they automatically remove the attribute if any writing needs to be performed and reset it when finished); and all programs are in the .COM format for faster load times. All of the utilities were written entirely in Borland C++ v3.0 using the tiny memory model (needed to create .COM files), and all were written by myself, Nowhere Man, with some suggestions and comments provided by friends, especially Rigor Mortis, Leeking Virus, and Guido Sanchez. Thanks guys. Now, on with the utilities...

The utilities and their many uses
---------------------------------

Included in this set of utilities are ten separate programs. Below is a list of them, as well as a short summary of what they do and possible uses for them. In addition to the summaries below, running any Nowhere Utility with /? as a parameter displays the syntax for the program.

CIPHER
------

CIPHER is just that: a cipher. Give CIPHER a 32-bit decimal number as a key, followed by one or more file names (wildcards allowed), and it will encrypt the files. To unencrypt them, run CIPHER again with the same key. As you've probably guessed, CIPHER uses an XOR-type encryption method, but I've thrown a few modifications in to make it harder to crack.

Suggested uses: to encrypt things you don't want other people to see (duh). I'd advise encrypting any sensitive data that could be used against you in court, such as passwords, card numbers, and phreaking codes (assuming, of course, you actually keep these things in files). When you need these things, simply decipher them.

Nowhere Utilities v2.0 - 1- (C) 1992 Nowhere Man and [NuKE]

This way if the feds ever seize your computer while you're at work or school, there is no data for them to use as evidence during your trial.

This is also good for encrypting important E-Mail: tell the receiver, either over the phone or on a different board, what the key will be. Then run CIPHER on the program and use DBGSCRPT (see below) to generate a DEBUG script to re-create the file. Do an ASCII upload of the DEBUG script. The receiver can just run the script through DEBUG, use CIPHER to decrypt it, and then read the message, run the file, whatever. Great for use on untrustworthy or suspicious boards, or places where the sysop likes to snoop through other peoples' private mail.

CRYPTCOM
--------

CRYPTCOM is a handy utility that allows you to encrypt .COM files but still leave them executable. To invoke CRYPTCOM, just type "CRYPTCOM" followed by one or more files that you wish to protect; wildcards are allowed, and the ".COM" extension is assumed if none is given. The key is chosen by CRYPTCOM automatically, so you don't need to supply one. This program works by encrypting your .COM program and adding some decryption code to the end.
The file decrypts itself in RAM at run-time, leaving the actual file unaltered with each execution of the encrypted program.

Suggested use: encrypting virii to slip past virus scanners. It's rather obvious what to do: just run CRYPTCOM on the virus. It is now unscannable, and it still runs normally. However, just like the PKLITE trick of old, all subsequent infections will contain the original virus, so basically, this just gets the virus in the front door. Unlike PKLITE, though, no scanner (as of yet, at least) can decrypt a CRYPTCOMed file and scan it, so you don't have to worry about recent versions of SCAN catching you. (Also see NOLZEXE below for another tactic.)

DBGSCRPT
--------

DBGSCRPT creates, as its name suggests, DEBUG scripts. DBGSCRPT takes two arguments: the input file and the name of the file to contain the script. To re-create the original file from the script, just type "DEBUG < (scriptname)" and watch it do its work. Note that wildcards are not allowed by this program, and also note that DEBUG will not allow itself to write .EXE files. If you are creating a script from an .EXE file, rename it to a different extension before running DBGSCRPT, and instruct whomever is receiving the script to change it back to an .EXE when DEBUG is done.

Suggested uses: creating scripts from binary files to include in text files or E-Mail. This way you could post your latest creation on your favorite virus board without having to upload anything and without having to post your valuable source. You can also include it in text files you put out (magazines, etc.) so you don't have to distribute the virus in a separate file; the reader just cuts out the script and runs it through DEBUG (40-Hex magazine is fond of this technique). Again, no source code needs to change hands. Quite useful, in the right situations.

DECRYPT
-------

DECRYPT is, as far as I know, a one-of-a-kind utility -- it will crack almost all 8-bit and many 16-bit encryption schemes. There's only one catch: you must know at least five consecutive characters in the original (unencrypted) data. This string is passed as the first parameter. The remaining arguments are the names of files to be decrypted, wildcards allowed. DECRYPT will go through each file given, attempting to decrypt it with a special proprietary algorithm which will crack most standard 8- and 16-bit encryption schemes in under ten seconds. If the file can be decrypted then DECRYPT will tell you which encryption method and what key was used, and a file with the same base name as the original and an extension of .DEC will be created containing the decrypted contents of the file. Sometimes DECRYPT will give a false positive, an invalid decryption; this is a normal side-effect of the ultra-quick algorithm it uses (if you do get a false positive, chances are the file couldn't be decrypted anyway).

DECRYPT has many uses. It's great for decrypting a virus attached to a program, so long as you know a string in the virus ("*.COM" is a good bet), or can be used to view those annoying encrypted data files that too many programs seem to come with. Please note that not every file can be decrypted; DECRYPT will break the most common algorithms used in most low-security applications (ie: adding/subtracting a constant, XORing by a constant, etc.). Also make sure that the file you're dealing with is indeed encrypted. Not every unreadable file is encoded, and unless you're pretty sure you're just wasting your time (albeit very little of it). Files must be under 32k for DECRYPT to work (DECRYPT loads the entire file into memory for speed, so larger files will overflow the buffer). Outside of these restrictions, DECRYPT is a valuable tool for any aspiring hacker.

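The known-plaintext recovery described in this section can be shown for the constant-key schemes it names, as an analyst would use it to unwrap a sample for inspection. This is an added example, not DECRYPT's own algorithm (the documentation does not publish it); the function names, sample text and keys are constructed, and "16-bit XOR" is assumed to mean a two-byte key applied alternately by file offset.

```python
"""Added example: known-plaintext ("crib") key recovery for constant-key
8-bit XOR, 8-bit ADD/SUB and 16-bit XOR. Not DECRYPT's own algorithm."""

MIN_CRIB = 5  # the minimum the documentation states; shorter cribs match by chance


def apply_key(data: bytes, method: str, key: int, encrypt: bool = False) -> bytes:
    """Undo one of the supported schemes (or apply it, with encrypt=True)."""
    if method == "plain":
        return data
    if method == "xor8":
        return bytes(b ^ key for b in data)
    if method == "add8":  # SUB k is the same cipher as ADD (256 - k)
        delta = key if encrypt else -key
        return bytes((b + delta) & 0xFF for b in data)
    if method == "xor16":  # high key byte on even offsets, low byte on odd
        pair = (key >> 8, key & 0xFF)
        return bytes(b ^ pair[i & 1] for i, b in enumerate(data))
    raise ValueError(f"unknown method {method!r}")


def find_keys(data: bytes, crib: bytes) -> list:
    """Return (method, key, offset) for every offset where the crib fits."""
    if len(crib) < MIN_CRIB:
        raise ValueError(f"crib must be at least {MIN_CRIB} bytes")
    hits = []
    for off in range(len(data) - len(crib) + 1):
        window = data[off:off + len(crib)]
        xor = [c ^ p for c, p in zip(window, crib)]
        add = [(c - p) & 0xFF for c, p in zip(window, crib)]
        if len(set(xor)) == 1:
            # Same difference at every position: one-byte XOR key.
            # A key of 0 means the crib is present in clear text.
            hits.append(("xor8" if xor[0] else "plain", xor[0], off))
        elif len(set(xor[0::2])) == 1 and len(set(xor[1::2])) == 1:
            # Differences alternate: two-byte XOR key. Map the two bytes to
            # even/odd file offsets so the key does not depend on `off`.
            # With a 5-byte crib only three positions constrain this case,
            # so chance matches (false positives) are possible on large files.
            even, odd = (xor[0], xor[1]) if off % 2 == 0 else (xor[1], xor[0])
            hits.append(("xor16", even << 8 | odd, off))
        if len(set(add)) == 1 and add[0]:
            hits.append(("add8", add[0], off))
    return hits


# Constructed sample; "*.COM" is the crib the documentation suggests.
SAMPLE = b"constructed sample: the infector searches for *.COM in the current directory"

if __name__ == "__main__":
    blob = apply_key(SAMPLE, "xor16", 0xA55A, encrypt=True)
    for method, key, off in find_keys(blob, b"*.COM"):
        print(method, hex(key), off, apply_key(blob, method, key)[:40])
```
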
FAKEFILE
--------

Picture this: you've just written up a great trojan or virus and you've placed it into an executable file (or REPLACEd one). What's the problem? Well, wouldn't you be suspicious if you downloaded a ZIP file that was supposed to be a "Great shareware text editor" and all that was in it was one lousy 5k .EXE? Ignoring the problem of documentation, FAKEFILE is a great way to create phoney data files to go with your virii and trojans. Now instead of renaming .ROL files to .DATs (as I've observed in one lame trojan), you can make your own.

FAKEFILE takes two or more arguments. The first one is the size of the dummy file. Here you can either give a fixed number, or use the -r switch, which will make each file a random length between 100 and 33767 bytes. The remaining parameters are the names of the fake files to create. Wildcards are not allowed (duh). In addition to filling the files with random bullshit, if FAKEFILE recognizes the extension on your filename (.EXE, .GIF, .OBJ, etc.) then it will add a fake header to the file to make it "legit" to programs that read those types of files. For example, if you typed "FAKEFILE 30345 HOTSEX.GIF" FAKEFILE would create a 30345-byte file containing the header "GIF87a" and 30339 bytes of random data. Of course when you go to view the "GIF" you'll get errors... Another tip: avoid "even" file sizes for most files. It may seem suspicious, depending on the nature of the files.

As you might have guessed by now, there is another, and in my opinion, very lame, use for this utility. You can create fake .GIFs, .ROLs, even whole utilities, .EXE and all, and upload them to boards for extra file points. I HIGHLY DISCOURAGE THIS. If everyone went around doing this then you'd spend most of your time downloading crap, and BBSing would die.
Of course this is a great use if you're dealing with a real lame board; upload tons of dummy games and .GIFs under several user names. The other users will get pissed at the sysop, and his board will go down in no time. PLEASE ONLY DO THIS TO LAMERS; good boards deserve to live. Again, heed my warning and don't be an asshole; if you ever do download a wasteful file on any board, please report it to the sysop. If you are a sysop and are reading this, I'd encourage you to blacklist anyone who does such a stupid thing.

FAKEWARE
--------

If you're like me, then lame k-rad k00l "ELITE" boards probably annoy the shit out of you. What better way to say "I hate you" than with a virus, the gift that keeps on giving... Unfortunately, some of these people actually know that games have more than one file, etc. and won't run suspicious looking programs. FAKEWARE takes care of all of this. With one command you can create a realistic looking .ZIP of a "0-30 day ware" containing a virus or trojan of your choice.

First, prepare the virus or trojan by RESIZEing or REPLACEing it. Then just execute "FAKEWARE (trojan/virus name)." In a minute or two FAKEWARE will have generated a completely bogus game, right down to the .ZIP comment. FAKEWARE creates a fake title for your game, then creates between five and twenty-five fake data files of random length and content (and compressibility!). It includes your virus or trojan as the main .EXE, and even generates a fake .NFO file from either RAZOR, INC, or TDT, complete with program description, cracking information, and greets to all those cool pir8 doodz you know and love. FAKEWARE executes PKZIP (which must be in the current directory or in your PATH in order for FAKEWARE to work correctly), and adds a .ZIP comment, an ad for a completely fake, yet very realistic, warez board. All temporary files are deleted, of course.
Now just upload the .ZIP as the game that FAKEWARE tells you and you're all set; all you have to do now is get the loser to run it...

FAKEWARE will also generate a fake .EXE if no argument is given, allowing you to send up tons of bogus wares to a stupid board to discredit the sysop and create chaos. Unlike some other utilities, I couldn't care less if you misuse it; I never did like warez boards anyway...

FIXATTR
-------

This program lets you alter the attributes of files. Quite simple and very legitimate. You can use either "+", "-", or "=", followed by one or more of the following letters: A, H, R, and S. Using a plus sign will add the specified attributes to the files' current attributes; a minus sign will remove those attributes, if set; and the equals sign will set the files' attributes to the ones given, removing any existing ones. The letters above stand for (A)rchive, (H)idden, (R)ead-only, and (S)ystem, respectively. Attributes for subdirectories cannot be modified, but wildcards and multiple file names may be given after the attributes. This is essentially the same as the DOS 5.0 or 4DOS ATTRIB command, but it is usable by anyone, even those without DOS 5.0 or 4DOS.

Suggested uses: hiding and/or write-protecting sensitive files (or unhiding those pesky hidden files that some games still use), or whatever else you can think of that requires attribute changes. This utility is pretty basic, so I'm sure you'll think of other applications for it.

FIXTIME
-------

FIXTIME is a basic "touch" utility, similar to those found under UNIX and those that come with compilers such as Turbo C and Microsoft C (although FIXTIME is superior to most compiler "touch" programs, as it lets you set the file time to anything; more on that later). FIXTIME can either take zero, one, or two arguments, followed by one or more file names (wildcards allowed).
If no other arguments are given besides the file name(s), FIXTIME will set the time stamp of any and all matching files to the current system time and date (which may not be correct, if you're one of those people too lazy to set your system clock). If a time is given, it must precede the file name(s) and be in the standard 24-hour format (hh:mm:ss). All applicable files will have their times set to that time; if no date is given then the system date will be used. If a date is specified, it must precede the file name(s) and be in the American date format (MM-DD-YY or MM/DD/YY, where the year is any year between 1980 and 1999). As usual, no other aspects of the file (size, attributes, etc.) are changed.

Suggested uses: to alter the time on documents that are past due :-), to fix the date/time stamp of files to which you have added a virus (though good virii always preserve the file's date and time), or to change the date for any other purpose you can come up with (to prevent someone from telling when you've written something, to change the file times of files you've edited/modified, etc.). None of these ideas really needs much elaboration; just be sure that if you're going to want to change a file back that you remember to write down the original time and date first...

NOLZEXE
-------

Don't you just hate it how executable-file compressors always leave an annoying signature to show they've been used? Until now the only way to remove these signatures to prevent people from UNLZEXEing or PKLITE -Xing your program was to go in by hand with DEBUG or any other hex editor and rip them out. Well, I've come up with this handy-dandy utility to automatically destroy these headers for you, preventing SCAN from detecting your PKLITEd virii and stopping assholes from trying to disassemble or reverse-engineer your code.

When invoking NOLZEXE, all you must provide as parameters are the names of files you wish to protect.
Wildcards are allowed, and if no extension is given then .EXE is assumed (though .COM files are supported, too). NOLZEXE will then go through the files and completely cover all compressor headers with random bytes; if a file is not compressed nothing will happen to it. Versions 0.90 and 0.91 of LZEXE (the only versions currently released) and all versions of PKLITE are supported. (If anyone out there has found any other executable-file compressors that they'd like to see supported in the next version, see below on where to contact me.) The files will still execute properly and are otherwise unchanged; however no virus scanner, CHK4LZE, or CHK4LITE program will pick them out of the crowd.

Suggested uses: as mentioned above, to remove the headers on LZEXEd and PKLITEd virii to prevent scanning (my ever-popular C-Virus used similar techniques), and to stop people from disassembling or reverse-engineering your products (use the compressor on them and then use NOLZEXE). This is also useful on trojans, as it can stop CHK4BMB-type utilities from picking up your damaging code; compress the trojan then NOLZEXE it. If your compressor refuses to work on the file because it's too small (all too often the case with virii), please read my notes about the subject under RESIZE below.

REPLACE
-------

Based upon an idea I had originally used in C-Virus, REPLACE performs a great service to trojan- and virus-disseminators everywhere. To put it bluntly, it just replaces one file (presumably a legitimate one) with another (presumably a nasty one). On a more detailed level, what REPLACE does is delete the original file, copy the new file to the original's name, then reset the attributes, date, time, and size as they were on the original file. Essentially, the new file has become the old one.
For example, you could "REPLACE LEMMINGS.EXE DIR-2.COM" and then distribute "Lemmings" to all of the lame k-rad pir8 boards in the area (good pirate boards wouldn't take such an old game to begin with). As shown, .COMs may replace .EXEs, and vice-versa, with one exception: an .EXE which REPLACEs a .COM must be smaller than 64k, or else DOS will give an error when it is executed. Also note that REPLACEing a file with a larger one will cause excess bytes in the new file to be clipped (ie: if you replace a 1000 byte file with a 2000 byte one only the first 1000 bytes of the 2000 byte file will be copied), so don't try it on executable files.

To run REPLACE, just provide two arguments, the first being the name of the old file and the second the name of the new one, the file to be replaced and the replacer, respectively. Wildcards are NOT allowed. Also, remember the size warnings in the previous paragraphs to avoid embarrassing mistakes (imagine how humiliating it would be to upload a trojan to Ross Greenberg's shitty BBS and have it get an error!). Have fun with this one.

RESIZE
------

RESIZE is a file resizer: it lets you alter the size of an existing file, either making it larger or smaller. RESIZE may be invoked in several different ways. If the first parameter is "-r" then random byte filling is used (if the file size is being increased then the extra space is padded with random bytes); otherwise blanks are used as padding. The other parameter, besides file name(s) is the size variation. This may be either relative or absolute. To modify a file's size absolutely, you just give a number; the file's size is then changed to that number. If you want the size to be relative, then you give the size of the change (in bytes), preceded by either a "+" (to make the file bigger) or "-" (to decrease it by the same amount). The remaining parameters are file names, wildcards allowed.
Note that if you elect to make a file smaller, then the excess data will be forever lost, so don't go around trimming things without good cause thinking that you'll be saving disk space or something idiotic like that. If you do you'll deserve it.

You might wonder "Why the -r option?" Well, it's there because if you try to PKZIP or otherwise compress a RESIZEd file that was blank-padded, then it will compress down to its original size (less whatever it would have gone down to had it not been RESIZEd). If you saw a 1000000 byte file in an archive being compressed to 2000 bytes, I think you'd be just a bit suspicious (though I know at least one (ex-)sysop who wasn't, hehehe). With the random bytes the compressor is unable to pack that area much, keeping the illusion that the file is larger than it really is. Also, in case you were wondering, RESIZEd executable files will still run normally, RESIZEd .GIFs will still view properly, and so on.

Suggested uses for RESIZE: to increase the size of virii and trojans and upload them to boards (renamed, of course); after all, would you download a 500-byte program labeled "really awesome virtual reality simulator?" You would if it were one megabyte, though. As I stated before, DO NOT ABUSE THIS PROGRAM AND UPLOAD INFLATED FILES TO GOOD BOARDS FOR CREDIT. If you want to do it to a lamer, go ahead, but like I said before, if everyone RESIZEd their files then everyone would be wasting time downloading tiny, useless, lame programs made out to be cool by their large size. Don't be lame and abuse these utilities; they were meant for causing mayhem, but don't inflict it on your friends.

RESIZE has a few other uses. You can RESIZE (normally) a file which PKLITE or LZEXE refuses to compress; it will end up no larger, and this method sure beats the old UNDELETE procedure.

An interesting side note. My friend Leeking Virus has discovered another use for this versatile utility.
Here's a way he came up with (and tested, I might add) for crashing boards. When you go to upload (or even download, depending on the software), most BBSs will tell you how much space is free on the hard disk. What you do is RESIZE a small file to take up at least that much space and then upload it while no one's around (naturally boards with two gigabyte hard disks are pretty much immune to this, as your hard disk must be large enough to hold the RESIZEd file). You must be sure to NOT use the -r option, and NOT to PKZIP it. Unless you want to totally waste time, be sure to use JMODEM or another protocol with data compression. The file will still take what it originally would to download, but it will swell up on the receiver's hard disk to fill it up. Hehehe. On Telegard boards it has the added advantage of locking up the board; Telegard tries to log the fact that the disk is full to an error file, but since there's no room, it can't create the file, so it tries to log that error, and so on, trapping the board in an infinite loop. Other BBS software might do this too, but so far Telegard is the only system that's been tested. At the very least there'll be no more uploads that day. Another possibility is to RESIZE -r a file to the size of the target hard disk, give it the read-only attribute, ZIP it up and give it to a board that automatically PKUNZIPs files for scanning. Similar effects...

USER2TXT
--------

If you're into hacking boards, I'm sure you know the most prized possession you can take is the user list. The information in that file can get you accounts on many other boards all over the country (if the people are stupid enough to use the same password on every board they call, which many people are). But how do you take a user list, in binary format, and turn it into a readable form?
If you have Telegard (or whatever other BBS it comes from) you could just copy it to your GFILES directory, use the (U) option, and flip through the users one by one, writing down the passwords and phone numbers. But what if you don't have the time, or you don't have Telegard, or you'd like a nice file for on-line reference from your comm program? USER2TXT fills that gap.

To use USER2TXT, give it two parameters, the first being the name of the Telegard v2.5/v2.7 or X-Ot-Icks v3.8 user list (almost always USER.LST), and the second being the name of the output file. USER2TXT will convert the binary data in the first file to readable ASCII. The second file will contain each user's name, real name, password, and phone number. The first user will always be the sysop.

This program really has only one use, which I've already described above. This is a simple utility, but one that you'll find very useful.

WIPE
----

WIPE is a little utility I wrote to totally wipe a file off of a disk. You run WIPE with one or more file names (wildcards allowed), which are the files to wipe. The files are unrecoverable by normal means (UNDELETE, QU, DISKEDIT, etc.), so be VERY careful with this; it DOES NOT prompt you to verify your choice. This was done because I figured if you were ever in the situation to need this program (a bust, etc.) you would not want to be slowed down constantly hitting "Y." I'd also advise renaming this program, as it's only a matter of time before some lamer develops an ANSI bomb that runs it.

Suggested uses for this program: only one, really, and that's to destroy sensitive information in case of a bust. If I were you, I'd write a batch file called BUST.BAT, or something like that, that would automatically WIPE all of the files you needed destroyed. This program is much faster than Norton's DISKWIPE or WIPEFILE because mine doesn't need to meet some silly military standard.
I'm sure if someone were REALLY REALLY desperate they could possibly get your files back, but they'd need sophisticated equipment that no police force would normally have. If you have the time (ie: you've been warned the cops are coming for you) then I'd advise using WIPEDISK or another military-standard wipe program, but WIPE is much faster in case you don't have the time. Like I said, BE VERY CAREFUL WITH IT. Nowhere Man and [NuKE] are NOT responsible if you fuck yourself over with this. It is only meant for desperate situations.

Revision Information
--------------------

Version 2.00 (September 5, 1992)

  o DECRYPT, FAKEWARE and USER2TXT programs added.

  o Removed a bug in RESIZE that would create huge files if you attempted to make a file smaller than its current size (ie: RESIZE -10000 TEST.DAT where TEST.DAT is only 5000 bytes long). Thanks to Guido Sanchez.

  o Major revisions to FIXTIME. The help message was revised to correctly indicate that several filenames can be used (v1.00's help message read "FIXTIME [hh:mm:ss [mm-dd-yy]] filename," but there should have been ellipses after "filename"). I've also changed FIXTIME so that it isn't necessary to specify a time in order to change file dates. Dates and times are also checked for invalid settings (for example, the time "99:99:99").

  o CRYPTCOM's decryption routine has been changed, slightly increasing its size but making it faster and more compatible with certain (picky) programs.

  o NOLZEXE now recognizes files compressed with PKLITE v1.1x.

  o All programs that utilized random numbers have had their random-number generation routines updated. This will not affect the functioning of the programs.

  o Documentation cleaned up. Many spelling/grammatical errors were fixed, the layout was changed, and several inaccuracies (including a reference to a non-existent paragraph) were corrected.

Version 1.00 (January 25, 1992)

  o Initial release.

Closing comments
----------------

As you can see, the Nowhere Utilities are very powerful, but they also can be abused -- DON'T. I intended for the entire virus community to benefit from these, not for some losers to abuse them. Other than that little warning, I heartily encourage you to experiment with the utilities, to use them in new and interesting ways (if you find a novel use for a utility, let me know so I can mention it in the next version). Enjoy them.

As usual, greets go out to Rock Steady, Rigor Mortis, Leeking Virus and Murdak, all [NuKE] and SCP members and sites, Phalcon/SKISM, and all virus-writers everywhere. Thanks to anyone else who I forgot to mention; your input into this project is still greatly appreciated, even if I do forget a name here and there.

If anyone has any questions, comments, complaints, or suggestions about this or any other fine product from Nowhere Man or [NuKE], I can be reached at The Hell Pit and FreeMatrix, both official U.S. distribution sites for [NuKE]. I also monitor most Chicago-area networks, as well as NuKENet, Swashnet, CyberCrime International, P/S Net, and FidoNet; responses to my products may be posted there also.

Once again, so long, and happy virusing.

-- Nowhere Man, [NuKE] '92
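
The disk-filling uploads described under RESIZE depend on a file expanding far beyond its transferred size, or on a scanner unpacking an archive without checking what it expands to. The following is an added example, not part of the original documentation: a check an upload scanner could run in memory before unpacking anything, with the thresholds, function names and sample archive constructed for illustration.

```python
"""Added example: vet an uploaded ZIP in memory before anything is unpacked
to disk. Thresholds and names are assumptions, not from the original text."""
import io
import os
import zipfile

CHUNK = 64 * 1024


def vet_archive(blob: bytes, budget: int, max_ratio: float = 100.0,
                max_pad: int = 64 * 1024) -> list:
    """Return (member, reason) findings; an empty list means nothing flagged.

    budget    -- bytes the caller will let the archive expand to
                 (e.g. free disk space minus a reserve for logs)
    max_ratio -- declared uncompressed/compressed ratio treated as abnormal
    max_pad   -- longest tolerated run of one repeated byte ending a member
    """
    findings = []
    expanded = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Cheap header check: blank padding deflates to almost nothing.
            if info.file_size / max(info.compress_size, 1) > max_ratio:
                findings.append((info.filename, "ratio"))
            # Do not rely on the header alone: count bytes as they inflate
            # and stop the moment the budget is exceeded.
            run, last = 0, None
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    expanded += len(chunk)
                    if expanded > budget:
                        findings.append((info.filename, "budget"))
                        return findings
                    # Track the run of identical bytes that ends the stream.
                    tail = len(chunk) - len(chunk.rstrip(chunk[-1:]))
                    if tail == len(chunk) and chunk[-1] == last:
                        run += tail
                    else:
                        run = tail
                    last = chunk[-1]
            if run > max_pad:
                findings.append((info.filename, "padding"))
    return findings


def build_sample() -> bytes:
    """Constructed archive: one blank-padded and one random-padded member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("blank.dat", b"MZ stub" + b" " * 2_000_000)
        zf.writestr("random.dat", b"MZ stub" + os.urandom(200_000))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for limit in (10_000_000, 2_100_000, 1_000_000):
        print(limit, vet_archive(sample, limit))
```

Random padding passes the ratio and padding checks, which is why the running byte budget is the control that matters; in production the budget would come from the free space on the unpack volume.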