How to Mess With CMOS


The basic settings on your computer such as how many and what kinds of disk drives and which ones are
used for booting are held in a CMOS chip on the mother board. A tiny battery keeps this chip always
running so that whenever you turn your computer back on, it remembers what is the first drive to check in
for bootup instructions. On a home computer it will typically be set to first look in the A: drive. If the A:
drive is empty, it next will look at the C: drive.  

On my computer, if I want to change the CMOS settings I press the delete key at the very beginning of the
bootup sequence. Then, because I have instructed the CMOS settings to ask for a password, I have to give
it my password to change anything. 

If I don't want someone to boot from the A: drive and mess with my password file, I can set it so it only
boots from the C: drive. Or even so that it only boots from a remote drive on a LAN. 

So, is there a way to break into a Win 95 box that won't boot from the A: drive? Absolutely yes! But before
trying this one out, be sure to write down *ALL* your CMOS settings. And be prepared to make a total
wreck of your computer. Hacking CMOS is even more destructive than hacking system files. 

Step one: get a phillips screwdriver, solder sucker and soldering iron. 

Step two: open up your victim. 

Step three: remove the battery . 

Step four: plug the battery back in. 

Alternate step three: many motherboards have a 3 pin jumper to reset the CMOS to its default settings. Look
for a jumper close to the battery or look at your manual if you have one. 
For example, you might find a three pin device with pins one and two jumpered. If you move the jumper to
pins two and three and leave it there for over five seconds, it may reset the CMOS. Warning --  this will not
work on all computers! 

Step five: Your victim computer now hopefully has the CMOS default settings. Put everything back the way
they were, with the exception of setting it to first check the A: drive when booting up. 

******************************* 
You can get fired warning: If you do this wrong, and this is a computer you use at work, and you have to go
crying to the systems administrator to get your computer working again, you had better have a convincing
story. Whatever you do, don't tell the sysadmin or your boss that "The Happy Hacker made me do it"! 
******************************* 

Step six: proceed with the A: drive boot disk break-in instructions. 

Does this sound too hairy? Want an easy way to mess with CMOS? There's a program you can run that
does it without having to play with your mother board. 

How to Mess with CMOS #2 
 Boy, I sure hope you decided to read to the end of this GTMHH before taking solder gun to your
motherboard. There's an easy solution to the CMOS password problem. It's a program called KillCMOS
which you can download from http://www.koasp.com. (Warning: if I were you, I'd first check out this site
using the Lynx browser, which you can use from Linux or your shell account). 
  

Now suppose you like to surf the Web but your Win 95 box is set up so some sort of net nanny program
restricts access to places you would really like to visit. Does this mean you are doomed to live in a Brady
Family world? No way. 

There are several ways to evade those programs that censor what Web sites you visit. 

Now what I am about to discuss is not with the intention of feeding pornography to little kids. The sad fact
is that these net censorship programs have no way of evaluating everything on the Web. So what they do is
only allow access to a relatively small number of Web sites. This keeps kids form discovering many
wonderful things on the Web. 

As the mother of four, I understand how worried parents can get over what their kids encounter on the
Internet. But these Web censor programs are a poor substitute for spending time with your kids so that they
learn how to use computers responsibly and become really dynamite hackers! Um, I mean, become
responsible cyberspace citizens. Besides, these programs can all be hacked way to easily. 

The first tactic to use with a Web censor program is hit control-alt-delete. This brings up the task list. If the
censorship program is on the list, turn it off. 

Second tactic is to edit the autoexec.bat file to delete any mention of the web censor program. This keeps it
from getting loaded in the first place. 

But what if your parents (or your boss or spouse) is savvy enough to check where you've been surfing?
You've got to get rid of those incriminating records whowing that you've been surfing Dilbert! 

It's easy to fix with Netscape. Open Netscape.ini with either Notepad or Word Pad. It probably will be in the
directory C:\Netscape\netscape.ini. Near the bottom you will find your URL history.  Delete those lines. 

But Internet Explorer is a really tough browser to defeat. 
Editing the Registry is the only way (that I have found, at least) to defeat the censorship feature on Internet
Explorer. And, guess what, it even hides several records of your browsing history in the Registry. Brrrr! 

*************************  
Newbie note: Registry! It is the Valhalla of those who wish to crack Windows. Whoever controls the
Registry of a network server controls the network --  totally. Whoever controls the Registry of a Win 95 or
Win NT box controls that computer -- totally. The ability to edit the Registry is comparable to having root
access to a Unix machine. 
'em  

How to edit the Registry: 

Step zero: Back up all your files. Have a boot disk handy. If you mess up the Registry badly enough you
may have to reinstall your operating system. 

****************************** 
You can get fired warning: If you edit the Registry of a computer at work, if you get caught you had better
have a good explanation for the sysadmin and your boss. Figure out how to edit the Registry of a LAN
server at work and you may be in real trouble.  ******************************* 

******************************* 
You can go to jail warning: Mess with the Registry of someone else's computer and you may be violating
the law. Get permission before you mess with Registries of computers you don't own. 
******************************* 

Step one: Find the Registry. This is not simple, because the Microsoft theory is what you don't know won't
hurt you. So the idea is to hide the Registry from clueless types. But, hey, we don't care if we totally trash
our computers, right? So we click Start, then Programs, then Windows Explorer, then click on the Windows
directory and look for a file named "Regedit.exe." 

Step two: Run Regedit. Click on it. It brings up several folders: 

HKEY_CLASSES_ROOT 
HKEY_CURRENT_USER 
HKEY_LOCAL_MACHINE 
HKEY_USERS 
HKEY_CURRENT_CONFIG 
HKEY_DYN_DATA 

What we are looking at is in some ways like a password file, but it's much more than this. It holds all sorts of
settings -- how your desk top looks, what short cuts you are using, what files you are allowed to access. If
you are used to Unix, you are going to have to make major revisions in how you view file permissi ons and
passwords. But, hey, this is a beginners' lesson so we'll gloss over this part. 

**************************** 
Evil genius tip: You can run Regedit from DOS from a boot disk. Verrrry handy in certain situations... 
**************************** 

Step three. Get into one of these HKEY thingies. Let's check out CURRENT_USER by clicking the plus sign
to the left of it. Play around awhile. See how the Regedit gives you menu choices to pick new settings. You'll
soon realize that Microsoft is babysitting you. All you see is pictures with no clue of who these files look in
DOS. It's called "security by obscurity." This isn't how hackers edit the Registry. 

Step four. Now we get act like real hackers. We are going to put part of the Registry where we can see -- and
change --  anything. First click the HKEY_CLASSES_ROOT line to highlight it. Then go up to the Registry
heading on the Regedit menu bar. Click it, then choose "Export Registry File." Give it any name you want,
but be sure it ends with ".reg". 

Step five. Open that part of the Registry in Word Pad. It is important to use that program instead of Note
Pad or any other word processing program. One way is to right click on it from Explorer. IMPORTANT
WARNING: if you left click on it, it will automatically import it back into the Registry. If you were messing
with it and accidentally left click, you could trash your computer big time. 

Step six: Read everything you ever wanted to know about Windows security that Microsoft was afraid to let
you find out. Things that look like: 


[HKEY_CLASSES_ROOT\htmlctl.PasswordCtl\CurVer] 
@="htmlctl.PasswordCtl.1" 

[HKEY_CLASSES_ROOT\htmlctl.PasswordCtl.1] 
@="PasswordCtl Object" 
 [HKEY_CLASSES_ROOT\htmlctl.PasswordCtl.1\CLSID] 
@="{EE230860-5A5F-11CF-8B11-00AA00C00903}"  

The stuff inside the brackets in this last line is an encrypted password controlling access to a program or
features of a program such as the net censorship feature of Internet Explorer. What it does in encrypt the
password when you enter it, then compare it with the unencrypted version on file. 

Step seven: It isn't real obvious which password goes to what program. I say delete them all! Of course this
means your stored passwords for logging on to your ISP, for example, may disappear. Also, Internet
Explorer will pop up with a warning that "Content Advisor configuration information is missing. Someone
may have tried to tamper with it." This will look really bad to your parents! 

Also, if you trash your operating system in the process, you'd better have a good explanation for your Mom
and Dad about why your computer is so sick. It's a good idea to know how to use your boot disk to reinstall
Win 95 it this doesn't work out. 

Step eight (optional): Want to erase your surfing records? For Internet Exp lorer you'll have to edit
HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE and HKEY_USERS. You can also delete the files
c:\windows \cookies\mm2048.dat and c: \windows\cookies\mm256.dat. These also store URL data. 

Step nine. Import your .reg files back into the Regis try. Either click on your .reg files in Explorer or else use
the "Import" feature next to the "Export" you just used in Regedit. This only works if you remembered to
name them with the .reg extension. 

Step nine: Oh, no, Internet Explorer makes this loud  obnoxious noise the first time I run it and puts up a
bright red "X" with the message that I tampered with the net nanny feature! My parents will seriously kill
me! 

Or, worse yet, oh, no, I trashed my computer!  

All is not lost. Erase the Registry and its backups. These are in four files: system.dat, user.dat, and their
backups, system.da0 and user.da0. Your operating system will immediately commit suicide. (This was a
really exciting test, folks, but I luuuv that adrenaline!) If you get cold feet, the Recycle bin still works after
trashing your Registry files, so you can restore them and your computer will be back to the mess you just
made of it. But if you really have guts, just kill those files and shut it down. 

Then use your Win 95 boot disk to bring your computer back to life. Reinstall Windows 95. If your desk top
looks different, proudly tell everyone you learned a whole big bunch about Win 95 and decided to practice
on how your desk top looks. Hope they don't check Internet Explorer to see if the censorship program still is
enabled. 




And if your parents catch you surfing a Nazi explosives instruction site, or if you catch your kids at bianca's
Smut Shack, don't blame it on Happy Hacker. Blame it on Microsoft security -- or on parents being too busy
to teach their kids right from wrong. 

So why, instead of having you edit the Registry, didn't I just tell you to delete those four files and reinstall
Win 95? It's because if you are even halfway serious about hacking, you need to learn how to edit the
Registry of a Win NT computer. You just got a little taste of what it will be like here, done on the safety of
your home computer.  

You also may have gotten a taste of how easy it is to make a huge mess when messing with the Registry.
Now you don't have to take my work for it, you know first hand how disastrous a clumsy hacker can be
when messing in someone else's computer systems. 
 So what is the bottom line on Windows 95 security? Is there any way to set up a Win 95 box so no one can
break into it? Hey, how about that little key on your computer? Sorry, that won't do much good, either. It's
easy to disconnect so you can still boot the box. Sorry, Win 95 is totally vulnerable. 

In fact, if you have physical access to *ANY* computer, the only way to keep you from breaking into it is to
encrypt its files with a strong encryption algorithm. It doesn't matter what kind of computer it is, files on any
computer can one way or another be read by someone with physical access to it  --  unless they are
encrypted with a strong algorithm such as RSA. 

We haven't gone into all the ways to break into a Win 95 box remotely, but there are plenty of ways. Any
Win 95 box on a network is vulnerable, unless you encrypt its information. 

And the ways to evade Web censor programs are so many, the only way you can make them work is to
either hope your kids stay dumb, or else that they will voluntarily choose to fill their minds with worthwhile
material. Sorry, there is no technological substitute for bringing up your kids to know right from wrong. 

****************************** 
Evil Genius tip: Want to trash most of the policies can be invoked on a workstation running Windows 95?
Paste these into the appropriate locations in the Registry. Warning: results may vary and you may get into
all sorts of trouble whether you do this successfully or unsuccessfully. 

[HKEY_LOCAL_MACHINE \Network\Logon] 

[HKEY_LOCAL_MACHINE \Network\Logon] 
"MustBeValidated"=dword:00000000 
"username"="ByteMe" 
"UserProfiles"=dword:00000000 

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies] 
"DisablePwdCaching"=dword:00000000 
"HideSharePwds"=dword:00000000 

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies\Explorer] 

"NoDrives"=dword:00000000 
"NoClose"=dword:00000000 
"NoDesktop"=dword:00000000 
"NoFind"=dword:00000000  
"NoNetHood"=dword:00000000 
"NoRun"=dword:00000000 
"NoSaveSettings"=dword:00000000 
"NoRun"=dword:00000000 
"NoSaveSettings"=dword:00000000 
"NoSetFolders"=dword:00000000  
"NoSetTaskbar"=dword:00000000 
"NoAddPrinter"=dword:00000000 
"NoDeletePrinter"=dword:00000000 
"NoPrinterTabs"=dword:00000000 

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies\Network] 




"NoNetSetup"=dword:00000000 
"NoNetSetupIDPage"=dword:00000000  
"NoNetSetupSecurityPage"=dword:00000000   "NoEntireNetwork"=dword:00000000 
"NoFileSharingControl"=dword:00000000 
"NoPrintSharingControl"=dword:00000000 
"NoWorkgroupContents"=dword:00000000 

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies\System] 

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies\System] 

"NoAdminPage"=dword:00000000 
"NoConfigPage"=dword:00000000 
"NoDevMgrPage"=dword:00000000 
"NoDispAppearancePage"=dword:00000000 
"NoDispBackgroundPage"=dword:00000000 
"NoDispCPL"=dword:00000000 
"NoDispScrSavPage"=dword:00000000  
"NoDispSettingsPage"=dword:00000000 
"NoFileSysPage"=dword:00000000 
"NoProfilePage"=dword:00000000 
"NoPwdPage"=dword:00000000 
"NoSecCPL"=dword:00000000 
"NoVirtMemPage"=dword:00000000 
"DisableRegistryTools"=dword:00000000 

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies\WinOldApp 

                              [END of message text] 
                          [Already at end of message] 
  PINE 3.91   MESSAGE TEXT           Folder: INBOX   Message 178 of 433 END 
  

[HKEY_CURRENT_USER\Software\Microsoft \Windows \CurrentVersion\Policies\WinOldApp 

"Disabled"=dword:00000000 
"NoRealMode"=dword:00000000

Popular Posts