Legion (demon): "And he asked him, What is thy name? And he answered, saying, My name is Legion: for we are many" (KJV) (AV), The Gospel of Mark 5:9 (Gk. Κατά Μάρκον Ευαγγέλιον) ["we are legion, for we are many"] (King James Version of the Bible)
Legion (software): Legion is a computer software system variously classified as a distributed operating system, a peer-to-peer system, metacomputing software, or middleware. One of the slogans of the Legion project is "mechanism, not policy".


I WANT PARLIAMENTARY IMMUNITY BECAUSE IT'S MY OWN BUSINESS

Saturday, 21 November 2009

Code-Encryption





Encrypting your code

author : zyzygygr TGA
date:1st May ***5
Dedicated to you my star, my love

intro:

this is a very lame essay on encrypting your code, pretty much everybody knows it, but it is for those who are new to this. so the l33t can skip this one.

tools/knowledge:

8086 assembly language
tasm
imagination ;)

essay:
so how many times did you feel that you wanted your code to get encrypted and decrypted as and when you desired?
as meaty as the topic sounds, trust me it is nowhere near it. all you need is basic assembly language and a dollop of imagination ;). imagination is your key here.

i will present a very simple piece of code and explain the technique through it.



---------------------------------------CODE STARTS HERE------------------------------------------

data segment
no1 db 07h ;nos. to add
no2 db 01h
xor1 db 44h,78h,23h,67h ;array of numbers to enc.
xor2 db 23h,89h,35h,55h
data ends

code segment

assume cs:code ,ds:data

start:

mov ax,data
mov ds,ax
mov al,no1
call addfn
call modfn
call modfn2
call modfn2
call modfn
call addfn
int 3

addfn proc

add al,no2
ret

addfn endp

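modfn proc

mov si,04h ;counter: the add instruction in addfn is 4 bytes long
lea di,xor1 ;di walks forward through the key array
loop1:
mov al,[di]
xor byte ptr cs:[addfn+si-1],al ;si runs 4..1, so -1 covers offsets 3..0
sub si,01h
jz exit
inc di
jmp loop1
exit:ret

modfn endp

modfn2 proc

mov di,04 ;same counter, second key array
lea si,xor2
loop2:
mov al,[si]
xor byte ptr cs:[addfn+di-1],al ;second xor layer over the same 4 bytes
sub di,01h
jz ex
inc si
jmp loop2
ex:ret

modfn2 endp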

code ends
end start

-------------------------------------------CODE ENDS HERE----------------------------------------


the program does an addition of two numbers. simple pimple!

now, after it has added, we modify the code at the address of the addition function.

functions:

addfn: adds two numbers

modfn: func. 1, encrypts addfn

modfn2: func. 2, encrypts the already encrypted addfn


i have used the xor function, for it is the simplest method to encrypt and decrypt data: applying the same xor a second time restores the original bytes. the add instruction in addfn takes up 4 bytes.

addfn is just a label; it actually refers to a memory address. hence the first byte it points to is the opcode of the instruction "add al,no2".

the instruction is 4 bytes long, hence we take a counter of 4 and encrypt it using another array of numbers.

due to the addressing mode, we have to load the address of the array of numbers into one of the index registers and then put it in a loop. thus, instead of encrypting the code with just one number, we are encrypting it with random numbers (which can either be given directly as we did or come from functions like GetTickCount and other randomize functions, your choice!)

modfn encrypts addfn initially and then modfn2 encrypts the encrypted addfn. double encryption!

you can use any encryption technique as per your imagination!
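The byte-level effect of the modfn/modfn2 loops, modelled in Python as an added example (not the author's code). The five bytes are a constructed encoding of `add al,[0001h]` followed by `ret`, and `bias` is a hypothetical parameter that selects between indexing `addfn+counter` and `addfn+counter-1`. It shows which offsets each indexing touches and that the two xor layers collapse into a single xor keyed with `xor1 ^ xor2`.

```python
# Added illustration, not the essay's code: byte-level model of modfn/modfn2.
ADDFN = bytes([0x02, 0x06, 0x01, 0x00, 0xC3])  # constructed: add al,[0001h] / ret
XOR1 = bytes([0x44, 0x78, 0x23, 0x67])         # key arrays from the listing
XOR2 = bytes([0x23, 0x89, 0x35, 0x55])


def touched_offsets(count, bias):
    """Offsets hit when the counter runs count..1 and the index is counter+bias."""
    return sorted(counter + bias for counter in range(count, 0, -1))


def xor_pass(code, key, count, bias):
    """One call of the loop: the counter counts down while the key pointer moves
    up, so key[0] lands on the highest offset and key[count-1] on the lowest."""
    out = bytearray(code)
    for step, counter in enumerate(range(count, 0, -1)):
        out[counter + bias] ^= key[step]
    return bytes(out)


def run_sequence(code, bias):
    """States after each call in the program's order: modfn, modfn2, modfn2, modfn."""
    states = [bytes(code)]
    for key in (XOR1, XOR2, XOR2, XOR1):
        states.append(xor_pass(states[-1], key, 4, bias))
    return states


def combined_key():
    """Two xor layers are equivalent to one layer keyed with xor1 ^ xor2."""
    return bytes(a ^ b for a, b in zip(XOR1, XOR2))


if __name__ == "__main__":
    for bias, label in ((0, "addfn+counter"), (-1, "addfn+counter-1")):
        print(label, "touches offsets", touched_offsets(4, bias))
        calls = ("plain", "modfn", "modfn2", "modfn2", "modfn")
        for name, state in zip(calls, run_sequence(ADDFN, bias)):
            print("  after %-6s %s" % (name, state.hex(" ")))
    single = xor_pass(ADDFN, combined_key(), 4, -1)
    print("one pass with xor1^xor2:", single.hex(" "))
```

With `addfn+counter` the opcode byte at offset 0 stays in the clear and the `ret` at offset 4 is modified instead; with `addfn+counter-1` exactly the four instruction bytes are covered.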

now the add function has just one instruction ,what i mean is :

addfn proc

add al,no2
ret

addfn endp

hence you know that all you have to encrypt is just a couple of bytes, but what happens when the procedure is really long? there you don't know how many bytes to encrypt, unless your intuition is pretty good!

so what do we do?

add a label at the point up to which you want to encrypt.

somefn proc
................
................
................

encrypttillhere: ret

somefn endp

now you have the point up to which you want to encrypt. here are the changes you have to make in modfn.

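modfn proc
lea si,somefn
lea di,encrypttillhere
sub di,si ;di = number of bytes between the two labels
lea si,xor1 ;key array must hold at least that many bytes

loop1:
mov al,[si]
xor byte ptr cs:[somefn+di-1],al ;di runs count..1, -1 covers the first byte too
sub di,01h
jz exit
inc si
jmp loop1

exit:ret

modfn endp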

pretty small eh? :D

first we load the address of somefn in si. then di is loaded with the address of the point up to which we want to encrypt.

subtracting si from di gives you the number of bytes, as an address indicates the number of bytes from a reference address.
now you have the number of bytes to encrypt and you can go crazy with your encryption algorithm.

this is one of the many techniques through which you can change your code. you have to be wise as to where to call the encrypting fn and the decrypting fn, because when you are trying to hide the protection, a wrong enc. or dec. call can leak the protection.

moral: let your imagination take the driver's seat and watch what happens to your code!
pretty simple huh.
well, end of essay. now you can play with your code.
have phun!

Greetz :all my friends(you know who you are),fusion members.
comments and suggestions are welcome.
email: the-legions

zyzygygr8atyahoodotcom

GuardianAngel

ASTALAVISTA







Tuesday, 17 November 2009

TUTORIAL TO CRACK WINRAR 3.10 BETA 4


Disclaimer: THIS TEXT IS FOR EDUCATIONAL PURPOSES ONLY !I DON'T BEAR THE CONSEQUENCES OF YOUR ACTIONS!!!

AUTHOR: zyzygy TGA

TOOLS REQUIRED: CODE FUSION (astalavista.box.sk)


WIN32DASM 8.93 (ANY VERSION WILL DO)


SKILL LEVEL: VERY EASY


TARGET: WINRAR 3.10 beta 4



Hi there, this is a simple target to crack so I will try to keep it as simple as possible. Let's get started.

When you run winrar.exe you will find an annoying nag screen asking you to purchase it, and some functions are disabled too.

O.k., now disassemble it and under string references look for "evaluation copy" or "available in registered version only".

Scroll up a bit and you see this piece of code.

* Referenced by a CALL at Addresses:
|:00444FDD , :0045462A , :00456CDD|

:004459D4 81C400FCFFFF add esp, FFFFFC00
:004459DA 50 push eax

* Possible StringData Ref from Data Obj ->"%s - WinRAR"
|
:004459DB 68B6FD4800 push 0048FDB6
:004459E0 8D442408 lea eax, dword ptr [esp+08]
:004459E4 50 push eax
:004459E5 E87AAD0300 call 00480764
:004459EA 83C40C add esp, 0000000C
:004459ED 803DA870490000 cmp byte ptr [004970A8], 00 <--this is an important check.
:004459F4 757A jne 00445A70
:004459F6 A118874A00 mov eax, dword ptr [004A8718]
:004459FB 83F814 cmp eax, 00000014
:004459FE 7C05 jl 00445A05
:00445A00 83F828 cmp eax, 00000028
:00445A03 7C1D jl 00445A22

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004459FE(C)|

* Possible Reference to String Resource ID=00873: "evaluation copy"

If you search for it you will find the instruction

803DA870490000 cmp byte ptr [004970A8], 00

So if you change the above instruction to:

803DA870490000 cmp byte ptr [004970A8], 01

everywhere then it will get cracked ;-) as we are making it check with the wrong condition.

Now we use Code Fusion to simplify our task.

Open it and fill in the required details and then select the original file as winrar.exe by clicking on the '+' sign.

Now in the patch section click on the '+' sign and select "Find and replace" and in that in the first window enter :

803DA870490000

In the second window enter the following

803DA870490001 ;This is the modified code

Now select "Replace All" and click o.k..

Then click next and make the executable and run it.

Run the cracked winrar.exe and you will find that all the disabled features are removed. Click on "Help" and "About", you will find the following code:

"Registered to: "

Well, if you want it to be registered to your name then create rarreg.key in the destination directory and enter the following details:

Registered to:
Your name
Your company

Save it and then run winrar.exe and see the about section and you will find it to be registered to you.

That's all from me for now .I hope it was simple and easy to digest.

Comments and suggestions are welcome.

Email:
the-legions@mail.ru


ASTALAVISTA


The- Legions
«You may stop this individual, but you can't stop us all... after all, we're all alike.»
No-one is innocent

API Tutorials

-------------------------------------------------------------------
9x/NT API Hooking via Import Tables | [Guardian Angel] | UG3 |
-------------------------------------------------------------------


Hi, this is a follow-up tutorial to my 'Understanding Import Tables' which
i wrote a couple of years ago, the aim of this tutorial is to show how
easy it can be to hook apis in a single thread process, the tutorial requires
you to have knowledge of import table structures, i.e. u've read my previous
document.

wuts goin on
-------------

ok, so what are we gonna do? im gonna explain how to code an api hook for
a little exe ive created which detects softice through CreateFileA.

The concept
-----------

We need to emulate createfilea and change its output, so we'll code a new
createfilea controlling api, this will be done inside a dll, and basically the
way its going to work is our softice detecting exe has createfilea in the import table,
this'll be in the kernel thunk, we'll create a dll and in its entrypoint it'll scan
the import table for the createfilea then it'll replace it with a pointer to
our new createfilea function. whad'ya mean I dont make sense, RIGHT!
you've asked for it now, prepare for an outstanding diagram.


















Ok it wasnt quite what i expected but it'll do. Detect.exe will call a create
on several SoftICE drivers, if all return false(-1) then softice isnt installed
but if a success is returned then SoftICE is installed, the Call CreateFile
that it'll use is a call dword ptr [xxxxxx] (FF 15 xx xx xx xx), the xxxx is
an address in the rdata kernel's first thunk, at run time this'll be the
address of createfile in kernel32.dll, we need to simply redirect this to
our own function, so, we're gonna need some free space, i've chosen
to use a dll. Our dll which ive decided to name core.dll is going to contain
some code in its entry point to:

  • Find the EXE import table pointer
  • Find the kernel import descriptor
  • Find the First Thunk entry
  • Scan the thunk for createfileapi
  • Change entry to our code
Sounds like a cunning plan doesnt it, ok so all this is going to be done in our
DLL in its entrypoint, the entrypoint is called during the LoadLibrary process,
we need all this to be done at the start of our exe, so we need another cunning
plan to load our dll on the detect.exe's entrypoint, ahh 2 cunning plans in one day
we're on a roll now, for loading the dll on detects entrypoint i've come up with a
novel idea of writing a new piece of code called Loader.exe, heres its objectives:

  • Create the process detect.exe in suspended mode
  • Readprocessmemory the first 500bytes from entrypoint
  • Writeprocesmemory over the entrypoint with some dynamic LoadLibrary code
  • Resume process
  • Use various getcontext calls to wait until Loadlibrary finished(i.e. all hooking)
  • Suspend process
  • Writeprocessmemory over the old entrypoint code
  • Restore exe to start position
  • Resume process with hook in place :-)
First we need a plain dll, here is one
________________________________________________________________________
.486
locals
jumps
.Model Flat ,StdCall

o equ offset
HINSTANCE EQU DWORD


extern CreateFileA :PROC
extern VirtualAlloc :PROC
extern VirtualFree :PROC
extern GetFileSize :PROC
extern CloseHandle :PROC
extern ReadFile :PROC
extern WriteFile :PROC
extern MessageBoxA :PROC
extern GetOpenFileNameA :PROC
extern ExitProcess :PROC
extern WriteProcessMemory :PROC
extern ReadProcessMemory :PROC
extrn SetFilePointer:PROC
extrn _wsprintfA:PROC
extrn lstrlen:PROC
extrn VirtualProtectEx:PROC
extrn OpenProcess:PROC
extrn GetThreadContext:PROC
extrn GetCurrentThread:PROC
extrn GetCurrentThreadId:PROC
extrn GetModuleHandleA:PROC
extrn GetProcAddress:PROC
extrn GetCurrentProcessId:PROC
extrn lstrcmp:PROC
extrn GetStdHandle:PROC
extrn SendDlgItemMessageA:PROC
extrn SendMessageA:PROC
extrn GetDlgItem:PROC
extrn lstrcat:PROC
extrn RtlZeroMemory:PROC
extrn GetModuleFileNameA:PROC
extrn GetLastError:PROC

include dbg.inc
.data
bytesrw dd 0

.code

DllEntry proc hinstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD

cmp [reason],1
jne no_core_4_u

push hinstDLL
call InitCore
no_core_4_u:
mov eax,1
ret
DllEntry Endp


;-----------------------------------------------------------------------------
InitCore proc DllModule:DWORD
pushad


call dbg1
db '[+] shh, Ive entered the target process',0
dbg1:
call dbg_string
call dbg_allout,1


popad
mov eax,1
ret
InitCore endp
;-----------------------------------------------------------------------------

End DllEntry
________________________________________________________________________
Its a basic dll which will output a message to debug.txt once loaded using my dbg.inc,
all source files and tools are provided (link at bottom)


Ok so we have a dll, this is gonna be the dll we inject into our target process, and like
an evil spy its going to steal information and also modify the exes running behaviour,
now we need the injector which is loader.exe, here it is, take note of the points above
as this is what its doing.

________________________________________________________________________
.486
locals
jumps

.Model Flat ,StdCall
o equ offset
extern CreateFileA :PROC
extern VirtualAlloc :PROC
extern VirtualFree :PROC
extern GetFileSize :PROC
extern CloseHandle :PROC
extern ReadFile :PROC
extern WriteFile :PROC
extern MessageBoxA :PROC
extern GetOpenFileNameA :PROC
extern ExitProcess :PROC
extern WriteProcessMemory :PROC
extern ReadProcessMemory :PROC
extern CreateProcessA :PROC
extern GetThreadContext :PROC
extern Sleep :PROC
extern CharLowerA :PROC
extern SetFileAttributesA :PROC
extern LoadLibraryA :PROC
extern FreeLibrary :PROC
extern SetThreadContext :PROC
extern ResumeThread :PROC
extern SuspendThread :PROC
extern VirtualProtect :PROC
extern GetProcAddress :PROC
extrn SetFilePointer:PROC
extrn _wsprintfA:PROC
extrn lstrlen:PROC
extrn VirtualProtectEx:PROC
extrn GetModuleHandleA:PROC
extrn GetStdHandle:PROC
extrn DialogBoxParamA:PROC
extrn LoadIconA:PROC
extrn SendMessageA:PROC
extrn GetWindowRect:PROC
extrn MoveWindow:PROC
extrn GetDesktopWindow:PROC
extrn SendDlgItemMessageA:PROC
extrn GetDlgItem:PROC
extrn ExitThread:PROC
extrn CreateThread:PROC
extrn lstrcat:PROC
extrn RtlZeroMemory:PROC
extrn CreateFileMappingA:PROC
extrn MapViewOfFileEx:PROC
extrn GetLastError:PROC
extrn GetModuleFileName:PROC

include dbg.inc
.data
tStartupInfo dd 44h
db 44h dup (?) ; startup info for the process were opening
tProcessInfo dd 4 dup (?) ; process / thread handles

filename db 'detect.exe',0
titlef db ' Hook Test',0
msgf db 'An error occured, see debug.txt for details.',0


;dynamic loader
write_data:
db 090h ; change to 0CCh if u wanna debug
call OverLibname
db 'core.DLL',0
OverLibname:
call OverLoadLib
VaLoadLibraryA dd 0
OverLoadLib:
pop eax
mov eax,[eax]
call eax
jmp $
waitp EQU $-write_data
write_data_len EQU $-write_data

Kernel32 db 'Kernel32.dll',0
FuncLL db 'LoadLibraryA',0

jmp_eip db 0EBh, 0FEh
align 4

.data?
threadid dd ?
bytesrw dd ?
fhandle dd ?
buffer dd ?
null dd ?

gEntryPoint dd ?
gImageBase dd ?

oldflags dd ?
memory_ptr dd ?
memory_size dd ?


myBuffer db 1000h dup(?)
align 4
my_context dd 100h dup (?)


.code

main:
LoadApi:
call GetModuleHandleA,o Kernel32
call GetProcAddress,eax,o FuncLL
mov [VaLoadLibraryA],eax

;--------------------------------.Collect_PE_Image_Information.---------------------------

call CreateFileA, o filename,0C0000000h,0,0,3,80h,0
mov [fhandle],eax


call VirtualAlloc,0,1000h,1000h,4
mov [buffer],eax

call ReadFile,[fhandle],[buffer],1000h,o null,0

mov eax,[buffer]
mov edi,[eax+3ch]

lea eax,[eax+edi] ; EAX = PE-HEADER
mov ebx,[eax+28h]
mov [gEntryPoint],ebx ; save entrypoint
cmp ebx,0
jne ITS

call err3
db ' + Error! Null EntryPointed, close open processes',0
err3:
call dbg_string
call error

ITS:

mov ebx,[eax+34h]
mov [gImageBase],ebx


add [gEntryPoint],ebx


call VirtualFree,[buffer],0,8000h
call closehandle,[fhandle]

;-----------------------------------------------------------------------------------------
mov [my_context], 00010000h+1+2+4+8+10h

call CreateProcessA, o filename, 0, 0, 0, 0, 4, 0, 0, o tStartupInfo, o tProcessInfo
call dbg2
db '+ Loading Process ',0
dbg2:
call dbg_string
call dbg_allout,1

call VirtualProtectEx,[tProcessInfo],[gEntrypoint],1000h,40h,o oldflags

call ReadProcessMemory,[tProcessInfo],[gEntryPoint],o myBuffer,100h,0 ; save oep data
mov eax,o myBuffer


call WriteProcessMemory,[tProcessInfo],[gEntryPoint],o write_data,100h,0

call dbg3
db '+ Injected Hook ',0
dbg3:
call dbg_string
call dbg_allout,1

jmp t4
db 'hehe omg here goes nothing!'
t4:

call ResumeThread, [tProcessInfo+4]

call dbg4
db '+ Starting Process - Passing Control to DLL, good luck! ',0
dbg4:
call dbg_string
call dbg_allout,1

call sleep,100h ; take a nap, we deserved it
call GetThreadContext, [tProcessInfo+4], o my_context
test eax, eax
jz anerror

mov edi,[gEntryPoint]
add edi,waitp-2 ; calculate the offset where JMP EIP is

ContextLoopE:
call GetThreadContext, [tProcessInfo+4], o my_context
test eax, eax
jz anerror
mov eax, [my_context+0b8h] ; CONTEXT+B8 = EIP
cmp eax, edi ; are we there yet?
jz run_app
call Sleep, 100h
jmp ContextLoopE


run_app:

call dbg8
db '+ Loader regained control, welcome back sir! ',0
dbg8:
call dbg_string
call dbg_allout,1

call SuspendThread, [tProcessInfo+4] ; STOP!....
call WriteProcessMemory,[tProcessInfo],[gEntryPoint],o mybuffer,100h,0 ; restore code
mov edi,[gEntryPoint]
mov [my_context+0B8h],edi ; set EIP to start
call SetThreadContext, [tProcessInfo+4], o my_context


call ResumeThread, [tProcessInfo+4] ; CARRY ON! ...

push 0
call exitprocess ; we wont bother sticking around


anerror:
error:
call messageboxa,0,o msgf,o titlef,0
call exitprocess,0


end main

________________________________________________________________________
So now we have a loader and dll, we can test these on detect.exe which is provided
compiled and with source below. If you run detect.exe it will say softice detected or
it might say softice not detected, it doesnt really matter whether what the msg box says
is true or not because our aim is more focused on switching the results of createfilea
and therefore altering the flow of the program. Ok now if you run loader instead, if all
goes to plan the msgbox will be displayed again but a debug.txt will appear, take a look
inside.

+ Loading Process
+ Injected Hook
+ Starting Process - Passing Control to DLL, good luck!
[+] shh, Ive entered the target process
+ Loader regained control, welcome back sir!


ah, now we can see that our dll has successfully entered the detect exe and printed
out the message to the file, so now we have control and can alter things before the
exe starts, so the next step is to hook the createfilea import, which at the time of this
dll loading will have the kernel address in the import table, so now we proceed to
scan and replace.

we'll need a function to find the correct iid (image import descriptor) for the kernel,
our function will take 3 params, location of the import table (iids), a text string of the
library we're searching for and our module imagebase, the function will return eax = 1
and edi = IID if successful, or eax = -1 (0FFFFFFFFh) if failed,


________________________________________________________________________
FindThunk proc uses ebx ecx edx esi, IT:DWORD, LIBNAME:DWORD, IMAGEBASE:DWORD
mov esi,LIBNAME
mov edx,0
call lstrlen,esi
mov ecx,esi

mov eax,IT

scan_for_libname:
mov esi,[LIBNAME] ; our dll name
mov edi,[eax+0Ch] ; libname from first iid
add edi,[IMAGEBASE]
mov [temp],eax
call lstrcmp,edi,esi ; compare them
cmp eax,0
mov eax,[temp]
jne next_IID

mov edi,eax ; found a match, save iid into edi
mov eax,1 ; set eax to success

jmp FT_ExitPoint
next_IID:
add eax,14h ; next iid
cmp dword ptr [eax+0Ch],0 ; finished all?
jne scan_for_libname
mov eax,-1 ; set eax to failed


FT_ExitPoint:
ret
FindThunk endp
;*import.inc

________________________________________________________________________
ok if you run through that its pretty simple, it takes our string, reads the one
from the import table and compares until we find which iid its in.

ok now lets use this in our core.dll under the first message.
________________________________________________________________________
kern32 db 'KERNEL32.dll',0
lkern32 db 'Kernel32.dll',0

call getmodulehandlea,0
mov [tImageBase],eax
add eax,[eax+3Ch]
add eax,80h ; PE+80 = location of import table
mov eax,[eax]
add eax, [tImageBase]
mov [tIID],eax

; *


call FindThunk,eax,o kern32,[tImageBase]
cmp eax,-1
jne hook_api

call FindThunk,[tIID],o lkern32,[tImageBase]
cmp eax,-1
jne hook_api

call err1
db '[o] Failed to find kernel descriptor',0
err1:
call dbg_string
call dbg_allout,1
call exitprocess,0

hook_api:
call dbg2
db '[+] Found kernel descriptor at ',0
dbg2:
call dbg_string
call dbg_dword,edi,0
call dbg_allout,1

________________________________________________________________________
theres our new code which makes use of the function with some error checking, if you look
where the * is, put an int 3 there and set i3here on in softice and we can trace to see if its working
as well, after running you should get a debug.txt like this,

________________________________________________________________________
+ Loading Process
+ Injected Hook
+ Starting Process - Passing Control to DLL, good luck!
[+] shh, Ive entered the target process
[+] Found kernel descriptor at 00403000
+ Loader regained control, welcome back sir!

________________________________________________________________________
Ok we're nearly there now :) , now we have a point in the import table, we can get the pointer
to the first thunk which will contain an array of kernel addresses and somewhere our createfile is
in there, we'll replace the address with an offset to a new createfilea in our dll, ok here comes the
big bit, lets start off by creating our new createfilea, i wont add the softice check
code but just some simple log msgs for now, heres mine.

________________________________________________________________________
NewCreateFile Proc


pop eax
mov [ret_addr],eax


call wdbg1
db 13,10,'CreateFileA: ',0
wdbg1:
call dbg_string
call dbg_dword,[ret_addr],0


call wdbg2
db ' File = ',0
wdbg2:
call dbg_string

call dbg_string,dword ptr [esp]

nowmsg:

call [CreateF]


call wdbg3
db ' Handle: ',0
wdbg3:
call dbg_string
call dbg_dword,eax,0
call dbg_allout,1

push [ret_addr]
ret

NewCreateFile ENDP
________________________________________________________________________
okey dokey, thats our new createfile, the call in the middle to CreateF goes through a dword where we hold
the real createfilea address to call. ok now we need to store some info which is the real createfilea address
and the kernel32 imagebase, after the found kernel message we'll add something like this,

________________________________________________________________________
push edi ; - kernel iid
;int 3

call GetModuleHandleA,o kern32 ; get base for libname
mov [module],eax

call getprocaddress,[module],o CreateFa
mov [CreateF],eax

pop edi
________________________________________________________________________
now we have some important info saved we're going to create the hooking proc now, this
procedure will scan the thunk for a match of the api we're trying to hook, it'll then replace
this with the offset of NewCreateFile. the procedure takes the following params:
IID the descriptor, imagebase the base of kernel, HookME a string of the api to hook
and NewProc the offset of the new proc, i.e. NewCreateFile, here it is


________________________________________________________________________
Hook_IAT proc uses edi ebx, IID:DWORD, IMAGEBASE:DWORD, HOOKME:DWORD, NEWPROC:DWORD
LOCAL TSize:DWORD
LOCAL spare:DWORD
LOCAL KIB:DWORD


call getprocaddress,[module],[HOOKME] ; get the address of what we are hooking!
cmp eax,0
jne hook_it

call err2
db 13,10,'+ Unable to Resolve address for wanted hook',0
err2:
call dbg_string
call dbg_allout,1
call exitprocess,0 ; eejit


hook_it:

mov [hooked],eax
mov edi,IID
mov edi,[edi+10h] ; get pointer to FirstThunk
add edi,[IMAGEBASE] ; EDI = array of all kernel functions

push eax ; save address of what we are replacing
call Get_Thunk_Size,edi ; external proc
imul eax,4
mov [TSize],eax ; save size in bytes


call unprotect,edi,[Tsize] ; get r/w access to whole thunk (external proc)

pop eax ; restore address of what we are replacing
find_import:
cmp [edi],eax ; EDI = current thunk ptr EAX = address to hook
jne scan_next_import ; DID WE FIND THE ADDRESS?

mov ebx,[NEWPROC] ; YES! move loc of new proc into ebx
mov [edi],ebx ; REPLACE THUNK POINTER!
; ****** You may wish to save all edi's here so you can replace the apis back
; if you intend to dump, or copy the original thunk back over, OR! add a new param
; to save the value

mov eax,1 ; success, ahh :-)
jmp Hook_IAT_ExitPoint ; get out of here
scan_next_import:
add edi,4 ; check next next thunk entry
cmp dword ptr [edi],0 ; are we at the end?
jne find_import ; is there still hope?

mov eax,-1 ; nope, dam

Hook_IAT_ExitPoint:

ret
Hook_IAT endp
________________________________________________________________________
there it is, thats going into imports.inc, you may notice the lines marked external proc, these are extra functions
i've written, heres the code,

________________________________________________________________________
unprotect proc loc:dword, tsize:dword ; provide r/w access to a memory range
pushad

call VirtualProtectEx,[tProcessInfo],loc,tsize,40h,o oldflags
popad
ret
unprotect endp

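________________________________________________________________________
add the following to core.asm near the top
________________________________________________________________________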
call GetCurrentProcessId
mov [processid],eax
call OpenProcess, PROCESS_ALL_ACCESS, 0, processid
mov [tProcessInfo],eax

________________________________________________________________________

________________________________________________________________________
Get_Thunk_Size PROC uses edi, THUNK:DWORD
mov eax,0
mov edi,[THUNK]

count_em_up:
cmp dword ptr [edi],0
je Get_Thunk_Size_ExitPoint
inc eax
add edi,4
jmp count_em_up


Get_Thunk_Size_ExitPoint:
ret
Get_Thunk_Size ENDP

________________________________________________________________________
now we have some groovy functions, lets put em into action, now we are ready to hook
createfilea with our hook_iat function, in core.asm add the following, it should go after the
pop edi,

________________________________________________________________________

CreateFa db 'CreateFileA',0 ; createfilea ascii

call Hook_IAT, edi,[tImageBase],o CreateFa ,o NewCreateFile
cmp eax,-1
jne hookeda

call err3
db '[+] Hook Failed ',0
err3:
call dbg_string
call dbg_dword,edi,0
call dbg_allout,1
call exitprocess,0

hookeda:
call dbg3
db '[i] API Hooked ',0
dbg3:
call dbg_string
call dbg_dword,edi,0
call dbg_allout,1

________________________________________________________________________
ok compile it all up and lets run the loader again now, if all goes to plan then
it should run through and produce a debug.txt, lets take a look,

________________________________________________________________________
+ Loading Process
+ Injected Hook
+ Starting Process - Passing Control to DLL, good luck!
[+] shh, Ive entered the target process
[+] Found kernel descriptor at 00403000
[i] API Hooked 00403000
+ Loader regained control, welcome back sir!

CreateFileA: 004012C1 File = \\.\SICE Handle: FFFFFFFF
________________________________________________________________________
wow cool huh, it has logged our createfilea, now depending on your system
setup the call to open the softice driver might fail like mine or it might return a
handle number, although now i've demonstrated the basis of iat hooking i'll add code
to change the output of the attempted sice access to make it fail in case you do
have softice loaded. note: this is a 9x detect only, and \\.\NTICE fails on 2k anyway
with the new DS2.7

________________________________________________________________________
NewCreateFile Proc


pop eax
mov [ret_addr],eax


call wdbg1
db 13,10,'CreateFileA: ',0
wdbg1:
call dbg_string
call dbg_dword,[ret_addr],0


call wdbg2
db ' File = ',0
wdbg2:
call dbg_string

call dbg_string,dword ptr [esp]

mov eax,[esp]
add eax,4 ; skip \\.\
cmp [eax],'ECIS'
jne nowmsg

add esp,1Ch ; remove params off stack
mov eax,-1 ; set eax to fail
jmp skip_call ; skip the real api

nowmsg:

call [CreateF]

skip_call:
call wdbg3
db ' Handle: ',0
wdbg3:
call dbg_string
call dbg_dword,eax,0
call dbg_allout,1

push [ret_addr]
ret

NewCreateFile ENDP
________________________________________________________________________
ta da! cool huh, now we have successfully altered the way our target works and enabled
us to have control over the apis, theres many uses for this technique, e.g. if you were
unpacking a program there might be an api during the process which you would want to
hook because at that time the import table is unpacked or theres something that needs
changing, the other use is, as you may have seen, logging apis and what they're doing,
as a little bonus i've included an api logger with a couple more apis, heres the output
from me running it on media player.

________________________________________________________________________
+ Loading Process
+ Injected Hook
+ Starting Process - Passing Control to DLL, good luck!
[+] shh, Ive entered the target process
[+] Found kernel descriptor at 00422000
[%] Hooked VirtualAlloc
[%] Hooked GlobalAlloc
[%] Hooked GetProcAddress
+ Loader regained control, welcome back sir!
VirtualAlloc : 00416C7D Block Size: 00002000 For Region: 00860000
VirtualAlloc : 00416D2D Block Size: 00001000 For Region: 00860000
VirtualAlloc : 00416A79 Block Size: 00001000 For Region: 00960000
GetProcAddress : 004066EB getting address for api GetOpenFileNameA

________________________________________________________________________
with this logger i've edited the code slightly, the hook_iat function now saves the real api
into an extra param provided, and it also displays a msg if the hook was successful.
I didnt add any code to say hooking failed, whatever functions it finds it will hook and display
a message in the log, some programs may use getprocaddress to get api addresses if they're
not found in the import table, so the best solution is we hook getprocaddress and like our createfile
we check to see which api it is resolving and if its one we are interested in, we return the offset
of our alternative function in eax.
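Seen from the defender's side, the thunk replacement that Hook_IAT performs leaves an IAT slot whose address lies outside the DLL named in its import descriptor. The following is an added Python example (not the tutorial's code) that walks the same structures the tutorial uses (e_lfanew at 3Ch, import directory at PE+80h, 14h-byte descriptors, name at +0Ch, FirstThunk at +10h) over a constructed in-memory image; `build_sample`, the module ranges and all addresses are constructed sample values.

```python
import struct

IID_SIZE = 0x14  # size of one image import descriptor, as stepped by FindThunk


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def walk_imports(image):
    """Yield (dll, function, iat_rva, address) for a mapped PE32 image (RVA == offset)."""
    pe = u32(image, 0x3C)                      # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    iid = u32(image, pe + 0x80)                # import directory RVA (PE32 only)
    while u32(image, iid + 0x0C):              # Name RVA of 0 ends the descriptor list
        dll = cstr(image, u32(image, iid + 0x0C))
        names = u32(image, iid)                # OriginalFirstThunk: names, not patched
        iat = u32(image, iid + 0x10)           # FirstThunk: addresses filled by loader
        index = 0
        while u32(image, iat + 4 * index):     # 0 ends the thunk array
            entry = u32(image, names + 4 * index) if names else 0
            if entry & 0x80000000:
                func = "ordinal %d" % (entry & 0xFFFF)
            elif entry:
                func = cstr(image, entry + 2)  # skip the 2-byte hint
            else:
                func = "slot %d" % index
            yield dll, func, iat + 4 * index, u32(image, iat + 4 * index)
            index += 1
        iid += IID_SIZE


def find_redirected(image, modules):
    """Report IAT slots whose address is outside the DLL named in the descriptor.

    modules maps lower-case module name -> (base, size), e.g. from a module list.
    """
    findings = []
    for dll, func, iat_rva, addr in walk_imports(image):
        base, size = modules.get(dll.lower(), (0, 0))
        if base <= addr < base + size:
            continue
        owner = next((name for name, (b, s) in modules.items() if b <= addr < b + s),
                     "unknown memory")
        findings.append((dll, func, iat_rva, addr, owner))
    return findings


def build_sample(createfile_addr):
    """Constructed 0x400-byte mapped image importing two KERNEL32 functions."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 0x80, 0x200)   # import directory RVA
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", img, 0x200, 0x240, 0, 0, 0x280, 0x260)
    img[0x280:0x28D] = b"KERNEL32.dll\0"
    for i, name in enumerate((b"CreateFileA", b"ExitProcess")):
        off = 0x2A0 + 0x20 * i
        img[off + 2:off + 2 + len(name)] = name       # 2-byte hint, then the name
        struct.pack_into("<I", img, 0x240 + 4 * i, off)
    struct.pack_into("<2I", img, 0x260, createfile_addr, 0x77E81234)
    return bytes(img)


# Constructed module list: name -> (base, size)
MODULES = {"kernel32.dll": (0x77E80000, 0x000C0000), "core.dll": (0x10000000, 0x8000)}

if __name__ == "__main__":
    for label, addr in (("clean", 0x77E85678), ("hooked", 0x10001234)):
        for dll, func, rva, target, owner in find_redirected(build_sample(addr), MODULES):
            print("%s: %s!%s slot %04X -> %08X (%s)" % (label, dll, func, rva, target, owner))
```

Forwarded exports legitimately resolve into a different module than the one named in the descriptor, so a real check needs an allow-list for those before treating a finding as a hook.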

phew, and that brings me to the end of the tutorial, i hope you found it useful
and if you decide to create more useful hooks for hooks.inc let me know :-)



Files. (publishers don't put these files in. You must provide them yourself)

Basic Loader and Template with full compilation tools and configuration
CreateFile Hook
Api Logger


All Code provided is free for public use.

ASTALAVISTA

 

Tuesday, 10 November 2009

Win87xx 1.18 General Reversing Approach






-| Win87xx 1.18 |- by: Xacker Rev by TGA

Overview:


works approximately the same: they unpack some files to the disk then execute the real setup file, thus the real setup file is actually embedded within the setup package. Sometimes the programmers tend to unpack only a few files or only part of the program that you wanna install as another part of protection. Those different kinds of protection are all alike when you get to crack 'em and i hope this essay will show ya how you can accomplish that.

Things you need to know:

You need to understand how the CreateFileA and WriteFile functions work, that's all!

Things you should obtain:

- SoftIce (i use 3.24 on win9x)
- PE-Editor (i use lordpe)
- HexEditor (old times Hiew :p)
- Win87xx 1.18 (of course silly!)

Lets begin:

In order to reverse such programs you first need to find where the checking routine is
(cmp goodserial,badserial -> jne getlost) and, to be more specific, you need to know
the opcodes of those commands. Why? Later on.

So, how to find where the checking routine is? open up the setup file and click next to proceed,
WOOPS! you have to enter a password to continue installing the program, enter anything..
no no not 'anything', i mean anything as password hehe, i enter 'this1234pass' and i
hit next, a msgbox displayed 'The password you entered is not correct. Please try again'.

Now open sice. In fact there are two functions we can set a bp on: the 1st one works only on
9x boxes coz we will set the bp on the HMEMCPY function, while the other works on both
NT & 9x coz we will set the bp on SLEEP. The two functions take you into
the heart of the protection: hmemcpy takes you right before the checking routine,
while sleep of coz takes you after the comparison has been done, so pick what suits
your [O]h[S]ystem!

bpx hmemcpy || bpx sleep:

Go ahead and enter any password like 'this1234pass', then set a bp in sice on hmemcpy, F5 to go back to the program and hit Next to break on this function. After you do so, press F12 12 times to pass the RET; now you will find yourself at the following addr:

4407BA:   mov eax,[ebp-4]          ; u r here
          call 403588
          push eax
          lea eax,[ebp-4]
          call 403758
          pop edx
          call 42E678              ; interesting call
          cmp eax,[4511dc]         ; compare eax value with whats on 4511dc
          setz bl                  ; set zero to bl if they dont match
          test bl,bl               ; bl = 0 ?
          jz getlost               ; -> getlost
reged:    mov byte ptr [451260],0  ; else continue
          mov eax,[ebp+8]
          mov eax,[eax-4]
          mov eax,[eax+1e4]
          mov edx,edx
          call 421e60
          jmp continue
getlost:  blah blah blah blah
          call Sleep
          blah blah blah blah
          call MessageBoxA
          jmp stupidcracker

Really simple algorithm when you come to test it, you only need to patch that jz into jnz
and you can continue your installation.

But doing so is limited to your machine and you have to go through all debugging again on next installation! so what are you gonna do?


If you check the file that you are in after you break on any of the previous apis you will notice that you are in something like 'Insxxxx' where xxxx is a rand hex number that changes from one execution to another!

That file is created when you start installation in the Temp dir and it's deleted after you close it.

So, our lil checking routine is in that file, but we can't patch it there coz the file will be deleted, and we can't just copy it, patch it and set it there on next installation hoping the program will pick it instead of the one which it creates! So again...

What are you gonna do?

What we are going to do is very simple: we will think logically about this, so let's review what we know about the program:

- The checking routine is in the Insxxxx.tmp file.
- That file is being created in the temp dir.
- We can't patch that file coz it will be very stupid!


The weakness of this protection is that the setup file has to WRITE the bytes of the protection algorithm to the Insxxxx.tmp file, and there is where we are gonna strike! We can simply interrupt the writing process and change the bytes before they get written to the file, which creates a patched file for us!

Of course this operation itself is also limited, coz you will have to interrupt the process each time you wanna install the program, so to pass such a thing we will inject a code in the program that will do that for us. But before that we need to know the opcodes of our checking routine, and in this case it's the opcodes of the JZ command; but because there will be a lot of JZs with the same opcodes we will search for 4 bytes instead of 2. This ensures that we get the correct JZ, and we can save 'em in a register when we wanna search for 'em :)

Go back now to the program and debug it to locate the opcodes; after you view the addr of the JZ note down the 1st four bytes that you will get in the data window, they will be like this: [74 1C C6 05]

(flip) (flip) <- searching in my win32api manual for the usage of CreateFileA && WriteFile, (flip).. here is how to use 'em:

The CreateFileA returns the handle that can be used to access the object.

HANDLE CreateFile(
    LPCTSTR lpFileName ,                         // pointer to name of the file
    DWORD dwDesiredAccess ,                      // access (read-write) mode
    DWORD dwShareMode ,                          // share mode
    LPSECURITY_ATTRIBUTES lpSecurityAttributes , // pointer to security attributes
    DWORD dwCreationDistribution ,               // how to create
    DWORD dwFlagsAndAttributes ,                 // file attributes
    HANDLE hTemplateFile                         // handle to file with attributes to copy
);

The WriteFile function writes data to a file and is designed for both synchronous and asynchronous operation. The function starts writing data to the file at the position indicated by the file pointer. After the write operation has been completed, the file pointer is adjusted by the number of bytes actually written, except when the file is opened with FILE_FLAG_OVERLAPPED. If the file handle was created for overlapped input and output (I/O), the application must adjust the position of the file pointer after the write operation is finished.

BOOL WriteFile(
    HANDLE hFile ,                    // handle to file to write to
    LPCVOID lpBuffer ,                // pointer to data to write to file
    DWORD nNumberOfBytesToWrite ,     // number of bytes to write
    LPDWORD lpNumberOfBytesWritten ,  // pointer to number of bytes written
    LPOVERLAPPED lpOverlapped         // pointer to structure needed for overlapped I/O
);

So obviously the CreateFileA function must be called to return the handle of the file that is being created, then the program can call WriteFile providing the handle and setting the number of bytes to write to that file. The thing that you need to know is that the program must write the data in parts due to memory restrictions.

We will go back to our program now and (before we run the setup) we will set a bp on CreateFileA then run it.

You will have to break 3 times to get to the right call; make sure you are about to create the Insxxxx.tmp file by viewing the EAX value with 'd eax'.

After you reach the right call, clear the bp you set and set one on WriteFile. Before you press F11 take a look @ the registers and note down the values [EAX=10000 || EBX=40FDB8 || ECX=10000 || EDX=00000000 || ESI=BA0004 || EDI=10000 || EBP=64AD64 || ESP=64FC9C], now press F11 to get out of the call then scroll a bit to the top and you will see this:
push 00                ; lpOverlapped? no
push eax               ; lpNumberOfBytesWritten = 10000
mov eax,[ebx+08]
mul ecx
push eax               ; nNumberOfBytesToWrite = 10000
push esi               ; lpBuffer
push dword ptr [ebx]   ; hFile
call WriteFile

Now we will interrupt the data, so how do we do that? We will use the 's'earch command in sice; it allows you to search for certain bytes and it's used like this:

s BufferToSearchIn L BoundaryToSearchIn ,xx,xx (return)

You have to replace BufferToSearchIn with esi, replace BoundaryToSearchIn with ffffff (it tells sice to search in all the buffer), and replace xx with the bytes we wanna search for: ,74,1C,C6,05

When you enter this command you will get either 'Pattern not found' or 'Pattern found at ....', so enter that command and see the result. If you didn't find your bytes then press F5 to break again on the next part of data to be written, then use the command again; repeat that till you see 'Pattern found at 017F:BA2C34 (2C30)'

We only care about the number between () coz it's the offset of the bytes being written. Why do we need this offset? We need it to reach the bytes in our injected code; they are simply @ esi+2c30 !

Now i've found the bytes, what's next?

We will search now for a place where we can redirect the execution flow to a cave we choose in order to inject our code. Let's first search for a suitable cave; i found one @ 40C570 (90 bytes in the .code section, but the .code section flag is Read/Execute only so change the characteristics to E0000020)

Now where can we redirect the flow? We will do that @ 403C80; yes, we will change the call to writefile to our jmp 40c570, so set a bp on WriteFile -> F11, clear all the bps, set a new one @ 403c80 and break on it, then type 'e 403c80 e9 eb 88 00 00 (return)'

Now press F10 to goto that location. We will inject a code now that searches the written data for our bytes, and when it finds 'em it will patch and write 'em to the file.

This code will be the following:
         pushad                          ; saves registers values to restore l8r
         mov eax, [esi+2c30]             ; store bytes @ esi+2c30 in eax
         cmp eax, 05C61C74               ; are they identical?
         jne 40c577                      ; pass our patch if not our bytes
         mov word ptr [esi+2c30], 9090   ; write NOP instead of JZ :)
40c577:  popad                           ; restore registers values
         call 4011dc                     ; call writefile
         jmp 403c85                      ; jump back to normal execution flow

You can set a bp on 40c570 and do 'd esi+2c30', then keep pressing F5 and you can see
how your bytes are being compared with the ones we want, then how the patch
will be applied.. but that's not all of it, coz after the program finishes calling
writefile a msgbox appears telling you that the file is corrupted. It's not;
that's because of our modification, but because it's just a msgbox you can simply remove it
by patching addr 40C30E to JMP before you start your reversing journey :)
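
The 'file is corrupted' msgbox above is only advisory: the altered bytes are already on disk when it appears. As an added example (not code from the original essay or from the installer), here is a fail-closed form of that check in Python: the extracted Insxxxx.tmp is re-read from disk, compared with a build-time SHA-256, and deleted on mismatch. The stub contents, function names and digest scheme are assumptions; only the 10000h write size, the 2C30 offset and the bytes 74 1C C6 05 come from the text.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 0x10000                          # write size seen in the essay's WriteFile call
PATTERN_OFFSET = 0x2C30                  # offset of the check inside its chunk (from the essay)
CHECK_BYTES = bytes.fromhex("741CC605")  # the four bytes noted in the essay


class TamperedPayload(Exception):
    """Raised when the file on disk does not match the build-time digest."""


def build_stub() -> bytes:
    """Constructed stand-in for the embedded stub: filler plus the check bytes."""
    stub = bytearray(b"\xCC" * (2 * CHUNK))
    stub[PATTERN_OFFSET:PATTERN_OFFSET + len(CHECK_BYTES)] = CHECK_BYTES
    return bytes(stub)


def chunked(data: bytes, size: int = CHUNK):
    """Split the payload the way the installer writes it: in fixed-size parts."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def sha256_file(path: str) -> str:
    """Hash what is really on disk, not the buffer we believe we wrote."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def extract_verified(chunks, expected_digest: str, directory: str) -> str:
    """Write the chunks to Insxxxx.tmp, verify the result, fail closed on mismatch."""
    fd, path = tempfile.mkstemp(prefix="Ins", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "wb") as out:
        for chunk in chunks:
            out.write(chunk)
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected_digest):
        os.remove(path)  # never leave an unverified stub behind to be launched
        raise TamperedPayload(f"digest mismatch for {os.path.basename(path)}")
    return path


def demo() -> dict:
    stub = build_stub()
    expected = hashlib.sha256(stub).hexdigest()  # recorded at build time

    # Constructed altered copy: two bytes differ at the offset the essay discusses.
    altered = bytearray(stub)
    altered[PATTERN_OFFSET:PATTERN_OFFSET + 2] = b"\x90\x90"

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = extract_verified(chunked(stub), expected, tmp)
        results["clean_accepted"] = os.path.exists(path)
        try:
            extract_verified(chunked(bytes(altered)), expected, tmp)
            results["tampered_rejected"] = False
        except TamperedPayload:
            results["tampered_rejected"] = True
        results["files_left"] = len(os.listdir(tmp))
    return results


if __name__ == "__main__":
    print(demo())
```

A check that lives inside the same executable can be patched out just like the msgbox at 40C30E, so this raises the cost of tampering rather than removing the weakness.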

Now how can i get a cracked copy of the program? You can't dump the process of course,
coz it's not in one file, but you have to take the opcodes of the code you have injected
and, using any hexeditor you admire :p, make the changes. It should be
something like this with lordpe:





In the end:

Greetings goes out to: Fusion members, chik and who ever ive learnt anything from




ASTALAVISTA









The- Legions
«You may stop this individual, but you can't stop us all... after all, we're all alike.»
No-one is innocent

Friday, 6 November 2009

Piratpartiet the Swedish Pirate Party : the European program

Freedom is not losing sight of your own rights, and not accepting to see them depleted.
Freedom is knowing your rights, and what threatens them.
Freedom is remembering to defend your rights, in every situation.


Punto Informatico (Italy), 5 November 2009


On December 1, a treaty created primarily to streamline the working methods and voting rules of the EU will enter into force. The number of seats will increase from 736 to 754, giving parties like the Swedish pirates the opportunity to add a seat in the European Parliament. And Piratpartiet has already designated its new member, one who will surely be the youngest Member on the Old Continent.

Her name is Amelia Andersdotter, 22, ready to join Christian Engstrom in Brussels, who was elected last June after the exploit of the first political party devoted to the defense of the free movement of culture online. Andersdotter has decided to devote herself full time to parliamentary activity, leaving her studies in economics and Spanish at Lund University in Sweden. "The European Parliament needs direction to a sustainable economy of knowledge," the new parliamentarian commented, "and here I'll have to come into play."
http://www.ameliatillbryssel.se/english
My name is Amelia Andersdotter and I am 21 years old. I study Economics and Spanish at Lund University in southern Sweden. I am one of the top candidates in the 2009 European Parliament elections for Piratpartiet (the Swedish Pirate Party).
My political ambitions include a thorough revision and change of the copyright legislation, a complete removal of the patent system and a more balanced approach to security, safety and the market versus privacy, where the latter in particular needs to be taken much more into consideration. I believe in strong civil rights, even in a digital environment.
I have been working toward this end for some three years, beginning in the spring of 2006. During that period of time I have managed to take an active part in the development of Ung Pirat, the political youth organisation associated with Piratpartiet. I have also taken an active role in the development of the party's European political programme and the co-operation between Pirate Parties and Young Pirates organisations in Europe and around the world.
For any questions or comments, send email to amelia.andersdotter@piratpartiet.se.
You can also call me at +46 73 8436779, but please note that I'm in GMT+2.
The images on this page are free to use.

Rick Falkvinge

Rickard "Rick" Falkvinge (Swedish pronunciation: [ˈfalkˈviŋe]), born Dick Augustsson on 21 January 1972 in Gothenburg, is a Swedish IT entrepreneur known as the leader and founder of the Swedish Pirate Party.
Falkvinge graduated from Göteborgs Högre Samskola where he studied natural science in 1991. During his studies he was active in the Moderate Youth League (Swedish: Moderata Ungdomsförbundet), the youth wing of the Swedish Moderate Party.
He started his first company in 1988 at the age of 16.
In 1993 he began studies for a degree in Engineering Physics at the Chalmers University of Technology in Gothenburg. He dropped out in 1995 to work as an entrepreneur.
Falkvinge has previously worked as a project leader at Microsoft. He was manager of development at a smaller software company but resigned to work with the Pirate Party on a full time basis. The Danish documentary Good Copy Bad Copy includes segments of an interview with Falkvinge explaining the emergence of the Pirate Party in response to the May 2006 police raid on The Pirate Bay. (The Pirate Bay is not formally affiliated with Pirate Party.)
He currently resides in Sollentuna north of Stockholm.
From Wikipedia 

Piratpartiet (the Swedish Pirate Party): the European program

From the founder and leader of the first Pirate Party in circulation, the Swedish one, one would expect an assault on the establishment and on copyright holders' rights, with the proverbial knife between his teeth. Yet, listening to and watching Rick Falkvinge during one of his first public appearances after the election to the European seat, one gets the impression of being in the presence of a good speaker and a polished politician who makes some sensible, shareable, appreciable proposals. But, pausing to reflect for a moment, they are potentially disruptive in a context like the EU, where the Telecoms Package and the Sarkozy doctrine are under discussion.

Of course, the occasion in which the discourse takes Falkvinge certainly helps: The first congress of the newly formed Association Digital Agora, held in Salerno on the sidelines of a week's work of the Radical Party, and its leaders in the party whose Marco Cappato, a leader is found founders and early supporters. An audience well disposed to listen and gather suggestions, borrow the experience of the Pirate Party in Sweden, which in the last election has made the satisfaction of becoming the third political force in the country, super organized on the square for many years and is coupled with a By far the most comprehensive and theoretically grounded than that of the followers of the buccaneers.

Falkvinge, however, is not one to hide behind a finger: he candidly admits that without the Pirate Bay affair, without the raid of 2006 and the trial of 2009, perhaps his party would not be where it is now. But at the same time, he is ready to claim his seat in the European Parliament with proposals (concrete or not, we'll see) that obviously relate to the hot issues of his campaign and that are very dear to the inhabitants of the Net: anonymity, copyright, fair compensation and, last but not least, ACTA.
The leader of the Pirate Party, as mentioned, is a good speaker: he expresses himself calmly, rattles off facts and dates, and carefully builds his argument. He recalls the birth of copyright in 1557, in the United Kingdom, and the historical reasons that led the church hierarchy to want this measure of control over the new medium of knowledge; he recalls what happened in the '60s and '70s with the first pirate radio stations that, from extra-territorial waters, broke the government "monopoly", as he calls it, on this medium; he cites the commercial TV revolution of the '80s in Sweden, and how long satellite decoders were outlawed because of the delay with which the state took steps to reform the laws on the matter.

All to get to a point: copyright, copyright law and the interests of the music and film majors are, according to Falkvinge, merely a pretext that governments around the world have seized on to try to put under control the new primary tool for disseminating information: the Internet, which is anonymous, democratic and uncontrollable, where everyone can have their opinion and where anyone can verify facts, data and events, and refute false reconstructions and election lies.

After the sinking, Falkvinge dissolves aggression: his Pirate Party, and could not be otherwise, that contributes to parliamentary office, not the last subversive anarchist organization. Rather, "the new generation of civil rights groups" means a horizontal structure that attempts to meet the new needs of those citizens also online, bringing the network all of your rights and unquestionable that everyone already enjoys in the West when speaks of "real life".

"Western governments criticized China for censorship on the Internet - is pressing the Swedish leader - now emulate the Chinese government, in silence increases interceptions, including international, and in tandem increases the data retention in Germany, half of the citizens ceased to call psychologists and other support services for fear that the government can keep track of these calls. " We need to take countermeasures immediately - obviously named encryption, anonymization of any kind (other concepts already supported in the past in Italy by other associations) - but there are other initiatives that are undertaken for groped to cope with a system draconian control of citizens.

"Governments think - adds - that the Internet is a game to remove a child when it was bad: do not believe that the Internet is something real, tangible. Different rules are applied to the web and, in some ways second Falkvinge, incomprehensible: the post shall be inviolable if sent with envelope and stamp, but easily intercepted if it is composed of bits. Public libraries lend securities covered by copyright without charge for 150 years: the same must be done, for private use, online. The intermediaries are not responsible for the transport: since the Roman Empire, "an ambassador is not the messenger," and that must be valid offline (where couriers and post offices are not responsible for what is being sent) as online.

The Pirate Party, starting today with the first sessions of the new European Parliament, will try to bring these issues onto the political agenda: criminal liability for infringement of copyright if done for commercial purposes (according to Falkvinge, the legalization of file sharing for individuals); a five-year limit on the duration of copyright; recognition of the right to remix, mash up and reuse creative content; recognition of authorship of works, to avoid plagiarism. Finally, revisiting the principle of fair compensation and opposing the so-called broadband tax: who would be compensated for the traffic generated online, jokes Falkvinge, the holders of rights on music and movies, or the producers of pornographic material that has long produced revenues on the Net?

Falkvinge's talk closes with a diplomatic answer to the free software guru Richard Stallman, who had challenged the idea of limiting copyright to five years for pieces of free code, fearing that they could end up in proprietary software. Falkvinge dismisses the idea of a state archive of source code and puts the emphasis on competitiveness: "If a closed source software needs to integrate pieces of free software older than five years, exceeding in this way, its free counterpart there would still be a problem." And then, like an experienced politician, he thanks Stallman and invites him to continue his work, which is so important for the community.

Marco Calamari - Freedom is not to lose sight of their own rights and not accept to see them depleted. Freedom is knowing their rights, and what threatens them. Freedom is to remember to defend their rights in every situation
Rome - Today's installment of Cassandra Crossing carries a dedication: it is dedicated to all those who, while using the Net (since you're reading), still do not realize that bills aimed at transforming the Web as we know it into something very different are under discussion both at the European Parliament and in the Italian Parliament.

It is likely that when you read these lines one of these stones, Amendment 138 of the Telecom Package has already been approved (it was approved a compromise between Council and Parliament, ed), with a text more or less strong but which enshrine the principle that connect to the web is a natural right, but that is just as "natural" that someone can provide the pain of disconnection forced. As if he felt the need for the enshrinement in law that the natural right to breathe, never questioned before, used as a passkey to establish the death penalty by hanging.

And while this materializes amid the general indifference of those who "have heard of it", other blows are lined up. "Net neutrality" will soon be abolished, allowing whoever provides connectivity to decide which communications can pass through the Net and how quickly. It is not a technical detail for experts, but rather a blatant form of censorship against all the People of the Net.
Those who are not outraged should be clear that this is exactly the same situation that would arise if phone providers such as Telecom or Vodafone reserved the right to terminate conversations on subjects unwelcome to them. More than that we cannot say.

How many others are convinced that these laws abnormal, which are growing in all Western legal systems, are poisoned fruit of a tree ill.

The disease of this tree has a name, for now not often pronounced, and that name is ACTA: a multilateral treaty whose approval is only a matter of time, which many have not even heard of, or think of as something far away that does not concern them.

The disease has a precise cause, and the struggle to free movement of culture that the lobby of those who create rents parasitic intermediate between producers and consumers of culture is willing to defend at all costs, even subverting the Network and the Western legal systems.

The disease has its plague-spreaders, which vary in name depending on the context and the nation, and are easily recognizable paternalistic attitude and / or offended when promoting these initiatives, and the fact that carefully avoids the subject of evolution culture.

The disease can spread because in most of the inhabitants of the Net now missing the antibodies that trigger immune reactions against those who want to eliminate natural freedoms and replacing them with profits, oppression and control.

This episode is dedicated to you!


ASTALAVISTA


























Creative Commons License
The-Legions Blog by Guardian Angel is licensed under a Creative Commons Attribuzione-Condividi allo stesso modo 2.5 Italia License.
Based on a work at the-legions.blogspot.com.
Permissions beyond the scope of this license may be available at http://the-legions.blogspot.com
