Training session 20: Cyber Cafes
Learn how to defeat 'Cyber Cafe Managers'
How many times have you walked into a cyber cafe and thought to yourself, why should I pay to use this machine? The access is slow, and the rates are way too high. This thought came through my head the very first time I walked into a cyber cafe. The first time I had ever used one of these machines I was horrified that the owner believed it was necessary to lock the machines from being tampered with. A stupid, and rather annoying program was installed that disallowed registry access, and access to various things such as the disk drive and CD drive. In every cyber cafe I have entered, there has been some form of restrictions created to either enforce payment, or stop the user from fiddling. These 'Cyber Cafe Managers' are normally designed by small to medium sized software companies with little or no care about stopping people who actually 'test' their software. This tutorial will contain a fix that I have personally found for every different 'Cyber Cafe Manager' I come across in my travels and an explanation of how the program works.
The first program I shall examine is called 'PC Security', created by 'Tropical Software'. This program contains four main files to operate: wsec32hk.dll, sdaemon.exe, winsec32.ini and security.exe. Here is an explanation of each component and its default location:
This is the main interface program which acts as a monitor to change the configuration of the policies.
Stealth Encryptor, don't ask me exactly what this program does, I believe it is used to encrypt the password you enter into the program. It is not important to the overall process but nevertheless, comes in handy to know about.
Here is the real program itself, this acts to enforce policies, and is the program that is loaded at startup. Without this program the entire package is useless (and no longer a threat).
This is the configuration file for the program, it can be modified to disable the alarm or similar things. The file is locked for editing by default, and unless you kill sdaemon.exe, it will stay that way. Here is a default configuration file:
Position=1200 750 270 135
So now, how does this all come together? Well, at startup sdaemon.exe is loaded, and restricts the user from pretty much anything fun. The user is presented with security.exe's interface and is told to enter a password to change settings. By default, if five wrong passwords are tried, the program turns up the volume and plays 'alarm.wav' into the sound system on the computer in an attempt to get the attention of the owner. This is obviously bad. There are a number of different ways to disable this program, but I will show you the way I used at the time.
Firstly I opened notepad; this program is rarely locked, and can come in quite handy sometimes. If it is locked, try loading edit.exe from c:\windows\command, or something similar. Just something that will allow text editing. Now open up c:\autoexec.bat and add a new line with a single 'command.com' in it. Now save the file. If the file does not save, then right click the file and from properties, unclick 'read only'. This can also be done from dos by typing 'attrib -h -r -s c:\autoexec.bat'. Once the new line is added and the file is saved, just reboot the machine. You should be presented with a dos prompt, completely free of windows. Although this can sometimes be accomplished using a simple F8 at startup, the program can disable this feature in msdos.sys. Now delete c:\windows\sdaemon.exe. If the machine is not running windows 98, or the file is not present then the following is a simple way to resolve the problem:
1. make sure you are in c drive by typing 'c:'
2. type 'dir /s sdaemon.exe', you should be presented something similar to the following:
    C:\>dir /s sdaemon.exe

     Volume in drive C has no label.
     Volume Serial Number is 3CF6-E7E4

    Directory of C:\win98

    05/02/2002  04:45p       1,105,024 sdaemon.exe
             1 File(s)      1,105,024 bytes
             0 Dir(s)  29,031,542,272 bytes free

Ok, so this tells us that a file named sdaemon.exe exists in c:\win98.
3. type 'cd ' which in this case is 'cd win98'
4. type 'attrib -h -r -s'
5. type 'del sdaemon.exe'
Now just reboot the machine and PC Security should be disabled. With a minimal amount of work the entire protection is removed, and you are free to screw with anything you wish.
Next program is 'Cyber Cafe Pro'. This program's protection is a little simpler than PC Security, but is somewhat more effective. It also has the beauty of managing time used on the machine. A normal cafe running this software will follow a similar procedure to the following:
You walk into the cafe and a moron worker sits behind the desk reading magazines. You can freely walk up to and sit down at any machine you please. When you walk up to the machine a screen asking for a timecode is displayed. This interface blocks the normal windows explorer and acts to piss you off and stop you from using the machine. When you talk to the moron worker you find that you pay for a timecode which allows you to login for a specified amount of time. If you take a look at the computer on the worker's desk you can see that it is acting as a server to the various computers in the building. From this we derive that when you logon to a computer, it tells the server it is logging in and starts the time to kill your credit.
Generally I would be kind enough to pay for the absolute minimum time possible. Although sometimes this protection can be broken without needing any. To kill the protection do the following:
1. Login to the computer, pay the minimum possible
2. Load up mIRC. Generally a cyber cafe would be mad to not give access to this, so many people use it.
3. Once you are in mIRC type '/run regedit.exe'
4. Add a key to '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' containing 'explorer.exe' as a value.
5. Reboot and use CTRL+ALT+DEL to kill Cyber Cafe Pro.
You should be presented with a totally normal desktop ready to do what you please. As soon as you have access, remove your string out of the registry, we don't want the owner to get suspicious. If your cafe is a little more intelligent, you will have to kill the program before it loads. Either edit 'c:\autoexec.bat' or use F8 at bootup to get yourself into dos. Do a search for ccpclient.exe by typing 'dir /s ccpclient.exe'. This file is generally in 'c:\program files\ccpclient\'. Delete or rename this file and after a reboot you should have full access. Depending on the cafe it may be possible to hit the power button and use F8 to make the change so that you don't have to pay anything at all.
For anyone who does not know the F8 trick, here is how it works. When windows 95/98/ME is booting it will display something similar to 'Starting Windows 98'. As soon as this is displayed press F8 and you will be shown a bootup menu. Command prompt refers to dos access. If the computer displays a motherboard logo, you may have to keep pressing F8 before the text is displayed to access the menu. This trick can be disabled by editing 'msdos.sys' but unless the 'Cyber Cafe Manager' installed has a function for it, the owner nearly never disables it.
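Seen from the owner's side, each weakness described above leaves something that can be checked on a copy of the machine's boot files and Run key. The following audit is an added example, not part of the original tutorial or of either product. It assumes the standard Windows 9x msdos.sys setting BootKeys=0 in [Options] (which disables the F8 startup keys); the function names, the sample file contents and the allow-listed LOCKDOWN.EXE entry are constructed for illustration.

```python
import re

SHELLS = {"command", "command.com"}  # interpreters that leave a DOS prompt

def audit_autoexec(text):
    """Return (line number, line) pairs in autoexec.bat that start a shell."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.strip().lower().lstrip("@").split()
        # Compare only the program name, so C:\COMMAND.COM is caught as well.
        if tokens and tokens[0].rsplit("\\", 1)[-1] in SHELLS:
            hits.append((n, raw.strip()))
    return hits

def boot_keys_disabled(msdos_sys):
    """True only if [Options] sets BootKeys=0, which disables the F8 menu."""
    section = None
    for raw in msdos_sys.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "options" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "bootkeys":
                return value == "0"
    return False  # absent means the startup keys are still enabled

def audit_run_key(values, allowed):
    """Return names of Run-key values whose command is not allow-listed."""
    return sorted(name for name, cmd in values.items()
                  if cmd.strip().lower() not in allowed)

# Constructed sample inputs, not taken from a real machine.
SAMPLE_AUTOEXEC = "@echo off\nREM boot setup\nSET PATH=C:\\WINDOWS\ncommand.com\n"
SAMPLE_MSDOS_SYS = "[Paths]\nWinDir=C:\\WINDOWS\n\n[Options]\nBootGUI=1\n"
SAMPLE_RUN = {"Lockdown": "C:\\KIOSK\\LOCKDOWN.EXE",  # hypothetical approved entry
              "Shell": "explorer.exe"}
ALLOWED = {"c:\\kiosk\\lockdown.exe"}

if __name__ == "__main__":
    print("autoexec.bat shell lines:", audit_autoexec(SAMPLE_AUTOEXEC))
    print("F8 boot keys disabled:", boot_keys_disabled(SAMPLE_MSDOS_SYS))
    print("unexpected Run values:", audit_run_key(SAMPLE_RUN, ALLOWED))
```

A machine that passes all three checks can still be started from removable media, so the checks complement BIOS boot-order and setup-password settings rather than replace them.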
You can now defeat some of the available protections used in cyber cafes. As long as you don't kill anything, you aren't liable for legal actions to the best of my knowledge. Just try not to do anything stupid, or show off to other people.