Guide to Hacking AMOS

From Higher Intellect Wiki
Jump to: navigation, search

                      A Guide to Hacking AMOS                       

The Alpha Micro computer is a fairly easy system to understand, for
those of you familiar with VAX systems.  The operating system (AMOS)
is a ripoff of the DEC stuff, so many commands are similar.  This is
a guide on how to use the Alpha.

Background on security:
---------- -- ---------

When the Alpha Micro leaves the factory, they do not have any type of 
security feature built into it, except for certain higher end models,
which will be discussed later.  Thus, if the user installs a modem
directly to the system, and you call in, you'll be at the OS level
already.  Pretty easy, eh?

Due to the lack of a cursor display character, the pound sign (#) will
be used to represent the cursor throughout this document.  The prompt
for AMOS is a period, which users refer to as the dot.  Wnen you log on,
you'll see this:

	.#

At this point, you can type away and use the various accounts and 
programs on the system.  When you first connect, depending on how the
last user left the modem, you may or may not be logged in to a
partition.  To verify this, type in the LOG command.

	.LOG

The computer will respond in one of two fashions.  If it says "Not
logged in", then you will have to log to an existing account.  If it
says "Current login is DSK1:[203,1]", then there is no need to scan
for an account right away.

Perhaps the most important thing to do after this is to do a SYSTAT,
which will let you know who else is on the system, and what account,
program is being run, and other info.  Example:

	.SYSTAT

Status of AMOS/L version 1.3D(165) on Friday, November 11, 1988 03:24:54 PM

JOB1  TRM1  DSK1:201,3  0067732 ^C CONECT 122880 bytes at 4505554
JOB2  TRM2  DSK0:1,2    0024984 TI SYSACT 176800 bytes at 4505554
JOB3  TRM3  Not logged  0015460 ^C MEMORY  12288 bytes at 3137554
MODEM HAYES DSK0:1,4    0037325 SL SYSTAT  67912 bytes at 2179023

4 jobs allocated on system, 3 jobs in use (3 logged in)
Total memory on system is 2048K bytes
System uptime is 07:28:19

DSK0	26402 blocks free		DSK1	3578 blocks free
4 devices on system, total of 29980 blocks free

	.#

Here's a quick rundown on what each column means...
Col 1: The name of the job
Col 2: The terminal to which the job is attached
Col 3: The device and account into which the job is logged
Col 4: The octal memory address where the JCB is located
Col 5: Terminal status of for that job
Col 6: Last program run by that job
Col 7: Number of bytes (decimal) of memory allocated
Col 8: Octal memory address for beginning memory partition

The rest is self explanatory.  The 5th column (terminal status) has
numerous codes which need to be given.  Here's the abbreviation and what
it stands for:

	TI	Terminal input wait state
	TO	Terminal output wait state
	LD	Program load state
	SL	Sleep state
	IO 	I/O access other than terminal
	EW	External wait state
	RN	Running
	SP	Suspended state
	SW	Semaphore wait
	^C	Control-C

The SYSTAT program can be used even when you are not logged in, which 
is a plus if you wish to access an account without knowing the password.
There is another program, called STAT, but don't use this.  It 
constantly updates the screen, and will mess you up if you're using a
modem.

Before going further, it should be mentioned on how the Alpha Micro
computer is structured.  On each system, a number of hard drives 
subdivided into logical units are encountered.  These may be named in
any fashion by the sysop, following only the limitation of the LU being
three letters or less in length.  This is then followed by the device
number.  Sample LU's may look like:  DSK0:, DSK1:, WIN0:, HWK3:, etc.

On each disk is found a grouping of accounts, also known as partitions,
or PPN's (project, programmer number).  It is in these accounts where
you log in to, and execute programs.  These are enclosed in square
brackets [], to separate them from the disk specification.  When used
all togther, it looks like this:

DSK0:[1,2], DSK0:[1,4], WIN3:[100,0], DSK4:[377,7]


System Commands:
------ ---------

When in doubt, type HELP.  This will give you some online information 
the system you are currently logged in to.  Below are a list of some
of the more common commands that you can use.

ASCDMP -- displays the data in physical bocks in ASCII form.
ATTACH -- connects a job to a terminal.
BASIC  -- places you in interactive BASIC mode.
BATCH  -- loads frequently used commands to your memory partition.
BAUD   -- change the baud rate of your terminal.
CAL100 -- allows you to calibrate the clock oscillator.
CLEAR  -- write zeroes to all free disk blocks.
COMPIL -- use this to compile BASIC programs.
COPY   -- copies one or more files between accounts or disks.
CREATE -- creates a random file of specified size  (any size!!).
CRT610 -- verifies quality of videocasstte backup media.
DATE   -- returns with current system date.
DING   -- rings the terminal bell.
DIR    -- gives a directory listing for specific files or accounts.
DIRSEQ -- alphabetizes all current entries in an account.
DSKANA -- analyzes the data on a disk, and reports errors.
DSKCPY -- copies contents of one disk and places on another disk.
DSKDDT -- allows you to examine and change data directly on disk.
DSKPAK -- packs the blocks in use to create area of free blocks.
DUMP   -- display file contents & memory to the screen.
ERASE  -- deletes one or more files from disk.
ERSATZ -- displays the currently defined ersatz names.
FIX    -- disassemble assembler (.LIT) code.
FORCE  -- allows you to send terminal input to another job.
HELP   -- displays all available help files for the system.
JOBALC -- displays your job name.
JOBPRI -- determine your job priority, and change other's priority.
JOBS   -- shows all jobs on system, and how many are in use.
KILL   -- kill the program being run by another job, or a single job.
LNKLIT -- creates ML programs by linking object code files.
LOAD   -- loads disk files into your memory partition as mem modules.
LOG    -- logs you into an account so you can access the files there.
LOGOFF -- logs you out of the account you were logged into.
MAKE   -- creates the first record of a SEQ file (make a bogus file).
MEMORY -- allocates memory to your job (e.g. .MEMORY 64K).
MONTST -- tests the system monitor by bringing up the system new.
MOUNT  -- see which disks are on the system. Do a /U to unmount a disk.
M68    -- assemble an assembler program to an unlinnked ML file.
PASS   -- allows you to change your account password.
PPN    -- displays a list of all accounts on a logical device (eg DSK0:).
PRINT  -- send one or more files to a printer.
QDT    -- allows you to examine and modify locations in memory.
REBOOT -- reboots the system after hitting RETURN.
REDALL -- diagnostic test that looks at disk & reports read errors.
RENAME -- rename files in an account from one name to another.
RUN    -- runs a compiled BASIC program.
SAVE   -- save memory modules as disk files.
SEND   -- send messages to other terminals on the system.
SET    -- set terminal handling options for your terminal.
SLEEP  -- put your job to "sleep" for a period of time.
SORT   -- alphabetically & numerically sort data in a SEQ file.
STAT   -- displays & continually updates status of all system jobs.
SUBMIT -- used to enter, change, or delete files from task manager.
SYSACT -- used to change account passwords, or initialize a disk.
SYSTAT -- mentioned above.
TIME   -- displays or sets the time of day.
TRMDEF -- gives information about the system terminals.
TYPE   -- displays a text file to the screen (use the /P switch).
VCRRES -- read files from videocassette to disk.
VCRSAV -- save files from disk to videocassette.
VER    -- gives you version of current operating system level.
VUE    -- create and enter text editor.  Use ESCape to toggle modes.

You have to be careful with how the programs are used.  If done 
inappropriately, you could do major damage to the computer.  Many of 
the above programs can only be executed from the operator account
DSK0:[1,2].


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Entering via BASIC:

There is a back door in the version of BASIC that comes bundled with
AMOS.  Depending on the type of security present, you can gain access
to the system operator account (DSK0:[1,2]), which gives you the power
to do quite a few things.  What the command essentially does is poke
into memory the appropriate values to give you sysop access.

Type this in at the dot prompt (.) :

.BASIC

AlphaBASIC Version 1.3 (217)

READY

#

Once inside BASIC, type in this command as seen below;  it doesn't
matter if you use upper or lower case.

WORD(WORD(1072)+20)=258

BYE

.#

The BYE command exits you out of BASIC and puts you back at the
OS level.  You can also rename files and open files via BASIC.

Depending on the security in the system, if you typed in everything
as above, you should be logged into DSK0:[1,2], also known as OPR:.
This is the system operator's account, from which all types of
commands can be issued.  

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When you finally get connected to the system, you need some place to log
in to.  There are certain default accounts on every system.  These are:

	OPR:  --> DSK0:[1,2]		SYS:  --> DSK0:[1,4]
	DVR:  --> DSK0:[1,6]            CMD:  --> DSK0:[2,2]
        LIB:  --> DSK0:[7,0]		HLP:  --> DSK0:[7,1]
   	BOX:  --> DSK0:[7,2]		BAS:  --> DSK0:[7,6]
	MAC:  --> DSK0:[7,7]

While logging around to the different accounts, some will have defined
"ersatz" names.  This means that besides the [p,pn] specification, you can
access that account with a defined name.  In the above examples, logging
into SYS: is the same as logging into DSK0:[1,4].


As mentioned previously, older models of the Alpha Micro did not have any
security built in to them.  Later versions of the operating have changed 
this, though.  Once you get connected and you try to log into an account,
you may be asked for a password.  The word you type is not echoed on your
screen.  Two default passwords that you can try for logging purposes are
"DEMO" and "SYSTEM SERVICE".  These are not case-sensitive, so you can 
type them in either upper or lower case.  If neither of these work (which
is unlikely, since people are too lazy to change them), try running the
SYSTAT command.  

What happens is that you will often see people logged in under a short
(6 digits or less) user name, such as JOHN, AMY, SUSAN, etc.  Try logging
in with one of these as your PW.  80 per cent of the time it will work.

If you've gotten into the system this far, then good.  There are lots
of things to do or access.  If you're looking around for information,
these are contained in files that end in a .TXT extension.  These may be
examined by using the TYPE command from AMOS.  The syntax would be:

	.TYPE MODEM.TXT/P

The /P is not required, but is useful, because otherwise the file would be
diaplayed too quickly for you to look at.  The /P switch displays the 
contents one page at a time.  Pressing <RET> will scroll through the text.
One word of warning:  Don't use the TYPE command on .LIT, .SBR, or .OBJ
files; doing so will usually result in your terminal being locked up,
effectively ending your session.

Now let's say you wanted to check out the files that are in other accounts.
Usually all that is needed is to simply log there.  However, certain
accounts will be passworded.  There is no simple way to just dump the 
contents of a disk block and see what the PW is.  There are alternatives,
however.  One method is to log into the operator account (DSK0:[1,2]) and
use the SYSACT command.  This lets you to various things to the disk, but
the one you would be concerned about lists all of the accounts on a parti-
cular disk.  The command works like this:

	.#
	.SYSACT DSK0:

Use the "H" to get a listing of all the available commands from within
SYSACT.

	*
	*h
	Implemented commands are:
	A PPN	- Add a new account
	C PPN 	- Change password of an account
	D PPN	- Delete an account
	E	- Rewrite MFD and exit to monitor
	H 	- Help (Print instructions)
	I	- Initialize entire disk
	L	- List current accounts

The last one "L" is the one we're concerned with.  Press <RET> after it to
see a listing of all the accounts on the disk.  Passwords (if any) will be
displayed to the right.  The "C" option will allow you to change the PW on
an individual account.  Then press "E" to go back to the command level.

If you want to check out a file a little less elegantly, this may be done
by simply copying the file to an unpassworded account or by typing the 
file from another account.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Account and file structure:

As explained before, there are accounts on the disk, which may or may not
contain files in them.  AMOS maintains this account structure on the disk.
In fact, a listing of which files belong in what account are kept track of
in the account directory.

There are two types of files that are possible on the Alpha Micro:
sequential (linked) and random (contiguous) files.  Each block is 512 bytes
in length, which may or may not be filled up totally.  Files may not overlap
onto another disk, and each disk block has a unique number by which it is
referenced to via AMOS.

The format of most Alpha files are sequential -- AMOS reads in each disk
block of the file, which tells it the disk address of the next disk block.
The key point is that to access one block of data, you have to access all
preceding blocks.

When AMOS writes a sequential file to the disk, it looks for the first free
disk block.  It writes a copy of the first file block into that disk 
location.  Next, it looks for another free disk block.  This next disk block
may or may not be anywhere near the first block used.  This process goes on
until the entire file is transferred to the disk.  The disk blocks that make
up the file may be scattered across the disk.  Each disk block in the file
contains a portion of the file; it also contains the address of the next 
disk block used by the file.

              *-----------*-----------*
              | Address of| Data in   |
              | next block| file block|
              *-----------*-----------* 

Sequential files are also called linked files because the disk blocks are 
linked together by the information in each block that points to the address
of the next disk block.  The last block in the file is designated as such
by a link of zero.  It looks like this:

                                                     /---\
     /----------------\       /----------------\     !    |
     !                 !      !                 !    !    X  
*-----------*--------* ! *-----------*--------* !  *----------*-------*
| Address of|  DATA  | ->| Address of|  DATA  | !->|  EOF     | DATA  |
| next block|        |   | next block|        |    | Zero link|       |
*-----------*--------*   *-----------*--------*    *----------*-------*


Random files differ from their sequential counterparts because the data in
them can be accessed randomly.  AMOS knows how long the files are, and also
knows exactly where the files begin on the disk.  The operating system can
therefore access any block in a file by computing an offset value from the
front of the file, and then reading the proper disk location.  The distinc-
tion between random and sequential is that since the disk blocks don't have
to be accessed in any particular order, AMOS can locate specific data in a 
file quicker.

When a random file is written to disk, the first free groups of contiguous
blocks are searched for which are large enough to hold the entire file.  If
there aren't enough blocks on the disk, the message "Disk full" appears.
Random files look something like this:


  *---------------*---------------*---------------*---------------*
  | File block #1 | File block #2 | File block #3 | File block #4 |
  *---------------*---------------*---------------*---------------*

One a random file is allocated on the disk, it is not possible to expand it.
Random files are used mainly for applications where the file length remains
constant.


The first block on a disk (block 0) is the disk ID block.  Alpha Micros use
this disk block to maintain permanent identification information about the
disk.  The next block (block 1) is the Master File Directory (MFD).  At
block 2 lies the disk bitmap.  The bitmap is the structure that keeps track
of which blocks on the disk are in use, and which are available.  The 
bitmap contains one bit for each block on the disk.  If a block is in use,
the bit in the bitmap that represents that disk block is a 1; if the block
is available for use, its bit in the bitmap is a 0.  The bitmap is perma-
nently stored on the disk beginning with block 2 and extending as far as 
necessary.  The last two words in te bitmap form a hash total.  If some 
data in the bitmap becomes destroyed, then there is a chance that data
corruption has occurred.  The ocre for writing data to the disk is:

   [1] Find in memory a copy of the bitp of the disk to be accessedd.
   [2] Computer the hash total of the bitmap & check agains the sh.
   [3] Consult bitmap to see the next free block.
   [4] Change bitmap to shockthe block is in use.
   [5] Recompute bitmap hash to reflect the modified bmap.
   [6] Write modified bitmap back out to the disk.
   [7] Write thata to the chosen block.

Every disk contains one Master File Directory (MF  Each disk contains
one MFD.  The MFD is one block long, and contains e entry of four words
for each user account allocated on that disk.  This ps the limitation
of having a maximum of 63 user accounts per disk.

Each try in the MFD identifies a specific acct directory.  Individual
account dectories are known as User File Directories (UFDs).  The entry
contains thccount PPN, number of the first block used by the UFD, and
a password assned (if any).  The MFD contains one entry for every UFD
on the disk.One UFD exists for each user account; it contains one entry 
for eachlein that account.  These contain various sorts of information 
relating tthe file.  A UFD may consist of more than one disk block; if 
it is larger than oblock, the first word of the FD is nzero and gives the link 
to the next UFD bock.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since the existing security  the Alpha Micro is lax, third party
comiehave wriiten their own sceurity systems, making it considerably
more dicult to access a system.  However, all is not lost.  There are a
few wato make things easier.

Default passwords are the first step.  One of the security systems, known
as TSASS, has the default passwords of MAL, MAL, MAL for its prompts.  You
will know that you've encounted an Alpha Micro running TSASS by the 
message: "Welcome to a Time Shar and Security System".  Another security
package, UltraSafe, has the dult PW's of OPR, OPR, OPR.  An UltraSafe
system is harder to recognize because the prompts can be changed, although
some more common ones ask for  NAME, PORD, and GROUP.

The next option is if you have found a password that lets you in, it may be
one of low security.  This can automatically chain you into a menu or shell
program.  Depending onw the system is configure, a string of Control C'or any 
other key sequence) can mess up the buffer, automatically causing
e curity system to crash, and bringing you to AMOS, without being 
confined to the security program.  The input must be typed in rapidly, or
it won't work.  This method works for both TSASS and UltraSafe.


Share your opinion