1994-05-24 - Fix for pgp23a to make it 2.6 compatible

Header Data

From: catalyst-remailer@netcom.com
To: cypherpunks@toad.com
Message Hash: 1bb210e07f0eb636b4d5e19457972fd8b5900c90670a0085cbc931cce438229b
Message ID: <199405240911.CAA02919@mail2.netcom.com>
Reply To: N/A
UTC Datetime: 1994-05-24 09:11:26 UTC
Raw Date: Tue, 24 May 94 02:11:26 PDT

Raw message

From: catalyst-remailer@netcom.com
Date: Tue, 24 May 94 02:11:26 PDT
To: cypherpunks@toad.com
Subject: Fix for pgp23a to make it 2.6 compatible
Message-ID: <199405240911.CAA02919@mail2.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

I found a bug in pgp 2.3a : it's incompatible with pgp 2.6 messages made
after September first. Here's the fix, in both uuencode and pgp armored
format. Uudecode or pgp-extract this, and you will get a file called
fixpgp.com. Go into the directory where your pgp 2.3a DOS executable is
(pgp.exe) and run fixpgp. It should print "Done". That's it! 2.3a is now
fully compatible with 2.6. If it prints "File error" pgp.exe is either
not present or not writable. Fixpgp must be run with pgp.exe in the 
current directory. Do not run on anything but a virgin copy of the pgp23a
for dos distribution. If you compiled it yourself, modify the source as
described below.

                                                 Pr0duct Cypher

section 1 of uuencode 4.13 of file FIXPGP.COM

begin 644 FIXPGP.COM
MN`(]NCL!S2%R*(O8N`!"N0``NH?"S2%R&;1`N0$`NE,!S2%R#;0^S2&T";I.W
G`<TAS2"T";I#`<TAS2!P9W`N97AE`$9I;&4@97)R;W(D1&]N920&7
``
end
sum -r/size 47444/146 section (from "begin" to "end")
sum -r/size 46454/84 entire input file


- -----BEGIN PGP MESSAGE-----
Version: 2.3a

rGRiCmZpeHBncC5jb20AAAAAuAI9ujsBzSFyKIvYuABCuQAAuofCzSFyGbRAuQEA
ulMBzSFyDbQ+zSG0CbpOAc0hzSC0CbpDAc0hzSBwZ3AuZXhlAEZpbGUgZXJyb3Ik
RG9uZSQG
=4Xbh
- -----END PGP MESSAGE-----

Now, wait a minute! This sounds like an evil NSA plot to compromise PGP!
What, exactly, will this program do to my PGP?

The short answer: it changes the byte at file offset C287 hex from a
08 hex to a 06 hex.

The long answer: take a look at crypto.c and we find:

/* Return nonzero if val doesn't match checkval, after printing a
 * warning.
 */
int
version_error(int val, int checkval)
{       if (val != checkval)
	{       fprintf (pgpout, PSTR(
"\n\007Unsupported packet format - you need a newer version\ 
 of PGP for this file.\n"));
		return(1);
	}
	return(0);
}

We need to disable this comparison. So looking at the object code:
(CS at startup was 136D)
1B8B:069F 55            PUSH    BP                                 
1B8B:06A0 8BEC          MOV     BP,SP                              
1B8B:06A2 8B4606        MOV     AX,[BP+06]                         
1B8B:06A5 3B4608        CMP     AX,[BP+08]                         
1B8B:06A8 7424          JZ      06CE                               
1B8B:06AA 1E            PUSH    DS                                 
1B8B:06AB B8C00F        MOV     AX,0FC0                            
1B8B:06AE 50            PUSH    AX                                 
1B8B:06AF 9A6A04412E    CALL    2E41:046A                          

There's our comparison. [bp+06] and [bp+08] are val and checkval.
So if we change the [bp+08] in the cmp to [bp+06], the program compares
[bp+06] to itself. This will always be true, so PGP will not notice the
fact that the packet number has changed to 03 from 02. Problem solved.

This is the source for fixpgp.com. I used the a86 assembler.
BTW note that PGPTools does not check version numbers, so it is always
compatible with 2.6.

; fixpgp.com : writes 06 hex to byte c287 of pgp2.3a
; this fixes 2.6 incompatibility

	org 100h
	mov ax,03d02        ; r/w
	mov dx,fname        ; filename
	int 21h             ; open file
	jc error            ; check for error
	mov bx,ax           ; move file handle
	mov ax,04200        ; file seek
	mov cx,0            ; msw of offset
	mov dx,0c287h       ; magic address
	int 21h             ; move file pointer
	jc error            ; check for error
	mov ah,040h         ; write file
	mov cx,1            ; one byte
	mov dx,offset magic ; byte to write
	int 21h             ; write the byte
	jc error            ; check for error
	mov ah,03eh         ; close file
	int 21h             ; do it
	mov ah,09h          ; print msg
	mov dx,okmsg        ; it worked
	int 21h             ; print
	int 20h             ; and quit

error:  mov ah,09h          ; print msg
	mov dx,ermsg        ; adr of msg
	int 21h             ; print the error
	int 20h             ; abort

fname:  db 'pgp.exe',0
ermsg:  db 'File error$'
okmsg:  db 'Done$'
magic:  db 06h

-----BEGIN PGP SIGNATURE-----
Version: 2.3a lives!

iQCVAgUBLeGxH8GoFIWXVYodAQGH9wQAhLGL4V/86DMTjw4qlfJd0gbQCAf+sFSC
Hpf9jD1YAdUfUMRGYvp+8wNVBv9z90EHppRkU7MOT8zFJ3F0uJHvbzQgiiWp/5tO
nyimv9D4lotqg/K7wmQwCEmys0sj0/zLOyyzAX/62YX8rmLKfTCo88V94QdEaNHS
boBMlUSX0ys=
=pVKf
-----END PGP SIGNATURE-----






Thread