	   Documentation for PPECHECK v1.0b written by Codeblaster. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~           
Table of contents:
		 1.0 - General info
		 1.1 - Parameters 
		 1.2 - Design and layout
		 1.3 - Commands added in PPECHK.EXE
		 1.4 - Using PPECHK with an upload processor/Batch files
		 1.5 - Logical backdoor (what is it?)
		 1.6 - Possible bugs/false warnings
		 1.7 - Contacting the author
		 1.8 - Some last greetings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~           


1.0 GENERAL INFO
~~~~~~~~~~~~~~~~
It is well known that many PPE authors put some extra commands into their
PPE's that will e.g. give them SYSOP ACCESS, USERS & PASSWORDS etc., and
PCBOARDs around the world are being hacked using backdoors in PPE's.

PPECHECK was made in Turbo Pascal 7.0, and is designed to find even the most
hidden backdoors that you almost wouldn't spot if you went through the file
line by line yourself. And if you run a board and get lotsa PPE's up every
day, you just can't check them all. PPECHECK can therefore also be used with
your upload processor (see section 1.4 for more info).
This is just a BETA version, and I would appreciate some feedback if you find
out that there's a backdoor that it doesn't find etc. Although this is a BETA,
you're pretty secure anyway. It has been tested a while by a PCB hacker.

PPECHK is fast enough for everyone :), on a 486dx33 it checked 7000 lines
in approx. 3-4 secs.

1.1 PARAMETERS
~~~~~~~~~~~~~~
There are only 2 parameters in this beta version of PPECHK:

	-S   : Silent mode; Will not display anything on the screen.
	-L   : Log; Will write a log of what it finds. (PPECHK.LOG)
 

1.2 DESIGN AND LAYOUT
~~~~~~~~~~~~~~~~~~~~~
When you run PPECHK.EXE on a PPE that contains commands like the ones
mentioned above, you will see lines popping up on your screen. The lines
are shown in different colors, depending on how dangerous the command is.

The line in Bright White (15) tells you what command PPECHK found and where.
The line in ordinary white (07) gives you some info about that command.
The flashing red line (20) will pop up if PPECHK found a backdoor.

So, if PPECHK finds lotsa suspicious commands, that doesn't necessarily mean
that the PPE contains a backdoor. Many ordinary PPE's use the suspicious
commands in a useful way, but if they're misused, it could be a backdoor.


1.3 COMMANDS ADDED IN PPECHK.EXE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is a list of PPE commands I've told PPECHECK to search for in this 
version of the program:

----------------- COMMANDS THAT WILL BE TAKEN AS BACKDOORS -----------------
GETALTUSER 1             : To get sysop's data (Why should a PPE get his data?)
U_SEC=                   : Redefinition of USER's Security Level.. Backdoor!!

------------- COMMANDS AND SUSPICIOUS ROUTINES THAT ARE NOTICED ------------
SYSOPSEC()               : Why should a PPE know the SYSOP's security?
GETALTUSER               : Get another user's stats.
GETUSER                  : Get current user's stats.
PUTALTUSER               : Save another user's stats.
PUTUSER                  : Save current user's stats.
U_PWD                    : User's password.
COMMAND + FORMAT/DEL/*.* : >Could be execution of one of the commands, but
SHELL + FORMAT/DEL/*.*   : >could also be just a sentence containing the words.
DOWNLOAD + USER*.*       : Can be downloading of USER.DAT or just a sentence.

----------------------------------------------------------------------------

Note that the last commands will not be taken as a backdoor by themselves, but
the commands together, and used in a special way (e.g. to list all users
with NAME+PWD+SEC.LVL) will be taken as a backdoor.


1.4 USING IT WITH AN UPLOAD PROCESSOR
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
PPECHECK is perfect to use with an upload processor, and if you run PCBOARD,
it is even more perfect :)... You can use PPECHK.EXE with e.g. BOOMLAB or
the PCBTEST.BAT that comes with PCBOARD 15.22.   An updated version of
PCBTEST.BAT follows this archive, and you can use that one if you want,
but it is mainly meant as an example to get you started.

PPECHK will automatically find out if the file you specify to check is a PPE
or a decompiled PPE (PPD). If it's a PPE, PPECHK will use PPLD.EXE to
decompile the PPE. PPLD.EXE must therefore be located in the current directory.

ERRORLEVELS (feedback from PPECHK.EXE):
-------------------- Clean / Suspicious / Backdoor -------------------------
	1 - No backdoor found.
	2 - Suspicious routine found.
	3 - Backdoor found!!
----------------------- Specific commands found ----------------------------
	4 - "U_SEC =" found (redefinition of USER's sec.level)
	5 - "GETALTUSER 1" found (Get sysop's data - Password etc.)
----------------------------------------------------------------------------
With these errorlevels as feedback from PPECHK you have many options of what
to do if a backdoor is found. You could e.g. do this:

IF ERRORLEVEL 3 ECHO @USER@ >>C:\PCB\BLACKLST.TXT

This is a bit drastic :)  ... heh... (what if it's not a backdoor after all?)
You can also do this:

IF ERRORLEVEL 3 ECHO @X84PPE CONTAINS A BACKDOOR >>C:\TEMP\FILE_ID.DIZ

And then update the archive's FILE_ID.DIZ with PKZIP. See PCBTEST.BAT
if you want more details.

When you use the "specific commands found" errorlevels, you should know that
all the errorlevels below the errorlevel that is put ON will also be put ON.
So if PPECHK finds number 7, all errorlevels below will also be put ON.
That means that if PPECHK finds number 7 (the execute routine) you can't know
if it did find number 4 (U_SEC=) earlier in the file.

1.5 LOGICAL BACKDOOR
~~~~~~~~~~~~~~~~~~~~
Some commands, like GETALTUSER, U_PWD, PUTUSER etc. can be used in a backdoor,
when they are used together in a specific way. Since these commands are very
common in ordinary PPE's that have no backdoors, I've just added these
commands as suspicious commands (commands that COULD be used in a backdoor).

Take a look at this example:
;----------------------------
INT X
:BEGIN
X = X + 1
GETALTUSER X
PRINTLN U_NAME()
PRINTLN U_PWD
PRINTLN U_SEC
PRINTLN "-----NEW-USER-------"
GOTO BEGIN
;----------------------------

This is a backdoor that will show you all users with password and everything,
but it does not contain any of those 100% sure backdoors like "U_SEC = ",
"GETALTUSER 1", "SYSOPSEC()" etc. So what to do?!
I couldn't add these commands as backdoors, since there would be too many
false warnings then, so I've made the 'LOGICAL BACKDOOR'.

The logical backdoor will notice every time a command like this is being
used, and if the commands are together, and used in a specific way, the
logical backdoor will most likely become 3, which means that there most likely
is a backdoor in the PPE. The logical backdoor can be from 1 - 3.
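As an added example (not PPECHECK's own Pascal code), here is a small Python scanner that applies the command list from 1.3, the errorlevel scheme from 1.4 and a loop heuristic for the logical backdoor from 1.5 to constructed decompiled-PPE text. The 1-3 scoring rule is my approximation, since this doc does not describe PPECHK's actual algorithm.

```python
import re

# Constructed samples (not PPECHK's own data): the loop listing from 1.5,
# a clean PPE, and a PPE that rewrites the caller's security level.
LEAK_LOOP = ("INT X\n:BEGIN\nX = X + 1\nGETALTUSER X\nPRINTLN U_NAME()\n"
             "PRINTLN U_PWD\nPRINTLN U_SEC\nPRINTLN \"-----NEW-USER-------\"\n"
             "GOTO BEGIN\n")
CLEAN = "GETUSER\nPRINTLN \"Hi \", U_NAME()\n"
RESET_SEC = "GETUSER\nU_SEC = 0   ; blacklist him\nPUTUSER\n"

# Sure backdoors map to the specific errorlevels from 1.4 (4 and 5); every
# other hit is only "suspicious" (errorlevel 2) unless the logical score says 3.
SURE = {r"^\s*U_SEC\s*=": 4, r"\bGETALTUSER\s+1\b": 5}
SUSPICIOUS = [r"\bSYSOPSEC\s*\(", r"\bGETALTUSER\b", r"\bGETUSER\b",
              r"\bPUTALTUSER\b", r"\bPUTUSER\b", r"\bU_PWD\b",
              r"\b(COMMAND|SHELL)\b.*\b(FORMAT|DEL)\b", r"\bDOWNLOAD\b.*\bUSER"]

def logical_backdoor(lines):
    """Approximated 1-3 score: GETALTUSER with a variable argument followed by a
    read of U_PWD/U_SEC is 2; the same inside a label/GOTO loop (all users) is 3."""
    alt = [i for i, l in enumerate(lines) if re.search(r"\bGETALTUSER\s+[A-Z_]\w*", l)]
    if not alt:
        return 1
    if not any(re.search(r"\bU_PWD\b|\bU_SEC\b(?!\s*=)", l) for l in lines[alt[0]:]):
        return 1
    labels = {l.strip()[1:]: i for i, l in enumerate(lines) if l.strip().startswith(":")}
    for j, l in enumerate(lines):
        m = re.match(r"\s*GOTO\s+(\w+)", l)
        if m and m.group(1) in labels and any(labels[m.group(1)] < a < j for a in alt):
            return 3
    return 2

def scan(src):
    """Return (errorlevel, logical score, findings) for one decompiled PPE text."""
    lines = [l.split(";", 1)[0].upper() for l in src.splitlines()]  # drop ; comments
    level, findings = 1, []
    for n, line in enumerate(lines, 1):
        for pat, el in SURE.items():
            if re.search(pat, line):
                findings.append((n, "BACKDOOR", line.strip()))
                level = max(level, el)
        if any(re.search(p, line) for p in SUSPICIOUS):
            findings.append((n, "SUSPICIOUS", line.strip()))
            level = max(level, 2)
    score = logical_backdoor(lines)
    if score == 3:
        level = max(level, 3)
    return level, score, findings
```

The returned errorlevel is the highest one hit, so a batch file checking it with "IF ERRORLEVEL 3" (true for any value of 3 or more) behaves like the doc describes in 1.4.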


1.6 POSSIBLE BUGS/FALSE WARNINGS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are some commands that will be taken as a backdoor, that some ordinary
backdoor-free PPE's use. Like e.g. if a PPE is to blacklist a person, and
set his security level to 0 :

U_SEC = VAR001       ;(VAR001 = 0)

This will be taken as a backdoor, as it is a redefinition of the USER's security
and VAR001 could as well be SYSOPSEC(). There's only one way to get rid of these
bugs/false warnings, and that's by storing all variables in a PPE as
variables in the program. This will most likely be done in a later version
of PPECHECK.


1.7 CONTACTING THE AUTHOR
~~~~~~~~~~~~~~~~~~~~~~~~~
If you want to contact me, for any reason (feedback, error-report, questions,
suggestions etc.) you can either E-MAIL me at: BJORNBO@ASKOY.VGS.NO
or leave a message to me at some board in Norway, under Codeblaster.

1.8 SOME LAST GREETINGS
~~~~~~~~~~~~~~~~~~~~~~~
I would like to greet/thank the following persons:
	*TNSe           - For helping me out sometimes
	*DARKTROOPER    - 4 being patient
	*RIPPERJACK     - Kewl dewde!
	*BRAINDEAD      - 4 being kewl!
	*PSYCH0         - Belgian scene rewle! :)
	*CYBERNETIC     - Hacking 800's!
	*POSEIDON       - For having such a dork name :)
