Zines/phrack/4/6.txt

                                ==Phrack Inc.==

                    Volume One, Issue Four, Phile #6 of 11

                               Crashing DEC-10's
                                 by The Mentor
                                    3-13-86



        Occasionally there will be a time when destruction is necessary.
        Whether it is revenge against a tyrannical system operator or against
a particular company, sometimes it is desirable to strike at the heart of a
company...their computer.
        What follows is a fairly detailed explanation of how to go about
crashing a DEC-10 computer running any operating system.  The user will have
to be able to create and execute assembly level and high level language
files, as well as having a good working knowledge of programming.
        The first step is to obtain an account.  Whether this be a default
account like 5,30 (pw: GAMES) or an account that you hacked by some other
method, you have to be able to access the system.  Superuser access is not
necessary, however, for this method to work.
        At the heart of every mainframe computer is the central processing
unit.  The CPU handles all instructions, fetching them from memory, decoding
them, and executing them.  A DEC has what is called a DMA (Direct Memory
Access) Controller that functions as a small CPU handling all the input and
output from memory and peripherals, freeing the main CPU to execute instruc-
tions.  We take advantage of this fact in crashing the system.
        Theory:  The CPU depends on the DMA Controller to handle all memory
access.  If the DMA can be crashed, the CPU grinds to a halt and the sysop
has to run DSK:RAT to restore all the files on the system (a one hour process,
deadly at peak operating time.)  We cause the DMA to crash by slowing it down
incredibly and overflowing the system stack.
        Practice-
        There exists an area known as 'Job Data Area' at octal 20 through 140
of the user's memory.  This stores all relevant information about the current
task executing.  The individual locations each have a 6-bit mnemonic starting
with .JB in each case.  These must be introduced into a symbol table as ext-
ernal references.
        The highest core address available to the user is stored at .JBREL
in the Job Data Area.  If you try to access more core than you are allowed,
you will get an interrupt and it will crash.  The first step is to disable
the interrupt.  This is done by setting bit 22 in the AC to 1.  This is done
with a mask as follows...
        APRENB  AC
        MOVEI   AC,20000 (octal)
        The interrupt is now shut out.  Next, you must start snatching up all
available system core.  This cannot be done by directly meddling with .JBREL.
Instead, you must alter AC (accumulator) to contain the highest desired
address and then move it into .JBREL.  This can be done with the following
subroutine.
        CORE    AC,
TOP:    MOVE    AC,.JBREL##
        AOJA    AC,.+1
        CORE    AC,
        BRA     TOP
        At first, incrementing only by one looks like a slow way to grab core,
but since it is only allocated in chunks of either 1K or 2K words, you can
quickly suck up a lot of memory.  (Following this file is a complete sample
program in MACRO-10 showing how to increase the core to a certain limit.)
        Now that we have all the core we can get, the system is already more
than likely slowing down.  This is good.  Now we put in the fatal blow.
You should already have prepared a program that relies heavily on recursion.
The choice languages for this are either C or Pascal.  Simply set up a simple
recursive program (Towers of Hanoi with 100 rings, for instance), and tell it
to execute.
        What will begin to happen is that the DMA stack will start filling up,
slowing the system down even further.  Eventually, after between 5 minutes and
15 minutes (longest it's ever taken me), you get the nice beep and...
        ;;OPSER- DEC SYSTEM-10 NOT RUNNING
        I've only had to do this on three systems that the sysop really
pissed me off (not counting the system where I go to school, on which I do
it all the time when I'm bored...)  It's kind of an extreme measure, but
it can be an effective one.
        The following program is a sample for those not familiar with MACRO-10
assembly language.
32

START:  TITLE   SAMPLE
        MOVE    P,[IOWD  3,MEM]
        MOVE    [PUSHJ  P,PDLOV]
        MOVEM   .JBAPR##
        MOVEI   AC,600000
        APRENB  AC,
        SETZB   CT
        MOVEM   AC
        AOS
        PUSHJ   P,S1
        JRST    .-3
S1:     IDIVI   AC,10
        HRLM    N,(P)
        JUMPE   AC,.+3
        PUSHJ   P,S1
        SKIPA
        PUSHJ   P,S2
        HLRZ    N,(P)
        ADDI    N,60
        OUTCHR  N
        POPJ    P,
S2:     SOJG    CT,.+4
        OUTCHR  [15]
        OUTCHR  [12]
        MOVEI   CT,10
        MOVE    T,P
        OUTCHR  [40]
        AOBJN   T,.-1
        POPJ    P,
PDLOV:  PUSHJ   P,LIMIT
        SUB     P,[1,,0]
        JRSTF   @.JBTPC##
LIMIT:  CAIL    1000            ;CHANGE TO WHATEVER YOU WANT!
        EXIT
        POPJ    P,
MEM:    BLOCK   10
        END     START