RSTS: A Trick or Two
by The Marauder / Phoneline Phantoms
Free Space
What is free space? Well, on all RSTS/E systems there is a portion of the disk assigned to 'free space', which is basically free space for the saving of files.
When you issue a SAVE or OPEN command, RSTS/E simply grabs however many blocks are needed from this space and stores your file there. Then this space is marked as being 'unavailable'. When you delete or kill a file, the exact opposite happens: RSTS/E moves a few pointers, which mark this space as 'available' (or free) space, leaving the entire file 99% of the time totally intact!
Here is an algorithm for a program to read free space:

    10 OPEN 'FILE.EXT' AS FILE 1%
    20 PUT #1%, RECORD XXXXX%
    30 CLOSE 1%
    40 END

Where:

    FILE.EXT = Any valid filename you want the free space to be placed in.
    XXXXX%   = Any integer between 1 and 32767 inclusive, telling how many blocks of free space you wish transferred into FILE.EXT.

For example, if I wanted to read 500 blocks of free space into a file called FREE.SPC, I would write my program as follows:

    10 OPEN 'FREE.SPC' AS FILE 1%
    20 PUT #1%, RECORD 500%
    30 CLOSE 1%
    40 END

Now in my directory would be the file FREE.SPC holding 500 blocks of free space.
You can now simply use PIP, TECO, EDT, or any text editor to examine the contents of this file. Whatever was deleted in the past few hours will usually be 99% intact; this includes BASIC programs and any ASCII text files (compiled code is untranslatable, so it's useless). This is especially useful at schools at the beginning or end of the year, when the administration is deleting and creating new accounts.
Note: You (and anyone else) can prevent files from going to free space in a readable format. When deleting a file, program, etc., use the following:

    PIP PROG.EXT/WO/LO    (on RSTS/E v6.00 and earlier)
    PIP PROG.EXT/DE/ER    (on RSTS/E v7.00 and later)

What this does in effect is tell PIP to 'write zeroes' over the entire file before releasing it to free space. Few persons know to use this, and fewer still ever use it!
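
The behaviour described in this section, modelled as an added example (not part of the original article): a toy block allocator in Python showing why a plain delete leaves data readable in free space, and why zeroing on delete, as PIP /DE/ER does, removes it. The ToyDisk class, its method names and the sample file contents are constructed for illustration and do not reflect RSTS/E's real on-disk structures.

```python
BLOCK = 512  # block size used by this simulation


class ToyDisk:
    """Constructed model of a disk with a free-space pool (not RSTS/E's real layout)."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))   # block numbers available for allocation
        self.files = {}                    # file name -> allocated block numbers

    def _grab(self, count):
        if count > len(self.free):
            raise OSError("disk full")
        taken, self.free = self.free[:count], self.free[count:]
        return taken

    def save(self, name, data):
        """Allocate blocks and write data into them (a normal SAVE)."""
        count = max(1, -(-len(data) // BLOCK))
        taken = self._grab(count)
        for i, blk in enumerate(taken):
            self.blocks[blk] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.files[name] = taken

    def extend_unwritten(self, name, count):
        """Allocate blocks without initialising them; old contents stay as they were."""
        self.files[name] = self._grab(count)

    def delete(self, name, erase=False):
        """Return blocks to free space; erase=True zeroes them first (like PIP /DE/ER)."""
        released = self.files.pop(name)
        if erase:
            for blk in released:
                self.blocks[blk] = bytes(BLOCK)
        self.free = sorted(self.free + released)

    def read(self, name):
        return b"".join(self.blocks[blk] for blk in self.files[name])


def residue_after_delete(erase):
    """Delete a file, hand its blocks to a new file, report whether old data shows."""
    disk = ToyDisk(nblocks=16)
    secret = b"10 PRINT 'CONSTRUCTED SAMPLE SOURCE LINE'\r\n"  # constructed sample
    disk.save("PROG.BAS", secret)
    disk.delete("PROG.BAS", erase=erase)
    disk.extend_unwritten("FREE.SPC", 16)
    return secret in disk.read("FREE.SPC")
```

Calling residue_after_delete(erase=False) reports that the old contents are still visible in the newly allocated file; with erase=True they are not.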
Programs With 'Holes' in Them
On most systems there are usually a few programs that have holes in them that can be used to your advantage. Here are a few I have found.
If the system you are hacking supports a BASIC-PLUS-2 runtime system (prompts with Well??), from the BASIC keyboard monitor (from Ready):

    SW BP2COM
    ESP
    ^Z    (Control+Z)

This is a legendary bug in the older versions of RSTS/E. What it basically does is switch to BASIC-PLUS-2 as the default keyboard monitor, execute the CCL that invokes the RPG editor (ESP), then Control+Z exits out of it, leaving full privileges intact!!! So you can run any program on the system!
Another big hole I have found is in the program (1,2)RPGDMP.TSK, which is an RPG ASCII dump program, used for dumping RPG source code and checking for stray control characters that have a way of getting into RPG source and playing hell with the compiler. To use it, simply try:

    RUN (1,2)RPGDMP

It will ask you for a file name, then an output device. You can give it any file name on the system (like $ACCT.SYS), and it will be dumped to whatever output device you selected!!! (SCREEN, LP:, or DISK)