A-LIST, Hacker Disassembling Uncovered, 2003


Hacker Disassembling Uncovered
ISBN: 1931769222
by Kris Kaspersky (ed)
A-LIST Publishing © 2003 (584 pages)
This text shows how to analyze programs without their source code, using a debugger and a disassembler, and covers hacking methods including virtual functions, local and global variables, branching, loops, objects and their hierarchy, and more.
Table of Contents
Hacker Disassembling Uncovered
Preface
Introduction
Part I - Getting Acquainted with Basic Hacking Techniques
  Step One - Warming up
  Step Two - Getting Acquainted with the Disassembler
  Step Three - Surgery
  Step Four - Getting Acquainted with the Debugger
  Step Five - IDA Emerges onto the Scene
  Step Six - Using a Disassembler with a Debugger
  Step Seven - Identifying Key Structures of High-Level Languages
Part II - Ways of Making Software Analysis Difficult
  Introduction
  Counteracting Debuggers
  Counteracting Disassemblers
  An Invitation to the Discussion, or New Protection Tips
  Hacker Disassembling Uncovered—How to…
Index
List of Figures
List of Tables
List of Listings


Back Cover
This book is dedicated to the basics of hacking—methods of analyzing programs using a debugger and disassembler. There is huge interest in this topic, but in reality, there are very few programmers who have mastered these methods on a professional level.
The majority of publications that touch on issues of analyzing and optimizing programs, as well as creating means of protecting information, delicately tiptoe around the fact that in order to competently find "holes" in a program without having its source code, you have to disassemble it. Restoring something that even somewhat resembles the source code is still considered an extremely complex task. In the book, the author describes a technology used by hackers that gives a practically identical source code, and this includes programs in C++ as well, which are particularly difficult to disassemble.
The book gives a detailed description of ways to identify and reconstruct key structures of the source language—functions (including virtual ones), local and global variables, branching, loops, objects and their hierarchy, mathematical operators, etc. The disassembly methodology that we will look at has been formalized—i.e., it has been translated from an intuitive concept into a complete technology, available and comprehensible to almost anyone.
The book contains a large number of unique practical materials. It is organized in such a manner that it will most certainly be useful to the everyday programmer as a manual on optimizing programs for modern intelligent compilers, and to the information protection specialist as a manual on looking for so-called "bugs." The "from simple to complex" style of the book allows it to easily be used as a textbook for beginner analyzers and "code diggers."
About the Editor
Kris Kaspersky is the author of articles on hacking, disassembling, and code optimization. He has dealt with issues relating to security and system programming including compiler development, optimization techniques, security mechanism research, real-time OS kernel creation, and writing antivirus programs.


Hacker Disassembling Uncovered
Kris Kaspersky
Copyright © 2003 A-LIST, LLC
All rights reserved.
No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher.
A-LIST, LLC
295 East Swedesford Rd.
PMB #285
Wayne, PA 19087
702-977-5377 (FAX)
All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.
Hacker Disassembling Uncovered
By Kris Kaspersky
1-931769-22-2
03 04 7 6 5 4 3 2 1
A-LIST, LLC titles are available for site license or bulk purchase by institutions, user groups, corporations, etc.
Executive Editor: Natalia Tarkova
Book Editor: Julie Laing
LIMITED WARRANTY AND DISCLAIMER OF LIABILITY
A-LIST, LLC, AND/OR ANYONE WHO HAS BEEN INVOLVED IN THE WRITING, CREATION, OR PRODUCTION OF THE ACCOMPANYING CODE ("THE SOFTWARE") OR TEXTUAL MATERIAL IN THE BOOK, CANNOT AND DO NOT WARRANT THE PERFORMANCE OR RESULTS THAT MAY BE OBTAINED BY USING THE CODE OR CONTENTS OF THE BOOK. THE AUTHORS AND PUBLISHERS HAVE USED THEIR BEST EFFORTS TO ENSURE THE ACCURACY AND FUNCTIONALITY OF THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN; WE HOWEVER MAKE NO WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, REGARDING THE PERFORMANCE OF THESE PROGRAMS OR CONTENTS.
THE AUTHORS, THE PUBLISHER, DEVELOPERS OF THIRD PARTY SOFTWARE, AND ANYONE INVOLVED IN THE PRODUCTION AND MANUFACTURING OF THIS WORK SHALL NOT BE LIABLE FOR DAMAGES OF ANY KIND ARISING OUT OF THE USE OF (OR THE INABILITY TO USE) THE PROGRAMS, SOURCE CODE, OR TEXTUAL MATERIAL CONTAINED IN THIS PUBLICATION. THIS INCLUDES, BUT IS NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE PRODUCT.
THE USE OF "IMPLIED WARRANTY" AND CERTAIN "EXCLUSIONS" VARY FROM STATE TO STATE, AND MAY NOT APPLY TO THE PURCHASER OF THIS PRODUCT.



Preface
This book opens the door to the wonderful world of security mechanisms, showing you how protection is created, and then bypassed. It is addressed to anyone who likes captivating puzzles, and to anyone who spends their spare (or office) time rummaging in the depths of programs and operating systems. Lastly, it is for anyone who is engaged constantly or incidentally in writing protections, and who wants to know how to counteract ubiquitous hackers competently and reliably.
This book is devoted to hacking basics—to the skills needed for working with a debugger and a disassembler. The methods of identifying and reconstructing the key structures of the source language—functions (including virtual ones), local and global variables, branches, cycles, objects and their hierarchies, mathematical operators, etc.—are described in detail.
Choosing the tools you will need to use this book is essentially a matter of your personal preferences. Tastes differ. Therefore, don't take everything that I mention below to be carved in stone, but rather as advice. To use this book, you'll need the following:
- A debugger—SoftIce, version 3.25 or higher
- A disassembler—IDA version 3.7x (I recommend 3.8; 4.x is even better)
- A HEX editor—any version of HIEW
- Development kits—SDK and DDK (the last one isn't mandatory, but is really good to have)
- An operating system—any Windows, but Windows 2000 or later is strongly recommended
- A compiler—whichever C/C++ or Pascal compiler you like most (in the book, you'll find a detailed description of the particular features of the Microsoft Visual C++, Borland C++, Watcom C, GNU C, and Free Pascal compilers, although we will mostly work with Microsoft Visual C++ 6.0)
Now, let's talk about all this in more detail:
SoftIce. The SoftIce debugger is the hacker's main weapon. There are also free programs—WINDEB from Microsoft, and TRW from LiuTaoTao—but SoftIce is much better, and handier, than all these taken together. Almost any version of Ice will suit our purposes; I use version 3.26—it's time-tested, maintains its stability, and gets along wonderfully with Windows 2000. The modern 4.x version isn't very friendly with my video adapter (Matrox Millennium G450), and in general goes belly up from time to time. Apart from this, among all the new capabilities of the fourth version, only the support of Frame Pointer Omission (FPO) (see the "Local Stack Variables" section) is particularly useful for working with the local variables directly addressed through the ESP register. This is an undoubtedly practical feature, but we can do without it if we must. Buy it; you won't regret it. (Hacking isn't the same as piracy, and nobody has yet cancelled honesty.)
IDA Pro. The most powerful disassembler in the world is undoubtedly IDA. It's certainly possible to live without it, but it's much better to live with it. IDA provides convenient facilities for navigating the investigated text; automatically recognizes library functions and local variables, including those addressed through ESP; and supports many processors and file formats. In a word, a hacker without IDA isn't a hacker. But I suppose advertising it really isn't necessary. The only problem is, how do you get this IDA? Pirated discs containing it are extremely rare (the latest version I've seen was 3.74, and it was unstable); Internet sites offer it even less often. IDA's developer quickly stops any attempt at unauthorized distribution of the product. The only reliable way to obtain it is to purchase it from the developer (http://www.idapro.com) or from an official distributor. Unfortunately, no documentation comes with the disassembler (except for the built-in help, which is very terse and unsystematic).
HIEW. HIEW is not only a HEX editor; it is a disassembler, an assembler, and an encrypter all in one. It won't save you from having to buy IDA, but it will more than compensate for IDA in certain cases. (IDA works very slowly, and it's vexing to waste a whole bunch of time if all we need is to take a quick glance at the file under preparation.) However, the main purpose of HIEW isn't disassembling, but bit hacking—small surgical interference in a binary file, usually with the aim of cutting off part of the protection mechanism without which it can't function.
SDK (Software Development Kit—a package for the application developer). The main thing that we need from the SDK package is documentation on the Win32 API and the DUMPBIN utility for working with PE files. Neither hackers nor developers can do without documentation. At the minimum, you need to know the prototypes and the purpose of the main system functions. This information can be gathered from numerous books on programming, but no book can boast of completeness and depth of presentation. Therefore, sooner or later, you'll have to use an SDK. How can you get an SDK? The SDK is a part of MSDN, and MSDN is issued quarterly on compact discs, and is distributed by subscription. (You can learn more about subscription conditions on the official site http://msdn.microsoft.com.) MSDN also comes with the Microsoft Visual C++ 6.0 compiler. (It's not a particularly new one, but it will suffice for going through this book.)
DDK (Driver Development Kit—a package for a developer of drivers). What is the use of a DDK package for a hacker? It'll help to clear up how the driver is made, how it works, and how it can be cracked. Apart from the basic documentation and plenty of samples, it includes a very valuable file—NTDDK.h. This file contains definitions for most of the undocumented structures, and is literally loaded with comments revealing certain curious details of the system's operation. The tools that come with the DDK will also be of use. Among other things, you'll find the WINDEB debugger included in the DDK. This is a rather good debugger, but nowhere near as good as SoftIce; therefore, it is not considered in this book. (If you can't find Ice, WINDEB will do.) The MASM assembler in which drivers are written will be useful, as will certain little programs that make the hacker's life a bit easier. The latest DDK version can be downloaded for free from Microsoft's site; just keep in mind that the size of the complete DDK for NT is over 40 MB (packed), and even more space is required on the disk.
Operating system. I'm not going to force my own tastes and predilections on the reader; nevertheless, I strongly recommend that you install Windows 2000 or a later version. My motivation here is that it's a very stable and steadily working operating system, which courageously withstands severe application errors. One thing about a hacker's work is that this surgical interference in the depths of programs quite often makes them go crazy, which results in the unpredictable behavior of the cracked application. Windows 9x operating systems, showing their corporative solidarity, frequently "go on strike" alongside the frozen program. Occasionally, the computer will require rebooting dozens of times a day! You should consider yourself lucky if rebooting suffices, and you don't need to restore disks that were destroyed by failure. (This also happens, although seldom.) It's much more difficult to freeze Windows 2000. I "succeed" in doing this no more than twice a month when I haven't had enough sleep, or am negligent. What's more, Windows 2000 allows you to load SoftIce at any moment, without rebooting the system, which is very convenient! Lastly, all the material in this book implies the use of Windows 2000 or a later version, and I rarely mention how it differs from other systems.
I assume that you are already familiar with the assembler. If you don't write programs in this language, you should at least understand what registers, segments, machine instructions, and the like are. Otherwise, this book will likely be too complex and difficult to understand. I suggest that you first find a tutorial on the assembler and thoroughly study it. Apart from assembler, you should have at least a general notion of the operating system. And it might be useful if you download all the documentation on processors available from the Intel and AMD sites.
I guess that's enough organizational stuff. Let's get going.


Introduction

Protection Classifications
Checking authenticity is the "heart" of the overwhelming majority of protection mechanisms. In all cases, we have to make sure that the person working with our program is who he or she claims to be, and that this person is authorized to work with the program. The word "person" might mean not only a user, but the user's computer or the medium that stores a licensed copy of the program. Thus, all protection mechanisms can be divided into two main categories:
- Protection based on knowledge (of a password, serial number, etc.)
- Protection based on possession (of a key disc, documentation, etc.)
Knowledge-based protection is useless if a legitimate owner isn't interested in keeping the secret. An owner can give the password (and/or serial number) to whomever he or she likes, and thus anyone can use a program with such protection on his or her computer.
Therefore, password protection against illegal copying is not effective. Why, then, do practically all prominent software manufacturers use serial numbers? The answer is simple—to protect their intellectual property with the threat (however unlikely) of brute force. The idea goes approximately as follows: The quiet, work-a-day environment of a certain company is suddenly broken into by a squad of agents dressed in camouflage, comparing the Windows license numbers (Microsoft Office, Microsoft Visual Studio) to license agreements. If they find even one illegal copy, some official pops up seemingly from out of nowhere and starts to joyfully rub his or her hands in anticipation of the expected windfall. At best, they'll force the company to buy all the illegal copies. At worst…
Naturally, nobody is barging in on users in their homes, and nobody is even considering it (yet)—your house is still your castle. Besides, what can you get from a domestic user? A wide distribution of products is good for manufacturers, and who can distribute better than pirates? Even in that case, serial numbers aren't superfluous—unregistered users cannot use technical support, which may push them to purchase legal versions.
Such protection is ideal for giant corporations, but it isn't suitable for small groups of programmers or individual developers, especially if they earn their bread by writing highly specialized programs for a limited market (say, star spectra analysis, or modeling nuclear reactions). Since they cannot apply sufficient pressure, it's unreal for them to ask users to check their licenses, and it's hardly possible to "beat" the payment out of illegal users. All that can be done is through threat and eloquence.
In this case, protection based on the possession of some unique subject that is extremely difficult to copy, or impossible to copy in general (the ideal case), is more appropriate. The first of this kind were key floppies with information written on them in such a manner that copying the floppy disk was impossible. The simplest way (but not the best) to prepare such a floppy was to gently damage the disk with a nail (an awl, a penknife), and then, having determined the sector in which the defect was located (by writing and reading any test information—up until a certain point, reading will proceed normally, followed by "garbage"), register it in the program. Then, each time the program started, it checked whether the defect was located in the same place or not. When floppy disks became less popular, the same technique was used with compact discs. The more affluent cripple their discs with a laser, while ordinary folk still use an awl or nail.
Thus, the program is rigidly bound to a disc, and requires its presence to run. Since copying such a disc is impossible (just try making identical defects on a copy), pirates have to give up.
Other possession-based protection mechanisms frequently modify the subject of possession, limiting the number of program starts or the duration of its use. Such a mechanism is often used in installers. So as to not irritate users, the key is only requested once, when the program is installed, and it's possible to work without the key. If the number of installations is limited, the damage arising from unauthorized installation of one copy on several computers can be slight.
The problem is that all of this deprives a legal user of his or her rights. Who wants to limit the number of installations? (Some people reinstall the operating system and software each month or even several times a day.) In addition, key discs are not recognized by all types of drives, and are frequently "invisible" devices on the network. If the protection mechanism accesses the equipment directly, bypassing drivers in order to thwart hackers' attacks more effectively, such a program definitely won't run under Windows NT/2000, and will probably fail under Windows 9x. (This is, of course, if it wasn't designed appropriately beforehand. But such a case is even worse, since protection executing with the highest privileges can cause considerable damage to the system.) Apart from that, the key item can be lost, stolen, or just stop working correctly. (Floppy disks are inclined to demagnetize and develop bad clusters, CDs can get scratched, and electronic keys can "burn out".)


Figure 1: The main types of protection
Naturally, these considerations concern the effectiveness of keys in thwarting hackers, and not the concept of keys in general. End users are none the better for this! If protection causes inconveniences, users would rather visit the nearest pirate and buy illegal software. Speeches on morals, ethics, respectability, and so on won't have any effect. Shame on you, developers! Why make users' lives even more complicated? Users are human beings too!
That said, protections based on registration numbers have been gaining popularity: Once run for the first time, the program binds itself to the computer, turns on a "counter", and sometimes blocks certain functionalities. To make the program fully functional, you have to enter a password from the developer in exchange for monetary compensation. To prevent pirate copying, the password is often a derivative of key parameters of the user's computer (or a derivative of their user name, in an elementary case).
Certainly, this brief overview of protection types has left many of them out, but a detailed discussion of protection classifications is beyond the scope of this book. We'll leave it for a second volume.


Protection Strength
If protection is based on the assumption that its code won't be investigated and/or changed, it's poor protection. Concealing the source code isn't an insurmountable obstacle to studying and modifying the application. Modern reverse engineering techniques automatically recognize library functions, local variables, stack arguments, data types, branches, loops, etc. And, in the near future, disassemblers will probably be able to generate code similar in appearance to that of high-level languages.
But, even today, analyzing machine code isn't so complex as to stop hackers for long. The overwhelming number of constant cracks is the best testament to this. Ideally, knowing the protection algorithm shouldn't influence the protection's strength, but this is not always possible to achieve. For example, if a server application has a limitation on the number of simultaneous connections in a demo version (which frequently happens), all a hacker needs to do is find the instruction of the process carrying out this check and delete it. Modification of a program can be detected and prevented by testing the checksum regularly; however, the code that calculates the checksum and compares it to a particular value can be found and deleted.
However many protection levels there are—one or one million—the program can be cracked! It's only a matter of time and effort. But, when there are no effective laws protecting intellectual property, developers must rely on protection more than law-enforcement bodies. There's a common opinion that if the expense of neutralizing protection isn't lower than the cost of a legal copy, nobody will crack it. This is wrong! Material gain isn't the only motivation for a hacker. Much stronger motivation appears to lie in the intellectual struggle (who's more clever: the protection developer or me?), the competition (which hacker can crack more programs?), curiosity (what makes it tick?), advancing one's own skills (to create protections, you first need to learn how to crack them), and simply as an interesting way to spend one's time. Many young hackers spend weeks removing the protection from a program that only costs a few dollars, or even one distributed free of charge.
The usefulness of protection is limited to its competition—other things being equal, clients always select unprotected products, even if the protection doesn't restrain the client's rights. Nowadays, the demand for programmers considerably exceeds supply, but, in the distant future, developers should either come to an agreement or completely refuse to offer protection. Thus, protection experts will be forced to look for other work.
This doesn't mean that this book is useless; on the contrary, the knowledge that it provides should be applied as soon as possible, while the need for protection hasn't disappeared yet.


Part I: Getting Acquainted with Basic Hacking Techniques
Step One: Warming up
Step Two: Getting Acquainted with the Disassembler
Step Three: Surgery
Step Four: Getting Acquainted with the Debugger
Step Five: IDA Emerges onto the Scene
Step Six: Using a Disassembler with a Debugger
Step Seven: Identifying Key Structures of High-Level Languages


Step One: Warming up
The algorithm of the simplest authentication consists of a character-by-character comparison of the password entered by a user to the reference value stored either in the program (which frequently happens), or outside of it—for example, in a configuration file or the registry (which happens less often).
The advantage of such protection is its extremely simple software implementation. Its core is actually only one line of code that, in the C language, could be written as follows:

    if (strcmp(password entered, reference password)) { /* Password is incorrect */ } else { /* Password is OK */ }

Let's supplement this code with procedures to prompt for a password and display the comparison, and then examine the program for its vulnerability to cracking.
Listing 1: The Simplest System of Authentication

    // Matching the password character by character
    #include <stdio.h>
    #include <string.h>

    #define PASSWORD_SIZE 100
    #define PASSWORD "myGOODpassword\n"
    // The CR above is needed
    // so as not to cut off
    // the user-entered CR.

    int main()
    {
        // The counter for authentication failures
        int count = 0;
        // The buffer for the user-entered password
        char buff[PASSWORD_SIZE];

        // The main authentication loop
        for (;;)
        {
            // Prompting the user for a password
            // and reading it
            printf("Enter password:");
            fgets(&buff[0], PASSWORD_SIZE, stdin);
            // Matching the entered password against the reference value
            if (strcmp(&buff[0], PASSWORD))
                // "Scolding" if the passwords don't match;
                printf("Wrong password\n");
            // otherwise (if the passwords are identical),
            // getting out of the authentication loop
            else break;
            // Incrementing the counter of authentication failures
            // and terminating the program if 3 attempts have been used
            if (++count > 3) return -1;
        }
        // Once we're here, the user has entered the right password.
        printf("Password OK\n");
        return 0;
    }

In popular movies, cool hackers easily penetrate heavily protected systems by guessing the required password in just a few attempts. Can we do this in the real world?
Passwords can be common words, like "Ferrari", "QWERTY", or names of pet hamsters, geographical locations, etc. However, guessing the password is like looking for a needle in a haystack, and there's no guarantee of success—we can only hope that we get lucky. And lady luck, as we all know, can't be trifled with. Is there a more reliable way to crack this code?
Let's think. If the reference password is stored in the program, and isn't ciphered in some artful manner, it can be found by simply looking at the binary code. Looking at all the text strings, especially those that look like a password, we'll quickly find the required key and easily "open" the program!
The area in which we need to look can be narrowed down using the fact that, in the overwhelming majority of cases, compilers put initialized variables in the data segment (in PE files, in the .data section). The only exception is, perhaps, early Borland compilers, with their maniacal passion for putting text strings in the code segment—directly where they're used. This simplifies the compiler, but creates a lot of problems. Modern operating systems, as opposed to our old friend MS-DOS, prohibit modifying the code segment. Therefore, all variables allocated in it are read-only. Apart from this, on processors with a separate caching system (Pentiums, for example), these strings "litter" the code cache, loaded during read-ahead and, when they're called for the first time, loaded again from the slow RAM (L2 cache) into the data cache. The result is slower operation and a drop in performance.
So, let's assume it's in the data section. Now, we just need a handy instrument to view the binary file. You can press <F3> in your favorite shell (FAR, DOS Navigator) and, by pressing the <Page Down> key, admire the digits scrolling down until it bores you. You can also use a hex editor (QVIEW, HIEW, etc.) but, in this book, for presentation purposes, I'll use the DUMPBIN utility supplied with Microsoft Visual Studio.
Let's print out the data section (the key is /SECTION:.data) as raw data (the key is /RAWDATA:BYTES), having specified the ">" character for redirecting the output to a file. (The response occupies a lot of space, and only its "tail" would find room on the screen.)

    > dumpbin /RAWDATA:BYTES /SECTION:.data simple.exe > filename

    RAW DATA #3
    00406000: 00 00 00 00 00 00 00 00 00 00 00 00 3B 11 40 00  ............;.@.
    00406010: 64 40 40 00 00 00 00 00 00 00 00 00 70 11 40 00  d@@.........p.@.
    00406020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00406030: 45 6E 74 65 72 20 70 61 73 73 77 6F 72 64 3A 00  Enter password:.
    00406040: 6D 79 47 4F 4F 44 70 61 73 73 77 6F 72 64 0A 00  myGOODpassword..
    00406050: 57 72 6F 6E 67 20 70 61 73 73 77 6F 72 64 0A 00  Wrong password..
    00406060: 50 61 73 73 77 6F 72 64 20 4F 4B 0A 00 00 00 00  Password OK.....
    00406070: 40 6E 40 00 00 00 00 00 40 6E 40 00 01 01 00 00  @n@.....@n@.....
Look! In the middle of the other stuff, there's a string that is similar to a reference password (the line at 00406040). Shall we try it? It seems likely we need not even bother: Judging from the source code, it really is the password. The compiler has selected too prominent of a place in which to store it—it wouldn't be such a bad idea to hide the reference password better.
One of the ways to do this is to manually place the reference password value in a section that we choose ourselves. The ability to define the location isn't standard, and, consequently, each compiler (strictly speaking, not actually the compiler, but the linker—but that isn't really important) is free to implement it in any way (or not implement it at all). In Microsoft Visual C++, a special pragma—data_seg—is used for this, and indicates in which section the initialized variables following it should be placed. By default, unassigned variables are placed in the .bss section, and are controlled by the bss_seg pragma.
Let's add the following lines to Listing 1, and see how they run.

    int count = 0;
    // From now on, all the initialized variables will be
    // located in the .kpnc section.
    #pragma data_seg(".kpnc")
    // Note that the period before the name
    // isn't mandatory, just customary.
    char passwd[] = PASSWORD;
    #pragma data_seg()
    // Now all the initialized variables will again
    // be located in the section by default (i.e., .data).
    char buff[PASSWORD_SIZE] = "";

    ...
    if (strcmp(&buff[0], &passwd[0]))


    > dumpbin /RAWDATA:BYTES /SECTION:.data simple2.exe > filename

    RAW DATA #3
    00406000: 00 00 00 00 00 00 00 00 00 00 00 00 45 11 40 00  ............E.@.
    00406010: 04 41 40 00 00 00 00 00 00 00 00 00 40 12 40 00  .A@.........@.@.
    00406020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00406030: 45 6E 74 65 72 20 70 61 73 73 77 6F 72 64 3A 00  Enter password:.
    00406040: 57 72 6F 6E 67 20 70 61 73 73 77 6F 72 64 0A 00  Wrong password..
    00406050: 50 61 73 73 77 6F 72 64 20 4F 4B 0A 00 00 00 00  Password OK.....
    00406060: 20 6E 40 00 00 00 00 00 20 6E 40 00 01 01 00 00   n@..... n@.....
    00406070: 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00  ................
Aha! Now, there's no password in the data section, and the hackers' attack has been slowed down. But don't jump to conclusions. Simply display the list of sections in the file:

    > dumpbin simple2.exe
    Summary
        2000 .data
        1000 .kpnc
        1000 .rdata
        4000 .text

The nonstandard section .kpnc attracts our attention right away. Well, shall we check to see what's in it?

    > dumpbin /SECTION:.kpnc /RAWDATA simple2.exe
    RAW DATA #4
    00408000: 6D 79 47 4F 4F 44 70 61 73 73 77 6F 72 64 0A 00  myGOODpassword..
There's the password! And we thought we hid it. It's certainly possible to put confidential data into a section of noninitialized data (.bss), the service RTL section (.rdata), or even into the code section (.text)—not everyone will look there for the password, and such allocation won't disturb the functioning of the program. But you shouldn't forget about the possibility of an automated search for text strings in a binary file. Wherever the reference password may be, such a filter will easily find it. (The only problem is determining which text string holds the required key; most likely, a dozen or so possible "candidates" will need to be tried.)
If the password is written in Unicode, the search is somewhat more complicated, since not all such utilities support this encoding. But it'd be rather naive to hope that this obstacle will stop a hacker for long.
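The text-string filter just described, as an added example that is not part of the book: a small Python script that reads dumpbin-style RAWDATA lines back into bytes (the dump format shown above for the .data and .kpnc sections) and lists both plain ASCII runs and UTF-16LE runs, so the Unicode case is covered as well. The hex lines it scans are constructed for the demonstration, modeled on the dump of simple.exe, with one extra UTF-16LE string appended; the function names and the "no spaces, no trailing colon" heuristic for separating a bare password-like token from the program's own prompts are assumptions of this example, not anything from the book. Whichever section holds the reference value, and whichever of the two encodings it uses, the same few lines pull it out, which is the point the section makes.

```python
import re
import string

# Constructed sample, not real dumpbin output: the first lines mirror the
# shape of the .data dump of simple.exe shown in Step One, and the last line
# adds a UTF-16LE string ("secret2", each character followed by a zero byte)
# so that the Unicode case can be exercised as well.
SAMPLE_DUMP = """\
RAW DATA #3
  00406000: 00 00 00 00 00 00 00 00 00 00 00 00 3B 11 40 00  ............;.@.
  00406010: 64 40 40 00 00 00 00 00 00 00 00 00 70 11 40 00  d@@.........p.@.
  00406020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00406030: 45 6E 74 65 72 20 70 61 73 73 77 6F 72 64 3A 00  Enter password:.
  00406040: 6D 79 47 4F 4F 44 70 61 73 73 77 6F 72 64 0A 00  myGOODpassword..
  00406050: 57 72 6F 6E 67 20 70 61 73 73 77 6F 72 64 0A 00  Wrong password..
  00406060: 50 61 73 73 77 6F 72 64 20 4F 4B 0A 00 00 00 00  Password OK.....
  00406070: 73 00 65 00 63 00 72 00 65 00 74 00 32 00 00 00  s.e.c.r.e.t.2...
"""

# One dump line: 8-digit address, colon, up to 16 hex byte pairs. The ASCII
# column that follows is not part of the match and is therefore ignored.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?:\s[0-9A-Fa-f]{2}){1,16})")

# Bytes that count as "text": printable ASCII including space, but not the
# control characters (\n, \t, ...) that terminate a run.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 4


def parse_rawdata(text):
    """Turn dumpbin /RAWDATA:BYTES lines into (base_address, bytes).

    Header lines such as "RAW DATA #3" are skipped. Lines must be contiguous,
    which is how dumpbin prints a section; a gap raises ValueError.
    """
    base, out = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, chunk = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if base is None:
            base = addr
        if addr != base + len(out):
            raise ValueError(f"non-contiguous dump at {addr:08X}")
        out += chunk
    if base is None:
        raise ValueError("no RAWDATA lines found")
    return base, bytes(out)


def ascii_strings(data, min_len=MIN_LEN):
    """Yield (offset, text) for each run of at least min_len printable bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_len:
            yield start, data[start:i].decode("ascii")
        start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def utf16le_strings(data, min_len=MIN_LEN):
    """Yield (offset, text) for runs of at least min_len ASCII characters
    stored as UTF-16LE (char, 0x00 pairs). Both byte alignments are tried,
    since a Unicode string need not start at an even offset."""
    for align in (0, 1):
        start, i = None, align
        while i + 1 < len(data):
            if data[i + 1] == 0 and data[i] in PRINTABLE:
                start = i if start is None else start
            else:
                if start is not None and (i - start) // 2 >= min_len:
                    yield start, data[start:i:2].decode("ascii")
                start = None
            i += 2
        if start is not None and (i - start) // 2 >= min_len:
            yield start, data[start:i:2].decode("ascii")


def extract_strings(dump_text):
    """Return sorted (address, encoding, text) triples found in the dump."""
    base, data = parse_rawdata(dump_text)
    found = [(base + off, "ascii", s) for off, s in ascii_strings(data)]
    found += [(base + off, "utf-16le", s) for off, s in utf16le_strings(data)]
    return sorted(found)


def likely_secrets(found):
    """Assumed heuristic: prompts and messages contain spaces or end in ':';
    a bare token sitting among them is the candidate worth trying first."""
    return [t for t in found if " " not in t[2] and not t[2].endswith(":")]


if __name__ == "__main__":
    strings_found = extract_strings(SAMPLE_DUMP)
    for addr, enc, text in strings_found:
        print(f"{addr:08X} {enc:8} {text!r}")
    print("candidates:", [t[2] for t in likely_secrets(strings_found)])
```

Run stand-alone, the script lists the four ASCII strings of the .data dump plus the UTF-16LE "secret2", and the candidate filter leaves only "myGOODpassword" and "secret2". To use it on a real section, feed the file written by the `> filename` redirection shown above into `extract_strings` in place of the constructed sample; the parser deliberately refuses a dump with address gaps rather than silently misplacing offsets.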

