Software Hacking

The document discusses software hacking techniques, particularly focusing on how programs can be cracked using assembly debuggers and exploiting vulnerabilities like buffer overflows. It explains the structure of memory, stack operations, and the importance of registers in controlling program execution. Additionally, it covers methods for manipulating applications, including password cracking and bypassing time restrictions in trial software.

Uploaded by Memoona Asif

@mmar

Hassan 1
Introduction

• Even with today’s most advanced methods of defeating piracy, it is still relatively easy to crack almost any program or application in the world. But why?
• Because a computer process can be completely manipulated by an assembly debugger.
• This way you can completely bypass the registration process by making the application skip its key-code verification, without using a valid password or key.
Introduction

[Diagram: a binary in the file system is loaded into memory as a process with code, data, stack and heap regions; the processor fetches, decodes and executes the code and reads and writes memory]
All programs are stored in memory

[Diagram: address space from 0 (0x00000000) at the bottom to 4G (0xffffffff) at the top]

The process’s view of memory is that it owns all of it. In reality, these are virtual addresses; the OS/CPU map them to physical addresses.
The instructions themselves are in memory

[Diagram: address space from 0 (0x00000000) to 4G (0xffffffff); the Text segment holds the instructions]

    ...
    0x4c2  sub $0x224,%esp
    0x4c1  push %ecx
    0x4bf  mov %esp,%ebp
    0x4be  push %ebp
    ...
Data’s location depends on how it’s created

[Diagram: address space from 0 (0x00000000) to 4G (0xffffffff), highest region listed first]

    cmdline & env    set when process starts
    Stack            int f() { int x; ... }       runtime
    Heap             malloc(sizeof(long));        runtime
    Uninit’d data    static int x;                known at compile time
    Init’d data      static const int y=10;       known at compile time
    Text
We are going to focus on runtime attacks

Stack and heap grow in opposite directions

This allows us not to have to declare their size in advance.

[Diagram: Heap at the low-address end (0x00000000) and Stack at the high-address end (0xffffffff), growing towards each other; the sequence push 1, push 2, push 3, return is shown with the stack pointer at the top item]
What is Buffer Overflow?

• Buffer overflows are a product of poorly constructed software programs.
• These programs may have multiple deficiencies, such as stack overflows, heap corruption, format string bugs, and race conditions; the first three are commonly referred to simply as buffer overflows.
• A buffer overflow can be as small as one misplaced character in a million-line program.
Requirements

• Windows system (preferably a VM)
• A debugger/disassembler installed
    • IDA Pro
    • OllyDbg (this will be used today)
Stack

• Stacks are an abstract data type known as last in, first out (LIFO).
• Stacks operate much like a stack of trays in a cafeteria: if you put a tray down on top of the stack, it will be the first tray someone else picks up.
• Stacks are implemented using processor internals designed to facilitate their use (such as the ESP and EBP registers). The most important stack operations are PUSH and POP.
Stack

• PUSH places its operand (byte, word, etc.) on the top of the stack, and POP takes data from the top of the stack and places it in the instruction’s operand, a register or memory location.
Few Important Registers

• The most important flow-control register is the Extended Instruction Pointer, or EIP.
• As is clear from its name, EIP contains the address of the next instruction to be executed.
• If an attacker is able to modify its contents to point to code in memory that he controls, he can control the process’s behaviour.
Few Important Registers

• When you call a function, this pointer is saved on the stack for later use. When the function returns, this saved address is used to determine the location of the next executed instruction.
Quick look at the Stack & Base pointer

• Memory for functions, local variables, and flow control is stored in a stack, which is a data structure characterized by pushing and popping.
• The x86 architecture has built-in support for a stack mechanism. The register support includes the ESP and EBP registers.
• ESP is the stack pointer and typically contains a memory address that points to the top of the stack. The value of this register changes as items are pushed on and popped off the stack.
Quick look at the Stack & Base pointer

• EBP is the base pointer that stays consistent within a given function, so that the program can use it as a placeholder to keep track of the location of local variables and parameters.
• EBP was designed to provide a “base pointer” for the current function, so that all parameters and local variables are at a fixed offset from the base pointer even as the stack pointer moves with push and pop instructions.
• EBP is a pointer to the top of the stack when the function is first called.
Stack Frame

[Diagram: a stack frame laid out against memory addresses]

You may find the stack drawn in different directions in different books.
Let us Begin

• Suppose the output of some program is:
Addition and Multiplication Methods

[Screenshot; visible values: 20, 10]
Division and Subtraction Functions

Playing with Fire

Double click to amend any value.

Now create a new executable.
Complex Applications

• What if the applications are encrypted, compressed, or both?
• How will you get to know about such applications?
Analysis with PEiD

• PEiD interprets and shows the contents of the PE file structure and also tells us whether the target application is compressed or encrypted.
• In this case, PEiD reports that the EXE file has been created by “UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo”.
Cracking the Password

• When executed for the first time, Glow displays a message box informing the user that a default password has been set.
• Subsequently, the target application presents a dialog box requesting a password to continue.
Software Analysis

• Windows applications (executables) have a specific structure (file format) called Portable Executable (PE).
• A PE file is divided into various sections, including:
    • A section for file information (the header)
    • A section for the actual machine code instructions (code section)
    • A section for the program’s strings and data (data section)
    • A section for the names of the various external functions and dynamic link libraries (DLLs) that the program uses
    • A section for fixed-size and structured data, such as menus, dialogue boxes, icons and cursors (resource section)
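As an added example (not code from the deck), here is a small bounds-checked C reader for the PE section table described in this slide, together with a triage heuristic in the spirit of the PEiD result shown earlier: UPX names the sections it creates UPX0 and UPX1, so their presence is a quick packer indicator. The 168-byte sample image, the section names and the heuristic itself are constructed simplifications, not PEiD's signature algorithm.

```c
#include <stdint.h>
#include <string.h>

/* Bounds-checked reader for the PE section table. Layout per PE/COFF: e_lfanew at
 * 0x3C, "PE\0\0", 20-byte COFF header (NumberOfSections at +2, SizeOfOptionalHeader
 * at +16), then 40-byte section headers whose first 8 bytes are the name. */
#define MAX_SECTIONS 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Fills names[] with NUL-terminated section names; returns the count, or -1 when
 * the image is not a PE file or is too short for what its headers claim. */
int pe_section_names(const uint8_t *img, size_t len, char names[][9], int max) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd16(img + 0x3C) | (uint32_t)rd16(img + 0x3E) << 16;
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;
    int nsec = rd16(coff + 2);
    size_t sect = pe + 24 + rd16(coff + 16);        /* table follows the optional header */
    if (nsec > max || sect + (size_t)nsec * 40 > len) return -1;
    for (int i = 0; i < nsec; i++) {
        memcpy(names[i], img + sect + (size_t)i * 40, 8);  /* 8 bytes, not always NUL-terminated */
        names[i][8] = '\0';
    }
    return nsec;
}

/* Triage heuristic in the spirit of PEiD's UPX match (a simplification of its
 * signature scan): UPX names the sections it creates UPX0 and UPX1. */
int looks_upx_packed(const uint8_t *img, size_t len) {
    char names[MAX_SECTIONS][9];
    int n = pe_section_names(img, len, names, MAX_SECTIONS);
    for (int i = 0; i < n; i++)
        if (strncmp(names[i], "UPX", 3) == 0) return 1;
    return 0;
}

/* Constructed 168-byte image (not a real executable): DOS header, PE signature,
 * COFF header with no optional header, and two section headers named s0 and s1. */
size_t build_sample_pe(uint8_t img[168], const char *s0, const char *s1) {
    memset(img, 0, 168);
    memcpy(img, "MZ", 2);
    img[0x3C] = 0x40;                          /* e_lfanew: PE signature at 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = 0x4C; img[0x45] = 0x01;        /* Machine = i386 */
    img[0x46] = 2;                             /* NumberOfSections (SizeOfOptionalHeader left 0) */
    strncpy((char *)img + 0x58, s0, 8);        /* first section name */
    strncpy((char *)img + 0x58 + 40, s1, 8);   /* second section name */
    return 168;
}
```

Every offset is checked against the buffer length before it is read, so a truncated or hostile file yields -1 instead of an out-of-bounds read.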
Password in the Registry

Method-1

Produce a password with the same hash value.
Method-2

Shun the password comparison.
Let’s Verify the Claim

If the comparison result is not 0 (meaning the two values are not the same), it jumps to one address.

If they are the same, it jumps to the address ending in 360.
We can manipulate the Comparison

XOR of a value with itself will always be zero.
Method-3

Overflow the password buffer.
How to Misuse this?

• If we can overwrite the return address, we can make the program jump to any area of code or memory that we like.
• In the assembly, it is evident that after successful password verification, the code jumps to the Enable Window area at address 00402360.
Overflow

The program crashes at 23 characters.
Overflow

• When the program exits a function, the CPU jumps to the point (called the return address) where the program resumes after returning from the function.
• The Password Verification function in this program copies the text that is typed in the password edit box to a local buffer that is just 20 characters in size.
• When more than 20 characters are entered in the password edit box, the extra characters overwrite a return address which is on the process stack.
Overflow

• The return address tells the CPU where in the process memory it should jump to (continue to execute from) when the Password Verification function exits.
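The defect the slides describe, as an added C example beside its fix (not the deck's or Glow's code): the unsafe form copies the typed text into a 20-byte local buffer with no length check; the hardened form measures the input against the buffer first and rejects anything that cannot fit, so the 23-character input never reaches the stack. The buffer size is the slides' 20; the password value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the password check the slides describe; not the
 * "Glow" code. The 20-byte buffer follows the slides, the password is made up. */
#define BUF_SIZE 20
static const char EXPECTED_PASSWORD[] = "hunter2";   /* constructed sample value */

/* Unsafe form, as the slides describe it: the typed text is copied into a
 * 20-byte local buffer with no length check, so 23 characters run past the
 * buffer and over saved stack data such as the return address. Kept only for
 * contrast; nothing here calls it with oversized input (undefined behaviour). */
int verify_password_unsafe(const char *typed) {
    char buf[BUF_SIZE];
    strcpy(buf, typed);                      /* unbounded copy: the defect */
    return strcmp(buf, EXPECTED_PASSWORD) == 0;
}

/* Hardened form: measure the input against the buffer before copying.
 * Returns 1 on match, 0 on mismatch, -1 when the input cannot fit. */
int verify_password_safe(const char *typed) {
    char buf[BUF_SIZE];
    size_t len = 0;
    while (len < BUF_SIZE && typed[len] != '\0')
        len++;
    if (len == BUF_SIZE)                     /* 20+ chars: no room for the NUL */
        return -1;
    memcpy(buf, typed, len + 1);             /* bounded copy including the NUL */
    return strcmp(buf, EXPECTED_PASSWORD) == 0;
}

int main(void) {
    /* The slides' 23-character input: 20 filler characters followed by Z#@. */
    const char *twenty_three = "12345678901234567890Z#@";
    printf("correct password -> %d\n", verify_password_safe("hunter2"));     /* 1 */
    printf("wrong password   -> %d\n", verify_password_safe("letmein"));     /* 0 */
    printf("23 characters    -> %d\n", verify_password_safe(twenty_three));  /* -1 */
    return 0;
}
```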
We can overflow

We can convert the return address to ASCII.

We can use this address, as there are NOP instructions there.

I don’t like this symbol.
How to Misuse this?

• We will now make our application control jump to this memory address. This overwrites the actual return address with a legitimate address, but definitely not the original one.
• 40235A when converted to ASCII becomes @#Z. We have to enter it in reverse (little-endian) order: 12345678901234567890Z#@

VeryNiceThisisHackITZ#@
Time Bound Applications

• Trial versions of a large number of licensed applications expire after a certain time period.
• Among these applications, a large number use simple time functions in their code.
• Many such applications can be easily cracked, while some highly sophisticated applications do give a tough time.
Time Bound Applications

• Application Developers
    • Release and not Debug mode
    • Employ compression, encoding, encryption
    • Sanitize your code
    • Use fewer referenced strings
    • Use safer functions
    • Secure coding
• Application Crackers
    • Polish computer architecture skills
    • Fall in love with assembly language
    • Coding helps cracking
Thanks
