Thursday, July 18, 2013

Software Cracking/Disassembly/Debugging ... call it what you may this is just the beginning

So recently i got a little of complains about not showing people how to crack software and how i have not shown how software is broken into using reverse engineering well here is the guide to doing all this... right here am using

Ollydbg
Hackers disassembler
coffee
coffee
ASM
and more coffee
For this example i will be using a software that has been in the past been used and numerous tutorials have been published and video documented , the reason am going to do this is to:
elaborate what really happens in ASM and reverse engineering using various methods such as creating a software crack.
Also this is barely an easy task we will be breaking down a little about ASM in general though this is hardly a substitution to ASM tutorial... please understand ASM enough to indulge in this... numerous times have i been approached by people saying they cannot understand what is happening or what or why do we do JMP to NOP... well i will show you why but please if you have no idea what JE or JZE translates to and their similarity and maybe their relation to ZL please... refresh your understanding with assembly with the provided documentation and pdf tutorials on this site here

Moving on.... we can fairly start... here am using WinRAR ver 3.80 ... its quite old around 2008 release so its ok for us to use it for simple testing.... we can try the 5.0 beta 7 2013 release but lets get the basic understanding of what happens shall we?

so a copy of it can be found in our trusty site for old apps oldapps.com ---> good for finding old , previous versions of software. moving on we download our WinRAR
Then We install...


After the final Setup we can see what it tells us about the product


We Start it and the first thing we note is the program is an evaluation copy as we noted when downloading and installing that its a trial


opening its about we can see that it has 40 days for trial


I go back again to my method that is ... error generating ... :) in Vulnerability/exploits errors are a very good friend of yours in this method what i do is forward the date in my machine past forty days to see if the program is affected by that.... why? .... check out this post to in my earlier post explaining why i did that. Moving on when i change the date the program acts out with an error saying the time extension has been passed.... well thats a good thing... now what do we want to achieve....

1. to crack the software would mean to remove the (evaluation copy) message....
2. allow us to use the software without time restriction.... which is removing the message box about purchasing the software....
we good ? aight lets go...


we fire up our Hacker Disassembler ... let me refer it to HD for now ..cool? aight
now loading up HD with the WinRAR executable we find tonnes of information and ASM code... now what we need is the required steps to activate* the software so here goes nothing...


we do a simple search for the string 'evaluation' ... we don't search for the whole bit to get the most outputs of the string 'evaluation' .. ok?


with that we get a string match


how do we know this is what string we want.... observe the code below circled in red.... there is an output that states in a comment (you all know how comments on ASM are made right with a semicolon) and its states.... and points that the ( <---- starts from there that is the first bracket to (evaluation copy) is there... this can be clarified by scrolling down and you will find the rest of the string there...


now looking at the above code what do we see.... well i will break it down to the most none-asm way possible but will explain every term we need ... we can see that the program moves registers first(this may not be the same as the programmer compiled it as asm has a way of optimizing code) so the first two mov are done then it calls a certain address to act moves a register again....performs an arithmetic function (eax) of subtraction (probably to check the time difference----we don't know yet since we have not gone to all the calls and functions here its just a cracker/programmer intuition ) we call an address again then we compare (cmp) a byte to an address  then the program does a jne---> hoping you know what a jne is ...which means it does a Jump if Not Zero which its a  conditional jump... A GOOD THING.... now we wont even go further since we find a condition that must be fulfilled so as the above error must be displayed... you get where am going with this... cool

now note down the address that the JNE is allocated and leave it at that... on my end its 00444B71


we move on from that.... now the next step is to go for the error thats thrown off when a certain period is past.... this is the message box telling us to register... now the box has a string message stating
'Please Purchase WinRAR license' ... now one thing about it is it was a Dialog box ... so we click on the D on the HD and we get all Dialog References..... here we search for it by typing Please.... well mine showed up just when typing plea* :)



we double click on the dialog reference to get to where its addressed it gives us the below address and with that we basically have the dialog right there in red... we see it has various options before it does a push of an address.... now this push is what we want/don't want... get what am saying... its what we want as of now ... i.e to see in the asm code ... but its what we ... DON'T want in the executable when it runs....

alright


now what we so like before we note down the address the command holds.... on my end its 0048731A
and we move on


now here is where we fire up our little and mighty Ollydbg....  and load up the WinRAR executable


we now have the addresses we want to go to... so we right click on the frame that has loaded up the executable ... (top left frame) and click 'Go to' we can do this with a short cut that is CTRL+G ...


on this we paste/type our address... the first one and click Ok to go to that address that holds the conditional jump we want/need


highlighted in gray is the area of interest.... and we can see the JNZ that is loaded is the one we want... a lot of ASM new comers ask why do we get JNZ and we wanted JNE well here is a little analogy i use to help the predicament...

JNE is Jump if Not Equal
while
JNZ is Jump if Not Zero

the two assume a Jump condition is to be fulfilled only if the execution doesn't bring a Zero or anything equal to a Zero same thing right o___0 ... go figure



Now what we want is to do a simple thing;

 change the conditional jump to a none conditional jump

with that we can stop the execution of the string we want to get raid off.



with the above we right click... only this time we choose > Binary then Edit while we have selected the line of address ....
here we have HEX+01 which we need to edit.... now to change a JNE to a none conditional jump such as JE its opposite we have to have it as a minus one in the 85 field to become 84 seeing as:

Instruction Jump Condition          Test
JE                 Jump if Equal                  ZF=1
JNE                 Jump if Not Equal         ZF=0
JG                 Jump if Greater         (ZF=0) AND (SF=OF)
JGE          Jump if Greater or Equal SF=OF
JL                 Jump if Less                 SF≠OF
JLE           Jump if Less or Equal (ZF=1) OR (SF≠OF)

see this link for the whole table that will explain better and easier

we can give it any range as long as it will not be Zero result


Now after that we will get the below code having it changed to a JE....



moving on... we again head on to the second address which is the following



 we paste /type our address from before and ....


we land on our PUSH address .... that pushes our dialog box.... now what we want to do is kill the push.... how.... well simple by filling it with NOPs .... what are NOPs... this are No data/ No Command/ No assignment to addresses or registers.... so what do we do



We right click and it select the entire line go to
 > Binary
and select
> Fill with NOPs

.... filling with 00s in other programs also works... tweak around and observe....


as the diagram below shows the red code on the left that is filled with NOPs


Now what we want to do is save this cracked*/modified executable... with that we do as such....
right click go to....
> Copy to executable
>All Selections


you will get the below screen with the following notations at the top left D*
select'
>Save file


Save it to a place like the desktop.... first or save it with a different name in the same folder and ....


Now after that close up your Ollybdg or whatever Disassembler .... and execute/run it.... the executable you created and saved... and like mine on the desktop.... see what it brings up... a cool interface that has no evaluation required....







As it goes thats the procedure..... well for most applications .... this is just the basics and we can move on to harder more complex applications... please use this knowledge for good but not to diminish people/companies from their sweat and products/services

as a developer you may ask how do i secure myself from this.... well in a lot of ways

  • Write code with the intentions of not letting people crack it... :) ... avoid being to easy when creating dialogs and strings for responses.
  • Comments are good but can also lead to fatalities.
  • Obfuscate your code...
  • Tweak methods to display errors when in need to only.
  • Optimise your program by also doing a jumble up of serial/product key functions.
  • Use sophisticated algorithms to create keys/serials .
  • Use files instead of Keys.
  • Activate product online(also helps).

Remember you are as strong as your weakest links :) with that.... I am out and CIAO


Wednesday, July 17, 2013

Exploit writing .... for humans .... yes its possible


I think this topic is a little hushed due to its nature of sophistication or learning curve....

going from my earlier post about software cracking (I hardly spilled the ASM beans on that one) hence a little offset will probably occur here.... on this.... what i will do is break down the barrier of programming language that is high level and low level...

so what will need to know before we start

  • a high level programming language.... e.g C,Java,Python,Perl or Ruby
  • and yes we need to know a little enough about ASM(for now ...if we advance we need to add more to our stack)
  • Metasploit is not a must but can be very helpful
  • math.... yes a lot of mathematics
this will be sort of long since i will break it down to the bare essential so if you think its too soft.... thats because it is... moving along

  • Reverse Engineering--- this is simply breaking down an object/code in our case and getting a look at the code from a decompiler
  • ASM--- assembly language (just google this part ... i will wait) yes its that.... but heres the trick about ASM... it has a lot of gibberish but its very understandable some terms
functions------- e.g POP, PUSH ,MOV,SUB ,RET
register ----    AX multiply/divide, string load & store

CX count for string operations & shifts
DX port address for IN and OUT
BX index register for MOVE
SP points to top of stack
BP points to base of stack frame
SI points to a source in stream operations
DI points to a destination in stream operations


Along with the general registers there are additionally the:

IP instruction pointer
FLAGS
segment registers (CS, DS, ES, FS, GS, SS) which determine where a 64k segment starts (no FS & GS in 80286 & earlier)
extra extension registers (MMX, 3DNow!, SSE, etc.) (Pentium & later only).

^borrowed from wikipedia

The IP register points to the memory offset of the next instruction in the code segment (it points to the first byte of the instruction). The IP register cannot be accessed by the programmer directly.
 

this are just examples and barely scratch the surface of what is happening.... explaining that would probably require another blog....
now here is the explanation to the above 

a register is a place you do stuff---that easy huh hehehe yaah for now... registers are work benches 
like EIP is what is about to happen next
and ESP is a workshop---when we working
and EAX mostly.. math is done in there ---> this simply my analogy from my teachers point of view.... 
 
now moving to disassembly (google that also) we have various tools that can do all this decompiling... now for me i will not dare recommend any tool ... just mess with them see what is your best method /tool to approach the code/apps here are some examples

debuggers
  • Ollydbg
  • SoftIce(very old though)
  • IDA Pro(yes its expensive---but worth it)
  • Immunity is also a good option so also try it
moving on now something really cool about ASM.... ASM works on a step by step procedure... what do i mean... when ASM wants to work with an *object... it does so one step at a time... now here is the interesting part... if it had stacked an object under ten procedures... it will have to go back through the same ten procedures in reverse to pick it up again.... then start working from there....


ok moving on.... i wont spend more time here but if you came for exploit development am guessing you are ready for whats next.... 

Methods of attacking the application

now a lot of people ask me how do we even start by attacking a software ?

assume you have a sole responsibility to pentest a music/media software... our example will be a software known as Easy RM to MP3 Conversion Utility    its a small ,media oriented software 
we can also use vlc,adobe,word anything that will basically be an exe for now... but lets start with this aight...  

method of exploit... buffer overflow what is buffer overflow?... this is when an application cannot handle excessive data and spills it... well not exactly spilling it out but into another workbench /Register

then how do we know how to get a buffer overflow? we crush it... per say we bring out errors
... i mean how do we get errors from it ... well you broke the first code lassy... we get errors from it .. 
 
heres how fuzzing... what is fuzzing (google that ... am waiting).. got it? ok now here is where we create a fuzzer (yes not all tools are already made when hacking)

so here is a simple fuzzer

and when we run the fuzzer.... we get the following 

moving on from that what we have created is simply a file that will be read by the media app i.e Easy RM .... it contains a lot of data that is basically A's so here is our output when we get it to open (i changed to kali linux from mac here for reasons you will see just ahead)



















now here is when the fun begins (well not all times will the app crush directly sometimes we need more As aka junk data so we multiply with more if we need to) so does it crush yes it does B) 
moving on we now want to see whats happening when it does that.... we fire up our trusty Debugger i will use Ollydbg for now so here is the open session screen and attach the running (new running )process of Easy RM... hanged the fuzzer to bring out Bs ... not thats its needed to just me being me....

so we attach the process to ollydbg and open our new crush file (with Bs---just checking if you following) and again baaam it crushes... this time with this showing on our ollydbg



let me do a little explaining.... on the window on the right side we have the Registers...
on our top left side we have a blank part but thats the because our program crushed on an earlier look it would be filled with the program functions the NOP POP MOV and what have you ....
lower left has a little of everything the hex,ascii (everything thats going on)

so we have something at the furthest end.... the top right corner... on that side we have a lot of BBBBB.... as u can see then we have a very interesting notation

looking at it we have Bs in EBX ,ESP then to our favourite Register EIP.... why is it our fav ... its because 1... programmers can't directly access that register... not even on an ASM level.... 2. EIP as i stated earlier is what is about to happen .... thats right ... NEXT .... so that means its what is unknown to the program at that time... hence we can call any function if we spill that called function inside there.... and that function is our... YAY hahaha no abbreviation for that, our ShellC0d3 <---- ok thats not so cool) but ....

hold your horses ... we far from that well not that far... depending on which high horse we decide to pull an allnighter on ... ok now what we need to do is know where excatly the code *breaks at.... how do we do that?.... we create a pattern

now EIP is only 4bytes big/in size so what happend is along all those Bs i sent or were loaded there is a place with the 4 bytes that caused the crush.... now what we wanna do is try and get the 4 bytes location... now this can be done it two ways... the manual way where we create a fuzzer with diffrent As and Bs characters as sucj 3000 As and 3000 Bs so is we get As only its in the range of 3000 if we get Bs its in the range of 3001 and above true?.... this is the deffrential method....
we also have a tool for doing that in metasploit... this tool is a ruby script called pattern.... so here it is working its magic....

and it creates a sequence that looks like so.....
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8..... and so on now we will modify our script to this


with that i can go on as now our script./fuzzer looks like so ...moving on now we can get a pattern that doesn't repeat itself and we can look for our 4 bytes 

and again BAAAM our sweet application crushes.... but this time we note our EIP .... now our EIP contains not 42424242 nope now it contains a sweet melody of 7A53307A with this we can tell how this is going to go down....

now here is where the math comes in.... P.S dont be surprised if you get a different Address it just depends on what your file path in the executable is... it may be longer or shorter now... to offset the data

where getting a tool to offset still in metasploit i get this


for my first offset.... now with this i can conclude the exact size of the buffer before i write my shell code... the center one being what am looking for.... now for this it means,35071 is the buffer length needed to overwrite EIP. So if i create a file with  35071 A’s, and then add 4 B’s (42 42 42 42 in hex) EIP should contain 42 42 42 42.
 
here is the result... and am all smiles with that



so what does that mean... we have found the soul important address that the register overflows at B) and that is a very good thing.... now the shell code ... ah ah not yet.... why... thats because we cant fit a whole command prompt/shell code in 4 BYTES!!! thats crazy .... but we do have something else... remember when we we busy filling the program with As or Bs .... on our bottom right on the debugger
we had something like such


with that.... we have a way in.... now what we have to do since the As or Bs were filled in a ESP register we have too look for a JMP ESP function.... why since we wanna jump to the code .... fill it with data.... and the register that is filled from the ESP code that is the EIP which we cant***** access programmatically and also awaits to execute the overflowing data........ runs the desired shellcode so... here we go

 on the above screen shot---- we click on E* to bring up the executables....
listed below are the executables....

now a little note to be noted <--- what hahaha alright .... the system processes we see are quite ok to use also... but this will be platform DEPENDANT in sense ... if we use them they can only be used by a person attacking the same platfrom e.g XP service pack 1 will work only on SP1 platform of XP and so on.... anyway using the same application executable really will save us much... plus its what we will do.... so here goes nothing..... we select the executable for Easy MP3.... if it had dlls we could use them if we wanted to....

so we select the executable since we dont want too many exploit restrictions..... and we search   in the code for the JMP ESP command..... this we get from here



wuuuu ..... with that.... we can set a break point to observe if the JMP ESP is going to hold any water..... now this is not a must its just a procedure if u run into an issue while working, now whats our address in the JMP ESP?  7CA7A787x86 processors have a habit of ending up in little endian encoding so we read addresses as  \x87\xA7\xA7\x7C .
  
now to generate our shellcode.... there are a lot of ways .... but best way is by use of metasploit... AGAIN B)..... here is how using the msfweb method 

and with that we generate a bind payload..... 
...... now lets go to our fuzzer....

after generating the payload.... and encoding it with ShikataGaiNai to evade a little and bring a little peek a boo .... we are ready to put the shell code into our fuzzer.... so here we go 'B)

we create a script/fuzzer that looks as such

 and with that we generate the playlist we want to be ran by the victim.... and we test to see if it works...

 what do you know... it opens and doesnt crush :P

ok lets see if the shellcode executes ok....
 VOILA!!!! ....there we go :)


our payload works and binds us to port 4444... wow nice huh... yeah ... anyway this is a very simple application to attack... adobe, vlc, java-dependant software have the same kind of feel and feed.... it gets a little tricky though if obfuscated and also if the program does not have 3rd party dlls... well i hope this is a start for you ...if you want more on ASM check out my links with PDF downloads ... here will be posting the video for this soon so please keep in touch.... ask questions in comments if you need any help ...where i can i will gladly help where i can.

CIAO happy hunting.



Monday, July 15, 2013

Hey Free Wi-Fi ... the matatu hacking Syndrome


Everything has a price... heck even the free tools i know including our brains pay a price by need of knowledge and so on and so forth... what am i getting at... in Kenya i got a chance to ride in one of the Wi-Fi enabled PSVs Public Service Vehicles... the hacker in me... did not want to hate on a lot of this issues but hey the pentester in me likes to create awareness so ... with the whole country going digital and being stuck in traffic for a little over 45 minutes i decided to give this beautiful tech savvy mode of transport a pentest :) (really i should get paid)

Coming of as a very lucrative and empowering initiative (thats going to give them a lot of revenue ) by the safaricom network one of Kenya's major Network (mobile and data) providers   an initiative dubbed the vumaonline is an initiative to equip most (if not all) PSVs with wireless data capability where customers will admire and adore using the internet on this vehicles at no extra cost to them .

well without further a do ... the first thing is i made sure my window was shut tight beyond the point of no robber slide and smiled at my besty Diana as she knew ... this nikka is up to no good (thats what she actually said) then pulled out my little Talia (Asus 11.3 inch laptop) and booted up my little default pentest environment .... my trusted and heavily customised Backtrack linux ...
plugin in my external usb wireless card (capable of injection i might add).

and we were on.... first thing was to connect to the Wi-Fi which had a pathetic key i may add (the number plate e.g KBC_567D) so even the guy trailing the vehicle might get a glimpse of the network ( not that i tested i assumed---which is wrong :( but hey at that range i believe its possible) and when i connected first thing i did.... the near obvious... enumerate all the users on the network by scanning the whole IP range... so what do we get: in a quick instance

arp-scan
and here is my command

arp-scan --interface=wlan1 --localnet
this gives me various IP addresses and  MAC addresses which resolving them (MAC addresses) to their vendor/manufacturer ID using this http://www.macvendorlookup.com/ gives me something close to this

3 Samsung devices
3 Huawei devices
1 Blackberry device

good we are going somewhere .... with this i can go on :)
oww yes the Wi-Fi was well protected with WPA-PSK so no hackers allowed :)  while thats really cute the password still irks me...

moving on i wanted to try out an MiTM attack (Man in The Middle)  ...but hey too bad i will have to confess that i actually gave up due to the time constraint...(with the above information not much damage was done but if given time i would probably have done tonnes more like own your phone,redirect web logins to phishing sites, steal credentials, install malware (sooner or later via initiating downloads of malicious apks in case of android phones that would tap your messages and probably see how much MPESA transactions u see/do in a day or given time) ) i had but, more fun and pentest would still suffice what i did is pull out my Samsung galaxy tab plus and waged a little more interesting attack method :) hacking facebook (thats all i could see when peeping over their shoulders .....FACEBOOK and well twitter and a little what's up on one of the passengers phone.... so here goes nothing.

So a simple app called (well not really simple) FaceNiff entered the software/app market recently with the ability to hack facebook accounts... with a simple method,
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.
It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK)
It's kind of like Firesheep for android. Maybe a bit easier to use (and it works on WPA2!).

*** ROOTED PHONE *** is required. Please note that if webuser uses SSL this application won't work.
This application due to its nature is very phone-dependant so please let me know if it won't work for You

Use with stock browser (might not work with other)

well moving in on the kill we get one user with a none protected facebook account... well how does this work?

we connect to the Wi-Fi , using your regular wi-fi settings.
start the application,

you can also choose which accounts to attack
also you can do auto locating of profiles that match your preference and also do a MAC to vendor resolve




















and with that we got the accounts as above.... what is the dangers of this
as i have asserted on previous notes and research most people use default and/or same passwords in accounts so... is it hard that your company email is protected by the same password? your online bank account? what of your laptop/computer password? well its just a matter of time till a malicious hacker /information gatherer finds that and you are done for.

P.S the above application does not require you to be tech savvy or a hacker per say but hey :)

so how do we/I fix this first recommendation ....
-Encrypt your network see SSL i warned people about it earlier 
heres how on facebook---->


1.  Click on the Account tab.
2.  Choose Account Settings.
3.  Click Change next to Account Security.
How to Protect Your Facebook Profile: 10 Ways to Increase Privacy
4. Check the box for Secure Browsing (https). Click Save.
How to Protect Your Facebook Profile: 10 Ways to Increase Privacy
NOTE: Whenever you use a Facebook page or third-party app that takes you out of secure browsing, and you allow it, it will disable it completely and you'll have to go back and reset your preferences. Don't assume it will automatically switch back.
When in Account Security, you can also change settings for Login Approvals and Login Notifications and check your recent Login Activity.
and with that follow the procedure to other sites like google,gmail,youtube,amazon,itunes e.t.c

owww please use more than one strong passwords on different sites read about how to create strong passwords here

in the meantime surf safe :) good day owww and yes i did warn the beautiful lady who i owned her account... she bought me coffee today :)



ARCHIVED

:) No longer posting, all articles should be treated as archived and outdated