Category Archives: Hacking

A Simple Demonstration on Reversing Software

03 Saturday May 2014

Posted by in Hacking, Reverse Engineering

2 Comments

Tags

, , ,

In this post, we will learn how to use the demo version of IDA Pro to disassemble, debug, and crack a simple crackMe software.  You may download a copy of crackMe here.  Simply unzip, load into IDA Pro, and follow along.

After unzipping the target binary and running it

Screen Shot 2014-05-03 at 1.47.38 PM

In our scenario, we have a piece of software that is asking for a passphrase or key to unlock it.  Since we don’t know the correct passcode, the software exits with a “wrong password” message.   All is not lost.  This is the power of reverse engineering and using tools such as IDA Pro’s disassembler and debugger: we don’t need the source code to learn how the software works.  With just a debugger and a disassembler, we can often extract keys and learn a lot about the our target software.

After installing your IDA demo.  Double-click to the IDA demo icon and you should see a window like below:

Screen Shot 2014-05-03 at 1.59.26 PM

Select the “New” button and then open your crackMe binary:

Screen Shot 2014-05-03 at 2.00.00 PM

 

Then click Ok on the “Load New File” Window:

Screen Shot 2014-05-03 at 2.00.19 PM

IDA will ask if you want to switch to “proximity view now”, simply click the “No” button.  You should see a window similar to the screenshot below:

Screen Shot 2014-05-03 at 2.04.46 PM

At the very top is the navigation band.  It gives a layout of the binary as loaded in the virtual address space of memory.  The dark blue bands refer to code or functions written inside the binary.  The light blue bands refer to functions that come from a library (e.g. the C run time library), and the pink area refers to Windows APIs that are loaded by Dynamic Link Libraries (DLLs).

The boxes on the left side contain a function window and a graph overview window.  Both can be used to quickly navigate to areas of code that might be interesting to investigate.  The middle window contains a call graph of the entire binary.  You can change from this call graph view to a flat source code view by hitting the space bar.  The space bar will toggle back and forth between call graph view and flat view.

Before examining the source code, let us first set up IDA’s debugger.  In the menu bar, select Debugger, then at the dialog box, select the Local Win32 debugger.

Screen Shot 2014-05-03 at 2.23.53 PM

Once the debugger is set, the green debugging arrow should be activated.

Screen Shot 2014-05-03 at 2.29.38 PM

Before we begin debugging, lets navigate around the code to find some interesting landmarks.  Right at the start, we can see a call being made to a Windows API, IsDebuggerPresent.  According to the Microsoft Developers Network documentation, this function determines if the calling process, i.e. crackMe, is being debugged by a user-mode debugger.  It sets EAX to 1 if the calling process is being debugged.  It sets EAX to 0 if the calling process is not being debugged.  If we were to start the IDA debugger (green arrow button or hit F9 key), crackMe simply exits.  So we will have to deal with this common anti-debugging technique.

Scrolling down a little ways, we see what looks to be a command prompt asking for the passphrase and then some sort of comparison routine.  Note the hard-coded string that is moved into the ECX register:

Screen Shot 2014-05-03 at 2.46.55 PM

It looks like this comparison routine is comparing the user’s command line input to the hard-coded string “ericroolz”.

Screen Shot 2014-05-03 at 2.50.41 PM

Just by static examination, we managed to extract the passphrase.  We can test that by running crackMe from the command line and typing in “ericroolz” and we should get the “Correct password” message.  That is one way to defeat this example.  But suppose we did not see the passphrase, perhaps it was obfuscated or encrypted, or buried in thousands of thousands of lines of code.  All is not lost, we can use IDA’s debugger to step to this crucial decision point:

Screen Shot 2014-05-03 at 3.05.53 PM

Then we can manipulate the results of EAX or the JNZ command to always take the path to the correct password message.  But first, we are going to have to deal with the IsDebuggerPresent check at the start of this code.  First, lets set a break point at the very start of the program, like in the screenshot below (hit the F2 key and you will see a red band indicating the break point is set):

Screen Shot 2014-05-03 at 3.11.53 PM

Now hit run or F9.  We should break:

Screen Shot 2014-05-03 at 3.14.58 PM

While we are at this break, hit the ‘G’ key and type “kernel32_IsDebuggerPresent” in the resulting dialog box.  It is important to have the kernel32 and the underscore along with the IsDebuggerPresent):

Screen Shot 2014-05-03 at 3.17.37 PM

you should wind up here:

Screen Shot 2014-05-03 at 3.18.44 PM

Next, set a break point (F2) at the “retn” instruction at address 7C8130B0:

Screen Shot 2014-05-03 at 3.21.13 PM

Right-click on that break point and select “Edit Breakpoint”.  In the resulting dialogbox, you want to set the condition of EAX=0 and unselect the Break (under Actions) check box.  Next click OK:

Screen Shot 2014-05-03 at 3.23.21 PM,

We are setting the break point in such a way that we are not suspending the program when we hit the break point, but simply setting the return value (stored in EAX) from IsDebuggerPresent to always be 0, that is, regardless of the fact that we are running crackMe in IDA’s debugger, the condition will always return false and we will fool the program into continuing with our debug session.

Next, hit the ‘G’ key again and type in ‘eip’ in the box.  This will take us back to our current break point, that is, to where the current instruction pointer is pointing to:

Screen Shot 2014-05-03 at 3.29.51 PM

Next, we are going to want to navigate to that crucial decision point we saw earlier during our static analysis:

Screen Shot 2014-05-03 at 3.05.53 PM

So let us go to loc_401067 and set a break point there.  We can use the ‘G’ key and type in the address to take us there:

Screen Shot 2014-05-03 at 3.33.24 PM

Now after hitting F9 again, the debugger runs to this break point we just set.  Open the resulting command window and enter any passphrase you want (I typed in “whatever” then hit the enter key):

Screen Shot 2014-05-03 at 3.35.16 PM

Screen Shot 2014-05-03 at 3.38.04 PM

After typing any phassphrase, we hit the breakpoint.  Note the value in the EAX register.  It is a 1.  The TEST EAX, EAX instruction is checking whether EAX is 0 or not.  Since it is 1, the JNZ command will jump us to the incorrect password message.  We don’t want that.  We can do one of two things:

1.  We can change the value of EAX by highlighting the EAX register, right clicking and choosing the “Zero value”.  This will change EAX to 0 and we will take the path to the correct password message.

2.  We could step past the TEST EAX, EAX instruction and pause on the JNZ instruction.  If EAX was 0, the TEST instruction would set the zero flag (ZF = 1) but since what I typed in won’t match “ericroolz” either, the zero flag will not be set (ZF=0).  We can simply change the zero flag by right clicking on the ZF value and choosing “Increment value”.  This will increment the ZF to 1 from 0, thus causing the JNZ instruction to take the correct password message.

I will demonstrate method number 1.  You may re-run this example and try method 2 if you wish.  Right-clicking on the EAX value:

Screen Shot 2014-05-03 at 3.47.57 PM

We will just 0 out EAX:

Screen Shot 2014-05-03 at 3.49.04 PM

Note that the EAX value changed to 0 and if we single step past the TEST instruction:

Screen Shot 2014-05-03 at 3.51.04 PM

You should see the red arrow pointing to the correct password message blinking.  That signifies that we will take that path after setting EAX to 0.  If we continue to run the debugger (F9) we should see that even though we clearly entered the wrong key, we still were able to “unlock” our program:

Screen Shot 2014-05-03 at 3.54.49 PM

Now that we know the crucial decision point, we could use an editor such as OllyDbg and change the JNZ instruction to something that will always jump to the correct message location no matter what passphrase is typed in.

Although, this example was rather simple, it does illustrate the power of using a disassembler and a debugger.  Even though we do not possess the source code, that did not prevent us from learning how our target binary worked.  Once we understood how our binary worked, we were able to manipulate it into “unlocking” itself.

 

The Power of Python

29 Saturday Mar 2014

Posted by in Computer Security, Hacking, Pen-testing, Python

Leave a comment

Tags

, , , ,

I am often asked by CS students interested in a career of pen-testing, what programming language they should learn?  Is there one that is best suited for pen-testing?  My answer is Python — hands down.  It is a very easy language to learn and it is very powerful.  When a pen-tester in the field needs to whip up an automated tool, it is usually done in Python because it is fairly easy to code up working prototypes on the fly.  I will demonstrate by whipping up a Python key-logger in just a moment.

Another reason you should learn Python is that many pen-testing tools are written in Python.  So if you ever need to take an existing tool and extend its capability, you will have to understand the Python language.  Python is also available on many pen-testing platforms such as BackTrack and Kali linux.

As I said, learning Python is very easy because it is a well documented programming language.  Almost everything you need to learn the language is available at python.org.  There are also very good tutorials available here and here.  Once you get the basics down, you will be amazed at the tools you can create.  Allow me to demonstrate with a simple Python key-logger:

First, a word of warning.  This key-logger only works on Windows machines and it will log every key stroke a user presses.  Please do not load this key-logger on anybody’s machine but your own.  This key-logger is for educational purposes only.  Besides, it is not very stealthy.

Next, you will need to install Python on your Windows machine.  You can download Python here.  I am using Python 2.7.6 for a Windows 7 64-bit machine.  Python 2.7.6 is pretty stable so I prefer it to versions 3.x.  Be sure you select the proper installer for your Windows machine (i.e. 32-bit or 64-bit).

After installing Python, you will need to install a library called pyHook.  pyHook is a wrapper for global input hooks in Windows.  It wraps the Windows SetWindowsHookEx API.  You can get the appropriate version for your version of Python and Windows 32-bit or 64-bit versions here.  Scroll all the way down until you get to the pyHook section.  For my machine, I installed the pyHook‑1.5.1.win‑amd64‑py2.7.exe version.

After installing pyHook, fire up a command prompt (cmd.exe) and cd into the C:\Python27 directory, then type ‘python’ at the prompt (without the quotes) you should see:

Screen Shot 2014-03-29 at 8.52.56 PM

the three right angle brackets (>>>) is the prompt for python.  Type ‘import pyHook’ then enter.  You should see no errors if pyHook installed correctly:

Screen Shot 2014-03-29 at 8.55.40 PM

You are now good to go.  Fire up your favorite editor.  You could use notepad.exe but it is much better to use an editor that recognizes Python syntax.  A good one is notepad++ or my favorite is Vim.

Before coding up the key-logger, I visited the documentation page to learn how to use pyHook.  You should too.  Play with pyHook from the Python command shell to get a feel for what you can do with it; see if you can cobble your own key logger together before looking at my implementation.  If you need further hints, see this pyHook wiki.

Here is my implementation:

Screen Shot 2014-03-29 at 9.10.40 PM

That is it!  It only took about 20 lines of code!  That is the power of Python.  To run your key-logger, make sure you are in your Python directory (usually C:\Python27) and type the name of your key-logger (I named mine logger.py):

Screen Shot 2014-03-29 at 9.15.40 PM

Now open up another command prompt and type, ‘dir’, and ‘whoami’.

Screen Shot 2014-03-29 at 9.18.30 PM

Open up notepad and type anything you want:

Screen Shot 2014-03-29 at 9.21.30 PM

Once you are done, your logging file should contain every key you typed:

Screen Shot 2014-03-29 at 9.27.53 PM

With a little reading and some practice, Python can help you become that evil genius you’ve always aspired to be.  That is the power of Python.

 

 

Holy 1984 Batman!

01 Sunday Dec 2013

Posted by in Computer Security, Cyber Security Research, Hacking

Leave a comment

Tags

, ,

I warned that hooking everything up to Internet was a bad idea years ago.  Your TV can now watch you!  Too bad you can’t break for commercial every 10 minutes like your TV does.  Here is another article on the subject.

This is what people can do with the new smart TV you are buying for Christmas.  I shudder to think what can be done to medical devices that talk over wireless networks.  I am not sure what can be done about the problem.  People love the convenience of controlling their home’s thermostat or security system remotely, from the Internet.  And the bad guys love the ease of convenience, too.  The “Internet of things” security is a hot growing research area so we will be reading a lot more about the problem.

to publish or not to publish

Often, I am confronted by people about publishing vulnerabilities.  “Why would you bring this to the attention of the hackers?”, they would say.  The truth is, if someone like me can find the problem, then any reasonably intelligent and curious person can also find the problem.  It is very likely, that there are others who are aware of the vulnerabilities and this would include the hacker community.  More of our appliances contain computer chips that run light-weight versions of the Linux operating system and open source software.  Anybody can get access to the source code, and all code contain bugs and vulnerabilities.  It doesn’t matter who wrote the software, or how smart they are, mistakes get made, and others will find those mistakes and exploit them if they can.

Other scientific professions have suffered from similar dilemmas.  Physicists working on the Manhattan project, for example, often had to come to terms with the prospects of advancing human knowledge and having that knowledge lead to human destruction.  Wasn’t there a story somewhere about Buddhist priest who once said: “The good news is: all humans possess the keys to heaven.  The bad news: that same keys also opens the gates of hell.”?

I believe it is better to publish the technical vulnerabilities; to be aware of them so that many bright minds can come together and fix the problems.  And it helps alert the defenders to look out for them.  I remember watching the “Super Friends” as a kid.  On one episode, Robin was complaining about the inherent dangers of scientific discoveries and how easy it can be for people like Lex Luthor to use them for evil.  Batman replied: “… Technology is neither good or evil.  It is the mind behind it that determines its use.”

And they say Batman has no real super powers.  He has a super intellect.  I know.  It’s not as sexy as having a chest you can bounce bullets off of.  Or a new smart TV that you can hook directly up to the Internet.