GOING UNDERCOVER
(How to autoconnect to the Internet at work)

by +Yamato
HCU
(10 July 1997)


Courtesy of Fravia's page of reverse engineering

Well, I have almost no words. This document is INCREDIBLE! +Yamato has not only reverse engineered a protection scheme: he has reverse engineered a whole situation!
All the people out there that have already read my corporate survival strategies know well how important I reckon the struggle against a situation where people are at the complete mercy of their stupid boss and some servile sysads.
+Yamato was deprived of internet access at work... a scary situation... and what did he do? He used his superior cracker intelligence to solve the situation.
Note also the two C programs he wrote: browse.c is a little GOOD utility in its own right!
Read this fantastic essay and you'll also understand, as I for sure understand now, what an incredible "nose" +ORC had, from the beginning, when he told us to send the +HCU membership to +Yamato immediately after reading his first essay at the beginning of March.

Going undercover

by +Yamato

Content of the essay: hiding Windows applications, cracking Wingate, registry settings
Case study: you are working for a company, and your Internet access is cut (for various reasons, all leading to money). What do you do?
Software needed: Wingate 1.3.17 proxy server (a very good, fast and tiny proxy server, running on all Win32 platforms); you can download it from www.deerfield.com/wingate
Tools: w32dasm, soft-ice, c compiler, resource workshop.

Hi again, folks. I read Fravia's essay about survival strategies in a corporate environment, and I thought I would give my contribution to the cause. So, here is the story:

A while ago, my boss searched some computers in our office and found some interesting files of mine. He didn't like them, so he cut off my Internet connection. Of course I was desperate; I cried for two days and two nights :o). But then I wiped my tears and started working on the problem. My idea was to use a proxy server installed on another computer and to connect through that proxy. Several problems were involved here, but the biggest one was that the proxy server had to be invisible and, obviously, consume very little memory. First I had to choose the proxy software. I had heard about Micro$oft Proxy, so I went to the M$ site. Here are the requirements:

35 Megs of HD space
Win NT Server 4.0
IIS 2.0 ??!!!
Service Pack

This really sucks. I need an NT Server to run the proxy, plus Internet Information Server. Why the hell do I need a web server to run a proxy server? Beats me. So I dropped MS Proxy. I wanted to be able to run the proxy even on a pure Win95 machine, without any sucking web server or service packs. So a simple search on the web led me to the proxy software of my dreams: Wingate. Here are the specs, to compare with MS Proxy:

300 K of HD space
Win95, NT Workstation, Server ...

Eeeh...! What do you think about this difference? And both programs do the same thing!

The first problem was to hide the proxy. After a little search through the win32.hlp file I found the solution: we can use ShowWindow(SW_HIDE) and the window will disappear from the task bar and the Alt+TAB menu. In Windows NT it will even disappear from the process list in Task Manager. In Win95 it will still appear in the Ctrl+Alt+Del dialog. So I wrote two little programs to hide my program. The first, launch.c, launches the proxy server and hides it, then exits. The name of the proxy program is xor-ed in the code, so a string dump of the exe file won't reveal the name of the launched program.

The second, browse.c, is a little utility which lists all windows in the system (even hidden ones) and lets you choose which to hide and which to show. This is useful for showing the proxy server again after you have hidden it.

After that, I cracked Wingate (I'll talk about this later). Then I used Borland Resource Workshop (thanx Fravia for the tip) to remove the program's icon, so nobody can guess what it is. Then I copied launch.exe and wingate.exe into the Windows dir of the target computer and, of course, renamed them to some inoffensive names, so they won't attract the user's attention. This is very important, since the name will appear in the Ctrl+Alt+Del dialog. So choose a name like csrss.exe, osa.exe or that of any other background process which is not running.

To start the proxy server every time the computer boots, I put launch.exe in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkey. So the proxy will be launched in a hidden window every time somebody logs in. Nobody will know that the proxy is running, and the hacker/cracker is happy. Version 2.0 of Wingate will allow the proxy to run as a service, so it won't even be necessary to log in.

More countermeasures:

You have to be more careful when browsing through your hidden proxy.
First, disable the disk cache in Netscape, so they cannot see what you did. Leave only the memory cache, and possibly increase its size.
Second, use non-default ports for the proxy. For example, DO NOT leave the http proxy on port 80 (the default number). Use a port like 1276, so they cannot find it through a network scan.
Another problem is that they can look into your Options/Network Settings/Proxy Information submenu and see the address and port of the proxy server. That's why it is necessary to have a little utility to erase the proxy information from the options with a simple mouse click. Make a little C program which calls RegDeleteKey. The important keys (for Netscape Navigator) are:

HKEY_CURRENT_USER/Software/Netscape/Netscape Navigator/Proxy Information
HKEY_CURRENT_USER/Software/Netscape/Netscape Navigator/URL History.

Delete these keys and your tracks are gone. You can make another utility to put all these settings back.
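From the other side of the desk, here is an audit script (added as an example; it is not code from +Yamato's essay or from Wingate) that looks for exactly the setup described above: Run-key entries pointing at renamed binaries dropped into the Windows dir, and TCP listeners such as a proxy moved off port 80 that are owned by a process with no visible window. It assumes Windows 8 or later with PowerShell 5 and an elevated prompt; the watch list of lookalike names comes from the essay, and the two classification rules are my own assumption about what an admin would check.

```powershell
# Added audit script, not part of the essay. Flags persistence and hidden
# listeners matching the technique above. Assumes Windows 8+/PowerShell 5+
# (Get-NetTCPConnection, Get-AuthenticodeSignature); run elevated.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Background-process names the essay suggests borrowing (assumed watch list).
$lookalikes = @('csrss.exe', 'osa.exe')
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$psMeta     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$command) {
    # Strip quotes and arguments from a Run-key command line (unquoted paths
    # containing spaces are truncated at the first space; a known limitation).
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Test-Suspicious([string]$path) {
    if ([string]::IsNullOrEmpty($path) -or -not (Test-Path -LiteralPath $path)) { return $false }
    $name = [IO.Path]::GetFileName($path)
    $dir  = [IO.Path]::GetDirectoryName($path)
    $signed = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
    # Rule 1: a system-process name living outside System32/SysWOW64.
    $lookalikeOutside = ($lookalikes -contains $name) -and -not ($systemDirs -contains $dir)
    # Rule 2: an unsigned binary dropped directly into %SystemRoot%.
    $unsignedInRoot = ($dir -eq $env:SystemRoot) -and -not $signed
    return ($lookalikeOutside -or $unsignedInRoot)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }      # provider metadata, not a Run entry
        $image = Get-ImagePath ([string]$p.Value)
        if (Test-Suspicious $image) {
            Write-Output "Run entry '$($p.Name)' -> $image matches the renamed-hidden-program pattern"
        }
    }
}

# Listening TCP sockets (e.g. a proxy moved off port 80) owned by windowless processes.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.MainWindowHandle -eq 0 -and (Test-Suspicious $proc.Path)) {
        Write-Output "Port $($_.LocalPort) listens from hidden process $($proc.Path) (PID $($proc.Id))"
    }
}
```

Legitimate services are windowless too, so the listener check only reports processes that also trip one of the two image rules; widen the watch list to fit your own environment.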

Now the crack for Wingate:

Wingate has a user name/password type protection, combined with a time-limit protection. There are 4 types of licenses:

- 1 user free license (unlimited time)
- unlimited number of users (1 month time limit)
- 2, 5 or 10 users (unlimited time)
- unlimited number of users (unlimited time), the most powerful one

Start by disassembling the file with w32dasm. Search the listing for the "Invalid Information" string. One location is found. Right before this location we can see that this code is referenced by a conditional jump at 402DCD. Around this address we find:

:00402DB0 68C4DC4400       push 0044DCC4
:00402DB5 8D45F0           lea eax, [ebp-10]
:00402DB8 50               push eax
:00402DB9 8975F0           mov [ebp-10], esi
:00402DBC 68B8DC4400       push 0044DCB8
:00402DC1 68C0DC4400       push 0044DCC0
:00402DC6 E8455E0100       call 00418C10
:00402DCB 85C0             test eax, eax
:00402DCD 0F8449010000     je 00402F1C			;if eax==0 jump to Invalid Reg no!
:00402DD3 3975F0           cmp [ebp-10], esi
:00402DD6 0F84E5000000     je 00402EC1			;if equal skip verification of expiry date

;--------------------- verify expiry date -----------------------
:00402DDC 8D45E0           lea eax, [ebp-20]
:00402DDF 50               push eax
:00402DE0 E81B7B0100       call 0041A900
:00402DE5 DD00             fld qword ptr [eax]
:00402DE7 E8BC8C0100       call 0041BAA8
:00402DEC 3B45F0           cmp eax, [ebp-10]
;--------------------- done verify -------------------------------

:00402DEF 7E43             jle 00402E34		;if reg no has not expired jmp Good guy
:00402DF1 56               push esi
:00402DF2 56               push esi

* Possible StringData Ref from Data Obj ->"This key has now expired."
                                  |
:00402DF3 683C954400       push 0044953C
:00402DF8 E800100300       call 00433DFD		;call showMessageBox

At address 402DC6 there is a call, and right after it a test eax,eax. If eax=0 then the reg number is invalid! If we change the je to jne we'll receive the message "this reg no has expired!". But after the jump equal, at address 402DD3, there is another comparison: if esi == [ebp-10] then the registration number isn't time limited. Changing this to cmp esi,esi and nop will give us unlimited time.
Now I want an unlimited number of users. For this I have to step into the routine which is called at 402DC6. This routine takes four parameters:

push 44DCC4 ---------> this is the reg no the user has typed
lea eax,[ebp-10]
push eax ---------------> I don't know what this is
push 44DCB8 ---------> see below
push 44DCC0 ---------> this is the user name
call 418C10 -----------> the check routine

Using Soft-Ice I was able to see that 44DCC0 is the user name and 44DCC4 is the reg no. But what is that 44DCB8 address? With a little feeling (+ORC calls this Zen) I guessed that this could be the number of users (licenses). So, the check routine takes the user name and reg no, verifies the reg code, and returns the number of licenses encoded in the reg no. It sets eax to zero if the reg no is invalid.
If we have an unlimited-number-of-users license, then 44DCB8 must hold 0xFF or 0x00. 44DCB8 is the 3rd parameter pushed on the stack, so inside the routine it is at address [EBP+0C]. We'll look through the following code for a reference to [EBP+0C].

Here is the code for the check routine (part of it), with some comments:

* Referenced by a CALL at Addresses:
|:00402DC6   , :0040FC1E   
|
:00418C10 64A100000000            mov eax, fs:[00000000]
:00418C16 55                      push ebp
:00418C17 8BEC                    mov ebp, esp
:00418C19 6AFF                    push FFFFFFFF
:00418C1B 687E8D4100              push 00418D7E
:00418C20 50                      push eax
:00418C21 64892500000000          mov fs:[00000000], esp
:00418C28 81ECA4000000            sub esp, 000000A4
:00418C2E 53                      push ebx
:00418C2F 56                      push esi
:00418C30 57                      push edi
:00418C31 8B7514                  mov esi, [ebp+14]
:00418C34 8B06                    mov eax, [esi]
:00418C36 8378F818                cmp [eax-08], 00000018   ;check length of reg code
:00418C3A 7415                    je 00418C51		   ;if it's 24 then go on; good guy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418D6E(U)
|
:00418C3C 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418D5D(U)
|
:00418C3E 8B4DF4                  mov ecx, [ebp-0C]
:00418C41 5F                      pop edi
:00418C42 64890D00000000          mov fs:[00000000], ecx
:00418C49 5E                      pop esi
:00418C4A 5B                      pop ebx
:00418C4B 8BE5                    mov esp, ebp
:00418C4D 5D                      pop ebp
:00418C4E C21000                  ret 0010



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418C3A(C)
|
:00418C51 33FF                    xor edi, edi
:00418C53 33DB                    xor ebx, ebx

;----------------------------------------------------
; here is some math stuff, I don't even look at it
; the interesting part is here, to the end of the routine
;-----------------------------------------------------

:00418D31 3A5DEC                  cmp bl , [ebp-14]
:00418D34 752C                    jne 00418D62		;if not equal exit-invalid reg no
:00418D36 837DE800                cmp [ebp-18], 00000000
:00418D3A 7526                    jne 00418D62		;exit - invalid reg no
:00418D3C 8B450C                  mov eax, [ebp+0C]	; HERE IS [EBP+0C] !!!!!!!
:00418D3F 8A4DED                  mov cl , [ebp-13]	; mov cl<-no of users
:00418D42 8B55E4                  mov edx, [ebp-1C]
:00418D45 8808                    mov [eax], cl 	; mov 44DCB8<-cl
:00418D47 8B4510                  mov eax, [ebp+10]
:00418D4A C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:00418D51 8910                    mov [eax], edx
:00418D53 E830000000              call 00418D88
:00418D58 B801000000              mov eax, 00000001
:00418D5D E9DCFEFFFF              jmp 00418C3E

So to crack this routine we'll have to change 4 things:
1.   the check of the string length:
       cmp [eax-08], 00000018   change to   cmp eax,eax ; nop
2,3. the two jumps at 418D34 and 418D3A (both to 418D62)
4.   put an unlimited number of users in cl at address 418D3F:
       mov cl, [ebp-13]   change to   mov cl,ff ; nop

There is another problem. As you can see at the beginning of the routine, it is called twice. And this makes sense: it is called once when you register the program, and a second time when the program starts, reads the settings from the registry and verifies the reg code again. Cracking the second call is identical to cracking the first.

That's all folks.

This program is very useful to me. I wish I could pay for it, but I don't have the money. The authors deserve support* from us, so they can continue to build such tiny and wonderful programs, and to fight against Micro$oft and their overbloated programs.

Bye!

(c) +Yamato 1997

*) It could well be that the publishing of this essay helps the authors instead of damaging them, for a couple of reasons:
1) How many knew of the existence of this nice program? Many will know it now, since this page has twenty times more readers than the wingate one, and among the readers of this page there are many system administrators, developers and software experts;
2) The protection of wingate is painfully weak, and needs to be "ironed" a little. Hopefully the Wingate boys will now work a little on it;
3) Many reverse engineers will pay for Wingate if they deem it useful: as a matter of fact many of us throw away well before the end of the trial period all cracked programs and pay for the (very few) they keep for obvious security reasons;
4) Many, paying or not, will use from now on Wingate, and the mass use is the only way to impose a product: a truth that the enemies of humanity at Micro$oft very well know btw.

+Yamato's trick will work for quite a while... the sysads will eventually find a solution, but it will be implemented worldwide very slowly, as usual... I reckon that you may use this "my own proxy" method with absolute security for 6-7 months and with relative security for another couple of years... and we'll have already devised better methods by then :-)

