
Protecting and hacking a database, using the "Parts Catalog" program as an example

If you want to protect the database used by your program, this information will be useful to you. You may need to improve its security, for example by encrypting the values in the database and decrypting them on output.

So: there is a program with a DATA folder, and I really want to get the data out of it.

There are several options.

First you need to find out what format the program stores its data in. The free program TrID can help with that. Let's try...
image

Sad: something unknown. It looks like some kind of proprietary format based on an OLE datastore. If that is really the case and the developers bothered to write their own DBMS, extracting the data will be very difficult and take a long time. It would be easier to use option 1.

But all programmers are lazy, so most likely it is some known format, for example Access or Firebird. That is what I would have done. I looked in the program's directory: there are no libraries there.

We investigate further. Download the very useful free Process Explorer utility, which shows all of a program's accesses to the registry, files and everything else.
Start it and configure it so that only the catalog.exe process, the program's main executable, is monitored.

image

Run the program and watch where it goes.

image

Oh! It uses an ODBC data source. Most likely the database is Access! Score one for us. We look further. There is an interesting registry key, TraceSQLMode. Googling it reveals that all queries can be written to a file. Change the key and look for the file. Found:

image

We look at the queries:
SELECT
…
FROM spare LEFT JOIN photo ON photo.serial = spare.serial


The table is called spare, as in spare part. So this is not an auxiliary database, and the part names really are stored there. Fine. We look further.

image

The database file being accessed is not in the program directory, so it is temporarily copied there. We try to open it in Access: no result, it does not understand the file.

We perform an action in the program (switch to another item in the catalog) and look more closely at the log:

image

Before the query, the file is modified: something is written to it. Probably it either decrypts the file or changes its header. That no longer matters, because we understand that if we copy this file just before a query, it will most likely be in working form.

So we need to somehow suspend the program's execution before the query, while the file is in working form. Right: tracing in a debugger. Download a debugger, for example the free OllyDbg, which weighs 1.3 MB.

Run it as administrator if you have Windows Vista or later.
Attach to the running process:

image

Choose our process:

image

Return to Process Explorer and look at the function call stack (in the event's context menu):

image

The breakpoint can be placed on the call to CloseHandle (the file-closing function) in the kernel32.dll system module.

Go to this module in the debugger:

image

Find the desired function:

image

Set a breakpoint (F2).

image

Next, resume the program by pressing F9 and perform any action in the program under study. The program will stop at the breakpoint.

Step through (F8) in the debugger until the registry accesses that precede the query's execution appear. That means the database file has been modified for the connection and is readable.

After that, go to the file and copy it to another location:

image

Now we look at the file:

image

100% MDB! It is an MS Access file. Rename it, open it and make sure all is well.

image

We have successfully obtained a database suitable for further modifications or converting to another format.

Since I have started writing, I'll also post a Groovy script to convert the data from MS Access to a PostgreSQL database.

Here it is:

import groovy.sql.Sql

// Source: the Access file through the JDBC-ODBC bridge; cp1251 so the Cyrillic part names survive the transfer
java.util.Properties prop = new java.util.Properties()
prop.put("charSet", "cp1251")
sourceSql = Sql.newInstance('jdbc:odbc:catalog2', prop)
// Target: PostgreSQL
targetSql = Sql.newInstance("jdbc:postgresql://localhost:5432/catalog", "catalog", "catalog", "org.postgresql.Driver")

// image table: the metadata goes to PostgreSQL, each binary blob is dumped to a PNG file
def images = targetSql.dataSet("image")
sourceSql.eachRow('select * from image') {
    def id = it.id
    images.add(id: id, block: it.block)
    def image = it.getProperty("image")
    if (image) {
        File f = new File("D:/trid_w32/images/" + id + ".png")
        f.append(image)
    }
}

// coord table: copied row by row
def coords = targetSql.dataSet("coord")
sourceSql.eachRow('select * from coord') {
    coords.add(id: it.id, block: it.block, x: it.x, y: it.y, r: it.r)
}

// spare table: the part names themselves
def spares = targetSql.dataSet("spare")
sourceSql.eachRow('select * from spare') {
    spares.add(id: it.id, parent: it.parent, num: it.num, serial: it.serial, count: it.count,
               spec: it.spec, apply: it.apply, ru: it.ru, cn: it.cn)
}


It is run with the Groovy interpreter:

groovy _.groovy

Conclusions: to protect the database, you need either (most reliably) to store the data in a proprietary format, or to encrypt the values in the database and decrypt them right at display time, and also use auxiliary protection methods: encrypt the file itself, change the file signature, use the DBMS's built-in encryption.
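The encrypt-on-store, decrypt-on-display option from the conclusions, written out as an added example; this is not code from the original post or from the "Parts Catalog" program. The column names follow the spare table seen in the trace log; the Vault type, the Row struct and the key handling are assumptions. Each value is sealed with AES-256-GCM under a fresh random nonce, and the column name and row id are bound as associated data, so a ciphertext moved to another row or column fails to decrypt instead of silently showing the wrong part. The key is generated at startup here only for the demo: as the article itself shows, a debugger can watch the program do its work, so a key compiled into the binary only raises the bar; in a real product it has to come from something the copied file does not contain, such as an OS-protected key store or a licensing step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Row mirrors the part-name columns of the spare table from the trace log.
// In the stored form Ru and Cn hold ciphertext, not plain text.
type Row struct {
	ID     int
	Serial string
	Ru     string // part name (Russian), stored encrypted
	Cn     string // part name (Chinese), stored encrypted
}

// Vault wraps a 256-bit AES key used in GCM mode (hypothetical type).
// Where the key comes from is the real question; here it is passed in.
type Vault struct {
	aead cipher.AEAD
}

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one column value. The column name and row id are the
// associated data, so the ciphertext only opens in its own cell. The
// random nonce is prepended; base64 makes the result fit a text column.
func (v *Vault) Seal(column string, id int, plain string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ad := []byte(fmt.Sprintf("%s:%d", column, id))
	ct := v.aead.Seal(nonce, nonce, []byte(plain), ad)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts one column value at display time; tampering or a
// column/row mismatch returns an error instead of garbage.
func (v *Vault) Open(column string, id int, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	ad := []byte(fmt.Sprintf("%s:%d", column, id))
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], ad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRow builds the record the program would write into the database file.
func (v *Vault) StoreRow(id int, serial, ru, cn string) (Row, error) {
	eru, err := v.Seal("ru", id, ru)
	if err != nil {
		return Row{}, err
	}
	ecn, err := v.Seal("cn", id, cn)
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, Serial: serial, Ru: eru, Cn: ecn}, nil
}

// DisplayRow is what the program does just before showing a record.
func (v *Vault) DisplayRow(r Row) (Row, error) {
	ru, err := v.Open("ru", r.ID, r.Ru)
	if err != nil {
		return Row{}, err
	}
	cn, err := v.Open("cn", r.ID, r.Cn)
	if err != nil {
		return Row{}, err
	}
	return Row{ID: r.ID, Serial: r.Serial, Ru: ru, Cn: cn}, nil
}

func main() {
	key := make([]byte, 32) // demo only: a real program must not embed the key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	// constructed sample record
	stored, _ := v.StoreRow(1, "A-100", "Фильтр масляный", "机油滤清器")
	fmt.Printf("on disk:   %+v\n", stored)
	shown, _ := v.DisplayRow(stored)
	fmt.Printf("on screen: %+v\n", shown)
	// a ciphertext moved from the cn column into ru is rejected
	stored.Ru = stored.Cn
	_, err := v.DisplayRow(stored)
	fmt.Println("swapped column rejected:", err != nil)
}
```

Run it with `go run main.go`; the binding to column and row id is what keeps an attacker who can edit the file from rearranging ciphertexts they cannot read.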

P.S. The author of this article is Alexander Surovtsev. If you liked the material, please help him get an invite to Habr; unfortunately, I have given away all my invites. His email address is surovtsev.alex at gmail.com, his Twitter is mobal1. Thank you very much!

Source: https://habr.com/ru/post/127164/
