Software protection: Major errors when programming a program registration unit (or one bit can change the world)
In order to write a good program, as a rule, it takes a lot of time and effort from a programmer. Most programmers do not even realize how simple their programs can be hacked. The standard time required for hacking a program with errors in protecting the user's legality checker is usually less than 5 minutes. In my articles, I want to talk about the main shortcomings that programmers allow in application registration blocks. To do this, I wrote a small program on which I will try to show how easy it is to bypass a piece of code responsible for checking the legality of a copy of the software. If this topic is of interest to readers, it will be continued in subsequent publications.
First we need:
• Disassembler (I used the IDA Free disassembler www.hex-rays.com/idapro/idadownfreeware.htm )
• Hex editor (I took the editor with the built-in disassembler BIEW biew.sourceforge.net/ru/biew.html )
• A little brain :)
')
The first step is to define the compiler used to create the loadable module. To do this, we use the small utility PEiD (http://www.peid.info/). Step two - start the program. These are very important steps that will allow us to gather important information for choosing a search strategy in the disassembled listing of the registration data validation block. The interface window of the program looks like this:
The first thing we see is the inscription in the title bar: “registration data is not correct!”. This means that the program checks the availability of a registration number and code when downloading. This simplifies the task. By changing the logic of the algorithm at the very beginning of the program launch, we will later receive a full-featured copy. Now we will try to enter some data into the input fields.
Naturally, we will receive a message that the entered code does not match the user name. Using the PEiD utility, we learn that the program was written and compiled in the Delphi integrated environment. By the appearance of the message box, it can be concluded that the procedure from the internal component library was used to create the dialog message. You can also determine the compiler by visually inspecting the executable module, paying attention to the features of the program section entries, additional lines of copyright. In order to study the source code of a program, we disassemble it using IDA.
To begin with, we will try to find in the ShowMessage function window, which was probably used to display the message window. As you can see, there are two cross-references to this procedure in the program listing.
It is logical to assume that one of these windows gives a message about the successful registration of the program, the other about the unsuccessful registration. Our attention should be drawn to the function at the virtual address .0047120E. It is on the results of its work that the further branching of the algorithm depends. As a rule, the logical result of the function is passed to the register al. Thus, it can be concluded that the sub_470FFC function is responsible for checking the correctness of the entered program registration data. Further, all we need is to replace the results of the function. To do this, go to the address. 00470FFC. There are two ways to falsify the results of the function: reduce its execution with only the necessary lines or find a place in the program where al is reported as 0. In the first case, opening the executable module in BIEW and going to the above address, enter the following code: 33C0B001C3 which corresponds to register clearing battery (eax), telling him the true result and the command to return to the address in the stack. The disadvantage of this method is too large changes to the source code of the program. The fewer modifications of the source code will be made, the more effectively it will look and the less likely the program will work incorrectly in the future. Our attention should be drawn to the following code snippet.
The virtual address .0047106E actually assigns the result of the function. By changing the value of the code 0x75 to 0x74 in the conditional branch operator, which is one line higher, we will force the program to consider any name / code combinations as legal except the correct combinations to be legal. We launch the modified program, we immediately see the inscription in the title bar that the program is already registered.
Entering an arbitrary combination of the registration name / code, we will receive a notification of the successful registration of the program.
Thus, we bypassed the program registration block and avoided possible program bookmarks that could be inside the registration function (when modifying the program code in the first way described, the application could not work correctly despite the registration success messages).
So consider the main mistakes.
1. Using the same function to check the legality of a copy (there should be many functions, despite the fact that they actually do the same thing)
2. Using standard notification dialogs (it is better to write your own notification forms for messages to the user)
3. Notifications to the user of successful registration (only notification of the registration data entry and a proposal to restart the program are permissible)
4. No additional checks of the legality of the copy, no binding of the results of the program from the entered data (the name / password combination should produce correction factors that affect the result of the application)
These are not all recommendations that can be given to authors of software, but their implementation can make it difficult to hack a program. Perhaps this will be enough to stop the beginner, but obviously not enough for a person who has been studying the source code of programs for a long time. In any case, no matter how complicated and intricate protection is, it can be hacked. The whole question is in the qualification of a person and time. The ideal option is when a hacking program costs more than buying a legal copy. Good luck to all :).
First we need:
• Disassembler (I used the IDA Free disassembler www.hex-rays.com/idapro/idadownfreeware.htm )
• Hex editor (I took the editor with the built-in disassembler BIEW biew.sourceforge.net/ru/biew.html )
• A little brain :)
')
The first step is to define the compiler used to create the loadable module. To do this, we use the small utility PEiD (http://www.peid.info/). Step two - start the program. These are very important steps that will allow us to gather important information for choosing a search strategy in the disassembled listing of the registration data validation block. The interface window of the program looks like this:
The first thing we see is the inscription in the title bar: “registration data is not correct!”. This means that the program checks the availability of a registration number and code when downloading. This simplifies the task. By changing the logic of the algorithm at the very beginning of the program launch, we will later receive a full-featured copy. Now we will try to enter some data into the input fields.
Naturally, we will receive a message that the entered code does not match the user name. Using the PEiD utility, we learn that the program was written and compiled in the Delphi integrated environment. By the appearance of the message box, it can be concluded that the procedure from the internal component library was used to create the dialog message. You can also determine the compiler by visually inspecting the executable module, paying attention to the features of the program section entries, additional lines of copyright. In order to study the source code of a program, we disassemble it using IDA.
To begin with, we will try to find in the ShowMessage function window, which was probably used to display the message window. As you can see, there are two cross-references to this procedure in the program listing.
It is logical to assume that one of these windows gives a message about the successful registration of the program, the other about the unsuccessful registration. Our attention should be drawn to the function at the virtual address .0047120E. It is on the results of its work that the further branching of the algorithm depends. As a rule, the logical result of the function is passed to the register al. Thus, it can be concluded that the sub_470FFC function is responsible for checking the correctness of the entered program registration data. Further, all we need is to replace the results of the function. To do this, go to the address. 00470FFC. There are two ways to falsify the results of the function: reduce its execution with only the necessary lines or find a place in the program where al is reported as 0. In the first case, opening the executable module in BIEW and going to the above address, enter the following code: 33C0B001C3 which corresponds to register clearing battery (eax), telling him the true result and the command to return to the address in the stack. The disadvantage of this method is too large changes to the source code of the program. The fewer modifications of the source code will be made, the more effectively it will look and the less likely the program will work incorrectly in the future. Our attention should be drawn to the following code snippet.
The virtual address .0047106E actually assigns the result of the function. By changing the value of the code 0x75 to 0x74 in the conditional branch operator, which is one line higher, we will force the program to consider any name / code combinations as legal except the correct combinations to be legal. We launch the modified program, we immediately see the inscription in the title bar that the program is already registered.
Entering an arbitrary combination of the registration name / code, we will receive a notification of the successful registration of the program.
Thus, we bypassed the program registration block and avoided possible program bookmarks that could be inside the registration function (when modifying the program code in the first way described, the application could not work correctly despite the registration success messages).
So consider the main mistakes.
1. Using the same function to check the legality of a copy (there should be many functions, despite the fact that they actually do the same thing)
2. Using standard notification dialogs (it is better to write your own notification forms for messages to the user)
3. Notifications to the user of successful registration (only notification of the registration data entry and a proposal to restart the program are permissible)
4. No additional checks of the legality of the copy, no binding of the results of the program from the entered data (the name / password combination should produce correction factors that affect the result of the application)
These are not all recommendations that can be given to authors of software, but their implementation can make it difficult to hack a program. Perhaps this will be enough to stop the beginner, but obviously not enough for a person who has been studying the source code of programs for a long time. In any case, no matter how complicated and intricate protection is, it can be hacked. The whole question is in the qualification of a person and time. The ideal option is when a hacking program costs more than buying a legal copy. Good luck to all :).
Source: https://habr.com/ru/post/80933/
All Articles