Software protection: Major errors when programming a program registration unit (or one bit can change the world)
In order to write a good program, a programmer as a rule spends a lot of time and effort. Yet most programmers do not even realize how easily their programs can be hacked. The time needed to crack a program whose check of the user's legitimacy contains errors usually does not exceed 5 minutes. In these articles I want to talk about the main mistakes programmers make in application registration blocks. To do this I wrote a small program on which I will show how easy it is to get around the section of code responsible for checking that a copy of the software is legal. If readers find this topic interesting, it will be continued in later publications.
First we need:
• Disassembler (I used the IDA Free disassembler www.hex-rays.com/idapro/idadownfreeware.htm )
• Hex editor (I took the editor with the built-in BIEW disassembler biew.sourceforge.net/en/biew.html )
• A little brain :)
The first step is to identify the compiler used to build the loadable module. For this we use the small PEiD utility (http://www.peid.info/). Step two is to launch the program. These are very important steps: they let us collect the information needed to choose a search strategy for the registration-data validation block in the disassembled listing. The program's interface window looks like this:

The first thing we see is the inscription in the title bar: "registration data is not correct!". This means the program checks the registration name and code at startup, which simplifies the task: by changing the logic of the algorithm at the very start of the program launch, we will get a fully functional copy from then on. Now let's try to enter some data in the input fields.

Naturally, we get a message that the entered code does not match the user name. Using the PEiD utility we learn that the program was written and compiled in the Delphi integrated environment. From the appearance of the message window we can conclude that a procedure from the standard component library was used to create the dialog. You can also determine the compiler by inspecting the executable module by eye, paying attention to the layout of the program's sections and to additional copyright strings. To study the program's code we disassemble it with IDA.
To begin, let's look for ShowMessage in the function window, since it was probably used to display the message box. As you can see, there are two cross-references to this procedure in the program listing.

It is logical to assume that one of these calls reports the successful registration of the program and the other reports failure. The function called at virtual address .0047120E should attract our attention: the further branching of the algorithm depends on the result of its work. As a rule, the Boolean result of a function is returned in the al register. So we can conclude that sub_470FFC is responsible for checking the correctness of the entered registration data. All that remains is to replace the function's result. To do this, go to address .00470FFC. There are two ways to falsify the result of the function: cut its execution down to only the necessary instructions, or find the place in the program where the al register is assigned 0. In the first case, open the executable module in BIEW, go to the address above and enter the following code: 33C0B001C3, which corresponds to clearing the accumulator register (eax), storing the "true" result in it, and returning to the address on the stack. The disadvantage of this method is that the changes to the program's code are too large. The fewer modifications of the code are made, the more spectacular it looks and the less likely the program is to malfunction later. The following code fragment should get our attention.

The instruction at virtual address .0047106E is what actually assigns the function's result. By changing the byte 0x75 to 0x74 in the conditional jump located one line above it, we force the program to consider any name/code combination legal, except the genuine ones. We start the modified program and immediately see in the title bar that the program is already registered.

By entering an arbitrary registration name/code combination, we receive a notification about the successful registration of the program.

Thus we bypassed the program's registration block and avoided possible software "bookmarks" (hidden traps) that could be inside the registration function (when the program code is modified in the first way described, the application could fail to work correctly despite the messages about successful registration).
So let's consider the main mistakes.
1. Using a single function to check the legality of a copy (there should be many such functions, even though they actually do the same thing)
2. Using standard notification dialogs (it is better to write your own forms for messages to the user)
3. Notifying the user about successful registration (only a notice that the registration data has been entered and an offer to restart the program are acceptable)
4. The absence of additional checks of the copy's legality, and no dependence of the program's results on the entered data (a username/password combination should produce corrective factors that affect the application's output)
These are not all the recommendations that can be given to software authors, but implementing them can make cracking a program harder. Perhaps this will be enough to stop a beginner, but obviously not enough for someone who has been studying program code for a long time. In any case, no matter how complex and convoluted the protection is, it can be broken; the whole question is one of the person's qualifications and the time available. The ideal situation is when cracking a program costs more than buying a legal copy. Good luck to all :).
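To make mistakes 1 and 4 concrete, here is an added example in C (not the article's Delphi program, and not code from the author): a constructed toy registration scheme in which the weak pattern, one Boolean function feeding one conditional jump, sits beside a hardened variant where the entered name/code pair is turned into a factor that the program's real work consumes, plus a second, independent check that runs later than startup. The names `SECRET_SEED`, `make_code`, `derive_factor`, the sealed "report ok" resource and its checksum are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Secret the hypothetical vendor uses to derive a code from a name (constructed). */
#define SECRET_SEED 0x5A17C0DEu
/* Byte sum of the plaintext resource "report ok", computed offline (constructed). */
#define RESOURCE_CHECKSUM 918u

/* 32-bit FNV-1a hash of a NUL-terminated string. */
static uint32_t fnv1a32(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

/* Vendor side: the only code that matches a given name (toy key generator). */
uint32_t make_code(const char *name) {
    return fnv1a32(name) ^ SECRET_SEED;
}

/* Mistake 1, and the shape of the article's sub_470FFC: one function returns a
 * flag. Compiled, this is one call followed by a test/jump on al; if that jump
 * is altered, every name/code pair is "valid" and nothing else in the program
 * notices, because nothing else depends on the entered data. */
int weak_is_registered(const char *name, uint32_t code) {
    return make_code(name) == code;
}

/* Mistake 4, hardened: the registration data is not reduced to a flag but
 * folded into a factor that the application's real work consumes. Only a
 * genuine pair yields SECRET_SEED; a patched jump does not change this value. */
static uint32_t derive_factor(const char *name, uint32_t code) {
    return fnv1a32(name) ^ code;
}

/* Constructed resource the program needs at run time: the bytes of "report ok"
 * XORed with the little-endian bytes of SECRET_SEED (DE C0 17 5A, repeating). */
static const uint8_t protected_blob[] = {
    0xAC, 0xA5, 0x67, 0x35, 0xAC, 0xB4, 0x37, 0x35, 0xB5
};

/* Unseal the resource with whatever factor the entered data yields.
 * out must hold sizeof(protected_blob) + 1 bytes; returns the payload length. */
size_t decode_resource(const char *name, uint32_t code, char *out) {
    uint32_t k = derive_factor(name, code);
    size_t i;
    for (i = 0; i < sizeof protected_blob; i++)
        out[i] = (char)(protected_blob[i] ^ (uint8_t)(k >> (8 * (i % 4))));
    out[i] = '\0';
    return i;
}

/* Mistake 1 addressed: a second, independent check that runs later (for
 * example when the resource is first used), not at startup. It verifies the
 * unsealed bytes against a checksum computed offline, so a patch applied to
 * the startup check leaves this one intact and the wrong output is caught. */
int late_integrity_check(const char *name, uint32_t code) {
    char buf[sizeof protected_blob + 1];
    size_t n = decode_resource(name, code, buf);
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += (uint8_t)buf[i];
    return sum == RESOURCE_CHECKSUM;
}

int main(void) {
    const char *name = "alice";
    uint32_t good = make_code(name), bad = good ^ 1u;   /* one bit off */
    char buf[sizeof protected_blob + 1];

    decode_resource(name, good, buf);
    printf("genuine:  flag=%d late=%d resource=\"%s\"\n",
           weak_is_registered(name, good), late_integrity_check(name, good), buf);
    decode_resource(name, bad, buf);
    printf("tampered: flag=%d late=%d resource=\"%s\"\n",
           weak_is_registered(name, bad), late_integrity_check(name, bad), buf);
    return 0;
}
```

The point of the design is the second line of output: with a code that is off by one bit, the weak flag says 0 and a single patched jump could turn that into 1, but the unsealed resource still comes out as garbage and the late check still fails, because the result of the program depends on the data itself rather than on a branch.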