I understand the concept of buffer overflow, and acknowledge it can give me the opportunity to execute my own code within a foreign executable.
My question is, cant this simply be done with easier ways ?
Say inject a DLL, and in DLLMain write your malicious code ?
Or play with the disassembly and inject assembly code into executable ?
And even if you got your malicious code working, what damage\profit can you get by the act, that you could not get by editing the disassembly by yourself ?
As far as I understand, the moment you got an executable in your hands you are the master of it, and can add\change\remove code by playing with the disassembly, why make all the effort for searching for exploits ?
Thanks, Michael.
Thing is, you don't generally get the victim to run your executable. So the fact that you can make it malicious is of little value.
Instead you can get the potential victim to use your input: that's why it's so interesting.
Most of the time, this is due to the skeptical minds of users nowadays towards executables, and how they do not think that a PDF document could contain a virus. In other situations, the only way to deliver the code is through an exploit, such as a buffer/heap/stack overflow.
For example, on Apple iOS devices, the only way to download executable code is through the AppStore. All executables that come this way must be explicitly approved of by Apple. On the other hand, if the user simply visits a link to a maliciously crafted PDF document in MobileSafari, it could allow an attacker to arbitrarily execute code on the device.
This is the case with Comex's JailbreakMe.com site (both v2.0 (Star) and v3.0 (Saffron)). The site has the device load an incredibly intricate PDF file that ultimately leads to jailbreaking the device. There is no chance in the world that Apple would approve of an app that would do the same thing.
Related
A lot of web3 websites are emerging were we need to have, for example, a nft of a given collection to access some subpages of a web app.
But I don't understand something. Since we have the code of the web app, could someone just download the html source, remove the nft check, in that case, and access the subpage?
I know that it isn't that simple to modify an app, especially if they use something like React, but would that be feasible?
I guess not, otherwise they won't do it like this, but I don't get why it isn't possible.
Theoretically, yes they could. Any code that is written on the client-side can be tampered with. If the code on the client-side contains the information necessary to display a particular element, then from a security standpoint, you could assume that someone who's interested enough could reverse-engineer the code and force that element to display, even if you have JavaScript checks that are intended to block it.
The best way for such an application to actually stop important data from being displayed to the user is to only send the data once the server validates that the given user has permission to access something. If the data never gets sent to the client to begin with, and the server is secure there isn't really anything they can do about it.
Another way is to make it more difficult for clients to reverse-engineer the code, by minifying the code and having a whole lot of it. Minified code is very hard to read. For example, it could take quite some effort to read through 6000 lines of minified code and figure out enough about what's going on to make the changes you want. (Someone may get lucky and happen to stumble onto something close to the listeners they can see attached to elements on the page that gives them what they want - but they may not.)
In general: don't trust anything done on the client-side. The only way to be absolutely certain that data isn't displayed to those who shouldn't be able to see it is to never send it to the client in the first place.
I've just found myself in situation where I needed to handle exception I'll probably never get, so out of curiosity, let's do a small poll.
Do you validate the presence of resources in your programs? I mean, those resources which are installed with your program, like icons, images and similar. Generally, if those are missing, either your install didn't do its job, or the user randomly deleted files in your app.
If you do validate the presence, what do you do when the files are not there?
Of course, for web apps, you'll have nice 404 page or broken link, but what about the rest? Fail early, yes, but leave handling failures to your compiler, or what?
In Python, many folks rely on simple exception handling for this kind of thing. We might wrap an application in a Big-Old-Try-Block that reports "serious problems" for unhandleable exceptions like this and tries to clean up and exit gracefully.
It's hardly worth checking deeply in advance.
If it's even possible for the user to get to some super delicate and precious part of the application and the app dies undoing hours (or years) of work, then you should rethink that use case to create a more robust scenario where a crash is not so destructive.
Graceful Degradation:
... but no, in a lot of cases it doesn't really matter if resources are missing, that's violating the structural integrity of the program. In the case in my picture above, it's a video game where resources are loaded over the net, and sometimes (I think?) the server doesn't supply the textures needed so they are displayed as pink and black checkers. In that case it makes a bit of sense.
I am a programmer. I have about 5 years experience of programming in different kind of languages. I was concerning about my code speed, about optimizing the memory that uses my code, and about good coding style and so on. But have never thought how secure my code is. So I have disassembled my code to see what can do a hacker. Would it be easy to crack my code?
And I saw that it is! It is very easy, because I was storing
serial number as a string
encryption-decryption codes as well
So if someone has the minimal knowledge of assembler he/she can just simple dissembler and after 10-20 minutes of debugging my code is cracked!!! Even it could be done by opening the exe with notepad I guess! :-)
So what I am asking are the following:
Where I should store that kind of secure information’s?
What are the common strategies of delivering a secure code?
First thing you must realize is that you'll never prevent a determined reverser from cracking any protection schemes because anything that the code can do, the reverser will eventually find out how to replicate it. The only way you can achieve any sort of reliable protection is to have the shipped program be nothing more than a dumb client and have the brunt of the software on some server the reverser has no access to.
With that out of the way, you can certainly make it harder for a would be reverser to break your protections. Obfuscation is the sort of first step in achieving this. I have no experience using obfuscators but I'm sure you can find some suggestions for some on SO. Also if you're using a lower level language like C/C++, simply compiling the code with full optimization and stripping all debugging symbols gets you a decent amount of obfuscation.
I read this article a few years ago, but I still think it's techniques hold up today. It's one of the developers of a video game called Spyro talking about the set of techniques they used to prevent piracy. They claim it wasn't until 3 months after the release that a cracked version became available, which is fairly impressive.
If you are concerned about piracy, then there are many avenues you can take. Making the code security tighter (obfuscation, license codes, binding the software to a particular PC, hardware/dongle protection, etc) is one, but it's worth bearing in mind that every piece of software can be cracked if someone sufficiently talented can be bothered.
Another approach is to consider the pricing model for your software. If you charge $1000 a copy, then there is a big incentive for someone to have a go at cracking it. If you only charge $5 then why should anyone bother to crack it?
So what is needed is a balance. Even the most basic protection will stop ordinary people making casual copies. Beyond that, simple techniques (obfuscation and license codes) and a sensible pricing strategy will hold most would-be crackers at bay by making it not worth the bother of cracking. After that, you start getting into ever more sophisticated techniques (dongles/CDs needing to be present to run the software, only being able to run the software after logging on to an online licensing system) that take a lot of effort/cost to implement and significantly increase the risk of annoying genuine customers (remember how annoyed everyone got when they bought half life but it wouldn't let them play the game?) - unless you have a popular mainstream product (i.e. a huge revenue stream to protect), there probably isn't much point going to that much effort.
Make it web app.
It will generally not be well-protected unless there's an external service doing the checking that you are in control of - and that service can still be spoofed by those who really wants to "crack" it. Instead, trust the customer and provide only minimal copyright protection. I'm sure there was an article or podcast about this by Joel Spolsky somewhere... here's another related SO question.
I have no idea if it will help but Windows provides (since 2000) a mechanism to retrieve and store encrypted information and you can also salt this storage on a per-application basis if needed: Data Protection API (DPAPI)
This is on a machine or a user level but storing serials and perhaps some keys using it might be better than having them hidden in the application?
What sort of secure are you talking about?
Secure from the perspective that you are guarding your users data well? If so, study some real cryptography and utilize Existing libraries to encrypt your data. The win32 API is pretty good for this.
But if you're talking about stopping a cracker from stealing your application? There are many methods, but just give up. They slow crackers down, they don't stop them.
Look at How to hide a string in binary code? question
First you have to define what your code should be secure against, being secure as such is meaningless.
You seem to be worried about reverse engineering and users generating license codes without paying, though you don't say so. To make this harder you can obfuscate your code and key information in various ways. There area also techniques to make the use of debuggers harder, to prevent the reverse engineer from stepping through the code and seeing the information in clear.
But this only makes reverse engineering somewhat harder, not impossible
Another common security threat is execution of unwanted code, for example via buffer overflows.
A simple technique for doing this is to xor over all your code and xor back when you need it... but this needs an innate knowledge of assembly... I'm not sure, but you could try this:
void (*encryptionFunctn)(void);
void hideEncryptnFunctn(void)
{
volatile char * i;
while(*i!=0xC0) // 0xC0 is the opcode for ret
{
*i++^=0x45; // or any other code
}
}
To prevent against hackers viewing your code, you should use an obfuscator. An obfuscator will use various techniques which make it extremely difficult to make sense of the obfuscated code. Some techniques used are string encryption, symbol renaming, control flow obfuscation, etc. Check out Crypto Obfuscator which additionally also has external method call hiding, Anti-Reflector, Anti-Debugging, etc
The goal is to erect as many obstacles as possible in the path of a would-be hacker.
I've written a little program that reads and converts my local playlists from the iTunes xml (some more background on my blog: Reading the Playlists from the iTunes Library XML).
Now I want to do something similar with the playlists that are stored on my iPod (in my case, a 2nd generation nano; please no iPhone anwers - I'm already envious ;-)). Any legal way to do this?
OS 3.0 lets you get at the playlist.
Checkout MediaPlayer.h.
Ah, wait. Nano? No, I don't think so. I assumed you meant ipod touch.
It's been a long time since I've dealt with that particular brand of iPods, but if memory serves; if you enable disk mode (if possible), all the info on the iPod will be accessible through a hidden folder on the Volume that shows up in Finder.
Where on that volume the information is I couldn't tell you, but it's probably in there somewhere; most likely in the binary property list format; so the data might take some massaging, but a simple trip through an appropriately factored command line tool should yield the info, or the info in it's XML incarnation.
If, however, the Nano doesn't allow use as a hard disk, I'm afraid there's not likely to be a whole lot to be done for it.
The only way that seems to work is to access the iPod through iTunes. iTunes offers an "older type" COM-based interface (?) called iTunesLib. You can register with Apple to get some documentation, but there is a decent description in Dan Crevier's Blog on MSDN.
There must be some other ways though, as there are some alternatives to iTunes that also allow to transfer music to iPods etc. Ideas, anyone? ;-)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
We're doing an "Amazing Race" kind of event, and thought it would be cool to have CDs that could only play once... like a "this message will self destruct in 5 seconds..."
Any thoughts on how to do this? I was thinking it could be a compiled HTML website that would write a cookie and only play once. I don't want to write to the registry (don't want to depend on windows, don't want to install anything, etc).
I also don't care if it's hackable... This is a one-time fun event, and I don't really care too much if people could remove the cookie or something.
Any other ideas?
If the content is HTML and run inside a normal browser window, then a cookie may work but there are caveats:
User runs the CD once when IE is the default browser. User runs at a later time, when Firefox is the default browser so cookie cannot be checked.
The browser's security settings may be locked down to prevent use of script so the cookie cannot be set (more of an IE problem).
An alternative might be Flash's equivalent of cookies, but if script was locked down then the same may be true for Flash.
If you used Flash to create the content, you could then use a wrapper program such as Zinc to produce cross-platform executables of the content.
Then, the Flash could use its version of cookies (local shared objects) to determine when the content has been displayed - write to the LSO the first time and read from it thereafter.
I would say encrypt (part of) the contents of the disc with a unique one time pad, that you request from a server that does a read directly followed by a delete of the decryption key. You could write an identifier on each disk so you can use multiple disks, each with a unique key.
This requires network access and some encryption tools, but a very simple implementation would do what you want it to do, is feasible, and it would be 'unbreakable' unless the one time pad is captured and stored.
If just for fun, this should be secure enough.
You can create a volatile registry entry. It will only exist untill the computer is restarted. This solution is very much "hackable", but it is simple and may suffice for what you want to do.
Take a look at the REG_OPTION_VOLATILE here.
Will the computers this is run on have internet access? You can easily load up a remote url (execute 'start http://yoururl.com' from autorun.inf), store the cookie and prevent it from being loaded again if the cookie exists.
If it's allowed to be hackable, then I'd just go with a simple solution of HTML + JavaScript, requiring (say) a GUID to enter, with some silly obfuscation in the code to validate the GUID.
What I mean by silly obfuscated validation is something like putting together a big array of ROT13'ed GUIDs, then adding code to only accept the Math.floor(PI * E + 32/(new DateTime()).getYear())'th GUID in the array, and ROT13 it again using sufficiently uncommented/unclear code, then check the user input against the result. Do it all in one line for kicks, or generate the GUIDs in some pseudo-random manner using a known seed... you get the idea :).
The only snag might be if IE doesn't allow local JavaScript? Hmm, looks like they'd need to deal with the InfoBar thing :(.
You could also set a registry key that would prevent playing, though this could be bypassed.
I think your best bet is to use Rewritable media for this. You can create your application easily, like HTML site or something like that, and after the last link or last page, however you decide to do you could execute a script with some command-line burner that would erase the rewritable media, or even write an ISO that you keep in CD with a text file or a flash that explains that the CD is lost forever.
Give a look at some Command Line Burners. Linux have several, that isn't worth to mention here, for windows you can use Cheetah CommandLine Burner among several others.
If you wish to do a CD without depending on the installed OS you should give a look at LIVE CDs. FreeDOS is a choice for "DOS Compatible applications" or my suggestioon you use a Linux live CD.
Also you will have several options for small HTTP servers, like lighthttpd and even browsers in several flavors from text interfaces to the graphical ones.
Good luck on the race :D. Great idea BTW!
Make a Java Swing application. That will not require Internet and it runs on Mac, Windows, and Linux. You can write to the file system for the lock. System.getProperty("user.home") gives you the home equivalent for the platform. You might have to include a jre in your CD.
Not quite what you're looking for, but you could put in on re-writable media and have an executable over-write itself (or part of itself).
I don't know if a CD-RW could do that automatically, or if you would have to look at cheap USB sticks.