Showing posts with label PROGRAM ALTERATION. Show all posts
Showing posts with label PROGRAM ALTERATION. Show all posts

Wednesday, November 2, 2016

ALTERATION OF A PROGRAM AT RUNTIME - Example 2 - Changing output - Evans Debugger with Linux

ALTERATION OF A PROGRAM AT RUNTIME - Example 2 - Changing output - Evans Debugger with Linux

EDB-Debugger (Evan's Debugger) is an analyzer, debugger and disassembler for multi architecture binary files with ELF format (executable and linkable format). EFL is the standard format for executable files, object code, shared libraries, and memory dump.

- The goal of the author, Evan Teran, was to create a similar tool to OllyDbg analyzer for usage with Linux systems. Although GDB (GNU Debugger) is available for Linux, this analyzer only works through command line, providing no GUI. 

- In this example EDB-Debugger will be used to alter the runtime operation of a program written in C language.

- First we create a simple program (prueba.c) in C language, the result of which is to print out the string HOLA:

- Compiling:

- Running, and the result is that the program prints the string HOLA in the console:

- To begin the analysis the executable file is loaded in the debugger EDB:

- Running the program, the output is the expected HOLA:

- Then we seek the location of the string HOLA within the program. The path is as follows: Plugins -> Binary Searcher -> Binary String Search Ctrl + F

- EDB allows to enter directly characters searched in ASCII. The result of that search string in hexadecimal is 48 4F 4C 41 = H O L A, located in the memory segment between positions 0804840F and 0804940F:

- Indeed, in previous memory position we find the following statement, one of whose operands is 0x414C4F48.

The operand is stored in Little Endian format (least significant byte at lowest memory position): 

0x414C4F48 = 48 4F 4C 41 = HOLA (in ASCII)

- In order to alter program operation at runtime, right clicking on previous instruction, and in the displayed menu choosing the Edit Bytes option:

This option allows to edit the ASCII code, and where it says HOLA to write BYE:

Instruction is altered, being the operand in Little Endian format 0x455942 the ASCII value of string character BYE:

- After running the program, we see that the output is now BYE:

ALTERATION OF A PROGRAM AT RUNTIME - Example 1 - Bypassing authentication

ALTERATION OF A PROGRAM AT RUNTIME - Example 1 - OllyDgb with Windows - Bypassing authentication

- The goal of this exercise is to alter the execution flow of a program at runtime. 

- The program is written in C language, and its normal operation consists of the user entering the password "PARIS" and the program showing the message "Password OK". In case of entering an invalid password the program answers "Password NOT OK".

- The alteration consists on bypassing the authentication so that any invalid password would be considered valid by the program. To solve this problem there are many alternatives.

- A simple solution resides on altering only 1 assembly instruction for the executable program, accessed through the debugger OllyDbg.

- First, we should study the code of the program in C language.

- The following statement prints on the screen the string "Password:" inviting the user to enter the password:

printf ( "Password");

- The program reads the password string that the user is entering, printing as the user is typing:

gets (password);

- The program compares the string "PARIS" (valid password) with the new string entered by the user.

if (strcmp (password, "PARIS") == 0)

- Then, depending on the result of the comparison, the program will jump either conditionally to print the message of invalid password ...

printf ( "Password NOT OK \ n");

... or calling the passwordOK() function ...

passwordOK ();

... whose code prints on the screen the valid password prompt:

printf ( "Password OK \ n");

- To solve the problem it can be introduced an unconditional jump (JMP, in assembler) to the memory address where passwordOK() routine begins just after the user has entered his password, and before it occurs the comparison with "PARIS".

- In this way it prevents the program to jump conditionally (JNZ, depending on the result of the comparison) to one place or another.

- Let's examine the solution in assembly language using the debugger OllyDbg.

- Once the executable file in OllyDbg loaded, we stand on the entry point of the program, pressing the blue triangle on the toolbar.

- In the analytical column, fragments of assembly language related to the corresponding program in C language are easily observed

- In this first fragment the program reads the password from the screen as the user is introduced.

- See how the program calls to the gets C language function in the memory address 00401378, using the CALL instruction <JMP.& msvcrt.gets.>:

Then, by calling the C function strcmp, assembler CALL <JMP. & Msvcrt.strcmp>, located in the memory address 0040138C, the program compares the password entered by the user with the string "PARIS". Depending on the result, it is run or not a conditional jump JNZ SHORT pac1.0040139F, because this instruction depends on the sign flag Z. That is, if the result of the comparison is 1 the flag z (Z flag = 1) is triggered, which means that the password entered by the user is different from "PARIS" and the message "password NOT OK" is printed on the screen.

- It is important to note that the destination address 0040139F of the conditional jump JNZ holds the routine printing screen message "Password NOT OK".

- Here, the entire code snippet recently commented:

- Now, to alter the program successfully, so that the program displays the message valid password regardless of its content, it will have to interrupt the flow of control of the normal program, executing an unconditional jump to the PasswordOK () function, just before that can run the comparison previously studied.

- It is therefore important to detect that the PasswordOK() function begins at the memory address 004013E6:

- To alter the program at runtime on the 0040138C instruction calling strmcpy (we do not want that instruction to be run), a right click is made in the displayed menu option, clicking Assemble:

- In the empty space the unconditional jump instruction JMP SHORT 004013E6 is introduced, which refers to the code snippet PasswordOK() routine, beginning as we saw in the memory address 004013E6. The jump is of SHORT type because it is a close jump within the same code segment, less than 127 bytes away.

- The debugger OllyDbg enters 3 NOP (0x90 in hexadecimal) to fill the empty spaces after replacing one instruction for the other one. This ensures an smooth execution of the program, avoiding the possibility of unwanted rewriting of some memory addresses:

The EIP register shows that the next instruction to be executed after 0040138C (unconditional jump JMP) instruction is 004013E6 where passwordOK() routine starts. Thus, successive values ​​of EIP and the instructions executed are:

- Finally, entering the passwordOK () routine:

- It is noticed that once the program is resumed, after the previous change, entering different erroneous passwords (such as "hello", "goodbye", or a string of different nonsense characters), however the program recognizes all of them as valid. So it can be considered that the implemented alteration achieved the desired objective of bypassing the authentication: