The primary point of interest was, of course, subverting the password authorisation scheme of the application. Due to runtime protection it was not possible to permanently patch the application binary, so I had to apply the patches at every execution. That lost its glamour after the first 15 times, so I devised an Immunity Debugger PyCommand that would apply the patch after attaching to the application binary. Then I issued the same command for all 9 points that I had to patch. It took about 4 runs for that to also lose its magic...
By now you must know where I am going with this...
So I devised a PyCommand that takes a ;-separated list of :-separated quadruples holding the information required to set up the hooks. I was feeling quite imaginative that afternoon.
The idea behind this PyCommand is that a breakpoint is set at each point where the program execution must be manipulated. Once the breakpoint is hit, the manipulation associated with it is executed. That may be setting a register to a specified static value (e.g. EAX = 0x00000000) or to the contents of another register (e.g. EAX = EBX).
The required information in order to setup the breakpoint hooks is:
- ID: A unique, descriptive name used to identify the hook
- ADDRESS: The address at which the breakpoint will be set
- REGISTER: The register to be modified
- VALUE: The value to be set in the register; this can either be a static value (0x00000000) or the name of another register, in which case the value of that register is copied into the one we wish to modify
So at the end of the day I ended up with something along the lines of:
!bsu.py -b PREJMP:0x0040501290:EAX:EBX;POSTCMP:0x00407612:EAX:00000001
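As an added example (not the author's PyCommand linked below), here is a pure-Python parser for the -b hook syntax together with the register manipulation a breakpoint callback would perform when its address is hit. immlib is deliberately not imported so the code runs outside the debugger; the accepted register set, the hook string and the register snapshot are constructed assumptions.

```python
# Accepted register names: an assumption (32-bit x86 general-purpose set);
# the page does not show which names the original PyCommand accepts.
REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP", "EIP"}


def parse_hooks(spec):
    """Parse 'ID:ADDRESS:REGISTER:VALUE;...' into a list of hook dicts."""
    hooks = []
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        parts = entry.split(":")
        if len(parts) != 4:
            raise ValueError("expected ID:ADDRESS:REGISTER:VALUE, got %r" % entry)
        hook_id, address, register, value = (p.strip() for p in parts)
        register = register.upper()
        if register not in REGISTERS:
            raise ValueError("unknown register %r in hook %s" % (register, hook_id))
        hooks.append({
            "id": hook_id,
            "address": int(address, 16),  # accepts both '0x...' and bare hex
            "register": register,
            # VALUE is either another register name (copy) or a static hex constant
            "value": value.upper() if value.upper() in REGISTERS else int(value, 16),
        })
    return hooks


def apply_hook(hook, regs):
    """Return a new register snapshot with one hook's manipulation applied.

    `regs` is a dict of register name -> value, the shape a breakpoint
    callback receives; the input dict is left untouched."""
    new_regs = dict(regs)
    value = hook["value"]
    if isinstance(value, str):  # copy from another register
        value = regs[value]
    new_regs[hook["register"]] = value & 0xFFFFFFFF
    return new_regs


def dispatch(hooks, regs):
    """Apply every hook whose ADDRESS matches the current EIP, in order."""
    for hook in hooks:
        if hook["address"] == regs["EIP"]:
            regs = apply_hook(hook, regs)
    return regs


if __name__ == "__main__":
    # Constructed sample hook string and register snapshot.
    hooks = parse_hooks("PREJMP:0x00405012:EAX:EBX;POSTCMP:0x00407612:EAX:00000001")
    snapshot = {"EIP": 0x00405012, "EAX": 0xDEADBEEF, "EBX": 0x41414141}
    print(hex(dispatch(hooks, snapshot)["EAX"]))
```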
You can get the PyCommand from here.
The code is messy, but it works. I will try to put comments in it but I cannot guarantee that it will continue to work. To those wondering, yes putting comments in my code CAN break normal functionality.
./Z