Sunday 27 September 2009

Application Behavioural Changes

I was recently at a situation where I needed to test the security of a purely fat client, that is no server-side component was used at the application, rather a database hosting the application data. As such, all input validation and integrity checks where done at the fat client. After reversing part of the application it was evident that the application runtime behaviour would need to be changed per my needs in order to subvert these checks. To put things into perspective, by the term application runtime I am referring to the values held by the registers at program execution.

The primary point of interest was, of course, subverting the password authorisation scheme of the application. Due to runtime protection it was not possible to permanently patch the application binary so I had to apply the patches at every execution. That lost its glamour after the first 15 times so I devised an Immunity Debugger PyCommand that would apply the patch after attaching to the application binary. Then I issued the same command for all 9 points that I had to patch. It took about 4 runs for that to also loose its magic...

By now you must know where I am going with this...

So I devised a PyCommand that takes a ; separated of : separated quadruples of the information required to setup the hooks. I was feeling quite imaginative that afternoon.

The idea behind this PyCommand is that a breakpoint is set at each point that the program execution must be manipulated. Once the breakpoint is hit, the relevant manipulation associated with it will be executed. That may be setting the value of a register to a specified value (eg. EAX=0x00000000) or to the contents of another register (eg. EAX = EBX) .

The required information in order to setup the breakpoint hooks is:
  • ID: A unique - descriptive - name in order to identify the hook by
  • ADDRESS: The address that the breakpoint will be set
  • REGISTER: The register to be modified
  • VALUE: The value to be set to the register, this can either be static (0x00000000) or the name of another register in which case the value of that register is being copied to the one we wish.

So at the end of the day I ended up with something along the lines of:

! -b PREJMP:0x0040501290:EAX:EBX;POSTCMP:0x00407612:EAX:00000001

You can get the PyCommand from here.

The code is messy, but it works. I will try to put comments in it but I cannot guarantee that it will continue to work. To those wondering, yes putting comments in my code CAN break normal functionality.


No comments:

Post a Comment

Note: only a member of this blog may post a comment.