A few months ago I attended a local user group meeting that focussed on software security. The presenter demonstrated several techniques that one could employ to bypass software security and several “tricks of the trade” that one could implement to make ones software more secure. The presentation rekindled the fire I had for a little research project that I had attempted several months earlier on reverse engineering .Net applications but that at the time I had lost interest in after an hour of unsuccessful googling. This time with a little more effort I found the right threads and was soon on my way to reverse engineering a product I had written and released to the internet. The scary part was that with little over an hours experience I had in effect bypassed all security that I had implemented in software up to that day… one word describes it best – I was a noob.
In this post I will outline the tools I used in my noob hacking and highlight a few blogs/sites that one can visit to get more information on the topic.
In a future post I will demonstrate obfuscation, and why this adds another layer of protection to ones code as well as other techniques that once can try.
If you are a security expert I ask for your patience when reading this blog as I am only a beginner when it comes to things like this, and would appreciate any comments / links where I can expand my knowledge base.
That being said.. lets get to the example…
The Tools You Will Need for basic Hacking a .Net application… Reflector – Redgate’s reflector allows you to explore and analyze compile .NET assemblies, viewing them in C#, VB and IL. Reflexil - Reflexil is an assembly editor that runs as a plug-in for Redgate’s Reflector, it is able to manipulate IL code and save the modified assemblies to disk. Getting Started – Installing Reflexil into Reflector First, download the above tools from their links.
I am going to assume that you have a knowledge of Reflector. If you haven’t used it before, there are tons of blogs on the internet or you can view their online video which runs your through the basics.
Once reflector is installed you will need to install the reflexil plugin/addin. You do this by opening reflector and going View-> Add-Ins
2010-08-30 08-09-37 PM
The Add-Ins window will appear, click “Add”.
2010-08-30 08-10-44 PM
Browse to the Reflexil director and select Reflexil.Reflector.dll file.
2010-08-30 08-10-30 PM
If the process is done correctly, then the add in will appear in the add-ins available list.
Editing your first application using Reflector & Reflexil It is really quite simple to do this. Simply add the assembly that you want to edit to reflector. The assembly can be either an exe, dll or mcl (Macro Command Language).
2010-08-30 08-18-16 PM
Once you have added the assembly to reflector, it will be shown in the tree as a node and you can browse its sub components. In the example below I added BasicApplication.exe to reflector and browsed to the Main function. As I double clicked on the main function, the translated IL code is shown on the left pane of the window. In this instance I have set it to translate to c# code.
2010-08-30 08-19-53 PM
Lets say I now found a section of code I wanted to edit – reflector by default does not allow me to edit code, simply view it – so this is where Reflexil comes into play.
Select the method you want to edit and on the menu go Tools-> Reflexil vx.x
2010-08-30 08-27-38 PM
As soon as you click the Reflexil on the menu, an additional Reflexil pane will appear under the Disassembler code window.
2010-08-30 08-29-30 PM
Depending on how familiar you are with assembly code, the instruction pane of the Reflexil window will look very much like assembly language of old. In fact it is IL Assembly Code – for an interesting explanation on interpreting IL code read Sameers “Introduction to IL Assembly Language”.
In this instance though we will use a sample simple enough that you should be able to get a basic idea of what is going on just by slowly browsing the instruction list and making educated guesses.
Now there are two ways you can edit the IL code with Reflexil…
Edit each instruction line by line using op codes (Right click on the IL Code –> Edit) Edit a section of code in your chosen language and rebuild it into the project (Right click on the IL Code –> Replace all with code) Using method one, you would get a popup window that looks like the following…
2010-08-31 06-15-48 AM
Simply put in the new opcode and click update.
Once you have done all the changes you need to, highlight the root of the assembly (on the left hand pane) and the Reflexil window on the right hand side will change to show the following…
2010-08-31 06-24-47 AM
Click the Save As button (on the right hand pane) and enter the new name of your patched application. And that’s it – you have now edited your first assembly / application.
Bypassing Basic Security While I am no expert when it comes to security, I have picked up a few things in the last couple of days. In my mind, placing security for licensing in an application is a game of cat and mouse – the person implementing the security wants to hide the checks they put in so that the person trying to bypass the security does not know where it is. Ultimately it is also a game of time – with enough time, someone with enough skill will be able to identify and bypass any security measures. So the real objective for someone implementing security is really that you want to implement security so that it takes so much time for someone to bypass that it is cheaper for them to actually buy the product.
That saying – you are only as strong as your weakest link is so true with security. Typically in the past I would spend tons of time generating complex strings and parsers to evaluate the validity of registration codes and then use these algorithms to “secure” my application by having a single check when the application starts up on whether the registration string was valid or not. In that instance, my weakest point was the “checking”, not the actual code and so someone attempting to hack my application would simply need to either skip the check on the validity of the code altogether or negate just it so that only invalid codes are passed.
Let’s have a look at a basic console application I wrote to illustrate the point.
class Program { static void Main(string[] args) { Console.WriteLine(“Enter secret password : “); if (Console.ReadLine() == “secret”) { Console.WriteLine(“You got the secret message”); } else { Console.WriteLine(“No Access”); } Console.ReadLine(); } }
Really simple, stuff – the console prompts the user for a secret password, and then checks if the password is valid and shows a secret message, if not it refuses access.
Looking at the application compiled through reflector and reflexil we would get something that looked like the following….
2010-08-31 06-59-58 AM
At the point where the arrow is, we have the weakest link. Basically the way IL code works is that at this point it is comparing the two first values on the stack to see if they are equivalent and if not it will jump to line 22 and present the “No Access” message.
All we need to do is change the check from a true to a false and in effect what we have done is told the system that if the inputted password does not equal the secret word then continue, else give no access…
We do this by right clicking on line 15 in Reflexil and going Edit and then changing the brtrue.s to brfalse.s as illustrated below…
2010-08-31 07-04-04 AM
Now if we save the application (as explained in the previous section) and run it, we get the secret message if we don’t enter the secret password…
2010-08-31 07-06-52 AM
and if we enter the right password, we get the no access message…
2010-08-31 07-07-31 AM
And that’s how simple it is… security bypassed…
With more complex security, it takes more time – but ultimately if the code is in there, then with enough searching you will be able to bypass the “code” security.
Conclusion. As demonstrated above, the very most basic of protection is able to be bypassed in a matter of seconds. The approach I demonstrated is the most simple of scenarios and for more complete examples of similar techniques and a bit more info on how IL Code works I advise you read the following blogs…
Introduction to IL Assembly Language Assembly Manipulation and C# / VB.NET Code Injection (Great Read) Reverse Engineering with Reflector and Reflexil In future posts I will demonstrate more on how you can add additional layers of security to ones .net programs including obfuscation, strong naming, etc.
Till then… happy coding…