GOING UNDERCOVER
(How to autoconnnect to Internet at work)

by +Yamato
HCU
(10 July 1997)


Courtesy of Reverser's page of reverse engineering

Well, I have almost no words. This document is INCREDIBLE! +Yamato has not only reverse engineered a protection scheme: he has reverse engineered a whole situation!
All the people out there that have already read my corporate survival strategies know well how important I reckon the struggle against a situation where people are at the complete mercy of their stupid boss and some servile sysads.
+Yamato was deprived of internet access at work... a scary situation... and what did he do? He used his superior cracker intelligence to solve the situation.
Note also the two c programs he wrote: browse.c is a little GOOD utility in its own rights!
Read this fantastic essay and you'll also understand, as I for sure understand now, what for an incredible "nose" had +ORC -from the beginning- when he told us to send immediately the +HCU membership to +Yamato after reading his first essay at the beginning of March.

Going undercover

by    +Yamato

Content of the essay: hiding Windows applications, cracking Wingate, registry settings
Case study: you are working for a company, and your Internet access is cut (for various reasons, all leading to money). What do you do?
Software needed: Wingate 1.3.17 proxy server ( a very good, fast and tiny proxy server, running on all Win32 platforms ) you can download it from www.deerfield.com/wingate
Tools: w32dasm, soft-ice, c compiler, resource workshop.

Hi again, folks. I read Reverser's essay about survival strategies in a corporation environment, and I thought to give my contribution to the cause. So, here is the story:

A while ago, my boss searched some computers in our office and found some interesting files of mine. He didn't like them, so he cut off my Internet connection. Of course I was desperate, I cried two days and two nights :o) .But then, I wiped my tears and started working on the problem. My idea was to use a proxy server installed on another computer, and to connect through that proxy. Several problems were involved here but the biggest one was that the proxy server must be invisible, and, obviously, consume very little memory. First I had to choose the proxy software. I heard about Micro$oft Proxy, so I went to M$ site. Here are the requirements:

35 Megs of HD space
Win NT Server 4.0
IIS 2.0 ??!!!
Service Pack

This really sucks. I need a NT Server to run the proxy, and Internet Information Server. Why the hell do I need a web server to run a proxy server? Beats me. So I dropped MS Proxy. I wanted to be able to run the proxy even on a pure win95 machine, without any sucking web server or service packs. So a simple search on the web led me to the proxy software of my dreams: Wingate. Here are the specs, to compare with the MSProxy:

300 K of HD space
Win95, NT Workstation, Server ...

Eeeh...! What do you think bout this difference? And both programs do the same thing!

The first problem was to hide the proxy. After a little search through win32.hlp file I found the solution: we can use ShowWindow(SW_HIDE) and the window will disappear from the task bar and Alt+TAB menu. In Windows NT it will disappear even from the process list in Task Manager. In Win95 it will still appear in Ctrl+Alt+Del dialog. So I did 2 little programs to hide my program. First, launch.c, launches the proxy server and hides it, then exits. The name of the proxy program is xor-ed in the code, so a dump on the exe file won't reveal the name of the launched program.

Second, browse.c, is a little utility which lists all windows from the system ( even those hidden ) and you can choose what to hide and what to show. This is useful to show the proxy server after you hide it.

After that, I cracked the wingate (I'll talk later about this). Then I used Borland Resource Workshop (thanx Reverser for the tip) to remove the icon of the program, so nobody can imagine what it is. Then copied launch.exe and wingate.exe in the windows dir of the target computer, and of course renamed them to some inoffensive names, so they will not get the attention of the user. This is very important, since the name will appear in Ctrl+Alt+Del dialog. So choose a name like csrss.exe, osa.exe or any background process which is not running.

To start the proxy server every time the computer boots, I put launch.exe in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkey. So the proxy will be launched in a hidden window every time somebody logs in . Nobody will know that the proxy is running, and the hacker/cracker is happy. Version 2.0 of Wingate will allow the proxy to run as a service, so it even won't be necessary to log in.

More counter measures:

You have to be more careful when browsing through your hidden proxy.
First, disable disk cache in Netscape, so they cannot see what you did. Leave only the memory cache, and eventually increase its size.
Second, use different ports than default, for the proxy. For example DO NOT leave http proxy on port 80 (the default number). Put a port like 1276, so they cannot find it through a network scan.
Another problem is that they can look into your Options/Network Settings/Proxy information submenu , and see the address and port of the proxy server.That's why is necessary to have a little utility to erase the proxy information from the options with a simple click of mouse. Make a little C program which calls RegDeleteKey. The important keys (for Netscape Navigator) are:

HKEY_CURRENT_USER/Software/Netscape/Netscape Navigator/Proxy Information
HKEY_CURRENT_USER/Software/Netscape/Netscape Navigator/URL History.

Delete these keys, and your tracks are gone. You can make another utility to put back all these settings.

Now the crack for Wingate:

Wingate has a user name-password type protection, combined with a time limit protection. There are 4 types of licenses:

- 1 user free license (unlimited time)
- unlimited number of users (1 month time limit)
- 2,5 or 10 users (unlimited time)
- unlimited no of users (unlimited time) the most powerful one

Start disassembling the file with w32dasm. Search the source for "Invalid Information" string. Found one location. Right before this location we can see that this code is referenced by a conditional jump at 402DCD. Around this address we find:

:00402DB0 68C4DC4400       push 0044DCC4
:00402DB5 8D45F0           lea eax, [ebp-10]
:00402DB8 50               push eax
:00402DB9 8975F0           mov [ebp-10], esi
:00402DBC 68B8DC4400       push 0044DCB8
:00402DC1 68C0DC4400       push 0044DCC0
:00402DC6 E8455E0100       call 00418C10
:00402DCB 85C0             test eax, eax
:00402DCD 0F8449010000     je 00402F1C			;if eax==0 jump to Invalid Reg no!
:00402DD3 3975F0           cmp [ebp-10], esi
:00402DD6 0F84E5000000     je 00402EC1			;if equal skip verification of expiry date

;--------------------- verify expiry date -----------------------
:00402DDC 8D45E0           lea eax, [ebp-20]
:00402DDF 50               push eax
:00402DE0 E81B7B0100       call 0041A900
:00402DE5 DD00             fld qword ptr [eax]
:00402DE7 E8BC8C0100       call 0041BAA8
:00402DEC 3B45F0           cmp eax, [ebp-10]
;--------------------- done verify -------------------------------

:00402DEF 7E43             jle 00402E34		;if reg no has not expired jmp Good guy
:00402DF1 56               push esi
:00402DF2 56               push esi

* Possible StringData Ref from Data Obj ->"This key has now expired."
                                  |
:00402DF3 683C954400       push 0044953C
:00402DF8 E800100300       call 00433DFD		;call showMessageBox

At address 402DC6 there is a call, and right after a test eax,eax. If eax=0 the the reg number is invalid! If we change the je to jne we'll receive a message that "this reg no has expired!". But after the jump equal, at address 402DD3, there is another comparison: if esi == [ebp-10] then the registartion number isn't time limited. Changing this with cmp esi,esi and nop will give us unlimited time.
Now I want unlimited numbers of users. For this I have to step into the routine which is called at 402DC6. This routine takes four parameters:

push 44DCB8 ---------> this is the reg no user has typed
lea eax,[ebp-10]
push eax ---------------> I dont know what is this
push 44DCB8 ---------> see bellow
push 44DCC0 ---------> this is the user name
call 418C10 -----------> the check routine

Using Soft-Ice I was able to see that 44DCC0 is the user name, and 44DCB8 is the reg no. But what is that 44DCB8 address? With a little feeling ( ORC calls this Zen ) I guessed that this could be the number of users (licenses). So, the check routine takes user name and reg no, verify the reg code, and returns the number of licenses taken from the reg no. It sets eax to zero if reg no is invalid.
If we have an unlimited number of users license, than the 44DCB8 must have 0xFF or 0x00. 44DCB8 is the 3rd parameter pushed on stack, so it is at the address [EBP+0C] inside the routine. We'll search through the following code after EBP+0C.

Here is the code for the check routine, with some comments (part of it):

* Referenced by a CALL at Addresses:
|:00402DC6   , :0040FC1E   
|
:00418C10 64A100000000            mov eax, fs:[00000000]
:00418C16 55                      push ebp
:00418C17 8BEC                    mov ebp, esp
:00418C19 6AFF                    push FFFFFFFF
:00418C1B 687E8D4100              push 00418D7E
:00418C20 50                      push eax
:00418C21 64892500000000          mov fs:[00000000], esp
:00418C28 81ECA4000000            sub esp, 000000A4
:00418C2E 53                      push ebx
:00418C2F 56                      push esi
:00418C30 57                      push edi
:00418C31 8B7514                  mov esi, [ebp+14]
:00418C34 8B06                    mov eax, [esi]
:00418C36 8378F818                cmp [eax-08], 00000018   ;check length of reg code
:00418C3A 7415                    je 00418C51		   ;if it's 24 then go on; good guy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418D6E(U)
|
:00418C3C 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418D5D(U)
|
:00418C3E 8B4DF4                  mov ecx, [ebp-0C]
:00418C41 5F                      pop edi
:00418C42 64890D00000000          mov fs:[00000000], ecx
:00418C49 5E                      pop esi
:00418C4A 5B                      pop ebx
:00418C4B 8BE5                    mov esp, ebp
:00418C4D 5D                      pop ebp
:00418C4E C21000                  ret 0010



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418C3A(C)
|
:00418C51 33FF                    xor edi, edi
:00418C53 33DB                    xor ebx, ebx

;----------------------------------------------------
; here is some math stuff, I don't even look at it
; the interesting part is here, to the end of the routine
;-----------------------------------------------------

:00418D31 3A5DEC                  cmp bl , [ebp-14]
:00418D34 752C                    jne 00418D62		;if not equal exit-invalid reg no
:00418D36 837DE800                cmp [ebp-18], 00000000
:00418D3A 7526                    jne 00418D62		;exit - invalid reg no
:00418D3C 8B450C                  mov eax, [ebp+0C]	; HERE IS [EBP+0C] !!!!!!!
:00418D3F 8A4DED                  mov cl , [ebp-13]	; mov cl<-no of users
:00418D42 8B55E4                  mov edx, [ebp-1C]
:00418D45 8808                    mov [eax], cl 	; mov 44DCB8<-cl
:00418D47 8B4510                  mov eax, [ebp+10]
:00418D4A C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:00418D51 8910                    mov [eax], edx
:00418D53 E830000000              call 00418D88
:00418D58 B801000000              mov eax, 00000001
:00418D5D E9DCFEFFFF              jmp 00418C3E
So to crack this routine we'll have to change 4 things:
1.  check of the string length
      cmp [eax-08], 00000018 change with cmp eax,eax , nop
2,3 two jumps at 418D34 and 418D62 
4.  put unlimited no of users in cl at address 418D3F
	mov cl, [ebp-13] change with mov cl,ff , nop

There is another problem. as you can see at the beginning of the routine, it is called twice. And this makes sense. Once is called when you register the program, and twice, when the program starts, it looks in the registry to read the settings, then verifies the reg code again. Cracking the second call is identical with the first call.

That's all folks.

This program is very useful to me. I wish I could pay for it, but I don't have the money. The authors deserve support* from us, so they can continue to build such a tiny and wonderful programs, and to fight against Micro$oft and their overbloated programs.

Bye!

(c) +Yamato 1997

*) It could well be that the publishing of this essay helps the authors instead of damaging them, for a couple of reasons:
1) How many did know of the existence of this nice program? Many will know it now, since this page has twenty times more readers than the wingate one, and among the readers of this page there are many system administrators, developers and software experts;
2) The protection of wingate is painfully weak, and needs to be "ironed" a little. Hopefully the Wingate boys will now work a little on it;
3) Many reverse engineer will pay for Wingate if they deem it useful: as a matter of fact many of us throw away well before the end of the trial period all cracked programs and pay for the (very few) they keep for obvious security reasons;
4) Many, paying or not, will use from now on Wingate, and the mass use is the only way to impose a product: a truth that the enemies of humanity at Micro$oft very well know btw.

+Yamato's trick will work for quite a while... the sysads will eventually find a solution, but it will be implemented worldwide very slowly, as usual... I reckon that you may use this "my own proxy" method with absolute security for 6-7 months and with relative security for another couple of years... and we'll have already devised better methods by then :-)


You are deep inside reverser's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms corporate mailFraVia
Is reverse engineering legal?