Domain: woodmann.com
Stories and comments across the archive that link to woodmann.com.
Comments · 20
-
firmware rootkits: we're everywhere! muhahahaha
Network Cards & PCI Cards Firmware: No protection or detection of rootkits / malware, & AMD CPU issue
# Designing and implementing malicious hardware
"Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques. Yet current work on trojan circuits considers only simple attacks against the hardware itself, and straightforward defenses. More complex designs that attack the software are unexplored, as are the countermeasures an attacker may take to bypass proposed defenses.
We present the design and implementation of Illinois Malicious Processors (IMPs). There is a substantial design space in malicious circuitry; we show that an attacker, rather than designing one specific attack, can instead design hardware to support attacks. Such flexible hardware allows powerful, general purpose attacks, while remaining surprisingly low in the amount of additional hardware. We show two such hardware designs, and implement them in a real system. Further, we show three powerful attacks using this hardware, including a login backdoor that gives an attacker complete and high-level access to the machine. This login attack requires only 1341 additional gates: gates that can be used for other attacks as well. Malicious processors are more practical, more flexible, and harder to detect than an initial analysis would suggest."
https://db.usenix.org/event/leet08/tech/full_papers/king/king_html/
# Attacking network cards
"I've reached my goal of writing a totally transparent firewall bypass engine for those firewalls which are PC-based: you simply overwrite the firmware in both NICs and then perform PCI-to-PCI transfers between the two cards for suitably formatted IP packets (modern NICs have IP "offload engines" in hardware and therefore can trigger on incoming and outgoing packets). The resulting "Jedi Packet Trick" (sorry, couldn't resist) fools, amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of course obvious as none of them check PCI-to-PCI transfers. "
https://lwn.net/Articles/284162/
http://www.links.org/?p=330
# 'Super-secret' debugger discovered in AMD CPUs
# Password-protected feature goes beyond x86
http://www.theregister.co.uk/2010/11/15/amd_secret_debugger/
# Super-secret debug capabilities of AMD processors !
# Hidden Debug Mode Found In AMD Processors
http://hardware.slashdot.org/story/10/11/12/047243/Hidden-Debug-Mode-Found-In-AMD-Processors
# A microcode reliability update is available that improves the reliability of systems that use Intel processors
http://support.microsoft.com/kb/936357
# Google: attacking network cards malware, PCI rootkit, PCI rootkits, rootkit firmware, etc.
-
Re:Apple == EVIL
Google started using the word App in 2006 for Google Apps (well before the Apple trademark application in 2008).
App was a buzzword in 2002 for Microsoft 95/98 application development.
Numerous references exist for making an "app" in various perl and php forums around 2000.
A killer app for computer chat published in the Economist in 1999.
Article titled "The Killer App" published in the Harvard Business Review in 1998
App Launcher software patcher circa 1998.
"DOS App" used on uunet in 1994...
And that is just from a few minutes of googling...
Apple did not invent the term "App" as a word.
-
Re:Detection = failure
Mhm... don't know about you, but during all the time I followed the cracking scene (mainly the 90s) I saw some *really* clever cracking techniques.
From adding actual functionality to a program (see this for an example tutorial) to reverse engineering the com protocol of software that "called home" and creating a server that simulated the activation server.
Oftentimes when some software isn't cracked it's because crackers are not interested in it or because a good cracker hasn't looked at the software.
To see the *real* capability of crackers, have a look at this forum.
The second point being that if the crackers were any good at software development they would have the vision, skill and patience to create new software that inspires people to play through the game / create beautiful works of art / solve new problems.
I agree with that; reverse-engineers are as good at developing software as, say, most physicists; that does not mean that some physicists do not get my respect
;-) -
Re:a step in the right direction
"Just make the inside a vacuum"...Just?
Anyway, those dongles apparently are more 'involved' to work around than they are hard to work around:
-
Re:Username/password combo for banks flawed.
Dongles are often everything that they are cracked up to be:
-
FlexLM revisited?
Yeah, I heard this kind of promise from the FlexLM guys decades ago. Interoperability, you control the licenses, yadda yadda. It's a turd. Individual vendors couldn't get their client implementations working well enough to "play nice" with other competing vendors applications (yes, Altera and Xilinx, I'm looking at you.) If your network and license-server topology is slightly different from the reference one, nothing works properly. FlexLM is still a disaster. This form of restriction will be too.
-
Re:countdown
USB Dongles have been cracked for years. Once you crack the key (a 2 minute process), you can dump the data off it and then emulate the dongle at will. See for yourself
This hasn't stopped my company from using them for licensing... Despite me demonstrating this. -
Adobe eBook DRM status? (post-Sklyarov)
Wishing I wasn't forced to use Acrobat for increasingly many eBooks...
While Touretzky prefaces his page on the subject with "Computer professionals who have examined these mechanisms have found them easy to defeat", I miss something able to decrypt or print the latest crop -- where APDFPR says
APDFPR Error
The document was created with 'eBook Exchange (EBX_HANDLER) 128-bit security v.3' encryption handler. This protection method is not supported.
Yet I see some nicely decrypted ones floating around. E.g. (one of many for purely instructional purposes): ISBN 0387954775 here.
Having the eBook and the etx.etd file I guess that should in principle be possible, but how's that done in practice?
-
Re:Microsoft has blundered badly
Certain Wibu implementations have been cracked:
http://www.woodmann.com/crackz/Dongles.htm
http://www.woodmann.com/crackz/Tutorials/WibuAnalysis.zip (file contains a .pdf)
A cracking group offering their "services" to crack Wibu and tons of other stuff:
http://www.djvibe.com/forum/showthread.php?p=1685 (Advertised on this site and many others, they have a rather large catalog of cracked dongle-protected software for sale.)
Someone who took a peek at one of Wibu's dongle solutions and wrote a short paper on how to crack it: http://www.cobra-basket.de/e/Dongle.txt
Note though: Codemeter is considered "secure" even by some crackers still, as a real solution requires the presence of a legit dongle. Brute-forcing it in software would take too long by most people's standards. So to engineer a crack, someone needs the dongle to work off of.
The weakness with dongles will always apparently be the APIs, especially ones that interact with the MS Windows APIs and Registry.
This info was found doing a quick Google search. I am of the opinion, however, that Codemeter has been cracked, but the people who have cracked it make much more money their way (selling their services or cracked software) than telling Wibu AG how they did it and collecting on any bounty offered like during that "hacking contest" they had. -
Digimarc and Photography
Digimarc was great- I loved them. It was hilarious to see images marked and then 'remarked' by hacking the program to re-watermark the image. The original mark wasn't recoverable.
http://www.woodmann.com/fravia/frogdigi.htm
Food for thought. -
Re:Stupid stupid idea
Well, not quite that easy given that any prog paranoid enough to be using a dongle should also be wrapped, full of anti-debugger and detection routines, and in the worst case actually run some of its code on/from the dongle (e.g. some high-end music packages do this.) Softice in particular was always pretty easy to detect historically.
Incidentally, for anyone who wants to start playing around with basic win32 reversing I would strongly recommend Ollydbg; it's free (shareware but doesn't time out etc), powerful and surprisingly easy to use. Don't expect to be able to crack hard targets like games straight away (they will have commercial protection wrappers), but with a fairly basic understanding of what I was doing I've cracked quite a few significant products with it and it's fun / satisfying to do so. There are various forums and other resources dedicated to the subject out there. Have fun! -
Re:All Reverse Engineering I could had...
Actually this mirror has existed for a very long time now. It's also the most famous, I think.
-
Searchlores
For a hacker's approach to searching, check out searchlores.org. It's run by Fravia, who for years ran the best reverse engineering site around. Stuff like including the phrase "parent directory" in the search query to limit searches to directory listings, how to stalk people on the internet, stuff like that.
You can still find old mirrors of the reverse engineering site, but the only active one I know of is at www.woodmann.com/fravia. The message board is at www.woodmann.net/forum, no crackz, serialz, or warez allowed. Just techniques, tools, etc.
-
Searchlores
Fravia was once the biggest name in reverse engineering. His webpage was a reverse-engineering blog as far back as 1995, and he was instrumental in getting good reverse-engineers to talk together and teach each other their tricks.
The one remaining active mirror of his site is at http://www.woodmann.com/fravia. The messageboard at http://www.woodmann.com/upload is still the best place to go for reverse-engineering windows code; no crack requests, serial requests, or target-specific code are allowed, but you can address particular copy protections by name.
Fravia has since moved on to reverse-engineering search engines. If you want to find the stuff that doesn't turn up at the top of a google search, start here.
-
CRC32
given a CRC32 hash and part of the input, can you recover the other part?
Maybe, you may find this tutorial useful: CRC and how to Reverse it. -
macrovision safecast
somewhere to start reading about the issue: the tech they use and a few words on how it works.
I used to use TurboTax each year. I always bought my own copy and I never shared it. A number of times I've needed to print my return out later on a different machine; but now I wouldn't be able to. Experts always suggest you save your return and papers and stuff forever...but now Intuit would expand that advice to "also save your old PCs and hope they continue to work years later". But, the main annoyance for me is simple: Intuit doesn't need to know I exist just because I might use their software. It should be as insignificant an event as if I used notepad.exe. I understand their troubles...but I don't care. So, I'll just find an alternative. Goodbye dear Intuit.
But...I might just ask a buddy who has bought the thing if I could please take a peek at his HD's sector 32 before and after the install. Just out of curiosity. -
Re:Some useful RE links...
Go here.
It's +fravia's page, but it's constantly being updated with new stuff.