Sunday, June 26, 2016

Bypassing Protections: Exploiting Activation to Access Sensitive Data

Welcome to part 2 of the Bypassing Protections series. In this part, we will be looking at an application which uses online activation to verify a license key and activate the software. After activation, the server allows the user to upload their sensitive data to the server, using their registration information as authentication. In this tutorial, we will look into creating an activator which will allow us to bypass the online activation and access the sensitive data that other users have uploaded. Before we begin, I am obligated to say that this tutorial is provided for informational purposes only. By reading this tutorial, you agree not to use the information in this tutorial to hack the server or pirate the application of the software author. As last time, I will not mention the name of the software in this post, but will include pictures which will allow you to determine which software this tutorial was based upon.

To begin this tutorial, we will first try to find the license verification routine. Let's start the target up in ollydbg and attempt to register it with a random name and serial. In this example, I will be using the author's name and '123456' as a license key.

After clicking okay and the nag appears, let's pause ollydbg and follow the call stack back into the application code. After a few steps, we will arrive here:

It appears that this is the verification routine at first glance. Let's set a breakpoint on Function labeled "GenerujKluczProdukti..." and attempt to register again. After the breakpoint, we can step inside and look around. Inside this routine, we notice there is a loop that appears to be replacing the characters in our name which are greater than >=$80 with their numerical/ordinal value in a &#ordinal; format.

We can recreate this function in delphi like this:

After this routine, the application takes an MD5 hash of our name, extracts every other character from the hash, and inserts dashes every 5 characters.

We can generate a key in delphi like this:

I will publish the getMD5 code later which uses the CryptoAPI.

Now that we can generate a valid serial, we can look into the online activation. Following the jump past the nag routine, we begin preparing the url to verify our key with the server. At this point, I advise disconnecting the internet or blocking the application with the firewall. After scrolling down, we can see a string which says [RETURN:OK]. Below this, there is JLE. If we bypass this jump by setting EAX=0, our application will believe the server verified our serial as legitimate.
 Let's toggle a breakpoint on CMP EAX, -1 and allow the program to attempt to activate. Once we break here, immediately set EAX to 0. Now, we will begin storing our information in the registry. The activation data is stored in HKEY_CURRENT_USER\Software\Classes\.p k c d o c 2(remove spaces) in the following string values:
o1= encrypted name
k1= encrypted serial
v1= encrypted version
wk= server result (0)
Each value with the exception of wk(sever result) is encrypted with with the following algorithm.
This routine encrypts each individual character of the name, key, and version number. It then converts the encrypted character, which is a WORD(16 bits unsigned) to a number string(inttostr) and adds it to a numerical string separated by a space. We can recreate the routine in this fashion:

The result of this routine is then added to the registry. We can do this in delphi using the TRegistry unit.

Now, we can use this activator to activate the application with any name we please, without having to verify it online. Now that the application is registered to the author of the software, we can now access any tournament data he has stored on the server.

This is due to the fact that the server grants access to information stored on the server by using the username and license key for authentication.

Since there is only one possible license key for each licensed user, and the name of each user is published with their tournament results, we can simply activate the software with their name to gain access to their data. This is a serious flaw which I tried to bring to the attention of the author, but he ignored every email I attempted to send him.

A way that this authentication flaw could be fixed is to remove the md5 license scheme and make the serial number for each user generated at random. That way, there are trillions, if not an infinite number of possible serial numbers for each user. This way, if I activated the application in the manner above, using a serial I generated at random, it would be next to impossible for me to generate the exact key issued by the author, thus, causing the authentication to fail. The author could also add a second layer of authentication for accessing the online data which required the user to create an account on the server with their email and password.

I want to thank you for reading and following along with this tutorial. If you have any questions, feel free to ask them below. Until next time, happy reversing.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.