Breaking the SSS technology blockade (vulnerability warning, Black Bar Security Net)

Author: 佚名 (Anonymous)
Source: www.myhack58.com, MYHACK58:6220055247
Published: Dec 09, 2005
I have really been too busy lately: on one side burying my head in the network security research topic I have to hand in at school, on the other side cleaning up malicious websites online. My machine has been running non-stop with me; luckily it is a dual-Xeon server, haha. One day I suddenly needed SSS, so I went to the Black-and-White Network and downloaded a copy. When I tried to register it I was dumbfounded: SSS 7.30 now uses web authentication, and the registration file produced by the KeyGen fails the check. Then I remembered that a 2005 issue of a hacking magazine had an article introducing SSS, and went to look it up. I wish I had not: when I read it I almost jumped from the sixth floor. The magazine said: "faced with the problem that SSS cannot be cracked, we use the virtual-machine restore method..." I was in despair. It seemed that plenty of experts were already helpless against this SSS, so what could I do? Was that really all?
Still, I refused to believe it and had to break this SSS. Brute-force it? Unlikely. Another method? I had never studied reverse engineering when I learned hacking. So I simply gave in and put SSS out of my mind.

A quick crack

First, the old method: use the KeyGen to generate a registration file. This registration file is not a cure-all, but without it nothing works. Fill in the registration information and click Generate.
Set it aside for the moment; we will need it shortly.
Next I must mention one thing: the hosts file. Everyone knows this file: it maps host names to addresses before DNS is consulted, originally to speed up access, and it takes priority over any DNS server on the network. So by modifying the hosts file you can "hijack" a domain. Many people type the correct URL and still land on a malicious website, and most of the time this file has been modified. Note that the file has no extension and lives in %windir%\system32\drivers\etc on Windows 2000/XP/2003. Open it in Notepad and add this line:
127.0.0.1 www.safety-lab.com
www.safety-lab.com is the official SSS site. We do this to deceive SSS into connecting to our own machine. When I captured the registration with a sniffer, I found that SSS submits the user data to http://www.safety-lab.com/update/db/keys.php, and when verification fails the server returns 1. Experienced readers will see at once that SSS relies on this return value to decide whether the user is legitimate. So as long as the value becomes 0, we can register successfully.
Someone will ask: how do you know that 0 means registration succeeded? Couldn't it be some other number? Frankly, half of this was a guess and half social engineering. Hacking is not only about technique; you also need a bit of luck.
Now set up a web server. Since everyone is a Windows user, IIS will do. The IIS configuration below is for 2003; 2000/XP/Vista may differ, so consult the relevant documentation. Go to the site's Properties > Home Directory > Configuration > Mappings and add mappings for the three extensions .dat, .pl and .php. In the Executable box put whatever is set for .asp files, and leave everything else unchanged.
The purpose is to have IIS execute files with these three extensions as ASP files. Other languages would work too, but I only know ASP. With the mappings set, we will write a few files to "fool" SSS.
Registration comes first, otherwise nothing else is usable. Let's analyse keys.php. The code is actually ASP; under IIS this keys.php is executed as ASP:
[The following code is in keys.php]
<%
Dim crc, name, founderr   ' define a few variables
founderr = true            ' error flag; stays true until valid input is seen
if request("crc") <> "" and request("name") <> "" then
    founderr = false
end if

if founderr = false then
    response.write "<html><body>0"   ' input present: return the "success" value
    response.end
end if

if founderr = true then
    response.write "<html><body>1"   ' unexpected case: return something so SSS does not hang waiting
    response.end
end if
%>
The code is simple: it accepts the two variables CRC and NAME sent by SSS and returns a value. Notice that the <html> and <body> tags are not closed; that is deliberate, because the complete packets I captured with the sniffer look exactly like this. Perhaps Safety-Lab did it on purpose as a trap; whatever, it registers.
Has the hosts file been changed? Then save the code above as keys.php under /update/db/ in the IIS root directory; if the root is E:\inetpub\wwwroot, it goes in E:\inetpub\wwwroot\update\db\. Then open SSS, import the registration file, click Done, and look: done?

However, a bare crack does not meet our needs. If you use online update now, it still fails, and it also revokes the authorization you just registered. What to do? Read on.

Cracked software that cannot be updated feels like using a pirated copy of XP: a bad mood. So I spent some more effort and lifted the update restriction too; it is not perfect, but it can detect updates.
Same old method: capture the update process with a sniffer and analyse it. The SSS updater visits the following pages (the http://www.safety-lab.com/ prefix is omitted):
/update/db/keys.php   verifies identity again, sneaky...
/update/sss/update.dat   a data file of unknown purpose;
/update/db/getdbaudits.pl   a data bootstrap file used to generate the update list.
Analyse first, then break each one. keys.php was just covered. update.dat looks like an index file; from what I observed it still changes, but it is not parsed through a server and can be downloaded directly. To keep the data current we still handle it dynamically. First a piece of code:
[The following code is in update.dat]
<%
On Error Resume Next   ' nothing special, just suppresses errors
Dim sURL
Dim Retrieval

Function GetURL(url)
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        GetURL = .ResponseText
    End With
    Response.BinaryWrite Retrieval.responseBody   ' relay the raw bytes to the client
    Set Retrieval = Nothing
End Function

sURL = "http://safety-lab.com/update/sss/update.dat"   ' the real address to fetch
Call GetURL(sURL)   ' the function already wrote the body; writing the return value as well would send it twice
%>
This is a classic ASP pattern: the page makes IIS fetch a page from another site and return it to the client. If the page on host A points at host B, a client visiting host A sees host B's content on host A. This differs from JavaScript redirection in an ordinary web page: JavaScript makes the client redirect itself, while here IIS acts as a server-side intermediary.
That matters when a program, not a browser, requests the page: the program does not interpret JavaScript redirect statements, whereas this method needs no client support. One more thing: if your machine runs a firewall with IDS functions such as VisNetic Firewall, turn it off, or you will get errors. When I was debugging, access to update.dat kept failing, and it turned out VisNetic was filtering the request.
Next, another file:
[The following code is in getdbaudits.pl]
<%
On Error Resume Next
Dim outformat, sURL
outformat = request("outformat")

Dim Retrieval

Function GetURL(url)
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        GetURL = .ResponseText
    End With
    Response.BinaryWrite Retrieval.responseBody   ' relay the raw bytes to the client
    Set Retrieval = Nothing
End Function

sURL = "http://safety-lab.com/update/db/getdbaudits.pl?outformat=" & outformat
Call GetURL(sURL)   ' the function already wrote the body once
%>

This file is similar to the previous one, except that it passes on one variable. Anyone who knows ASP can see it at a glance; if it is not clear, ask an expert. This page requests the update list, which is not large: the returned data is 8-10 KB, so the result appears quickly.
See? We have the update list. Many people will want to click Next right away. Don't: there is an issue to address first. Let me take a detour and describe my original idea; the following is only to explain the concept, so you need not follow along.
Still using the sniffer, I saw the updater access /update/db/getaudits.pl followed by a query string of 825 characters! I won't list it here, it would waste space; it is in data.txt. Many variables, but easy enough to handle in a program. So I wrote a corresponding page:
[The following code is in getaudits.pl]
<%
On Error Resume Next
Dim outformat, sURL
outformat = Request.ServerVariables("QUERY_STRING")
' Note: Request.ServerVariables("QUERY_STRING") returns everything after the "?" in the URL
Dim Retrieval
Response.Buffer = True

Function GetURL(url)
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        GetURL = .ResponseText
    End With
    Response.BinaryWrite Retrieval.responseBody   ' relay the raw bytes to the client
    Set Retrieval = Nothing
End Function

sURL = "http://safety-lab.com/update/db/getaudits.pl?" & outformat
Call GetURL(sURL)   ' the function already wrote the body once
%>
This page downloads the update data. Because the request has no variable name, just data appended after the "?", I was stuck for a while. Searching online I found that Request.ServerVariables("QUERY_STRING") gives you everything after the "?". In theory this page can return all the data the updater needs, but theory and practice are far apart.
To avoid hanging on network faults, the SSS updater sets a connection timeout of about 10 seconds. Safety-Lab.com is a Russian site, and each update download runs to hundreds of KB; at today's connection speeds (I was on 2 Mbit Netcom ADSL) it cannot complete in 10 seconds. This page does not stream the transfer: IIS downloads all the data from Safety-Lab.com before sending anything, and by then the SSS updater has already timed out. If you have a super-fast connection to Russian sites, you can still use this method.
So what do we do? There is a way. I later found that getaudits.pl on Safety-Lab does not require authorization. When the updater shows the update list (Figure 4), put a "#" (without the quotes) in front of the "127.0.0.1 www.safety-lab.com" line in the hosts file, so Windows ignores it. Then click Next and the update data downloads.
Attentive readers will notice that all my relay pages fetch from http://safety-lab.com/. It looks the same as the www address, but for hosts-file resolution a single character's difference matters: mapping www.safety-lab.com to the local machine does not also map safety-lab.com, so the relay pages still reach the real server. One more note: SSS generally downloads update data to C:\Program Files\Common Files\Safety-lab\Download, so you will not find it in the SSS installation directory.

Finally, answers to some common questions, for easy reference.
Q: Why do my .dat, .pl or .php files not execute, and I just see the source file?
A: You have not set up the IIS mappings for these files. Map the three extensions exactly as .asp files are mapped. If your IIS is 6.0, also enable ASP support under Web Service Extensions.

Q: All my other settings are correct, but the updater reports "Download Error, HTTP Error Disconnect server". What is going on?
A: Safety-Lab.com is an overseas site and is not always reachable, so connection failures happen; try again or reconnect. Also check whether your firewall blocks the IIS worker process w3wp.exe from accessing the Internet.

Q: Why can't I register SSS? Why does the updater tell me the registration is invalid?
A: Because you have not modified the hosts file. Follow the steps above: modify the hosts file, and only once the updater displays the update list (Figure 4) change it back.

So far, a scanner with a high reputation in the industry has been fully cracked. Hard to understand: a security-audit product that put so much effort into anti-cracking fell to this little trick. I recall Microsoft programmers call this a hack. This is what WTF calls "flexible intrusion thinking". Following this idea, a lot of software with web registration that was once considered "uncrackable" can have its usage restrictions lifted just as easily.

Practical protection
Above I described how to crack software through a flaw in its web registration authentication, so we now have insight into this new kind of attack on web registration. Below I discuss how to close the web registration gap; the code examples are in ASP.
From the example above, the keys.php page that judges whether registration information is legitimate and returns a value has a very serious logic error in its design. The designer's idea was most likely this:
[The following code is in keys.asp]
<!--#include file="conn.asp"-->
<%
Dim crc, name, notfound, rs, sql   ' "err" is VBScript's built-in error object, so the flag is named notfound
notfound = true

if request("crc")<>"" and request("name")<>"" then
    crc = request("crc")
    name = request("name")
    notfound = false
end if

if Not IsNumeric(crc) or Not IsNumeric(name) then   ' numeric-only input: this is the filter against SQL injection
    notfound = true
    response.write "<html><body>1"
    response.end
end if

if notfound = false then
    Set rs = Server.CreateObject("ADODB.Recordset")
    ' we assume the name and the crc are stored in the database
    sql = "select * from users where ucrc=" & crc & " and uname=" & name
    rs.open sql, conn, 1, 1
    if rs.EOF then   ' no matching row: registration fails
        response.write "<html><body>1"
        response.end
    else
        response.write "<html><body>0"
        response.end
    end if
end if
%>
Everything looks perfect, right? Perhaps not as good as it could be, but you can at least see that it filters SQL injection. However, using 0 and 1 as the two possible verdicts is very inappropriate. An experienced attacker who sees "1" returned on failure will naturally guess that success returns "0", and the web authentication protection becomes useless.
The best approach: first, modify your program so that it does not decide legitimacy solely on whether the return value is "0" or "1". Add a module that processes the information returned by the web authentication service; only if that information stands in a specific relationship to the information the user submitted is the user treated as legitimate, otherwise not.
Secondly, the server-side page of your web verification service must also change. It can process the user-submitted information in these steps:
1. Query the database with the information submitted by the user;
2. If no matching data is found, return a failure code such as "1" directly;
3. If the query succeeds, compute something from the user-submitted data and return that to the client;
4. To prevent abuse of a genuine registration number, set a registration limit for each number, for example 10.
Finally, give your software strong anti-cracking protection, so that an ordinary cracker cannot even get started on it. Otherwise, however tight your web registration authentication is, it is meaningless: the cracker will simply patch the program and skip the web check altogether.
The update channel also needs protection. Put the user-verification code above into the page that produces the update list; it will not consume many resources and prevents unauthorized users from obtaining the list. Before the client updater fetches the list, it should likewise submit the user's identity information to the service for verification.
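The following is an added example written for this edit, not code from the article or from Safety-Lab, and it is in Python rather than ASP so that it runs stand-alone. It models both the registration exchange from the "quick crack" section (a fake keys.php answering 0 to everything, and a client that trusts the trailing digit) and the four-step protection described above: the hardened server looks the key up, fails with 1, otherwise returns a verdict bound to the submitted name, crc and a client nonce with a keyed hash, and caps activations per key. The license table, the nonce, the shared key and all names are assumptions made for the demo.

```python
"""
Added example (not from the article or from Safety-Lab): a model of an
SSS-style web registration check, naive and hardened, run side by side.
All license records, keys and names are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed sample license table: name -> crc. The article's keys.asp
# treats both as numeric database columns (uname / ucrc), so both are digits.
LICENSE_DB = {"1001": "2876524390", "1002": "1839021123"}
MAX_ACTIVATIONS = 10   # the per-key registration limit the article recommends


def naive_server(name, crc, db=LICENSE_DB):
    """The server side as the article's keys.asp implements it: a bare 0 or 1."""
    if db.get(name) == crc:
        return "<html><body>0"
    return "<html><body>1"


def spoofed_server(name, crc):
    """The attacker's keys.php from the article: answers 0 for any input."""
    return "<html><body>0"


def naive_client_accepts(body):
    """Client side as the article infers it: trusts the trailing digit."""
    return body.strip().endswith("0")


def _tag(key, name, crc, nonce):
    # Binds the verdict to this exact request: name, crc and the client's nonce.
    msg = "|".join((name, crc, nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class HardenedServer:
    """The article's four steps: look up, fail with 1, otherwise answer with a
    value derived from the submitted data, and cap activations per key."""

    def __init__(self, key, db=LICENSE_DB, limit=MAX_ACTIVATIONS):
        self._key = key
        self._db = db
        self._limit = limit
        self._activations = {}

    def check(self, name, crc, nonce):
        if self._db.get(name) != crc:
            return "<html><body>1"
        used = self._activations.get(name, 0)
        if used >= self._limit:
            return "<html><body>1"   # abused key: refuse further registrations
        self._activations[name] = used + 1
        return "<html><body>0:" + _tag(self._key, name, crc, nonce)


def hardened_client_accepts(body, name, crc, nonce, key):
    """Accept only a 0 whose tag matches what this client itself submitted."""
    prefix = "<html><body>0:"
    body = body.strip()
    if not body.startswith(prefix):
        return False
    return hmac.compare_digest(body[len(prefix):], _tag(key, name, crc, nonce))


def demo(key=b"demo-shared-secret"):
    """Runs the exchanges side by side and returns the verdicts by name."""
    server = HardenedServer(key)
    name, crc = "1001", "2876524390"
    nonce = secrets.token_hex(8)
    genuine = server.check(name, crc, nonce)
    verdicts = {
        "naive_real_valid": naive_client_accepts(naive_server(name, crc)),
        "naive_real_invalid": naive_client_accepts(naive_server("9999", "0")),
        "naive_spoofed": naive_client_accepts(spoofed_server("9999", "0")),
        "hardened_spoofed": hardened_client_accepts(spoofed_server("9999", "0"), "9999", "0", nonce, key),
        "hardened_genuine": hardened_client_accepts(genuine, name, crc, nonce, key),
        "hardened_wrong_crc": hardened_client_accepts(server.check(name, "1", nonce), name, "1", nonce, key),
        # a captured genuine answer replayed under a fresh nonce must be rejected
        "hardened_replayed": hardened_client_accepts(genuine, name, crc, secrets.token_hex(8), key),
    }
    small = HardenedServer(key, limit=2)
    for i in range(2):
        small.check("1002", "1839021123", str(i))
    verdicts["limit_enforced"] = small.check("1002", "1839021123", "x") == "<html><body>1"
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

The naive client accepts the spoofed "0" exactly as the article describes, while the hardened client rejects it, rejects a replayed answer, and the server refuses a key past its activation limit. One caveat: with a keyed hash the verifying key has to ship inside the client, where a cracker can extract it and run a fake server that computes valid tags. In a real product the server should sign the verdict with a private key and the client should hold only the public key, and, as the article says, none of this helps if the program itself can be patched to skip the check.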
In fact, judging by the method I described above, implementing this is not very complex, and it is not deep art either. Yet this little trick can make life difficult for the many people who want a free lunch. I am not referring to peers who study cracking.