Valhalla Legends Forums Archive | Battle.net Bot Development | lockdown source

rob
Based on the code that iago released.

This should work on any x86 system.  Tested on windows/linux/freebsd.

http://www.onlythechosen.com/lockdown-src.zip
July 30, 2007, 5:44 AM
Barabajagal
[me=-RealityRipple-]watches as bots magically attain lockdown hashing and new DLLs are made.[/me]

I like your "tweedle" and "twitter" functions ;)
July 30, 2007, 6:16 AM
Hell-Lord
Nice work Rob :)
July 30, 2007, 6:23 AM
iago
[quote author=-RealityRipple- link=topic=16910.msg171269#msg171269 date=1185776167]
I like your "tweedle" and "twitter" functions ;)
[/quote]
When I named those, I didn't know what they were doing :P
July 30, 2007, 11:45 PM
Barabajagal
you remind me of my friend Warren. His error handlers were always named ZipadeeDooDahZipdadeeDayMyOhMyWhatAWonderfulDay or Hell, which was always fun to read... On Error GoTo Hell. And instead of commenting out code, he'd put it in an if statement that read "If 2 + 2 = 5 Then".
July 31, 2007, 1:08 AM
BreW
[quote author=-RealityRipple- link=topic=16910.msg171269#msg171269 date=1185776167]
[me=-RealityRipple-]watches as bots magically attain lockdown hashing and new DLLs are made.[/me]
[/quote]
At least 3 different lockdown checkrevision sources were released since 3 months ago....
July 31, 2007, 2:15 AM
UserLoser
[quote author=-RealityRipple- link=topic=16910.msg171269#msg171269 date=1185776167]
[me=-RealityRipple-]watches as bots magically attain lockdown hashing and new DLLs are made.[/me]

I like your "tweedle" and "twitter" functions ;)
[/quote]

Pretty sure that's the reason people like to release things openly--it's only a problem when people do not give credit when necessary
July 31, 2007, 2:19 AM
iago
[quote author=-RealityRipple- link=topic=16910.msg171282#msg171282 date=1185844081]
you remind me of my friend Warren. His error handlers were always named ZipadeeDooDahZipdadeeDayMyOhMyWhatAWonderfulDay or Hell, which was always fun to read... On Error GoTo Hell. And instead of commenting out code, he'd put it in an if statement that read "If 2 + 2 = 5 Then".
[/quote]
The names aren't that far off, because when I first started looking at them, it was clear that they were just pushing bits around and doing some other bitwise math. So "Twiddle" was born, since it was twiddling some bits. Then I looked at a second, similar function and giving it a similar name was logical, so out came "Tweedle". It basically made sense. :P
July 31, 2007, 2:25 AM
Yegg
[quote author=brew link=topic=16910.msg171283#msg171283 date=1185848132]
[quote author=-RealityRipple- link=topic=16910.msg171269#msg171269 date=1185776167]
[me=-RealityRipple-]watches as bots magically attain lockdown hashing and new DLLs are made.[/me]
[/quote]
At least 3 different lockdown checkrevision sources were released since 3 months ago....
[/quote]

If you look at what rob posted up there, and what iago released, you will notice that it will be much easier for people to implement what rob did.

PS. Don't be stupid and say, "but rob's is based off of iago's", because I know this.
July 31, 2007, 4:28 AM
BreW
[quote author=Yegg link=topic=16910.msg171288#msg171288 date=1185856139]
[quote author=brew link=topic=16910.msg171283#msg171283 date=1185848132]
[quote author=-RealityRipple- link=topic=16910.msg171269#msg171269 date=1185776167]
[me=-RealityRipple-]watches as bots magically attain lockdown hashing and new DLLs are made.[/me]
[/quote]
At least 3 different lockdown checkrevision sources were released since 3 months ago....
[/quote]

If you look at what rob posted up there, and what iago released, you will notice that it will be much easier for people to implement what rob did.

PS. Don't be stupid and say, "but rob's is based off of iago's", because I know this.
[/quote]
warz's version is by far the easiest to work with.
July 31, 2007, 12:20 PM
iago
[quote author=brew link=topic=16910.msg171289#msg171289 date=1185884457]
[quote author=Yegg link=topic=16910.msg171288#msg171288 date=1185856139]
[quote author=brew link=topic=16910.msg171283#msg171283 date=1185848132]
[quote author=-RealityRipple- link=topic=16910.msg171269#msg171269 date=1185776167]
[me=-RealityRipple-]watches as bots magically attain lockdown hashing and new DLLs are made.[/me]
[/quote]
At least 3 different lockdown checkrevision sources were released since 3 months ago....
[/quote]

If you look at what rob posted up there, and what iago released, you will notice that it will be much easier for people to implement what rob did.

PS. Don't be stupid and say, "but rob's is based off of iago's", because I know this.
[/quote]
warz's version is by far the easiest to work with.
[/quote]
It's also incomplete, Windows-only, and requires proprietary code to be run.

Mine, on the other hand, is complete, Windows-only, and is self-sustaining.

Rob's is complete, cross-platform, and self-sustaining.

So it depends how you define "easiest" :P

This is rather what I intended, though. I wanted to release working code and let other people worry about making it good. :)
July 31, 2007, 2:58 PM
warz
Why are you calling it incomplete? It worked completely, when I had posted it. Can't say that now, because I haven't looked at it since.
July 31, 2007, 5:56 PM
HdxBmx27
He's calling it incomplete because you are still using Blizzard's dll. Instead of reimplementing everything yourself.
Note: Don't start the argument again >.< it's annoying.
Hehe this source would have helped a lot when making my java port. But I learned way more about PE files than I ever wanted to so I'm happy :P
~Hdx
July 31, 2007, 6:51 PM
warz
I'm assuming he's talking about something else when he mentions incomplete because he also adds "and requires proprietary code to be run. " Also, we're not arguing about anything, but if we were, adding your two cents and then calling it annoying is no way to go about telling somebody to quit arguing. I enjoyed learning about windows PE header sections while doing this.
July 31, 2007, 9:45 PM
HdxBmx27
I'm sorry, I just figured if I had the answer to a question I should say it. From all my communications with iago, that is what he is referring to. And I added the comment about arguments because the last few times that there were discussions about the use of proprietary code in your implementation it turned into 10 page arguments.
Sorry for posting my thoughts.
~Hdx
July 31, 2007, 9:56 PM
warz
I don't recall ever arguing about that... because, well, it does use third party code - I wouldn't have ever denied that. I was asking iago, also. Although you may have given me what you think is the probable answer, it still cannot be the answer I'm looking for, considering the answer I'm looking for will not be coming from you. If it were coming from you, it would not have been the answer that I was looking for, therefore making it not the answer to my question at all. In the event that I thought iago would not give a reply, I would have refrained from asking the question altogether, so that I may avoid receiving an answer that isn't really the answer. Sometimes, you have to be straightforward so that you get the answer that you're looking for. (which cannot be given by anyone other than the one)
July 31, 2007, 10:55 PM
BreW
Man, warz, stop being so lame.
July 31, 2007, 11:44 PM
iago
It's incomplete because there's code missing.

It relies on proprietary code because it's incomplete.

It's not quite the same :P

(I'm not trying to complain or anything, I'm not exactly putting my version on a pedestal. I was just explaining what the differences are.)
August 1, 2007, 4:14 AM
warz
incomplete in a sense, i guess. complete in another sense.

[quote author=brew link=topic=16910.msg171301#msg171301 date=1185925490]
Man, warz, stop being so lame.
[/quote]

how's the vampire life style treating ya?
August 1, 2007, 4:20 AM
BreW
[quote author=betawarz link=topic=16910.msg171306#msg171306 date=1185942030]
[quote author=brew link=topic=16910.msg171301#msg171301 date=1185925490]
Man, warz, stop being so lame.
[/quote]
how's the vampire life style treating ya?
[/quote]
Dunno what you're talking about, I told you that was a joke about 100 times, how many more until you understand?
Heh. Your lockdown checkrevision code doesn't exactly work either, I keep getting invalid version:
[quote]
Checksum == -1885853027
exeVersion == 17760257
exeInfo == $/hÚÉf°ÃÚ=á@³#
[10:41:35 AM] [BNET] Sending 0x51...
[10:41:35 AM] [BNET] Received 0x51!
[10:41:35 AM] [BNET] Invalid product version.
[10:41:35 AM] [BNET] Disconnected.
[/quote]
August 1, 2007, 2:42 PM
Yegg
[quote author=brew link=topic=16910.msg171313#msg171313 date=1185979339]
[quote author=betawarz link=topic=16910.msg171306#msg171306 date=1185942030]
[quote author=brew link=topic=16910.msg171301#msg171301 date=1185925490]
Man, warz, stop being so lame.
[/quote]
how's the vampire life style treating ya?
[/quote]
Dunno what you're talking about, I told you that was a joke about 100 times, how many more until you understand?
Heh. Your lockdown checkrevision code doesn't exactly work either, I keep getting invalid version:
[quote]
Checksum == -1885853027
exeVersion == 17760257
exeInfo == $/hÚÉf°ÃÚ=á@³#
[10:41:35 AM] [BNET] Sending 0x51...
[10:41:35 AM] [BNET] Received 0x51!
[10:41:35 AM] [BNET] Invalid product version.
[10:41:35 AM] [BNET] Disconnected.
[/quote]
[/quote]

[quote author=brew link=topic=16910.msg171289#msg171289 date=1185884457]
warz's version is by far the easiest to work with.
[/quote]
August 1, 2007, 4:40 PM
warz
yeah. don't take anything brew says to heart. i don't think i have taken him seriously once, ever. also, any problems he mentions, or complains about, with anything he does, i generally assume it's an error he is making before i assume it's a problem with what he's using. my assumptions have been correct just about every time, also.
August 1, 2007, 4:52 PM
Yegg
[quote author=betawarz link=topic=16910.msg171316#msg171316 date=1185987172]
yeah. don't take anything brew says to heart. i don't think i have taken him seriously once, ever. also, any problems he mentions, or complains about, with anything he does, i generally assume it's an error he is making before i assume it's a problem with what he's using. my assumptions have been correct just about every time, also.
[/quote]

I know. I wasn't implying that your implementation was bad or less than anyone else's. Thought I'd remind brew that yours was the "easiest to work with" according to him. I know it's not working due to his own mistake(s), I just find it funny that he makes that claim and about a day later he's experiencing problems.
August 1, 2007, 7:24 PM
BreW
Grrr. Does it matter if i open the dx buffer with fopen() instead of fopen_s()? i heard i can't use it because it's in VC++ 7 and up only.
August 2, 2007, 2:22 AM
iago
I don't think there's anything wrong with using fopen() as long as you're careful to check the return value to ensure the file actually opened.
August 2, 2007, 2:36 AM
l2k-Shadow
[quote author=brew link=topic=16910.msg171325#msg171325 date=1186021343]
Grrr. Does it matter if i open the dx buffer with fopen() instead of fopen_s()? i heard i can't use it because it's in VC++ 7 and up only.
[/quote]

no. i just dled and compiled the code and it works just fine. you must be doing something incorrectly.
August 2, 2007, 2:40 AM
BreW
[quote author=l2k-Shadow link=topic=16910.msg171328#msg171328 date=1186022456]
[quote author=brew link=topic=16910.msg171325#msg171325 date=1186021343]
Grrr. Does it matter if i open the dx buffer with fopen() instead of fopen_s()? i heard i can't use it because it's in VC++ 7 and up only.
[/quote]

no. i just dled and compiled the code and it works just fine. you must be doing something incorrectly.
[/quote]
With VC++ 6? That's what I have, it doesn't recognize fopen_s.
anyways..
[code]
void Parse0x50(char *data) {
    char sdfg1[4], asdf[512], mpqName[32], ChecksumFormula[64], tmpCDKey[64], buf[256];
    char *files[5];
    int i = 0;
    memcpy(sdfg1, data + 8, 4);
    strcpy(mpqName, data + 24);
    strcpy(ChecksumFormula, data + 25 + strlen(mpqName));
    ClientToken = GetTickCount() + 7000;
    ServerToken = GetDWORD(sdfg1);
    strcpy(tmpCDKey, bot.cdkey);
    if (!DecodeCDKey(tmpCDKey))
        AddChat(vbRed, "[BNET] Invalid CDKey!");
    HashCDKey(KeyHash, ServerToken, ProductValue, PublicValue, PrivateValue, ClientToken);
    GetCurrentDirectory(sizeof(buf), buf);
    strcat(buf, "\\Hashes\\STAR\\");
    while (i < 5) {
        files[i] = (char *)malloc(256);
        strcpy(files[i], buf);
        i++;
    }
    mpqName[strlen(mpqName) - 4] = 0;
    strcat(mpqName, ".dll");
    memset(buf, 0, sizeof(buf));
    GetCurrentDirectory(sizeof(buf), buf);
    strcat(buf, "\\Hashes\\DLLs\\");
    strcat(buf, mpqName);
    strcat(files[0], "starcraft.exe");
    strcat(files[1], "storm.dll");
    strcat(files[2], "battle.snp");
    strcpy(files[3], buf);
    strcat(files[4], "sexp.bin");
    int crresult = CheckRevisionLD(files[0], files[1], files[2], ChecksumFormula, exeVersion, Checksum, exeInfo, files[3], files[4]);
    if (crresult) {
        memset(buf, 0, sizeof(buf));
        sprintf(buf, "Failed Lockdown CheckRevision! [error %d]", crresult);
        AddChat(vbRed, buf);
    }
    sprintf(asdf, "\nClientToken == %u\nServerToken == %u\nmpqName == %s\nChecksumFormula == %s\nCDKey == %s\nProductValue == %d\nPublicValue == %d\n"
            "PrivateValue == %d\nKeyHash == %s\nChecksum == %d\nexeVersion == %d\nexeInfo == %s",
            ClientToken, ServerToken, mpqName, ChecksumFormula, bot.cdkey, ProductValue,
            PublicValue, PrivateValue, KeyHash, Checksum, exeVersion, exeInfo);
    AddChat(vbCyan, asdf);
    Send0x51();
}
[/code]
amirite?

[Edit: broke up code statement to avoid breaking the table.]
August 2, 2007, 3:37 AM
Kp
brew: you are leaking memory.  You are also using unchecked buffer operations, in some cases with the buffer input derived from a clearly untrustworthy source.  You should fix both of those before you continue debugging the actual problem.
August 2, 2007, 5:28 AM
BreW
Okay so i added the following to the end of it
[code]
i ^= i;
while (i < 5) {
    free(files[i]);
    i++;
}
[/code]
That should fix the memory leak, now what?? :(
and what do you mean by unchecked buffer operations, just not setting the array to 0 before using it?
I figured that'd be fine, as you can see i use strcat and strcpy so on (which tacks on the null char for you). So what's wrong with that? And what is the actual problem anyways?
August 2, 2007, 1:57 PM
Yegg
What is the purpose of i ^= i? Why not just i = 0?
August 2, 2007, 3:42 PM
BreW
[quote author=Yegg link=topic=16910.msg171341#msg171341 date=1186069364]
What is the purpose of i ^= i? Why not just i = 0?
[/quote]
Because it's more efficient than MOV (takes 7 less cpu cycles) and it doesn't have to store a constant value of 0.
August 2, 2007, 6:13 PM
Yegg
That depends on the compiler you're using. I created some binary files from a simple C source I just wrote:

[code]int main () {
    int i;

    i ^= i;
}[/code]

produces

[code]00000000  8D4C2404          lea ecx,[esp+0x4]
00000004  83E4F0            and esp,byte -0x10
00000007  FF71FC            push dword [ecx-0x4]
0000000A  55                push ebp
0000000B  89E5              mov ebp,esp
0000000D  51                push ecx
0000000E  83EC10            sub esp,byte +0x10
00000011  C745F800000000    mov dword [ebp-0x8],0x0
00000018  83C410            add esp,byte +0x10
0000001B  59                pop ecx
0000001C  5D                pop ebp
0000001D  8D61FC            lea esp,[ecx-0x4]
00000020  C3                ret[/code]

and

[code]int main () {
    int i;

    i = 0;
}[/code]

produces

[code]00000000  8D4C2404          lea ecx,[esp+0x4]
00000004  83E4F0            and esp,byte -0x10
00000007  FF71FC            push dword [ecx-0x4]
0000000A  55                push ebp
0000000B  89E5              mov ebp,esp
0000000D  51                push ecx
0000000E  83EC10            sub esp,byte +0x10
00000011  C745F800000000    mov dword [ebp-0x8],0x0
00000018  83C410            add esp,byte +0x10
0000001B  59                pop ecx
0000001C  5D                pop ebp
0000001D  8D61FC            lea esp,[ecx-0x4]
00000020  C3                ret[/code]

You'll notice the two are identical. Perhaps there is some optimization argument gcc should be given?
August 2, 2007, 6:42 PM
BreW
Wow, that's pretty gay. Some optimization that is. From now on i'm going to turn off optimizations for Visual C++. Is this a good idea?
August 2, 2007, 6:48 PM
Yegg
I don't know much about Visual C++. It sounds like a good idea to keep the optimizations on unless you're a pretty advanced guru with the language and software.
August 2, 2007, 6:52 PM
iago
Optimizing C code like that is almost always stupid. If you're going to do that, you might as well start expanding your loops out.

Seriously, let the compiler/optimizer do what it's good for.
August 2, 2007, 7:45 PM
Antarctica
Anything that will work for vb6?
August 2, 2007, 8:14 PM
UserLoser
[quote author=iago link=topic=16910.msg171348#msg171348 date=1186083930]
Optimizing C code like that is almost always stupid. If you're going to do that, you might as well start expanding your loops out.

Seriously, let the compiler/optimizer do what it's good for.
[/quote]
August 2, 2007, 10:53 PM
Newby
[quote author=brew link=topic=16910.msg171344#msg171344 date=1186080522]
Wow, that's pretty gay. Some optimization that is. From now on i'm going to turn off optimizations for Visual C++. Is this a good idea?
[/quote]

You motherfucker, I thought I had posted today because I use this avatar in other places. You confused me you bastard.
August 2, 2007, 11:18 PM
BreW
[quote author=Newby link=topic=16910.msg171352#msg171352 date=1186096711]
[quote author=brew link=topic=16910.msg171344#msg171344 date=1186080522]
Wow, that's pretty gay. Some optimization that is. From now on i'm going to turn off optimizations for Visual C++. Is this a good idea?
[/quote]
You motherfucker, I thought I had posted today because I use this avatar in other places. You confused me you bastard.
[/quote]
....huh...?

[quote]
Seriously, let the compiler/optimizer do what it's good for.
[/quote]
I say it's not doing its job well enough.
August 3, 2007, 12:07 AM
l2k-Shadow
How come you're using while (i < 5) i thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
August 3, 2007, 12:16 AM
Yegg
[quote author=l2k-Shadow link=topic=16910.msg171354#msg171354 date=1186100167]
How come you're using while (i < 5) i thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
[/quote]

Don't always just "let the compiler do the work".  It's educational to learn how certain parts of the compiler are actually done. brew, don't expect that those kinds of small details will improve your applications at all, because typically they won't, but it's still fun to learn little things like that. Look more into it.
August 3, 2007, 1:29 AM
raylu
[quote author=l2k-Shadow link=topic=16910.msg171354#msg171354 date=1186100167]
How come you're using while (i < 5) i thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
[/quote]
Of course! There is no middleground between pure ASM and...well, every time I think I've seen the worst solution possible, I learn something new...but you get the point.
August 3, 2007, 1:47 AM
BreW
[quote author=raylu link=topic=16910.msg171358#msg171358 date=1186105624]
[quote author=l2k-Shadow link=topic=16910.msg171354#msg171354 date=1186100167]
How come you're using while (i < 5) i thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
[/quote]
Of course! There is no middleground between pure ASM and...well, every time I think I've seen the worst solution possible, I learn something new...but you get the point.
[/quote]
eh... MASM
I don't feel very leet coding in C...
But now when I go back to finish a project in VB i'm totally disgusted at how dumbed down it is.
August 3, 2007, 2:36 AM
Kp
That assembly looks grossly unoptimized.  I could have done that in two instructions:[code]
xor eax, eax
ret[/code]

brew: considering how concerned you are about manual optimization, I find it a little surprising you have not even considered security.  Read up about buffer overflows, look at how many patches Microsoft has to issue because their programmers do not understand buffer overflows, then look at your code again.  If you still think it is OK, then I will pick it apart and explain what is wrong.
August 3, 2007, 3:44 AM
iago
[quote author=Yegg link=topic=16910.msg171357#msg171357 date=1186104567]
Don't always just "let the compiler do the work".  It's educational to learn how certain parts of the compiler are actually done. brew, don't expect that those kinds of small details will improve your applications at all, because typically they won't, but it's still fun to learn little things like that. Look more into it.
[/quote]
The problem is, if you make your code less readable but execute a fraction of no time faster, you lose. You're typically better off keeping your code readable rather than efficient.

That being said, efficient algorithms are important. If you bubblesort/insertionsort 100000000 items or quicksort/shellsort 100000000 items, it matters very little whether each instruction is fast or slow, the quicksort will always be faster. Algorithm choice is important in many cases.
August 3, 2007, 4:40 AM
BreW
[quote author=Kp link=topic=16910.msg171361#msg171361 date=1186112645]
brew: considering how concerned you are about manual optimization, I find it a little surprising you have not even considered security.  Read up about buffer overflows, look at how many patches Microsoft has to issue because their programmers do not understand buffer overflows, then look at your code again.  If you still think it is OK, then I will pick it apart and explain what is wrong.
[/quote]

To be completely honest, I don't see anything wrong with that code. Maybe it is insecure, but honestly who cares. Not like everybody's going to be using it anyways. Anyways, I can't really think of a problem with that code. Please clue me in :9
August 3, 2007, 3:33 PM
Kp
[quote author=brew link=topic=16910.msg171373#msg171373 date=1186155231]
To be completely honest, I don't see anything wrong with that code. Maybe it is insecure, but honestly who cares. Not like everybody's going to be using it anyways. Anyways, I can't really think of a problem with that code. Please clue me in :9
[/quote]

You should care, as should anyone who runs it or uses it as an example.
[list]
[li]None of your string copies are checked in any way, so if any of the inputs are too long, you will copy past the end of the allocated buffer.  Once you have a buffer overrun, various things can happen.  Since you are using an antiquated compiler without support for SSP, a buffer overrun can lead to arbitrary code execution.  In this case, some of your inputs are clearly derived from data furnished by the server.  Based on your responses thus far, I will assume that you do not have parameter checking code elsewhere.  If that assumption is correct, then any server you connect to, whether battle.net or some rogue third-party BNCS emulation server, could take control of your program just by sending you a specially crafted packet.  Once this happens, the attacker can do anything your user account can do.[/li]
[li]You are using sprintf, rather than snprintf.  This is another form of unchecked string transfer.[/li]
[li]Your subscript operation on mpqName assumes the MPQ name will be at least four elements long.  If it is less, you will overwrite part of the variable which precedes mpqName in memory.[/li]
[li]You are allocating from the heap for a fixed number of fixed size small buffers.  Why bother?  If the allocations are predictable and small, put them on the stack to simplify the logic.[/li]
[li]Your code is not const-correct.  The variable 'data' is never written to, but is not marked as const.[/li]
[li]Your code is not Unicode-correct.  You are using the TCHAR form of GetCurrentDirectory, but the argument is a char.  You should use GetCurrentDirectoryA.[/li]
[/list]

Never assume that external input can be trusted to be correct.  Always validate it, even if you think it will come from a source that would not have an interest in breaking your program.  Expect that eventually, you will make a mistake.  Design your code to minimize the opportunity to make dangerous mistakes.  For instance, even though an input is coming from a function which already validated it, you should still use a checked copy.  Then, if you someday add a path where the input can come in without being validated, the checked copy will still catch an attack.
August 4, 2007, 5:48 AM
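The checks Kp lists above, applied to the field extraction of the posted Parse0x50, as an added example that is not code from the thread: the packet offsets (token at 8, strings from 24) and the 32/64-byte buffer sizes come from the posted code, while parse_auth_info, copy_cstr_checked, the struct name and the sample packet bodies are hypothetical and constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the thread's code: a bounds-checked version of the field
 * extraction in the posted Parse0x50. The offsets (token at 8, strings from 24)
 * and buffer sizes follow the posted code; names and sample data are made up. */

struct auth_info {
    uint32_t server_token;
    char mpq_name[32];
    char formula[64];
    char dll_name[32];  /* mpq name with its 4-byte extension replaced by ".dll" */
};

/* Checked stand-in for strcpy(dst, p): the string must be NUL-terminated inside
 * [p, end) and fit in dst (capacity cap). Returns bytes consumed including the
 * NUL, or 0 to reject (no terminator in range, or destination too small). */
static size_t copy_cstr_checked(char *dst, size_t cap,
                                const unsigned char *p, const unsigned char *end)
{
    size_t avail = (size_t)(end - p);
    const unsigned char *nul = memchr(p, 0, avail);  /* never reads past end */
    size_t len;
    if (nul == NULL) return 0;
    len = (size_t)(nul - p);
    if (len + 1 > cap) return 0;
    memcpy(dst, p, len + 1);
    return len + 1;
}

/* Parse a 0x50 body of data_len bytes. Returns 0 on success, a negative code on
 * malformed input. Every read is bounded by data_len and every copy by the
 * destination size, so an oversized field from the server is rejected, not copied. */
int parse_auth_info(const unsigned char *data, size_t data_len, struct auth_info *out)
{
    const unsigned char *end = data + data_len;
    size_t n, mpq_len;
    int r;
    if (data_len < 25) return -1;  /* room for the token and at least a NUL at 24 */
    /* DWORD at offset 8, assembled bytewise so the result does not depend on host order. */
    out->server_token = (uint32_t)data[8] | (uint32_t)data[9] << 8 |
                        (uint32_t)data[10] << 16 | (uint32_t)data[11] << 24;

    n = copy_cstr_checked(out->mpq_name, sizeof out->mpq_name, data + 24, end);
    if (n == 0) return -2;
    n = copy_cstr_checked(out->formula, sizeof out->formula, data + 24 + n, end);
    if (n == 0) return -3;

    /* The posted code does mpqName[strlen(mpqName) - 4] = 0 unconditionally; with a
     * name shorter than 4 bytes the index wraps and the write lands before the array. */
    mpq_len = strlen(out->mpq_name);
    if (mpq_len < 4) return -4;
    /* snprintf instead of strcat: output that would not fit is reported, not overrun. */
    r = snprintf(out->dll_name, sizeof out->dll_name, "%.*s.dll",
                 (int)(mpq_len - 4), out->mpq_name);
    if (r < 0 || (size_t)r >= sizeof out->dll_name) return -5;
    return 0;
}

/* Constructed sample bodies (not captured packets): 24 bytes of leading fields
 * with token 0x12345678 at offset 8, then the two strings. which selects a variant:
 * 0 well-formed, 1 name cut off without a NUL, 2 name too short, 3 formula too long. */
int parse_sample(int which, struct auth_info *out)
{
    unsigned char pkt[160];
    size_t len = 24;
    const char *mpq = "lockdown-IX86-00.mpq";   /* constructed name */
    const char *formula = "example-formula";     /* constructed, not a real formula */
    memset(pkt, 0, sizeof pkt);
    pkt[8] = 0x78; pkt[9] = 0x56; pkt[10] = 0x34; pkt[11] = 0x12;
    if (which == 2) mpq = "a.b";
    if (which == 3) formula = "this constructed formula is longer than the sixty-four byte buffer it targets";
    memcpy(pkt + len, mpq, strlen(mpq) + 1);          len += strlen(mpq) + 1;
    memcpy(pkt + len, formula, strlen(formula) + 1);  len += strlen(formula) + 1;
    if (which == 1) len = 24 + 5;  /* hand the parser only "lockd": no terminator in range */
    return parse_auth_info(pkt, len, out);
}

/* Scalar accessors so each outcome can be checked as a return value. */
int sample_result(int which) { struct auth_info ai; return parse_sample(which, &ai); }
uint32_t sample_token(void) { struct auth_info ai; parse_sample(0, &ai); return ai.server_token; }
int sample_dll_is(const char *e) { struct auth_info ai; return parse_sample(0, &ai) == 0 && strcmp(ai.dll_name, e) == 0; }
```

Each rejected variant maps to one of Kp's points: the cut-off name and the oversized formula are the unchecked strcpy cases, and the three-byte name is the mpqName subscript that would write before the array.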
BreW
How would I access the "NX" or "XD" features of a CPU? That way, if i did have a buffer overrun, it wouldn't do anything harmful except overwrite a variable (maybe)? And what about DEP?
[quote]
Your code is not const-correct.  The variable 'data' is never written to, but is not marked as const.
[/quote]
What is the benefit of marking a variable as a const, anyways?

Also wouldn't a buffer overflow just (usually) result in an unhandled memory access violation exception?
August 4, 2007, 3:58 PM
Yegg
If you mark a variable as const, the compiler won't let you modify it, thus keeping you from modifying variables that you didn't intend on modifying.
August 4, 2007, 4:50 PM
Newby
[quote author=brew link=topic=16910.msg171392#msg171392 date=1186243116]
Also wouldn't a buffer overflow just (usually) result in an unhandled memory access violation exception?
[/quote]

No... if the payload is constructed properly it could do so much more.
August 4, 2007, 5:49 PM
warz
Depending what it overflows into, anyways.
August 4, 2007, 6:36 PM
iago
[quote author=brew link=topic=16910.msg171392#msg171392 date=1186243116]
How would I access the "NX" or "XD" features of a CPU? That way, if i did have a buffer overrun, it wouldn't do anything harmful except overwrite a variable (maybe)? And what about DEP?
[quote]
Your code is not const-correct.  The variable 'data' is never written to, but is not marked as const.
[/quote]
What is the benefit of marking a variable as a const, anyways?

Also wouldn't a buffer overflow just (usually) result in an unhandled memory access violation exception?
[/quote]

You should read the classic paper "Smashing the Stack for Fun and Profit" by Aleph1 (aka, Elias Levy, who works at Symantec :) ). It'll explain in gory details why that isn't necessarily true.
August 4, 2007, 8:06 PM
Yegg
You can get that paper by DJ_Ripper via IRC in #ebooks on irc.tehnet.org/6667.
August 4, 2007, 8:12 PM
Kp
[quote author=brew link=topic=16910.msg171392#msg171392 date=1186243116]
How would I access the "NX" or "XD" features of a CPU? That way, if i did have a buffer overrun, it wouldn't do anything harmful except overwrite a variable (maybe)? And what about DEP?
[/quote]

Your operating system is responsible for enabling the feature and configuring the hardware appropriately.  If I recall correctly, NX support is present in Windows XP SP2 and Windows Vista.  It is probably supported in some version of Windows Server 2003, but I do not know which Service Pack introduced it.  Even when DEP is on, Windows implements it in a way that is not that hard to bypass, which was necessary for compatibility with stupidly written copy prevention schemes.  Finally, even supposing that DEP cannot be bypassed, an attacker can still transfer control to any other point in your program.  Depending on the program, this could do any of a variety of bad things.

Think of DEP like the safety features on a car: good to have, will probably reduce the damage you sustain if you ever need it, but you are still better off just not needing it in the first place.
August 4, 2007, 8:37 PM