View Full Version : A continued discussion on "ownage".


Woodmann
September 22nd, 2007, 21:00
Continued from here: http://www.woodmann.com/forum/showthread.php?t=10450

The reason why I have closed the other thread and started a new one here is quite obvious,
it went completely off topic.

I think the discussion in the other thread was quite useful, that is why I wish to continue
it here but with a small change.

What is "ownage" ?

A clean "virgin" .exe.
A functional dump.
A keygen.
A working crack/patch.
A serial.

Tell me what is "ownage" as it relates to different protections.
For example, you are not going to keygen Securom. So what makes "ownage"?
Is keygenning THE type of "ownage" in a "commercial" app like Quickbooks or Photoshop?
Is having a patch for those programs the same type of "ownage" ?

Tell me what you think "ownage" is.

Woodmann

LLXX
September 23rd, 2007, 03:37
Quote:
A clean "virgin" .exe.
"Ownage" in the context of a wrapper-based protection (e.g. packers)
Quote:
A functional dump.
"It works", can't say much more than that.
Quote:
A keygen.
Definitely.
Quote:
A working crack/patch.
"It works", not as good as Keygen.
Quote:
A serial.
Unless the program had a hardcoded serial, I'm more inclined to believe someone bought the app and distributed the serial he got. So...no.

evlncrn8
September 23rd, 2007, 03:45
I think it's easier to say 'ownage' is when the cracker/reverser understands all that's going on within the target, how the key is checked, how the serial is validated, how the dongle is communicated with, and uses that knowledge to remove the protection from the target.... in a clean way

fr33ke
September 23rd, 2007, 08:00
I would say it is ownage if you get the cleanest possible way to make a program act like a registered version. Here is my list, from best to worst:

1. Keygen
2. Serial (even though this does not always require much knowledge)
3. Keygen with patch for the public key (usually better than serials in the long run)
3. Virgin exe
4. Virgin exe patched a little bit to make it registered
...dumps increasingly different from virgin...
10. Inline patch for the packed file
...more increasingly unclean dumps...
20. Dump with half of the protector still present, 10x bigger than the original
...things that don't work properly...
...things that don't work at all...

nikolatesla20
September 23rd, 2007, 08:31
"Ownage" can be defined simply as this:


The ability to force the program to work how the cracker intended, and not as the program's author intended.


There need not be various levels.

-nt20

Shub-nigurrath
September 23rd, 2007, 12:03
Consider if the program is your Windows OS. When do you consider your system owned, for example by a virus? A virus, after all, and a cracker are the same thing: a medium through which a vulnerability is exploited, by hand or through an automaton (virus).

Is it enough to reverse a few important things of the system, or apply some brute forcing (like fuzzing) or reverse the system back to C? I agree with nikolatesla20, "ownage" is when you fool the program and convince it to act in an unforeseen way or reveal some private information. These two things are called tampering and spoofing. They are just two different ways to own, but it's owning anyway.

What we can discuss about is the elegance of the solution, some are more elegant some less, that is true.

So we can say: owning is when you "convince" the program to act as you want, removing DRMs, adding a menu or anything else that the author didn't want to happen. There might be different degrees (from the simplest, which we can name just patching, to a complete reversing or decompilation), but if you (the attacker) are able to reach your target, then you owned the program.

Before releasing, a developer must properly craft the application protection, assigning to the protection a policy (serial numbers, who will use it and so on) and a goal (against whom you want to be protected, for how long,..). To create a completely secure program (given that (s)he understood what secure means for his/her application), any developer should worry about any degree of owning which allows someone to break his protection goal and his/her foresight.

All the rest is more or less academic. As I said in the previous thread, RCE includes the word Engineering, which has an important characteristic: to apply the engineering method of solving problems, practical and direct. This is just the opposite of classical sciences, like physics or mathematics. It's no coincidence that reversers reversing cryptology (much more mathematical) are much more formal..

BR
Shub

Sab
September 23rd, 2007, 14:05
+1 to nictlo /shub

Owning your app is making it conform to your will. When it comes to various degrees of what is a better solution well that depends on an app to app basis. As an example:

Armadillo Keygen: Nice to do, but if the application is still wrapped, those who want to use the app while it is protected, even if keygenned, cannot run it with a debugger present, or it may be incompatible with other apps that detect the app itself as a debugger.

This is the case for almost any protection. So, really not much more to say. Some solutions are better than others depending on the situation at hand. There will usually be an argument for a better/cleaner solution, but when it comes to practicality, unless you have actually done the job it is much easier to speak and give useless opinions than to actually do and contribute.

Shub-nigurrath
September 23rd, 2007, 15:03
Security of an application is one of its functionalities. From the security point of view, a security flaw is a bug, and an exploit or a working crack is a bug too.
Consider this: you write an application that for some unknown reason hangs. You later discover that the reason for this hanging is a stupid user's behavior, or worse a conflict with some strange application the user installed, or whatever strange reason. What do you think of this bug, how elegant it is, or do you just consider solving it? If the bad user's behavior provoked it, would you simply blame the user, or is it you that failed to create a running program?
For the security of programs it is exactly the same: if your application can be cracked (whatever method they used, even rolling dice), you failed in your attempt to protect it.
Fortunately there are kids/reversers doing the work for the developers, allowing them to find their poor mistakes, finding non-canonical ways to break their protections.

What happened with our srom stuff is just this; now we see what the next srom will do to improve ..

Woodmann
September 23rd, 2007, 21:17
Howdy,

In my most humble opinion, "owned" means any program/game/whatever
that you can make work no matter how you make it run.

I don't think it can be explained any easier than this.

Further thoughts from y'all?

Woodmann

rendari
September 23rd, 2007, 22:34
Well, I tend to think of it this way:

Imagine some game with sick ass protection, I'm talking about 10 different VMs each emulating routines with thousands of commands, each VM coded by a different team of coders, authenticating on a server and executing code remotely, some sick ass 2 g crypto that makes a hoe wanna cry and all that other shit that makes any nerd wanna wet himself. Now imagine that some group took a year to rebuild the VM, hacked the server and got the code that was remotely executed, put the exe back together piece by piece, the most frustrating piece of work ever. And finally, they release an exe 99.9999999% identical to the one made by the devs.

The very next day some other group, with some bored 16 year old high school nerd as their lead cracker, finds a simple little boolean check that the protection devs forgot to remove, patches a JE -> a JNE and the protection authenticates no matter what. Then they release that crack.

Now that other group with all those insane crackers ODing on meth probably noticed this, but they chose to put a year into it anyways, to rebuild it anyways, for the challenge and to learn new things.

Now who here truly owned the protection? Because for both of them the end results are the same.

Maximus
September 24th, 2007, 03:59
Very funny discussion....

To shorten things up for you, the difference in the way you obtain a goal -supposing the result is more or less achieved- lies in the ethic (is it right to do so?) or the aesthetic (how nice is such work?).

Supposedly, the final goal of a crack is... a crack. Might work better, might not, but as long as it works with no major limitations, they are all equal.

They can only differ in the 'taste' each one can have, but only at the eyes of the 'experts'. The common joe won't know the difference, since they both work for him.

Aesthetic of RCE -mind you, this is what you are really discussing. Not about 'ownage' or not. As long as the application runs without DRM, protection authors are defeated. They might moan about the fact it has not been cracked the way they want but... from an operative (engineering) point of view, why take the long path when a short, almost equivalent one exists? It would be a total nonsense.
You can take a longer path for... surely not operative reasons, so?
--->ethic reasons
--->aesthetic reasons

eheh, I prefer the Tate's, but supposedly this kind of things hardly can fit a museum...

condzero
September 24th, 2007, 08:25
Hey Woody,

You forgot Loader (unless I missed somethin').

The developers can change a couple of lines of code in their protection, rendering the latest crack or tools useless and messing everything up from a cracker's perspective. I prefer the quick and dirty approach if possible, don't have time for elegance. How many ppl here have been told by their boss, "Gee, that program of yours is certainly elegant", rather than "Does the damn thing work!" or "Is the program finished yet!"?

You decide...

LLXX
September 24th, 2007, 14:22
Quote (originally posted by condzero):
You forgot Loader (unless I missed somethin').
A loader as in a separate executable, or added to the original executable? The former is absolutely hideous, amounts to giving someone a crutch instead of properly fixing his cracked femur. (If the loader just loads the file and makes several patches, then goes to the original code, why couldn't they just patch the file itself? Because of self-checking? This can be patched out too!)

The latter, not as appalling but once again, why not make the changes that the loader makes at runtime, only 'freeze' those changes in the static file?

To put all this into perspective, with the whole discussion on aesthetics and elegance: Would you rather buy a $2 generic plastic quartz watch or a $20,000 gold Rolex?

Sab
September 24th, 2007, 14:50
I dont wear a watch.

Shub-nigurrath
September 24th, 2007, 15:24
The advantage of loaders in my point of view is, leaving out all the technical things, that with a simple script you can delete all the loaders in a snap and have the original unaltered programs again.

potassium
September 24th, 2007, 15:44
As I see it, ownage is (as nikolatesla20 wrote) when the target program behaves like YOU want and NOT what the developer intended it to. Then there are 101 ways of getting there.

Also you could see it like this

keygen = ownage
loader = ownage
patch = ownage
processpatcher = ownage
lame script = ownage
unpacked exe = ownage
revirgined exe = ownage
and so on..

But! All these might be ordered by the degree of knowledge demanded to achieve each ownage. Also, as condzero wrote, I don't have time.. etc. Yeah, time is a factor to take into account too. Of course, if you want to waste one week to figure out a sick algorithm.. Sure, go ahead. But a one-byte patch will do the same "work" with a minute's work if you have templates ready for a patcher, for instance.

Also, you could incorporate elegance into a patcher as well. Instead of using CRC and static comparison, as most of the patchers do today, you could use a dynamic search pattern like: ok, I search for

MOV EAX, EBX
CMP [EAX],0000001h
JNE GO_TO_HELL_BAD_BOY
ETC
ETC

but the developer exchanged EAX and EBX or maybe they used other registers.. You get the point..

There is elegance in foreseeing what the developers are going to do next. And that is not so ugly.

just my two cents
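The register-tolerant search potassium describes above, as an added example that is not code from this thread: each byte carries a mask so that only the opcodes and addressing-mode bits of the MOV/CMP/JNE sequence are fixed, and a structural check then requires the CMP to test the register the MOV just wrote. It only locates the sequence; the same masked matching is what lets a detection signature for a known code sequence survive a rebuild that reallocates registers. The x86 byte strings below are constructed samples.

```python
# Added example, not from the thread: masked byte-pattern search for the
# "MOV reg, reg / CMP dword [reg], 1 / JNE short" sequence, tolerant of the
# registers the compiler picked. 32-bit x86 encodings; samples are constructed.
from typing import Optional

# One (value, mask) pair per byte: a byte matches when (byte & mask) == value.
# mov r/m32, r32      : 89 /r     ModRM mod=11 -> register-to-register
# cmp dword [r/m32], 1: 83 /7 ib  ModRM mod=00, reg=111, rm = base register
# jne rel8            : 75 cb
PATTERN = [
    (0x89, 0xFF),  # MOV opcode
    (0xC0, 0xC0),  # ModRM: only mod=11 is fixed; reg/rm fields are wildcards
    (0x83, 0xFF),  # CMP group-1 opcode with imm8
    (0x38, 0xF8),  # ModRM: mod=00 and reg=/7 fixed; rm field is a wildcard
    (0x01, 0xFF),  # immediate 1
    (0x75, 0xFF),  # JNE short
    (0x00, 0x00),  # rel8 displacement: wildcard
]

def masked_match(buf: bytes, pos: int) -> bool:
    """True if the masked pattern matches buf at offset pos."""
    if pos + len(PATTERN) > len(buf):
        return False
    return all((buf[pos + i] & m) == v for i, (v, m) in enumerate(PATTERN))

def find_check(buf: bytes) -> Optional[int]:
    """Offset of the first MOV/CMP/JNE sequence whose CMP tests the MOV's destination, else None."""
    for pos in range(len(buf)):
        if not masked_match(buf, pos):
            continue
        dst = buf[pos + 1] & 7   # rm field of MOV 89 /r is the destination register
        base = buf[pos + 3] & 7  # rm field of CMP under mod=00 is the base register
        # rm=100 needs a SIB byte and rm=101 means disp32 under mod=00, so neither
        # is a plain [reg]; also require the CMP to read the register MOV wrote.
        if base in (4, 5) or base != dst:
            continue
        return pos
    return None

def static_match(buf: bytes, needle: bytes) -> Optional[int]:
    """The CRC/static-comparison approach: exact bytes only."""
    idx = buf.find(needle)
    return idx if idx >= 0 else None

# Constructed samples: the sequence as posted, then two register variants.
ORIGINAL  = bytes.fromhex("90 89 D8 83 38 01 75 10 C3")  # mov eax,ebx; cmp [eax],1; jne
SWAPPED   = bytes.fromhex("90 89 C3 83 3B 01 75 10 C3")  # mov ebx,eax; cmp [ebx],1; jne
OTHER     = bytes.fromhex("55 89 D1 83 39 01 75 7F C3")  # mov ecx,edx; cmp [ecx],1; jne
UNRELATED = bytes.fromhex("90 89 D8 83 3B 01 75 10 C3")  # cmp tests ebx, not eax

if __name__ == "__main__":
    needle = ORIGINAL[1:8]
    for name, sample in (("original", ORIGINAL), ("swapped", SWAPPED), ("other", OTHER)):
        print(f"{name}: static={static_match(sample, needle)} masked={find_check(sample)}")
```

The static comparison finds only the original bytes, while the masked search locates all three register variants and rejects the sequence whose CMP reads a different register.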

naides
September 24th, 2007, 15:46
Quote (originally posted by LLXX):
To put all this into perspective, with the whole discussion on aesthetics and elegance: Would you rather buy a $2 generic plastic quartz watch or a $20,000 gold Rolex?

I currently wear the $2 plastic quartz.
If I had $20,000 to spare, I would take a long vacation in the Caribbean, buy the program I am trying to reverse, get a new computer, a catered dinner and another pitcher of margaritas when I get home, and by the way, buy the $2 watch anyway.

If you need to know all the nooks and crannies of a protection to such an extent that you could write the protection and/or the application from scratch, by all means do it, but this is an act of forward engineering, not reverse engineering; or, as they say in my old country, inventing the wheel, yet one more time. . .

blurcode
September 24th, 2007, 17:26
I'm not a computer, so i don't need a Timer

Woodmann
September 24th, 2007, 22:23
Howdy,

I wear both types of watches. The one I prefer is the cheap one that functions as I desire. YES, the elegant one is nice BUT, day in and day out I wear the cheap watch, the gets-the-job-done watch.

This is a most excellent discussion.

Let's change things again.

My question: If you were to release, what type would it be. IE; crack, keygen, et al;

I hope you all know what I am asking.

Woodmann

Shub-nigurrath
September 25th, 2007, 02:38
OT, I use pocket watches only.

'bout releasing .. it depends on the scene: for the 0day, the one I know better and possibly others didn't release yet.. for a tutorial probably the most elegant possible, but according to personal tastes and depending on the tutorial's audience. Tutorials might be for learning, for transferring already known things, or for broadcasting results not seen before. To do a good work in the first case you must explain everything and elegantly; in the second case the good work is the result itself, so a less elegant solution is acceptable too.

LLXX
September 25th, 2007, 03:59
It seems like not many of you are watch connoisseurs... but I'd go with the $20000 one, since I can afford it.
Quote (originally posted by Woodmann):
If you were to release, what type would it be. IE; crack, keygen, et al;
If it can be keygenned (i.e. accepts serial and key, standard "lock" type protection), then a keygen; otherwise, a patch.

However, writing a tutorial is a completely different matter altogether.

blurcode
September 25th, 2007, 06:56
Quote (originally posted by LLXX):
It seems like not many of you are watch connoisseurs... but I'd go with the $20000 one, since I can afford it.

At least when thieves kill you there will be a good reason

ET IN ARCADIA EGO

fr33ke
September 25th, 2007, 07:22
For me, what to release depends mostly on the time I am willing to spend on it. I simply try until I did it perfectly or until I get bored.

Unless it is an interesting protection, I usually stop after three days of not coming any further, and then the release is the best I have at that point.

Maximus
September 25th, 2007, 14:54
sigh, naides beat me to it
but mine is not even a watch, it's a Polar heart rate monitor I use for running

evlncrn8
September 25th, 2007, 23:17
Quote (originally posted by Woodmann):
My question: If you were to release, what type would it be. IE; crack, keygen, et al;


hmm truly depends on the target...

if it requires registration, then keygen sure (a clean keygen that is, not a keygen + some patch, like the winrar 'keygens')... also i think it ultimately depends on the protection.. like for example, if you know the protection on the target is very slow (heavy vm or whatever) and a performance increase could be gained by complete removal of the protection, then i'd also do that..

the answer i think truly depends on how much of a perfectionist you are

Arcane
October 4th, 2007, 06:16
I'd say if nobody had cracked the protection before .. there would be probs and the method used by ARTeam would be super .. and great as a first step to defeating SecuROM but COME on .. they didn't invent that method .. and it's been used for a long time (back on SecuROM 5? but I'm not so old)... if they indeed wanted to present something new .. they'd have taken the time to rebuild the code .. and find solutions that didn't involve dumping and attaching SecuROM back.. but just my opinion .. prolly not a popular one

Shub-nigurrath
October 4th, 2007, 07:58
hi mate,
we clearly stated that this is not new (well deroko method instead is original, actually), it simply has never been written down by anyone. 0dayz have the bad attitude to keep things for their own, we are not ^_^

Rachmaninoff
October 5th, 2007, 15:55
This thread is about the following:
Woodmann users registered between 2001 and 2003 think the ARTeam tutorial is NOT complete owning. Probably because it lacks some sort of aesthetic 'thingy'.

0day is a competition, therefore it would be a tactical mistake to share knowledge. - the strong words 'Complete owning' in combination with "hey don't give out our secrets" are causing the buzz.

For me complete owning is when you turn a protection inside out, or provide multiple ways of doing the same thing. I enjoyed the tutorial, probably the most advanced public tutorial ever written on CD-protections.

Best regards

Rachmaninoff
connoisseur and reverser

rendari
October 5th, 2007, 16:48
Quote:

probably the most advanced public tutorial ever written on CD-protections.


Actually I think credit for that should go to Peex for writing this monster:
http://www.woodmann.com/yates/cd/TSD27p.txt

LLXX
October 6th, 2007, 00:04
Quote (originally posted by rendari):
Actually I think credit for that should go to Peex for writing this monster:
http://www.woodmann.com/yates/cd/TSD27p.txt
Except that it's not in the standard language of the Internet

Rachmaninoff
October 6th, 2007, 07:36
There are probably a couple of good tutorials written in Chinese too.