Psp3000 cracking principle-about Buffer Overflow

They have been amazed at how hackers use buffer overflow to intrude into and crack the system. Just like the image format virus that appeared on IE browser, this attack on PSP was completed with a TIFF Format Image. Because I love PSP, I decided to understand what happened here. How does a Magic Image crack the system?

Cache overflow. The learning name is memory overflow, which is actually out of memory. The results show that the program crashes and the system crashes. This is a common software programming bug. Why can this phenomenon be exploited by hackers?

After carefully reviewing the information, we found that the crash was caused by an incorrect (illegal) Command executed by the machine. Possible causes include: (1) invalid computing conditions, such as Division by zero errors; (2) Data addressing errors, such as crossing the border or data protected; (3) incorrect instruction addressing (similar to 2); (4) invalid or unidentifiable instruction; (5 ),...... And so on. Hackers pointed out that not all buffer overflow will cause a crash (crash), and not all crashes (CRASHES) are caused by (3) and (4. Most buffer overflow is not helpful for cracking. Only when buffer overflow occurs (3) and (4) Can the cracking be valuable. (Some people specialize in Cracking in other cases, but the process is too complicated, and it will always come down to 3 and 4 ). So let's take a closer look at what happened in 3 and 4 cases?

(3) It is easy to understand that in a 32-bit PC system, an error in the Cs: IP value leads to a cross-border error. This is generally because some commands in some functions modify the memory stack out of bounds, and the RET (or retf) Command gets an error CS: IP address when returning the address. These values are generally stored in [EBP]-4 (or [EBP]-8) and are easily modified. Access to any local variable may be modified out of bounds.

(4) It is not hard to understand. The problem is described in detail in the computer language of the Microcomputer principle. Simply put, an instruction is a binary number. A set of instructions supported by all CPUs is a binary number set. If an instruction (Binary Number) is not in this set, it is an invalid instruction. If so, of course it is a valid command. It is worth mentioning that the binary number of this command is the same as the binary number of data. That is to say, in some cases, data and commands can be converted to each other. Let's look at the assembly language command mov ax, 4c00h is equal to the binary number b8004c, mov sp, 16 is equal to bc1000. The binary b8004c is equal to the RGB (, 76) of the image pixel data, and bc1000 is equal to RGB (, 16, 0 ). In this way, there is a connection between commands and image data.

 

The following describes the buffer overflow cracking process.

1. Hackers must have a simulated environment to continuously monitor the status of each register of the CPU. In a PC system, it is your own computer. On psp, It is the psp1000 of the old model that has been cracked by brute force (usually by modifying hardware.

2. constantly try various system functions to find crashes.

3. analyze the status of each register of the CPU when the machine crashes (CRASHES) and find valuable clues (for example, a game requires entering the player name, but when the length exceeds a certain number, it will crash. A hacker found that when he entered his name as aaaaaaaa ...... (Repeated) when a machine crashes, the value of a register is a0a0a0a0. If it is bbbbbbbb ...... (Repeated), the register value is b0b0b0b0. This determines the impact of the input value on the register value .). In this attack, we studied a crash when pre-reading an image file in the image browser, and analyzed the relationship between the data values in the file and the register.

4. Study the register attributes obtained from 3. If it is a command Address Register (equivalent to CS: IP, or EBX in PC), congratulations. Close to victory, This is the above (3) and (4) situations. If not, continue to analyze the impact of this register on a command address register and find the connection between them. If there is no clue, you can only give up this step, starting from 2.

5. At this time, we can confirm that if an input data is X, a certain instruction address register will be changed to y. Y = f (x ).

6. compile a set of target commands (that is, the program you want to run, such as Hello World), convert the commands to binary data, and then import them to a specific region of a TIFF image file. And put the X value in a special position in the file.

7. Repeat the crash process. When a crash occurs, the instruction Address Register has changed to y as expected, and the data in the specific area of the image file has been imported into the memory. The value y points to the memory.

8. Next, the CPU executes their programs as the hacker expected. The cracking is complete.

 

Conclusion:

Hackers are also people, but they are smart and diligent.