Recently, I've had the opportunity to examine a massively cross-platform application that's compiled for Windows, Linux, OSX, HP-UX, Solaris, AIX, etc. I've been in the software world long enough to know that companies like to write code ONCE, then compile it on different platforms with a little platform-specific "shim" code, and then ship it. It makes PERFECT sense to do this, as you can have all your bugs fixed in a shared tree, and only have to fix them once. It's even BETTER when you can leverage this work with a protection vendor who offers a protection system that runs on all your target platforms, as it allows you to write your protection code only once.
But therein lies the problem. Various compilers on various OSes do things differently. For instance, the Mac compiler might leave in the debugging info and tell me that that random byte in program memory is really called "licenseObtained". And, once I know that, I can do an XREF on that memory location and find the two places it's written to. The first writes a "1" there and exits the function; the other writes a "0" there and drops to a function that displays a message box saying it was "unable to obtain a license". When this happens, it doesn't matter that the compilers on the other platforms removed this label. The cat is firmly out of the bag.
I heard that! You said "Big deal, you found a variable's name in one version of the application, how does that doom all the OTHER platforms?" Simple! The function that made the decision on the value to write to that memory location also read an environment variable that isn't read anywhere else in the code. So, you simply search for that string in memory, find where it's accessed, and that leads you back to the function. On ALL the platforms. Also, it helps when you don't strip your binaries, and I see that the function is named "LicenseCheck". In this case, you load the application into IDA, let it run for a while, and then tell it to GOTO "LicenseCheck", and there you are.
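A release-gate check for the two leaks described above, written here as an added example rather than anything from the post or the application it discusses: it does what `strings` does on each platform's build artifact and flags identifiers a protection scheme should not ship. The two build blobs, the symbol names and the environment variable name `MYAPP_LIC_SERVER` are constructed for the demonstration; note that stripping removes the symbol names but not the environment variable literal, which is exactly why one leak travels across platforms.

```python
"""Pre-release audit: flag protection-related identifiers left in build artifacts."""
import re
from typing import Dict, List, Set

# Printable ASCII runs of 4+ bytes, the same heuristic the `strings` tool applies.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Names a protection scheme would rather not reveal. The first alternatives cover
# symbol names such as "LicenseCheck"/"licenseObtained"; the last covers a
# hypothetical naming convention for licensing environment variables.
SENSITIVE_RE = re.compile(r"licen[cs]e|serial|activation|[A-Z][A-Z0-9_]*_LIC", re.I)


def extract_strings(blob: bytes) -> List[str]:
    """Return every printable run in the blob, like `strings` would."""
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(blob)]


def sensitive_strings(blob: bytes) -> Set[str]:
    """Strings in the blob that match the sensitive-identifier pattern."""
    return {s for s in extract_strings(blob) if SENSITIVE_RE.search(s)}


def audit_builds(builds: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Per-platform findings. A leak in any one build exposes the logic on all."""
    return {platform: sensitive_strings(blob) for platform, blob in builds.items()}


def release_ok(builds: Dict[str, bytes]) -> bool:
    """True only when no platform's artifact leaks anything."""
    return not any(audit_builds(builds).values())


# Constructed sample artifacts (not real binaries). The Mach-O-like build kept its
# debug symbols; the ELF-like build was stripped but still carries the env-var
# name, because it is a data literal the code reads, not a symbol.
MACOS_DEBUG_BUILD = (
    b"\xcf\xfa\xed\xfe\x00\x00licenseObtained\x00LicenseCheck\x00"
    b"MYAPP_LIC_SERVER\x00\x01\x02\x03"
)
LINUX_STRIPPED_BUILD = b"\x7fELF\x02\x01\x00\x00MYAPP_LIC_SERVER\x00\x90\x90\xc3"
BUILDS = {"macos": MACOS_DEBUG_BUILD, "linux": LINUX_STRIPPED_BUILD}

if __name__ == "__main__":
    for platform, found in audit_builds(BUILDS).items():
        print(f"{platform}: {sorted(found) or 'clean'}")
    print("release ok" if release_ok(BUILDS) else "release BLOCKED: identifiers leak")
```

In a real pipeline the same function would run over the actual artifacts of every platform before any of them ships, since the weakest build decides what is public.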
There are a MULTITUDE of protection failures on display in this application, but the application itself is a great tool. And, I will admit that it's completely possible that the authors don't care about these failures, as protection is there solely "to keep the honest people honest". I can respect that! As someone who has seen the nastiest protection circumvented easily, it makes sense to not spend a ton of time/money trying to protect your application, as really, protection isn't your core business, and a minority of your business customers would use a pirated version, so it's not WORTH it.
But, there you have it. The perils of sharing the same codebase on a multitude of platforms.
Friday, January 16, 2015