A Hacker's Tale (With a Human Side)

This is a hacking story from my University years. It ends with a nice bit about human qualities.

The University had several computer labs, most of them equipped with Unix workstations, a few with PCs. I would often be found in the PC lab, since I was already quite familiar with that kind of machine and operating system. It was the early nineties, and PCs back then were running MS-DOS. Networking was done by connecting them to Novell™ servers via coaxial Ethernet cable, which delivered a (decent, for that time) 10 megabits per second.

Each PC in the lab was running a network driver, which was making parts of the server's filesystem visible locally as DOS drives. These drives were available only at the filesystem level: if you bypassed the OS and invoked the BIOS to enumerate the physical hard disks on the system, they did not show up, because they did not physically exist.

Filesystem access to these drives was subject to security checks performed by the Novell™ server, which was running some proprietary Novell™ operating system, so the whole setup was fairly secure, and for even higher security, the server was kept locked in a cabinet, so nobody but the administrator had physical access to it. The administrator of the lab was Dr. "A", and he had appointed as co-administrator a fellow student and friend of mine, Bashir.

Back in those days, if you were a power user, (let alone a computer lab administrator,) you absolutely had to be using the Norton Utilities.

Screen capture of the main menu of the Norton Utilities; found on the interwebz.
Of course, most of these utilities required physical access to the disk, so it was impossible to use them on the server, but they could be used on workstations.  And they were indispensable, so Bashir had stored them on the server, in order to be able to access them from any workstation.

One day Bashir had to troubleshoot something on one of the workstations in the lab, so he connected to the server using his password, he launched the Norton Utilities from the server, and then I noticed that upon startup the utilities asked him for a password again.

I asked Bashir what is the deal with that second password, and he told me that Dr. "A" had protected the Norton Utilities with a password so as to prevent people from using them to destroy the server. I told him that this was absurd, because the utilities could not be used on a Novell™ server, and he told me that he had tried to explain that to Dr. "A", but he would not understand.

One of the following days I was at the computer lab very late, like 2 o'clock in the morning. I was there not because I had some assignment to complete, but because you know, if you are mad about programming, then the computer lab is where you are likely to be found late at night. The only other person in the lab at that time was Yoshi.  Me and Yoshi were the best students in the class. I could not exactly call him a friend, because he kind of kept a distance, but I did respect the fact that he was the most knowledgeable among the other students, and I hoped that he thought more or less the same about me.

I was thinking about the password of the Norton Utilities. What made that password especially interesting was that given the lax security practices of that early era, it was in all likelihood the same as the password of the administrator of the Novell™ server. So, I wondered where the password was stored. Since the Norton Utilities resided on the server, there was no storage medium available to them other than the server's filesystem, subject to the same security checks performed by the server on any user accessing the utilities, which meant that anyone who could run the Norton Utilities should also be able to read the password, if only one knew where it was kept.

I looked at the directory where the Norton Utilities were installed, but I could not find any file that looked like it may contain a password. I wondered whether they stored the password within the executable itself. I checked the time stamp of the executable, and sure enough, it was more than an hour later than the time stamp of the installation directory. This did not exactly prove anything, but it was a good indicator.

So, I rolled up my sleeves and got to work. I took out the floppy disk that I always carried with me, and launched Borland's Turbo Debugger from it.

Screenshot of Borland Turbo Debugger found on the interwebz, possibly the same version that I was using back then.
I loaded the Norton Utilities executable with the debugger, and let it run.  Once prompted for the password, I entered my name, and instead of hitting the Enter key I hit Ctrl+Break to switch to the debugger.  The debugger stopped deep inside the BIOS service which waits for the next keystroke.  I started single-stepping until I found a loop, I placed a breakpoint after the loop, and resumed the program, letting the BIOS run its loop. The Norton Utilities was now waiting for me to type the next key. I hit the Enter key, and I was back in the debugger, stopped at the breakpoint right after the loop. I now started single-stepping with the goal of returning from the BIOS back to the Norton Utilities. Once I was back, I continued single-stepping, hoping that the program would immediately proceed to do something with the password, but that did not seem to be happening. I was going over hundreds upon hundreds of instructions which I had no idea what they were doing, but one thing I could tell was that they were not dealing with my password in any way. I reasoned that since the Norton Utilities also had a text-mode Graphical User Interface, I was probably deep inside GUI code, which was launched from some application logic that was thousands, possibly even tens of thousands of instructions away. So, I decided to take a different approach.

I performed a global memory search for my name, and I found the place within the application's data segment where it had been stored. I placed a "memory access" breakpoint on that memory location, and I let the Norton Utilities resume execution. When it stopped, I was looking at the code that was about to check the password that I had entered against the administrator's password which was saved somewhere within the executable.  I started single-stepping again.

After not too many more instructions, I found a loop that was reading characters from my name, XORing each character with 01Ah, and storing it in a buffer. I knew that I was looking at my name being encrypted prior to being compared against the encrypted administrator's password. I single-stepped further, and sure enough, there was a loop that was comparing the contents of that buffer against the contents of some other, unknown buffer, which was in all certainty the encrypted administrator's password. The comparison failed at the very first character, so I was taken out of the loop and to the end of the function. I stepped out of the function, and I noticed that the caller was checking whether the AX register contained a zero or non-zero value. AX contained non-zero, so I changed it to zero, I resumed the program, and voila, I was running the Norton Utilities as if I was the administrator.

That was one of the most gratifying moments of my life.

The next step, of course, was to find out exactly what the administrator's password was.  "In a few minutes I will have the administrator's password", I said to Yoshi, who was completely unaware of what I had been doing all that time. Yoshi turned his head in my direction by maybe an inch, then he said "uh-uh," and turned back to his screen. Obviously, he highly doubted my claim.

I reloaded the Norton Utilities in Turbo Debugger, I repeated the same process until I reached the encryption routine, and took a note of its address. I allowed the routine to encrypt my name again, and proceeded to the comparison routine. Once I had the address of the buffer that contained the administrator's encrypted password, I instructed the debugger to invoke the encryption routine on it, reasoning that a simple XORing function will decrypt when reapplied, and this gave me the administrator's password in plain text.

"I have it!" I said to Yoshi.

That did get his attention.

He came over to see. I was so excited that I could not sit on my chair, I showed it to him while we were both standing in front of the computer. I relaunched the Norton Utilities, typed the magic letters, and I was in. Yoshi was impressed. He asked me how I did it, and I explained everything to him.

"I bet it is the same as the network administrator password", I said, and tried to log into the Novell™ server as admin using this password. Sure enough, I was in.

"It may even be the same as the personal password of Dr. "A"", I said.

I tried it, and yes, I was also in.

Yoshi had a huge grin in his face. He was really impressed.

And then, these amazing words came out of his mouth:

"Dude, I thought you were an asshole!"

I laughed, because I kind of knew why Yoshi was saying that.  Back then I was an arrogant bastard, I liked to show off my knowledge, and I lacked the interpersonal skills necessary to handle disagreements on technical matters in a civil manner, when I knew I was right and the other person was wrong. I probably even was snobbish at times, certainly not to Yoshi, but to others, and I suppose Yoshi had noticed.

I also laughed because of the sincerity with which Yoshi had said that, the purity of his intentions in saying it. Obviously, for Yoshi to say that to my face, there was not even a trace of a suspicion of me being an asshole anymore, that was all so left behind, it was as if it had never happened. I was totally not an asshole anymore.

I also laughed because I knew that hacking prowess does not really tell us anything as to whether someone is an asshole or not. I did not really deserve that much credit.  I kept that in mind for the rest of my life.

No comments:

Post a Comment