Screenshot of Borland Turbo Debugger found on the interwebz, possibly the same version that I was using back then.
This is a hacking story from my University years. It ends with a nice bit about human qualities.
Parts of this text are very deeply technical, to the point where they might only be understood by experienced programmers with deep low-level knowledge of how computers work. This is in a sense intentional: if you do not understand a sentence, it is because very advanced hacking stuff is happening.
A Hacker's Tale
The University had several computer labs, most of them equipped with Unix workstations, a few with PCs. I would often be found in the PC lab, since I was already quite familiar with that kind of machine and operating system. It was the early nineties, and PCs back then were running MS-DOS. Networking was done by connecting them to Novell™ servers via coaxial Ethernet cable, which delivered a (decent, for that time) 10 megabits per second.
Each PC in the lab was running a network driver, which was making parts of the server's filesystem visible locally as DOS drives. These drives were available only at the filesystem level: if you bypassed the OS and invoked the BIOS to enumerate the physical hard disks on the system, they did not show up, because they did not physically exist.
Filesystem access to these drives was subject to security checks performed by the Novell server, which was running some proprietary Novell operating system, so the whole setup was fairly secure, and for even higher security, the server was kept locked in a cabinet, so nobody but the administrator had physical access to it. The administrator of the lab was Dr. "A", and he had appointed as co-administrator a fellow student and friend of mine, Bashir.
Back in those days, if you were a power user (let alone a computer lab administrator), you absolutely had to be using the Norton Utilities.
Screen capture of the main menu of the Norton Utilities; found on the interwebz.
Of course, most of these utilities required physical access to the disk, so it was impossible to use them on the server, but they could be used on workstations, so Bashir had stored them on the server in order to be able to access them from any workstation.
One day Bashir had to troubleshoot something on one of the workstations in the lab, so he connected to the server using his password, he launched the Norton Utilities from the server, and then I noticed that upon startup the utilities asked him for a password again.
I asked Bashir what the deal was with that second password, and he told me that Dr. "A" had made use of a password-protection feature of the Norton Utilities so as to prevent people from using them to destroy the server. I told him that this was absurd, because the utilities could only be launched from the server, they could not be used against the server, and he told me that he had tried to explain that to Dr. "A", but he would not understand.
One of the following days I was at the computer lab very late, like 2 o'clock in the morning. I was there not because I had some assignment to complete, but because, you know, if you are mad about programming, then the computer lab is where you are likely to be found late at night. The only other person in the lab at that time was Yoshi. Yoshi and I were the best students in the class. I could not exactly call him a friend, because he kind of kept a distance, but I did respect the fact that he was the most knowledgeable among the other students, and I hoped that he thought more or less the same about me.
I was thinking about the password with which the Norton Utilities had been protected. I was thinking that in choosing to protect the Norton Utilities with a password, Dr. "A" may have inadvertently compromised the security of the server, because:
- Given the lax security practices of the era, the password that the Norton Utilities had been protected with was in all likelihood the same as the administrator's password for the Novell server.
- For as long as the password was kept only by the Novell server, it was fairly secure; however, the moment the password was given to the Norton Utilities, the safety of the password depended on how secure the Norton Utilities were.
- By nature, the Norton Utilities could not be anywhere near as secure as the server itself, because the Norton Utilities resided on the server's filesystem, so the only storage medium available to them for storing the password was that same filesystem, meaning that anyone who had sufficient access to launch the Norton Utilities (even if prevented, by password, from actually using them) also had access to the password, if only one knew how to find it.
I looked at the directory where the Norton Utilities were installed, but I could not find any file that looked like it may contain a password. I wondered whether the password was stored within the executable itself. Normally, nobody writes data into executables, but for very special purposes, such as password protection, one could conceivably do that. I checked the time-stamp of the executable, and sure enough, it was more than an hour later than the time-stamp of the installation directory. This did not exactly prove anything, but it was a very good indication that something had been written into the executable after installation took place.
So, I rolled up my sleeves and got to work. I took out the floppy disk that I always carried with me, and launched Borland's Turbo Debugger from it.
I loaded the Norton Utilities executable with the debugger, and I let it run. When it prompted me for the password, I entered my name instead. Then, I hit Ctrl+Break to switch to the debugger. The debugger stopped deep inside the BIOS service which waits for the next keystroke. I managed to single-step out of the BIOS service and into the Norton Utilities, and I continued single-stepping, hoping to see it doing something with the password that I had just entered, but that did not seem to be happening. I was going over hundreds upon hundreds of instructions whose purpose I could not make out, but one thing I could tell was that they were not dealing with passwords in any way. I reasoned that since the Norton Utilities had a text-mode Graphical User Interface, I was probably deep inside GUI code, which had been invoked from some application logic that was thousands, possibly even tens of thousands of instructions away. So, I decided to take a different approach.
I performed a global memory search for my name, and I found the place within the application's data segment where it had been stored after being read from the BIOS. I placed a "memory access" breakpoint on that memory location, and I let the Norton Utilities resume execution. When it stopped, I was finally looking at code that was about to do something with the password that I had entered. I started single-stepping again.
After not too many more instructions, I reached a loop that was reading characters from my name, XORing each character with 01Ah, essentially turning it into gibberish, and storing it in a buffer. I realized that I was looking at the user-entered password being encrypted prior to being compared against the encrypted administrator's password. I found it amusing that the Norton Utilities, one of the top commercial tools of that era, created by some of the brightest programmers around, was using one of the simplest imaginable and most woefully insecure encryption mechanisms, the letter-by-letter XOR method, for password encryption. I single-stepped further, and sure enough, there was a loop that was comparing the contents of that buffer against the contents of some other, unknown buffer, which also contained gibberish, and was in all certainty the encrypted administrator's password.
The comparison failed at the very first character, so I was taken out of the loop and to the end of the function. I stepped out of the function, and I noticed that the caller was checking whether the AX register contained a zero or non-zero value. This is usually the machine code that gets emitted by a compiler when you have an if-statement which invokes a boolean function and does one thing if the function returned `true`, or another thing if the function returned `false`. My guess was that the if-statement was something like `if comparison-succeeded then proceed-with-running else show-error-message`. Clearly, the comparison had not succeeded, and AX contained a non-zero value; so, I changed it to zero in order to pretend that the comparison had in fact succeeded. I knew there was no need to continue single-stepping anymore; I just resumed program execution from that point, and voilà, I was running the Norton Utilities as if I was the administrator.
That was one of the most gratifying moments of my life.
Of course, the next step was to find out exactly what the administrator's password was. "In a few minutes I will have the administrator's password", I said to Yoshi, who was completely unaware of what I had been doing all that time. Yoshi turned his head in my direction by barely an inch, said "uh-uh," and turned back to his screen. Obviously, he highly doubted my claim.
I reloaded the Norton Utilities in Turbo Debugger, repeated the same process until I reached the encryption routine, and took note of its address. I allowed the routine to encrypt my name again, and proceeded to the comparison routine. Once I had the address of the buffer that contained the administrator's encrypted password, I instructed the debugger to invoke the encryption routine on that buffer, reasoning that a simple XORing function would decrypt when reapplied. This turned the contents of the buffer from gibberish into plain text. I was looking at the administrator's password.
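The two routines described above, as an added illustration (not the Norton Utilities' code): a single-byte XOR "encryption" with the constant 01Ah the post mentions, the byte-by-byte comparison it fed, and why reapplying the routine recovers the stored value; beside it, for contrast, the salted one-way hash a tool should have stored instead. The sample password and the stored layout are constructed for the example.

```python
"""Single-byte XOR password check as described in the post, versus a
one-way hash. Key 0x1A follows the post; everything else is constructed."""
import hashlib
import hmac
import os

XOR_KEY = 0x1A  # the constant the post saw applied to every character


def xor_transform(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a fixed key. Since x ^ k ^ k == x, the same
    routine both 'encrypts' and 'decrypts': the stored bytes are the secret."""
    return bytes(b ^ key for b in data)


def xor_check(entered: bytes, stored_xored: bytes) -> bool:
    """The post's check: transform the typed password, then compare it
    byte-for-byte against the stored transformed buffer."""
    return xor_transform(entered) == stored_xored


def xor_recover(stored_xored: bytes) -> bytes:
    """What reapplying the routine to the stored buffer does: the plaintext
    falls out. Reading the file is enough; no password entry is involved."""
    return xor_transform(stored_xored)


# One-way alternative: salted, iterated hash. The stored value cannot be
# inverted, so reading it off the filesystem does not yield the password.
def hash_password(password: bytes, salt: bytes = b""):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)
    return salt, digest


def hash_check(entered: bytes, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", entered, salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    admin_pw = b"hunter2"  # constructed sample, not any real password
    stored = xor_transform(admin_pw)
    print("stored (XOR):", stored.hex(), "-> recovered:", xor_recover(stored))
    salt, digest = hash_password(admin_pw)
    print("stored (hash):", salt.hex(), digest.hex())
    print("hash check:", hash_check(admin_pw, salt, digest))
```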
"I have it!" I said to Yoshi.
That did get his attention.
He came over to see. I was so excited that I could not sit in my chair; I showed my feat to him while we were both standing in front of the computer. I relaunched the Norton Utilities, typed the magic letters, and I was in. Yoshi was impressed. He asked me how I did it, and I explained everything to him.
"I bet it is the same as the network administrator's password", I said, and tried to log into the Novell server as admin using this password. Sure enough, I was in.
"It may even be the same as the personal password of Dr. 'A'", I said.
I tried it, and yes, I was also in.
Yoshi had a huge grin on his face. He was really impressed.
And then, these amazing words came out of his mouth:
"Dude, I thought you were an asshole!"
I laughed, because I kind of knew why Yoshi was saying that. Back then I was an arrogant bastard, I liked to show off my knowledge, and I lacked the interpersonal skills necessary to handle disagreements on technical matters in a civil manner when I knew I was right and the other person was wrong. I probably was even snobbish at times, certainly not to Yoshi, but to others, and I suppose Yoshi had noticed.
I also laughed because of the sincerity with which Yoshi had said that, the purity of his intentions in saying it. Obviously, for Yoshi to say that to my face, there was not even a trace of a suspicion of me being an asshole anymore; it was not just left behind, it was as if it had never happened. I was totally not an asshole, period.
I also laughed because I knew that hacking prowess does not really tell us anything as to whether someone is an asshole or not. I thought that maybe I did not really deserve that much credit. I kept that in mind for the rest of my life.