I was thinking of a password type of program that would verify the password by making a jmp to some math equation depending of the password. If the password would be correct, the jmp would make it to the right place, but if it isn't, it would never make it. right now, it's: if password = ok jmp right_place else jmp not_ok endif My goal would be: address = password_to_math(password) jmp address I know it would probably mean to have perfect knowledge of the address and everything, but it probably wouldn't be easy to hack... Can it be done or is there some limits that can't be passed through in this?
Posted on 2001-03-06 12:19:00 by silas
Sure, very eazy in fact

; proto the jump (mayby use a better name  ;-)
GoodSN PROTO :DWORD, .... ,:DWORD

...

.code
  {compute jump from S/N}
  mov ecx, JumpAddrCalculation
  invoke GoodSN PTR , param1, ... , paramX
By using a proto, you allow invoke to be used. IF you don't proto it, you can still 'call ', but you need manually push the params.
Posted on 2001-03-06 12:51:00 by Ernie
Great! this means in theory that the program would be almost unhackable! but this also means that the program would crash if the person enters a wrong password... I'm probably not the first to try this up, is there something that could hack through this?
Posted on 2001-03-06 15:55:00 by Silas
hi, i thought about something like this: .constants possibleCRCrange = 0FFFFh ;CRC can be only a word jmp_op = 5 ;thats because a jmp op has 5 bytes preCRC = 0D00D*jmp_ok ;pointer for right pw entry .initialization - allocate memory (possibleCRCrange *jmp_op) - write possibleCRCrange jmp instuctions (all pointing to your exit routine) - rewrite jmp instruction at (preCRC*jmp_op) and let it point to your success prog .in your main prog - generate CRC(last word!) from the user password input - jump to CRC*jmp_op if the pw was wrong the program will abort if it was right it will continue. you have to calculate preCRC! just calculate the word CRC of your right password and multiply it with 5... cracking will be now very hard because the cracker have to understand how your program works... ok, he could probaly find your generated jump array and will see that there are all jmp ops point to one and the same loc - except the one that does not :( maybe you have some to fix this problem... bye. This message was edited by drcmda, on 3/7/2001 10:18:31 PM
Posted on 2001-03-07 22:17:00 by drcmda
Silas, Well, the bad news is you don't have a 1 in 4 billion chance of not being hacked... because the destination MUST lie in your source code. So for a 100K program, with an average instruction length of 4(I made '4 up, I have no idea what it really is) your chances of being hacked are 1 in 25,000. Mr Smart Cracker can hack that into a shorter list, especially if your GoodSN procedure uses a stack frame: He'll be looking for that. Then your chances of being hacked are 1 in (number of procs in your program). However, you know this, so you can lead him astray by NOT using a stack frame for that routine. Even better, make the GOOD address part of another procedure, so he can't see it unless he understands your program function intimately, and not by listing all the ret's. Everything can be hacked, period. The trick is to make Mister Smart Hacker bored before that happens.
Posted on 2001-03-08 14:43:00 by Ernie
I saw a program once that created a read/write section of memory and decoded the PROC there and then jumped to it - for every PROC in the program! By defining the PROLOGUE/EPILOGUE macro, you can create code that gets added to every PROC to calculate a CRC, or whatever. bitRAKE
Posted on 2001-03-08 15:09:00 by bitRAKE