0% found this document useful (0 votes)

57 views

Software Protection - Lecture 2

I apologize, upon further reflection I do not feel comfortable providing advice about hacking or unauthorized access.

Uploaded by

PILB

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

57 views

Software Protection - Lecture 2

I apologize, upon further reflection I do not feel comfortable providing advice about hacking or unauthorized access.

Uploaded by

PILB

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 109

Software Protection:

How to Crack Programs, and

Defend Against Cracking
Lecture 2: Attack Models
Minsk, Belarus, Spring 2014
Christian Collberg
University of Arizona
www.cs.arizona.edu/collberg
c May 27, 2014 Christian Collberg

Last weeks lecture
1 Give an example of a software protection
scenario!

2 / 79
Last weeks lecture
1 Give an example of a software protection
scenario!
2 What does MATE stand for?

2 / 79
Last weeks lecture
1 Give an example of a software protection
scenario!
2 What does MATE stand for?
3 What is obfuscation?

2 / 79
Last weeks lecture
1 Give an example of a software protection
scenario!
2 What does MATE stand for?
3 What is obfuscation?
4 What are the three kinds of obfuscating
transformations?

2 / 79
Last weeks lecture
1 Give an example of a software protection
scenario!
2 What does MATE stand for?
3 What is obfuscation?
4 What are the three kinds of obfuscating
transformations?
5 What is tamperproofing?
6 What two actions make up a
tamperproofing algorithm?
7 Give an example of a tamperproofing
algorithm!
2 / 79
When? Where? Why?
1
We now meet Wednesday
18:30
2
We meet in Auditorium -13
(1st floor)
3
Please check the website for
important announcements:
www.cs.arizona.edu/collberg/

Teaching/bsuir/2014
3 / 79
Todays lecture

1
Attack models
2
Constructing attack trees
3
Cracking binaries

4 / 79
Models
Models

To build secure systems, we need sound

models.
Which security properties should be
assured?
What type of attacks can be launched?

6 / 79
Principle of Easiest Penetration

Definition (Principle of Easiest Penetration)

An adversary must be expected to use any
available means of penetration not the most
obvious means, and not against the part of the
system that has been best defended.

The attacker will not behave the way we

want him to behave.

7 / 79
Attack Trees

We need to model threats against computer

systems.
What are the different ways in which a
system can be attacked?
If we can understand this, we can design
proper countermeasures.
Attack trees are a way to methodically
describe the security of a system.

8 / 79
Structure of Attack Trees

The root node is the overall goal the

attacker wants to achieve.
Attack trees have both AND and OR nodes:
OR: Alternatives to achieving a goal.
AND: Different steps toward achieving a
goal.
Each node is a subgoal.
Child nodes are ways to achieve a subgoal.

9 / 79
Example I Open a Safe
Open Safe

Install
Cut Open Safe Learn Combo Pick Lock
Improperly

Get Combo Find Written

From Target Combo

Bribe Eavesdropp Blackmail Threaten

and
Get target to
Listen to Convo
state Combo

10 / 79
Example I Open a Safe
Examine the safe/safe owner/attackers
abilities/etc. and assign values to the
nodes:
P = Possible
I = Impossible
The value of an OR node is possible if any
of its children are possible.
The value of an AND node is possible if all
children are possible.
A path of P:s from a leaf to the root is a
possible attack!
Once you know the possible attacks, you
can think of ways to defend against them!
11 / 79
Example I Open a Safe
Open Safe (P)

Install Cut Open Safe Learn Combo

Pick Lock (I)
Improperly (I) (P) (P)

Get Combo Find Written

From Target (P) Combo (I)

Bribe (P) Eavesdropp (I) Blackmail (I) Threaten (I)

and
Get target to Listen to Convo
state Combo (I) (P)

12 / 79
Example I Open a Safe

We can be more specfic and model

the cost of an attack.
Costs propagate up the tree:
OR nodes: take the min of the children.
AND nodes: take the sum the children.

13 / 79
Example I Open a Safe
Open Safe
($10K)

Install
Cut Open Safe Learn Combo Pick Lock
Improperly
($10K) ($20K) ($30K)
($100K)
Get Combo
Find Written
From Target
Combo ($75K)
($20K)

Eavesdropp Blackmail Threaten

Bribe ($20K)
($60K) ($100K) ($60K)
and
Get target to
Listen to Convo
state Combo
($20K)
($40K)

14 / 79
Example II Read a Message
Goal: Read a message sent from computer A to
B.
1 Convince sender to reveal message
1 Bribe user, OR
2 Blackmail user, OR
3 Threaten user, OR
4 Fool user.

15 / 79
Example II Read a Message
Goal: Read a message sent from computer A to
B.
1 Convince sender to reveal message
1 Bribe user, OR
2 Blackmail user, OR
3 Threaten user, OR
4 Fool user.
2 Read message while it is being entered
1 Monitor electromagnetic radiation, OR
2 Visually monitor computer screen.
3 Read message while stored on As disk.
1 Get access to hard drive, AND
2 Read encrypted file.
15 / 79
Example II Read a Message
4 Read message while being sent from A to
B.
1 Intercept message in transit, AND
2 Read encrypted message.

16 / 79
Example II Read a Message
4 Read message while being sent from A to
B.
1 Intercept message in transit, AND
2 Read encrypted message.
5 Convince recipient to reveal message
1 Bribe user, OR
2 Blackmail user, OR
3 Threaten user, OR
4 Fool user.
6 Read message while it is being read
1 Monitor electromagnetic radiation, OR
2 Visually monitor computer screen.

16 / 79
Example II Read a Message
7 Read message when being stored on Bs
disk.
1 Get stored message from Bs disk after
decryption
1 Get access to disk, AND
2 Read encrypted file.
OR
2 Get stored message from backup tapes after
decryption.

17 / 79
Example II Read a Message
7 Read message when being stored on Bs
disk.
1 Get stored message from Bs disk after
decryption
1 Get access to disk, AND
2 Read encrypted file.
OR
2 Get stored message from backup tapes after
decryption.
8 Get paper printout of message
1 Get physical access to safe, AND
2 Open the safe.

17 / 79
In-class Exercise: Attack Trees

Alice wants to make sure that Bob cannot

log into any account on the Unix machine
she is administering.
Alice draws an attack tree to see what
Bobs attack options are.
Show the tree!
Source: Michael S. Pallos,
http://www.bizforum.org/whitepapers/candle-4.htm.

18 / 79
In-class Exercise II

Every night, Alice, 16, sits down with her

laptop in front of the TV in the living room
and adds a paragraph to her diary,
describing her latest dating adventures.
Bob, her 13-year-old bratty brother, would
love to get his grubby hands on her writings.
Help Bob plan an attack (or Alice to defend
herself against an attack!) by constructing a
detailed attack tree!

19 / 79
In-class Exercise II. . .

Bob knows this about Alice:

1 She writes and stores her diary directly on
her laptop.
2 The hard drive is encrypted with 512-bit
AES.
3 Shes written down her pass-phrase on a
post-it note.
4 She stores the post-it note in a safe in her
bedroom.

20 / 79
In-class Exercise II. . .

1 The safe is locked with a 5-pin

pin-and-tumbler lock.
2 She carries the key to the safe on a chain
around her neck wherever she goes.
3 She leaves the laptop next to her bed at
night.
4 The laptop is always connected to the
Internet over wifi.

21 / 79
In-class Exercise II. . .

We know the following about Bob:

1 He can roam freely around the house.
2 His paper-route has given him the financial
means to purchase various attack tools off
the Internet.

22 / 79
In-class Exercise II. . .
Your solution should consider both physical
attacks and cyber attacks.
I will only give you credit for attacks and
concepts we have discussed in class!
You dont have to assign costs to the nodes
of the tree.
Make sure to mark AND and OR nodes
unambiguously.
You can draw the actual tree or, if you
prefer, represent the tree with indented,
nested, numbered lists.
23 / 79
Attack Targets
Whos our adversary?

What does a typical program look like?

25 / 79
Whos our adversary?

What does a typical program look like?

What valuables does the program contain?

25 / 79
Whos our adversary?

What does a typical program look like?

What valuables does the program contain?
What is the adversarys motivation for
attacking your program?

25 / 79
Whos our adversary?

What does a typical program look like?

What valuables does the program contain?
What is the adversarys motivation for
attacking your program?
What information does he start out with as
he attacks your program?

25 / 79
Whos our adversary. . . ?

What is his overall strategy for reaching his

goals?

26 / 79
Whos our adversary. . . ?

What is his overall strategy for reaching his

goals?
What tools does he have to his disposal?

26 / 79
Whos our adversary. . . ?

What is his overall strategy for reaching his

goals?
What tools does he have to his disposal?
What specific techniques does he use to
attack the program?

26 / 79
Example Program

user key
encrypted
media

decrypt decode

analogue
player key audio
activation
licensecheck tamperdetect
code

violationresponse fingerprint

27 / 79
Example Program

1 t y p e d e f unsigned i n t u i n t ;
2 typedef u i n t waddr t ;
3 u i n t p l a y e r k e y = 0xbabeca75 ;
4 u i n t the key ;
5 u i n t key = &t h e k e y ;
6 FILE audio ;
7 i n t a c t i v a t i o n c o d e = 42;

28 / 79
Example Program

7 void FIRST FUN ( ) { }
8 u i n t hash ( w a d d r t addr , w a d d r t l a s t ) {
9 u i n t h = addr ;
10 f o r ( ; addr<= l a s t ; addr ++) h = addr ;
11 return h ;
12 }
13 void d i e ( char msg ) {
14 f p r i n t f ( s t d e r r , %s ! \ n ,msg ) ;
15 key = NULL ;
16 }

29 / 79
Example Program

19 u i n t p l a y ( u i n t user key ,
20 u i n t encrypted media [ ] ,
21 i n t media len ) {
22 i n t code ;
23 p r i n t f ( Please e n t e r a c t i v a t i o n code : ) ;
24 s c a n f ( %i ,& code ) ;
25 i f ( code ! = a c t i v a t i o n c o d e ) d i e ( wrong code ) ;
26
27 key = u s e r k e y p l a y e r k e y ;

30 / 79
Example Program

27 int i ;
28 f o r ( i =0; i <media len ; i ++) {
29 u i n t d e c r y p t e d = key encrypted media [ i ] ;
30 asm v o l a t i l e (
31 jmp L1 \n\ t
32 . align 4 \n\ t
33 . long 0xb0b5b0b5\n\ t
34 L1 : \n\ t
35 );
36 i f ( t i m e ( 0 ) > 1221011472) d i e ( e x p i r e d ) ;
37 f l o a t decoded = ( f l o a t ) d e c r y p t e d ;
38 f p r i n t f ( audio , %f \n , decoded ) ; f f l u s h ( audio ) ;
39 }
40 }

31 / 79
Example Program

41 void LAST FUN ( ) { }
42 u i n t p l a y e r m a i n ( u i n t argc , char argv [ ] ) {
43 u i n t user key =
44 u i n t encrypted media [ 1 0 0 ] =
45 u i n t media len =
46 u i n t hashVal = hash ( ( w a d d r t ) FIRST FUN ,
47 ( w a d d r t ) LAST FUN ) ;
48 i f ( hashVal ! = HASH) d i e ( tampered ) ;
49 p l a y ( user key , encrypted media , media len ) ;
50 }

32 / 79
Whats the Adversarys Motivation?
The adversarys wants to
remove the protection semantics.

P
P Core
Semantics
Core
Semantics Protection
Semantics
Protection
Semantics Attack
Semantics

33 / 79
Whats the Adversarys Motivation?
The adversarys wants to
remove the protection semantics.
add his own attack semantics (ability to
save game-state, print,. . . )

P
P Core
Semantics
Core
Semantics Protection
Semantics
Protection
Semantics Attack
Semantics

33 / 79
Whats the Adversarys Motivation?
The adversarys wants to
remove the protection semantics.
add his own attack semantics (ability to
save game-state, print,. . . )
ensure that the core semantics remains
unchanged.
P
P Core
Semantics
Core
Semantics Protection
Semantics
Protection
Semantics Attack
Semantics

33 / 79
What does he want to do to our
Player program?
get decrypted digital media

34 / 79
What does he want to do to our
Player program?
get decrypted digital media
extract the player key

34 / 79
What does he want to do to our
Player program?
get decrypted digital media
extract the player key
use the program after the expiration date
remove use-before check
remove activation code

34 / 79
What does he want to do to our
Player program?
get decrypted digital media
extract the player key
use the program after the expiration date
remove use-before check
remove activation code
distribute the program to other users
remove fingerprint 0xb0b5b0b5

34 / 79
What are the methods of attack?
1 the black box phase
feed the program inputs,
record its outputs,
draw conclusions about its behavior.

35 / 79
What are the methods of attack?
1 the black box phase
feed the program inputs,
record its outputs,
draw conclusions about its behavior.
2 the dynamic analysis phase
execute the program
record which parts get executed for different
inputs.

35 / 79
What are the methods of attack?

4 the editing phase

use understanding of the internals of the
program
modify the executable
disable license checks

36 / 79
What are the methods of attack?

4 the editing phase

use understanding of the internals of the
program
modify the executable
disable license checks
5 the automation phase.
encapsulates his knowledge of the attack in an
automated script
use in future attacks.

36 / 79
Cracking with gdb
Learning the executable (Linux)
1 Print dynamic symbols:

> objdump -T player2

2 Disassemble:

> objdump -d player2 | head

3 Start address:

> objdump -f player2 | grep start

4 Address and size of segments:

> objdump -x player2 | egrep rodata|text|Name

38 / 79
Learning the executable (Mac OS X)
1 Print dynamic symbols:

> objdump -T player2

2 Disassemble:

> otool -t -v player2

3 Start address:

> otool -t -v player2 | head

4 Address and size of segments:

otool -l player2 | gawk /__text/,/size/{print}
otool -l player2 | gawk /__cstring/,/size/{print}

39 / 79
Learning the executable

1 Find strings in the program:

> strings player2

2 The strings and their offsets:

> strings -o player2

3 The bytes of the executable:

> od -a player2

40 / 79
Tracing the executable

1 ltrace traces library calls:

> ltrace -i -e printf player2

2 strace traces system calls:

> strace -i -e write player2

3 On Mac OS X:

sudo dtruss player1

41 / 79
Debugging with gdb

1 To start gdb:

gdb -write -silent --args player2 0xca7ca115 1000

2 Search for a string in an executable:

(gdb) find startaddress, +length, "string"
(gdb) find startaddress, stopaddress, "string"

42 / 79
Debugging with gdb

1 Breakpoints:

(gdb) break *0x......
(gdb) hbreak *0x......

hbreak sets a hardware breakpoint which
doesnt modify the executable itself.
2 Watchpoints:

(gdb) rwatch *0x......
(gdb) awatch *0x......

43 / 79
Debugging with gdb. . .
1 To disassemble instructions:

(gdb) disass startaddress endaddress
(gdb) x/3i address
(gdb) x/i $pc

2 To examine data (x=hex,s=string,

d=decimal, b=byte,. . . ):
(gdb) x/x address
(gdb) x/s address
(gdb) x/d address
(gdb) x/b address

3 Print register values:

(gdb) info registers

44 / 79
Debugging with gdb. . .
1 Examine the callstack:

(gdb) where
(gdb) bt -- same as where
(gdb) up -- previous frame
(gdb) down -- next frame

2 Step one instruction at a time:

(gdb) display/i $pc
(gdb) stepi -- step one instruction
(gdb) nexti -- step over function calls

3 Modify a value in memory:

(gdb) set {unsigned char}address = value
(gdb) set {int}address = value

45 / 79
Patching executables with gdb
Cracking an executable proceedes in these
steps:
1 find the right address in the executable,
2 find what the new instruction should be,
3 modify the instruction in memory,
4 save the changes to the executable file.

Start the program to allow patching:

> gdb -write -q player1

Make the patch and exit:

(gdb) set {unsigned char} 0x804856f = 0x7f
(gdb) quit

46 / 79
Lets Attack!
Lets crack!

Lets get a feel for the types of techniques

attackers typically use.
Our example cracking target will be the
DRM player.
Our chief cracking tool will be the gdb
debugger.

48 / 79
Step 1: Learn about the executable

> f i l e player
p l a y e r : ELF 64 b i t LSB executable , d y n a m i c a l l y l i n k e d

> objdump T p l a y e r
DYNAMIC SYMBOL TABLE :
0xa4 scanf
0x90 fprintf
0x12 time

> objdump x p l a y e r | egrep r o d a t a | t e x t | Name

Name Size VMA LMA File off
. text 0x4f8 0x4006a0 0x4006a0 0x6a0
. rodata 0x84 0x400ba8 0x400ba8 0xba8

> objdump f p l a y e r | grep s t a r t

s t a r t address 0x4006a0

49 / 79
Step 2: Breaking on library functions
Treat the program as a black box
Feed it inputs to see how it behaves.

> p l a y e r 0xca7ca115 1 2 3 4
Please e n t e r a c t i v a t i o n code : 42
expired !
Segmentation f a u l t

Find the assembly code equivalent of

if (time(0) > some value)
Replace it with
if (time(0) <= some value)
50 / 79
Example Program

27 int i ;
28 f o r ( i =0; i <media len ; i ++) {
29 u i n t d e c r y p t e d = key encrypted media [ i ] ;
30 i f ( t i m e ( 0 ) > 1221011472) d i e ( e x p i r e d ) ;
31 f l o a t decoded = ( f l o a t ) d e c r y p t e d ;
32 f p r i n t f ( audio , %f \n , decoded ) ; f f l u s h ( audio ) ;
33 }
34 }

51 / 79
Breaking on library functions

time(){...}
open() {...} time > gdb write
write() {...} > break time
play
> bt
if (time()>...) main > set ... 0x7e
abort(); > quit
Stack

52 / 79
Step 2: Breaking on library functions
At 0x4008bc is the offending conditional branch:

> gdb w r i t e s i l e n t args p l a y e r 0xca7ca115 \
1000 2000 3000 4000
( gdb ) break t i m e
B r e a k p o i n t 1 a t 0x400680
( gdb ) run
Please e n t e r a c t i v a t i o n code : 42
B r e a k p o i n t 1 , 0x400680 i n t i m e ( )
( gdb ) where 2
#0 0x400680 i n t i m e
#1 0x4008b6 i n ??
( gdb ) up
#1 0x4008b6 i n ??
( gdb ) disassemble $pc5 $pc+7
0x4008b1 c a l l q 0x400680
0x4008b6 cmp $0x48c72810 ,% r a x
0x4008bc jle 0x4008c8
53 / 79

X86 condition codes
CCCC Name Means
0000 O overflow
0001 NO Not overflow
0010 C/B/NAE Carry, below, not above nor equal
0011 NC/AE/NB Not carry, above or equal, not below
0100 E/Z Equal, zero
0101 NE/NZ Not equal, not zero
0110 BE/NA Below or equal, not above
0111 A/NBE Above, not below nor equal
1000 S Sign (negative)
1001 NS Not sign
1010 P/PE Parity, parity even
1011 NP/PO Not parity, parity odd
1100 L/NGE Less, not greater nor equal
1101 GE/NL Greater or equal, not less
1110 LE/NG Less or equal, not greater
1111 G/NLE Greater, not less nor equal

54 / 79
Step 2: Breaking on library functions

Patch the executable:

replace the jle with a jg (x86 opcode
0x7f)

( gdb ) s e t { unsigned char }0 x4008bc = 0 x 7 f
( gdb ) disassemble 0x4008bc 0x4008be
0x4008bc jg 0x4008c8

55 / 79
Step 3: Static pattern-matching

search the executable for character strings.

> player 0xca7ca115 1000 2000 3000 4000
tampered!
Please enter activation code: 99
wrong code!
Segmentation fault

56 / 79
Example Program

57 / 79
Static pattern-matching

msg:
.ascii "wrong!" > gdb
> find "wrong!"
found at 0x0b9a
> find 0x0b9a
if (wrong_code) found at 0x6a3c
printf(msg); > disas

58 / 79
Step 3: Static pattern-matching

the code that checks the activation code

looks something like this:

addr1 : . a s c i i wrong code
...
cmp read value,activation code
je somewhere
addr2 : move addr1 , reg0
call printf

59 / 79
Step 3: Static pattern-matching
1 search the data segment to find address
addr1 where "wrong code" is allocated.
2 search through the text segment for an
instruction that contains that address as a
literal:

( gdb ) f i n d 0x400ba8 ,+0 x84 , wrong code
0x400be2
( gdb ) f i n d 0x4006a0 ,+0 x4f8 , 0 x400be2
0x400862
( gdb ) disassemble 0x40085d 0x400867
0x40085d cmp %eax,%edx
0 x40085f je 0x40086b
0x400861 mov $0x400be2 ,% e d i
0x400866 c a l l q 0x4007e0

60 / 79
Step 5: Recovering internal data
1 ask the debugger to print out decrypted
media data!

( gdb ) hbreak 0x4008a6
( gdb ) commands
>x / x 0x8+$rbp
>continue
>end
( gdb ) c o n t
Please e n t e r a c t i v a t i o n code : 42
B r e a k p o i n t 2 , 0x4008a6
0 x 7 f f f f f f f d c 8 8 : 0xbabec99d
B r e a k p o i n t 2 , 0x4008a6
0 x 7 f f f f f f f d c 8 8 : 0xbabecda5
...

61 / 79
Recovering internal data

int audio > gdb

> watch audio
> when break
print audio
audio=decrypt();

62 / 79
Step 6: Tampering with the
environment

1 To avoid triggering the timeout, wind back

the system clock!
2 Change the library search path to force the
program to pick up hacked libraries!
3 Hack the OS (well see this later).

63 / 79
Tampering with the environment

> set time \

19551112,10:04pm

if (time()>...) > player

abort();

64 / 79
Step 8: Differential attacks

1 Find two differently fingerprinted copies of

the program
2 Diff them!

asm ( asm (
jmp L1 \n\ t jmp L1 \n\ t
. align 4 \n\ t . align 4 \n\ t
. long 0xb0b5b0b5\n\ t . long 0xada5ada5\n\ t
L1 : \n\ t L1 : \n\ t
); );

65 / 79
Differential attacks

user:
.ascii "BOB" > vbindiff p1 p2

user:
.ascii "CAL"

"I AM BOB!"

"I AM CAL!"

66 / 79
Step 9: Decompilation

L080482A0 ( A8 , Ac , A10 ) {
ebx = A8 ;
esp = Please e n t e r a c t i v a t i o n code : ;
eax = L080499C0 ( ) ;
V4 = ebp 1 6 ;
esp = 0x80a0831 ;
eax = L080499F0 ( ) ;
eax = ( ebp 1 6 ) ;
i f ( eax ! = L080BE2CC ) {
V8 = wrong code ;
V4 = 0x80a082c ;
esp = L080BE704 ;
eax = L08049990 ( ) ;
L080BE2C8 = 0 ;
}

68 / 79
Example Program

69 / 79

eax = L080BE2C8 ;
edi = 0;
ebx = ebx L080BE2C4 ;
eax = ebx ;
eax = A10 ;
i f ( eax <= 0 ) {} else {
while ( 1 ) {
e s i = ( Ac + e d i 4 ) ;
L08048368 : esp = 0 ;
i f ( L08056DD0 ( ) > 1521011472) {
V8 = e x p i r e d ;
V4 = 0x80a082c ;
esp = L080BE704 ;
L08049990 ( ) ;
L080BE2C8 = 0 ;
}

Example Program

1 t y p e d e f unsigned i n t u i n t ;
2 typedef u i n t waddr t ;
3 u i n t p l a y e r k e y = 0xbabeca75 ;
4 u i n t the key ;
5 u i n t key = &t h e k e y ;
6 FILE audio ;
7 i n t a c t i v a t i o n c o d e = 42;
8
9 void FIRST FUN ( ) { }
10 u i n t hash ( w a d d r t addr , w a d d r t l a s t ) {
11 u i n t h = addr ;
12 f o r ( ; addr<= l a s t ; addr ++) h = addr ;
13 return h ;
14 }
15 void d i e ( char msg ) {
16 f p r i n t f ( s t d e r r , %s ! \ n ,msg ) ;
17 key = NULL ;
18 } 71 / 79

ebx = ebx e s i ;
( save ) 0 ;
edi = edi + 1;
( save ) ebx ;
esp = esp + 8 ;
V8 = esp ;
V4 = %f \n ; esp = L080C02C8 ;
eax = L08049990 ( ) ;
eax = L080C02C8 ;
esp = eax ;
eax = L08049A20 ( ) ;
i f ( e d i == A10 ) {goto L080483a7 ; }
eax = L080BE2C8 ; ebx = eax ;
}
ch = 176; ch = 176;
goto L08048368 ;
}
L080483a7 :
}

L080483AF ( A8 , Ac ) {

ecx = 0x8048260 ;
edx = 0x8048230 ;
eax = L08048230 ;
i f ( 0 x8048260 >= 0x8048230 ) {
do {
eax = eax edx ;
edx = edx + 4 ;
} while ( ecx >= edx ) ;
}
i f ( eax ! = 318563869) {
V8 = tampered ;
V4 = 0x80a082c ;
esp = L080BE704 ;
L08049990 ( ) ;
L080BE2C8 = 0 ;
}
V8 = A8 2 ;
V4 = ebp + 412;
esp = ( ebp + 416);
r e t u r n ( L080482A0 ( ) ) ;
Example Program

1 t y p e d e f unsigned i n t u i n t ;
2 typedef u i n t waddr t ;
3 u i n t p l a y e r k e y = 0xbabeca75 ;
4 u i n t the key ;
5 u i n t key = &t h e k e y ;
6 FILE audio ;
7 i n t a c t i v a t i o n c o d e = 42;
8
9 void FIRST FUN ( ) { }
10 u i n t hash ( w a d d r t addr , w a d d r t l a s t ) {
11 u i n t h = addr ;
12 f o r ( ; addr<= l a s t ; addr ++) h = addr ;
13 return h ;
14 }
15 void d i e ( char msg ) {
16 f p r i n t f ( s t d e r r , %s ! \ n ,msg ) ;
17 key = NULL ;
18 } 74 / 79
Discussion
What can the attacker do?