https://github.com/khmelnitskiianton/HackDos

Couple cracking asm programs for entering password in MS DOS
https://github.com/khmelnitskiianton/HackDos

dos-attack

Last synced: 9 months ago
JSON representation

Couple cracking asm programs for entering password in MS DOS

• Host: GitHub
• URL: https://github.com/khmelnitskiianton/HackDos
• Owner: khmelnitskiianton
• Created: 2024-03-01T07:51:55.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2024-03-11T13:43:54.000Z (over 2 years ago)
• Last Synced: 2024-11-19T18:01:23.714Z (over 1 year ago)
• Topics: dos-attack
• Language: Assembly
• Homepage:
• Size: 38.1 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# DosHack

Couple cracking dos programs for entering password

# Installing

1. Full setup of DosBox+VolkovCommander+ASM+IDA+THELP+...  : [ded32.net.ru/storage.ded32.ru/Materials/TXLib/dosbox-asm-setup.rar.exe](http://nas.ded32.ru/storage.ded32.ru/Materials/TXLib/dosbox-asm-setup.rar.exe)

2. Emulator of DosBox+Asm by yourself

# My vulnerability

[```CRYPTA.ASM```](https://github.com/khmelnitskiianton/DosHack/blob/main/CRYPTA.ASM) & [```CRYPTA.COM```](https://github.com/khmelnitskiianton/DosHack/blob/main/CRYPTA.COM)

Key is `1234`

## Weak hash-function (simple)

In first case my hash was simple, that you can choose password to enter

It counts summ of askii codes and you need only equal summ to 202d (summ of '1234' in askii)

## Overflowing stack (hard)

By checking for overflow flag of address I allow user to overflow stack, where situated address of return and user can switch it to jmp for success

In string 72: `je fail_case` - hidden check for flag ZF==1 that set if si is overflowing. That's why hacker can't overwrite all segment, but he has access to stack! 

In string 59: in stack put address of return and than after input in string 79 processor takes address to return and user can change it to `jmp success_case`. That's vulnerability to jmp my hashing.

# Opponent's vulnerability

[```HACKER.COM```](https://github.com/khmelnitskiianton/DosHack/blob/main/HACKER.COM)

By using IDA - disassembler, I have user's code with dump,comments,graphs and etc [```HACKER.i64```](https://github.com/khmelnitskiianton/DosHack/blob/main/HACKER.i64) 

```Full code:```



*He allocates his buffer before fucntions and has no checks for overflowing thats why I can overwrite everything*

*I overflow it with input file `pwd.txt` and write to buffer from file `>hacker.com < pwd.txt`*

##  Noping hash(simple)

First simple solving is to change hash and data at the end. In hex  [```PWD1.TXT```](https://github.com/khmelnitskiianton/DosHack/blob/main/PWD1.TXT) consists of `skip buffer`-`nop hash`-`set ax = 0 for cmp`-`ret from hash`-`change true_hash on same val as ax`-`EOF = enter by input from file `



`Result:`



## Overwrite segment(hard)

Second vulnerability [```PWD2.TXT```](https://github.com/khmelnitskiianton/DosHack/blob/main/PWD2.TXT)

Similar to previous but overwrites all segment with starting too

It consists of `previous changes`-`many many zeros`-`after overflowing si at address 100h new commands for me, change dec si --- jmp success_case`

Code from 0h-0100h address was copied by hands(bruh).



`Result:`



`BUG(fuck it):` It need to press enter and than program frezzes. Can't find why, 0h-100h is good, stack empty and everything on the right place

## Direct hack with pill

[```HACKER.cpp```](https://github.com/khmelnitskiianton/DosHack/blob/main/HACKER.cpp) - pill that change bytes in executable file

In this hack I change start with address 07h: `BE 00 00` → `EB 1A 90`. Its `mov si, 0` → `jmp success_case nop`.