# Project 10 (Extracting Secrets)

## Objectives

In this lab you will learn about the fundamental difficulties in restricting what users can do with the data on their computers. You will also:

• Learn how any traditional content restriction mechanism can be easily circumvented.
• Learn how “protected” data can be easily extracted from any application.

## Overview

For many years, software companies have tried to restrict what users may do with the applications they buy. Often, these efforts have focused on preventing users from running applications on more than one computer. More recently, they've tried to restrict what users may do with data such as video, audio and even text.

In 1998, Congress passed the Digital Millennium Copyright Act. Among other things, it specifies that “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” The problem with this clause as it relates to computers is that, in their present state, no technological measure can effectively prevent a computer owner from accessing the data on his own machine!

## Requirements

• Download fortune_static, a statically linked Linux executable, and fortunes.enc, a file with encrypted content. When you run fortune_static, it will ask you for the “CD key,” a password designed to restrict access to the program. You will not be given a valid CD key.
• Use a debugger to bypass this password mechanism and make the program function normally. (Instead of exiting, it will print out a random quote from the file fortunes.enc.) This is done by modifying variables, registers, return addresses, etc. using the debugger. (See the ddd manual or gdb manual for help.)
• Now that you understand the code, open the executable in a hex editor (khexedit on the Linux machines) and modify the assembly code so that you can obtain a fortune every time you run the program. Perhaps any CD key that you enter will now work, for instance. You may be able to insert NOPs (0x90) to effectively crack the executable. Dr. Seamons was able to do this by modifying just one byte in the executable using vim as a hex editor. (vim works better for this than vi.) The result will be a new executable file that you can run to obtain a fortune.
• Find a way to obtain all of the plaintext fortunes from fortunes.enc using the debugger.

## Passoff

Generate a written PDF report for the lab that addresses the following items. Please number each item for clarity.

• How did you use the debugger to bypass the password mechanism? What variables were modified? Please include a screenshot of the debugger in the report.
• How did you edit the program to bypass the CD key mechanism?
• How did you obtain all the fortunes from the encrypted file?

Include the following in your report.

• Please include a plain text section containing the list of all fortunes from the fortunes.enc file.
• Please include a screenshot of the debugger that shows you were able to access the plain text fortunes in memory (in your report or a separate file).

## Tips

• To run the fortune file on the lab machines, be sure to set the “is executable” flag under the permissions tab in the file properties.
• To disassemble the fortune file while keeping the hex bytes of each instruction alongside its mnemonic, use the following command in the terminal:
    objdump -d fortune_static > dump.txt
This will disassemble the entire program and store the result in the file dump.txt.