Hacking SecureCRT Script Interfaces
Yes, you can call this a "crack" paper, but I prefer to call it a "hack". "Crack" means ripping the target open to find something you want; "hack" means looking around the target, using some method, and having fun. Of course cracking is one method of hacking :) The target is SecureCRT from VanDyke Software, version 4.0.7. I spent a week working on it. The method described below is NOT intended for other versions. OK, here come the details.
I. THEORY

1. The target

SecureCRT is a popular terminal program that connects to serial ports or to remote servers over telnet, SSH and so on, easily and with a lot of power. As a feature for advanced users it supports VBScript and JScript programs. But VanDyke did not provide an API for developers working in asm, C or C++. Our target is to expose that interface with a bit of work, so we can get more out of it than the weak script facility provides. Just for fun :)

2. Deep view

First of all we need some knowledge of how SecureCRT provides a script interface instead of an API. MSDN lists many ways to make a program scriptable. Load the exe into IDA Pro and some interesting strings turn up:

.data:004E2748 aScriptingErr_2 db 'Scripting error',0Dh,0Ah ; DATA XREF: sub_42BC80+7C8
.data:004E2748                 db 'AddNamedItem failed: 0x%x',0

Look up "AddNamedItem" in MSDN and we know the program uses the IActiveScript interface to export functions to scripts. The mechanism of the communication is as follows (see figure1.gif):
1) When a script is loaded from SecureCRT's "Script" menu, the program starts a thread and checks the first two lines of the script to make sure it is a SecureCRT script. Normally they are:

# $language = "VBScript"
# $interface = "1.0"

2) SecureCRT then starts the script engine and obtains the IActiveScript interface from it.

3) SecureCRT now registers the name "crt" with the engine using IActiveScript::AddNamedItem. The object behind that name is one SecureCRT already holds; the engine fetches it from the host when the script first uses it. Note that the IActiveScript object may already exist even when no script is loaded.

4) The script engine then parses and executes the script.

II. IMPLEMENTATION

1. Getting the interface

If you compare a SecureCRT script (a .vbs file, for example) with an ordinary VB script, you will see the difference: not only are the first two lines not accepted by an ordinary VBScript host, but neither is the object "crt". When we use an object in an ordinary VB script, the first step is to create it:

Set exl = CreateObject("Excel.Application")   ' get an Excel object

But in a SecureCRT script no object is created, and an object named "crt" appears as if it were a built-in VBScript object. This is because an ordinary VB script runs in a global environment, while SecureCRT scripts run in a specific environment where a predefined object "crt" really exists. And this is our target :) What is left is cracking details; with a disassembler and a debugger it is easy.

2. Using the interface

Finally we get here :) To use the interface we have to get into SecureCRT's process space, which is called "injection". The attached source code says it all; below are some notes.

1) Because the patch DLL modifies the code sequence (self-modifying code, SMC), the code section of SecureCRT.exe must be changed to READ|WRITE|EXECUTE, or you will meet a Windows exception (tm). And because the DLL code has to be called at least once, a function exported by the injection DLL is added to SecureCRT.exe's import section.

2) SecureCrt.c and SecureCrt.h in the source code are generated by MIDL, the IDL compiler provided by Microsoft. The IDL file comes from the typelib resource embedded in SecureCRT.exe. Because the IDL provides a dual interface, we can stay out of the mud of IDispatch (from an SDK point of view).

3) The function patch has to be static, because the code jump must point to a valid address.

4) The operation code (the GetInterface() function here) is called from inside a target function, so beware of the stack frame. (I spent one whole day in that mess.)

5) The script engine loads only after SecureCRT has found a valid script. Of course you can get the interface directly, but that is not the purpose of this paper.
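Step 1) of the mechanism in section I is the one part of this that can be exercised without SecureCRT: the host decides whether to start the script engine by looking at the two "# $..." directive lines. The following C is an added example written for this page, not code from the paper or from VanDyke. It applies the rule as the paper describes it; accepting either directive order, CRLF line endings and flexible whitespace is this example's own assumption, not documented SecureCRT behaviour, and the sample scripts in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example. What the first two lines of a SecureCRT script declare. */
typedef struct { char language[32]; char interface_ver[32]; } crt_header;

/* Parse one directive line of the form  # $key = "value"  (whitespace optional).
   Returns 1 and fills key/val on success, 0 on anything else. */
static int parse_directive(const char *s, size_t n, char *key, size_t klen, char *val, size_t vlen) {
    size_t i = 0, k = 0, v = 0;
    while (i < n && isspace((unsigned char)s[i])) i++;
    if (i >= n || s[i++] != '#') return 0;
    while (i < n && isspace((unsigned char)s[i])) i++;
    if (i >= n || s[i++] != '$') return 0;
    while (i < n && (isalnum((unsigned char)s[i]) || s[i] == '_')) {
        if (k + 1 >= klen) return 0;
        key[k++] = s[i++];
    }
    key[k] = 0;
    if (k == 0) return 0;
    while (i < n && isspace((unsigned char)s[i])) i++;
    if (i >= n || s[i++] != '=') return 0;
    while (i < n && isspace((unsigned char)s[i])) i++;
    if (i >= n || s[i++] != '"') return 0;
    while (i < n && s[i] != '"') {
        if (v + 1 >= vlen) return 0;
        val[v++] = s[i++];
    }
    val[v] = 0;
    if (i >= n) return 0;                           /* unterminated quote */
    for (i++; i < n; i++)                           /* only whitespace may follow */
        if (!isspace((unsigned char)s[i])) return 0;
    return 1;
}

/* The recognition rule from step 1): both $language and $interface must appear in the
   first two lines. Accepting either order and CRLF endings is this example's assumption.
   Returns 1 and fills hdr for a SecureCRT script, 0 if the engine would not be started. */
int is_securecrt_script(const char *script, crt_header *hdr) {
    int have_lang = 0, have_iface = 0;
    const char *p = script;
    for (int line = 0; line < 2; line++) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n && p[n - 1] == '\r') n--;
        char key[32], val[32];
        if (!parse_directive(p, n, key, sizeof key, val, sizeof val)) return 0;
        if (!strcmp(key, "language") && !have_lang) { strcpy(hdr->language, val); have_lang = 1; }
        else if (!strcmp(key, "interface") && !have_iface) { strcpy(hdr->interface_ver, val); have_iface = 1; }
        else return 0;                              /* unknown or duplicated directive */
        if (!eol) break;
        p = eol + 1;
    }
    return have_lang && have_iface;
}

int main(void) {
    /* Constructed inputs: a SecureCRT script header and an ordinary VBScript file. */
    const char *crt_script = "# $language = \"VBScript\"\n# $interface = \"1.0\"\n\nSub Main()\n  ' script body\nEnd Sub\n";
    const char *plain_vbs  = "Set exl = CreateObject(\"Excel.Application\")\nexl.Quit\n";
    crt_header h;
    printf("SecureCRT script: %d\n", is_securecrt_script(crt_script, &h));
    printf("plain VBScript:   %d\n", is_securecrt_script(plain_vbs, &h));
    return 0;
}
```

The rejections matter as much as the accept path: a file whose second line is ordinary code, an unterminated quote, a duplicated directive or trailing junk after the closing quote all return 0, which is the case where the engine never starts and the "crt" name is never registered.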
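Notes 1) and 2) above describe two changes to SecureCRT.exe on disk: the code section becomes writable as well as executable, and a new DLL appears in the import table. Both leave marks that anyone checking a patched binary (or a defender looking for this kind of tampering) can test for. The following C is an added example written for this page, not the paper's injection code or anything from VanDyke. It hand-codes the PE32 (32-bit) header offsets so it builds without windows.h, constructs a minimal PE32 image in memory with and without the two changes, and checks for them; the import name crtpatch.dll is a placeholder assumed for the sample, not the name of the paper's DLL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example. PE32 field offsets are hand-coded so this builds without windows.h. */
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_WRITE   0x80000000u
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validate the headers and return the section table, or NULL if the image is malformed. */
static const uint8_t *sections(const uint8_t *img, size_t len, unsigned *nsec, uint32_t *imp_rva) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return NULL;                 /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                      /* e_lfanew */
    if ((size_t)pe + 24 + 224 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    const uint8_t *coff = img + pe + 4, *opt = coff + 20;
    if (rd16(opt) != 0x10B) return NULL;                                 /* PE32 magic only */
    *nsec = rd16(coff + 2);
    *imp_rva = rd32(opt + 104);                                          /* DataDirectory[1]: imports */
    const uint8_t *sec = opt + rd16(coff + 16);                          /* + SizeOfOptionalHeader */
    return (size_t)(sec - img) + (size_t)*nsec * 40 > len ? NULL : sec;
}

/* Map an RVA to a file offset through the section table; SIZE_MAX if unmapped. */
static size_t rva_to_off(const uint8_t *sec, unsigned nsec, uint32_t rva) {
    for (unsigned i = 0; i < nsec; i++) {
        const uint8_t *s = sec + i * 40;
        uint32_t vsz = rd32(s + 8), va = rd32(s + 12), rsz = rd32(s + 16), raw = rd32(s + 20);
        if (rva >= va && rva < va + (vsz > rsz ? vsz : rsz)) return raw + (rva - va);
    }
    return SIZE_MAX;
}

/* Count sections flagged writable AND executable. A normal .text is R+X; the RWX .text that
   note 1) needs for its self-modifying code shows up here. Returns -1 if malformed. */
int count_wx_sections(const uint8_t *img, size_t len) {
    unsigned n; uint32_t imp; int wx = 0;
    const uint8_t *sec = sections(img, len, &n, &imp);
    if (!sec) return -1;
    for (unsigned i = 0; i < n; i++) {
        uint32_t ch = rd32(sec + i * 40 + 36);                           /* Characteristics */
        if ((ch & SCN_MEM_WRITE) && (ch & SCN_MEM_EXECUTE)) wx++;
    }
    return wx;
}

/* Walk the 20-byte import descriptors: 1 if `dll` is imported (case-insensitive), 0 if not,
   -1 if malformed. An added import is how note 1) gets the patch DLL loaded at all. */
int imports_dll(const uint8_t *img, size_t len, const char *dll) {
    unsigned n; uint32_t imp;
    const uint8_t *sec = sections(img, len, &n, &imp);
    if (!sec) return -1;
    if (imp == 0) return 0;                                              /* no import table */
    for (size_t off = rva_to_off(sec, n, imp); ; off += 20) {
        if (off == SIZE_MAX || off + 20 > len) return -1;
        uint32_t name_rva = rd32(img + off + 12);
        if (name_rva == 0 && rd32(img + off + 16) == 0) return 0;       /* all-zero terminator */
        size_t noff = rva_to_off(sec, n, name_rva), i = 0;
        if (noff == SIZE_MAX || noff >= len) return -1;
        while (noff + i < len && img[noff + i] && dll[i] &&
               tolower((unsigned char)img[noff + i]) == tolower((unsigned char)dll[i])) i++;
        if (noff + i < len && img[noff + i] == 0 && dll[i] == 0) return 1;
    }
}

/* Constructed sample: minimal PE32 with .text and .idata, optionally carrying the two changes
   from notes 1) and 2). "crtpatch.dll" is a placeholder name assumed for this example. */
size_t build_sample(uint8_t *buf, size_t cap, int patched) {
    const size_t len = 0x600;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x40); memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44, *opt = coff + 20, *sec = opt + 224;
    wr16(coff, 0x14C); wr16(coff + 2, 2); wr16(coff + 16, 224);         /* i386, 2 sections */
    wr16(opt, 0x10B); wr32(opt + 92, 16);                                /* PE32, 16 data dirs */
    wr32(opt + 104, 0x2000); wr32(opt + 108, patched ? 60 : 40);        /* import dir RVA/size */
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x200); wr32(sec + 12, 0x1000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
    wr32(sec + 36, patched ? 0xE0000020u : 0x60000020u);                /* CODE|R|X, +W if patched */
    memcpy(sec + 40, ".idata", 6); wr32(sec + 48, 0x200); wr32(sec + 52, 0x2000);
    wr32(sec + 56, 0x200); wr32(sec + 60, 0x400); wr32(sec + 76, 0xC0000040u); /* DATA|R|W */
    uint8_t *imp = buf + 0x400;                                          /* file offset of RVA 0x2000 */
    wr32(imp + 12, 0x2040); strcpy((char *)buf + 0x440, "KERNEL32.dll");
    if (patched) { wr32(imp + 32, 0x2050); strcpy((char *)buf + 0x450, "crtpatch.dll"); }
    return len;
}

int main(void) {
    uint8_t img[0x600];
    for (int patched = 0; patched < 2; patched++) {
        size_t n = build_sample(img, sizeof img, patched);
        printf("%s: W+X sections=%d imports crtpatch.dll=%d\n", patched ? "patched" : "clean",
               count_wx_sections(img, n), imports_dll(img, n, "crtpatch.dll"));
    }
    return 0;
}
```

Against a real SecureCRT.exe you would read the file into a buffer and call the two checks on it instead of build_sample(); the RVA-to-offset mapping goes through the section table rather than assuming file offset equals RVA, because the import directory of a real binary lives wherever its .idata or .rdata section happens to be. Note that a writable code section is not by itself proof of tampering (some packers and old linkers produce them), so the import-table check is the stronger of the two signals.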
The attached code gets the SecureCRT version through the interface and sets it as the window caption.

III. BEYOND

Because fixed addresses are used for the patch, it cannot be used for all versions. In future I think we can get the interface by a different method, such as the script debugging interfaces (http://msdn.microsoft.com/msdnmag/issues/1200/Active/toc.asp?frame=true) or even in-proc server techniques; then I think no modification to the target would be needed at all. Of course you can rip the code into your own terminal program, but that is not suggested. If you go further down this road and do something neat, please send me a mail. Thanks :)

IV. TOOLS

IDA Pro
NuMega SoftICE
NuMega BoundsChecker
PE Editor
MS COM/OLE Viewer (shipped with the MS SDK)
MS VC 6

V. REFERENCE

MASM32 v8 COM package docs

HAVE FUN