******************************NOTICE!******************************
This is just for educational purposes. Anything you do with the knowledge you gain from this document is not my responsibility.
******************************NOTICE!******************************

.:HeX:.

Reverse engineering: Changing default ports used by software

Hey, been a while since I wrote another tutorial, but let's jump right into it.

So, if you're reading this tutorial you should know a little bit about programming with sockets; if not... well, you might get lost =P.

So, let's review a bit. We have a structure, sockaddr_in, that is used to hold information about the socket address. Mainly, there are four parts: sin_family, sin_port, sin_addr.s_addr, and sin_zero. The main thing we want to look at in this tutorial is how to change the port a program uses by default. This could be useful in a lot of ways: some ftp server programs are designed to run on port 21 only, but you can switch that to whatever you want, and some server programs that let you use the microphone to talk over the net only run on one fixed port unless registered, but you can change that too.

So, when programming sockets, htons() is used to convert a 16-bit port number from host byte order to network byte order (big-endian). All we have to do is find the piece of code in the program that passes the port to that function (assuming that's the function they use and they don't do the conversion manually).

So, first off you're going to need portsource.exe. You can get the source code at the bottom of this document or download it from http://www.freewebtown.com/thrashenskate/portsource.exe

After you've got it, run it. Open up a command prompt (start -> run: cmd) and type

    telnet 127.0.0.1 2121

You should get something like

    Yay...you connected...NOW HACK IT!

Now, close the window that just showed. Then load it up into OllyDbg. Ok, now that it's loaded we need to search for htons(), so we click the "CPU - main thread" window and hit ctrl+n. Here is the list of functions this program uses.
We need to find htons(), so we look for an entry that says htons. Ah, there it is... WSOCK32.htons (the WSOCK32 part is the library name). So, highlight it and hit enter. Then select the CALL and hit enter again. Ok, there we are... If you look, it says HostSource=849. That's the port the program runs on, in hex; in decimal it's 2121. So, if we alter that number, we alter the port.

So, let's do it. Let's make the program run on port 62. Right click the line and click Follow in dump -> Selection. Look at the bottom where it has the hex dump. Change the 49 08 to 3E 00 by clicking on the 49 and typing 3E 00 (the immediate is stored little-endian, low byte first, so 0x0849 shows up as 49 08 and 0x003E as 3E 00). Now everything is in place. Let's run it and see if it worked...

Hit the play button, then open up cmd and type

    telnet 127.0.0.1 2121

    Connecting To 127.0.0.1...Could not open connection to the host, on port 2121.
    No connection could be made because the target machine actively refused it.

Ok, now let's try 62.

    telnet 127.0.0.1 62

    Yay...you connected...NOW HACK IT!

So, as you can see, we successfully hacked it. Well, this tutorial was short and I will add on to it later.
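The byte-order point in the walkthrough above (the port is big-endian on the wire but the PUSH immediate is little-endian in the code) is easy to get backwards, so here is an added example to make it concrete. This is my own portable C, not the tutorial's code and not bytes taken from portsource.exe: the instruction bytes below are a hand-constructed stand-in for the "PUSH 849 / CALL htons" sequence OllyDbg displays, and the function names (to_network_order, find_push_port, patch_port) are mine. It performs the same 49 08 -> 3E 00 patch on that buffer and then re-reads the immediate to confirm it really decodes to 62.

```c
/* Added example (not part of the original tutorial or portsource.c):
 * shows why port 2121 appears in the dump as the bytes 49 08, applies the
 * two-byte patch to a constructed copy of the instruction bytes, and checks
 * afterwards that the new immediate decodes to the intended port.
 * Portable C, no Winsock needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 opcode for PUSH imm32 (what OllyDbg showed as "PUSH 849"). */
#define OP_PUSH_IMM32 0x68

/* Portable equivalent of htons(): host order -> network (big-endian) order. */
static uint16_t to_network_order(uint16_t host_port)
{
    uint8_t be[2] = { (uint8_t)(host_port >> 8), (uint8_t)(host_port & 0xFF) };
    uint16_t net;
    memcpy(&net, be, 2);   /* reinterpret the big-endian byte pair as a uint16_t */
    return net;
}

/* idx-th byte (0 or 1) of the port as it sits in sin_port / on the wire. */
static int wire_byte(uint16_t host_port, int idx)
{
    uint16_t net = to_network_order(host_port);
    uint8_t b[2];
    memcpy(b, &net, 2);
    return b[idx & 1];
}

/* Read a 32-bit little-endian immediate (how x86 encodes PUSH imm32). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Find "PUSH <port>" in a code buffer; returns the offset of the opcode
 * byte, or -1 if no such instruction is present. */
static long find_push_port(const uint8_t *code, size_t len, uint16_t port)
{
    size_t i;
    for (i = 0; i + 5 <= len; i++) {
        if (code[i] == OP_PUSH_IMM32 && read_le32(code + i + 1) == port)
            return (long)i;
    }
    return -1;
}

/* Rewrite the port pushed to htons(). Only the low two bytes of the imm32
 * change (49 08 -> 3E 00 in the tutorial); the upper two bytes are already
 * 00 00 for any 16-bit port, so they are left alone. Returns the new port
 * as decoded from the patched bytes, or 0 if the old port was not found. */
static uint16_t patch_port(uint8_t *code, size_t len, uint16_t old_port, uint16_t new_port)
{
    long off = find_push_port(code, len, old_port);
    if (off < 0)
        return 0;
    code[off + 1] = (uint8_t)(new_port & 0xFF);   /* low byte first: little-endian */
    code[off + 2] = (uint8_t)(new_port >> 8);
    return (uint16_t)read_le32(code + off + 1);   /* re-read to confirm the patch */
}

/* Constructed sample of the instruction bytes the tutorial patches:
 *   68 49 08 00 00      PUSH 849       (2121 in decimal)
 *   E8 00 00 00 00      CALL htons     (relative target left as zeros)
 * This is a hand-written stand-in, not bytes copied from portsource.exe. */
static uint8_t sample_code[] = {
    0x68, 0x49, 0x08, 0x00, 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    long off = find_push_port(sample_code, sizeof sample_code, 2121);
    uint16_t patched;

    /* host value 0x0849 is stored in sin_port as 08 49 (big-endian)... */
    printf("htons(2121) bytes on the wire: %02X %02X\n",
           wire_byte(2121, 0), wire_byte(2121, 1));
    /* ...but the PUSH immediate in the code is little-endian: 49 08 00 00 */
    printf("PUSH 849 at offset %ld, immediate bytes: %02X %02X %02X %02X\n",
           off, sample_code[1], sample_code[2], sample_code[3], sample_code[4]);

    patched = patch_port(sample_code, sizeof sample_code, 2121, 62);
    printf("after patch: immediate decodes to %u, bytes %02X %02X\n",
           patched, sample_code[1], sample_code[2]);
    return patched == 62 ? 0 : 1;
}
```

Build it with any C compiler (gcc portpatch.c -o portpatch) and run it. Two design points carry over to the real debugger session: the search only patches when it finds a PUSH of exactly the old port, so it will not silently hit a different 49 08 elsewhere in the dump, and the immediate is re-read after writing, which is the same sanity check you get by re-examining the disassembly line before pressing play.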
But for now, go hack some more ;)

/* Source code.. to compile, save the source as portsource.c and type
   gcc portsource.c -o portsource.exe -l gdi32 -l wsock32
   ...or you can use msvc++ or whatever compiler you have */

#include <windows.h>
#include <winsock.h>

HWND hWnd;
char blah[30];                              /* unused scratch buffer */
struct sockaddr_in serveraddr, clientaddr;
SOCKET lsocket, csocket;
int length;
WORD version;
WSADATA wsadata;

LRESULT CALLBACK WndProc(HWND hwnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    switch (Msg) {
    case WM_DESTROY:
        closesocket(lsocket);               /* close the socket before shutting Winsock down */
        WSACleanup();
        PostQuitMessage(0);
        break;
    case WM_CREATE:
        version = MAKEWORD(1, 1);
        WSAStartup(version, &wsadata);
        if ((lsocket = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
            MessageBox(NULL, "Failed to create socket.", "Error", 0);
            return 0;
        }
        serveraddr.sin_family = AF_INET;
        serveraddr.sin_addr.s_addr = INADDR_ANY;
        serveraddr.sin_port = htons(2121);  /* the constant patched in the debugger (0x849) */
        if (bind(lsocket, (LPSOCKADDR)&serveraddr, sizeof(struct sockaddr)) == SOCKET_ERROR) {
            MessageBox(NULL, "Failed to bind socket to port.", "Error", 0);
            return 0;
        }
        if (listen(lsocket, 10) == SOCKET_ERROR) {
            MessageBox(NULL, "Socket failed to listen for clients.", "Error", 0);
            return 0;
        }
        length = sizeof(clientaddr);
        /* accept() blocks here until one client connects, so the window
           is not shown until that first telnet session arrives */
        csocket = accept(lsocket, (struct sockaddr *)&clientaddr, &length);
        send(csocket, "Yay...you connected...NOW HACK IT!", 34, 0);
        break;
    default:
        return DefWindowProc(hwnd, Msg, wParam, lParam);
    }
    return 0;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow)
{
    MSG Msg;
    WNDCLASSEX wc;

    wc.cbSize = sizeof(WNDCLASSEX);
    wc.style = CS_HREDRAW | CS_VREDRAW;
    wc.lpfnWndProc = WndProc;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hInstance = hInstance;
    wc.hIcon = NULL;
    wc.hCursor = NULL;
    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);   /* system colour index; GetStockObject() takes stock object ids, not colour indexes */
    wc.lpszMenuName = NULL;
    wc.lpszClassName = "Window";
    wc.hIconSm = NULL;
    if (RegisterClassEx(&wc) == 0) {
        MessageBox(NULL, "Failed to register window.", "Error", 0);
        return 0;
    }
    hWnd = CreateWindowEx(WS_EX_OVERLAPPEDWINDOW, "Window", "Hack It!", WS_OVERLAPPEDWINDOW,
                          20, 20, 400, 400, NULL, NULL, hInstance, NULL);
    if (!hWnd) {
        MessageBox(NULL, "Failed to create window.", "Error", 0);
        return 0;
    }
    ShowWindow(hWnd, SW_SHOW);
    UpdateWindow(hWnd);
    while (GetMessage(&Msg, NULL, 0, 0)) {
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return 0;
}