Negative Subtracting – Bypass the Protection

Introduction to negative subtracting
We all know about the negative subtracting issue. For example, if I transfer money to you, the amount is subtracted from my account and added to your account. The code looks something like:

myaccount.value = myaccount.value - transfer.amount
youraccount.value = youraccount.value + transfer.amount

Now, what happens if I transfer a negative value to your account? We know that subtracting a negative gives a positive, so if I transfer minus one hundred to you, my account will increase by one hundred and your account will be reduced by one hundred.

Another example is an online roulette game. The house always wins eventually, because the odds are against the player. But we can turn the tables simply by betting a negative value. Now, each time we lose, we lose a negative value, which means that we actually win…

Up to here it is clear and simple, and I hope that everyone knows it.


Example of (in)secure code
I recently came across code that looked secure at first impression, but on second glance I understood that it is not secure at all. Let me start by showing you the code (C language); I modified it to become a little hackme game…:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int inited_balance = 1000;
    int balance = inited_balance;
    int transfer;

    while (1)
    {
        printf("Your current balance is %d\n", balance);
        printf("\nHow much do you want to transfer? ");
        if (scanf("%d", &transfer) != 1)
            break;                      /* stop on bad input instead of looping forever */

        /* The "protection": abs() is meant to turn any negative transfer into a
         * positive one, so the balance should only ever go down. */
        balance = balance - (abs(transfer));

        if (balance > inited_balance)
        {
            printf("\n\nYou found the secret of life, to give is to receive!\n\n\n");
        }
    }

    return 0;
}

The protection is based on the abs function; abs stands for absolute. It turns a negative value into the same value but positive, and leaves a positive value unchanged. For example, 50 stays 50, and -50 becomes 50.

It looks secure, but it is the hacker's business to know the extreme cases…

The abs function is vulnerable to integer overflow and underflow (of course, C being C, it behaves differently on different compilers; in this article I used the GCC compiler). For example, abs(4294967296) returns 0 because abs works with a 4-byte int. The binary representation of 4294967296 is [00000001][00000000][00000000][00000000][00000000], and since an int is only four bytes, the high byte falls off and we are left with all zeros…


The beautiful bypass

So, in our little hackme game, the easiest way to beat the house is to go into a negative balance first. If we start with 1000 units, we subtract 1001, and now our balance is -1. Then we transfer INT_MIN, which is -2147483648: subtracting abs(INT_MIN) actually adds it, and the balance becomes the maximum positive integer value.
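The following is an added example, not code from the original post. It models the two wraps described above (abs(INT_MIN) wrapping back to INT_MIN, then balance - INT_MIN wrapping to INT_MAX) with unsigned arithmetic, so the result is reproducible rather than relying on the undefined behaviour of calling abs(INT_MIN) directly, and it puts a hardened withdraw routine next to it that validates the amount against the business rule instead of "fixing" it with abs. The function names, the status enum and the starting balance of 1000 are my own choices for the demonstration.

```c
#include <limits.h>
#include <stdio.h>

/* Two's-complement model of what the game's abs() does on GCC without
 * -ftrapv: negation modulo 2^32, so INT_MIN maps to itself.
 * (Calling abs(INT_MIN) itself is undefined behaviour in C.) */
int wrapped_abs(int x)
{
    unsigned int u = (unsigned int)x;
    if (x < 0)
        u = 0u - u;                 /* negate modulo 2^32; 0x80000000 stays 0x80000000 */
    return (int)u;                  /* implementation-defined on GCC: keeps the bit pattern */
}

/* The vulnerable update, balance - abs(transfer), with the subtraction
 * also done modulo 2^32 so the wrap-around is explicit. */
int vulnerable_withdraw(int balance, int transfer)
{
    unsigned int result = (unsigned int)balance - (unsigned int)wrapped_abs(transfer);
    return (int)result;
}

typedef enum {
    TX_OK,
    TX_REJECT_NONPOSITIVE,          /* zero, negative, and INT_MIN all land here */
    TX_REJECT_INSUFFICIENT          /* would take the balance below zero */
} tx_status;

/* Hardened version: check the rule the code actually cares about.
 * A transfer must be positive and must not exceed the balance, and the
 * balance is only touched when both hold, which also rules out overflow:
 * 0 < transfer <= balance implies balance - transfer is in range. */
tx_status safe_withdraw(int *balance, int transfer)
{
    if (transfer <= 0)
        return TX_REJECT_NONPOSITIVE;
    if (transfer > *balance)
        return TX_REJECT_INSUFFICIENT;
    *balance -= transfer;
    return TX_OK;
}

int main(void)
{
    /* Replay the bypass from the post against the vulnerable update. */
    int balance = 1000;
    balance = vulnerable_withdraw(balance, 1001);      /* -> -1 */
    printf("after 1001:    %d\n", balance);
    balance = vulnerable_withdraw(balance, INT_MIN);   /* -> INT_MAX */
    printf("after INT_MIN: %d\n", balance);

    /* Same two inputs against the hardened routine: both are rejected. */
    int safe = 1000;
    printf("safe 1001:     status %d, balance %d\n", safe_withdraw(&safe, 1001), safe);
    printf("safe INT_MIN:  status %d, balance %d\n", safe_withdraw(&safe, INT_MIN), safe);
    printf("safe 250:      status %d, balance %d\n", safe_withdraw(&safe, 250), safe);
    return 0;
}
```

Compile with `gcc -Wall example.c` and run it; to see the original game's own abs() misbehave, build it with `-fsanitize=undefined`, which reports the abs(INT_MIN) call instead of silently wrapping.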

[Screenshot: abs_game]


You can play with the attached game (hackme abs); you might find it fun 🙂

Enjoy
Israel
