Hacking SecureCRT Script Interfaces
Yes, you can say this is a crack paper, but I prefer to call it a "hack", because in my opinion "crack" means ripping the target open to find something you want, whereas "hack" means looking around the target, using some method and having fun. Of course, here cracking is one method of hacking :)
The target is SecureCRT from VanDyke Software, version 4.0.7. I spent a week working on it. The method described below IS NOT intended for other versions.
OK, here come the details.
I. THEORY
1. The target
SecureCRT is a popular terminal program that connects to serial ports or to remote servers over telnet, SSH etc. easily and powerfully. As a feature, it supports VBScript and JScript programs for advanced users. But VanDyke did not provide an API set for developers working in asm/C/C++. So our target is to expose that interface with some work, and then we can get more out of it than the weak scripting provides. Just for fun :)
2. Deep view
First of all, we need some knowledge of how SecureCRT provides a script interface instead of an API. Refer to MSDN: there are many ways to make a program support scripting. Then fire up IDA Pro and disassemble the exe file; some interesting strings turn up:
.data:004E2748 aScriptingErr_2 db 'Scripting error',0Dh,0Ah ; DATA XREF: sub_42BC80+7C8
.data:004E2748 db 'AddNamedItem failed: 0x%x',0
Search for "AddNamedItem" in MSDN and we learn that the program uses the IActiveScript interface to export functions to scripts. Below is the mechanism of the communication (see figure1.gif):
1) When a script is loaded from SecureCRT's "Script" menu, the program starts a thread and checks the first two lines of the script to make sure it is a SecureCRT script. Commonly they are:
#$language = "VBScript"
#$interface = "1.0"
2) Then SecureCRT starts the script engine and gets the IActiveScript interface from the engine.
3) Now SecureCRT exposes an instantiated object named "crt" to the engine using IActiveScript::AddNamedItem. Note that the IActiveScript object might already exist even when no script is loaded.
4) Then the script engine starts to parse and execute the script.
II. IMPLEMENTATION
1. Get the interface
If you compare a SecureCRT script (for example a .vbs file) with a common VB script, you will find the difference: not only are the first two lines not recognised in common VB scripts, but neither is the object "crt".
When we use an object in a VB script, the first step is to create the object:
Set exl = CreateObject("Excel.Application") ' create an Excel object
But in a SecureCRT script no object is created, and an object named "crt" appears as if it were a built-in VBScript object.
This is because a common VB script runs in a global environment, but SecureCRT scripts run in a specific environment where a pre-defined object "crt" really exists. And this is our target :)
The work left is cracking the details. I think with a disassembler and a debugger it's an easy case.
2. Use the interface
Finally we get here :) To use the interface, we have to get into SecureCRT's process space, which is called "injection". The attached source code says it all; below are some notes.
1) Because the patch DLL modifies the code sequence (self-modifying code, SMC), the code section of securecrt.exe must be changed to READ|WRITE|EXECUTE, or you will meet a Windows Exception(tm). And because the DLL code must be called at least once, add a function exported by the injection DLL to securecrt.exe's import section.
2) The securecrt.c and securecrt.h in the source code are generated by MIDL, the IDL compiler provided by Microsoft. The IDL file comes from the typelib resource wrapped in SecureCRT.exe. Because the IDL provides a dual interface, we can stay out of the mud of IDispatch interfaces (from an SDK point of view).
3) The function patch must be static, because the code jump must be addressed to a valid address.
4) The operation code (the GetInterface() function here) is called inside a target function, so beware of the stack frame. (I spent one whole day on that mess.)
5) The script engine loads after SecureCRT finds a valid script. Of course you can get the interface directly, but that is not the purpose of this paper.
The code gets the SecureCRT version and sets it into the caption.
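A defender-side check for the modification described in note 1) above, added here as an example and not part of the original paper or its attached source: it parses a PE section table and flags any section mapped both writable and executable, a state a stock securecrt.exe should never be in. The sample images are constructed inside the block (header-only, not real SecureCRT binaries), and the function names are my own.

```python
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

def pe_sections(data: bytes):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: skip Machine, read NumberOfSections, skip 12 bytes, read SizeOfOptionalHeader
    num_sections, opt_size = struct.unpack_from("<2xH12xH", data, coff)
    table = coff + 20 + opt_size           # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i               # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections

def writable_code_sections(data: bytes):
    """Names of sections that are both writable and executable (RWX)."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [name for name, ch in pe_sections(data) if ch & rwx == rwx]

def build_sample_pe(sections):
    """Constructed header-only PE image for offline testing (not a real SecureCRT binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    # COFF: Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8s6I2HI", name, 0, 0, 0, 0, 0, 0, 0, 0, ch)
                     for name, ch in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed samples: a normal layout, and one with .text flipped to RWX as in note 1).
CLEAN = build_sample_pe([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                         (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
PATCHED = build_sample_pe([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
                            | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)])
```

Run writable_code_sections() over a copy of the binary on disk; a non-empty result for a code section is the tell-tale of this kind of patch.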
III. BEYOND
Because a fixed address is used for the patch, it can't be used for all versions. In future, I think we can get the interface with a different method such as the script debugging interface (http://msdn.microsoft.com/msdnmag/issues/1200/active/toc.asp?frame=true) or even in-proc server techniques. I think no modification would need to be applied to the target.
Of course you can rip the code into your own terminal function, but that is not suggested.
If you go further down this road and do something elegant, please send me a mail, thanks :)
IV. TOOLS
IDA Pro
NuMega SoftICE
NuMega BoundsChecker
PE Editor
MS COM/OLE Viewer (shipped with the MS SDK)
MS VC 6
V. REFERENCE
MASM32 v8 COM package docs
Have fun