1998. Malvern. I’m in the fishbowl. My head is on the desk. I’m doing tech support, talking to Joe the Baker or Bob the Builder over the phone with my dinky headset on, my head on the desk, without hope. Going “Oh my God. I can’t do this any more.”
I’m working tech support for VET antivirus. The tech support guys are in one of those glassed-in areas. We call it the fishbowl. Eventually, after 9 months at VET, falling slowly, my head is on the desk. I can’t go on.
I got the job because I had this underlying fundamental knowledge of computers. I remember vividly in the interview, them saying “can you describe how a computer boots up?”
Me, blinking at them: “How much detail do you want?” A moment of silence.
“It does a power-on self test. It starts from the 16th byte from the top of memory. It then loads the master boot record of a hard disk, or a boot sector of a floppy disc at location 0:7C00 in memory. The processor at this stage is in real mode. The master boot record starts with FA33C0 usually, ends in 55AA.” All sorts of crazy shit like that. My head swam with these pieces of information.
I had always been writing assembly on the side. I had an interest in all things low-level. Or trying to. I had signed up for it at Uni, but nobody else did. So they cancelled the class.
Since then, I never stopped wanting to understand assembly code, but I couldn’t do it, for some reason. The way I actually started learning it was by cracking software. By cracking copy-protection on software. I spent a lot of time in soft ice, the debugger.
Since then, I never stopped wanting to understand assembly code… The way I actually started learning it was by cracking software.
One way to crack was, you could do a “deadlisting”. Thats where you bring up the tool – still the central tool on both sides of the virus arms race – called IDA, and you look for strings. When a copy protection violation has been detected, it usually gives you a message. “This key is no longer valid”. You find that message, and you find where that is being referenced, in code. And with the disassembler, you backtrack through the code, looking to invert the jump to where that check is. It’s usually a boolean check: true or false. You invert the jump to say its valid, when its not. “Jump when invalid” becomes “jump when valid”. That’s called a “hard crack”. Not recommended, because the software can easily detect it has been changed, and take action.
The soft crack, that’s the best way. Thats when you go through and understand the logic of how the keys are generated, and you generate your own valid keys. You’re not modifying the software at all.
To stay sane, to get my head up off that desk, I’m teaching myself to crack software, while I’m working at a company whose business it is to beat crackers. I’m learning from the research and analysis guys. I see an opening there. The most brilliant, and socially inept human I have ever met has left his job to take up horticulture, leaving a hole in the organisation. A way out of the fishbowl.
The exam, to get the job: write your name using DOS interrupts. Now using BIOS interrupts. Now I write it using no interrupts at all. Directly addressing the video buffers. Blasting bits up onto the screen. I get the job: virus researcher. My boss, Kaminsky, gives me this disc with the GWAR virus on it. I’m hooked.
After a while the viruses I saw changed. They became more complex. Multi-partite, which means boot sector and file. Next came encryption. What encryption did for viruses: you couldn’t just run it through the disassembler to see what it did, because it was encrypted using a secret code. What you needed to do do first is decrypt it.
How do you do that? You manually decrypt it, or you write a script, or…
You create a goat machine.
You create a goat machine. It’s a sacrificial machine. You segregate it, and wait for it to get infected. You wait for the virus to get in memory. When it’s in memory, its decrypted. It has to be. So you dump the processor memory space, and then run it through the disassembler. After a while, encrypted viruses were easy for us to detect.
All this was before modern worms, which replicate and travel over networks. After a while, the bad guys started to increment the encryption with each new infection. In the antivirus industry, we beat that one too. But beating the next threat represented a whole new way of thinking: polymorphism was coming.