How To Guide Assembler Language Backdoor DD Name Check
EGS Innovations, Inc.
207 Meadow Wood Drive
Joliet, Illinois 60431-4809
Phone: (815) 744-2401
Fax: (815) 744-2401
[email protected]
http://www.EGSInnovations.com

Overview

Did you ever need to turn off an application validation function for testing or debugging purposes? The answer is probably "yes". For decades, many mainframe software vendors have used backdoor switches to turn key software features on and off for testing and debugging. One of the most common methods is to have the software check whether a specific DD name has been allocated. In this document I will outline a simple method to check if a specific DD name has been allocated.

Obfuscate (hide) the DD name

To hide our special DD name from prying eyes in the executable load module, we need to scramble (obfuscate) the name and dynamically unscramble it when it is time to do the name check. A simple way to do that is to code the DD name with some of its bits missing. When it is time to unscramble the name, we add the missing bits back.

For example, we start with an EBCDIC literal of 'ABCD', which is hex X'C1C2C3C4'. We then remove the X'40' bit from each character, giving X'81828384'. We then remove the X'80' bits, giving X'01020304'.

To unscramble, all we need to do is execute an Or Immediate (OI) instruction on each name byte using a mask of X'40'. After we turn on the X'40' bits, we can then turn on the X'80' bits. This is a very simple scrambling scheme and decoding process, but it is just convoluted enough to hide the name from prying eyes.

Unscrambling routine

The following routine will unscramble our sample character string:

    DECODE   XC    WRKDDN,WRKDDN             Clear work area to X'00'
             MVC   WRKDDN(4),=X'01020304'    Copy scrambled DD name
             LA    R2,WRKDDN                 R2 -> first byte of work area
             LHI   R4,1                      R4 = BXLE increment
             LA    R5,7(,R2)                 R5 -> last byte (BXLE limit)
    DLOOP    OI    0(R2),X'40'               Turn on the X'40' bit
             BXLE  R2,R4,DLOOP               Next byte until past the limit
             OC    WRKDDN(4),=X'80808080'    Turn on the X'80' bits
             .
             .
             .
    WRKDDN   DS    CL8                       Unscrambled DD name

Because the OI loop covers all eight bytes of WRKDDN, the four trailing X'00' bytes become X'40' (EBCDIC blanks), so the result is the blank-padded name 'ABCD    '.
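The byte operations of the unscrambling routine, modelled in Python as an added example (not code from the original guide or from EGS Innovations). It shows the blank-padded result and which DD name characters the bit-stripping scheme cannot restore; the function names and the use of the cp037 EBCDIC code page are assumptions of the example.

```python
# Added example: models the DECODE routine's byte operations in Python.
# cp037 is assumed as the EBCDIC code page; function names are hypothetical.
import string


def scramble(ddname: str) -> bytes:
    """Encode the name in EBCDIC and clear the X'40' and X'80' bits."""
    return bytes(b & 0x3F for b in ddname.encode("cp037"))


def decode(stored: bytes) -> bytes:
    """Mirror the routine: XC, MVC, OI X'40' on 8 bytes, OC X'80' on the name."""
    work = bytearray(8)                  # XC   WRKDDN,WRKDDN
    work[:len(stored)] = stored          # MVC  WRKDDN(4),=X'01020304'
    for i in range(8):                   # DLOOP: OI 0(R2),X'40' / BXLE
        work[i] |= 0x40                  # zero pad bytes become X'40' (blank)
    for i in range(len(stored)):         # OC   WRKDDN(4),=X'80808080'
        work[i] |= 0x80
    return bytes(work)


def lossy_chars(alphabet: str) -> str:
    """Characters that do not survive scramble + decode unchanged."""
    return "".join(
        c for c in alphabet if decode(scramble(c))[:1] != c.encode("cp037")
    )


if __name__ == "__main__":
    stored = scramble("ABCD")
    print(stored.hex().upper())                    # bytes kept in the module
    print(repr(decode(stored).decode("cp037")))    # name used for the check
    # Letters and digits all have both high bits set in EBCDIC, so they
    # round-trip; the national characters @, # and $ do not.
    print(lossy_chars(string.ascii_uppercase + string.digits + "@#$"))
```

The decode step needs no key: OR-ing X'C0' into the stored bytes restores the name, so the scheme only hides the name from a casual browse of the load module.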
Determining if DD name allocated

Once the search DD name has been unscrambled, we need to check whether it has been coded in the JCL or dynamically allocated. There are numerous ways to do this. I will illustrate two ways of scanning for a DD name:

- Use the DEVTYPE macro (example 1)
- Scan the TIOT control blocks (example 2)

Example 1 – Find DD name using DEVTYPE macro

             DEVTYPE WRKDDN,DWORD            Do DD name scan
             LTR   R15,R15                   Found?
             JZ    TAGA                      Jump if yes, bypass feature
    *
    *        DD name not found, activate feature
    *
    TAGA     DS    0H                        Skip feature

Example 2 – Find DD name by scanning TIOT blocks

             L     R11,CVTPTR                R11 -> CVT
             USING CVTMAP,R11                Map CVT fields
             L     R10,CVTTCBP               R10 -> CVTTCBP
             L     R10,4(R10)                R10 -> active TCB
             L     R9,TCBTIO-TCB(R10)        R9 -> TIOT header
             LA    R9,24(R9)                 R9 -> first TIOT entry
    TLOOP    CLI   0(R9),X'00'               Last TIOT entry?
             JE    TAGA                      Yes, DD name not found
             CLC   4(8,R9),DDNAME            Found DD name?
             JE    TAGB                      Yes, skip feature
             SLR   R1,R1                     Clear R1
             IC    R1,0(R9)                  Get TIOT entry length
             AR    R9,R1                     R9 -> next TIOT entry
             J     TLOOP                     Check next TIOT entry
    TAGA     DS    0H                        Process feature
    *
    *        DD name not found, process feature
    *
             .
    TAGB     DS    0H                        Skip feature
             .
             .
    DDNAME   DS    CL8
             .
             CVT   DSECT=YES
             IKJTCB LIST=NO

Summary

By using simple coding techniques, software features can be activated and deactivated by the presence of a specific DD name. The DD name text can be scrambled in the source code to make it difficult to locate when viewing the load module.

About the author

Jeffrey Celander has over 30 years of experience as a software developer and almost as long working in business. He is the principal of EGS Innovations, Inc. EGS Innovations is a software development consulting and training organization based in Joliet, Illinois, USA.

About EGS Innovations, Inc.
Founded in 2009, EGS Innovations is a privately owned company. We specialize in the creation and deployment of Mainframe business applications software and commercial product software using new or existing technologies. We provide training in a variety of Mainframe disciplines. All EGS Innovations services are available at very affordable rates. Visit our website and see what we have to offer: http://www.EGSInnovations.com.

Software Agreement and Disclaimer

Permission to use, copy, modify and distribute this software, documentation or training material is granted for personal use. Any other use requires written permission from the publisher, EGS Innovations, Inc. The EGS Innovations name or logo may not be used in any advertising or publicity pertaining to the use of the software without the written permission of EGS Innovations, Inc.

EGS Innovations, Inc. makes no warranty or representations about the suitability of the software, documentation or learning material for any purpose. It is provided "AS IS" without any express or implied warranty, including the implied warranties of merchantability, fitness for a particular purpose and non-infringement. EGS Innovations, Inc. shall not be liable for any direct, indirect, special or consequential damages resulting from the loss of use, data or projects, whether in an action of contract or tort, arising out of or in connection with the use or performance of this software, documentation or training material.

If you have any questions, suggestions or comments, please call or send an e-mail to: [email protected]

Assembler Language How To Guide: Backdoor DD Name Check
First Edition (June 2010)

Reader comments on this document are welcomed and encouraged. Comments may be sent to:

EGS Innovations, Inc.
Technical Publications Group
207 Meadow Wood Drive
Joliet, Illinois 60431-4809

© Copyright EGS Innovations, Inc. 2010.
All rights reserved. Printed in the United States of America. This publication may be reproduced for personal use or for use as an educational aid. Any other use requires the prior written permission of the publisher, EGS Innovations, Inc.

Trademarks

IBM, MVS, OS/390 and z/OS are trademarks of IBM Corporation.
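Returning to Example 2: the TIOT scan, modelled in Python over a constructed table image, as an added example that is not part of the original guide or EGS Innovations code. It uses the offsets from the assembler (24-byte header, entry length at +0, DD name at +4); the 20-byte entry size, the job and step names and all function names are assumptions of the example.

```python
# Added example: walks a constructed TIOT image the way Example 2 does.
# Entry size (20), job/step names and function names are assumptions.
HEADER_LEN = 24   # job, step and procstep names: LA R9,24(R9)
DDNAME_OFF = 4    # DD name offset in an entry: CLC 4(8,R9),DDNAME


def make_entry(ddname: str, length: int = 20) -> bytes:
    """Constructed entry: length byte, 3 other bytes, 8-byte DD name, filler."""
    head = bytes([length, 0, 0, 0]) + ddname.ljust(8).encode("cp037")
    return head.ljust(length, b"\x00")


def make_tiot(ddnames) -> bytes:
    """Constructed TIOT: 24-byte header, entries, zero terminator."""
    header = "MYJOB   STEP1   ".encode("cp037").ljust(HEADER_LEN, b"\x40")
    return header + b"".join(make_entry(d) for d in ddnames) + bytes(4)


def dd_names(tiot: bytes):
    """Yield each entry's 8-byte EBCDIC DD name until the zero length byte."""
    pos = HEADER_LEN
    while pos < len(tiot):
        length = tiot[pos]                    # IC  R1,0(R9)
        if length == 0:                       # CLI 0(R9),X'00' -> end of table
            return
        if length < DDNAME_OFF + 8 or pos + length > len(tiot):
            raise ValueError(f"bad entry length {length} at offset {pos}")
        yield tiot[pos + DDNAME_OFF:pos + DDNAME_OFF + 8]
        pos += length                         # AR  R9,R1


def dd_allocated(tiot: bytes, ddname: str) -> bool:
    """True if ddname, blank-padded to 8 bytes like WRKDDN, is in the table."""
    target = ddname.ljust(8).encode("cp037")
    return any(name == target for name in dd_names(tiot))


if __name__ == "__main__":
    tiot = make_tiot(["SYSPRINT", "ABCD", "SYSIN"])   # constructed sample
    print([n.decode("cp037").rstrip() for n in dd_names(tiot)])
    print(dd_allocated(tiot, "ABCD"), dd_allocated(tiot, "ABC"))
```

The comparison is on the full blank-padded 8 bytes, so a shorter name such as ABC does not match an allocated ABCD. Listing every name with dd_names is also how a reviewer can see which DD names a job step has allocated.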