A real hacker is never calm inside.
If you see Yuan Ge, you will almost doubt the above judgment. It's hard to connect the good, even dumb, uncle, with the "Spirit of the Cyberspace" that used to be able to access all personal computers and servers at will.
But please believe me, once you walk into his spiritual world, you will see the stormy waves.
Compared to text and language, Yuan is more accustomed to lyrical with numbers and code. A silent person constantly asks the world for answers, repeatedly overthrowing people's basic understanding of cyberspace.
Reality is such a surprise. We love this story.
Yuan Ge Yuan Renguang
A pen, a book, a game of chessThose who are obsessed with mathematics have a cold atmosphere. When Yuan is still Xiaoyuan, when he was in elementary school, he had been holding books of mathematical theory every day, standing in the whizzing time.
I was born in rural areas and my home conditions were not good, so I could only read my favorite books at the elementary school library or the Xinhua Bookstore in the town. Fortunately, the books on mathematics that I care about are not very good sales. You can buy one copy for a dime or two cents. But even so, I can hardly afford it, only picking the one I like the most, the thickest, and the cheapest.
By the time he came to middle school, Yuan Ge had started to look at the content of the postgraduate group theory. In Boolean Algebra, Symmetric Identity, you can make up for your classmates' eyes when they look at these books.
It takes a price to buy these books.
In junior high school, a ballpoint pen was a good stationery. Once I had a few cents at home and I wanted to buy a ballpoint pen. But just because my test scores are good, getting a school award is just a ballpoint pen. I told my parents that this was the pen that I bought with money and bought a book from the savings.
In this incident, his elder brother "spoken secretly." Yuan brother was beaten up by his father. In those years, the spirit of poverty alleviation came before the material came out of poverty. Although Yuan Ge was beaten by a book, it is obviously not too bad luck.
The paranoia of mathematics and logic allowed him to get along with the world with a unique perspective.
I have a classmate's brother who likes to play chess, so I am interested in the object board game. There is an important principle at the end of the next day, that is, it cannot be considered in the mind of most people, but it must consider all logical possibilities. For example, in the ordinary times, you will not easily give the car to others, but in the endgame, you have to consider the entire space. In fact, each step can be abstracted as a step of Boolean algebra logic. Using mathematical methods can solve this mystery well. question.
In addition to being an end game master, the younger brother Yuan is a poker puzzler and brain teasers. Perhaps for him, there is no more sexy thing in the world than tight logic.
When he was Shandong University president, mathematician Pan Chengdong
Wind TalkerBecause he admires the reputation of Shandong University’s president and mathematics teacher Pan Cheng-dong, the seriously partial Yuan brother relied on two nearly perfect scores in mathematics and physics to enter the Department of Mathematics of Shandong University. However, when he arrived at the university, he faced a thorny problem, that is, he had completed self-study in high school during almost all the courses. Sitting in class and sleeping in a daze is a torment for him.
"I don't want to take classes. I like to study on my own because self-study is faster and deeper." His reasoning is simple and clear. Yuan Ge is looking for a new world that is fascinating to him. The computer has thus officially entered his life.
1993-1997 was the era of Yuan Ge's college. At that time, Cyber ​​World was not connected to the vast ocean like today. Computer viruses often spread from one computer to another through a floppy disk. Yuan Ge recalled that at the time, he was trying to "understand the virus." Once Yuan brother wants to understand something, it is really necessary to do it. You know.
Due to the special properties of viruses, they are often spread by the underlying logic of computers. Yuan Brother, who follows the virus, also came to the bottom of Cyberspace. "Assembly language" "computer principle" "operating system principle" "the principle of the disk controller", a class is not to go to the Yuan brother soaked in the library to read these books.
In school, it is money to get on board, so I can't always stay in the engine room. I used debug to disassemble the operating system BIOS code in the computer room and encountered code that needed to be carefully studied. I wrote it down using the school's homework. Some code translates into high-level code without a few lines, but because I copy all the underlying assembly code, the amount is very large. Later, I found that the assignments were all filled up by me.
For him, the strongest skills acquired in college for four years are mastering the ability to communicate with the computer's soul—a binary language. For computers, the binary code is like the “according tones†that everyone uses to think. No language is more direct to the “heart of the machine†than a binary language. Today, when Yuan Kan is looking at binary code, he can automatically make up the source code of high-level language. There are not many people in the world who can think like this from a computer world perspective. He is like a "wind-speaker", and a lyric poem in his mouth is like a gust of wind in the eyes of ordinary people.
The underlying principle of the computer is boring, but if you are interested, you find it very comfortable to master this principle to understand and control the basic operation of the computer. If your computer is well-grounded, adding a little bit of input can basically become a big deal.
Yuan brother made a clear cut.
In his college days, Yuan Brother not only made a variety of programming languages ​​perfect, but also saw the most ingenious application of these languages ​​from the virus. Yuan Ge recalled:
For example, the famous ghost virus at that time could be automatically deformed, which broke through the rules that rely on virus signatures;
For example, DIR virus can completely bypass the anti-virus card mechanism and create a new infection.
"Piracy dealers" in the pastFor Yuan Brothers, all the imprisonment that jumped out of this cyberspace world is his immortal river stream. In addition to breaking the anti-virus card in the school's computer room and causing the virus to afflict, cracking anti-virus software "KV300" was one of his actions.
The most popular anti-virus software at the end of the last century (no one): KV 300 anti-virus floppy disk
At the time I was studying a special mechanism for CPU operation: DMA. Some information is transmitted directly by the CPU and may take a long time. Therefore, the DMA controller can directly control the memory for auxiliary transmission and share some work for the CPU. I found that this mechanism can be exploited because an interrupt will be generated each time the DMA transfer completes. If interception is performed at this time, it will be able to resolve the contents of its operation on the disk. Using this method to cycle through, you can read out the entire anti-virus floppy disk and completely bypass its encryption technology.
The crack disk that other people did at that time was banned by Jiangmin Company after a period of time. However, as long as the virus database is updated, my crack disk can be used normally.
For the "work" of that year, Yuan Ge is still very satisfied. Even when he didn't get four grades in English and didn't get a diploma and degree certificate, he even thought that if he couldn't find a job, he would sell pirated copies. "People's genuine sales of 260,360, I only need one-tenth of the price, 26,36, should be a good business."
God did not give Yuan a chance to become a "pirate dealer." He still acquired a monolithic development position at Hisense.
BlockbusterThose who are familiar with another hacking enlightener, Zhang Xundi, knew that because the earliest hotels were connected to broadband, he embarked on the road to security research and established the "security focus" of the Huangpu Military Academy of the hacker community. Similar to Zhang Xundi, Yuan brother came into contact with the Internet because Hisense applied for a dedicated network in 1997, which allowed Yuan to study new topics while working. This time, he wanted to make a network agreement. You should understand that according to Yuan Ge's script, if he is “engaged†by him, he will surely be extorted by the tenderness of his coke.
When I was learning network protocols, I read books and memorize them while disassembling them into binary code. It's like learning English. While backing words, you can remember when you make a dialogue.
This hacker who had not graduated from English Level 4 and did not graduate had a good sense of humor and took an English example.
There are innumerable kinds of logic in the real world, and each kind of logic, as long as it exists, even if it is bizarre, how hard to imagine, may be the weapons that change the world. Yuan Ge seized a door that looked strangely logical.
In Windows 9X, web sharing documents are very popular. When I researched the shared protocol code, I found that when the server performs password verification on the client, the password length check is based on the information sent by the client. This thing looks very strange. Because experience tells us how long the password is, it must be based on the password stored on the server. I immediately wrote the verification code, sending a message from the client, telling the server to verify only one byte, and the server really verified only one byte. Only one byte of 256 possibilities, very good to crack.
Yuan Gehei entered the computers of his colleagues and leaders, watching their wages, lamenting the wonders of the world while he was determined to be a network security expert.
Windows 98 interface (for nostalgia)
This is the first real loophole he discovered. Since then, Yuan is out of control.
He discovered the famous Windows shared password verification vulnerability that allows him to freely access shared files.
He participated in the establishment of the old security company Green Alliance, to study a number of high-risk IIS server vulnerabilities, can freely visit any IIS web server;
He studied the RPC protocol used by each personal computer and discovered a number of serious RPC service buffer loopholes that could directly break the permissions of all Windows computers and achieve remote intrusion.
At the beginning of the 21st century, when many technology enthusiasts landed in hacker forums in the rapidly spreading Internet, Yuan Brothers has become a spiritual beacon for the hacker community.
In the beginning, Yuan Ge actively submitted the discovered loopholes to Microsoft. However, Microsoft was not the Microsoft that was willing to pay for the loophole. The other party's unyielding attitude caused Yuan to gradually lose his enthusiasm for submitting. When Yuan found a fatal flaw in RPC services that could be used to attack any computer, he chose to be silent. Until two years later, the 18-year-old American Jeffrey created the Shockwave worm through the same technology and swept half the world.
Data Stream - Pirates of the World in CyberspaceAlthough before 2000, Microsoft's attitude toward white hats has always been indifferent, but this does not prevent Yuan brother's exploration of cybersecurity. Yuan Ge thinks this is the time when his life is "highly productive." The time for eating, sleeping, and going to the toilet every day is thinking about code. The most central proposition he is considering is whether he can use a common security model to assist or even replace holes.
To understand Yuan's tools, you need to understand the nature of the vulnerability first.
The essence of the computer is program processing. Depending on the input data, a string of code opens up a myriad of different doors inside the computer and eventually becomes a result. And when the input information meets certain special conditions, it will find a strange door inside the computer and try to open it. At this time, Cyber ​​World will suffer a crash and a loophole will be created.
That is, finding this particular code finds a loophole that can defeat the system. So there are two main directions for vulnerability mining:
1, fuzzy test. Fuzzy test is a kind of black box test. By giving some data to the system at random, observe whether the system has abnormal reaction. However, a system is so huge that there are countless possibilities for inputting information. The scope of this possibility is exponential. So if you blindly test, even to the destruction of the universe, you can't even test all the possible billions of billions.
2, white box testing. By studying the source code or binary code of the system, discover the logic holes and potential problems. This method also has the problem that for a complex program, the huge amount of code has gone beyond human reading ability. And there are many programs in a program that portray the contents of the interface. This is not a concern for the vulnerabilities diggers. Before reading, you cannot eliminate these useless codes.
Logical tree diagram of software operation
Yuan's tools combine fuzz testing with white-box testing, which he calls "data flow" testing methods.
According to the researcher’s interest, the targeted data was constructed and the system processed. In the process of processing, you can check the status of the program running in the debugger through breakpoints. Through the code that stays in the debugger, you can infer what piece of code is processing the data. In this way, you can directly locate a key piece of code without going through a lot of code auditing. Disassemble this piece of code and you can read it. According to this code, all its logical branches can be inferred, so that according to these full-quantity branches, new data can be reconstructed in a targeted manner for further targeted attempts.
It may not sound difficult, but the most difficult part of the system has not yet arrived.
Although you can read this code, but you need to use mathematical methods to abstract the contents of this code in order to deduct all of its logic branches, some human understanding logic, you want to use the program to automatically solve, Need a very complicated logic description. And for each tiny logical point, followed by a very large number of path levels, there are also numerous possibilities in this case, which involves the mathematical problem of constraint solving.
Yuan Ge said.
As revealed in the Pirates of the Dream, Yuan Bo's deep insights into the logic of numbers and the world, Limbo, who is at the deepest level in cyberspace, gave him insight into the truth in a space of only a few bytes of space.
Around 2008, Microsoft could not resist the invasion of countless loopholes, and began to gradually introduce loopholes in the use of mitigation measures. Such mechanisms do not reduce the appearance of vulnerabilities, but make the exploitation of vulnerabilities very difficult. They are like a wall. You know that the loophole is opposite, but you can't get close. Including DEP, ASLR, and emet, including the cfi that will be introduced later, are all effective mitigation measures.
Yuan brother stands behind the wall and is ready to "get in". He suddenly felt that the sight in front of him was like a memory of nearly a decade ago.
In 1997, macro viruses were becoming popular. This is a virus that exploits script code execution to cause damage. Since the virus can only rely on scripts with text attributes, many research institutions including Jinshan think that the destructive power of this type of virus is very limited, and even said that it can only be used as a prank.
However, Yuan does not think so, he believes his own judgment: "Although the macro code is interpreted and implemented, but the interpretation of the implementation is execution, and there is no essential difference between the machine code." He wrote several articles, proved to compile the binary virus code into The possibility of plain text format. That is, an attack program can look exactly like letters and numbers. This is roughly equivalent to transforming sand into gold by changing the arrangement of atoms.
Time back to 2008, Yuan brother suddenly found that his worldview proposed ten years ago may have bypassed all loopholes to mitigate measures from a higher dimension. That is, by using script (text) code to write the attack program, through a smart design, the DEP chip that Microsoft uses to protect will not be triggered during the attack.
However, turning a string of attack code into plain text is simple and complicated to implement.
In two or three months, Yuan Ge made the following N things:
Read through the detailed principles of JavaScript and VBScript, and complete the short board of code compilation;
Found an attack on IE;
Attempted a myriad of attack paths and configured a number of exploit combinations;
Complete the writing and debugging of the attack code.
This attack method passes all versions from the earlier IE 3 to IE 9 just launched. Even when IE 10 was launched two years later, it was still possible to complete the attack without changing a single code. This is the technique that Yuan Ge is most proud of: DVE (Data Virtual Execution Technology), which he personally calls "the hand of God."
It is like acting in another higher dimension of space. Everyone can't see the process of action and can only accept the result of the action.
He explained.
The code is just a tool in Yuan's eyes. People standing in "place of God" can even use a poem and a poem that makes sense for each word to defeat a system. The so-called "Laughing, smashing, annihilation, and annihilation," but this is the case.
However, this God who walked in Cyberspace eventually touched the human business dilemma. In 2010, Microsoft wanted to use 350,000 U.S. dollars to acquire "The Hands of God" - DVE technology, but this technology in Yuan Brother's heart far exceeds this value. This business did not succeed. Until three years later, the famous hacking leader TK of Yuan Ge's good friend independently submitted a set of confrontation technology to Microsoft and obtained the famous one hundred thousand dollars. Due to the intersection of the technology involved and the DVE technology, Microsoft partially blocked the DVE attack.
In 2014, Yuan Ge chose to publish the technical details of the DVE on the Internet. Once God had landed in mundane territory.
Zhan Lujian (one known as Zhan Yan)
Zhan Yi
Yuan brother is looking forward to his next DVE.
To this end, the hacker who rewritten the history of Internet security joined Tencent and established a brand-new laboratory called "Zhan Yu."
Yuan Ge told Lei Fengwang (search "Lei Feng Net" public concern) : "Zhan Yan, is the famous swordsmith in the Spring and Autumn Period, Europe Ye Zizi cast sword. 'Benevolence's sword, Daqiao Ruoqiang' is the world's evaluation of Zhan Yan." It is also a certain kind of inner portrayal of Yuan Brother who has passed the undisputable year. He needs a sword, a sword that can penetrate the cloud again.
For Yuan Ge, although his own inspiration and achievements could not be duplicated, he realized that he needed a team more than ever before.
The current vulnerability mining and utilization has reached a relatively advanced stage. If there is no team and a full set of technical support, some things cannot be achieved by relying on the strength of one person.
He said.
As for the reasons for joining Tencent, Yuan Ge gave a simple reason: “TK and Wu Shi are all there. I understand them and I agree with them all. The security industry is a gathering place.â€
In March 2016, the Zhanxi Laboratory was established. Yuan brother stands in the frontier of cyberspace and waits for new comrades-in-arms.
The moment that made him God will eventually return.