License protections & software cracking

License Protections & Software Cracking

Originally presented at OpKoko 2012By Peter Magnusson ( twitter: @blaufish_ )Also do check out sakerhetspodcasten.se

/* agenda */

intro License Protections

crackingDefending!

Cracking tools

Can you prevent cracking?

Trusted Computing Base• You cannot protect against an local

attacker with unlimited access to hardware

• Client SW – There is no TCB

• Locked clients?

Massive Multiplayer Online

Server

client

/* agenda */

crackingDefending!

Cracking tools

License protections

licenseIsValid() { License lic = load(license.txt) checksum = lic.a XOR lic.b return lic.c == checksum }

Weakness?

9 2008-11-18

Tie license to hw?

licenseIsValid() { License lic = load(license.txt) checksum = lic.a XOR lic.b

if ( lic.machine != GetMachine() { return false; }

return lic.c == checksum }

KeyMakerlicenseIsValid() { License lic = load(license.txt) checksum = lic.a XOR lic.b return lic.c == checksum

KeyMaker() { License lic = new License() lic.a = random() lic.b = random() checksum = lic.a XOR lic.b save(license.txt) }

KeyMakers

Understand check algorithm

Analyze software

KeyMaker

Extract/inverse algorithm

XOR etc is bad…

Verify Sign

Classic problem, solved!

Symetric Asymetric

Asymetric Signatur

License Generator

License Check

Secret Public

Public

LicenseShare Public key

but not Secret Key

Asymetrisk Signatur

licenseIsValid() { License lic = load(license.txt) pubKey.verySignature(lic.sign, lic.data) }

serverLicenseGen() { License lic = new License( ... ) lic.sign = privKey.sign(lic.data) ...

KeyMaker() { throw Exception(“No privKey. Sad KeyMaker! ”) }

/* agenda */

cracking

Defending!

Cracking tools

Cracking

Reverse EnigneeringBinary Patching

Classic anti-piracy code

if ( softwareNotModified() ) { ... }

if ( usbDongleInserted() ) { ... }

if ( licenseIsValid() ) { ... }

if( … ) … if ( not … ) …CALL …

TEST EAX, EAX

JE … JNE …

0x74 0x75. Change 1 bit to corrupt an if-guard

/* agenda */

cracking

Defending!

Cracking tools

oh shit…

Making reverse engineering harder

Voodoo! Obstruct cracking• Check many times

– More guards!– Unpredictable timing for guards

timer { t => random() e => guard()}

Voodoo! Obstruct cracking• Silent guard

– Program works "less than great” instead of complaining about binary patching detected.

“game is lagging!”

“boss is immortal!”

“file corrupted upon save!”

Voodoo! Obstruct cracking• Obfuscators, Packers

– Obstruct Disassemblers and Unpackers– Old obfuscators probly cracked by crackers! – Test how well it actually obfuscated!

Voodoo! Obstruct cracking• Anti-Debug

– Code that makes debugger puke– Detours, P-Code osv: Fredrik Sjöström

http://sakerhetspodcasten.se/?p=67

/* agenda */

crackingDefending?

Cracking tools

Cracking Tools (Embedded)• Hardware Tools / Techniques

– Dump memory etc using JTAG/Debug– Read ROM chips– Cool down RAM and read dump memory in

external RAM reader

• Great sources:– Travis Goodspeed– "Cold boot attacks", "Frost" attack

Cracking Tools• Decompilers & disassemblers

– Translates binary to assembler, C, java, VB– IDA Pro, Reflector, ILSpy, JD-GUI m.m.

Game.DEX

71378b93x313e3e 12378603120707312073

12 789321907812307

package game;public class Game { public static void main(...

Cracking Tools• Debuggers

– Attach to process and show code variables while running.

– OllyDbg, Visual Studio for .NET etc

Attach to process: GAME.EXEAdd break point on: game.dll ! DecryptGameFilesInspect memory, stack, etc…

Cracking Tools• Tracing tools

– Show systemcalls, JIT-compiles, file access– strace, procmon, kdd

FILE LOAD: Foo.AssemblyCOMPILE: Foo.CopyProtectionsCOMPILE: Foo.CopyProtections.IsLicenseOK()

Cracking Tools• Process dumper

– Copy running process memory to file– Analyze what is in memory

PROCESS

71378b93x313e3e

PROCESS.DMP

71378b93x313e3e

Cracking Tools• Unpackers and de-obfuscators

– Remove various protections added

Game.Encryted.EXE

71378b93x313e3e 12378603120707312073

12 789321907812307

package game;public class Game { public static void main(...

FIN, ACK

License protections & software cracking

Technology

Transcript of License protections & software cracking

Protections Catalogue

Playbook - '02 - PASS PROTECTIONS

HUMAN RESEARCH PROTECTIONS - PRISONERS

COLD CRACKING OF WELDS - Sodel - · PDF fileCOLD CRACKING OF WELDS 4. HYDROGEN BEHAVIOUR ... cracking, also called Hydrogen-induced Cracking (HIC) or delayed cracking, occurs when

Updates in Research Protections

Cryptocurrency and Investor Protections

Electrical safety and protections

PROTECTIONS COLLECTIVES - altradequipement.com · PROTECTIONS COLLECTIVES POUR CHARPENTE METALLIQUE pinces IPE rapides, platines à visser ou à cheviller, garde-corps PROTECTIONS

Micom Protections

Consumer Powers and Protections

protections tld 2013

Transmission Line Protections 1

Sovereign Immunity Protections

Pavement Cracking: Mechanisms, Modeling, … Cracking Mechanisms, Modeling, Detection, ... Restrained shrinkage cracking of fiber-reinforced self-consolidating ... Top-down cracking

Station Protections

The protections of God

IGO Protections - ICANN

ALK13 PROTECTIONS - Catalogo

Legal Protections Jingle

Lender Protections in Purchase Agreements: Negotiating ...media.straffordpub.com/products/lender-protections-in-purchase... · Lender Protections in Purchase Agreements: Negotiating