Download - License protections & software cracking

1

License Protections & Software Cracking

Originally presented at OpKoko 2012By Peter Magnusson ( twitter: @blaufish_ )Also do check out sakerhetspodcasten.se

2

/* agenda */

intro License Protections

crackingDefending!

Cracking tools

3

Can you prevent cracking?

hard

4

Trusted Computing Base• You cannot protect against an local

attacker with unlimited access to hardware

• Client SW – There is no TCB

• Locked clients?

5

Massive Multiplayer Online

Server

client

DATA

TCB

6

/* agenda */


crackingDefending!

Cracking tools

7

License protections

8

License protections

licenseIsValid() { License lic = load(license.txt) checksum = lic.a XOR lic.b return lic.c == checksum }

Weakness?

9 2008-11-18

Tie license to hw?

licenseIsValid() { License lic = load(license.txt) checksum = lic.a XOR lic.b

if ( lic.machine != GetMachine() { return false; }

return lic.c == checksum }

10

KeyMakerlicenseIsValid() { License lic = load(license.txt) checksum = lic.a XOR lic.b return lic.c == checksum

KeyMaker() { License lic = new License() lic.a = random() lic.b = random() checksum = lic.a XOR lic.b save(license.txt) }

11

KeyMakers

Understand check algorithm

Analyze software

KeyMaker

Extract/inverse algorithm

12

XOR etc is bad…

Verify Sign

Classic problem, solved!

Symetric Asymetric

13

Asymetric Signatur

License Generator

License Check

Secret Public

Public

LicenseShare Public key

but not Secret Key

14

Asymetrisk Signatur

licenseIsValid() { License lic = load(license.txt) pubKey.verySignature(lic.sign, lic.data) }

serverLicenseGen() { License lic = new License( ... ) lic.sign = privKey.sign(lic.data) ...

KeyMaker() { throw Exception(“No privKey. Sad KeyMaker! ”) }

15

/* agenda */


cracking

Defending!

Cracking tools

16

Cracking

Reverse EnigneeringBinary Patching

18

Classic anti-piracy code

if ( softwareNotModified() ) { ... }

if ( usbDongleInserted() ) { ... }

if ( licenseIsValid() ) { ... }

19

if( … ) … if ( not … ) …CALL …

TEST EAX, EAX

JE … JNE …

0x74 0x75. Change 1 bit to corrupt an if-guard

20

/* agenda */


cracking

Defending!

Cracking tools

21

oh shit…

Making reverse engineering harder

22

Voodoo! Obstruct cracking• Check many times

– More guards!– Unpredictable timing for guards

timer { t => random() e => guard()}

23

Voodoo! Obstruct cracking• Silent guard

– Program works "less than great” instead of complaining about binary patching detected.

“game is lagging!”

“boss is immortal!”

“file corrupted upon save!”

24

Voodoo! Obstruct cracking• Obfuscators, Packers

– Obstruct Disassemblers and Unpackers– Old obfuscators probly cracked by crackers! – Test how well it actually obfuscated!

25

Voodoo! Obstruct cracking• Anti-Debug

– Code that makes debugger puke– Detours, P-Code osv: Fredrik Sjöström

http://sakerhetspodcasten.se/?p=67

26

/* agenda */


crackingDefending?

Cracking tools

27

Cracking tools

28

Cracking Tools (Embedded)• Hardware Tools / Techniques

– Dump memory etc using JTAG/Debug– Read ROM chips– Cool down RAM and read dump memory in

external RAM reader

• Great sources:– Travis Goodspeed– "Cold boot attacks", "Frost" attack

29

Cracking Tools• Decompilers & disassemblers

– Translates binary to assembler, C, java, VB– IDA Pro, Reflector, ILSpy, JD-GUI m.m.

Game.DEX

71378b93x313e3e 12378603120707312073

12 789321907812307

package game;public class Game { public static void main(...

30

Cracking Tools• Debuggers

– Attach to process and show code variables while running.

– OllyDbg, Visual Studio for .NET etc

Attach to process: GAME.EXEAdd break point on: game.dll ! DecryptGameFilesInspect memory, stack, etc…

31

Cracking Tools• Tracing tools

– Show systemcalls, JIT-compiles, file access– strace, procmon, kdd

FILE LOAD: Foo.AssemblyCOMPILE: Foo.CopyProtectionsCOMPILE: Foo.CopyProtections.IsLicenseOK()

32

Cracking Tools• Process dumper

– Copy running process memory to file– Analyze what is in memory

PROCESS

71378b93x313e3e

PROCESS.DMP

71378b93x313e3e

33

Cracking Tools• Unpackers and de-obfuscators

– Remove various protections added

Game.Encryted.EXE

71378b93x313e3e 12378603120707312073

12 789321907812307

package game;public class Game { public static void main(...

34

FIN, ACK