1
License Protections & Software Cracking
Originally presented at OpKoko 2012
By Peter Magnusson ( twitter: @blaufish_ )
Also do check out sakerhetspodcasten.se
2
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
3
Can you prevent cracking?
hard
4
Trusted Computing Base
• You cannot protect against a local attacker with unlimited access to hardware
• Client SW – There is no TCB
• Locked clients?
5
Massive Multiplayer Online
Server
client
DATA
TCB
6
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
7
License protections
8
License protections
licenseIsValid() {
    License lic = load(license.txt)
    checksum = lic.a XOR lic.b
    return lic.c == checksum
}
Weakness?
9 2008-11-18
Tie license to hw?
licenseIsValid() {
    License lic = load(license.txt)
    checksum = lic.a XOR lic.b
    if ( lic.machine != GetMachine() ) {
        return false;
    }
    return lic.c == checksum
}
10
KeyMaker
licenseIsValid() {
    License lic = load(license.txt)
    checksum = lic.a XOR lic.b
    return lic.c == checksum
}
KeyMaker() {
    License lic = new License()
    lic.a = random()
    lic.b = random()
    checksum = lic.a XOR lic.b
    lic.c = checksum    // the check compares lic.c against this value
    save(license.txt)
}
11
KeyMakers
Understand check algorithm
Analyze software
KeyMaker
Extract/inverse algorithm
12
XOR etc is bad…
Verify Sign
Classic problem, solved!
Symmetric Asymmetric
13
Asymmetric Signature
License Generator
License Check
Secret Public
Public
License
Share Public key
but not Secret Key
14
Asymmetric Signature
licenseIsValid() {
    License lic = load(license.txt)
    return pubKey.verifySignature(lic.sign, lic.data)
}
serverLicenseGen() {
    License lic = new License( ... )
    lic.sign = privKey.sign(lic.data)
    ...
}
KeyMaker() {
    throw Exception("No privKey. Sad KeyMaker!")
}
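Added example, not part of the original slides: the signed-license scheme above written in Go with Ed25519 from the standard library, combined with the machine binding from the "Tie license to hw?" slide. The License field names, the sample user and machine values, and the demo() helper are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// License field names are assumptions; the slides only name lic.data and lic.sign.
type License struct {
	User, Machine string
	Sign          []byte
}

// data is the signed payload; the NUL separator keeps the two fields unambiguous.
func (l License) data() []byte { return []byte(l.User + "\x00" + l.Machine) }

// serverLicenseGen runs on the vendor's server, the only place the private key exists.
func serverLicenseGen(priv ed25519.PrivateKey, user, machine string) License {
	lic := License{User: user, Machine: machine}
	lic.Sign = ed25519.Sign(priv, lic.data())
	return lic
}

// licenseIsValid runs in the client, which ships with the public key only.
func licenseIsValid(pub ed25519.PublicKey, lic License, thisMachine string) bool {
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a malformed key
		return false
	}
	return lic.Machine == thisMachine && ed25519.Verify(pub, lic.data(), lic.Sign)
}

// demo reports whether each license is accepted: genuine, edited, moved, signed by a foreign key.
func demo() (genuine, edited, moved, foreign bool) {
	pub, priv, err := ed25519.GenerateKey(nil)     // vendor key pair; nil selects crypto/rand
	_, otherPriv, err2 := ed25519.GenerateKey(nil) // stands in for a key that is not the vendor's
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	lic := serverLicenseGen(priv, "alice", "HW-1234") // constructed sample values
	tampered := lic
	tampered.User = "bob" // payload changed after signing
	selfSigned := serverLicenseGen(otherPriv, "mallory", "HW-1234")
	return licenseIsValid(pub, lic, "HW-1234"), licenseIsValid(pub, tampered, "HW-1234"),
		licenseIsValid(pub, lic, "HW-9999"), licenseIsValid(pub, selfSigned, "HW-1234")
}

func main() {
	fmt.Println(demo()) // true false false false
}
```

The signature only removes the key maker; the verification call is still an if-guard inside the client binary, which is the problem the following slides turn to.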
15
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
16
Cracking
Reverse Engineering
Binary Patching
17
18
Classic anti-piracy code
if ( softwareNotModified() ) { ... }
if ( usbDongleInserted() ) { ... }
if ( licenseIsValid() ) { ... }
19
if ( … ) …        if ( not … ) …
CALL …
TEST EAX, EAX
JE …              JNE …
0x74              0x75
Change 1 bit to corrupt an if-guard
20
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
21
oh shit…
Making reverse engineering harder
22
Voodoo! Obstruct cracking
• Check many times
– More guards!
– Unpredictable timing for guards
timer {
    t => random()
    e => guard()
}
23
Voodoo! Obstruct cracking
• Silent guard
– Program works “less than great” instead of complaining that binary patching was detected.
“game is lagging!”
“boss is immortal!”
“file corrupted upon save!”
24
Voodoo! Obstruct cracking
• Obfuscators, Packers
– Obstruct Disassemblers and Unpackers
– Old obfuscators probably cracked by crackers!
– Test how well it actually obfuscated!
25
Voodoo! Obstruct cracking
• Anti-Debug
– Code that makes debugger puke
– Detours, P-Code etc.: Fredrik Sjöström
http://sakerhetspodcasten.se/?p=67
26
/* agenda */
intro License Protections
cracking
Defending?
Cracking tools
27
Cracking tools
28
Cracking Tools (Embedded)
• Hardware Tools / Techniques
– Dump memory etc. using JTAG/Debug
– Read ROM chips
– Cool down RAM and dump the memory in an external RAM reader
• Great sources:
– Travis Goodspeed
– "Cold boot attacks", "Frost" attack
29
Cracking Tools
• Decompilers & disassemblers
– Translates binary to assembler, C, Java, VB
– IDA Pro, Reflector, ILSpy, JD-GUI, etc.
Game.DEX
71378b93x313e3e 12378603120707312073
12 789321907812307
package game;
public class Game { public static void main(...
30
Cracking Tools
• Debuggers
– Attach to process and show code variables while running.
– OllyDbg, Visual Studio for .NET etc
Attach to process: GAME.EXE
Add break point on: game.dll ! DecryptGameFiles
Inspect memory, stack, etc…
31
Cracking Tools
• Tracing tools
– Show system calls, JIT-compiles, file access
– strace, procmon, kdd
FILE LOAD: Foo.Assembly
COMPILE: Foo.CopyProtections
COMPILE: Foo.CopyProtections.IsLicenseOK()
32
Cracking Tools
• Process dumper
– Copy running process memory to file
– Analyze what is in memory
PROCESS
71378b93x313e3e
PROCESS.DMP
71378b93x313e3e
33
Cracking Tools
• Unpackers and de-obfuscators
– Remove various protections added
Game.Encrypted.EXE
71378b93x313e3e 12378603120707312073
12 789321907812307
package game;
public class Game { public static void main(...
34
FIN, ACK