license protections & software cracking
DESCRIPTION
How software license enforcement works, how license protections are cracked, and how cracking can be made harder, including how to make it very hard to create keymakers. Originally presented at Opkoko 2012. Also presented at HEAVENS project 2013.
TRANSCRIPT
1
License Protections & Software Cracking
Originally presented at OpKoko 2012
By Peter Magnusson ( twitter: @blaufish_ )
Also do check out sakerhetspodcasten.se
2
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
3
Can you prevent cracking?
hard
4
Trusted Computing Base
• You cannot protect against a local attacker with unlimited access to hardware
• Client SW – There is no TCB
• Locked clients?
5
Massive Multiplayer Online
[Diagram: Server, client, DATA, TCB]
6
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
7
License protections
8
License protections
licenseIsValid() {
    License lic = load(license.txt)
    checksum = lic.a XOR lic.b
    return lic.c == checksum
}
Weakness?
9 2008-11-18
Tie license to hw?
licenseIsValid() {
    License lic = load(license.txt)
    checksum = lic.a XOR lic.b
    if ( lic.machine != GetMachine() ) {
        return false;
    }
    return lic.c == checksum
}
10
KeyMaker
licenseIsValid() {
    License lic = load(license.txt)
    checksum = lic.a XOR lic.b
    return lic.c == checksum
}
KeyMaker() {
    License lic = new License()
    lic.a = random()
    lic.b = random()
    lic.c = lic.a XOR lic.b
    save(license.txt)
}
11
KeyMakers
Understand check algorithm
Analyze software
KeyMaker
Extract/inverse algorithm
12
XOR etc. is bad…
Verify Sign
Classic problem, solved!
Symmetric Asymmetric
13
Asymmetric Signature
License Generator (Secret, Public) → License → License Check (Public)
Share Public key but not Secret Key
14
Asymmetric Signature
licenseIsValid() {
    License lic = load(license.txt)
    return pubKey.verifySignature(lic.sign, lic.data)
}
serverLicenseGen() {
    License lic = new License( ... )
    lic.sign = privKey.sign(lic.data)
    ...
}
KeyMaker() {
    throw Exception("No privKey. Sad KeyMaker!")
}
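The signature-based check from this slide, as an added Go example that is not part of the original talk, using Ed25519 from the Go standard library. The Claims fields, the JSON encoding and the function names are assumptions made for the example; the client holds only the public key, so an edited field or a license signed with any other key fails verification.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Claims is the signed payload; these field names are assumptions for this example.
type Claims struct {
	Customer, Machine string // Machine ties the license to one machine, as on slide 9
}
// License mirrors lic.data and lic.sign from the slide.
type License struct {
	Data, Sign []byte // the exact signed bytes and the Ed25519 signature over them
}

// NewVendorKeys creates the key pair; the private half never leaves the vendor.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ServerLicenseGen runs on the vendor's server only.
func ServerLicenseGen(priv ed25519.PrivateKey, c Claims) (License, error) {
	data, err := json.Marshal(c)
	if err != nil {
		return License{}, err
	}
	return License{Data: data, Sign: ed25519.Sign(priv, data)}, nil
}

// LicenseIsValid ships in the client and needs only the public key.
func LicenseIsValid(pub ed25519.PublicKey, lic License, machine string) bool {
	if !ed25519.Verify(pub, lic.Data, lic.Sign) {
		return false // verify first; never parse unauthenticated fields
	}
	var c Claims
	return json.Unmarshal(lic.Data, &c) == nil && c.Machine == machine
}

func main() {
	pub, priv := NewVendorKeys()
	lic, _ := ServerLicenseGen(priv, Claims{Customer: "constructed", Machine: "machine-A"})
	fmt.Println(LicenseIsValid(pub, lic, "machine-A"), LicenseIsValid(pub, lic, "machine-B"))
}
```

The signature only stops keymakers; the `if ( licenseIsValid() )` guard around it can still be patched out, which is what the following slides cover.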
15
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
16
Cracking
Reverse Engineering
Binary Patching
17
18
Classic anti-piracy code
if ( softwareNotModified() ) { ... }
if ( usbDongleInserted() ) { ... }
if ( licenseIsValid() ) { ... }
19
if ( … ) …          if ( not … ) …
CALL …
TEST EAX, EAX
JE …                JNE …
0x74                0x75
Change 1 bit to corrupt an if-guard
20
/* agenda */
intro License Protections
cracking
Defending!
Cracking tools
21
oh shit…
Making reverse engineering harder
22
Voodoo! Obstruct cracking
• Check many times
– More guards!
– Unpredictable timing for guards
timer {
    t => random()
    e => guard()
}
23
Voodoo! Obstruct cracking
• Silent guard
– Program works "less than great" instead of complaining about binary patching detected.
"game is lagging!"
"boss is immortal!"
"file corrupted upon save!"
24
Voodoo! Obstruct cracking
• Obfuscators, Packers
– Obstruct Disassemblers and Unpackers
– Old obfuscators probably cracked by crackers!
– Test how well it actually obfuscated!
25
Voodoo! Obstruct cracking
• Anti-Debug
– Code that makes debugger puke
– Detours, P-Code etc.: Fredrik Sjöström
http://sakerhetspodcasten.se/?p=67
26
/* agenda */
intro License Protections
cracking
Defending?
Cracking tools
27
Cracking tools
28
Cracking Tools (Embedded)
• Hardware Tools / Techniques
– Dump memory etc. using JTAG/Debug
– Read ROM chips
– Cool down RAM and read (dump) memory in external RAM reader
• Great sources:
– Travis Goodspeed
– "Cold boot attacks", "Frost" attack
29
Cracking Tools
• Decompilers & disassemblers
– Translates binary to assembler, C, Java, VB
– IDA Pro, Reflector, ILSpy, JD-GUI etc.
Game.DEX
71378b93x313e3e 12378603120707312073
12 789321907812307
package game;
public class Game { public static void main(...
30
Cracking Tools
• Debuggers
– Attach to process and show code variables while running.
– OllyDbg, Visual Studio for .NET etc.
Attach to process: GAME.EXE
Add break point on: game.dll ! DecryptGameFiles
Inspect memory, stack, etc…
31
Cracking Tools
• Tracing tools
– Show system calls, JIT compiles, file access
– strace, procmon, kdd
FILE LOAD: Foo.Assembly
COMPILE: Foo.CopyProtections
COMPILE: Foo.CopyProtections.IsLicenseOK()
32
Cracking Tools
• Process dumper
– Copy running process memory to file
– Analyze what is in memory
PROCESS
71378b93x313e3e
PROCESS.DMP
71378b93x313e3e
33
Cracking Tools
• Unpackers and de-obfuscators
– Remove various protections added
Game.Encryted.EXE
71378b93x313e3e 12378603120707312073
12 789321907812307
package game;
public class Game { public static void main(...
34
FIN, ACK