License protections & software cracking

How software license enforcement works, how it is cracked, and how cracking can be made harder, including how to make it very hard to create keymakers.

Originally presented at Opkoko 2012. Also presented at HEAVENS project 2013.


  1. License Protections & Software Cracking. Originally presented at OpKoko 2012 by Peter Magnusson (twitter: @blaufish_). Also do check out sakerhetspodcasten.se
  2. /* agenda */ intro, License Protections, cracking, Defending!, Cracking tools
  3. Can you prevent cracking?
  4. Trusted Computing Base
     • You cannot protect against a local attacker with unlimited access to hardware
     • Client SW – there is no TCB
     • Locked clients?
  5. Massive Multiplayer Online (diagram: Server and client; the TCB is the server side)
  6. /* agenda */ intro, License Protections, cracking, Defending!, Cracking tools
  7. License protections
  8. License protections
         licenseIsValid() {
           License lic = load(license.txt)
           checksum = lic.a XOR lic.b
           return lic.c == checksum
         }
     Weakness?
  9. Tie license to hw?
         licenseIsValid() {
           License lic = load(license.txt)
           checksum = lic.a XOR lic.b
           if ( lic.machine != GetMachine() ) { return false; }
           return lic.c == checksum
         }
  10. KeyMaker
         licenseIsValid() {
           License lic = load(license.txt)
           checksum = lic.a XOR lic.b
           return lic.c == checksum
         }
         KeyMaker() {
           License lic = new License()
           lic.a = random()
           lic.b = random()
           lic.c = lic.a XOR lic.b
           save(license.txt)
         }
  11. KeyMakers: Analyze software → Understand check algorithm → Extract/inverse algorithm → KeyMaker
  12. XOR etc is bad… Verify → Sign. Classic problem, solved! Symmetric → Asymmetric
  13. Asymmetric Signature: the License Generator holds the Secret key, the License Check holds the Public key. Share the Public key but not the Secret key.
  14. Asymmetric Signature
         licenseIsValid() {
           License lic = load(license.txt)
           return pubKey.verifySignature(lic.sign, lic.data)
         }
         serverLicenseGen() {
           License lic = new License( ... )
           lic.sign = privKey.sign(lic.data)
           ...
         }
         KeyMaker() {
           throw Exception("No privKey. Sad KeyMaker!")
         }
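The contrast between slides 8 to 14, as an added example that is not from the original talk: the XOR "checksum" check from slide 8 is placed beside a signature-based check in the style of slide 14, using Ed25519 from Go's standard library. The license fields (a, b, c, machine), the constructed machine id "machine-A" and the serialisation in licenseData are assumptions made for this example. The point it demonstrates is the one the slides make: a license whose only protection is a checksum computed from its own fields is accepted by the weak check as soon as the checksum rule is known, whereas a license signed with a key the client never has cannot be produced, and cannot even be re-bound to another machine, without failing verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// License mirrors the slide's license.txt: fields a, b, c (the weak XOR
// checksum), a machine id (slide 9) and an asymmetric signature (slide 14).
type License struct {
	A, B, C uint32
	Machine string
	Sig     []byte
}

// weakLicenseIsValid is slide 8's check: c must equal a XOR b. Anyone who
// reads this rule out of the binary can write a file that satisfies it.
func weakLicenseIsValid(lic License) bool {
	return lic.C == lic.A^lic.B
}

// licenseData serialises every field the signature must cover. Including the
// machine id means a signed license cannot be moved to another machine by
// editing that field (assumed layout, constructed for this example).
func licenseData(lic License) []byte {
	buf := make([]byte, 12, 12+len(lic.Machine))
	binary.BigEndian.PutUint32(buf[0:], lic.A)
	binary.BigEndian.PutUint32(buf[4:], lic.B)
	binary.BigEndian.PutUint32(buf[8:], lic.C)
	return append(buf, []byte(lic.Machine)...)
}

// serverLicenseGen runs on the vendor side, the only place the private key exists.
func serverLicenseGen(priv ed25519.PrivateKey, a, b uint32, machine string) License {
	lic := License{A: a, B: b, C: a ^ b, Machine: machine}
	lic.Sig = ed25519.Sign(priv, licenseData(lic))
	return lic
}

// signedLicenseIsValid ships with the client; only the public key is embedded.
// ed25519.Verify returns false for a missing, truncated or forged signature.
func signedLicenseIsValid(pub ed25519.PublicKey, lic License, thisMachine string) bool {
	if lic.Machine != thisMachine {
		return false
	}
	return ed25519.Verify(pub, licenseData(lic), lic.Sig)
}

// Demo issues one genuine license, builds one that only satisfies the XOR rule
// (the output a slide-10 style KeyMaker would produce), and re-binds the
// genuine one to a different machine. It reports what each check accepts.
func Demo() (weakAcceptsForged, signedAcceptsForged, signedAcceptsGenuine, signedAcceptsRebound bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const machine = "machine-A" // constructed hardware id for the example
	genuine := serverLicenseGen(priv, 0xCAFE, 0xBEEF, machine)

	forged := License{A: 1234, B: 5678, Machine: machine}
	forged.C = forged.A ^ forged.B // satisfies slide 8, has no signature

	rebound := genuine
	rebound.Machine = "machine-B" // signature no longer matches the data

	return weakLicenseIsValid(forged),
		signedLicenseIsValid(pub, forged, machine),
		signedLicenseIsValid(pub, genuine, machine),
		signedLicenseIsValid(pub, rebound, "machine-B")
}

func main() {
	w, f, g, r := Demo()
	fmt.Printf("weak XOR check accepts forged license:      %v\n", w)
	fmt.Printf("signature check accepts forged license:     %v\n", f)
	fmt.Printf("signature check accepts genuine license:    %v\n", g)
	fmt.Printf("signature check accepts re-bound license:   %v\n", r)
}
```

Running it prints true, false, true, false. Two design points carry the slides' argument: the signature covers every field the client relies on (here including the machine id), so a field the check reads cannot be edited independently of the signature; and the client binary contains only the public key, so studying the check, which slide 11 shows is always possible, yields no way to produce new licenses. This raises the bar against keymakers only; as slides 16 to 19 note, the check itself can still be patched out of the binary.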
  15. /* agenda */ intro, License Protections, cracking, Defending!, Cracking tools
  16. Cracking: Reverse Engineering, Binary Patching
  17. (image-only slide, no text)
  18. Classic anti-piracy code
         if ( softwareNotModified() ) { ... }
         if ( usbDongleInserted() ) { ... }
         if ( licenseIsValid() ) { ... }
  19. if ( … ) … → if ( not … ) …
         CALL …
         TEST EAX, EAX
         JE … → JNE …
      0x74 → 0x75. Change 1 bit to corrupt an if-guard
  20. /* agenda */ intro, License Protections, cracking, Defending!, Cracking tools
  21. oh shit… Making reverse engineering harder
  22. Voodoo! Obstruct cracking
      • Check many times – More guards! – Unpredictable timing for guards
         timer { t => random(), e => guard() }
  23. Voodoo! Obstruct cracking
      • Silent guard – Program works "less than great" instead of complaining that binary patching was detected. "game is lagging!" "boss is immortal!" "file corrupted upon save!"
  24. Voodoo! Obstruct cracking
      • Obfuscators, Packers – Obstruct disassemblers and unpackers – Old obfuscators are probably already cracked by crackers! – Test how well it actually obfuscated!
  25. Voodoo! Obstruct cracking
      • Anti-Debug – Code that makes the debugger puke – Detours, P-Code etc.: Fredrik Sjöström http://sakerhetspodcasten.se/?p=67
  26. /* agenda */ intro, License Protections, cracking, Defending?, Cracking tools
  27. Cracking tools
  28. Cracking Tools (Embedded)
      • Hardware Tools / Techniques – Dump memory etc. using JTAG/Debug – Read ROM chips – Cool down RAM and dump it in an external RAM reader
      • Great sources: – Travis Goodspeed – "Cold boot attacks", "Frost" attack
  29. Cracking Tools
      • Decompilers & disassemblers – Translate binary to assembler, C, Java, VB – IDA Pro, Reflector, ILSpy, JD-GUI etc. (illustration: Game.DEX bytes → package game; public class Game { public static void main(...)
  30. Cracking Tools
      • Debuggers – Attach to a process and show code and variables while running. – OllyDbg, Visual Studio for .NET etc. (illustration: Attach to process: GAME.EXE; Add breakpoint on: game.dll ! DecryptGameFiles; Inspect memory, stack, etc…)
  31. Cracking Tools
      • Tracing tools – Show system calls, JIT compiles, file access – strace, procmon, kdd (illustration: FILE LOAD: Foo.Assembly; COMPILE: Foo.CopyProtections; COMPILE: Foo.CopyProtections.IsLicenseOK())
  32. Cracking Tools
      • Process dumper – Copy running process memory to a file – Analyze what is in memory (illustration: PROCESS → PROCESS.DMP)
  33. Cracking Tools
      • Unpackers and de-obfuscators – Remove the various protections that were added (illustration: Game.Encrypted.EXE bytes → package game; public class Game { public static void main(...)
  34. FIN, ACK