License protections & software cracking

How software license enforcement works, how it is cracked, and how cracking can be made harder. And how to make it very hard to create keymakers.

Originally presented at Opkoko 2012. Also presented at HEAVENS project 2013.

License protections & software cracking

  1. License Protections & Software Cracking
     Originally presented at OpKoko 2012
     By Peter Magnusson (twitter: @blaufish_)
     Also do check out sakerhetspodcasten.se

  2. /* agenda */: intro, License Protections, cracking, Defending!, Cracking tools

  3. Can you prevent cracking?

  4. Trusted Computing Base
     • You cannot protect against a local attacker with unlimited access to hardware
     • Client SW – There is no TCB
     • Locked clients?

  5. Massive Multiplayer Online
     (diagram: Server, client, TCB)

  6. /* agenda */: intro, License Protections, cracking, Defending!, Cracking tools

  7. License protections

  8. License protections

        licenseIsValid() {
          License lic = load(license.txt)
          checksum = lic.a XOR lic.b
          return lic.c == checksum
        }

     Weakness?

  9. 2008-11-18: Tie license to hw?

        licenseIsValid() {
          License lic = load(license.txt)
          checksum = lic.a XOR lic.b
          if ( lic.machine != GetMachine() ) { return false; }
          return lic.c == checksum
        }

  10. KeyMaker

        licenseIsValid() {
          License lic = load(license.txt)
          checksum = lic.a XOR lic.b
          return lic.c == checksum
        }

        KeyMaker() {
          License lic = new License()
          lic.a = random()
          lic.b = random()
          lic.c = lic.a XOR lic.b
          save(license.txt)
        }

  11. KeyMakers
      Analyze software → Understand check algorithm → Extract/inverse algorithm → KeyMaker

  12. XOR etc is bad…
      Verify vs. Sign
      Classic problem, solved! Symmetric vs. Asymmetric

  13. Asymmetric Signature
      (diagram: License Generator holds Secret and Public key; License Check holds only the Public key; the License flows from generator to check)
      Share Public key but not Secret Key

  14. Asymmetric Signature

        licenseIsValid() {
          License lic = load(license.txt)
          return pubKey.verifySignature(lic.sign, lic.data)
        }

        serverLicenseGen() {
          License lic = new License( ... )
          lic.sign = privKey.sign(lic.data)
          ...
        }

        KeyMaker() {
          throw Exception("No privKey. Sad KeyMaker!")
        }
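Slides 8 to 14 in working form, as an added example that is not the deck's own code: the XOR check from slide 8 is kept only for contrast (any self-consistent a, b, a XOR b triple passes, which is all the slide-10 keymaker does), and the slide-14 design is carried through with Ed25519 from Go's standard library. The license format (a JSON payload plus detached signature), the field names, and the function names ServerLicenseGen, LicenseIsValid and XorLicenseIsValid are my assumptions; the deck only sketches them as pseudocode.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// License is a constructed license format for this example (not the deck's):
// the signed payload and the detached Ed25519 signature over it.
type License struct {
	Data []byte `json:"data"`
	Sign []byte `json:"sign"`
}

// LicenseData is the constructed payload the vendor vouches for.
type LicenseData struct {
	Licensee string `json:"licensee"`
	Expires  string `json:"expires"`
	Seats    int    `json:"seats"`
}

// ServerLicenseGen (assumed name, after slide 14's serverLicenseGen) runs only
// on the vendor's server, the one place that holds the private key.
func ServerLicenseGen(priv ed25519.PrivateKey, d LicenseData) (License, error) {
	data, err := json.Marshal(d)
	if err != nil {
		return License{}, err
	}
	return License{Data: data, Sign: ed25519.Sign(priv, data)}, nil
}

// LicenseIsValid (assumed name, after slide 14's licenseIsValid) ships in the
// client with only the public key embedded. Extracting that key from the
// binary lets a keymaker verify licenses, not mint them.
func LicenseIsValid(pub ed25519.PublicKey, lic License) bool {
	// Length checks first: ed25519.Verify panics on a malformed public key.
	if len(pub) != ed25519.PublicKeySize || len(lic.Sign) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, lic.Data, lic.Sign)
}

// XorLicenseIsValid is slide 8's check, for contrast: the only "secret" is the
// algorithm itself, so any (a, b, a^b) triple passes without any key.
func XorLicenseIsValid(a, b, c uint32) bool {
	return c == a^b
}

func main() {
	// nil reader means crypto/rand.Reader.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	lic, err := ServerLicenseGen(priv, LicenseData{Licensee: "Example Corp", Expires: "2099-12-31", Seats: 5})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine license valid:", LicenseIsValid(pub, lic))

	// Constructed tampering: edit the signed payload (seats 5 -> 500) but keep
	// the old signature. Verification must fail.
	tampered := lic
	tampered.Data = []byte(`{"licensee":"Example Corp","expires":"2099-12-31","seats":500}`)
	fmt.Println("tampered license valid:", LicenseIsValid(pub, tampered))

	fmt.Println("xor license accepted without any secret:", XorLicenseIsValid(0x1234, 0xabcd, 0x1234^0xabcd))
}
```

The point the deck makes on slide 13 is visible in the type signatures: ServerLicenseGen needs the ed25519.PrivateKey, LicenseIsValid needs only the ed25519.PublicKey, so nothing the client binary contains is sufficient to forge a license. The check still has to survive slide 19's binary patching, which is a separate problem that signatures do not solve.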
  15. /* agenda */: intro, License Protections, cracking, Defending!, Cracking tools

  16. Cracking
      Reverse Engineering
      Binary Patching

  17. (image only)

  18. Classic anti-piracy code

        if ( softwareNotModified() ) { ... }
        if ( usbDongleInserted() ) { ... }
        if ( licenseIsValid() ) { ... }

  19. if( … ) … → if ( not … ) …

        CALL …
        TEST EAX, EAX
        JE … → JNE …
        0x74 → 0x75

      Change 1 bit to corrupt an if-guard

  20. /* agenda */: intro, License Protections, cracking, Defending!, Cracking tools

  21. oh shit…
      Making reverse engineering harder

  22. Voodoo! Obstruct cracking
      • Check many times
        – More guards!
        – Unpredictable timing for guards

        timer {
          t => random()
          e => guard()
        }

  23. Voodoo! Obstruct cracking
      • Silent guard
        – Program works "less than great" instead of complaining about binary patching detected.
      "game is lagging!" "boss is immortal!" "file corrupted upon save!"
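Slides 22 and 23 combined in working form, as an added example that is not the deck's own code: a guard that re-runs its check at a random interval (the deck's timer { t => random(); e => guard() }) and, on failure, does not complain but arms a flag that unrelated game logic consults later. GameState, StartGuard, BossTakesDamage and the failing check are constructed for the example; what the check actually verifies (a license, a code checksum, a dongle) is left as a callback because the deck lists several.

```go
package main

import (
	"fmt"
	"math/rand"
	"sync"
	"sync/atomic"
	"time"
)

// GameState is a constructed stand-in for the protected program. A failed
// guard never shows a "tampering detected" dialog; it only sets a flag that
// ordinary game logic reads later (slide 23's silent guard).
type GameState struct {
	degraded int32 // accessed atomically; 1 once any guard has failed
}

// Degraded reports whether some guard has tripped since start.
func (g *GameState) Degraded() bool { return atomic.LoadInt32(&g.degraded) == 1 }

// BossTakesDamage is the "boss is immortal!" symptom: once degraded, damage
// silently stops applying, far away from the code that noticed the problem.
func (g *GameState) BossTakesDamage(hp, dmg int) int {
	if g.Degraded() {
		return hp
	}
	return hp - dmg
}

// StartGuard (assumed name) re-runs check after a random wait in [min, max),
// slide 22's "timer { t => random(); e => guard() }". Several guards with
// different checks and intervals can run side by side. Close done to stop it;
// the returned WaitGroup lets the caller wait for the goroutine to exit.
func StartGuard(g *GameState, check func() bool, min, max time.Duration, done <-chan struct{}) *sync.WaitGroup {
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		for {
			wait := min
			if max > min {
				wait += time.Duration(rand.Int63n(int64(max - min)))
			}
			select {
			case <-done:
				return
			case <-time.After(wait):
				if !check() {
					atomic.StoreInt32(&g.degraded, 1)
				}
			}
		}
	}()
	return &wg
}

func main() {
	var g GameState
	done := make(chan struct{})
	// Constructed check that always fails, standing in for a guard whose
	// license or integrity check no longer passes on a patched binary.
	wg := StartGuard(&g, func() bool { return false }, 10*time.Millisecond, 50*time.Millisecond, done)
	time.Sleep(200 * time.Millisecond)
	close(done)
	wg.Wait()
	fmt.Println("degraded:", g.Degraded())
	fmt.Println("boss hp after 30 damage:", g.BossTakesDamage(100, 30))
}
```

The random wait is what makes the guard hard to find by watching for a periodic call; the separation between the place that sets the flag and the place that reads it is what makes the symptom hard to trace back to the guard. Both properties are lost if the guard and the degradation live in the same function.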
  24. Voodoo! Obstruct cracking
      • Obfuscators, Packers
        – Obstruct Disassemblers and Unpackers
        – Old obfuscators probably cracked by crackers!
        – Test how well it actually obfuscated!

  25. Voodoo! Obstruct cracking
      • Anti-Debug
        – Code that makes debugger puke
        – Detours, P-Code etc.: Fredrik Sjöström http://sakerhetspodcasten.se/?p=67

  26. /* agenda */: intro, License Protections, cracking, Defending?, Cracking tools

  27. Cracking tools

  28. Cracking Tools (Embedded)
      • Hardware Tools / Techniques
        – Dump memory etc using JTAG/Debug
        – Read ROM chips
        – Cool down RAM and read/dump memory in external RAM reader
      • Great sources:
        – Travis Goodspeed
        – "Cold boot attacks", "Frost" attack

  29. Cracking Tools
      • Decompilers & disassemblers
        – Translate binary to assembler, C, Java, VB
        – IDA Pro, Reflector, ILSpy, JD-GUI etc.
      (illustration: Game.DEX byte dump → package game; public class Game { public static void main(...)

  30. Cracking Tools
      • Debuggers
        – Attach to process and show code variables while running.
        – OllyDbg, Visual Studio for .NET etc
      Attach to process: GAME.EXE
      Add break point on: game.dll ! DecryptGameFiles
      Inspect memory, stack, etc…

  31. Cracking Tools
      • Tracing tools
        – Show system calls, JIT-compiles, file access
        – strace, procmon, kdd

        FILE LOAD: Foo.Assembly
        COMPILE: Foo.CopyProtections
        COMPILE: Foo.CopyProtections.IsLicenseOK()

  32. Cracking Tools
      • Process dumper
        – Copy running process memory to file
        – Analyze what is in memory
      (illustration: PROCESS → PROCESS.DMP, same bytes in both)

  33. Cracking Tools
      • Unpackers and de-obfuscators
        – Remove various protections added
      (illustration: Game.Encrypted.EXE byte dump → package game; public class Game { public static void main(...)

  34. FIN, ACK
