concours hackers

Défi Wibu-Systems: imbattu pour la quatrième fois

No protection system can be 100% secure. But we keep trying. In the past, we have organised competitions at Wibu-Systems to test the security quality of our products. In these competitions, a protected program was published, and it was shown that its protection could not be cracked and made to run without the corresponding license in the WibuBox. This practical test is serious and relevant to software manufacturers who want to publish protected software products for free download from their websites.
In our Hackers Contest 2007, we went one step further and the participants not only received the protected application, but also a CmDongle with the corresponding license. Over a thousand contestants entered the competition with prize money worth 32768 euro (or US-$ 40000).

Tâche

To win the contest participates had to manipulate software protected by CodeMeter^® so it would run without the CmDongle.

Competition with 2 functions
• Program only executable with CmDongle
• Function 1: Feature bit set in the CmDongle -> run
• Function 2: Feature bit not set in the CmDongle
• Both functions display a password

Task:
• Find out 2 passwords.
• Program must be completely executable without the CmDongle.
• Send solution and cracked program via email to Wibu-Systems.

Contestants

1092 contestants from 27 countries entered the contest and had up to six weeks to remove the copy protection and claim the attractive prize money of 32768 euro (or US $ 40000). Most contestants came from Germany, followed by China, USA, the Netherlands, Poland, Hungary, France, Great Britain, and the Ukraine.

Result

Although the challenge was theoretically solvable, none of the contestants could fully remove the protection. Most of the contestants fell into the trap of trying to by-pass the intruder detection and had their license locked in the CmStick. The only remaining option was to use brute force attacks to decrypt the code. The chance of breaking the 128 bit AES encryption was pracitically zero.

No one succeeded completely
• No attack against the encryption
• No attack against the hardware or manipulation of the Feature Map

Other contestants stumbled at other hurdles. But we did receive some excellent partial solutions and we rewarded these contestants with prizes worth between 500 and 2000 euro. Hackers or Crackers follow different paths to developers, and the partial solutions were an important input for us. These partial winners discovered some weaknesses in our system which we not seen before. The discovery of these weaknesses has allowed us to strengthen our overall security.

Partial solutions
• Partial memory dump
• Partial record/ playback approach
• Partial solutions awarded with a prizes worth 16000 euro

The Bottom Line

We accept that no security system is 100% secure but a high level of security can be achieved with:

• Secure Hardware: the CmDongle provides secure key storage and strong encryption in a smart-card chip. The CodeMeter^® system includes crack detection which can lock the license key.
• Secure Integration Technology: the code and resources of the protected application are never fully decrypted in the main memory of the PC. Variable encryption, anti-debugging and obfuscation technologies as well as tools to individually integrate the source code are used to further increase security.