Wibu-Systems has been organizing hackers' contests for many years to prove the strength of its protection and security technologies. By involving hackers early on in the process and letting the door open even to countries like Russia and China known to have the highest piracy rates in the world, we prove that our products represent the pinnacle of secure licensing and intellectual property protection.
And the result is: No contestant has ever succeeded in cracking the sample application protected by CodeMeter. Customers can stay reassured that Wibu-Systems does not just enforce high quality standards of its own, but is also taking the necessary steps to have hackers, crackers, and pirates test its technology first hand before it is commercialized.
Global Hackers' Contest 2017
To test the validity and strength of the newly patented encryption method Blurry Box, integrated with the anti-debug and obfuscation methods of CodeMeter Protection Suite, we launched a new contest, open to all hackers around the globe. The underlying principle of Blurry Box is the exact opposite of “security through obscurity”; based on Kerckhoffs’ Principle, Blurry Box cryptography uses published methods that greatly increase the complexity and time required for an attack to be successful.
The contenders were delivered a game application protected with Blurry Box cryptography that came with its license stored in a CmDongle. Between May 15th and June 2nd, they were requested to hack the protected game and prove they could run it without the provided dongle and without any Internet connection to a jury consisting of IT security scientists and independent from the challenge partners (Wibu-Systems, Karlsruhe Institute of Technology, and FZI ResearchCenter for Information Technology).
None of the 315 international contendants managed to send in a full crack of the encryption scheme. The only two exploits that were received were found to be incomplete: They simulated a record playback attack that did not lead to any valid result or playable game. The two participants who submitted their partial solution received a volunteer award of €1,000 each. The remaining €48,000 of the original prize at stake will go towards further research and development.
Défi Wibu-Systems: imbattu pour la quatrième fois
No protection system can be 100% secure. But we keep trying. In the past, we have organised competitions at Wibu-Systems to test the security quality of our products. In these competitions, a protected program was published, and it was shown that its protection could not be cracked and made to run without the corresponding license in the WibuBox. This practical test is serious and relevant to software manufacturers who want to publish protected software products for free download from their websites. In our Hackers Contest 2007, we went one step further and the participants not only received the protected application, but also a CmDongle with the corresponding license. Over a thousand contestants entered the competition with prize money worth 32768 euro (or US-$ 40000).
To win the contest participates had to manipulate software protected by CodeMeter® so it would run without the CmDongle.
Competition with 2 functions
Program only executable with CmDongle
Function 1: Feature bit set in the CmDongle -> run
Function 2: Feature bit not set in the CmDongle
Both functions display a password
Find out 2 passwords.
Program must be completely executable without the CmDongle.
Send solution and cracked program via email to Wibu-Systems.
1092 contestants from 27 countries entered the contest and had up to six weeks to remove the copy protection and claim the attractive prize money of 32768 euro (or US $ 40000). Most contestants came from Germany, followed by China, USA, the Netherlands, Poland, Hungary, France, Great Britain, and the Ukraine.
Although the challenge was theoretically solvable, none of the contestants could fully remove the protection. Most of the contestants fell into the trap of trying to by-pass the intruder detection and had their license locked in the CmStick. The only remaining option was to use brute force attacks to decrypt the code. The chance of breaking the 128 bit AES encryption was pracitically zero.
No one succeeded completely
No attack against the encryption
No attack against the hardware or manipulation of the Feature Map
Other contestants stumbled at other hurdles. But we did receive some excellent partial solutions and we rewarded these contestants with prizes worth between 500 and 2000 euro. Hackers or Crackers follow different paths to developers, and the partial solutions were an important input for us. These partial winners discovered some weaknesses in our system which we not seen before. The discovery of these weaknesses has allowed us to strengthen our overall security.
Partial memory dump
Partial record/ playback approach
Partial solutions awarded with a prizes worth 16000 euro
The Bottom Line
We accept that no security system is 100% secure but a high level of security can be achieved with:
Secure Hardware: the CmDongle provides secure key storage and strong encryption in a smart-card chip. The CodeMeter® system includes crack detection which can lock the license key.
Secure Integration Technology: the code and resources of the protected application are never fully decrypted in the main memory of the PC. Variable encryption, anti-debugging and obfuscation technologies as well as tools to individually integrate the source code are used to further increase security.