Software protection from a hacker’s perspective
Мы должны знать намерения своих врагов. “You need to know the arguments of your enemies” replied an aristocratic landowner in a Russian novel when asked why he had books by Karl Marx on his shelves. This is not unlike the world of software protection where good protection is only possible if you know the methods and tools used by your hackers.
Let’s pretend I’m a hacker, but only theoretically, of course. Why do I hack software? Mainly because I can and it’s fun. But most importantly I earn money from it. I don’t just let anybody use my hacks in the Internet. I sell them. I’m not politically motivated like hacker groups who compromise online systems and bring down the websites of public authorities and governmental organizations.
Who am I dealing with?
Before I begin, I try to get as much information as possible about the protected software. What anti-piracy system does it use? Is it a commercially available product or a homegrown solution? How’s it integrated into the software? Via an API or a wrapper? Does it have a dongle or is the license tied to a computer? Will my client supply me an executable version or do I have to work without a license? And finally: what pitfalls can I expect to encounter?
I divide my hacks into two categories: trivial ones which don’t need a license and challenges which do. In the latter case, I act like Rambo at the end of the first book. No, not the film, but the book. I take my time and am very careful, as I am not sure what fatal traps my license faces. With CodeMeter for example you can expect lots of nasty things. I’ve managed to destroy many of their dongles because the lads from Wibu are always coming up with new ideas. If I switch sides one day, I’ll go there.
Crack without license
First I examine the software to see whether the executable code is encrypted. There are people around who think they can scare me off by using a packer like UPX. As far as I’m concerned, compressed software is just like unencrypted software. The properties of the application allow me to recognize very quickly which packer or encryption tool has been used. The section names give it away immediately.
If the application is unencrypted I analyze it using a disassembler. IDA Pro is a very good one for native applications. For .NET applications I like to use Reflector, even if you now have to pay for it. The disassembler takes a while to do its job, so I sit at my PlayStation 3 for a couple of hours. But it’s worth waiting. Afterwards you get a diagram of the program flow, and a list of functions names and linked libraries. Now I want to change the program and very quickly find the best place to redirect a jump i.e. where to change a JNZ to a JZ so the program jumps if the license isn’t found. This is not actually the type of hack I like at all as you can’t make money from it. How do I control its distribution and stop other hackers from giving it away? Usually I distribute my trivial hacks for free, my motto being “He who makes no effort deserves to be stolen from.”
By the way, you can contract me as a consultant. I would then analyze your software as a good guy, like Robert Redford in Sneakers. When I get a contract job from a company, the first I hear are stories about all the great things the R&D engineers have built into the software in attempts to confuse me. Actually what confuses me most is that my JNZ patch doesn’t seem to have any effect.
I have two approaches for encrypted software, and both of them need a license. In the first approach I start the software and wait untill it’s sitting unencrypted in memory. I then do a memory dump and reconstruct the software from it.
By the way, did I mention I hate CodeMeter®? I hate it because it only lets part of the software sit unencrypted in memory. The dump is then like a puzzle but without any type of pattern. My biggest challenge is to get the software to run so that all parts are eventually decrypted. I have to use the software intensively to do this. Unfortunately, I’m not an expert user of boring geology software. And even if I were, how would I know if every function’s been run at least once? The best test plans of a manufacturer only manage to test about 80% of the software. If I managed 100% I would make a fortune selling test tools. I would then be sitting under a sun umbrella on a Caribbean beach sipping cocktails every day. Or maybe I’d buy a villa in Baden Baden.
I don’t really like this type of hack either. For one thing, I have to protect it somehow if I want to sell it, and then I have to repeat the hack each time a new version of the software is released. How am I supposed to get rich if I can’t automate anything?
I decide to change the hack and write my own tools to automatically remove the protective encryption wrap. This means I only have to press a button when a new version is released or when I come across a piece of software with the same protection. Up till now I’ve seldom had to change anything to cope with new releases. These tools give me an edge over my competitors. By the way, did I mention I hate CodeMeter®? CodeMeter® inserts encrypted traps into the software. If I fall into one of them the license is deactivated. And so far I haven’t managed to detect them all. I guess they must have spent of lot of time designing them. For today, I think I’ll do the hacks with the other two dongles. I’ll look at the CodeMeter® dongle some time next week when I have nothing else to do.
Record Playback / Emulation
My favorite hack is the emulation or record/playback hack. I hook up between the software and the dongle. There are people around who think they can stop me by encrypting their communications data. It might work with most people but not with me. Here again I have a competitive edge over all those wannabe hackers.
Just as I expected: CodeMeter’s encrypted their communications data. At first glance, it’s just like other decent dongles do. The fact that CodeMeter uses an open source driver (USB flash driver) rather than a proprietary one doensn’t help me or hinder me. I spend ages battling with CodeMeter’s anti-debug measures. Other dongles are child’s play in comparison.
I now listen in on the traffic flowing between the dongle and software, and produce a simulation, emulation or playback driver. It’s both easy to sell and protect from piracy. And generally speaking it’s scalable for future versions. It’s my money printing press. I don’t even have to listen in any more on some older dongles. I just need some data from the dongle and I have enough information to fully emulate it. A homegrown algorithm was never a good idea. Unfortunately, so many people use AES, now that this type of hack hardly works anymore. By the way, CodeMeter® was one of the first dongles to use AES. Even the old WibuKey used the standardized FEAL algorithm, which was a real tough nut to crack but thanks to the 40 bit export control I managed it eventually. The new WibuKey uses 64 bit FEAL which neither I nor my rivals have managed to crack. A well-implemented standard is, and always will be, the hacker’s enemy.
My record/playback doesn’t work either with CodeMeter®. They use a method called P-RID (RID = Required Information Decryption). The required data is multiply stored in the software. Different sequences are randomly fetched (random in terms of time and computer, P = Probabilistic). I’m nowhere near understanding it yet, though there does seem to be an encryption layer within the encrypted channel. It appears to extend from the protected application to the CmDongle. I can’t find anything about it in either the manual or the user API. What’s for sure though is that the Wibu concept has three layers of protection during communication: the outer (simple) encryption, the inner encryption and the random components. By the way, did I tell you I hate CodeMeter®? I’m giving up on it for now. Maybe I’ll have a look at it again next week. For the time being though, I’ll concentrate on my other hacks.
Of course the world isn’t just black and white, and I have to combine a number of approaches to get my hack right. As I earn my money from my hacks, I make sure they are protected and try to use scalable solutions. Once you get it working, you can make money from it all the time. When CodeMeter®’s involved though, it’s like doing a puzzle. I more or less have to start all over again every time a new version is released. And the number of licenses, or better said, client licenses I’ve managed to kill; they weren’t too pleased about it.
I like a sporting challenge, but with CodeMeter® it’s nothing but a load of sequences and the same old boring, tiresome analysis. I hate it. I’m never sure I’ve got the full solution. Of course there are differences here too. I’ve come across software with lousy CodeMeter® integration. Such software is then easy to crack.
If I give my client a memory dump of a software where CodeMeter® has been skillfully integrated, it won’t be long before I hear complaints. It doesn’t work anymore, or the hack computes the wrong results. The problem is, I don’t really understand the software. I might be a very good hacker, but at the end of day, I’m just a hacker.
Result of the 2011 Hacker’s Contest in Russia
A Hacker’s contest was held by Wibu-Systems for the first time in Russia from November 23 to December 8, 2011.
The reward of the Hacker’s contest was 20 000 Euro. 114 participants were registered in the contest. The main objective of the Hacker’s contest was to run the software, protected by a Wibu hardware key CmStick without a security key.
However, Wibu hardware solutions have been so resistant to cracking, that neither party could overcome their defense, and the hefty amount of 20 000 Euro remains in the Wibu coffers.
The hacker’s contest in Russia reconfirms the highest level of protection provided by the solutions from Wibu-Systems.
Russia is famous for its ingenious hackers and outstanding professionals in the field of encryption. This is an accepted fact! But even the originality and ingenuity of our professionals has not helped them to break the solutions of Wibu-Systems. The results of the Hacker’s contest show that software developers can be absolutely confident in the safety of their intellectual property using solutions from Wibu-Systems.
KEYnote 23 – Edition Spring 2012