How software license enforcement works, how license protections are cracked, how cracking can be made harder, and how to make it very hard to create keymakers.
Originally presented at OpKoko 2012. Also presented at HEAVENS project 2013.
License protections & software cracking
1. License Protections & Software Cracking
Originally presented at OpKoko 2012
By Peter Magnusson ( twitter: @blaufish_ )
Also do check out sakerhetspodcasten.se
4. Trusted Computing Base
• You cannot protect against a local attacker with unlimited access to hardware
• Client SW – There is no TCB
• Locked clients?
22. Voodoo! Obstruct cracking
• Check many times
– More guards!
– Unpredictable timing for guards
timer {
t => random()
e => guard()
}
23. Voodoo! Obstruct cracking
• Silent guard
– Program works “less than great” instead of complaining about binary patching detected.
“game is lagging!”
“boss is immortal!”
“file corrupted upon save!”
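A sketch combining slides 22 and 23, added here as an illustration and not taken from the presentation: a guard that re-hashes protected bytes at randomly drawn intervals and, on a mismatch, only latches a flag that unrelated code later turns into degraded behaviour. The class and function names, the SHA-256 comparison, the delay bounds and the sample bytes are assumptions.

```python
import hashlib
import hmac
import random
import threading

class SilentGuard:
    """Re-hashes protected bytes at unpredictable times; never reports tampering."""

    def __init__(self, read_protected, expected_sha256,
                 min_delay=5.0, max_delay=120.0, rng=None):
        self._read = read_protected            # callable returning the current bytes
        self._expected = expected_sha256       # hex digest recorded at build time
        self._min, self._max = min_delay, max_delay
        self._rng = rng or random.SystemRandom()
        self.degraded = False                  # latched; read far from the check site

    def next_delay(self):
        # "t => random()": every round draws a fresh, unpredictable wait
        return self._rng.uniform(self._min, self._max)

    def check(self):
        # "e => guard()": no exception, no message, only a latched flag
        digest = hashlib.sha256(self._read()).hexdigest()
        if not hmac.compare_digest(digest, self._expected):
            self.degraded = True

    def arm(self):
        # One-shot timer that re-arms itself with a new random delay each time
        def fire():
            self.check()
            self.arm()
        timer = threading.Timer(self.next_delay(), fire)
        timer.daemon = True
        timer.start()
        return timer

def frame_delay_ms(guard, base_ms=16):
    # Silent response ("game is lagging!"): unrelated code consults the flag
    return base_ms * 8 if guard.degraded else base_ms

if __name__ == "__main__":
    code = bytearray(b"constructed stand-in for protected code bytes")
    guard = SilentGuard(lambda: bytes(code), hashlib.sha256(code).hexdigest())
    guard.check()
    print("intact:", frame_delay_ms(guard), "ms per frame")
    code[0] ^= 0xFF                            # simulate a one-byte binary patch
    guard.check()
    print("patched:", frame_delay_ms(guard), "ms per frame")
```

Because the flag is latched and read elsewhere, restoring the patched byte after a check does not clear the degraded state, and the symptom appears away from the code that detected the change.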
24. Voodoo! Obstruct cracking
• Obfuscators, Packers
– Obstruct Disassemblers and Unpackers
– Old obfuscators probably cracked by crackers!
– Test how well it actually obfuscates!
25. Voodoo! Obstruct cracking
• Anti-Debug
– Code that makes debugger puke
– Detours, P-Code etc.: Fredrik Sjöström
http://sakerhetspodcasten.se/?p=67
28. Cracking Tools (Embedded)
• Hardware Tools / Techniques
– Dump memory etc using JTAG/Debug
– Read ROM chips
– Cool down RAM and read/dump the memory in an external RAM reader
• Great sources:
– Travis Goodspeed
– "Cold boot attacks", "Frost" attack
29. Cracking Tools
• Decompilers & disassemblers
– Translate binaries to assembler, C, Java, VB
– IDA Pro, Reflector, ILSpy, JD-GUI etc.
Game.DEX
71378b93x313e3e
12378603120707312073
12 789321907812307
package game;
public class Game {
public static void main(...
30. Cracking Tools
• Debuggers
– Attach to process and show code variables while running.
– OllyDbg, Visual Studio for .NET etc
Attach to process: GAME.EXE
Add break point on: game.dll ! DecryptGameFiles
Inspect memory, stack, etc…
32. Cracking Tools
• Process dumper
– Copy running process memory to file
– Analyze what is in memory
PROCESS
71378b93x313e3e
PROCESS.DMP
71378b93x313e3e
33. Cracking Tools
• Unpackers and de-obfuscators
– Remove various protections added
Game.Encrypted.EXE
71378b93x313e3e
12378603120707312073
12 789321907812307
package game;
public class Game {
public static void main(...