Copy Protection & Cracking History

Transcript

1. MindCamp 6 May 23-25, 2014 MindCamp 6 May 23-25, 2014

2. Copy protection & cracking history By @Kartones

3. Agenda • Storage of data • Techniques of copy protection

   • Cheating (bonus section)

4. Storage Filesystem • Recommended encrypted – Even in consoles &

   mobile • Easy to detect – Process Monitor – Obfuscation useless

5. Storage System Registry (Windows) • Recommended encrypted • Easy to

   detect – Process Monitor – Not very safe

6. Storage Remote Server • Depends on server security • Depends

   on connection QoS

7. Storage Paper! • Code Wheels • Instructions manual words

8. Storage Cassetes • Cheap

9. Storage Cassetes • Easy & cheap to copy

10. Storage Cartidges • Hardware bound • Really hard to copy

11. Storage Cartidges • Always possible to dump • Once hacked,

    multi-game cartidges

12. Storage NES Floppy Disks

13. Storage NES Floppy Disks

14. Storage Floppy Disks • Special “unreadable” sectors • Custom partition

    formats

15. Storage Floppy Disks • Always a way to copy or

    convert

16. Storage Custom Optical Drives • Hard or impossible to duplicate

    • Propietary formats • Physical modifications

17. Storage Custom Optical Drives • Console mod to accept other

    format (e.g. GD-ROM -> CD-ROM) • ISO dump & ISO loader • Can be faster than original!

18. Storage A/V Streaming • Emerging technology • Usually subscription-based

19. Storage A/V Streaming • Classic cracking impossible • Probably fake

    accounts • Still not widely used

20. Techniques Undocummented Hardware/Firmware • Modified motherboards / CPU / firmwares

    – E.g. XBox 360 DVD drive special firmware

21. Techniques Undocummented Hardware/Firmware • Hidden backdoors – 360 DVDdrive debug

    mode • Engineers with time – Firmware “diffs” • Documentation leaks • CPU exceptions • Firmware glitches

22. Techniques ROM & Flash based storage • ROM OS Bootstrap

    – Cannot be modified – Can be encrypted (Xbox 360 onwards) • Main OS data on Flash • Can get more complex – Boot mini-ROM -> decrypt ROM -> check Flash hash -> boot flash

23. Techniques ROM & Flash based storage • “Chips” w/secondary ROM

    – Boot original -> redirect to 2nd ROM • Satellite software can have bugs – PSP: Tiff buffer overflow – Xbox: Unsigned Dashboard font files – Savegame buffer vulnerabilities Great paper: 17 Mistakes Microsoft Made in the Xbox Security System

24. Techniques Time/Uses based Trial • Stops working after X days/uses

    • Usually allows full version – Exception: 3DS demos

25. Techniques Time/Uses based Trial • System clock == trivial “crack”

    • Encrypt value – 1st launch date, # remaining uses… • Only obfuscation? BAD – Process Monitor

26. Techniques CD-Check • CD must be in drive • Unreadable

    sectors • Special formatted partitions • Usually combined (like CD-Key) • Made game load slower • DEPRECATED

27. Techniques CD-Check • Clone CD, Blindwrite… – able to read

    most CDs • CD-Drive emulators + ISOs – DaemonTools • Cracks – Disable or fake check • Special FAIL mention: PS2 Game Swap Trick

28. Techniques Game CD-Key • Permanent, unbinded • Reusable – Local

    validity check – Online check • install and/or play time – Online activation with # max activations

29. Techniques Game CD-Key • Extract validation algorithm – Create a

    Keygen • Patch validation algorithm – Allow to accept anything as valid – Crack • Distribute CD-Keys in .NFO – Blacklisting + online checks rendered this obsolete

30. Techniques Registration CD-Key • Binds upon registering • User/Email +

    Password • As safe as user password • Validation at install time • Usually online validation at play time • Binds IAPs to a certain account • Commercial services available – Microsoft SLP – Steam – Apple Store, Play Store…

31. Techniques Registration CD-Key • Patch validation algorithm • Create fake

    validation server app

32. Techniques PC Hardware binded • Network MAC, HDD Serial, CPU

    ID… • Severe restrictions – Any change needs reactivation

33. Techniques PC Hardware binded • Device ID emulators • Bypassing

    checks

34. Techniques USB Dongle • Needs plugged at launch time •

    Uncommon for videogames • Copy-protected – HDD special partitions – HDD sectors with special data – Custom Hardware – Custom Firmware

35. Techniques USB Dongle • Dongle emulator • Patch validation algorithm

    • Extract validation binaries, distribute them

36. Techniques Online play • Remote servers • Sometimes game data

    online only

37. Techniques Online play • Dump & decrypt received game data

    – Singleplayer games • Server emulator – Multiplayer games – Hard to keep up with updates

38. Techniques CD-Key/Serial Generation • Assymetric encryption • Partial Key Verification

39. Techniques CD-Key/Serial Generation • Crypto expert can always detect encryption

    pattern in dissasembled code

40. Techniques Code/Data Obfuscation • Binaries obfuscation – Headers manipulation –

    Packing… • Custom/obfuscated data formats

41. Techniques Code/Data Obfuscation • Java/.NET/ASM dissassemblers • Reflection tools –

    Managed languages • Patient cracker will discover any “hidden” format – e.g. Game File Format Central website

42. Techniques Binaries Encryption • Many tools available for PC •

    Consoles now do it – Even for the ROM

43. Techniques Binaries Encryption • IDA (cross-platform dissasembler & debugger) •

    Memory dumpers • Emulation systems – If you can’t crack it, emulate a legit scenario – Slower than a real crack

44. Techniques Binaries Signing • Binary comes “clean” -> can’t run

    • “Something” signs -> can run – Usually per-user signature – System-wide signature • e.g. system updates • Consoles • Some mobile platforms

45. Techniques Binaries Signing • If gets broken, SPOF – XBox360

    JTAG: Auto self-signing

46. Techniques Gaming SDKs • Steam, Games For Windows Live *

    • Memory & binaries protection – Unsafe memory modification -> crash to desktop – Anti-debugging measures – Disallows game modding • Except if game has solid modding SDK

47. Techniques Gaming SDKs • Generic SDK == Generic crack Tool

    – SteamEmu, rev-emu, rev-launcher – XLiveLess • Always ends up cracked/emulated

48. Cheating Hardware

49. Cheating Software

50. Final Advice Crackers have more time and more determination than

    you Focus on quality content, not anti-piracy measures

51. The End Slides will be at http://slides.kartones.net