© May 27, 2014 Christian Collberg
Software Protection: How to Crack Programs, and Defend Against Cracking
Lecture 2: Attack Models
Minsk, Belarus, Spring 2014
Christian Collberg, University of Arizona
www.cs.arizona.edu/~collberg
Last week’s lecture
1. Give an example of a software protection scenario!
2. What does MATE stand for?
3. What is obfuscation?
4. What are the three kinds of obfuscating transformations?
5. What is tamperproofing?
6. What two actions make up a tamperproofing algorithm?
7. Give an example of a tamperproofing algorithm!
When? Where? Why?
1. We now meet Wednesday 18:30
2. We meet in Auditorium Π-13 (1st floor)
3. Please check the website for important announcements: www.cs.arizona.edu/~collberg/Teaching/bsuir/2014
Today’s lecture
1. Attack models
2. Constructing attack trees
3. Cracking binaries
Models
To build secure systems, we need sound models.
Which security properties should be assured?
What type of attacks can be launched?
Principle of Easiest Penetration
Definition (Principle of Easiest Penetration)
An adversary must be expected to use any available means of penetration — not the most obvious means, and not against the part of the system that has been best defended.
The attacker will not behave the way we want him to behave.
Attack Trees
We need to model threats against computer systems.
What are the different ways in which a system can be attacked?
If we can understand this, we can design proper countermeasures.
Attack trees are a way to methodically describe the security of a system.
Structure of Attack Trees
The root node is the overall goal the attacker wants to achieve.
Attack trees have both AND and OR nodes:
  OR: Alternatives to achieving a goal.
  AND: Different steps toward achieving a goal.
Each node is a subgoal.
Child nodes are ways to achieve a subgoal.
Example I — Open a Safe
Open Safe
  Pick Lock
  Learn Combo
    Find Written Combo
    Get Combo From Target
      Threaten
      Blackmail
      Eavesdrop [and]
        Listen to Convo
        Get target to state Combo
      Bribe
  Cut Open Safe
  Install Improperly
Example I — Open a Safe
Examine the safe/safe owner/attacker’s abilities/etc. and assign values to the nodes:
  P = Possible
  I = Impossible
The value of an OR node is possible if any of its children are possible.
The value of an AND node is possible if all children are possible.
A path of Ps from a leaf to the root is a possible attack!
Once you know the possible attacks, you can think of ways to defend against them!
Example I — Open a Safe
Open Safe (P)
  Pick Lock (I)
  Learn Combo (P)
    Find Written Combo (I)
    Get Combo From Target (P)
      Threaten (I)
      Blackmail (I)
      Eavesdrop (I) [and]
        Listen to Convo (P)
        Get target to state Combo (I)
      Bribe (P)
  Cut Open Safe (P)
  Install Improperly (I)
Example I — Open a Safe
We can be more specific and model the cost of an attack.
Costs propagate up the tree:
  OR nodes: take the min of the children.
  AND nodes: take the sum of the children.
Example I — Open a Safe
Open Safe ($10K)
  Pick Lock ($30K)
  Learn Combo ($20K)
    Find Written Combo ($75K)
    Get Combo From Target ($20K)
      Threaten ($60K)
      Blackmail ($100K)
      Eavesdrop ($60K) [and]
        Listen to Convo ($20K)
        Get target to state Combo ($40K)
      Bribe ($20K)
  Cut Open Safe ($10K)
  Install Improperly ($100K)
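The propagation rules from the Example I slides (OR: possible if any child is possible, cost is the min; AND: possible if all children are possible, cost is the sum), applied to the safe tree with the slides' P/I labels and $K costs. This is an added example, not part of the original lecture; the `Node` class, the function names and the $100K repricing of "Cut Open Safe" are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    """One subgoal. Leaves carry the analyst's estimates; inner nodes derive theirs."""
    name: str
    kind: str = "LEAF"                 # "LEAF", "OR" or "AND"
    possible: bool = False             # leaf only: P (True) or I (False)
    cost: int = 0                      # leaf only: attacker cost in $K
    children: Tuple["Node", ...] = ()


def leaf(name: str, possible: bool, cost: int) -> Node:
    return Node(name, "LEAF", possible, cost)


def is_possible(n: Node) -> bool:
    """OR: any child possible. AND: all children possible."""
    if n.kind == "LEAF":
        return n.possible
    results = [is_possible(c) for c in n.children]
    return all(results) if n.kind == "AND" else any(results)


def cheapest(n: Node) -> Tuple[int, List[str]]:
    """Cost of the cheapest attack and the leaves it uses. OR: min. AND: sum."""
    if n.kind == "LEAF":
        return n.cost, [n.name]
    sub = [cheapest(c) for c in n.children]
    if n.kind == "AND":
        return sum(c for c, _ in sub), [x for _, leaves in sub for x in leaves]
    return min(sub, key=lambda s: s[0])


def possible_attacks(n: Node) -> List[List[str]]:
    """Every set of leaves that gives an all-P path up to this node."""
    if n.kind == "LEAF":
        return [[n.name]] if n.possible else []
    sub = [possible_attacks(c) for c in n.children]
    if n.kind == "OR":
        return [attack for alternatives in sub for attack in alternatives]
    # AND: combine one attack from every child; empty if any child has none.
    return [[x for part in combo for x in part] for combo in product(*sub)]


def reprice(n: Node, name: str, cost: int) -> Node:
    """Copy of the tree with one leaf's cost changed (models a countermeasure)."""
    if n.kind == "LEAF":
        return replace(n, cost=cost) if n.name == name else n
    return replace(n, children=tuple(reprice(c, name, cost) for c in n.children))


# The safe tree, with the P/I labels and $K costs shown on the slides.
EAVESDROP = Node("Eavesdrop", "AND", children=(
    leaf("Listen to Convo", True, 20),
    leaf("Get target to state Combo", False, 40)))
GET_COMBO = Node("Get Combo From Target", "OR", children=(
    leaf("Threaten", False, 60),
    leaf("Blackmail", False, 100),
    EAVESDROP,
    leaf("Bribe", True, 20)))
LEARN_COMBO = Node("Learn Combo", "OR", children=(
    leaf("Find Written Combo", False, 75),
    GET_COMBO))
SAFE = Node("Open Safe", "OR", children=(
    leaf("Pick Lock", False, 30),
    LEARN_COMBO,
    leaf("Cut Open Safe", True, 10),
    leaf("Install Improperly", False, 100)))

if __name__ == "__main__":
    print("root possible:", is_possible(SAFE))
    print("cheapest attack:", cheapest(SAFE))
    print("possible attacks:", possible_attacks(SAFE))
    # Constructed countermeasure: a safe that costs $100K to cut open.
    hardened = reprice(SAFE, "Cut Open Safe", 100)
    print("cheapest after hardening:", cheapest(hardened))
```

Raising the cost of the cheapest leaf only moves the attacker to the next-cheapest branch, which is why the defender has to look at the whole tree rather than at one node.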
Example II — Read a Message
Goal: Read a message sent from computer A to B.
1. Convince sender to reveal message
   1. Bribe user, OR
   2. Blackmail user, OR
   3. Threaten user, OR
   4. Fool user.
2. Read message while it is being entered
   1. Monitor electromagnetic radiation, OR
   2. Visually monitor computer screen.
3. Read message while stored on A’s disk.
   1. Get access to hard drive, AND
   2. Read encrypted file.
Example II — Read a Message
4. Read message while being sent from A to B.
   1. Intercept message in transit, AND
   2. Read encrypted message.
5. Convince recipient to reveal message
   1. Bribe user, OR
   2. Blackmail user, OR
   3. Threaten user, OR
   4. Fool user.
6. Read message while it is being read
   1. Monitor electromagnetic radiation, OR
   2. Visually monitor computer screen.
Example II — Read a Message
7. Read message when being stored on B’s disk.
   1. Get stored message from B’s disk after decryption
      1. Get access to disk, AND
      2. Read encrypted file.
      OR
   2. Get stored message from backup tapes after decryption.
8. Get paper printout of message
   1. Get physical access to safe, AND
   2. Open the safe.
In-class Exercise: Attack Trees
Alice wants to make sure that Bob cannot log into any account on the Unix machine she is administering.
Alice draws an attack tree to see what Bob’s attack options are.
Show the tree!
Source: Michael S. Pallos, http://www.bizforum.org/whitepapers/candle-4.htm.
In-class Exercise II
Every night, Alice, 16, sits down with her laptop in front of the TV in the living room and adds a paragraph to her diary, describing her latest dating adventures.
Bob, her 13-year-old bratty brother, would love to get his grubby hands on her writings.
Help Bob plan an attack (or Alice to defend herself against an attack!) by constructing a detailed attack tree!
In-class Exercise II. . .
Bob knows this about Alice:
1. She writes and stores her diary directly on her laptop.
2. The hard drive is encrypted with 512-bit AES.
3. She’s written down her pass-phrase on a post-it note.
4. She stores the post-it note in a safe in her bedroom.
In-class Exercise II. . .
1. The safe is locked with a 5-pin pin-and-tumbler lock.
2. She carries the key to the safe on a chain around her neck wherever she goes.
3. She leaves the laptop next to her bed at night.
4. The laptop is always connected to the Internet over wifi.
In-class Exercise II. . .
We know the following about Bob:
1. He can roam freely around the house.
2. His paper-route has given him the financial means to purchase various attack tools off the Internet.
In-class Exercise II. . .
Your solution should consider both physical attacks and cyber attacks.
I will only give you credit for attacks and concepts we have discussed in class!
You don’t have to assign costs to the nodes of the tree.
Make sure to mark AND and OR nodes unambiguously.
You can draw the actual tree or, if you prefer, represent the tree with indented, nested, numbered lists.
Attack Targets
Who’s our adversary?
What does a typical program look like?
What valuables does the program contain?
What is the adversary’s motivation for attacking your program?
What information does he start out with as he attacks your program?
Who’s our adversary. . . ?
What is his overall strategy for reaching his goals?
What tools does he have at his disposal?
What specific techniques does he use to attack the program?
Example Program
[Figure: block diagram of the example player. Labels: audio, player key, encrypted media, tamper-detect, license-check, decrypt, decode, analogue, fingerprint, violation-response, activation code, user key.]
Example Program
```c
#include <stdio.h>   /* FILE, printf, scanf, fprintf, fflush */
#include <time.h>    /* time */

typedef unsigned int uint;
typedef uint* waddr_t;
uint player_key = 0xbabeca75;    /* key embedded in the player */
uint the_key;
uint* key = &the_key;
FILE* audio;
int activation_code = 42;

void FIRST_FUN() {}              /* marks the start of the hashed code region */
uint hash(waddr_t addr, waddr_t last) {
   uint h = *addr;
   for (; addr <= last; addr++) h ^= *addr;
   return h;
}
void die(char* msg) {            /* violation response */
   fprintf(stderr, "%s!\n", msg);
   key = NULL;
}

uint play(uint user_key,
          uint encrypted_media[],
          int media_len) {
   int code;
   printf("Please enter activation code: ");
   scanf("%i", &code);
   if (code != activation_code) die("wrong code");   /* license check */

   *key = user_key ^ player_key;

   int i;
   for (i = 0; i < media_len; i++) {
      uint decrypted = *key ^ encrypted_media[i];
      asm volatile (                                  /* fingerprint */
         "jmp L1            \n\t"
         ".align 4          \n\t"
         ".long 0xb0b5b0b5  \n\t"
         "L1:               \n\t"
      );
      if (time(0) > 1221011472) die("expired");       /* use-before check */
      float decoded = (float)decrypted;
      fprintf(audio, "%f\n", decoded); fflush(audio);
   }
}
void LAST_FUN() {}               /* marks the end of the hashed code region */
uint player_main(uint argc, char *argv[]) {
   /* The three initializers below are elided on the slide. */
   uint user_key = ...
   uint encrypted_media[100] = ...
   uint media_len = ...
   uint hashVal = hash((waddr_t)FIRST_FUN,
                       (waddr_t)LAST_FUN);
   if (hashVal != HASH) die("tampered");             /* tamper detection */
   play(user_key, encrypted_media, media_len);
}
```
What’s the Adversary’s Motivation?
The adversary wants to
  remove the protection semantics.
  add his own attack semantics (ability to save game-state, print, ...)
  ensure that the core semantics remains unchanged.
[Figure: two versions of program P. One shows Protection Semantics and Core Semantics; the other shows Protection Semantics, Core Semantics and Attack Semantics.]
What does he want to do to our Player program?
  get decrypted digital media
  extract the player key
  use the program after the expiration date
    remove use-before check
    remove activation code
  distribute the program to other users
    remove fingerprint 0xb0b5b0b5
  reverse engineer the algorithms in the player
What are the methods of attack?
1. the black box phase
   feed the program inputs,
   record its outputs,
   draw conclusions about its behavior.
2. the dynamic analysis phase
   execute the program
   record which parts get executed for different inputs.
3. the static analysis phase
   examining the executable code directly
   use disassembler, decompiler, ...
What are the methods of attack?
4. the editing phase
   use understanding of the internals of the program
   modify the executable
   disable license checks
5. the automation phase
   encapsulates his knowledge of the attack in an automated script
   use in future attacks.
36 / 79
Cracking with gdb

Learning the executable (Linux)

1. Print dynamic symbols:

    > objdump -T player2

2. Disassemble:

    > objdump -d player2 | head

3. Start address:

    > objdump -f player2 | grep start

4. Address and size of segments:

    > objdump -x player2 | egrep 'rodata|text|Name'
Learning the executable (Mac OS X)

1. Print dynamic symbols:

    > objdump -T player2

2. Disassemble:

    > otool -t -v player2

3. Start address:

    > otool -t -v player2 | head

4. Address and size of segments:

    otool -l player2 | gawk '/__text/,/size/{print}'
    otool -l player2 | gawk '/__cstring/,/size/{print}'
Learning the executable

1. Find strings in the program:

    > strings player2

2. The strings and their offsets:

    > strings -o player2

3. The bytes of the executable:

    > od -a player2
Tracing the executable

1. ltrace traces library calls:

    > ltrace -i -e printf player2

2. strace traces system calls:

    > strace -i -e write player2

3. On Mac OS X:

    sudo dtruss player1
Debugging with gdb

1. To start gdb:

    gdb -write -silent --args player2 0xca7ca115 1000

2. Search for a string in an executable:

    (gdb) find startaddress, +length, "string"
    (gdb) find startaddress, stopaddress, "string"
Debugging with gdb

1. Breakpoints:

    (gdb) break *0x......
    (gdb) hbreak *0x......

   hbreak sets a hardware breakpoint which doesn’t modify the executable itself.

2. Watchpoints:

    (gdb) rwatch *0x......
    (gdb) awatch *0x......
Debugging with gdb ...

1. To disassemble instructions:

    (gdb) disass startaddress endaddress
    (gdb) x/3i address
    (gdb) x/i $pc

2. To examine data (x=hex, s=string, d=decimal, b=byte, ...):

    (gdb) x/x address
    (gdb) x/s address
    (gdb) x/d address
    (gdb) x/b address

3. Print register values:

    (gdb) info registers
Debugging with gdb ...

1. Examine the callstack:

    (gdb) where
    (gdb) bt    -- same as where
    (gdb) up    -- previous frame
    (gdb) down  -- next frame

2. Step one instruction at a time:

    (gdb) display/i $pc
    (gdb) stepi -- step one instruction
    (gdb) nexti -- step over function calls

3. Modify a value in memory:

    (gdb) set {unsigned char}address = value
    (gdb) set {int}address = value
Patching executables with gdb

Cracking an executable proceeds in these steps:

1. find the right address in the executable,
2. find what the new instruction should be,
3. modify the instruction in memory,
4. save the changes to the executable file.

Start the program to allow patching:

    > gdb -write -q player1

Make the patch and exit:

    (gdb) set {unsigned char} 0x804856f = 0x7f
    (gdb) quit
Let’s Attack!

Let’s crack!

- Let’s get a feel for the types of techniques attackers typically use.
- Our example cracking target will be the DRM player.
- Our chief cracking tool will be the gdb debugger.
Step 1: Learn about the executable

    > file player
    player: ELF 64-bit LSB executable, dynamically linked
    > objdump -T player
    DYNAMIC SYMBOL TABLE:
    0xa4 scanf
    0x90 fprintf
    0x12 time
    > objdump -x player | egrep 'rodata|text|Name'
    Name     Size   VMA       LMA       File off
    .text    0x4f8  0x4006a0  0x4006a0  0x6a0
    .rodata  0x84   0x400ba8  0x400ba8  0xba8
    > objdump -f player | grep start
    start address 0x4006a0
Step 2: Breaking on library functions

Treat the program as a black box. Feed it inputs to see how it behaves.

    > player 0xca7ca115 1 2 3 4
    Please enter activation code: 42
    expired!
    Segmentation fault

Find the assembly code equivalent of

    if (time(0) > some value) ...

Replace it with

    if (time(0) <= some value) ...
Example Program

        int i;
        for (i=0; i<media_len; i++) {
            /* decrypt one media word with the combined key */
            uint decrypted = *key ^ encrypted_media[i];
            /* expiry check, repeated for every word played */
            if (time(0) > 1221011472) die("expired");
            float decoded = (float)decrypted;
            fprintf(audio, "%f\n", decoded); fflush(audio);
        }
    }
[Figure: Breaking on library functions. Call stack main, play, time; library functions time(), open(), write(); gdb commands shown: gdb --write, break time, bt, set ... 0x7e, quit; the check being located is if (time()>...) abort();]
Step 2: Breaking on library functions

At 0x4008bc is the offending conditional branch:

    > gdb -write -silent --args player 0xca7ca115 \
          1000 2000 3000 4000
    (gdb) break time
    Breakpoint 1 at 0x400680
    (gdb) run
    Please enter activation code: 42
    Breakpoint 1, 0x400680 in time()
    (gdb) where 2
    #0 0x400680 in time
    #1 0x4008b6 in ??
    (gdb) up
    #1 0x4008b6 in ??
    (gdb) disassemble $pc-5 $pc+7
    0x4008b1 callq 0x400680
    0x4008b6 cmp $0x48c72810,%rax
    0x4008bc jle 0x4008c8
X86 condition codes

    CCCC  Name      Means
    0000  O         Overflow
    0001  NO        Not overflow
    0010  C/B/NAE   Carry, below, not above nor equal
    0011  NC/AE/NB  Not carry, above or equal, not below
    0100  E/Z       Equal, zero
    0101  NE/NZ     Not equal, not zero
    0110  BE/NA     Below or equal, not above
    0111  A/NBE     Above, not below nor equal
    1000  S         Sign (negative)
    1001  NS        Not sign
    1010  P/PE      Parity, parity even
    1011  NP/PO     Not parity, parity odd
    1100  L/NGE     Less, not greater nor equal
    1101  GE/NL     Greater or equal, not less
    1110  LE/NG     Less or equal, not greater
    1111  G/NLE     Greater, not less nor equal
Step 2: Breaking on library functions

Patch the executable: replace the jle with a jg (x86 opcode 0x7f).

    (gdb) set {unsigned char}0x4008bc = 0x7f
    (gdb) disassemble 0x4008bc 0x4008be
    0x4008bc jg 0x4008c8
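Seen from the defending side, the patch above is a one-byte difference from the shipped binary. This added example (not from the lecture) compares a known-good copy of the code bytes with an observed copy and uses the condition code table to label a flipped short conditional jump; the byte values are constructed from the page's disassembly, the names are hypothetical, and the check is a byte-level heuristic that does not disassemble.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mnemonic suffix for each 4-bit condition code CCCC, in table order.
   A short conditional jump is the opcode byte 0x70 | CCCC followed by an
   8-bit displacement, so jle is 0x7e and jg is 0x7f. */
static const char *const CC_NAME[16] = {
    "o", "no", "b", "ae", "e", "ne", "be", "a",
    "s", "ns", "p", "np", "l", "ge", "le", "g"
};

struct finding {
    size_t offset;          /* position of the changed byte */
    uint8_t before, after;  /* reference value and observed value */
    int inverted_jcc;       /* 1 if the change negates a short Jcc */
};

/* Compares a known-good code image with the observed one. Stores up to max
   findings in out and returns the total number of differing bytes. */
static size_t diff_images(const uint8_t *good, const uint8_t *seen, size_t n,
                          struct finding *out, size_t max) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (good[i] == seen[i]) continue;
        if (count < max) {
            out[count].offset = i;
            out[count].before = good[i];
            out[count].after = seen[i];
            /* Each condition and its negation differ only in the low bit of
               CCCC (LE = 1110, G = 1111), so opcode ^ 1 inverts the test. */
            out[count].inverted_jcc =
                (good[i] & 0xf0) == 0x70 && seen[i] == (good[i] ^ 1);
        }
        count++;
    }
    return count;
}

/* Writes "jle -> jg" for an inverted jump, else the raw byte values. */
static const char *describe(const struct finding *f, char *buf, size_t len) {
    if (f->inverted_jcc)
        snprintf(buf, len, "j%s -> j%s",
                 CC_NAME[f->before & 0x0f], CC_NAME[f->after & 0x0f]);
    else
        snprintf(buf, len, "0x%02x -> 0x%02x", f->before, f->after);
    return buf;
}

/* Constructed sample: encodings of the callq, cmp and jle instructions in
   the page's disassembly, which starts at address 0x4008b1. */
#define BASE 0x4008b1u
static const uint8_t GOOD[13] = {
    0xe8, 0xca, 0xfd, 0xff, 0xff,               /* callq 0x400680 */
    0x48, 0x3d, 0x10, 0x28, 0xc7, 0x48,         /* cmp $0x48c72810,%rax */
    0x7e, 0x0a                                  /* jle 0x4008c8 */
};

int main(void) {
    uint8_t seen[sizeof GOOD];
    struct finding f[8];
    char buf[32];
    memcpy(seen, GOOD, sizeof GOOD);
    seen[11] = 0x7f;                            /* the page's one-byte patch */
    size_t n = diff_images(GOOD, seen, sizeof GOOD, f, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("0x%x: %s%s\n", (unsigned)(BASE + f[i].offset),
               describe(&f[i], buf, sizeof buf),
               f[i].inverted_jcc ? "  (conditional branch inverted)" : "");
    return 0;
}
```

A byte in the range 0x70 to 0x7f can also be data or part of a longer instruction, so a flagged offset is a lead to confirm with a disassembler.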
Step 3: Static pattern-matching

Search the executable for character strings.

    > player 0xca7ca115 1000 2000 3000 4000
    tampered!
    Please enter activation code: 99
    wrong code!
    Segmentation fault
Example Program

    uint play(uint user_key,
              uint encrypted_media[],
              int media_len) {
        int code;
        printf("Please enter activation code: ");
        scanf("%i",&code);
        /* activation check against the embedded constant */
        if (code != activation_code) die("wrong code");

        /* combine the user's key with the player's embedded key */
        *key = user_key ^ player_key;
[Figure: Static pattern-matching. In gdb, find "wrong!" locates the string msg: .ascii "wrong!" at 0x0b9a; find 0x0b9a then locates the code that references it, if (wrong_code) printf(msg);, at 0x6a3c, which is inspected with disas.]
Step 3: Static pattern-matching

The code that checks the activation code looks something like this:

    addr1: .ascii "wrong code"
           ...
           cmp   read_value,activation_code
           je    somewhere
    addr2: move  addr1,reg0
           call  printf
Step 3: Static pattern-matching

1. Search the data segment to find address addr1 where "wrong code" is allocated.
2. Search through the text segment for an instruction that contains that address as a literal:

    (gdb) find 0x400ba8,+0x84,"wrong code"
    0x400be2
    (gdb) find 0x4006a0,+0x4f8,0x400be2
    0x400862
    (gdb) disassemble 0x40085d 0x400867
    0x40085d cmp %eax,%edx
    0x40085f je 0x40086b
    0x400861 mov $0x400be2,%edi
    0x400866 callq 0x4007e0
Step 5: Recovering internal data

1. Ask the debugger to print out decrypted media data!

    (gdb) hbreak *0x4008a6
    (gdb) commands
    >x/x -0x8+$rbp
    >continue
    >end
    (gdb) cont
    Please enter activation code: 42
    Breakpoint 2, 0x4008a6
    0x7fffffffdc88: 0xbabec99d
    Breakpoint 2, 0x4008a6
    0x7fffffffdc88: 0xbabecda5
    ...
[Figure: Recovering internal data. In gdb, watch audio is set on the variable int audio, which is assigned by audio=decrypt();, and the value of audio is printed each time the watchpoint breaks.]
Step 6: Tampering with the environment

1. To avoid triggering the timeout, wind back the system clock!
2. Change the library search path to force the program to pick up hacked libraries!
3. Hack the OS (we’ll see this later).
[Figure: Tampering with the environment. The time is set to 19551112, 10:04pm before player is run, with the check if (time()>...) abort(); shown inside the program.]
Step 8: Differential attacks

1. Find two differently fingerprinted copies of the program.
2. Diff them!

    asm(
        "jmp L1           \n\t"
        ".align 4         \n\t"
        ".long 0xb0b5b0b5 \n\t"
        "L1:              \n\t"
    );

    asm(
        "jmp L1           \n\t"
        ".align 4         \n\t"
        ".long 0xada5ada5 \n\t"
        "L1:              \n\t"
    );
[Figure: Differential attacks. Two copies, p1 and p2, carry different user strings (user: .ascii "BOB" and user: .ascii "CAL") and print "I AM BOB!" and "I AM CAL!"; they are compared with vbindiff p1 p2.]
Step 9: Decompilation

    L080482A0(A8, Ac, A10) {
        ebx = A8;
        esp = "Please enter activation code: ";
        eax = L080499C0();
        V4 = ebp - 16;
        *esp = 0x80a0831;
        eax = L080499F0();
        eax = *(ebp - 16);
        if (eax != *L080BE2CC) {
            V8 = "wrong code";
            V4 = 0x80a082c;
            *esp = *L080BE704;
            eax = L08049990();
            *L080BE2C8 = 0;
        }
        eax = *L080BE2C8;
        edi = 0;
        ebx = ebx ^ *L080BE2C4;
        *eax = ebx;
        eax = A10;
        if (eax <= 0) {} else {
            while (1) {
                esi = *(Ac + edi * 4);
    L08048368:  *esp = 0;
                if (L08056DD0() > 1521011472) {
                    V8 = "expired";
                    V4 = 0x80a082c;
                    *esp = *L080BE704;
                    L08049990();
                    *L080BE2C8 = 0;
                }
Example Program

    #include <stdio.h>   /* FILE, fprintf, NULL */

    typedef unsigned int uint;
    typedef uint* waddr_t;
    uint player_key = 0xbabeca75;
    uint the_key;
    uint* key = &the_key;
    FILE* audio;
    int activation_code = 42;

    void FIRST_FUN(){}
    /* XOR of the words from addr to last, used as a tamper check */
    uint hash(waddr_t addr, waddr_t last) {
        uint h = *addr;
        for(;addr<=last;addr++) h^=*addr;
        return h;
    }
    /* report the failure and clear the key pointer */
    void die(char* msg) {
        fprintf(stderr,"%s!\n",msg);
        key = NULL;
    }
                ebx = ebx ^ esi;
                (save)0;
                edi = edi + 1;
                (save)ebx;
                esp = esp + 8;
                V8 = *esp;
                V4 = "%f\n"; *esp = *L080C02C8;
                eax = L08049990();
                eax = *L080C02C8;
                *esp = eax;
                eax = L08049A20();
                if (edi == A10) {goto L080483a7;}
                eax = *L080BE2C8; ebx = *eax;
            }
            ch = 176; ch = 176;
            goto L08048368;
        }
    L080483a7:
    }
    L080483AF(A8, Ac) {
        ...
        ecx = 0x8048260;
        edx = 0x8048230;
        eax = *L08048230;
        if (0x8048260 >= 0x8048230) {
            do {
                eax = eax ^ *edx;
                edx = edx + 4;
            } while (ecx >= edx);
        }
        if (eax != 318563869) {
            V8 = "tampered";
            V4 = 0x80a082c;
            *esp = *L080BE704;
            L08049990();
            *L080BE2C8 = 0;
        }
        V8 = A8 - 2;
        V4 = ebp + -412;
        *esp = *(ebp + -416);
        return(L080482A0());
    }
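The decompiled check above is the example program's hash() guard compared against a fixed constant. The following C program is an added example, not code from the lecture: it runs the same XOR algorithm over a constructed six-word region to show which edits such a guard flags and which it lets through, next to an assumed alternative. REFERENCE, the edit kinds and mixed_hash (an FNV-1a-style word mix) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same algorithm as the page's hash(): h starts as the first word and the
   loop then XORs in every word from addr to last inclusive, so the first
   word is applied twice and drops out of the result. */
static uint32_t page_hash(const uint32_t *addr, const uint32_t *last) {
    uint32_t h = *addr;
    for (; addr <= last; addr++) h ^= *addr;
    return h;
}

/* Assumed alternative, not from the page: the FNV-1a multiply-XOR step
   applied to whole words. Every word, including the first, is mixed into
   the running state, so the result also depends on word position. */
static uint32_t mixed_hash(const uint32_t *addr, const uint32_t *last) {
    uint32_t h = 2166136261u;                    /* FNV-1a offset basis */
    for (; addr <= last; addr++) h = (h ^ *addr) * 16777619u;  /* prime */
    return h;
}

#define NWORDS 6
/* Constructed stand-in for the guarded code region. The low byte of word 3
   is 0x7e, playing the role of the page's jle opcode. */
static const uint32_t REFERENCE[NWORDS] = {
    0xe5894855u, 0x10ec8348u, 0x48c72810u, 0x90900a7eu, 0x000000bfu, 0xc3c99090u
};

enum edit { EDIT_NONE, EDIT_BRANCH, EDIT_FIRST_WORD, EDIT_COMPENSATED };

static void apply_edit(uint32_t *img, enum edit e) {
    switch (e) {
    case EDIT_BRANCH:      img[3] ^= 1u; break;               /* 0x7e -> 0x7f */
    case EDIT_FIRST_WORD:  img[0] ^= 1u; break;               /* word XORed twice */
    case EDIT_COMPENSATED: img[3] ^= 1u; img[4] ^= 1u; break; /* deltas cancel */
    case EDIT_NONE:        break;
    }
}

typedef uint32_t (*hash_fn)(const uint32_t *, const uint32_t *);

/* Returns 1 if a guard built on h reports the edited region as tampered.
   The expected value is taken from the pristine region, as a build step
   would do before embedding it in the program. */
static int detects(hash_fn h, enum edit e) {
    uint32_t img[NWORDS];
    for (size_t i = 0; i < NWORDS; i++) img[i] = REFERENCE[i];
    uint32_t expected = h(img, img + NWORDS - 1);
    apply_edit(img, e);
    return h(img, img + NWORDS - 1) != expected;
}

int main(void) {
    static const char *const name[] = {
        "no edit", "branch opcode 0x7e->0x7f", "edit in first word",
        "two edits with equal XOR delta"
    };
    printf("%-32s %-10s %s\n", "edit", "page_hash", "mixed_hash");
    for (int e = EDIT_NONE; e <= EDIT_COMPENSATED; e++)
        printf("%-32s %-10s %s\n", name[e],
               detects(page_hash, (enum edit)e) ? "flagged" : "silent",
               detects(mixed_hash, (enum edit)e) ? "flagged" : "silent");
    return 0;
}
```

Neither function is keyed or collision resistant; the comparison only shows how coverage and position sensitivity change what a guard notices.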
Discussion
What can the attacker do?

- Pattern-match on static code and execution patterns.
- Disassemble/decompile machine code.
- Debug binary code without source code.
- Compare two related program versions.
- Modify the executable.
- Tamper with the execution environment.
In-Class Exercise

- Alice writes a program that she only wants Bob to execute 5 times.
- At the end of each run, the program writes a file .AliceSecretCount with the number of runs so far.
- At the beginning of each run, the program reads the file .AliceSecretCount and, if the number of runs so far is ≥ 5, it exits with an error message BAD BOB!.
- Draw a detailed attack tree with all attacks available to Bob!
Exercises

1. Exercise 1 is on the website: www.cs.arizona.edu/~collberg/Teaching/bsuir/2014
Next week’s lecture

1. Static analysis
2. Obfuscation algorithms
3. Please check the website for important announcements: www.cs.arizona.edu/~collberg/Teaching/bsuir/2014