Software Tamper-Proofing Deployed: 2-Year Anniversary Report

Macrovision Corporation
Patrice Capitant
VP Engineering
Agenda
• SafeDisc
• The Hacker World
• Hacker Tools & Security Risks
• SafeDisc Deployment
• In The Field
• The Lessons
• Recommendations
• SafeDisc 2.0
• Summary
SafeDisc
• Copy protection of PC games on CD
• Applied to more than 51 million units over 20 months
• Applied to more than 300 titles
• More than 100 SafeDisc replication facilities worldwide
The Hacker World
• Super-Hackers (The White Knights)
  – Organized (suppliers, crackers, coders, web hosters)
  – Friendly competition but cooperation on tough problems
• Custom Tools
  – Debuggers & add-ons (anti-debugger aids, memory dumps...)
  – Advanced hex editors
  – Packers & unpackers (PEcrypt, ProcDump, …)
The Hacker World
• Hacker’s goals: to beat and humiliate you
  – Generate tamper-proof patches
  – Generate essays on your technology
  – Generate essays on hack techniques
Hackers’ Application Form – Part 1
:
.:[ #HUMMERS_WareZ ]:.
:
.:[ Application Form ]:.
§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+§
WE'RE LOOKING FOR:
Suppliers, Web Hosters, Crackers, Coders
Check the position(s) you want to apply for, look for the section &
answer the questions.
: []Topsite FTP Courier
X1 : X2 : X9
:
: []Web Hoster
X1 : X3 : X9
:
: []Site Operator
X1 : X4 : X9
:
: []Shell Supplier
X1 : X5 : X9
:
: []Supplier
X1 : X6 : X9
:
: []Cracker
X1 : X7 : X9
:
: []Coder
X1 : X8 : X9
:
: []Other
X1 : X9 : X9
:
§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+§
Hackers’ Application Form – Part 2
X1. Information
:
Real Name-...............................[ ]
:
Nick-....................................[ ]
:
E-mail-..................................[ ]
:
IP Mask-.................................[ ]
:
ICQ Number-..............................[ ]
:
Connection speed-........................[ ]
:
Years of experience in warez?-...........[ ]
:
Have you been or are you in a group right now?
[ ]-YES
[ ]-NO
:
What Groups? What Position?
Groups-...............[ ]
Position-.............[ ]
Hackers’ Application Form – Part 3
X2. Topsite FTP Courier
:
Do you have access to new, 0-min warez?
[ ]-YES
[ ]-NO
:
How many mb can you curry in a week?-......[ MBS ]
:
Name the sites you are on?
#1-[ ]
#2-[ ]
#3-[ ]
Hackers’ Application Form – Part 4
X3. Web Host
:
Can you host the page 24/7?
[]-YES
[]-NO
:
Space Available for the page-..............[ MBS ]
:
Any other information? (Domain name, etc)
[ ]
[ ]
[ ]
Hackers’ Application Form – Part 5
X4. SiteOp
:
Connection Speed: (cable users need not apply)
[]T1 []T3 []OC+
:
Operating System (Check all that apply)
[ ]Windows 3.1x/95/98
[ ] Any Nix os (Please Specify) [ ]
[ ]Other(Please Specify) [ ]
:
Space Available for the group-..........… [ GIGS ]
:
Will your site be dedicated to HUMMERS only?
[ ]-YES
[ ] –NO
:
Will your site be up 24/7? If not,how often?
[ ]-YES
[ ]-NO Hours up-[ ]
:
How many users can your site support at a time?-[ ]
:
What is the ip and login info of your site? (look only account)
IP: [ ]
LOGIN: [ ] PASS: [ ]
Hackers’ Application Form – Part 6
X5. Shell Supplier
:
Do you own a shell?
[ ]-YES
[ ]-NO
:
How many 24/7 bots do you have on your shell?-[ ]
Hackers’ Application Form – Part 7
X6. Supplier
:
What can you supply?-................[ ]
:
How much can u supply in a day/week?-[ ]
:
Will you supply on demand?
[ ]-YES
[ ]-NO
Hackers’ Application Form – Part 8
X7. Cracker
:
How long have you been hacking/cracking?-[ ]
:
How many applications have you cracked?-[ ]
:
How many games have you cracked?-[ ]
:
What are the last last three games/apps you've cracked?
#1-[ ]
#2-[ ]
#3-[ ]
:
Are you willing to demonstrate your skills to a Senior in HUMMERS?
[]-YES
[]-NO
Hackers’ Application Form – Part 9
X8. Coder
:
What do you use to code? (Programs)
[ ]
:
Do you have examples of your work?
[]-YES
[]-NO
(If yes, please include one with this app)
:
How fast can you start and finish a good program for the group?
[ ]
[ ]
Hackers’ Application Form – Part 10
X9. Other
:
What other thing can you do that is not listed?
[ ]
[ ]
[ ]
[ ]
[ ]
[ ]
Hackers’ Application Form – Part 11
X10. Hand-in App
Now rename this yournick.txt and copy and paste,
then send it to "[email protected]" with
"HUMMERS APPLICANT" as your subject.
§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-§
©1998
[HUMMERS_Warez]
Hacker Tools & Security Risks
• Debuggers
• Disassemblers File Level Attacks
• Memory Lifts
• Spoofing
• Cryptographic Attacks
• Procedural
Debuggers
• Step through code
• Set memory and code breakpoints
• Disassemble code
• Change operation of code
• General experimentation tool
• e.g. SoftICE, TRW and Microsoft debuggers
Disassemblers
• Can analyse security code in a file on hard drive
• Allow authentication and security code to be easily patched and recompiled
• Help remove obfuscation code
• e.g. IDA Pro
Spoofing
• Spy programs used to monitor application calls to system functions
• Spoof program intercepts calls and returns data expected for an authentication
• e.g. FrogsICE, spy32
Memory Lifts
• Copies decrypted application (or sections) from memory to a file
• Reconstructs the remainder of the application
• Can memory lift security code or protected application
• e.g. ProcDump
Cryptographic Attacks
• Use of cryptographic techniques to analyse encrypted-protected applications
• Use of cryptographic techniques to find decryption keys
Procedural
• Leaks from publishers
• Release of demo builds
• Publishing cracks on the WWW
• Publishing cracker tools
SafeDisc Deployment
• Successful pre-release testing…
  – Software successfully tested by single hackers and corporate entities (Microsoft, Aladdin) over a 2-month period
• …Conclusions:
  – It will take a very long time to crack:
    • There is plenty of time to add security features
  – If a crack occurs, patching the security hole will be sufficient
In The Field
First hack after 6 months.
Three generic hacks over two years, all patched.
All hacks limited to Super-Hackers.
Time to Hack keeps decreasing.
[Chart: Time to Hack (days). Y-axis: 0 to 200 days; x-axis: Oct-98 to Aug-00 in two-month steps.]
The Lessons
• Super-Hackers can’t spell
• Super-Hackers will work together:
  – You are facing large skilled groups, not individuals
• Hacks are more than one break:
  – Frequently reflect systematic understanding of whole security system
The Lessons
• Hacks are more a matter of “when” than “if”
• Essays on your security techniques will be published
• Patches will be tamper-proofed (just to show you)
The Lessons (cont.)
• Security hardness when raised to the level of Super-Hackers
  – Diminishes number of hacks
  – Diminishes distribution sites for patches
  – Deters cautious users from applying patches
Recommendations
• Be proactive:
  – New security techniques must be added frequently
  – Expect to develop major changes in security architecture on a regular basis
• Be patient:
  – Monitor hackers’ techniques & tools
  – Devise multiple techniques before releasing counter-attack
• Focus on slowing down hacks:
  – Put as many layers of security as you can in all critical areas
• Focus on limiting hack effectiveness:
  – Use polymorphism: each installation is different
  – Dedicate resources to monitor and close Web sites
SafeDisc 2.0
• Enhanced automated wrapping tool
  – Added DLL and data protection
• Additional security layers in each critical area
  – Debuggers, disassemblers, spoofing, memory lifts & cryptographic attacks
  – Heavier use of polymorphism
• Same program against hackers’ sites
• New SDK for publishers
  – Additional security (level 1-3) for identified functions
• Additional media signatures for both data & audio
Summary
• SafeDisc hacks limited to a small group of Super-Hackers
• Original strategy focused on preventing all hacks
  – Did not put a boundary on time to hack
• Second generation tamper-proofing just released
  – Focuses on limiting time to hack
Conclusion