CRACKING

All applications can be cracked. Easy vs. difficult to crack is defined by the skill level needed and the time required. Even strong DRM systems typically do not survive the onslaught of the crackers for more than two weeks.

The cracker's goal is to remove the copy protection in a game or application and upload a completely unprotected version on a number of file sharing sites. A further objective is to develop a tool for automatic removal of the particular type of protection. Such tools can be found on the internet for many protection products. Many cracker teams specialize in particular DRM products. For example, Reloaded has for years focused on SecuROM and, thus, has a significant knowledge base of how it works.

In addition to removing the DRM system from the application, crackers develop and publish other ways to circumvent the DRM. The algorithms for product keys are routinely hacked and fully working keys published on the Internet. Similarly, tools to emulate any hardware-based protections, such as so-called NoCD patches, are also available in great numbers on the Internet.

Removing the copy protection requires finding it in the code and determining how to circumvent it: removing it may suffice, or it may be necessary to manipulate it so that it returns the expected value. Crackers have to accomplish the DRM removal without access to the source code.

Crackers are very skilled at reading the machine code that resides in memory while a program executes. Machine code is translated from the source code, and with some skill and the right tools a cracker can recover close to the same information from it as from the source code itself. The most common tools used in this process are:

  • Debuggers allow crackers to see and understand how the application executes, with many capabilities to control the execution and the data. The cracker can choose the starting point that makes the most sense and step through the application instruction by instruction to see how it executes and changes the data. The cracker can also set breakpoints (stop execution at a particular point) and inspect and alter memory locations. With such capabilities, a cracker can in a fairly short time get a good understanding of how any less complicated protection system works.

  • Disassemblers translate the binary code in an executable file back into readable assembler code. This code is at a lower level than programming languages like C, but it can be read and understood by crackers or anybody else with the necessary training and experience, and it can be translated back into readable source code.

  • Decompilers are similar to disassemblers, but instead of translating the .exe file back into assembler they produce output in a higher-level language like C or C++. A decompiler can increase a cracker's efficiency significantly if it is tuned for the compiler originally used to build the application.

Armed with these tools, and many others, crackers set out to find all the instances of copy protection in an application and resolve each one. Thus, the work effort to crack a particular copy protection solution is driven by the number of instances of protection and the difficulty of resolving each one.

The key challenge for DRM solutions is to make four kinds of cracker attack exceedingly difficult:

  • Enabling unauthorized installations/activations. The easiest way to break a DRM system is to circumvent the activation process itself. If it relies on an algorithmic activation code – break the algorithm. If it relies on the disk being in the drive, find the test in the code and remove it. Other tricks include emulating the server response or disabling the server connection altogether.

  • Core dumping to obtain unprotected code. Since the code on disk is often very difficult to work with and possibly encrypted, crackers turn to the code in memory, which is more vulnerable to attack. They use core dumping to get access to that code and then employ disassemblers and similar tools. Core dumping is tricky, because memory contains many things other than the game, and the cracker must first assemble a copy of the game code itself from the core dump.

  • Reverse engineering. Reverse engineering enables a cracker to understand how the code is meant to behave and, in particular, how the DRM acts. Reverse engineering can be very straightforward if the code can easily be seen by the cracker and appears as it was developed, i.e., in a fairly linear fashion.

  • Illegal uploading. The ultimate aim of the cracker is to upload a copy on the internet, where the DRM has been fully removed. In some instances, the key challenge for the cracker will be to ensure that the game is also playable on another machine. Such tests may not appear as normal DRM code.

The most common reasons protections against illegal copying fail are:

  • A single point of vulnerability. For example, the original design of the most popular License Manager: a single patch in the right place in the application removed all calls to the License Manager, leaving the application open to use by anyone.

  • Reliance on encryption only. Encryption by itself is usually not a very strong protection. It is much stronger if combined with other techniques like obfuscation and anti-debugging or implemented on multiple levels.

  • The entire code is available and visible in one piece locally. Games played on a server require much more work, since access to the server is often not feasible. Games, where the loaded code is scattered throughout memory, are much more difficult to break.

  • Insufficient use of randomness. Crackers are very good at finding patterns. If the nature of the protection can be found through detecting patterns in how it behaves, it will be easily broken. The larger the use of randomness, the more secure the protection is.
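The first two failure reasons above, a single point of vulnerability and reliance on encryption alone, can be made concrete with a small contrast. The following is an added example, not code from the page or from any DRM product: two toy "loaders" for a piece of protected game data. Design A guards cleartext data with one boolean licence check, so that check is the only thing standing between the binary and the data. Design B never answers yes or no; it derives the content key from the licence itself, so a wrong licence produces unusable bytes, and the integrity check merely reports that. The licence value, the data and the SHA-256-based stream cipher are all constructed for the example; a real build would ship only the encrypted blob and the plaintext digest, and would use an authenticated cipher such as AES-GCM rather than the toy keystream here.

```python
import hashlib
import hmac

# Constructed sample values for this example; not taken from any real product.
PROTECTED_DATA = b"level-one map data: spawn=(12,34) exit=(98,7)"
# The valid licence appears here only so the example runs offline. A shipped
# build carries the encrypted blob and the plaintext digest below, never this.
VALID_LICENSE = b"DEMO-LICENSE-0001"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (a real build would use AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same step."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# ---- Design A: one boolean gate in front of data stored in the clear --------
LICENSE_HASH = hashlib.sha256(VALID_LICENSE).digest()


def load_data_single_point(license_key: bytes):
    """One conditional decides everything. The data sits in the binary in the
    clear, so this check is the single point of vulnerability the text warns about."""
    if not hmac.compare_digest(hashlib.sha256(license_key).digest(), LICENSE_HASH):
        return None
    return PROTECTED_DATA


# ---- Design B: the licence is key material, not a yes/no answer ------------
def _content_key(license_key: bytes) -> bytes:
    """Derive the content key from the licence itself (domain-separated hash),
    so no decryption key is stored anywhere in the shipped binary."""
    return hashlib.sha256(b"content-key|" + license_key).digest()


PROTECTED_BLOB = _xor(PROTECTED_DATA, _content_key(VALID_LICENSE))  # what ships
PLAINTEXT_DIGEST = hashlib.sha256(PROTECTED_DATA).digest()          # what ships


def load_data_key_derived(license_key: bytes):
    """No branch grants access. A wrong licence gives a wrong key and therefore
    unusable bytes; the digest check only reports that outcome, and a caller
    who ignored it would still be left holding garbage."""
    candidate = _xor(PROTECTED_BLOB, _content_key(license_key))
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), PLAINTEXT_DIGEST):
        return None
    return candidate


def blob_reveals_plaintext() -> bool:
    """True only if the shipped blob contains the data in readable form."""
    return PROTECTED_DATA in PROTECTED_BLOB


if __name__ == "__main__":
    for loader in (load_data_single_point, load_data_key_derived):
        print(loader.__name__, "valid:", loader(VALID_LICENSE))
        print(loader.__name__, "wrong:", loader(b"WRONG-LICENSE"))
    print("blob leaks plaintext:", blob_reveals_plaintext())
```

Both loaders behave identically from the outside: the right licence yields the data and a wrong one yields `None`. The difference is where the secret lives. In design A the data and the accept/reject decision are both inside the binary, which is exactly the combination the list above describes as a single point of vulnerability. In design B the only thing that turns the blob into usable data arrives from outside with the licence, which is also why encryption by itself is not enough: it helps only when the key is not shipped alongside the ciphertext, and it still needs the obfuscation, anti-debugging and multi-level measures the text calls for to keep the derived key from being read out of memory.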

For more info on various DRM protections, see DRM Protection To Date.
