How long will the best software-only protections last?

Hi,

I've seen/tested several software protections such as armadillo and asprotect. While I'm not all that good yet, from reading tuts on cracking Armadillo (Ricardo) and other protections I have not heard of a protection lasting more than a few weeks.

I know this question has been thrown around before (i.e., it is hopeless to protect against reverse-engineering because eventually with enough time it will be cracked). This is true with software-only protection, I wonder if it is with some of the new hardware dongles such as Rockey5. That one looks unique in that code is only run on the smartcard (it never gets executed on the CPU) so unless you RE the hardware/smartcard you are hosed.

My question is: Would it ever be possible to make software-only protection last a few months?? My guess is no. Seems like hardware is the only way to go.

For instance, if the protection were to crash the computer/delete files when something was tripped (but not immediately and it would have to detect virtual machines), and then morph itself upon running.. is this only a nuisance ? It would also have to have many sections encrypted, then decrypted when needed and reencrypted again (wouldn't this be removed like Ricardo does by debugging and stripping out the code upon decryption).

It seems like debugger checks, parent/child protection, crc checks, and everything else is just a nuisance. Any one have thoughts on this??

[dyn!o]

Hi,

Quote:

I've seen/tested several software protections such as armadillo and asprotect. While I'm not all that good yet, from reading tuts on cracking Armadillo (Ricardo) and other protections I have not heard of a protection lasting more than a few weeks.

And you heard good. The best protection can last not more than 10-14 days (for the first attempt or serious update and ~1 day for the next deprotection).

Quote:

Would it ever be possible to make software-only protection last a few months?? My guess is no. Seems like hardware is the only way to go.

Theoretically it is possible. Practically.... life will show.

Quote:

For instance, if the protection were to crash the computer/delete files when something was tripped (but not immediately and it would have to detect virtual machines), and then morph itself upon running.. is this only a nuisance ? It would also have to have many sections encrypted, then decrypted when needed and reencrypted again (wouldn't this be removed like Ricardo does by debugging and stripping out the code upon decryption).

Still too simple.

The market needs something different. Something really new. Imagine StarForce vm. Did they invent something new? Nope. They used all the best and known ideas. But they succeeded. The same concerns Themida. Now imagine what would happen if you bring something really new. Something people (crackers) will not understand and be not able to deal with using known methods. Someone may say: "then new crackers will be born". Assuming so then why StarForce is still not commonly crackable (in PRO version), not to mention Themida? New crackers will face much harder way to cross than we had in the time of starting our hobbies few years ago (compare Aspack to Themida or the first SecuROM to the actual version.... not to mention StarForce).

Quote:

It seems like debugger checks, parent/child protection, crc checks, and everything else is just a nuisance.

Anti-debugger (based on INT1/INT3 and exceptions), parent/child checks, crc checks are already outdated.

Regards.

Dear chaboyd,
If you like I can introduce a target that has lasted for about 2 years and nobody has managed to crack it up to now.

Regards,
Android.

[D-Jester]

Quote:

Originally Posted by Android

If you like I can introduce a target that has lasted for about 2 years and nobody has managed to crack it up to now.

I believe you are refering to Code-Lock

_http://www.chosenbytes.com/challenge.php

Yeah...my names on that list. I lost interest once I realized that its not a protector persay, rather an add-on. I unpack, I don't keygen, inline, patch, etc...

Its an *.ocx (ActiveX) control protected with neolite, designed for VB developers.

It can be removed all you have to do is remove all the DLLFunction calls, it doesn't even compress the executable, but the key is his stipulations of what he considers a successful cracking of his protection:

Code:

1) Code-Lock will register a program with any registration code.

This would require modification of the *.ocx control so that its not application specific; possible but not likely since it needs the application ID to generate the registration code

Code:

2) The registered version protected by Code-Lock will run on any computer.

This would require modification of the *.ocx control so its not computer specific; possibel but not likely since a hardware ID is used to generate the registration code

Code:

3) You have to crack Code-Lock within 60 days of the Challenge.

Considering its written in VB, I'll give it 4 of 10 stars....but uncrackable, not even StarForce can make that claim, and its renowned for its complexity, and difficulty.

Peace...

[dyn!o]

Guys, don't waste your time on Code-Lock speculations.

Quote:

Code-Lock has been uncrackable for 5 years 2 months 2 days 5 hours 37 minutes and 56 seconds...

That's right and within the same time I haven't had any sex. He lives in his own world and let him countinue it.

Look at the awards he (I forgot this sleepwalker's nick) admitted to himself - these are not awards. Look also at the forum posts he is making mostly by himself (I mean posts like "I can't believe it! It's still uncracked!"). Childrens like fairytales and www.code-lock.com is a one big kindergarden with own world of dreams.

Search ExeTools and find my post where I posted the correspondence (if I correctly remember... "dynio" or "dyn!o" post) where he disallowed me to get into the competition. At that time he just encrypted a part of code with asymmetric key so it was clear that it's uncrackable but not because of software security but cryptographic algorithm. As far as I remember I asked him about that possibility and probably that was the reason of refusing me getting into this sick "challange".

Quote:

Considering its written in VB, I'll give it 4 of 10 stars....but uncrackable, not even StarForce can make that claim, and its renowned for its complexity, and difficulty.

Comparing ChosenBytes dream to StarForce reality is not suitable. CodeLock is not even 10% of StarForce complexity. Look at Toca 2, Trackmania and SCCT - they are uncracked and millions of people would like to play them. Splinter Cell CT has been produced in over ~7.000.000 of copies (for example GTA: ~10.000.000 till today). That's a challange.

Regards.

Quote:

Reward:
USD$2000 will be paid to the first successful cracker.
(Which other software protection is confident enough to challenge crackers?)

Means that expect from cracker to tell his name/address to send the money? Sounds like starwars to me.

[D-Jester]

Quote:

Originally Posted by dyn!o

That's right and within the same time I haven't had any sex.

Damn , I am sorry to here that.

Quote:

Originally Posted by dyn!o

Comparing ChosenBytes dream to StarForce reality is not suitable. CodeLock is not even 10% of StarForce complexity.

I know of StarFoces legacy, I haven't ever had the opportunity, Since I don't play games on my PC.

Now you've got my synapse's firing though, maybe a copy of Splinter Cell CT would be a nice addition to my grocery list...yeah Wal-Mart should have it...
Thanks for your input dyn!o you and JMI always have a way of sliciing through the bull$hit to the facts; to end the arguements.

Peace...

Hi,
Thanks Dyn!o and D-Jester for all you said.
But what I meant was not Code-Lock.
I was talking about a custom protection made by a russian reverser used in program which is written in VC++ using MFC privileges.
And this MFC part has mede the reversing very hard.

Anyway,if any body is interseted I have the software on my FTP and I can share it.
Just send a PM if you need the link and more details about this program.

Best Regards,
Android.

[dyn!o]

Don't get me wrong but actually there are many uncracked applications. I don't know any application which stays uncracked because of protection strength (forget Code-Lock legend). Most of them aren't touched because there is no interest to do so (they're not popular enough).

I own myself tens of uncracked applications, some of them with custom protections never seen before. It's a pitty that most of them are AsProtect/Armadillo like clones (I would say all.... except interesting exception called VMProtect which gets better and better with each release).

Quote:

If you like I can introduce a target that has lasted for about 2 years and nobody has managed to crack it up to now.

Asking to crack a specific software here may be perceived by some people like request, which doesn't look quite good (I don't mean that you are requesting).

Regards.

LOL, there's a request section.

[pp2]

What about VMProtect'ed executables and ExeCrypt unpacked itself? They are both released more than a year ago, but still are not cracked? Mutable virtual machine is hard to analyze (yes it is possible, but needs too many time to). Or I missed smth and they are both simply cracked already?

[dyn!o]

VMProtect is a very good protector for specific tasks. I didn't see it properly used yet. Even StarForce Nightmare author(s) made a small mistake while configuring VMProtect blocks (thus you can see what Nightmare really does despite the fact of VM protected code). VMProtect is crackable but requires manual work and some experience. If someone would think before protecting then who knows... it may be really hard.

Regarding ExeCrypt I didn't really see it, something new inside?

CodeLock is bullshit.... just a cryptor.. remember everyone ASprotect does this from so long ago... so what's so special with this codelock... aspr and other cryptor/protector encrypt parts of the code.. impossible to recover without entering original serial key.. also could work by using a System ID.... so.... so i just see an author trying to promote his app. to make it famous and to make enought $

My 1 cent left

Regards

Quote:

Originally Posted by dyn!o

Don't get me wrong but actually there are many uncracked applications. I don't know any application which stays uncracked because of protection strength (forget Code-Lock legend). Most of them aren't touched because there is no interest to do so (they're not popular enough).

I own myself tens of uncracked applications, some of them with custom protections never seen before. It's a pitty that most of them are AsProtect/Armadillo like clones (I would say all.... except interesting exception called VMProtect which gets better and better with each release).


Asking to crack a specific software here may be perceived by some people like request, which doesn't look quite good (I don't mean that you are requesting).

Regards.

Dear dyn!o,
Hi,
As I mentioned before there is no cryptography used in this target.
But it's still not cracked.

Also as for requesting I have done it before in TSRH and SND forums.
Most of the crackers there failed to help.
Also I sent some requests to individual crackers but just one of them managed to clear some points about the target.

That's all about this DAMN target.

Regards,
Android.

>>>Mutable virtual machine is hard to analyze

I downloaded and did a quick test of VMProtect 1.05. It certainly seems to do a good job preventing both analysis through IDAPro and Ollydbg. Ollydbg can't execute the code since it is no longer x86 instructions. I haven't figured out yet how the VM actually executes it though.


-------------------------------------
New addition

So I decided to test if VmProtect mutates the code each time you protect a program. It definitely changes. I used the maximum protection options and delected the project after each run. I did three runs applying the VM to a program including the below section of code:

004015FF E85C020000 call 00401860
00401604 83C404 add esp,04
00401607 E8F4F9FFFF call 00401000
0040160C 0FBEC0 movsx eax,al
0040160F 83F879 cmp eax,79
00401612 750F jnz 00401623

How the code appears while debugging during each run:

First run:

004015FF .-E9 9DCE0100 JMP Guessing.0041E4A1
00401604 58 DB 58 ; CHAR 'X'
00401605 D2 DB D2
00401606 57 DB 57 ; CHAR 'W'
00401607 C5 DB C5
00401608 E4 DB E4
00401609 06 DB 06
0040160A ED DB ED
0040160B . 53 PUSH EBX
0040160C . EB 35 JMP SHORT Guessing.00401643
0040160E E0 DB E0
0040160F F2 DB F2
00401610 74 DB 74 ; CHAR 't'
00401611 DA DB DA
00401612 0D DB 0D

Second run:

004015FF .-E9 43D00100 JMP Guessing.0041E647
00401604 63 DB 63 ; CHAR 'c'
00401605 72 DB 72 ; CHAR 'r'
00401606 9E DB 9E
00401607 72 DB 72 ; CHAR 'r'
00401608 A0 DB A0
00401609 19 DB 19
0040160A BD DB BD
0040160B 17 DB 17
0040160C BE DB BE
0040160D E6 DB E6
0040160E . C3 RETN
0040160F DC DB DC
00401610 C6 DB C6
00401611 AD DB AD
00401612 B6 DB B6

Third run:

004015FF >-E9 46CF0100 JMP Guessing.0041E54A
00401604 DA DB DA
00401605 D7 DB D7
00401606 15 DB 15
00401607 . 1351 4D ADC EDX,DWORD PTR DS:[ECX+4D]
0040160A . 8B7B C9 MOV EDI,DWORD PTR DS:[EBX-37]
0040160D . C3 RETN
0040160E . 01FB ADD EBX,EDI
00401610 > 3932 CMP DWORD PTR DS:[EDX],ESI
00401612 . 70 68 JO SHORT Guessing.0040167C


So you can see that the hex dump is quite a bit different with no obvious patterns. So while it doesn't change from run to run it does "mutate" when you actually protect a program. Maybe this is old news and everyone already knows this..