Exetools  

#1 - 06-09-2005, 00:32 - chaboyd
How long will the best software-only protections last?

Hi,

I've seen/tested several software protections such as armadillo and asprotect. While I'm not all that good yet, from reading tuts on cracking Armadillo (Ricardo) and other protections I have not heard of a protection lasting more than a few weeks.

I know this question has been thrown around before (i.e., it is hopeless to protect against reverse-engineering because eventually with enough time it will be cracked). This is true with software-only protection, I wonder if it is with some of the new hardware dongles such as Rockey5. That one looks unique in that code is only run on the smartcard (it never gets executed on the CPU) so unless you RE the hardware/smartcard you are hosed.

My question is: Would it ever be possible to make software-only protection last a few months? My guess is no. Seems like hardware is the only way to go.

For instance, if the protection were to crash the computer/delete files when something was tripped (but not immediately, and it would have to detect virtual machines), and then morph itself upon running.. is this only a nuisance? It would also have to have many sections encrypted, then decrypted when needed and re-encrypted again (wouldn't this be removed like Ricardo does, by debugging and stripping out the code upon decryption?).

It seems like debugger checks, parent/child protection, CRC checks, and everything else are just a nuisance. Anyone have thoughts on this?
#2 - 06-09-2005, 16:47 - dyn!o
Hi,

Quote:
I've seen/tested several software protections such as armadillo and asprotect. While I'm not all that good yet, from reading tuts on cracking Armadillo (Ricardo) and other protections I have not heard of a protection lasting more than a few weeks.
And you heard right. The best protection lasts no more than 10-14 days (for the first attempt or a serious update, and ~1 day for the next deprotection).

Quote:
Would it ever be possible to make software-only protection last a few months?? My guess is no. Seems like hardware is the only way to go.
Theoretically it is possible. Practically.... life will show.

Quote:
For instance, if the protection were to crash the computer/delete files when something was tripped (but not immediately and it would have to detect virtual machines), and then morph itself upon running.. is this only a nuisance ? It would also have to have many sections encrypted, then decrypted when needed and reencrypted again (wouldn't this be removed like Ricardo does by debugging and stripping out the code upon decryption).
Still too simple.

The market needs something different. Something really new. Imagine the StarForce VM. Did they invent something new? Nope. They used all the best and known ideas. But they succeeded. The same goes for Themida. Now imagine what would happen if you brought something really new. Something people (crackers) would not understand and would not be able to deal with using known methods. Someone may say: "then new crackers will be born". Assuming so, then why is StarForce still not commonly crackable (in the PRO version), not to mention Themida? New crackers will face a much harder road than we had when starting our hobbies a few years ago (compare Aspack to Themida, or the first SecuROM to the current version.... not to mention StarForce).

Quote:
It seems like debugger checks, parent/child protection, crc checks, and everything else is just a nuisance.
Anti-debugger (based on INT1/INT3 and exceptions), parent/child checks, crc checks are already outdated.

Regards.

Last edited by dyn!o; 06-09-2005 at 17:57.
#3 - 06-12-2005, 03:51 - Android
Dear chaboyd,
If you like I can introduce a target that has lasted for about 2 years and nobody has managed to crack it up to now.

Regards,
Android.
#4 - 06-12-2005, 12:25 - D-Jester
Quote:
Originally Posted by Android
If you like I can introduce a target that has lasted for about 2 years and nobody has managed to crack it up to now.
I believe you are referring to Code-Lock

_http://www.chosenbytes.com/challenge.php

Yeah...my name's on that list. I lost interest once I realized that it's not a protector per se, rather an add-on. I unpack; I don't keygen, inline, patch, etc...

It's an *.ocx (ActiveX) control protected with NeoLite, designed for VB developers.

It can be removed; all you have to do is remove all the DLLFunction calls. It doesn't even compress the executable, but the key is his stipulations of what he considers a successful cracking of his protection:
Code:
1) Code-Lock will register a program with any registration code.
This would require modification of the *.ocx control so that it's not application-specific; possible but not likely, since it needs the application ID to generate the registration code

Code:
2) The registered version protected by Code-Lock will run on any computer.
This would require modification of the *.ocx control so it's not computer-specific; possible but not likely, since a hardware ID is used to generate the registration code

Code:
3) You have to crack Code-Lock within 60 days of the Challenge.
Considering it's written in VB, I'll give it 4 of 10 stars....but uncrackable? Not even StarForce can make that claim, and it's renowned for its complexity and difficulty.

Peace...
#5 - 06-12-2005, 18:55 - dyn!o
Guys, don't waste your time on Code-Lock speculations.

Quote:
Code-Lock has been uncrackable for 5 years 2 months 2 days 5 hours 37 minutes and 56 seconds...
That's right, and within the same time I haven't had any sex. He lives in his own world; let him continue it.

Look at the awards he (I forgot this sleepwalker's nick) admitted to himself - these are not awards. Look also at the forum posts he is making, mostly by himself (I mean posts like "I can't believe it! It's still uncracked!"). Children like fairytales, and www.code-lock.com is one big kindergarten with its own world of dreams.

Search ExeTools and find my post where I posted the correspondence (if I remember correctly... a "dynio" or "dyn!o" post) where he refused to let me into the competition. At that time he had just encrypted a part of the code with an asymmetric key, so it was clear that it's uncrackable, but not because of software security, because of the cryptographic algorithm. As far as I remember I asked him about that possibility, and probably that was the reason for refusing to let me into this sick "challenge".

Quote:
Considering its written in VB, I'll give it 4 of 10 stars....but uncrackable, not even StarForce can make that claim, and its renowned for its complexity, and difficulty.
Comparing the ChosenBytes dream to the StarForce reality is not suitable. CodeLock is not even 10% of StarForce's complexity. Look at Toca 2, Trackmania and SCCT - they are uncracked and millions of people would like to play them. Splinter Cell CT has been produced in over ~7.000.000 copies (for example GTA: ~10.000.000 till today). That's a challenge.

Regards.

Last edited by dyn!o; 06-12-2005 at 19:02.
#6 - 06-12-2005, 21:46 - baatazu
Quote:
Reward:
USD$2000 will be paid to the first successful cracker.
(Which other software protection is confident enough to challenge crackers?)
Means that they expect the cracker to give his name/address so they can send the money? Sounds like Star Wars to me.
#7 - 06-12-2005, 23:24 - D-Jester
Quote:
Originally Posted by dyn!o
That's right and within the same time I haven't had any sex.
Damn, I am sorry to hear that.


Quote:
Originally Posted by dyn!o
Comparing ChosenBytes dream to StarForce reality is not suitable. CodeLock is not even 10% of StarForce complexity.
I know of StarForce's legacy, but I haven't ever had the opportunity, since I don't play games on my PC.

Now you've got my synapses firing though; maybe a copy of Splinter Cell CT would be a nice addition to my grocery list...yeah, Wal-Mart should have it...
Thanks for your input dyn!o; you and JMI always have a way of slicing through the bull$hit to the facts, to end the arguments.

Peace...
#8 - 06-13-2005, 03:34 - Android
Hi,
Thanks Dyn!o and D-Jester for all you said.
But what I meant was not Code-Lock.
I was talking about a custom protection made by a Russian reverser, used in a program which is written in VC++ using MFC.
And this MFC part has made the reversing very hard.

Anyway, if anybody is interested I have the software on my FTP and I can share it.
Just send a PM if you need the link and more details about this program.

Best Regards,
Android.
#9 - 06-13-2005, 05:14 - dyn!o
Don't get me wrong but actually there are many uncracked applications. I don't know any application which stays uncracked because of protection strength (forget Code-Lock legend). Most of them aren't touched because there is no interest to do so (they're not popular enough).

I myself own tens of uncracked applications, some of them with custom protections never seen before. It's a pity that most of them are AsProtect/Armadillo-like clones (I would say all.... except an interesting exception called VMProtect, which gets better and better with each release).

Quote:
If you like I can introduce a target that has lasted for about 2 years and nobody has managed to crack it up to now.
Asking to crack specific software here may be perceived by some people as a request, which doesn't look quite good (I don't mean that you are requesting).

Regards.

Last edited by dyn!o; 06-13-2005 at 05:17.
#10 - 06-14-2005, 12:24 - posiedon
LOL, there's a request section.
#11 - 06-14-2005, 17:02 - pp2
What about VMProtect'ed executables and ExeCrypt, unpacked itself? They were both released more than a year ago, but still are not cracked? A mutable virtual machine is hard to analyze (yes, it is possible, but it needs too much time). Or did I miss something and they are both simply cracked already?
#12 - 06-14-2005, 18:36 - dyn!o
VMProtect is a very good protector for specific tasks. I didn't see it properly used yet. Even StarForce Nightmare author(s) made a small mistake while configuring VMProtect blocks (thus you can see what Nightmare really does despite the fact of VM protected code). VMProtect is crackable but requires manual work and some experience. If someone would think before protecting then who knows... it may be really hard.

Regarding ExeCrypt I didn't really see it, something new inside?
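The "mutable virtual machine" pp2 asks about in #11 and dyn!o discusses above can be illustrated with a toy. The following is an added example, not VMProtect's or ExeCrypt's code: a small stack VM whose instruction encoding (opcode numbering plus a per-position XOR key) is re-randomised on every "protect" run, so the same source program comes out as different bytes per build while the interpreter shipped with that build still executes it correctly. The instruction set, the 2-byte fixed-width encoding, the sample program and the seeds are all assumptions made for the example; a real protector also rewrites its handlers and dispatch, which this does not model.

```python
"""Added example (not VMProtect's or ExeCrypt's code): a toy bytecode VM whose
instruction encoding is re-randomised on every "protect" run, so one source
program yields different bytes per build while still executing the same way.
Assumed design: fixed 2-byte instructions, a per-build opcode permutation and a
per-position XOR keystream. A real protector also rewrites the handlers and
the dispatch; this models only the encoding side of the mutation."""
import random
from typing import Dict, List, Tuple

OPS = ["PUSH", "LOAD", "STORE", "ADD", "SUB", "EQ", "JZ", "JMP", "HALT"]

# Constructed source program: r1 = 1 + 2 + ... + r0; r2 = (r1 == 0x37).
# Operands are immediates, register numbers or instruction indices (jumps).
PROGRAM: List[Tuple[str, int]] = [
    ("PUSH", 0), ("STORE", 1),                            # 0-1   sum = 0
    ("LOAD", 0), ("JZ", 13),                              # 2-3   while i != 0:
    ("LOAD", 1), ("LOAD", 0), ("ADD", 0), ("STORE", 1),   # 4-7     sum += i
    ("LOAD", 0), ("PUSH", 1), ("SUB", 0), ("STORE", 0),   # 8-11    i -= 1
    ("JMP", 2),                                           # 12
    ("LOAD", 1), ("PUSH", 0x37), ("EQ", 0), ("STORE", 2), # 13-16 r2 = (sum == 0x37)
    ("HALT", 0),                                          # 17
]

Build = Tuple[Dict[str, int], bytes]   # (opcode map, per-position key) baked into one build


def protect(program: List[Tuple[str, int]], seed: int) -> Tuple[Build, bytes]:
    """One 'protect' run: draw a fresh opcode permutation and keystream, then
    encode the program with them. A different seed gives different bytes."""
    rng = random.Random(seed)
    opmap = dict(zip(OPS, rng.sample(range(256), len(OPS))))
    key = bytes(rng.randrange(256) for _ in range(2 * len(program)))
    raw = bytearray()
    for op, arg in program:
        raw += bytes([opmap[op], arg & 0xFF])
    bytecode = bytes(b ^ k for b, k in zip(raw, key))
    return (opmap, key), bytecode


def run(build: Build, bytecode: bytes, inputs: Dict[int, int], max_steps: int = 10_000) -> List[int]:
    """The interpreter shipped with that build; only it knows the mapping, so
    bytecode from another build decodes to nonsense here."""
    opmap, key = build
    decode = {code: name for name, code in opmap.items()}
    regs = [0, 0, 0, 0]
    for r, v in inputs.items():
        regs[r] = v
    stack: List[int] = []
    pc = 0
    for _ in range(max_steps):
        i = 2 * pc
        op = decode[bytecode[i] ^ key[i]]      # KeyError if the build does not match
        arg = bytecode[i + 1] ^ key[i + 1]
        pc += 1
        if op == "PUSH":
            stack.append(arg)
        elif op == "LOAD":
            stack.append(regs[arg])
        elif op == "STORE":
            regs[arg] = stack.pop()
        elif op in ("ADD", "SUB", "EQ"):
            b, a = stack.pop(), stack.pop()
            if op == "ADD":
                stack.append((a + b) & 0xFFFFFFFF)
            elif op == "SUB":
                stack.append((a - b) & 0xFFFFFFFF)
            else:
                stack.append(1 if a == b else 0)
        elif op == "JZ":
            if stack.pop() == 0:
                pc = arg
        elif op == "JMP":
            pc = arg
        else:  # HALT
            return regs
    raise RuntimeError("step limit hit: corrupt bytecode or wrong build")


def demo() -> Tuple[bool, List[int], List[int]]:
    """Two protect runs of the same program: different bytes, same result."""
    build1, code1 = protect(PROGRAM, seed=1)
    build2, code2 = protect(PROGRAM, seed=2)
    return code1 != code2, run(build1, code1, {0: 10}), run(build2, code2, {0: 10})


if __name__ == "__main__":
    differs, regs1, regs2 = demo()
    print("bytecode differs between builds:", differs)
    print("build 1 regs:", regs1, " build 2 regs:", regs2)   # both: r1 = 55, r2 = 1
```

The point for analysis is the one pp2 makes: nothing in the bytecode is reusable across builds, so a handler table or decoder recovered from one protected target says nothing about the next one, and each target has to be worked by hand, which is also what dyn!o means by "requires manual work".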
#13 - 06-14-2005, 20:35 - Crk
CodeLock is bullshit.... just a cryptor.. remember everyone, ASProtect has done this since so long ago... so what's so special about this CodeLock? ASPR and other cryptors/protectors encrypt parts of the code.. impossible to recover without entering the original serial key.. it could also work by using a System ID.... so.... I just see an author trying to promote his app, to make it famous and to make enough $

My 1 cent left

Regards
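The mechanism D-Jester (#4), dyn!o (#5) and Crk (above) are describing, a registration code bound to an application ID and a hardware ID, and code sections that stay encrypted unless the right code is entered, can be shown in a few dozen lines. This is an added example and not the thread's code, nor Code-Lock's, ASProtect's or any other product's; the primitives (HMAC-SHA256 for the registration code, a SHA-256 counter keystream for the section), the vendor secret, the identifiers and the "code section" (the six instruction bytes chaboyd lists in #15) are all assumptions made for the example.

```python
"""Added example (not code from the thread, Code-Lock, ASProtect or any other
product named in it): a registration code bound to an application ID and a
hardware ID, and a code section that is encrypted under a key derived from
that code. Assumed primitives: HMAC-SHA256 for the code, a SHA-256 counter
keystream for the section; the vendor secret, IDs and section are made up."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

VENDOR_SECRET = b"hypothetical-vendor-secret"   # never shipped inside the program

# Constructed "code section": the six instructions chaboyd lists in post #15.
SECTION = bytes.fromhex("E85C020000" "83C404" "E8F4F9FFFF" "0FBEC0" "83F879" "750F")


def registration_code(app_id: str, hardware_id: str) -> str:
    """Vendor side: the code fits one application on one machine only,
    because both identifiers are in the MAC input."""
    msg = f"{app_id}|{hardware_id}".encode()
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest()[:32].upper()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for whatever cipher a protector uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def _section_key(serial: str) -> bytes:
    return hashlib.sha256(serial.encode()).digest()


def protect_section(code: bytes, serial: str) -> Tuple[bytes, bytes, bytes]:
    """Build time: encrypt the section under the key derived from the serial.
    Returns (nonce, ciphertext, tag); the tag lets the loader reject a wrong
    serial instead of jumping into garbage."""
    key = _section_key(serial)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(code, _keystream(key, nonce, len(code))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce, ct, tag


def raw_decrypt(nonce: bytes, ct: bytes, serial: str) -> bytes:
    """What a patched loader gets when it skips the tag check: the keystream is
    still derived from the serial, so a wrong serial yields garbage, not code."""
    ks = _keystream(_section_key(serial), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def unprotect_section(nonce: bytes, ct: bytes, tag: bytes, serial: str) -> Optional[bytes]:
    """Run time: verify the tag under the serial-derived key, then decrypt."""
    key = _section_key(serial)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return raw_decrypt(nonce, ct, serial)


def run_demo() -> Dict[str, bool]:
    """Exercise the three outcomes: right serial, wrong machine, patched check."""
    app, hw = "DemoApp-1.0", "HWID-AAAA-1111"          # constructed identifiers
    serial = registration_code(app, hw)
    nonce, ct, tag = protect_section(SECTION, serial)
    other_machine = registration_code(app, "HWID-BBBB-2222")
    return {
        "right_serial_restores_code": unprotect_section(nonce, ct, tag, serial) == SECTION,
        "other_machine_rejected": unprotect_section(nonce, ct, tag, other_machine) is None,
        "patched_check_gets_garbage": raw_decrypt(nonce, ct, other_machine) != SECTION,
        "ciphertext_hides_code": ct != SECTION,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

This is the simplest variant, with the section key derived straight from the serial, so every customer would need a build encrypted under their own serial; a vendor shipping one binary to everyone has to let the serial carry a shared section key instead, or use an asymmetric scheme as dyn!o says Code-Lock did. In every variant the thing a cracker needs is a valid key, not a patch: removing the tag comparison in `unprotect_section` just turns it into `raw_decrypt`, which still produces garbage for a wrong serial. That is dyn!o's point that such a target is uncracked because of the cryptography rather than the protector, and it is also why, once one valid serial and its build leak, the whole scheme is gone.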
#14 - 06-16-2005, 09:01 - Android
Quote:
Originally Posted by dyn!o
Don't get me wrong but actually there are many uncracked applications. I don't know any application which stays uncracked because of protection strength (forget Code-Lock legend). Most of them aren't touched because there is no interest to do so (they're not popular enough).

I own myself tens of uncracked applications, some of them with custom protections never seen before. It's a pitty that most of them are AsProtect/Armadillo like clones (I would say all.... except interesting exception called VMProtect which gets better and better with each release).


Asking to crack a specific software here may be perceived by some people like request, which doesn't look quite good (I don't mean that you are requesting).

Regards.
Dear dyn!o,
Hi,
As I mentioned before there is no cryptography used in this target.
But it's still not cracked.

Also as for requesting I have done it before in TSRH and SND forums.
Most of the crackers there failed to help.
Also I sent some requests to individual crackers but just one of them managed to clear some points about the target.

That's all about this DAMN target.

Regards,
Android.
#15 - 06-23-2005, 03:20 - chaboyd
Looks like it does mutate

>>>Mutable virtual machine is hard to analyze

I downloaded and did a quick test of VMProtect 1.05. It certainly seems to do a good job preventing both analysis through IDAPro and Ollydbg. Ollydbg can't execute the code since it is no longer x86 instructions. I haven't figured out yet how the VM actually executes it though.


-------------------------------------
New addition

So I decided to test if VMProtect mutates the code each time you protect a program. It definitely changes. I used the maximum protection options and deleted the project after each run. I did three runs applying the VM to a program including the below section of code:

004015FF E85C020000 call 00401860
00401604 83C404 add esp,04
00401607 E8F4F9FFFF call 00401000
0040160C 0FBEC0 movsx eax,al
0040160F 83F879 cmp eax,79
00401612 750F jnz 00401623

How the code appears while debugging during each run:

First run:

004015FF .-E9 9DCE0100 JMP Guessing.0041E4A1
00401604 58 DB 58 ; CHAR 'X'
00401605 D2 DB D2
00401606 57 DB 57 ; CHAR 'W'
00401607 C5 DB C5
00401608 E4 DB E4
00401609 06 DB 06
0040160A ED DB ED
0040160B . 53 PUSH EBX
0040160C . EB 35 JMP SHORT Guessing.00401643
0040160E E0 DB E0
0040160F F2 DB F2
00401610 74 DB 74 ; CHAR 't'
00401611 DA DB DA
00401612 0D DB 0D

Second run:

004015FF .-E9 43D00100 JMP Guessing.0041E647
00401604 63 DB 63 ; CHAR 'c'
00401605 72 DB 72 ; CHAR 'r'
00401606 9E DB 9E
00401607 72 DB 72 ; CHAR 'r'
00401608 A0 DB A0
00401609 19 DB 19
0040160A BD DB BD
0040160B 17 DB 17
0040160C BE DB BE
0040160D E6 DB E6
0040160E . C3 RETN
0040160F DC DB DC
00401610 C6 DB C6
00401611 AD DB AD
00401612 B6 DB B6

Third run:

004015FF >-E9 46CF0100 JMP Guessing.0041E54A
00401604 DA DB DA
00401605 D7 DB D7
00401606 15 DB 15
00401607 . 1351 4D ADC EDX,DWORD PTR DS:[ECX+4D]
0040160A . 8B7B C9 MOV EDI,DWORD PTR DS:[EBX-37]
0040160D . C3 RETN
0040160E . 01FB ADD EBX,EDI
00401610 > 3932 CMP DWORD PTR DS:[EDX],ESI
00401612 . 70 68 JO SHORT Guessing.0040167C


So you can see that the hex dump is quite a bit different with no obvious patterns. So while it doesn't change from run to run it does "mutate" when you actually protect a program. Maybe this is old news and everyone already knows this..

Last edited by chaboyd; 06-28-2005 at 09:50. Reason: Answer my own question
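The three OllyDbg dumps above can be compared mechanically instead of by eye. The following is an added example, not part of the post: a parser for OllyDbg listing lines that maps every address to the byte found there, plus a comparison across the original code and the three protect runs and a decoder for the `E9 rel32` stub left at 004015FF. The four listings are copied from the post; the parsing rules (stripping OllyDbg's `.`, `>`, `$`, `-` analysis markers, treating `DB`/`DW`/`DD` as pseudo-ops and stopping at the first non-byte token) are an assumption that fits these lines and would need widening for other dumps, for instance a mnemonic that happens to be an even-length hex word such as `FADD`.

```python
"""Added example (not from the post): a parser for the OllyDbg listing lines
chaboyd pasted, used to compare the bytes at each address across the three
VMProtect runs. The listings are copied from the post; the parser's rules for
OllyDbg's markers (. > $ -) and DB pseudo-ops are an assumption that fits these
lines and may need widening for other dumps."""
import re
from typing import Dict, List

ORIGINAL = """
004015FF E85C020000 call 00401860
00401604 83C404 add esp,04
00401607 E8F4F9FFFF call 00401000
0040160C 0FBEC0 movsx eax,al
0040160F 83F879 cmp eax,79
00401612 750F jnz 00401623
"""

RUN1 = """
004015FF .-E9 9DCE0100 JMP Guessing.0041E4A1
00401604 58 DB 58 ; CHAR 'X'
00401605 D2 DB D2
00401606 57 DB 57 ; CHAR 'W'
00401607 C5 DB C5
00401608 E4 DB E4
00401609 06 DB 06
0040160A ED DB ED
0040160B . 53 PUSH EBX
0040160C . EB 35 JMP SHORT Guessing.00401643
0040160E E0 DB E0
0040160F F2 DB F2
00401610 74 DB 74 ; CHAR 't'
00401611 DA DB DA
00401612 0D DB 0D
"""

RUN2 = """
004015FF .-E9 43D00100 JMP Guessing.0041E647
00401604 63 DB 63 ; CHAR 'c'
00401605 72 DB 72 ; CHAR 'r'
00401606 9E DB 9E
00401607 72 DB 72 ; CHAR 'r'
00401608 A0 DB A0
00401609 19 DB 19
0040160A BD DB BD
0040160B 17 DB 17
0040160C BE DB BE
0040160D E6 DB E6
0040160E . C3 RETN
0040160F DC DB DC
00401610 C6 DB C6
00401611 AD DB AD
00401612 B6 DB B6
"""

RUN3 = """
004015FF >-E9 46CF0100 JMP Guessing.0041E54A
00401604 DA DB DA
00401605 D7 DB D7
00401606 15 DB 15
00401607 . 1351 4D ADC EDX,DWORD PTR DS:[ECX+4D]
0040160A . 8B7B C9 MOV EDI,DWORD PTR DS:[EBX-37]
0040160D . C3 RETN
0040160E . 01FB ADD EBX,EDI
00401610 > 3932 CMP DWORD PTR DS:[EDX],ESI
00401612 . 70 68 JO SHORT Guessing.0040167C
"""

ADDR_RE = re.compile(r"[0-9A-Fa-f]{8}")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
PSEUDO_OPS = {"DB", "DW", "DD"}   # data directives: look like hex, are not bytes
MARKERS = ".>$-"                  # OllyDbg analysis markers glued to the byte column


def parse_listing(text: str) -> Dict[int, int]:
    """Map every address a listing line covers to the byte found there."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not ADDR_RE.fullmatch(tokens[0]):
            continue
        addr = int(tokens[0], 16)
        raw = bytearray()
        for tok in tokens[1:]:
            tok = tok.lstrip(MARKERS)
            if not tok:
                continue
            # First pseudo-op, odd-length or non-hex token is the mnemonic
            # (ADD/ADC/DEC are hex but odd-length; DB is caught by name).
            if tok.upper() in PSEUDO_OPS or not HEX_RE.fullmatch(tok) or len(tok) % 2:
                break
            raw += bytes.fromhex(tok)
        for i, b in enumerate(raw):
            mem[addr + i] = b
    return mem


def addresses_differing(a: Dict[int, int], b: Dict[int, int]) -> List[int]:
    """Addresses present in both dumps whose byte differs."""
    return sorted(x for x in a.keys() & b.keys() if a[x] != b[x])


def jmp_rel32_target(mem: Dict[int, int], addr: int) -> int:
    """Resolve an E9 rel32 jump, i.e. the stub VMProtect left at the entry."""
    if mem.get(addr) != 0xE9:
        raise ValueError(f"no JMP rel32 at {addr:08X}")
    rel = int.from_bytes(bytes(mem[addr + 1 + i] for i in range(4)), "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def mutation_table(lo: int, hi: int) -> List[str]:
    """One row per address: the original byte next to each run's byte."""
    runs = {"orig": parse_listing(ORIGINAL), "run1": parse_listing(RUN1),
            "run2": parse_listing(RUN2), "run3": parse_listing(RUN3)}
    rows = ["address  orig run1 run2 run3"]
    for a in range(lo, hi + 1):
        cells = [f"{m[a]:02X}" if a in m else "--" for m in runs.values()]
        rows.append(f"{a:08X} " + "   ".join(cells))
    return rows


if __name__ == "__main__":
    print("\n".join(mutation_table(0x4015FF, 0x401613)))
    for name, text in (("run1", RUN1), ("run2", RUN2), ("run3", RUN3)):
        print(name, "entry stub jumps to", f"{jmp_rel32_target(parse_listing(text), 0x4015FF):08X}")
```

Two things fall out of the table that the raw dumps only suggest: every run keeps an `E9` at 004015FF but points it at a different VM entry (0041E4A1, 0041E647, 0041E54A, matching OllyDbg's own annotations), and of the 20 addresses runs 1 and 2 share, 17 carry different bytes, the only matches being the two high bytes of the rel32 that happen to coincide. The bytes following the stub are leftover filler that OllyDbg tries to disassemble, which is why run 3 shows plausible-looking instructions such as `ADC EDX,...` that are never executed.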
All times are GMT +8.