Well, nothing new. If it runs, it can be cracked. I say it as a reverser (legal) with more than 10 years of exp. So, instead of investing money/time into the protection mechanisms, it's better to use the resources to improve your software. Yet a well-thought-out custom protection (i.e. not ASProtect, Armadillo, etc.) can be harder, but it's all the same crackable.
It is true the techniques in the article are nothing new. However, this comment is a knee-jerk reaction and largely misleading. The notion that something being crackable is a failure is incorrect. The time a protection scheme needs to hold up varies depending on the industry, but the economics of DRM do not require it to last forever. For video games it's a month or two (Starcraft 2 sold 75% of total copies sold to date within the first month). Also, there are several DRM schemes deployed in production today that are acknowledged by those in the field as quite effective, namely BD+ and DirecTV's scheme. Indeed, as far as I know there hasn't been a break in DirecTV for over half a decade.
As far as malware goes, virtualization obfuscators are the current state of the art. They are a fundamental advancement in packing. Up until virtualization obfuscators, all other packers had the weakness where at some point the unprotected program would end up in memory. This weakness is easily exploitable (à la VxClass, see Recon 2010 for an easily digestible talk). Virtualization obfuscators are still beatable with manual reverse engineering (see Rolles WOOT 2009) and some effort has been made to automate the process (see Wenke Lee's group at Oakland 2009). But when a packing scheme forces you to hire reverse engineers who know what symbolic execution is, you know that you've substantially raised the bar.
To add to the 'quite effective' schemes: Cinavia. It adds watermarks to the audio in movies and is resilient enough to be maintained even when a cam-rip is done of a movie. Brilliant scheme, and the patent application (US7369677) is really well written. There hasn't been a break yet, but it'll come eventually.
Haha yeah that paper is how I got started reversing VM based schemes. A short paper that does use symbolic execution and theorem proving is BinHunt, although it's a blatant ripoff of Halvar published 4 years later. Their only claimed contributions are (1) symbolic execution and theorem proving for basic block equivalence and (2) backtracking for their maximum common subgraph isomorphism algorithm (in contrast to Halvar who I believe used direct instruction comparison for basic block equivalence and a greedy subgraph algorithm). These could be meaningful contributions but they provide no data to prove that the posited accuracy increase of symbolic execution and backtracking is worth the large performance hit.
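The basic block equivalence comparison discussed in the comment above, as an added example that is not from the thread and not the code of BinHunt or Halvar's tools: a toy IR is executed symbolically and two blocks are declared equivalent when their outputs agree for every 8-bit input (exhaustive checking stands in for the theorem prover), set beside plain opcode-sequence comparison. The IR, function names and sample blocks are all constructed here.

```python
from itertools import product

# Toy straight-line IR (constructed, not real x86): instruction = (op, dst, src1, src2).
# Operands are register names (str) or small integer constants; registers are 8-bit.
MASK = 0xFF
OPS = {
    "add": lambda a, b: (a + b) & MASK,
    "sub": lambda a, b: (a - b) & MASK,
    "mul": lambda a, b: (a * b) & MASK,
    "shl": lambda a, b: (a << b) & MASK,
    "xor": lambda a, b: a ^ b,
    "mov": lambda a, b: a,          # second operand ignored
}

def operand(state, x):
    """Map an operand to an expression tree: a register's current symbolic value or a constant."""
    return state[x] if isinstance(x, str) else ("const", x)

def sym_exec(block, inputs):
    """Symbolically execute a block; returns register -> expression tree."""
    state = {r: ("in", r) for r in inputs}
    for op, dst, s1, s2 in block:
        state[dst] = (op, operand(state, s1), operand(state, s2))
    return state

def evaluate(expr, env):
    """Concretely evaluate an expression tree under an assignment of input registers."""
    kind = expr[0]
    if kind == "in":
        return env[expr[1]]
    if kind == "const":
        return expr[1] & MASK
    return OPS[kind](evaluate(expr[1], env), evaluate(expr[2], env))

def syntactic_match(b1, b2):
    """Direct instruction comparison: same opcode sequence, nothing more."""
    return [i[0] for i in b1] == [i[0] for i in b2]

def semantic_match(b1, b2, inputs, outputs):
    """Semantic comparison: output registers agree for every 8-bit input assignment."""
    s1, s2 = sym_exec(b1, inputs), sym_exec(b2, inputs)
    for vals in product(range(256), repeat=len(inputs)):
        env = dict(zip(inputs, vals))
        if any(evaluate(s1[r], env) != evaluate(s2[r], env) for r in outputs):
            return False
    return True

# Constructed sample blocks: the first three all double eax, the last one does not.
BLOCK_MUL = [("mul", "eax", "eax", 2)]
BLOCK_ADD = [("mov", "tmp", "eax", 0), ("add", "eax", "eax", "tmp")]
BLOCK_SHL = [("shl", "eax", "eax", 1)]
BLOCK_TRIPLE = [("mul", "eax", "eax", 3)]
```

The cost the comment points at is visible here: the syntactic check is a list comparison, while the semantic check evaluates 256^n assignments per block pair for n inputs, which is why a real tool replaces exhaustion with a solver.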
I'm not sure DirecTV's scheme is entirely relevant, because it revolves around protected hardware rather than protected software.
The idea behind DirecTV is that the crypto code runs entirely in hardware the user can never see, heavily protected physically - a protection method which isn't possible for software on most modern x86 machines. Plus, satellite providers have a distinct advantage in that their content needs to be protected only in real time.
I do give kudos to DirecTV for managing to create a technology that's less of a sieve than Nagravision (although that might also have to do with DirecTV suing everyone who dared go near their smartcards into oblivion in the early 2000s), but they play a totally different (and, IMO, much easier) game than software protectors do.
As for BD+, with HDCP broken so widely I don't really see a point to breaking it. Scene groups can source movies of equal or greater quality from many other sources, even using decrypted HDMI as a last resort, before needing to care about actually exploiting the BD+ VM.
I have a very little bit of insight into how DirecTV's modern cards are implemented, and the fundamental technique does not rely on hardware --- in other words, if you had already been outfitted with a lab that could decap and image chips well enough to generate simulators, the fundamental technique involved would still be expensive to unwind.
BD+ has produced multiple titles which, during their new release window, had no high-quality HD rips torrented. But that's beside the point: if antidebugging and antireversing are such a lost cause, it stands to reason that BD+ should be completely broken by now. But, of course, it is not.
"Plus, satellite providers have a distinct advantage in that their content needs to be protected only in real time."
I could be wrong here, and it's been a while since I messed with Echostar/Dish hardware, but DVR recordings are stored on the hard drive in raw, encrypted form and then played back through the decryption hardware.
Yet another mistake Dish made - IMO, every iteration of Nagravision is end-to-end pretty poorly implemented.
At any rate, I was speaking more to the practical aspects than the technical ones. In the eyes of a DRM writer, a game needs to be protected for at least a few weeks (launch purchase window), and once it's cracked once, it's pretty much the end - the game is in the wild, and the damage is done, because what's being pirated is the game itself.
On the flip side, what satellite providers are protecting isn't really the content - it's the ability to display the content at a certain point of presence as a stream. Public exhibition (bars, clubs) and live PPV fights are the big game for satellite encryption, not Joe Public (or Joe Pirate) watching his shows. They'll be available to pirates immediately after they're aired through other means (stations, screeners, stripping HDCP off of HDMI) anyway.
That's why I think the satellite game is easier - not technically, but practically. As a satellite TV provider, even if your DRM can be removed post facto, the benefit to the pirate is greatly diminished (and the downside to you, as well).
I believe 99.99% of those who pirate will never buy a game just because they don't want to wait several days (or weeks, very rare). DRM only harasses those who don't pirate.
>> Starcraft 2 sold 75% of total copies told to date within the first month.
And who says that without the DRM it would be lower? Maybe it would be even higher! Many techy people just don't buy those new games with draconian DRMs/Spyware which require internet connection. Or they buy the game and then download NODVD/cracked.exe
Note the instructions. It's just capturing the video stream via analog source, as far as I can tell.
I believe your comment's parent was referring to their over-the-air stream DRM (i.e. the stream to the dish receiver), which hasn't been publicly broken.
And since cracking follows the path of least resistance, it's likely that the DRM would have been cracked if that was the only way to get at the content.
This is a case of deadbolted door, window left open.
I agree with you there - all HD video DRM is "deadbolted door, window left open" at this point since HDCP is fully opened (both by the ability to clone or purchase the HDCP hardware from a real TV and by the leaking of the HDCP master keys).
There's still some incentive to crack video DRM, since ripping through HDMI requires a re-encode and degrades quality, but the approach is good enough that the payoff is reduced substantially.
Breaking DRM is not the only relevant aspect of the video game industry. Punkbuster and other anticheat daemons need to work for the lifetime of the game.
I do not know a lot about reversing but I was always under the impression that nothing was impenetrable and most schemes were easily defeated. In light of this I am always puzzled by the relative efficacy of punkbuster and related daemons.
Who are the best 'reversers' out there? I work in bioengineering which is largely a reverse-engineering discipline (i.e. we do a lot of tweaking natural organisms that we didn't design) -- just curious if there are overlapping ways of thinking / general approaches. Anyone do serious CS research on reverse engineering methodologies?
I've been out of touch and out of practice for years now, so I'm curious to know the answer to this question. I was fascinated with reverse engineering back when Fravia[1] hadn't yet completely moved away from cracking to "search lore".
There is the 0-day Scene, those groups which are pretty much closed/private (to name some, CORE, BliZZARD, EMBRACE, HERiTAGE, SSG, DiGERATi..), these are invitation only. And the Web scene groups like FFF, TSRh, RES, who often offer to solve some keygenme/crackme for newcomers to be accepted.
No, my business is continuing to grow year on year. People seem to love installing my dead software on their dead PCs running that dead operating system Windows and they are quite happy to pay me for it.
Sorry to go off topic, but I have to ask. How did you get involved in that industry? Malware analysis seems like something I'd love to do. If you don't mind, could you share any tips or career advice you would give to someone who might want to pursue a career in malware analysis/antivirus industry?
Well, in my case I was enjoying unpacking protected software (just for fun, I wasn't distributing cracked software, just writing tutorials on how to bypass protections and releasing tools/unpackers/unprotectors for common types of protectors). Then somebody contacted me and offered the job.
What can you do? I would start from tuts4you.com, learn x86 assembly language, download a debugger and/or disassembler and dig into something or follow tutorials.
Thanks for your reply. I guess I tend to shy away from things like tuts4u and crackmes.de because it seems questionable legally, although I haven't looked into it much. I mostly "reverse" my own code in gdb just to understand what's going on in the assembly. These types of things are hard to show in a resume, so I'm not really sure how to make myself an attractive job candidate to some of these antivirus companies.
I don't see anything illegal in disassembling shareware or any other type of software. Compare it with disassembling your smartphone/alarm clock/hand watch/.. to find out how it works. Why should it be illegal?