Sunday, November 18, 2012

Casual Gaming Protections

Over the years, I've been fortunate to see lots of protections on so called "Casual Gaming" games. These are the games like Bejeweled, and that ilk. Generally, these games are written by a company, and provided to several online "publishers", who distribute them. Reflexive.com, Yahoo Games, people like that.

 Well, the games are provided in their original unprotected "ready to run" form, and the individual publishers add their own protection to them to enforce their "60 minute free trial" restrictions. The quality of this publisher applied protection varies wildly. I will touch on some of the ones that I have seen in this posting.

  Generally speaking, there are 2 types of protections in use. The first one is where the publisher uses some "off the shelf" protection to either manage the entirety of the trial, or at least in an attempt to thwart circumvention of their trial system. These are things like the Armadillo protection system from Silicon Realms, and systems of that type. Generally, these are more successful than if the publisher had written the whole thing from scratch, as more than likely, the game author isn't going to be an authority on copy protection, and that job should be left to the professionals (As you'll see in the OTHER category a little later). The problem with these "solutions" is that MANY MANY tools exist online for removing, stripping, or at least circumventing them. As mentioned elsewhere on this blog, that is one of the perils of off the shelf protection.

  This class also includes more of a hybrid system, where the company develops a protection on their own, and uses the packer/protector over the top to at least act as a speed bump (sleeping policeman if you will) to the would be hackers. But these suffer the same fate as the full blown systems mentioned previously. These packers run the gamut from the fully commercial ASProtect, down to the lowly open source UPX. And, ultimately, if you are counting on a packer to protect you, you truly have no protection at all.

  The other type, is the entirely self written protection system. These are the ones that I'll be spending the most time talking about in this post, as to me, they're the most hilarious. I'm not trying to pan ALL of them, as I've seen some that weren't bad! I saw one that did 2 asm instructions, and a jmp, over and over and over. Very reminiscent of the old floppy based protection called SuperLock. (I have a copy of that around here somewhere). It also goes through a couple of layers of decryption, and unpacking, and runs code from inside itself, so it plugs the obvious "memory dump" holes. Honestly, I forget who had this protection, but it was pretty good. Now, with that one out of the way, we can move on to the others.

  There are a couple of publishers who share the idea that renaming the .exe to something else, and setting the "hidden" attribute on the file is enough to stop piracy. I kid you not! When you install the game, they install everything, and create a shortcut on the desktop. This shortcut leads to their monolithic loader that keeps track of your time playing, and how much time you have left, etc. It also has intrinsic ads, and serves as your gateway to download more of their games. It also features code that loads, and runs the game from it's super secret location. (The root of the game install directory). The solution to this protection is ALMOST as bad as Popeye mentioned in previous posts, and just barely better than Superman also mentioned elsewhere. So, the method to "crack" these games, is to rename the .exe back to .exe, and update the shortcut's target. TA DA! (Shaking head).

  We've now covered the good, and the bad, which brings us to the most popular technique. This one utilizes a technique where the code at the initial entry point is removed/encrypted/scrambled in the game, and the loader/time tracker replaces it at runtime. It creates the task suspended, and then through WriteProcessMemory they replace the garbage at the OEP with the correct (original) code, and then perform a ResumeThread to launch the game. This was a pretty cool idea back in 2004 when I first saw it, but this is 2012, and it seems to be becoming MORE popular, not less. I've found derivatives of this idea in *3* different companies protection schemes. And NO, packing you loader with ASProtect doesn't help. It also doesn't help if your ASProtected loader loads an ASProtected .dll to do all the work. It all results in the same thing. An API hook eats your lunch, and allows someone to dump out the data, or in some cases, (like mine), I copy your "altered" game to a new name, and replace the correct bytes "on the fly" as the loader runs.

  The only thing worse than these windows protections, are their Mac counterparts. Say you have a game called "Fool's Errand". You have a bundle that holds all the files, and it contains the loader, named "Fool's Errand", and all the support files. Among these is a copy of the REAL executable, UNTOUCHED. Just renamed to something that's supposed to blend in with the other files. The downfall of all of these is when you launch the game, and from a terminal do a simple "ps x", and see 2 things running. 1 the loader "Fool's Errand", and something else, from the same bundle, called "data". Once you see that, you exit the game, delete the loader, rename data to Fool's Errand, and play forever. Just simply pathetic!

Sunday, August 26, 2012

I saw a well designed protection!

I know that normally in this space I rant about how bad this protection was, or how pathetic THAT protection was. But this post will be different. I recently had the opportunity to see an amazingly well designed protection system. Strangest of all, it was a homegrown protection written by what looks like a small developer. No, I don't know the name of the protection, and I won't tell you what packages it was on, but I'll tell you ABOUT it. The packages are both from the same source, a presumably small independent developer who produced a package to aid in the generation, and distribution of test taking tutors. Say you want to get you Linux+ certification, you can go to the web, and buy their package, and it'll help you study for the test. The target installs, and presents you with a single .exe. A quick scan tells you that it's an encapsulated Java application, with an executable launcher. A quick search, and you can pull out the whole jar file that is the program, and a quick unzip later, and you have all the .class files. Run them through decompiler of your choice, and you'll soon see that they've been obfuscated. While the obfuscated code is difficult to follow, the error messages that the application prints leads you to the right place in record time. You can see that a particular function gets called, and it's return value means the code you entered is bad, or that you're running in demo mode, or that your trial has expired. So, now a quick note. I've never learned Java. C/C++, yes, Java? No. So, that means that I have to consult the web for parameters to APIs, or what a particular API itself does. So, I see the application getting a resource, and using it in what looks like a way that would tell me EVERYTHING. So, I google the string. And what I find, is absolutely shocking. I find the COMPLETE source to the package. ALL OF IT. For whatever reason, the developer at this company kept his Eclipse workspace on the web server machine. A quick "wget", and I had the complete source, with comments, and even notes to their customers describing how their protection works. Game over, right? NO. And here's why. The protection is well designed. When you hit their website, if you opt for the demo, you get that. A demo package, with only 10 questions. (Out of who knows HOW many for the regular package). If you don't BUY a test, you can't get the executable, and all the questions. That's good idea number 1. If a pirate can't TOUCH your app., he can't crack/pirate it. Number 2. Once you get the package, you also get a serial number. When you run the app., the first thing you are presented with, is a registration box asking for that serial number that you were given. It takes this, and grabs some stats like your MB serial number, your MAC address, etc., and interlaces all this data into a packet that it sends to their registration server. The registration server returns the time period that your application is authorized for, and, (Drumroll please), the AES key to decrypt the questions database. This data is all interlaced together, and BASE64'd for the trip. The client application pulls the packet apart, save the dates, and the key for the questions, and boom. Off you go. Now, as a pirate, I'm all about weaknesses in the system. YES, you could prolong the license period forever. YES, you could buy all the tests once, and pull the private key out, and release them at once. (That would probably be kinda obvious though). As part of the glob that I downloaded, there were all the tools to be used by the customers to enter test questions into the questions database, and, the private keys for a bunch that already exist. So, in THEORY, if you could get all the applications, you could release them all without having to BUY them. But, this takes us back to problem #1. You don't get the application if you don't BUY it first. So, on a tour de force level, this protection scheme is relatively low tech, but it is above all, EFFECTIVE. So, good job who ever you are that wrote it!

Tuesday, March 27, 2012

Sometimes I think you should have to have a license to write protection.

Tonight's application was a database monitoring application written mostly in unobfuscated java. Is this 1999 and no one told me? I mean SERIOUSLY. And the thing that made it all that much better was that this code runs under Tomcat, and while running something called Jasper, it spit out .java versions of some of the important files. I didn't even have to decompile them! (shaking head). OK, so here's how it all works. You get a license key from the vendor when you register your trial, or buy a license from them. It comes in the form of a string of characters that you copy & paste into a form in the program. (It's all web based evidently). This license key contains a server name if you buy a license, or a string that they identify later as the "trial sentinel", and a number. This number is the time since the epoch in milliseconds for when your trial, or license expires. At runtime, in just about every module, they load this string from the key file, decrypt it, and pull the 2 halves out. (There is a delineation character between the fields). Then, they simply compare the time to now, if it comes back negative, your license has expired, and you need to get a new one.

So, as you see, the lynch pin of this WHOLE protection boils down to a simple string decryption routine. It was written in java as well, and unobfuscated for your reversing pleasure. A little while examining it, and I was able to write my very own ENcrypter, so that I can now make license files till the cows come home. Here's the pertinent code:


void EncryptString(char *s)
{
char temp[1026];
char output[2049];
unsigned char x, y;
unsigned char len = (strlen(s) & 0xFF);

memset(temp, 0x00, 1026);
memset(output, 0x00, 2049);

temp[0] = len ^ 0x95;
temp[1] = s[0] ^ 0x95;
temp[2] = s[1] ^ 0x59;

for(x = 3; x <= len; x++)
{
temp[x] = s[x - 1] ^ temp[x - 3];
}

for(x = 0, y = 0; x <= len; x++)
{
output[y++] = ((temp[x] & 0xF0) >> 4) | 0x40;
output[y++] = (temp[x] & 0x0F) | 0x40;
}

printf("[%s]\n", output);
}

The 1st byte of the license is the LENGTH xor'd with 0x95, followed by the serverID, followed by the expiration time. They do a pseudo rolling encryption where the value of THIS byte is xor'd with the value of another byte in the string, (3 bytes away). Once they have this, they simply walk through the string, pull out the upper nibble, shift it right, and OR it with 0x40, as that makes it printable, and then pull the lower nibble, and OR it with 0x40. Then, save those bytes, and move along. So, the resulting string ends up being twice as long as the actual payload.

I can only hope that these guys kick ass on database applications, and that it works better than their attempt at protection. Maybe they're finally wising up, and are only trying to "keep the honest people honest", as that's about all this scheme would do.