Something scary
I'm sure you've all heard about the recent FairUseWMV or however it's called, i.e., the anti-Windows Media DRM hack that's been making the rounds. It keeps being patched and cracked again, which has gotten a lot of people talking. Now, I don't want to argue about pro/anti-DRM or any of the politics behind the matter, but something has me scared. Apparently Microsoft is now convinced that the guy has access to private source code (I'm guessing the DRM components) and is using it to write his hacks. The reverse engineer, of course, denies this.

Of course, Microsoft might be right, although, AFAIK, the DRM source is not publicly available even through the "Shared Source" programs, so you'd need pretty deep connections inside the company. But isn't it also possible that the growing set of utilities that simplify debugging, bindiffing and guessing at Microsoft code internals is making these hacks easy to produce? Suppose Microsoft ships a patch to protect the DRM system: wouldn't the reverse engineer just have to bindiff the old and new binaries, easily discover what was changed, and work around it? For a seasoned reverse engineer this might take a couple of hours, while in the old days it could have taken a lot longer.

If being "too good" at reversing is now an easy way to get "I read intellectual property code" painted on your face, then anyone who reverse engineers to produce exploits should be worried (even if those exploits are responsibly released). As I've shown previously, good tools can extract actual source code from PDB files, tell you the exact location of files inside the source tree, and dump internal data structures by using checked builds. To anyone not familiar with these techniques, seeing an exact line of source from your own codebase is a good way to get scared and assume the other person saw it. I also think the MS DRM code is obfuscated, much like WinLogon.
But at Recon 2006 (and I'm sure this has been done before), one of my favorite presentations was about breaking Skype's obfuscation techniques. MS probably didn't implement a new obfuscation method for their patch; instead they just fixed some code. They might've thought, "even bindiffed, it'll take him a while to figure it out". But a good de-obfuscator would recognize the generic algorithms used and instantly produce a "clean" copy, which could then be bindiffed.

To sum things up, my worry is that our tools and collective knowledge have become so advanced that we might now be at risk of similar "you've seen our code" lawsuits. Now, this is DRM, and of course the guy can still be sued under the DMCA. But what if you reverse engineer a piece of obfuscated software, only to find out that it contains GPL code, or phones home, or acts like spyware? You're pretty much protected when doing this kind of reversing (the DMCA lets you reverse to find spyware-like activity), but you're not protected if the company can now claim you've seen their source. And even though the burden of proof is on them, do you have the money to defend yourself? And what if your reversing employed their PDB and internal debugging functions that they had left in the code of a beta (or, as with WoW, a leaked internal private PDB)? It would become much harder for you to prove you didn't actually see the code, or at least much costlier.

Just a thought...
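To make the "just bindiff the patch" step above concrete, here is an added example (my own code, not from the original post or from any real bindiff tool). It assumes a symbol table of the kind a PDB provides (function name to offset and length) and is written against a tiny, constructed x86-32 instruction subset; the three function names and both "builds" are invented. The point it demonstrates is the one thing that separates a useful patch diff from a noisy one: a patch that grows one function shifts every later function, so raw byte comparison flags callers that never changed, while masking relative call/jump displacements before hashing leaves only the function the patch actually touched. Real tools go much further (structural matching of control-flow graphs, normalising registers), but this is the core idea.

```python
"""Function-level patch diff over two builds of a constructed binary.

Added example, not code from the original post. Assumes a PDB-style symbol
table (name -> offset, length) and the tiny x86-32 subset used below.
"""
import hashlib
from typing import Dict, List, Optional, Tuple, Union

# opcode byte -> (instruction length, index where a relative displacement starts).
# Not a general disassembler: modrm entries assume the reg-reg forms used below.
OPCODES: Dict[int, Tuple[int, Optional[int]]] = {
    0x55: (1, None),  # push ebp
    0x5D: (1, None),  # pop ebp
    0xC3: (1, None),  # ret
    0x33: (2, None),  # xor r32, r32   (33 C0)
    0x85: (2, None),  # test r32, r32  (85 C0)
    0x8B: (2, None),  # mov r32, r32   (8B EC)
    0xB8: (5, None),  # mov eax, imm32
    0x75: (2, 1),     # jne rel8
    0xE8: (5, 1),     # call rel32
    0xE9: (5, 1),     # jmp rel32
}

Item = Union[bytes, Tuple[str, str]]  # raw bytes, or ("call", "target_name")
Symbols = Dict[str, Tuple[int, int]]  # name -> (offset, length)


def link(functions: List[Tuple[str, List[Item]]]) -> Tuple[bytes, Symbols]:
    """Lay functions out back to back and resolve call rel32 displacements (toy linker)."""
    symbols: Symbols = {}
    offset = 0
    for name, body in functions:  # pass 1: assign addresses
        length = sum(len(it) if isinstance(it, bytes) else 5 for it in body)
        symbols[name] = (offset, length)
        offset += length
    image = bytearray()
    for _, body in functions:  # pass 2: emit bytes, resolving calls
        for it in body:
            if isinstance(it, bytes):
                image += it
            else:
                next_ip = len(image) + 5  # rel32 is relative to the next instruction
                disp = (symbols[it[1]][0] - next_ip) & 0xFFFFFFFF
                image += b"\xE8" + disp.to_bytes(4, "little")
    return bytes(image), symbols


def normalize(code: bytes) -> bytes:
    """Zero relative displacements so pure layout shifts do not count as changes."""
    out, i = bytearray(), 0
    while i < len(code):
        if code[i] not in OPCODES:
            raise ValueError(f"unsupported opcode {code[i]:#04x} at offset {i}")
        length, rel_at = OPCODES[code[i]]
        insn = bytearray(code[i:i + length])
        if rel_at is not None:
            insn[rel_at:] = bytes(length - rel_at)
        out += insn
        i += length
    return bytes(out)


def diff_functions(old: Tuple[bytes, Symbols], new: Tuple[bytes, Symbols],
                   mask_displacements: bool = True) -> Dict[str, List[str]]:
    """Hash each function in both builds; report changed, added and removed names."""
    def digests(build: Tuple[bytes, Symbols]) -> Dict[str, str]:
        image, symbols = build
        out = {}
        for name, (off, ln) in symbols.items():
            body = image[off:off + ln]
            out[name] = hashlib.sha256(normalize(body) if mask_displacements else body).hexdigest()
        return out
    old_h, new_h = digests(old), digests(new)
    return {
        "changed": sorted(n for n in old_h if n in new_h and old_h[n] != new_h[n]),
        "added": sorted(set(new_h) - set(old_h)),
        "removed": sorted(set(old_h) - set(new_h)),
    }


# Constructed sample. The "patch" makes verify_sig call a new helper instead of
# returning 1 unconditionally; check_license and play_media are untouched.
PROLOGUE = b"\x55\x8B\xEC"                                   # push ebp; mov ebp, esp
EPILOGUE = b"\x5D\xC3"                                       # pop ebp; ret
RETURN_ONE = PROLOGUE + b"\xB8\x01\x00\x00\x00" + EPILOGUE   # mov eax, 1
CHECK_RESULT = b"\x85\xC0\x75\x02\x33\xC0"                   # test eax,eax; jne +2; xor eax,eax

OLD_BUILD = link([
    ("verify_sig", [RETURN_ONE]),
    ("check_license", [PROLOGUE, ("call", "verify_sig"), CHECK_RESULT, EPILOGUE]),
    ("play_media", [PROLOGUE, ("call", "check_license"), CHECK_RESULT, EPILOGUE]),
])
NEW_BUILD = link([
    ("verify_sig", [PROLOGUE, ("call", "hash_blob"), CHECK_RESULT, EPILOGUE]),
    ("check_license", [PROLOGUE, ("call", "verify_sig"), CHECK_RESULT, EPILOGUE]),
    ("play_media", [PROLOGUE, ("call", "check_license"), CHECK_RESULT, EPILOGUE]),
    ("hash_blob", [RETURN_ONE]),
])


def raw_diff() -> Dict[str, List[str]]:
    """Byte-for-byte: check_license is flagged only because verify_sig grew by 6 bytes."""
    return diff_functions(OLD_BUILD, NEW_BUILD, mask_displacements=False)


def normalized_diff() -> Dict[str, List[str]]:
    """Displacement-masked: only the function the patch really touched remains."""
    return diff_functions(OLD_BUILD, NEW_BUILD, mask_displacements=True)


if __name__ == "__main__":
    print("raw       :", raw_diff())
    print("normalized:", normalized_diff())
```

Run it and the raw comparison lists both `verify_sig` and `check_license` as changed, while the normalized one lists only `verify_sig` (plus `hash_blob` as new). Note that `play_media` survives even the raw diff: it and its callee moved by the same amount, so its displacement happened not to change, which is exactly why raw byte diffs are unreliable in both directions.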