Created: Thursday, September 28 2006 19:44.09 CDT
Something scary
Author: AlexIonescu
Views: 2389
I'm sure you've all heard about the recent FairUseWMV or however it's called, i.e., the anti-Windows Media DRM hack that's been making the rounds. It keeps being patched and cracked again, which has gotten a lot of people talking. Now, I don't want to argue about pro/anti-DRM or any of the politics behind the matter, but something has me scared.
Apparently Microsoft is now convinced that the guy has access to private source code (I'm guessing the DRM components) and is using them to write his hacks. The reverse engineer of course denies this.
Of course, Microsoft might be right, although, AFAIK, the DRM source is not publicly available even through the "Shared Source" programs, so you'd have to have pretty deep connections inside the company. But isn't it also possible that the growing set of utilities that simplify debugging, bindiffing and guessing Microsoft code internals could be making these hacks easy to produce?
Suppose Microsoft makes a patch to protect the DRM system; wouldn't the reverse engineer just have to do a bindiff, easily discover what was changed, and work around it? To a seasoned reverse engineer this might take a couple of hours, while in the old days it could've taken a lot more. If being "too good" at reversing is now an easy way to paint an "I read intellectual property code" sign on your face, then anyone who does reverse engineering to produce exploits should be worried (even if these exploits are responsibly released).
Like I've shown previously, good tools can extract actual source code from PDB files, tell you the exact location of files inside the tree, and dump internal data structures by using checked builds. To anyone not familiar with these techniques, seeing an exact line of source from your codebase is a good way to get scared and assume they saw it.
I also think the MS DRM code is obfuscated, much like WinLogon. But at Recon 2006 (and I'm sure this has been done before), one of my favorite presentations was about breaking Skype's obfuscation techniques. MS probably didn't reimplement a new obfuscation method for their patch; instead they just fixed some code. They might've thought, "even bindiffed, it'll take a while for him to figure it out". But a good de-obfuscator would recognize the generic algorithms used and instantly produce a "clean" copy, which would then be bindiffed.
To sum things up, my worry is that our tools and collective knowledge have become so advanced that we might now be at risk of similar "you've seen our code" lawsuits. Now this is DRM, and of course the guy can still be sued under the DMCA. But what if you reverse engineer a piece of obfuscated software, only to find out that it has GPL code, or phones home, or acts like spyware? You're pretty much protected when doing this kind of reversing (the DMCA lets you reverse to find spyware-like activity), but you're not protected if the company can now claim you've seen their source. And even though the burden of proof is on them, do you have the money to defend yourself? And what if your reversing employed their PDB and internal debugging functions that they had left in the code in a beta (or, like WoW, they leaked an internal private PDB)? It would become much harder for you to prove you didn't actually see the code, or at least, much costlier.
Just a thought...