This is only vulnerable to a replay in certain situations, i.e. a certain key on a certain dongle is matched to the distributed crypted PE. Hence, a single correct key would only work in conjunction with the specific dongle/software dist, i.e. I make a dist for you, I give you a dongle specific to that dist.

There stands a chance that, if not implemented correctly, or if there is just a single decrypt of the entire code section of the executable, you may just do a single memory dump to disk after it is encrypted once, then rebuild the executable from this. This is why you perform some operations at runtime also (in addition to other anti-cracking tricks, self-modifying code, anti-debugging, etc.), so that it is unlikely that it is worth cracking a single instance of this program while not being able to create a general crack for all instances.

Really decent dongle protection is not cheap. It is not useful for most software situations because of this. Also, it is important to remember that a sufficiently dedicated cracker will break anything. If he has it, he will break it. Know your opponents and protect against the highest degree of opponent that is efficient (time vs money vs value of the program) to protect against. It's unlikely that some 30 dollar shareware program would require such a system. It may be worth it, however, to protect some $100k systems. It's up to the developer/vendor to evaluate the degree of protection that is useful for the situation.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer

----- Original Message -----
From: "Daniel Roethlisberger" <danielat_private>
To: <PEN-TESTat_private>
Sent: Wednesday, June 06, 2001 8:11 AM
Subject: Re: How secure are dongles for copy-protection?

>
> Ryan Permeh <ryanat_private> wrote:
> > 1. Take a key issued by vendor. This is the "licence" key
> > offered in most scenarios.
> > 2. Pipe this key to the dongle.
> > 3. Perform cryptographic transformation on the issued "licence
> > key". This cryptographic transform could be a
> > hash/crypt/decrypt depending on situation. Potentially this
> > could be multiple transformations. The closer to hardware
> > configured the better.
> > 4. Return the value of the transformation(s) from the dongle to
> > the program.
> > 5. Use this as a key to uncrypt the code segment of the
> > executable (the .text segment of the PE or whatever format
> > you need).
>
> This is still vulnerable to the replay attack. You just look at
> the output of the dongle and replay that to the software; it
> requires no attack on the dongle itself. I come to the conclusion
> that dongle based protection systems cannot be perfect. Either you
> can replay the dongle output; or you can attack the part of the
> software that does the same operation as the dongle in order to
> verify the result.
>
> Cheers,
> Dan
>
>
> --
> Daniel Roethlisberger <danielat_private>
> PGP Key ID 0x8DE543ED with fingerprint
> 6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED
>
>
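The five-step scheme quoted above, and the design property the two posters are arguing about, can be modelled in a few lines. The following is an added example written for this archive page; it is not code from either poster or from any dongle vendor. The "dongle" is a keyed hash in software, the "code segment" is a short constructed byte string, the cipher is a SHA-256 counter-mode keystream XOR, and the licence key and dongle secret are constructed sample values. The point it makes a practitioner can check: a deterministic dongle transform (steps 2-4) answers identically on every run, so its output is a fixed value the program will accept from any source, whereas binding the answer to a per-query nonce removes that property but means the program can no longer use the answer directly as the decryption key in step 5 and must hold enough to verify it itself.

```python
"""Toy model of the dongle-keyed code-segment decryption scheme from the thread.

All values are constructed for illustration. No real dongle API, no PE
parsing; the point is the replayability property of the dongle's answer.
"""
import hashlib
import hmac
import secrets

# Constructed sample values (not from the original thread).
LICENSE_KEY = b"EXAMPLE-LICENCE-0001"          # step 1: vendor-issued key
DONGLE_SECRET = b"constructed per-dongle secret"  # lives only in the dongle
PLAIN_CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"    # stand-in for a .text section


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into `length` bytes with SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric keystream XOR: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def dongle_transform(license_key: bytes) -> bytes:
    """Steps 2-4: the dongle returns a keyed transform of the licence key.
    The transform has no per-query input, so the answer never changes."""
    return hmac.new(DONGLE_SECRET, license_key, hashlib.sha256).digest()


def build_distribution(plain_code: bytes, license_key: bytes) -> bytes:
    """Vendor side: encrypt the code segment under the dongle-derived key,
    so this distribution only runs with the dongle that holds DONGLE_SECRET."""
    return xor_crypt(plain_code, dongle_transform(license_key))


def load_program(encrypted_code: bytes, dongle_response: bytes) -> bytes:
    """Step 5: the program decrypts its code segment with whatever value it
    was handed as the dongle's answer. Nothing here can tell a live answer
    from a stored copy of an earlier one."""
    return xor_crypt(encrypted_code, dongle_response)


def response_is_replayable(dongle, license_key: bytes) -> bool:
    """Design check: two queries with identical input giving identical
    output means the answer is a constant the dongle merely stores."""
    return dongle(license_key) == dongle(license_key)


def dongle_challenge_response(license_key: bytes, nonce: bytes) -> bytes:
    """Variant: the answer is bound to a nonce chosen per query, so each
    answer differs. A stored answer is of no use on the next query, but the
    answer can no longer serve as the fixed decryption key of step 5."""
    return hmac.new(DONGLE_SECRET, license_key + nonce, hashlib.sha256).digest()


def challenge_is_replayable(license_key: bytes) -> bool:
    """Same check for the nonce-bound variant with two fresh nonces."""
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return dongle_challenge_response(license_key, n1) == dongle_challenge_response(license_key, n2)


def software_side_verify(license_key: bytes, nonce: bytes, answer: bytes) -> bool:
    """What the program would have to do with a nonce-bound answer: recompute
    it, which requires the program to embed DONGLE_SECRET. This is the second
    half of Dan's conclusion: the verifier, not the dongle, becomes the target."""
    expected = hmac.new(DONGLE_SECRET, license_key + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, answer)


if __name__ == "__main__":
    dist = build_distribution(PLAIN_CODE, LICENSE_KEY)
    print("decrypts with live dongle:", load_program(dist, dongle_transform(LICENSE_KEY)) == PLAIN_CODE)
    print("static transform replayable:", response_is_replayable(dongle_transform, LICENSE_KEY))
    print("nonce-bound transform replayable:", challenge_is_replayable(LICENSE_KEY))
```

The two booleans at the end are the design test worth running against any dongle scheme on paper before buying hardware: if the program consumes the dongle's answer as a key, the answer must be constant and the dongle is reduced to a stored value; if the answer varies per query, the program must verify it and therefore carries the secret. Ryan's runtime-operations and per-distribution pairing raise the cost of each individual crack rather than escape this trade-off.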
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 15:29:41 PDT