Tag Archives: Cracking

[Security] Tarnovsky Explains Infineon TPM Hack

At the Black Hat 2010 conference in Crystal City, the well-known smart card hacker Christopher Tarnovsky explained how he compromised current Trusted Platform Modules made by Infineon.

This time Tarnovsky managed to read secured data such as RSA and DES keys out of the TPM chips. Working out the approach took him six months and a lab of equipment worth about US$ 200,000. Once the exact way to compromise Infineon's chips had been found, extracting the secrets from an Xbox 360's TPM chip took only about six hours.

At Black Hat 2008 in Amsterdam, Tarnovsky said he had been offered US$ 100,000 to crack the Xbox 360's TPM:

A Microsoft engineer asks: "Did you take an interest in the processor of our Xbox 360 game console?" – "I was offered 100,000 dollars to break it," says Tarnovsky. "But I replied that that wasn't enough."

Readers generally interested in smart card security should also check the Wired.com article (with video) featuring Tarnovsky in his security lab.

[iPhone] Kali DRM Protection Layer on sale

Protect the Devs

The well-known RipDev has announced that it will offer a sophisticated add-on protection to limit software piracy. It is called Kali. Since copying iPhone apps has become rather simple with "Crackulous", some developers are seeing declining sales.

RipDev says its own products such as iPref, Kate and Installer are already protected with Kali, and so far they do not appear to have been (properly) cracked.

What does Kali do?

To make a long story short: it does nothing new. It simply uses runtime encryption plus server-side authentication before decryption. Parts of the program that have been decrypted correctly can be executed; otherwise the CPU tries to execute the still-encrypted bytes and the program simply crashes. For this to hold up, error handling around the protected code has to be disabled and the code has to be designed in ways that depart from the usual patterns.

History Lessons

Runtime encryption has a long history. From the middle to the end of the 1990s, talented protection defeaters such as fravia (all the power to you, bro') organized annual cracking competitions within the Higher Cracking University (HCU+). In the 1980s people printed dead listings of assembly code and studied protections to find ways around them. The motivation was interoperability and fun. Cracking protections, it is said, is like playing chess: easy games (and thus easy protections) are not interesting, complicated games are challenging.

Anti-debugging checks have been well known to Win32 experts for years. Automated cracking tools are not new either. Some people may still remember the masterpiece ProcDump, which allowed automated dumping of runtime-encrypted programs from memory, also rebuilding the PE headers, the import table and so on, so that the dumped image would run without the decryption stub.

Nowadays tons of automation scripts are available for assembly-level debuggers such as OllyDbg that make unpacking generic runtime-encrypted Windows programs convenient. Generic protection wrappers do not live long before they get defeated. Specific protections, on the other hand (like the one used in the Mac version of Ableton Live), seem to be much harder to crack, since they are designed for one single program rather than for tons of programs, so no generic unpacker applies.
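A toy model of the two things discussed above: the runtime-encryption scheme with server-side key release that the post attributes to Kali, and the ProcDump-style attack of dumping the section after it has been decrypted. This is an added example, not RipDev's code and not Kali's actual design; the stream cipher (SHA-256 in counter mode), the `license_server` function, the license database, the section key derivation and the protected source are all constructed for illustration, and Python source plus `exec` stands in for encrypted machine code executed in the app's process.

```python
"""Toy model of a runtime-encryption DRM layer (as the post describes
Kali) and of the generic dump-after-decryption attack (ProcDump-style).
Added example; not RipDev's code. The cipher, key derivation, license
server and protected source are all constructed for illustration."""
import hashlib
import hmac

# ---- Build time (the packer) --------------------------------------------
SERVER_SECRET = b"constructed-server-only-secret"   # never ships in the app
VALID_LICENSES = {"license-1234"}                    # constructed license DB

# Source of the "premium" function the developer wants to keep out of
# pirated copies (constructed sample).
PROTECTED_SOURCE = '''
def compute_price(quantity):
    return quantity * 15 if quantity < 100 else quantity * 4
'''


def section_key() -> bytes:
    """Per-section key known to the packer and the license server only."""
    return hmac.new(SERVER_SECRET, b"section-1", hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pack(source: str, key: bytes) -> bytes:
    """Encrypt a code section; this ciphertext is what ships in the app."""
    return xor(source.encode("utf-8"), key)


BLOB = pack(PROTECTED_SOURCE, section_key())

# ---- Run time (the protection stub inside the app) ----------------------

def license_server(license_id: str):
    """Server side: release the section key only to a valid license."""
    return section_key() if license_id in VALID_LICENSES else None


def decrypt_section(blob: bytes, key: bytes) -> bytes:
    """Decrypt the section; with a wrong key this is just garbage bytes."""
    return xor(blob, key)


def load_section(blob: bytes, key: bytes) -> dict:
    """Decrypt and execute a section. A wrong key yields bytes that are
    not valid code, the analogue of the CPU faulting on ciphertext; here
    that surfaces as RuntimeError instead of a crash."""
    plaintext = decrypt_section(blob, key)
    namespace: dict = {}
    try:
        # UnicodeDecodeError is a ValueError; null bytes raise ValueError
        # or SyntaxError depending on the Python version.
        exec(compile(plaintext.decode("utf-8"), "<protected>", "exec"), namespace)
    except (ValueError, SyntaxError, TypeError) as err:
        raise RuntimeError("section did not decrypt to valid code") from err
    return namespace


def run_protected(blob: bytes, license_id: str) -> dict:
    """What the app does on every launch: authenticate, fetch key, run."""
    key = license_server(license_id)
    if key is None:
        raise PermissionError("license rejected by server")
    return load_section(blob, key)

# ---- The cracker's side (what ProcDump did for Win32 packers) -----------

def dump(blob: bytes, license_id: str) -> str:
    """One legitimately obtained key is enough: run the stub once, copy the
    decrypted section out of memory, and the copy never needs the server."""
    key = license_server(license_id)
    if key is None:
        raise PermissionError("need one valid license to dump")
    return decrypt_section(blob, key).decode("utf-8")


def run_dumped(source: str) -> dict:
    """The dumped copy runs offline: no license, no server, no key."""
    namespace: dict = {}
    exec(compile(source, "<dumped>", "exec"), namespace)
    return namespace


if __name__ == "__main__":
    print(run_protected(BLOB, "license-1234")["compute_price"](3))
    try:
        load_section(BLOB, b"guessed-key")
    except RuntimeError as e:
        print("wrong key:", e)
    print(run_dumped(dump(BLOB, "license-1234"))["compute_price"](200))
```

Two things the model makes visible. Patching out the license check alone does not help the cracker, because without the server-released key the section decrypts to garbage and the program dies exactly as the post describes. But the protected code has to exist in cleartext in memory the moment it runs, so anyone holding one valid license can capture it at that point and produce a copy that no longer talks to the server at all; that is the whole ProcDump lesson, and it is independent of how strong the cipher is.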

What do we learn from this? Decide for yourself.

101 of Digital Economy

There are people who say that an operating system like Windows 95 or 98 could only reach such a high societal penetration, and thus make Microsoft dominate the market, because it was so easy to copy. And nowadays? Almost every user who had a pirated Windows 95 back in the day now uses a legally bought Windows XP or Windows Vista. The consumers have been trained to use Windows. In the long run this strategy has proved successful. Almost the same applies to Adobe's Photoshop: almost every computer user knows its basic functions, but hardly anybody has ever bought it. Yet Photoshop has become the standard; there is no real competitor. In the long run Adobe's strategy has proved successful as well. We really doubt that company officials would ever admit to such strategies, though.

And Apple? Apple understands the concept of (religion and) market penetration. It is interested in selling devices. Selling software for the iPhone is additional business, but its primary aim at this stage is to extend market penetration. Easily available software makes the device even more attractive to consumers, so Apple will not be too interested in prosecuting teenage crackers.

What devs can also do

There are many options.

  1. Design your own protection layer.
  2. Bug the crackers with updates. Since every update has to be unpacked again, this becomes tedious across half a million apps per month.
  3. Check the price of your app. What is better: earning 100 x 15 USD or 500 x 4 USD? What did we say about market penetration?
  4. Think about introductory offers (for every new version).
  5. Think about free demos with limited functionality.

The days when a developer sold 200,000 apps in one week are over. That was only possible in the early days of Apple's App Store. Now it is ordinary software business.

Final Words

Kali is a good idea for the average developer with no knowledge of protections. Still, as history shows, its effectiveness will be limited. Crackers love a challenge, so they will enjoy defeating Kali (I bet they are sitting right now analyzing RipDev's Kali-protected apps). Another thing may be unforeseen: some developers are also crackers. They might sign up for the Kali offer just for fun, to get a better understanding of it.

Moreover, although RipDev's programs seem not to have been cracked so far, this does not imply that the protection is the reason. Demand for these programs may simply be too small.