data obfuscation

Security eBooks Games, iGaming, and Gambling [email protected] +1.650.278.7416 Security in the Client – Part 2 Data Obfuscation Steven Davis

Upload: steven-davis

Post on 16-Jan-2015

Category:

Technology


DESCRIPTION

Data obfuscation is the ugly process of trying to hide data on a computer from its owner. It is far from perfect, but it is an important security tool for dealing with cheating and piracy, software licensing, and is really what DRM depends on. This is part 3 of my game security course. For the rest of this course, visit http://free2secure.com/. You may also want to check out my book "Protecting Games" - see http://playnoevil.com/ for details.

TRANSCRIPT

Page 1: Data Obfuscation

Security in the Client – Part 2

Data Obfuscation

Steven Davis

Page 2: Data Obfuscation

CAUTION: Obfuscation and the Language of Security

• Language here is confusing and non-standard!
• Other problems with encrypt, encode, secure….
• Security is full of sloppy language

And causes real problems both between security people and with REAL people

Page 3: Data Obfuscation

Obfuscation & Code Obfuscation Confusion

• Anti-Tamper
– Altering code so that changes to code can be detected by code
– Adding sequence checks, control flags, etc.
• Anti-Reverse Engineering
– Making decompilation and extraction of code logic more difficult
– Extra, non-standard assembly code (loops, jumps, etc.) that break up apparent code logic

DOES NOT STOP CODE THEFT
Copying without understanding is not stopped!
Also does not stop data alteration

Page 4: Data Obfuscation

Data Obfuscation

– What is it?
• Hiding Data so that it can’t be found
• Storing Data so that it cannot be undetectably altered
– Tactics
• Splits
• Keyed Split
• Encryption
• Multiple Stores
• Local vs. Remote verification
– Challenges
• Programming Complexity

Page 5: Data Obfuscation

Memory Editors

• The game cheater's and hacker's Best Friend!
• Provides direct access to computer RAM
• Application independent cheat tools… easy and powerful and customizable

Page 6: Data Obfuscation

Classic Trap – Private Keys

• Flawed assumption of many security systems
• … and Virtually All DRM systems
• Private Keys aren’t Secret from their user!
– (Good luck with that “trusted hardware”)
– They have to be exposed on their platform
– Signature keys can also be replaced
• No recovery mechanism

Page 7: Data Obfuscation

Asymmetric Warfare

Security is about making the other guys work hard without much work on your part

Page 8: Data Obfuscation

General Data Obfuscation Approach

• Usually Protected_XXX_Class or Template
– Makes it easy to specify values that are being protected
– Limits performance impact
– Separates Obfuscation design from Main code
• Better – Use Macro or Script at Compile time
– Language dependent
– Puts obfuscation in-line, so harder to identify and remove

Can be used with Code Obfuscation (to hide Data Obfuscation)

    HighScore = new ProtectedInt();

Page 9: Data Obfuscation

Data Obfuscation Internals - Split

• Easy and quick
• Can be detected and countered without too much difficulty
– Memory editor looks for changed memory
– Make arbitrary changes to identified changed memory and look at visible results

    // pseudo code split
    Class ProtectedInt() {
        private Int a;
        private Int b;

        // initialize values
        ProtectedInt(x) {
            a = new Int();
            a = randomInt();
            b = new Int();
            b = x-a;
        }

        // retrieval method
        getProtectedInt() {
            return a+b;
        }
    }

Page 10: Data Obfuscation

Data Obfuscation Internals – Keyed Split

• Easy and quick
• Can be detected and countered without too much difficulty
– Memory editor looks for changed memory
– Make arbitrary changes to identified changed memory and look at visible results
• Basis of most license registration and license spoofing scenarios

    // pseudo code keyed split
    Class ProtectedInt() {
        private Int b;

        // initialize values
        ProtectedInt(x) {
            a = new Int();
            a = get_Platform_IDx(); // or other local value
            b = new Int();
            b = x-a;
        }

        // retrieval method
        getProtectedInt() {
            return b+get_Platform_IDx();
        }
    }

Page 11: Data Obfuscation

Data Obfuscation Internals – Encrypt

• Slow (depending on algorithm)
– This can be a real issue.. Full encryption gives little benefit
• Hacker needs to find algorithm and key
– If only used locally, binary code can be replaced sometimes
– Remember: key is still present!

    // pseudo code encrypt
    Class ProtectedInt() {
        private ByteArray a; // encrypted value
        private Int b;       // key (still present in memory)

        // initialize values
        ProtectedInt(x) {
            a = new ByteArray();
            a = ByteArray.fromInt(x);
            b = getKey();
            a = Encrypt(a,b);
        }

        // retrieval method
        getProtectedInt() {
            d = Decrypt(a,b);
            return Int.fromByteArray(d);
        }
    }

Page 12: Data Obfuscation

Blind Functions

– Hackers like to “plug out” security functions to bypass them
– To detect this, structure security functions as “blind functions”

[Diagram labels: Security Test, Yes/No; Security Function, Data, Output, External Verification]

Page 13: Data Obfuscation

Alternatives to Encryption

– Full encryption is time consuming….
– So, use “really bad” encryption instead
– Based on Cipher-Block Chaining
– Create a non-linear function that is reversible and affects the entire data stream

Byte-based sample:

Store randomized 256 entry table (T)
Key stream (K) – m bytes
Data bytes (B) – n bytes

If n = 1

    E = B[0];
    for (i = 0; i<m; i++) {
        E = T[E+K[i]];
    }
    return E;

If n > 1

    If n > 2*m then l = 2*n else l = 2*m
    E[0] = T[B[0]+K[0]];
    for (i = 1; i<l; i++) {
        x = i mod n;
        E[i] = T[E[i-1]+B[i]+K[i]];
    }
    return E;
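A runnable interpretation of the byte-based sample above, added here as an example and not the author's code. It assumes T is a permutation of 0..255, reduces every sum modulo 256, wraps the data and key indices, runs 2·max(n, m) steps (a choice made here so the chain passes over the data at least twice), and adds the inverse; the names TableCipher, obfuscate, recover and the table seed are hypothetical.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <numeric>
#include <random>
#include <utility>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Table-chained byte obfuscation: cheap and reversible, not real cryptography.
struct TableCipher {
    std::array<uint8_t, 256> T{}, Tinv{};  // random permutation and its inverse
    Bytes K;                               // key stream, m bytes (non-empty)

    TableCipher(uint32_t tableSeed, Bytes key) : K(std::move(key)) {
        std::iota(T.begin(), T.end(), 0);
        std::mt19937 rng(tableSeed);
        std::shuffle(T.begin(), T.end(), rng);
        for (int v = 0; v < 256; ++v) Tinv[T[v]] = static_cast<uint8_t>(v);
    }
    // n = 1: m unchained steps (the slide's first case); n > 1: two full passes.
    std::size_t steps(std::size_t n) const {
        return n <= 1 ? n * K.size() : 2 * std::max(n, K.size());
    }
    // E[x] = T[prev + E[x] + K[i mod m]], chained around the buffer in place.
    Bytes obfuscate(Bytes E) const {
        const std::size_t n = E.size();
        for (std::size_t i = 0, l = steps(n); i < l; ++i) {
            std::size_t x = i % n;
            uint8_t prev = (i == 0 || n == 1) ? 0 : E[(i - 1) % n];
            E[x] = T[uint8_t(prev + E[x] + K[i % K.size()])];
        }
        return E;
    }
    // Undo the steps last-to-first; prev is still in place when step i is undone.
    Bytes recover(Bytes E) const {
        const std::size_t n = E.size();
        for (std::size_t i = steps(n); i-- > 0;) {
            std::size_t x = i % n;
            uint8_t prev = (i == 0 || n == 1) ? 0 : E[(i - 1) % n];
            E[x] = uint8_t(Tinv[E[x]] - prev - K[i % K.size()]);
        }
        return E;
    }
};
```

The table seed and key live in the client alongside the data, so this only raises the cost of finding and editing the value with a memory editor.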

Page 14: Data Obfuscation

Multiple Stores

• Store both an unprotected and protected version of data
• … let the hacker think he’s won
• … and, of course, you can combine all of the methods together.

    // pseudo code multiple store using split
    Class ProtectedInt() {
        private Int a;
        private Int b;
        private Int c;

        // initialize values
        ProtectedInt(x) {
            a = new Int();
            a = randomInt();
            b = new Int();
            b = x-a;
            c = x;
        }

        // retrieval method
        getProtectedInt() {
            return c;
        }
    }

    incrementProtectedInt(y) {
        c = c+y;
        d = new Int();
        d = randomInt();
        a = a+d;
        b = b+y-d;
    }

Page 15: Data Obfuscation

Verification – Local & Remote

– Verification can either occur locally or remotely
– If remote, pass all versions of data to the server and let the server make the decision (and decrypt or recover all of the data).
– Action on verification does not need to be taken immediately

For multiple stores:

    verifyProtectedInt() {
        if (c-(a+b)==0) {
            return true;
        }
        return false;
    }
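The multiple-store split with local and remote verification, as an added C++ example that is not the author's code. The names decoy, report, serverAccepts, wasTampered and simulateMemoryEdit are hypothetical, and the memory edit is simulated by a method call rather than an external tool.

```cpp
#include <cstdint>
#include <random>

// Everything the client sends when verification is done remotely.
struct Report { uint32_t a, b, c; };

class ProtectedInt {
    std::mt19937 rng_{std::random_device{}()};  // declared first: a_ needs it
    uint32_t a_, b_;         // split shares: value == a_ + b_ (mod 2^32)
    uint32_t c_;             // unprotected copy, the one a memory scan finds
    bool tampered_ = false;  // latched locally, acted on later
public:
    explicit ProtectedInt(uint32_t x) : a_(rng_()), b_(x - a_), c_(x) {}

    uint32_t decoy() const { return c_; }       // what the UI displays
    uint32_t value() const { return a_ + b_; }  // what game logic should trust

    // Re-randomise both shares on every update so neither one holds a
    // stable value that tracks the visible number.
    void increment(uint32_t y) {
        uint32_t d = static_cast<uint32_t>(rng_());
        c_ += y;
        a_ += d;
        b_ += y - d;
        verify();
    }
    // Local check: record the mismatch, do not react immediately.
    bool verify() {
        if (c_ != a_ + b_) tampered_ = true;
        return !tampered_;
    }
    bool wasTampered() const { return tampered_; }
    Report report() const { return {a_, b_, c_}; }

    // Simulation only: stands in for an overwrite of the visible copy.
    void simulateMemoryEdit(uint32_t forged) { c_ = forged; }
};

// Remote check: the server recombines the stores and makes the decision.
bool serverAccepts(const Report& r) { return r.c == r.a + r.b; }
```

Because the flag is only latched, the client can keep running normally and let the server reject the score at submission time, which hides which write was detected.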

Page 16: Data Obfuscation

What next?

• Don’t give up!
• More security presentations at: http://free2secure.com/
• Check out my book “Protecting Games”
– Additional information at http://playnoevil.com/
• You can “win” the security game

Page 17: Data Obfuscation

About Me

• Steven Davis
– 25+ Years of Security Expertise
– I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications
• http://www.linkedin.com/in/playnoevil
– Author, “Protecting Games”
• Why Free2Secure?
– Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/
– Join me there, ask questions, challenge assumptions, let’s make things better