Wibu-Systems Hackers Contest 2007: unbeaten for the fourth time
No protection system can be 100% safe. But we keep trying. In the past, Wibu-Systems arranged competitions to check the security quality of our products. In these previous competitions, a protected program was published and it was shown that its protection could not be cracked and made to run without a suitable license in the WibuBox. This is a serious practice-oriented test for software producers who want to publish a protected software product for free download on their website.
In our Hackers Contest for 2007, we went one step further and the participants in the competition received not only the protected application, but also a CodeMeter stick with the appropriate license. Over a thousand contestants entered the competition to claim the attractive prize of €32,768 (or US $40,000).
Task
To win the contest you had to manipulate a CodeMeter protected software so it would run without CodeMeter.
Competition with 2 functions
- Program only with CodeMeter stick executable
- Function 1: Feature-Bit set in CodeMeter → run
- Function 2: Feature-Bit is not set in CodeMeter
- Both Functions display a password
Task:
- Find out 2 passwords.
- Program has to be completely executable without CodeMeter.
- Send resolution method and cracked program via e-mail to Wibu-Systems.
Contestants
1,092 contestants from 27 countries entered the contest and had up to six weeks to remove the copy protection and claim the attractive prize of €32,768 (or US $40,000). Most of the contestants were from Germany, followed by China, USA, the Netherlands, Poland, Hungary, France, Great Britain and the Ukraine.
Result
Although the challenge was theoretically solvable, none of the contestants could fully remove the protection. Most of the contestants fell in the trap of trying to by-pass the intruder detection and had their license locked in CodeMeter. This resulted in further brute-force attacks to the encryption. The chance of breaking the 128-bit AES encryption was nearly to none.
- No one succeeded completely
- No attack against the encryption
- No attack against the hardware or manipulation of the Feature Map
Other contestants failed to jump other hurdles. But we did receive some excellent partial solutions and we awarded those contestants with 500 to 2,000 Euro each. Hackers or Crackers go down different paths than developers and the partial solutions were important input for us. These partial winners discovered some weaknesses in our system which we not seen before. And the discovery of these weaknesses allowed us to strengthen our overall security.
- Partial solutions
- Partial memory dump
- Partial Record/ Playback approach
- Partial solutions awarded with a total amount of 16,000
The Bottom Line
CodeMeter has not been cracked
We accept that no security system is 100% secure. But a high level of security can be reached by:
- Secure Hardware:
- CodeMeter provides for secure key storage and strong encryption in a smart-card chip. The CodeMeter system includes a crack detection, which can lock the license key.
- Secure Integration Technology:
- The code and resources of the protected application will never be completely decrypted in the main memory of the PC. Variable encryption, anti-debugging and obfuscation technologies as well as tools to individually integrate the source code increase the security level again.
