

Creative anti-debugger technique in Spotify for Windows - tkiley
http://www.steike.com/code/spotify-vs-ollydbg/

======
tptacek
If the time it took to reverse enough of Spotify to find this trick was worth
more than the N months of what Spotify was trying to protect (prior to the
disclosure of the problem), then the trick was a net win for Spotify. That's
the basis of DRM.

Want to make this a modern scheme?

* Make it much, much harder to reverse enough of Spotify to find tricks like this. Encrypt code with a "white-box" variant of an intentionally obfuscated algorithm. Compile numerous dead-code dead-end encrypted code paths into the binary.

* Make the scheme _renewable_, so that instead of simply making a binary decision about whether the program can run or not run, it derives a secret that all valid instances of the program need to operate. Now when someone breaks the scheme (as inevitably they will), release an update with different compiler tricks and a different secret.

* Stockpile a lot of these variants (it is easier for you to do this than for attackers to reverse those tricks, which returns the advantage to you). Make update transparent. Trickle out updates until attackers get bored and go away.

This is essentially the BD+ DRM scheme, which has kept Slysoft mostly on their
heels (multi-week delays on new titles were typical, last I checked). And BD+
had a much harder problem to solve, since they had to coordinate the scheme
amongst lots of consumer electronics vendors. You can do better.

------
tkiley
Granted, this hack relies on a bug in old Borland library code, which means
it's not effective in all situations, but it's still pretty cool.

------
asciilifeform
Given the existence of Bochs, Qemu, and VMware, the use of anti-debugger traps
is a comical anachronism.

~~~
tptacek
Per se, anti-debugger traps are an anachronism.

In general, nothing about (say) Bochs obsoletes software protection. Advanced
protected code (say) encrypts sensitive blocks, and uses (say) runtime
artifacts to decrypt them before executing.

There are software protection schemes that nobody has published breaks for,
presumably because they are too much of a pain in the ass to break.

~~~
mahmud
Off the top of your head, what are some hard ones to look at?

~~~
tptacek
If brl is watching, he'll name one that I decided was much too much of a pain
in the ass to win a message board bet over. Most of my experience here is
NDA'd though.

~~~
Create
_Most of my experience here is NDA'd though._

...security through obscurity never really works.

~~~
tptacek
A nonstatement. Just because something is obscure doesn't mean that it hasn't
also been secured. More importantly, in this setting, obscurity increases
cost. DRM is all about cost.

~~~
Create
_A nonstatement. Just because something is obscure doesn't mean that it hasn't
also been secured._

A nonstatement. Just because something has also been secured doesn't mean
that it is secure. Obfuscation has no true correlation to true security.

~~~
tptacek
I don't know whose argument that comment was intended to address, but it
wasn't mine.

------
YuriNiyazov
Man, this is the sort of thing that originally seduced me to become a software
guy.

