1 of 40

Analyzing modern DRMs

Maurice Heumann

© WIBU-SYSTEMS AG

Who am I?

  • Maurice Heumann
  • Developer @ WIBU-SYSTEMS by day
  • Reverse Engineer by night
    • bypassed Steam CEG, Arxan, Denuvo, …
  • Twitter: momo5502

© WIBU-SYSTEMS AG 2024

2024-05-07

Who is WIBU?

  • DRM Company in Karlsruhe
  • Perfection in
    • Protection
    • Licensing
    • Security
  • Protection for
    • Native, Python, JS, .NET
    • Protection Compiler built on top of LLVM

Agenda

  • State of modern DRMs
  • How to analyze them?
  • How to patch them?
  • How to defeat all that?
  • Summary

State of modern DRMs

  • strong VMs, mixed boolean-arithmetic (MBA) expressions, obfuscation, …
  • compiler-assisted modifications
  • anti-tamper, integrity checks, anti-debugging, …
  • protection is very strong
  • modifying binaries is often impossible
  • classical reverse engineering is almost impossible

How to analyze modern DRMs?

  • goal: find out how DRMs behave
  • DRMs need external information
    • APIs, OS information, user-specific data, …
  • classical reverse engineering fails

→ new tools needed

Emulation with Qiling

Qiling

  • emulation framework
  • Windows, Linux, macOS, …
  • x64, x86, arm, …
  • based on Unicorn
    • based on QEMU
  • Python API
    • could be faster, but it’s ok

  • Unicorn is just a CPU emulator → not OS aware
  • Qiling provides the OS environment
  • reimplements (in Python) the OS APIs and syscalls the target calls
  • provides easy access to emulator state
  • supports a variety of hooks
    • instructions, memory, breakpoints, …

Qiling demo

Qiling

  • strong framework
  • supports many platforms, architectures & OSes
  • not widely known → DRMs do not specifically detect it

but…

  • needs a lot of customization & scripting
  • has quite a few bugs (incorrect API implementations)
  • lacks features (TLS, missing APIs, …)

How to patch the binary?

  • goal: tamper with the binary without triggering its integrity checks
  • reverse engineering the integrity checks is slow

→ new tools needed

Hypervisor

What is a hypervisor?

  • software that runs virtual machines (guest OSes)
  • type 1: bare metal → VMware ESXi
  • type 2: program on a host OS → VMware Workstation
  • requires hardware support
    • Intel VT-x
    • AMD-V

How does a hypervisor work?

  • most guest instructions run natively on the CPU
  • some critical ones (and some events) are intercepted and virtualized
  • a “callback” is registered with the CPU
    • to handle those instructions and other events
  • the event is called a “VM exit”
  • the callback is called the “VM exit handler”

  • memory is abstracted
  • 2nd level address translation (SLAT)
    • Intel: EPT (Extended Page Tables)
    • AMD: Nested Paging
  • + a lot, lot more

→ address translation enables EPT hooking

  • here: loaded as a kernel driver into the running OS (type 2 style)
  • only installs the “callbacks” (VM exit handlers)
  • manages no VMs of its own to begin with
  • the already running OS is moved into a VM (“virtualizing” the current OS)

What is EPT hooking?

Intel only (EPT is Intel’s name for SLAT; AMD’s Nested Paging offers the equivalent)

  • stealth hooking
  • invisible code manipulation
    • invisible to the user mode process and kernel

What is EPT hooking?

[Diagram: one virtual address; memory read and memory execution both resolve to the same physical page]

[Diagram: the same virtual address with the hook in place; memory read and memory execution now resolve to two different physical pages]
[Figure: paging-structure diagram. Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual, Vol 3A, section 4.5.4]

  • initial state: page is execute-only and backed by the modified page
  • read fault (VM exit)
    • ➖ execute & ➕ read access
    • change PFN to good (original) page
  • execution fault (VM exit)
    • ➖ read & ➕ execute access
    • change PFN to modified page

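
Added example, not code from the talk: a user-mode C model of the split-page EPT hook described on the "How does a hypervisor work?" and "What is EPT hooking?" slides above. It stands in for real hardware: the EPT entry, the two physical pages and the VM exit reasons are plain structs and an enum, the sample page bytes and the one-byte patch are constructed here, and the names split_hook, vm_exit_handler, guest_read and guest_fetch are chosen for this example.

```c
/* Added example, not code from the talk: a user-mode model of the EPT
 * split-page hook. Two host pages back one guest page. The EPT entry
 * starts execute-only and points at the modified copy; a guest read
 * then causes an EPT violation (VM exit) and the handler swaps in the
 * pristine copy with read access, while a later instruction fetch
 * causes another violation and the handler swaps the modified copy
 * back in with execute access. Real EPT PTEs, the VMCS and exit
 * reasons are replaced by plain structs and an enum. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
enum { EPT_READ = 1, EPT_EXEC = 4 };
enum vm_exit_reason { EXIT_EPT_READ_VIOLATION, EXIT_EPT_EXEC_VIOLATION };

struct ept_entry {
    uint8_t *pfn;   /* host page backing the guest page (stands in for the PFN) */
    unsigned perm;  /* EPT_* access bits */
};

struct split_hook {
    uint8_t original[PAGE_SIZE]; /* pristine bytes the guest is allowed to read */
    uint8_t modified[PAGE_SIZE]; /* patched bytes the guest actually executes */
    struct ept_entry ept;        /* the one EPT entry covering the hooked page */
    unsigned exits;              /* VM exits taken so far */
};

/* Install the hook: start in the "execute-only, modified page" state. */
static void hook_install(struct split_hook *h, const uint8_t *page, size_t len,
                         size_t patch_off, const uint8_t *patch, size_t patch_len) {
    memset(h, 0, sizeof *h);
    memcpy(h->original, page, len);
    memcpy(h->modified, page, len);
    memcpy(h->modified + patch_off, patch, patch_len);
    h->ept.pfn = h->modified;
    h->ept.perm = EPT_EXEC;
}

/* The "callback registered with the CPU": one VM exit handler dispatching on the reason. */
static void vm_exit_handler(struct split_hook *h, enum vm_exit_reason reason) {
    h->exits++;
    switch (reason) {
    case EXIT_EPT_READ_VIOLATION:   /* -execute, +read, PFN -> good page */
        h->ept.perm = (h->ept.perm & ~(unsigned)EPT_EXEC) | EPT_READ;
        h->ept.pfn = h->original;
        break;
    case EXIT_EPT_EXEC_VIOLATION:   /* -read, +execute, PFN -> modified page */
        h->ept.perm = (h->ept.perm & ~(unsigned)EPT_READ) | EPT_EXEC;
        h->ept.pfn = h->modified;
        break;
    }
}

/* Guest-side accesses: the CPU checks the EPT entry, exits on a mismatch, then retries. */
static uint8_t guest_read(struct split_hook *h, size_t off) {
    if (!(h->ept.perm & EPT_READ)) vm_exit_handler(h, EXIT_EPT_READ_VIOLATION);
    return h->ept.pfn[off];
}

static uint8_t guest_fetch(struct split_hook *h, size_t off) {
    if (!(h->ept.perm & EPT_EXEC)) vm_exit_handler(h, EXIT_EPT_EXEC_VIOLATION);
    return h->ept.pfn[off];
}

int main(void) {
    /* Constructed sample page: "xor eax,eax ; ret" and a hypothetical one-byte patch. */
    static const uint8_t code[]  = { 0x31, 0xC0, 0xC3 };
    static const uint8_t patch[] = { 0xCC };              /* int3 in place of ret */
    struct split_hook h;
    hook_install(&h, code, sizeof code, 2, patch, sizeof patch);

    printf("integrity check reads byte 2: %02x\n", guest_read(&h, 2));  /* C3: original */
    printf("CPU fetches byte 2:           %02x\n", guest_fetch(&h, 2)); /* CC: patched */
    printf("VM exits taken: %u\n", h.exits);
    return 0;
}
```

An integrity check reading the page always sees the original bytes, the CPU always fetches the patched bytes, and every switch between reading and executing the same page costs a VM exit. That last point is the weakness the later "How to defeat hypervisors?" slide exploits: a DRM that keeps data it reads on the same page as its code forces the hook to flip back and forth.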
EPT hooking demo

What else can a hypervisor do?

  • trace memory reads through EPT violations
  • hook instructions: syscall, cpuid, …
  • manipulate time: rdtsc
  • + a lot more

→ see HyperDbg (hyperdbg.org)

How to defeat Qiling & hypervisors?

How to defeat Qiling?

  • trigger its bugs (TLS, API misimplementations, …)
  • abuse implementation specifics
    • API stack frames missing
    • deterministic memory layout
  • abuse QEMU/Unicorn bugs
  • use unimplemented instructions (AVX)

How to defeat hypervisors?

  • really hard
  • detect virtualization
    • cpuid leaves (e.g. the hypervisor-present bit)
    • timing differences → VM exits are expensive
  • mix data into the code page to defeat EPT hooking
    • only what is executed can be swapped, not what is read, so every read flips the page back
  • use kernel mode drivers
Summary

  • modern DRMs are strong
    • breaking the obfuscation is no longer the goal
    • more tooling is needed
  • Qiling
    • simplifies analysis through emulation
    • allows analyzing external communication (APIs, OS data)
  • hypervisor
    • simplifies analysis through virtualization
    • allows patching and manipulating programs without triggering integrity checks

We are hiring: maurice.heumann@wibu.com

Thank You!