Wibu-Systems Hackers Contest 2011: Unbeaten for the Sixth Time
Are the Russians the best in the world at cracking software? Perhaps, but they were unable to crack CodeMeter in Wibu-Systems’ sixth cracking contest. This time, the contest was sponsored by Rainbow Security, the exclusive distributor of CodeMeter in Russia.
114 participants pitted their cracking skills against CodeMeter's best-in-class security. Would-be crackers comprised 60% software developers, 20% system administrators, 15% IT professionals, and 5% other. They had two weeks to figure out how to run a protected application with no CodeMeter stick. Not only were there no outright winners, no one was able to perform even a partial crack.
Wibu-Systems Hackers Contest 2011: Unbeaten for the Fifth Time
Wibu-Systems China held its own hackers contest to see if anyone in a nation famous for cracking software could crack CodeMeter. Among the 138 Chinese software developers, students, professors, and other high-tech gurus who applied to crack Wibu-Systems’ CodeMeter software protection system, no one was able to collect the $15,000 prize.
Registered applicants were given a protected software application, a CodeMeter hardware CmDongle, and four weeks to crack the application. Just as in previous contests, no one was able to crack the CodeMeter-protected application. The task was to create a version of the application that would run without the CmDongle being present in the computer. At stake was a prize of 100,000 RMB or about $15,000.
Zou Haiyan, National Sales Director of Wibu-Systems (Shanghai), explains: “It is a big success having proven the high security level of CodeMeter in our Hacker’s Contest in China this year. Of course it is impossible to have 100% security. But with CodeMeter our customers will get a very high level of security. We constantly improve our security issue so that our customers can always rely on a strong protection solution.”
CodeMeter by Wibu-Systems AG, headquartered in Karlsruhe, Germany, is a proven and established hardware and activation-based solution protecting and licensing software used by software vendors worldwide. Continual improvements in encryption/decryption technology provides CodeMeter with strong mechanisms against cracking, for example record/playback attacks. Inside the CodeMeter smart card chip different security algorithms are used: 128-Bit AES, 224 Bit elliptical curve, and 1024 Bit RSA. Software vendors can decrypt only the part of the software that is running so that never the complete software is available unprotected on the computer. In addition, all communications between the CodeMeter stick and the software application are encrypted to prevent so-called “man in the middle” attacks.
Wibu-Systems Hackers Contest 2007: unbeaten for the fourth time
No protection system can be 100% safe. But we keep trying. In the past, Wibu-Systems arranged competitions to check the security quality of our products. In these previous competitions, a protected program was published and it was shown that its protection could not be cracked and made to run without a suitable license in the WibuBox. This is a serious practice-oriented test for software producers who want to publish a protected software product for free download on their website.
In our Hackers Contest for 2007, we went one step further and the participants in the competition received not only the protected application, but also a CodeMeter stick with the appropriate license. Over a thousand contestants entered the competition to claim the attractive prize of €32,768 (or US $40,000).
Task
To win the contest you had to manipulate a CodeMeter protected software so it would run without CodeMeter.
Competition with 2 functions
- Program only with CodeMeter stick executable
- Function 1: Feature-Bit set in CodeMeter → run
- Function 2: Feature-Bit is not set in CodeMeter
- Both Functions display a password
Task:
- Find out 2 passwords.
- Program has to be completely executable without CodeMeter.
- Send resolution method and cracked program via e-mail to Wibu-Systems.
Contestants
1,092 contestants from 27 countries entered the contest and had up to six weeks to remove the copy protection and claim the attractive prize of €32,768 (or US $40,000). Most of the contestants were from Germany, followed by China, USA, the Netherlands, Poland, Hungary, France, Great Britain and the Ukraine.
Result
Although the challenge was theoretically solvable, none of the contestants could fully remove the protection. Most of the contestants fell in the trap of trying to by-pass the intruder detection and had their license locked in CodeMeter. This resulted in further brute-force attacks to the encryption. The chance of breaking the 128-bit AES encryption was nearly to none.
- No one succeeded completely
- No attack against the encryption
- No attack against the hardware or manipulation of the Feature Map
Other contestants failed to jump other hurdles. But we did receive some excellent partial solutions and we awarded those contestants with 500 to 2,000 Euro each. Hackers or Crackers go down different paths than developers and the partial solutions were important input for us. These partial winners discovered some weaknesses in our system which we not seen before. And the discovery of these weaknesses allowed us to strengthen our overall security.
- Partial solutions
- Partial memory dump
- Partial Record/ Playback approach
- Partial solutions awarded with a total amount of 16,000
The Bottom Line
CodeMeter has not been cracked
We accept that no security system is 100% secure. But a high level of security can be reached by:
- Secure Hardware:
- CodeMeter provides for secure key storage and strong encryption in a smart-card chip. The CodeMeter system includes a crack detection, which can lock the license key.
- Secure Integration Technology:
- The code and resources of the protected application will never be completely decrypted in the main memory of the PC. Variable encryption, anti-debugging and obfuscation technologies as well as tools to individually integrate the source code increase the security level again.
