
for such tools and software: how to find those faulty lines in the digital forensic tools and how to protect the integrity of the tools so that we are able to do our analysis correctly. So without any further ado, please join me in giving a warm welcome to Bavar sir.

Hello, good morning. I hope I'm audible. Yes. So, as the host already introduced me, today's is a very unique and unusual topic, I would say. I'll explain why it is a unique and unusual topic. This is just my intro. I love malware and forensics. Currently I am focused very much on macOS malware and forensics. I also do Windows malware analysis, not just Mac, but the Mac is very fascinating for me. This topic that I'm going to present today, though, is related to Windows-based malware and forensics. So that is just an intro of me. I'm also part of the organizing committee of DFRWS, which is one of the oldest conferences for digital forensics in the world. So yeah, that's pretty much it.

Here's the agenda that we are going to cover today. It's pretty straightforward, and it might have some unusual steps which you won't find in any other presentations, so please stay tuned.

Just a disclaimer: all the
opinions here are my own and do not represent my employer in any way. The second disclaimer is that this presentation does not encourage cracking at all. This presentation is intended at improving software security as a whole. So if you get some motivation after or during the presentation and you get an urge to crack software, please do not. It is illegal and the companies may sue you, so better not to get involved in that stuff.

Coming to the introduction. The first is software piracy, which is very prevalent in our industry. All the paid software, I would say, gets pirated. It is very common; it's a common thing that is seen all over the world. Then comes software reverse engineering, where people fiddle with the assembly code and try to bypass the security and get the paid software for free. Then comes software cracking, which is part of reverse engineering. It includes many techniques which will let you get around the security mechanisms of that software. Specifically for this presentation, this is meant for commercial digital forensics software, which is very, very costly, and not everyone, or I would say most people, would be able to afford it; only organizations, education institutes and law enforcement agencies would be able to afford it, and hence they use it the most.

This is one of the statistics from last year. In 2023 there was a major contribution to revenue loss just because of software piracy. So you can just imagine: this was for last year, and the stats for this year are yet to come, but it would definitely be more than this. It's a common disease, I would say, that is prevalent in all the industry, and every company is tired of this.

Coming to the copy protection technologies. These are the technologies that are implemented by all the software which is paid
in nature and which is not open source. This is all highly paid software, and it implements something called copy protection technologies, which are of various types. Here I have mentioned four types. The first one is media-based. I'm sure many of us have played games, right? GTA San Andreas, GTA 5, NFS Most Wanted, that kind of stuff. With this type of mechanism you'll usually have to insert a CD-ROM, and only then will it allow you to actually play the game or use the software. This is a very common kind of technology that was used in the earlier times. Now also it is used mostly in the gaming industry.

Then comes the second type of protection, which is serial numbers, and I'm pretty sure most of us are very familiar with this. I would say the best example for this is VMware, or the virtualization software that we use, that is, the pro versions. It all has serial numbers, and you'll have to buy those serial numbers from VMware or the vendor company, but we do not like to do that. So there's a workaround to it. As you can see, this is also an old example, Microsoft Office 2007, 2003: we all used to do this. We get this serial code from anywhere, we just copy-paste it, and it just works with no issues. It does not have any online verification; it's just offline. So you just enter it and you're good to go.

Then comes the third, which is online activation. This was an advanced technology that was released after serial numbers. People were exploiting serial numbers and the companies were trying to find a way around it, so they invented this technology. This is what it looks like: this is a Windows 10 activation. You need to enter a key, and it will get synced to the online license server or manager, and it will be linked to your Microsoft account, and hence it will get activated. So if you have a key from someone else, let's say your friend, it would not work. This was to mitigate that issue.

And the last is hardware-based protection. Companies were very annoyed by the people who were bypassing the software mechanisms and using their software for free. So what they did was take it to the next level and put in a dongle, which is a USB device you can just connect to your USB port. These contain the licenses, which you can't replicate; you can only read them with their own software when it is plugged into a system. So this was a
pretty good idea, I would say. This prevented a lot of software piracy and software cracking, and in the later part of our slides we have a way to bypass this as well; people have their own way of getting around this. So these are the four technologies that are currently in the market, and they will be in the market for a very long time.

This is a convergence of three fields, I would say. The first is digital forensics, because all the software presented in this presentation is mainly commercial forensic software; OSINT, because I did a lot of hunting; and of course malware analysis, because you can never trust crackers. They will include some malicious code or a malicious application just to crack it, and you might end up using it and getting your laptop infected, maybe.

So let's get an insight into the cracking market. The first is: how does cracking work? Initially there is a disk or a piece of software, I would say, and someone downloads it from somewhere, and then they reverse engineer it and crack it, and then it is distributed to other websites: people have their own websites, they have Telegram channels, so people do it in all sorts of ways. This is just a primer for cracking. That was in the context of media; this is in the context of software. People download an exe, so this is pretty Windows-focused. They download an exe from the vendor portal, or download it via the vendor's CDN using their command line, and then they create a crack to bypass the license, and then they publicize it, they market it. They charge very high fees for this; I'll show you how much they charge in the later slides. And they often ask for money in USD or crypto just to evade law enforcement agencies.

This is one of the screenshots from 2021 to 2022. This is one guy that I pinged on Telegram, and he is the owner of a channel which provides cracked digital forensics software. I just asked him, can you get me the Oxygen Forensics software? This is a well-known organization in the digital forensics world. He just quoted me that Oxygen is 150 USD, which I would not pay, of course. So these people have their own channels, and they distribute that software in that channel. This was way back in 2021 and 2022, and later on they changed their selling mechanism, so you should not be asking this type of question. They invented a new kind of marketing
way, which we'll just see.

You might be wondering what commercial software, what cracked software, is available, or what people are selling in these markets. First of all, I love their work, because they are the most creative people, and we as analysts, or the companies, need to learn from them, because they are the ones who can bypass these protections. As you can see, these are two different screenshots from two different Telegram channels, and they have a wide variety of forensic software: Cellebrite Physical Analyzer from Cellebrite. The first four are from Cellebrite, then Magnet Forensics, Oxygen Forensics, final. So they have a good catalog, I would say, of the cracked software, and they have their own way of marketing. Some people do not like it openly, some people do. So the question that I had is: is there any honor among thieves, or is there no honor among thieves? Let's just see. I would not make that decision; it's up to you.

The first one is the latest trend that I have observed, in 2023 and 2024. There is a channel, and they found an innovative way: they are using a Telegram bot as a service. This is one of the channels, and as you can see, this is a VIP channel, and you need to pay to actually get into this and download all the software which they have cracked for you. Once you start this, you'll see what kind of membership you want: standard costs $50, pro costs $70 and premium costs 100 USD. Once you purchase this membership, they will add you to their VIP channel, where you can download all this cracked software. This is a very innovative way just to evade law enforcement agencies, because in the context of law enforcement agencies you need proof, but if you just have this hearsay, you don't have the actual proof that they are actually selling this commercial software. They have just listed it, but the main software is inside those channels, which are hidden and not public.

Then comes this screenshot also. I am not familiar with this language; I think this is Persian or Arabic. Most of the crackers are from, they belong to, Persia, Syria, Iran. All these kinds of people have their own way of communicating in their channels, and this is one from a very famous cracker. I'll not reveal his name, but I love his work. He's one of the best people who makes the cracks. He had, what do you say, a rivalry or an issue which someone raised on the
RaidForums. He was, what do you say, alleging that this person is installing backdoors in his cracks. So as a retaliation he wrote this long post: every piece of software uses VMProtect and a lot of different varieties of software protection, which antivirus engines will flag, of course, because of their protection mechanisms; the code is packed, the code is obfuscated, so that is very commonly seen. But here someone just alleged that he's doing something not legal. So this is a war between two crackers from two different countries.

Coming to the next. This is another screenshot from another channel, or another cracker, where he is advising the users not to download from or indulge with that cracker, because what this cracker usually did was ask for 100 USD or 100 pounds and never add people to the VIP channel. So basically scamming. He's just advising them whether it is a legit person or not and advising them to stay away from it. And as I was saying, this is a very famous cracker, Dr. Fafa, and he's from Egypt or Persia, I'm not very certain, but you can just search his name. He's widely available on all the social media, on X, LinkedIn. He also has a YouTube channel where he makes cracks and advertises them, and he always says this: that all the content is for educational purposes. He does not charge. All the other people charge for downloading cracked software, which is very unique; nobody does this.

You might be wondering what the crackers' motives are. The first is that digital forensics software is very, very costly and not affordable to normal people or normal students. The second is that they profit by charging fees, and in the later slides I'll show you why they do this. Then software piracy, of course, selling on darknet markets or even the clear web. They have their own websites, mostly ending with or Iranian websites, so they do it not on the dark web but on the clear web as well, and they have their own motives. They make the victims fall for downloading free, or their paid, cracked applications, and they can infect them and exfiltrate their cookies, their data, their bitcoin tokens, bitcoin wallets, everything.

So let's just see how much actual commercial digital forensics tools cost in the current market. This is just an approximate cost. All these digital forensic software companies have their own vendor or distributor, and every distributor will charge differently, so
this is just an approximation. The first one is Cellebrite, which costs 15 lakhs per year; then DVR Examiner, which is for DVR and NVR examination, where you analyze your CCTVs. All this software is being used by your law enforcement agencies, and they have all these kinds of software. Belkasoft is a very popular one as well. Magnet is from Canada, I think, Canada or the US. So you can just see how much this software costs, and it's not feasible for a normal person to actually buy it. Then comes Oxygen, Passware. Passware is very famous because it allows you to brute force or decrypt the password of your mobile phones. Then comes XRY, EnCase, MOBILedit, Elcomsoft, which is specific for iOS. Then X-Ways, OSForensics. So you can just see how huge the market for this is and how costly it is.

So how and when did they start? This was one of my side projects, I would say, when I was back doing my master's in college. I had a lab there, and I used to sit most of the time in my lab, and I was just thinking: why are all these digital forensic tools so expensive? Why can't I use them? This got me into exploring Telegram channels and those Iranian websites, those shady sites, I would say. Most of my classmates were out partying, but I was sitting in the lab doing all this geeky stuff, because I was just glued to this.

So, how did I actually find all of this? The first is Telegram. They have a feature called channels or groups. There is a second feature, which is similar channels. Then VirusTotal, of course, and websites, these being Iranian websites, and through Google dorking, since most of them are from Iran. This is a Google dork specifically for enumerating all the websites that have the keywords crack and forensic.

This is the feature. Once you are in a Telegram channel, if you go into the stats, you will see something like 48 similar channels, and if you tap into it you will see what channels are available and how many subscribers there are. This is a pretty new feature, and it requires Telegram Premium. I did not have Telegram Premium, so I just went with whatever was visible: seven, eight channels, whatever first appeared on the list. So I just went there and moved from one channel to another. These are all crackers who have their own techniques. They have their own signatures, which we'll just
see in some time. Then VirusTotal. You just put in one name, Dr. Fafa, and you can see it has a total of 92 cracks available on VirusTotal, which people have uploaded because they want to know if the app is actually malicious or not. So this is the VirusTotal one, and this is the Google dork. Here, if you search this, you can see all of these websites with crack and with .ir, which is Iran.

So let's come to the techniques that these crackers implement to crack the software. The first one is, of course, disabling Windows Defender, because if it detects it, it has a capability to actually submit your sample to their repository, which will analyze it, and if it finds something malicious it will quarantine that file. So the first thing that this software makes you do is just disable Defender. They will ask you to do it manually, of course, most of them. And the second way is that you need to run a script which is inside that malicious application, which will disable your Windows Defender. And how does it do it? The screenshot that you see here is the Windows event log, and this specific event ID, 30002, is specifically for fiddling around with Windows Defender. They might restart it, or they will just stop it, by running the script. So this is the first technique.

Then comes disabling updates from the vendors. This is not actually recommended: we are in the cyber security world, and we are taught to actually update all your software and your OS. But these people do not want it. Why? Because once you install any legit application and crack it, if you update it, your crack will go back, it will be zero. The crack won't work on the newer versions. So they have to be very careful, and they just disable the software updates.

Then third is that they will set the expiry. Every piece of software will have its expiry; generally it is a one-year or three-year license. So they will just set it to any date in the future. This is a screenshot from the keygen, or key generator, and you can manually put in any date that you want, or the crackers might have already done it for you. So just setting that date to any future date will extend your shelf life for that application, so you can use that cracked application for as long as you want. As you can see, this is one of the screenshots where the cracker has set
the date to 2030.

Then comes custom DLLs. The crackers have made their own DLLs or EXEs, which you just have to copy-paste into the application's install location. Let's just take an example: Microsoft Office. You want to crack Microsoft Office. It is in C:\Program Files\Microsoft. So you just copy the DLL provided by the cracker, copy-paste it there, and you're done; it is cracked. And they do this side-loading as well. The aim that they generally prefer is that the DLL should be in the same path as your installed application. Once you do that, it will have all the permissions of the exe file, so it will run with a higher privilege. Most of this forensic software does require admin privileges to actually function, so whatever DLL is being loaded will also have a higher privilege. It can do anything.

Here is one of the snippets of the DLL. As you can see, you can download the setup file from their own hosted site or domain, and it will ask you to actually copy this XLY framework DLL into all these folders. Once you do it, you need to open the application, which is a legit application, and you just enter admin 12345, and boom, you're in, you're using a paid software. So this is one of the beauties of DLL side-loading. And another one, where one DLL file is actually copied: here you have to insert a blank USB drive into your computer, put your DLL in that USB drive and just load your software.

Then comes the most interesting part, which I find very fascinating: the artist signature, or the character signature, I would say. This is one of the quotes from Winston Churchill, and it is also there in Westworld, if anyone has seen it. Every piece of software, once you crack it and install it, will have some indications of who the creator is, and whether you as a user want it or not, they will reveal to you who the master behind this is. Some of the crackers do like to, not hide actually, they do like to publicize their data in the EXIF or metadata of that exe file. Then some prefer to put their own logo in the crack files. Then they will change the background or the fly images and incorporate them into the legit application. Then they will redirect you to external links to their website or channel, and they will also provide you with their WhatsApp number, Telegram
number, in case you want to chat with them. This is one of the snippets where you can see, in the comment section, that this crack was made using Inno Setup. This is an exe builder application which all the developers use, so this is there by default, and some of the signatures are in the legal copyright. A cracker will put his name here and a company name, something.com. So they have their own way of marketing. This is one of them, and this is the second one, where you can see copyright Omi Team. They call it a company, which is not legitimate, but they make it look like a legitimate company or organization. In this you can see they have provided their WhatsApp number, which starts with +94, which is an Iranian number, in case you want to contact them.

Then this is another cracked application. It has a unique marker, if you can see it in the brackets: VIP licensed. This is very unique to one of the crackers, and once you install it, it will change in the installed applications as well, just to show who the maker is, that I created that crack. This is Magnet Forensics, a very popular forensics tool. This is a normal, not cracked, legit application; ideally, once you run it, it should look like this, but after cracking it will look like this. This is one of the crackers who has inserted his logo into the application, and it will also give you a popup saying this is a notification from this, and once you click okay it will redirect you to their website. This is a way of marketing. And in the installed applications you will see VIP licensed, his website name, his Twitter handle, Facebook handle, everything.

And then comes the most important part, which crackers have tried to bypass, and they are very successful at this, which is the dongle emulator. As we talked about previously, you need to insert a dongle which contains a license file into your USB port. So how have people tried to bypass it? As this is removable media, it will show up on your Windows as maybe D: or whatever drive letter. So they will try to create fake removable media, and it will have all the license information, which you can just copy-paste; just follow their instructions. This is one of the snippets where they have hosted the legit application on their own website, something cloud.cloud, and it will download the legit application binary. So this is one way, where they have hosted it on their own website or the
server, and the second is downloading officially from the vendor's CDN. They are quite innovative. This is one of the instructions: crackers usually have a readme file on how to use their crack files, so this is one of them. The first step is to install the legit application. Second is running ImDisk, which will create this removable disk. This is not a physical drive; it is a virtual drive that this software can create. So this is just an illusion, but to the software it will look real, and they will be able to actually load the license there. As you can see, copy all the files from the dongle emulator to the new drive that is created. This is basically emulating, or creating an illusion, that the dongle exists, but in reality you are not using an actual dongle which contains the license. So just these three DLLs, copy-paste them wherever the instructions say, and this is specifically for emulation. You have to copy-paste all of it into different locations. If you can see, these two are the license file, a dot dot file, and another dot dot file; it is not readable. They do try to obfuscate it; they have their own encryption methods. So this is how they bypass dongle-based protection, which is a very unique way to do it.

Then the last method is the keygen, or key generation. This is a legit thing that every developer does for their software, and it is being misused by these crackers very frequently, because it's the easiest method. You don't have to actually build it; there is a ready-made keygen available. You just have to insert whatever details you want and you're good to go. This is an instruction on how to actually crack, or generate, with this keygen. Just follow all these instructions. This is a legit application; you just follow the steps that they have given. And this is what a keygen looks like. It will have your hardware ID, your expiration date, then your local execution time. If you want to lock it, if you want to lock the trial, how many days you want the trial for, then if you want it to execute only once or twice, you can do all of it. After doing this, once you click on generate, it will generate a key file, and this is your license file.

Coming to the end of the presentation, the final thoughts. All of this revolves around Iranian websites and Telegram channels. So why do they do it? It is
one of the most highly sanctioned countries in the world. It was the first, but after the Russia-Ukraine war, Russia became the first and Iran became the second most highly sanctioned country. The US has implemented a lot of sanctions; you cannot trade with this country in any way. They just cut off this country. So they have their own unique way: they charge, as I showed in the earlier slides, $150 or $100. This is how they, what do you say, attract money or contribute to their economy.

The final thought is: how can this be fixed? Of course this needs fixing. It is generating a lot of loss for the digital forensic companies, or the major corporations. The first is using code obfuscation. It's pretty simple, but it needs to be implemented more thoroughly and efficiently. Second is to use stronger or custom encryption algorithms, since the crackers can easily crack the traditional algorithms, AES, DES or whatever the encryption algorithms are. Then enforce hardware-based licensing. Then online activation should be tied to an account; it should not be offline. Then updating and releasing patches to existing installed software; this is one of the ways you can reduce or mitigate the problem of cracking. Then comes involving the vendor threat intelligence team to find out where all the software is sold, and they should recover all the software, do whatever they need to do, and take action as an organization to prevent all these kinds of misuse of their software. Then comes incorporating anti-forensic techniques within their code. Most crackers will try to reverse engineer it using maybe IDA or Ghidra or any of the debuggers; they might put it in a debugger as well. So these software-making companies should implement anti-forensic techniques inside their code. And last, and very important, is checking and verifying existing legitimate users. If you do not do it, you are at risk of losing a lot of revenue.

So that's the end of my presentation. Thank you for listening to me, and I'll take any questions if you have any, or maybe you can ask me in person whenever you want. Yep. Yep. Thank you.
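The host's opening question, how to protect the integrity of a forensic tool so that analysis can be trusted, and the talk's custom-DLL technique (a cracker's DLL dropped next to the EXE, or a vendor licensing module overwritten) both come down to the same defender-side check: files under the install path changed after installation. The following hash-manifest checker is an added example for this transcript, not code from the speaker or from any forensic vendor. It takes a SHA-256 baseline of the binaries in an install directory and reports what was added, removed or modified; the directory layout, file names (`Examiner.exe`, `licensing.dll`, `hook.dll`) and file contents in `demo()` are constructed for the demo and do not refer to any real product.

```python
"""Added example: hash-manifest integrity check for a forensic tool's install directory.

A crack that side-loads a DLL or replaces the vendor's licensing module has to
change files under the install path. Taking a baseline when the tool is
installed from the vendor's media, and re-verifying before each examination,
surfaces exactly those changes. All names and contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Binary types a side-loaded crack would typically add or overwrite.
WATCHED_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file so large forensic binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(install_dir) -> dict:
    """Map each watched binary (path relative to install_dir) to its SHA-256."""
    root = Path(install_dir)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def save_manifest(manifest: dict, out_path) -> None:
    """Persist the baseline. Keep a copy off-host (or sign it) so a crack
    that can write to the install directory cannot also rewrite the baseline."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def verify(install_dir, manifest: dict) -> dict:
    """Return the binaries that were added, removed or modified since the baseline."""
    current = build_manifest(install_dir)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(
            name for name, digest in manifest.items()
            if name in current and current[name] != digest
        ),
    }


def demo() -> dict:
    """Constructed scenario: clean install, then the changes a crack readme asks for."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Examiner.exe").write_bytes(b"vendor binary (constructed)")
        (root / "licensing.dll").write_bytes(b"vendor licensing module (constructed)")
        (root / "readme.txt").write_bytes(b"not a binary, so not tracked")
        baseline = build_manifest(root)
        save_manifest(baseline, root / "baseline.json")

        # The kind of change a crack readme asks for: overwrite the licensing
        # DLL and drop a new DLL next to the EXE so the loader picks it up.
        (root / "licensing.dll").write_bytes(b"patched module (constructed)")
        (root / "hook.dll").write_bytes(b"side-loaded DLL (constructed)")

        return verify(root, load_manifest(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `demo()` and the report lists `hook.dll` under `added` and `licensing.dll` under `modified`, while the untouched EXE and the non-binary readme produce no finding. On Windows this hash baseline complements, rather than replaces, an Authenticode check of each binary's signature (for example `Get-AuthenticodeSignature` in PowerShell), which catches a replaced vendor DLL even when no baseline was ever taken; the hash manifest catches unsigned files a crack adds alongside signed ones.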