Macrovision's safecast goes through SD?


Post by Rico on 24/7/2010, 06:54

Hi guys,

I decided to test the effectiveness of Shadow Defender on my new Win7 x64 rig with complex programs that start up a bunch of services and fill the registry with junk. I had an old Adobe Photoshop CS2 trial (from the Adobe FTP site) lying around and decided to install it in shadow mode and see what happens. (Documents, Downloads and Desktop are excluded.)
A hidden Adobe folder is created in My Documents, which I delete.

Anyway, I've installed it once. After reboot, with a reinstall, when it loaded it said the demo period had expired, which is rather strange considering that everything should be reverted upon reboot. To be frank, the point of this experiment is not to bypass product activation, but to test the resilience of Shadow Defender against rootkit-esque programs on the system. I also own activation keys for the mentioned product. Pirates who intend to bypass this DRM will use the aid of a keygen/crack, making this a rather impractical way in theory to bypass activation. The implications of my experience could be serious for those who rely on SD to protect them against malware.


The results got me thinking: if a legit program is able to somehow permanently affect the system, then malware could probably do the same but with much more adverse effects. I think I've read somewhere that Adobe products tend to modify the MBR, which is a little shady.
If someone has time to try this with a x64 vm please do.

UPDATE:
After some additional research today, I found out Macrovision's SafeCast writes directly to HDD sectors. Shouldn't Shadow Defender stop this? It is this very sector that is commonly also manipulated by malware.

Photoshop CS (actually Macrovision's SafeCast) writes to
reserved absolute disk sector 32. As long as Linux isn't using
this sector for its boot loader you shouldn't have a problem.

source: http://www.velocityreviews.com/forums/t251090-photoshop-cs-on-dual-boot-linux-winxp-systems.html


Last edited by Rico on 26/7/2010, 07:46; edited 3 times in total (Reason for editing : clarification and additional info researched)

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18
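The question in this post is whether a write to a reserved sector outside any partition survives a shadow-mode reboot. One way to check that on your own disk, rather than relying on a trial prompt, is to hash the sectors that belong to no partition before installing anything and again after the reboot; any sector that differs is one the light-virtualisation product did not revert. The script below is an added example written for this thread, not code from Shadow Defender, Returnil or Adobe. It parses a classic MBR partition table (GPT is not handled), works out which sectors are unallocated, and diffs per-sector SHA-256 hashes between two snapshots. The disk image, the partition layout (one partition at LBA 63) and the marker bytes written to sector 32 are all constructed for the demo.

```python
import hashlib
import struct

SECTOR = 512  # the classic sector size that "absolute disk sector 32" refers to


def mbr_partitions(image: bytes):
    """Return [(first_lba, end_lba_exclusive), ...] for the four primary MBR entries."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        ptype = entry[4]                                   # 0x00 = unused slot
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and lba_count:
            parts.append((lba_start, lba_start + lba_count))
    return parts


def unallocated_sectors(image: bytes, total_sectors: int):
    """Sectors owned by no primary partition: the MBR itself and the reserved gap after it."""
    parts = mbr_partitions(image)
    return [s for s in range(total_sectors)
            if not any(lo <= s < hi for lo, hi in parts)]


def sector_hashes(image: bytes, sectors):
    """Map sector number -> SHA-256 of that sector's 512 bytes."""
    return {s: hashlib.sha256(image[s * SECTOR:(s + 1) * SECTOR]).hexdigest()
            for s in sectors}


def changed_sectors(before: dict, after: dict):
    """Sectors whose hash differs between the two snapshots."""
    return sorted(s for s in before if before[s] != after.get(s))


def build_image(total_sectors: int = 64) -> bytes:
    """Constructed 32 KiB disk image: MBR with one NTFS-typed partition starting at LBA 63."""
    img = bytearray(total_sectors * SECTOR)
    # status, CHS start (3 bytes), type 0x07, CHS end (3 bytes), LBA start, LBA count
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1)
    img[0x1BE:0x1BE + 16] = entry
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def demo():
    """Snapshot the reserved area, simulate a write to sector 32, snapshot again, diff."""
    total = 64
    before_img = build_image(total)
    watch = unallocated_sectors(before_img, total)       # sectors 0..62 in this image
    before = sector_hashes(before_img, watch)

    after_img = bytearray(before_img)
    marker = b"CONSTRUCTED-MARKER"                       # stands in for a DRM or rootkit write
    after_img[32 * SECTOR:32 * SECTOR + len(marker)] = marker
    after_img[63 * SECTOR:63 * SECTOR + 4] = b"file"     # inside the partition: not watched
    after = sector_hashes(bytes(after_img), watch)

    return changed_sectors(before, after)                 # [32]


if __name__ == "__main__":
    print("reserved sectors changed between snapshots:", demo())
```

On a real Windows box you would feed the same functions the first few MiB read from `\\.\PhysicalDrive0` (opened as a file with administrator rights, reading in whole-sector multiples) once before entering shadow mode and once after the reboot. A reported sector in the reserved gap is the evidence the thread is looking for; a write that lands inside the shadowed partition, like the one at sector 63 in the demo, is deliberately outside the scan because that is what the product is expected to revert anyway.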

Re: Macrovision's safecast goes through SD?

Post by Rico on 25/7/2010, 07:54

http://www.woodmann.com/forum/archive/index.php/t-7462.html --------- Macrovision's scheme dissected on a reversing forum. Man, these people are insane.

http://www.wikihow.com/Remove-Safecast ------- might be useful for those who test on actual system.

It is definitely low level disk access that we are talking about here.


Re: Macrovision's safecast goes through SD?

Post by ssj100 on 26/7/2010, 08:31

Just a few questions. How exactly does one try to reproduce this? Can you give us a download link of the program involved (I think it's Safecast)?

I think step by step instructions of how to reproduce the issue would be nice. Don't forget to specify what exactly to look for.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Macrovision's safecast goes through SD?

Post by Rico on 26/7/2010, 18:53

Hi ssj, the link to the software tested is http://download.adobe.com/pub/adobe/photoshop/win/cs2/Photoshop_CS2.exe

SafeCast is a DRM component used in many kinds of software such as TurboTax and PC games. When testing, force the trial to expire by setting the clock back. After a reinstall (in shadow mode) following a reboot, it will prompt you for activation. The bottom line here is that since all registry entries/files of the program are gone after reboot, the only way SafeCast detects a prior installation of the program is by detecting its modification to the HDD sector.

Try it against the x64 version of Shadow Defender, the one I used.



Re: Macrovision's safecast goes through SD?

Post by ssj100 on 26/7/2010, 19:19

I'm not sure if I'll be able to test the 64-bit version, but I might give it a go (my hardware is 64-bit capable, but I'm not sure if it's possible to run a 64-bit guest on a 32-bit host).

By the way, have you tested other light virtualisation programs like Returnil? If not, it might be interesting to see how it compares.


Re: Macrovision's safecast goes through SD?

Post by Ruhe on 26/7/2010, 19:28

ssj100 wrote:(my Hardware is 64-bit capable, but I'm not sure if it's possible to run a 64-bit Guest on a 32-bit Host).
AFAIK VMware is able to do so.
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

Re: Macrovision's safecast goes through SD?

Post by Rico on 26/7/2010, 22:44

No, I haven't tested against Returnil, and probably can't because my HDD has multiple partitions, which might affect the results as the free Returnil only shadows the C drive.


Re: Macrovision's safecast goes through SD?

Post by Rico on 1/8/2010, 01:32

Hey guys, I managed to test this with Returnil on a single-partition PC and it's still able to modify the HDD. Those guys at Macrovision have got some hefty resources, when 5-year-old SafeCast still makes it through LV products developed later on.


Re: Macrovision's safecast goes through SD?

Post by Rico on 1/8/2010, 06:30

Am I the only one who cares about the significance of this breach? Not many people seem interested in testing this out, unlike the TDSS fiesta @ Wilders...


Re: Macrovision's safecast goes through SD?

Post by ssj100 on 1/8/2010, 06:33

I'd test it if I could get a 64-bit VM working - just too lazy to troubleshoot why it's not working for me at the moment. Do you know if the same issue can be reproduced on a 32-bit machine?


Re: Macrovision's safecast goes through SD?

Post by ssj100 on 1/8/2010, 06:47

By the way, Shadow Defender (and probably all LV software) does not cover the "CMOS":
http://www.shadowdefender.com/phpbb/viewtopic.php?f=3&t=296

Could this have anything to do with your test? In other words, I don't think Shadow Defender/Returnil etc are being bypassed or that Adobe are being clever - LV products simply don't virtualise the "CMOS" meaning that Adobe simply has to read the time/date in the "CMOS" and register that the time/date has expired? To achieve this, perhaps they store trial data online via your IP address etc?

EDIT: I can reproduce the issue on a 32-bit system. Maybe someone like Coldmoon will be able to dissect out exactly what's going on - I'll leave it to you to PM him etc.


Re: Macrovision's safecast goes through SD?

Post by Rico on 6/8/2010, 08:16

ssj100 wrote:By the way, Shadow Defender (and probably all LV software) does not cover the "CMOS":
http://www.shadowdefender.com/phpbb/viewtopic.php?f=3&t=296

Could this have anything to do with your test? In other words, I don't think Shadow Defender/Returnil etc are being bypassed or that Adobe are being clever - LV products simply don't virtualise the "CMOS" meaning that Adobe simply has to read the time/date in the "CMOS" and register that the time/date has expired? To achieve this, perhaps they store trial data online via your IP address etc?

EDIT: I can reproduce the issue on a 32-bit system. Maybe someone like Coldmoon will be able to dissect out exactly what's going on - I'll leave it to you to PM him etc.

Thanks for your response ssj, I have also talked about this to Coldmoon. If anything is posted by him concerning this I'll be sure to update. Meanwhile there are some intriguing thoughts about this:
Considering that testing was done on a firewalled PC, how could this have been possible? I didn't have any remote connection prompts at all, which probably means it's a local affair. Can info in the CMOS be manipulated by programs? I.e. could info be stored there?

When you restored a vbox snapshot before installation, is the issue recreated?


Re: Macrovision's safecast goes through SD?

Post by ssj100 on 6/8/2010, 09:03

Rico wrote:When you restored a vbox snapshot before installation, is the issue recreated?

I don't know, I didn't test that aspect. I know software like BluePoint Security is able to somehow read the time/date within a VM too, so it's not "fooled" by a snapshot back. You'd need to re-install the OS within the VM in order to "bypass" the 30 day trial (not that this is what we're intending to do here). I remember Zero_One (or similar) from BluePoint Security explained how they were able to do this, but I can't recall exactly what was said - I can try asking him again.


Re: Macrovision's safecast goes through SD?

Post by Rico on 7/8/2010, 05:58

This is puzzling indeed. From what I've read, even reinstalling the OS cannot undo these low-level changes.
Is the VM HDD in essence a separate HDD? For example, does malware like KillDisk ruin part of the real HDD when unleashing the payload and destroying the VM?
I would be interested to know zero_one's say on this, please do let me know what he says.


Re: Macrovision's safecast goes through SD?

Post by ssj100 on 7/8/2010, 09:54

Rico wrote:This is puzzling indeed. From what I've read, even reinstalling the OS cannot undo these low-level changes.
Is the VM HDD in essence a separate HDD? For example, does malware like KillDisk ruin part of the real HDD when unleashing the payload and destroying the VM?
I would be interested to know zero_one's say on this, please do let me know what he says.

Yes, I suppose the VM HDD is a separate HDD. No, KillDisk does not ruin part of the REAL HDD when the VM is destroyed; in fact, simply rolling back to the previous snapshot restores the destroyed VM to normal.

Well, I haven't managed to get hold of Zero_One for the last few days. Hopefully he'll pop round again soon and we can ask him.
