I have discovered a software crack where the license check assembly (.NET) has been altered but the digital signature and the strong name are both still perfectly intact.

Strong naming is easy to inject back into modified or recompiled assemblies; however, I thought a digital signature (Authenticode certificate) was much, much harder to bypass. How is it that these crackers have managed to heavily modify this assembly yet maintain the digital signature and the exact file size?

The signature was not re-applied; it still contains the date it was originally signed. Until now I thought that it meant the DLL was tamper-proof, but clearly not.

  • How difficult is it to tamper with an assembly without altering the digital signature?
  • Is a digital signature worth anything more than for Windows UAC, since it clearly doesn't mean the file was not altered?
  • Is this just a problem with .NET assemblies or are native assemblies also vulnerable?
BrutalDev
  • Is the signature still the same as the original file (i.e. they found a collision) or is it a new one which checks out when verified (i.e. they got the signing key)? – Philipp May 03 '16 at 18:30
  • Can you upload the pre- and post-cracked file somewhere along with the crack itself so we can take a look? This sounds kinda hokey and I can't imagine a situation where the signature would remain valid (aside from re-application of a stolen cert or, potentially, a weak hash like MD5). – Polynomial May 03 '16 at 19:01
  • The digital cert appears not to have been altered at all; it still has the timestamp from the original and verifies perfectly. This was cracked twice for two separate versions, both files very different from each other, both with the original signature in place. Ideally I don't want to leak this out; DM me on Twitter @brutaldev and I'll send you a private link with the files. – BrutalDev May 03 '16 at 19:25
  • Update: The signature is in fact invalid, but only if you look at the details or use something like signtool. On the surface it looks good and the verification routines being used to check it were flawed. Using WinVerifyTrust to check now and it correctly determines the cracked signatures to be invalid from the executables. If the executables change, Windows will block it. My trust in digital signatures has been restored. Going to delete this silly question in 24-48 hours. Thanks for making me think about this more and dig deeper. – BrutalDev May 03 '16 at 23:29

0 Answers
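The outcome described in the update, as an added example that is not part of the original post: a check that only asks whether a signature blob is attached still passes after a same-size patch, while the file digest that Authenticode signs no longer matches. The digest routine is a simplified version that assumes the certificate table is the last thing in the file; the function names are hypothetical and the sample "PE" is a constructed header skeleton, not a real binary.

```python
import hashlib
import struct

def _layout(pe: bytes):
    """Return (checksum_off, certdir_off, cert_off, cert_size) of a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                       # past signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    certdir = opt + (96 if magic == 0x10B else 112) + 4 * 8   # directory entry 4
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir)
    return opt + 64, certdir, cert_off, cert_size

def has_signature_blob(pe: bytes) -> bool:
    """Flawed check: only asks whether a certificate table is attached."""
    _, _, off, size = _layout(pe)
    return size > 0 and off + size <= len(pe)

def authenticode_digest(pe: bytes, alg: str = "sha256") -> str:
    """Hash the file, skipping CheckSum, the directory entry and the blob itself."""
    chk, certdir, off, size = _layout(pe)
    end = off if size else len(pe)
    h = hashlib.new(alg)
    for chunk in (pe[:chk], pe[chk + 4:certdir], pe[certdir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def build_sample(body: bytes, blob: bytes) -> bytes:
    """Constructed PE32 header skeleton (not loadable) + body + trailing blob."""
    hdr = bytearray(0x40 + 24 + 224)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)
    struct.pack_into("<II", hdr, 0x40 + 24 + 96 + 32, len(hdr) + len(body), len(blob))
    return bytes(hdr) + body + blob

# Constructed sample data: same-length patch, signature blob left untouched.
ORIGINAL = build_sample(b"licensed = check(key)", b"<constructed signature placeholder>")
CRACKED = ORIGINAL.replace(b"check(key)", b"True      ")

if __name__ == "__main__":
    for name, pe in (("original", ORIGINAL), ("cracked", CRACKED)):
        print(name, len(pe), has_signature_blob(pe), authenticode_digest(pe)[:16])
```

A full verifier goes on to compare this digest with the one stored inside the signed blob and to validate the certificate chain, which is the work WinVerifyTrust and signtool perform.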