Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan

Minor Functional Differences Between Lockdown Module Flavors

Presently, an attacker needs to implement all flavors of the Lockdown module in order to be assured of a successful connection to Battle.net. However, even with the 20 possibilities now available, this is still not difficult due to the minor functional differences between the different Lockdown flavors. Moreso, it is trivially possible to find the "magic" constants that constitute the only functional differences between each flavor of Lockdown.

In the author's tests, two pattern matches and a small 200-line C program were all that were necessary to programmatically identify all of the magical constants that represent the functional differences between each flavor of Lockdown module, in a completely automated fashion. In fact, the author would wager that it took more time to implement all 20 different flavors of Lockdown modules than it took to devise and implement a rudimentary pattern matching system to automagically discover all 20 magical constants from the set of 20 Lockdown module flavors. Clearly, this is not desirable from the standpoint of effort put in to the protection scheme vs difficulty in attacking it.

In order to address these weaknesses, the following steps could be implemented:

  1. Implement true, major functional differences between Lockdown flavors. Instead of using a single constant value that is different between each flavor (probably a "#define" preprocessor constant), implement other, real functional differences. Otherwise, even with a number of different "non-functional" differences between module flavors, a pattern-matching system will be able to quickly locate the different constants for each module after a human attacker has discovered the constant for at least one module flavor.
  2. Avoid using quick-to-substitute constants as the "meat" of the functional differences betwene flavors. While these are convenient from a development perspective, they are also convenient from an attacker perspective. If a bit more time were spent from a development perspective, attackers could be made to do real analysis of each module separately in order to determine the actual functional differences, greatly increasing the amount of time that is required for an attacker to defeat this protection scheme.