Tuts 4 You

Is it legal?!

Super Mario

Hello,

Just have a few (I think interesting) questions about relationship between RCE and law.

Question 1: I know reversing commercial protectors (e.g. ASProtect) is considered illegal and prohibited via the DMCA and similar acts in the US and EU countries. But... when anti-virus companies have to analyse malware packed with ASProtect, they do reverse engineer it, they do unpack it, they do develop and use automated tools for this, they do research and defeat the protector (ASProtect in this case), right? So, are they violating the law? How do they do that? I believe there is an exception for them (those who defeat a protector for the purpose of fighting malware), so if this is the case, I have another question:

Question 2: What if I decide to write a dissertation, for example, or some other university project, and document in my work how to unpack ASProtect (or any similar protector)? I will never make that document available to the general public (like posting it online as a tutorial), so there won't be any direct or indirect damage to the authors of ASProtect. Documenting in scientific work how to unpack protectors - is it acceptable? Again - I won't share that info publicly, but it will be considered my official research work, so it will be mentioned in my CV, for example. So, will it be legal to do so in the US, or in the EU?

I'd like to know your opinions. People working for AV companies (if they happen to be here) will have the definitive answer, I believe. I'm particularly interested in the situation in the US and EU countries.

If you answer with certainty, please explain how you know what you are saying. In other words, I'm interested both in opinions and in answers, but I want to distinguish them.

Thanks!

Edited by Super Mario

Only a lawyer would be able to give definitive answers to these questions. ;) So, please consider my answer as "opinion" only.

1) As for your example, your logic is flawed. When analyzing a malware sample, AV companies do not analyze and defeat ASProtect itself (that could be a copyright violation); they analyze a file that was packed by ASProtect (to which the maker of ASProtect has no copyright claim). If your logic were correct, then unpacking any ZIP archive would be a violation of the copyright of PKWare Inc., inventors of the ZIP file format.

However, there are a few gotchas. Say protector author X purchases a license from company Y to use their proprietary compression algorithm Z in his protector. An AV company now needs to use some proprietary algorithm to unpack this protector. So, in theory, the AV company might need to purchase a license from company Y for their decompression algorithm. This is where it gets hairy... ;)

2) The AV industry and commercial protector authors cooperate. More or less. Of course, the AV industry would like better cooperation (see http://forum.tuts4yo...lware-creators/ ), but it's a well-known fact that most commercial protectors already have watermarks identifying users, and certain AV engines know how to analyze these marks. Some packer authors also supply information about internal structures and decompression methods too. So it's very unlikely that an AV company would get sued by a protector author.

3) As for your university project, I really suggest that you do not focus on a single commercial protector. Such research is useless from a practical point of view.

Cheers,

kao.


Thank you very much for your reply!

When I said defeating the protector, I meant analyzing/defeating samples protected by ASProtect, not the ASProtect application itself. So if this is acceptable (at least in a scientific research format), that's all I'm interested in.

And you said researching a single protector is useless. I was going (am going) to research not one single protector, but the top few of them... The topic would be something like "RCE attacks on binary protectors". Why do you say it is useless? I want to work in the area of RCE, and I thought researching commercial protectors (how to unpack them...) would have been a good idea (as I think that's the biggest challenge in RCE). What else do you suggest then? I mean, in the RCE field, what topic can you propose?

My knowledge level is currently somewhere at the level of manually unpacking ASProtect-class protectors, though I'm desperate to move to harder ones over time.


1) Malware authors moved away from commercial protectors a few years ago. Now every self-respecting team has its own custom packer/cryptor/protector. The reasons for this change are very simple: AV engines can handle most commercial packers and detect malware protected by them. Embedded watermarks help them too.

2) AV companies get around 55,000 samples per day (source: http://blogs.mcafee.com/mcafee-labs/a-look-at-one-day-of-malware-samples). They are interested in solutions that can handle the majority of samples, not some commercial packer that occurs in 0.1% of the samples. It's all about volume processing these days.

3) AV companies don't need a proper, 100% working unpacked malware sample. In most cases, to detect malware they won't need relocations or import rebuilding or a complete analysis of the "Protector X" VM - the things which are usually the most challenging in manual unpacking.

That's why I'm saying that research focused on a single (or a few) commercial protectors is not useful.

As for a research topic - just a few ideas that came to mind in the last minute: hypervisor-based unpacking, an unpacker engine that uses machine learning to improve unpacking accuracy/speed, similarity detection in malware samples without unpacking them. Look at the VB conference programme to see what's interesting for AV companies these days: http://www.virusbtn.com/conference/vb2011/programme/index


kao

Now I will seriously reconsider my choice. I had somewhat different assumptions about these things... I have some decisions to make regarding that, so could you please give your advice in the following topic as well: http://forum.tuts4yo...estions-please/

Anyway, for the sake of the subject, I'm still interested in whether it will be legal to "touch" commercial protectors in academic research...


There are various loopholes existing from country to country. For example, reverse engineering something for academic research IS legal as long as you keep notes and treat it like an experiment, etc. That's the reason I gave when I got in trouble: I showed my research notes and how I had purchased the target program, etc., and that I made no money from my research/endeavours (important)...

Edited by evlncrn8

In theory, would it be legal to publish a paper on dealing with a certain protector or interesting parts of it?

E.g., explaining in the greatest detail how the Virtual Machine of a well-known protector works (Themida, VMP, ...)?

Quoting kao: "So, in theory, AV company might need to purchase a license from company Y for their decompression algo."

I wouldn't say so; the malicious file they were given may violate Y's licensing, but not the research itself.

After all, they could as well grab a memory dump of the file and pretend never to have seen or identified the algorithm used.

d.


Many ways... like one person analysing it and describing (not in detail) how it works, and you then making a 'clone'. That's sometimes what's done in the hardware industries.

For academic research, you can do it; posting the results, however, may require permission, so it would be best to ask your university etc. about that.

I just used academic research to explain why I did it, how I had so much info, etc., and to point out it wasn't for piracy; it was for my own personal academic interest, curiosity, etc.

As for publishing, it depends on whether you want to use your real name or not, but contacting the parties involved (if you use your real name) would be an idea. Look at the DMCA in detail; there are some loopholes.

Edited by evlncrn8

Since it is illegal to change most applications, whether it is a byte or a whole section, wouldn't it be illegal if I took someone's commercial program and ASPacked it to make the file size smaller? I mean, it permanently changes all kinds of bytes in it, and it isn't my program, so wouldn't that be considered illegal? So does it mean loaders/in-memory patchers are fine because they don't change the original file at all? Just things I have wondered about.


Arguable point...

That would then also imply that if I copied an executable into an NTFS compressed folder, that would be (by your assumption) illegal too, as the file will be physically altered due to the compression, and decompressed in memory on the fly by the operating system... no?

2 weeks later...

Probably a tad off topic, but... @evil... back in the day, did you guys really buy that stuff? I recall Deviance used to say that in their NFOs too...

Just curious...

I recall back in my C64 days I'd (or my parents would) buy a floppy and I'd copy it and return it, etc. Same type of deal? Or did you guys literally have dozens of originals in their cases on a bookshelf?

cheers

B

4 years later...

On 18.10.2011 at 11:13 AM, kao said:

Only a lawyer would be able to give definitive answers to these questions. ;) So, please consider my answer as "opinion" only..

1) As for your example, your logic is flawed. When analyzing malware sample, AV companies do not analyze and defeat ASProtect itself (that could be a copyright violation), they analyze file that was packed by Asprotect (to which the maker of Asprotect has no copyright claim). If your logic was correct, then unpacking any ZIP archive would be a violation of copyright of PKWare Inc, inventors of ZIP file format.

Hmm, interesting. So basically, code (protector code, virtual machine) attached to executables is not under any copyright and is legally perfectly fine to reverse, as long as the protected application does not show an EULA?

Which would mean that removing protector code and VMs from, for example, unpackmes would be perfectly legal. Isn't the code added to the exe under the copyright of the protector company, and therefore not allowed to be reversed because that violates their terms? Probably depends on the country, right?


Again, I must stress I'm not a lawyer. If you need legal advice, I suggest that you hire a lawyer who specializes in intellectual property law.

Usually, protectors come with an EULA containing sentences like these: "Licensee may freely distribute applications that it has processed using the Software" or "Protected applications can be distributed by a number of ways, depending on each developer/company. The distribution process is free of charge or obligation from XYZ". However, the protected application as a whole is under the EULA, and that includes all protector code as well.

"...application is legal to reverse as long as it doesn't show an EULA" - I like to think so. But I doubt that lawyers will see it that way.

Yes, we believe that removing protector code from unpackmes is legal. Some protector authors think otherwise.. :)


Okay, thanks for your opinion. Interesting, and also annoying, that things in reverse engineering are most of the time not so clear regarding their legality, given it's my favourite hobby.
Teddy Rogers

It gets even more convoluted when you take into consideration foreign and regional laws; some or part of those EULAs may count for nothing...

Ted.


I agree with @Teddy Rogers.

I have attached a few excerpted pages (pages 17-23) from the book "Reversing: Secrets of Reverse Engineering" by Eldad Eilam, for the purpose of clarification and to better help us understand the facts. I understand that generally taking a few photocopies (or excerpted pages from a book), as long as it's less than 10 percent of the total pages in the book (in many countries that is the rule), is fine...

Also, I have attached the 7 pages here in the spirit of understanding more about this topic, as it has been explained there in a simple way.

@Teddy Rogers, hopefully I think that it should be fine... If it's not, then please remove the attachment...

As can be seen from the document extracts above, as long as the reason for the reversing is not piracy, and if it's for interoperability with your systems, then it's perfectly legal to go ahead and reverse the program that you have purchased.

In the EU, I understand that as long as you own the program in question, you are allowed to reverse it for personal use (not for piracy or for commercial resale, of course). We had a few cases like this in the past year, and that's what I finally understood from the discussions we had with our legal advisors. We had been told that the EU law allowing this SUPERSEDES anything to the contrary, even if it's in the EULA, thus allowing one to reverse programs they own, for PERSONAL purposes!

Of course, I am not a lawyer myself, and hence, as every individual case is different and unique, it'd be best to consult an attorney for your individual case.

Regarding research papers on PROTECTORS as such, I can give you the [famous] paper by Rolf Rolles: "Unpacking Virtualization Obfuscators". In it he gave SPECIFIC references to VMProtect and other protectors, including their assembly language instruction code. I believe that he is well now :), or otherwise, if it were seriously illegal, his paper would have been pulled off the internet quite a long time ago!

Finally, in general, I have observed that as long as the "work" done is for personal purposes (non-commercial and non-profit) and/or purely for research purposes, there exist a lot of "official" ways to go ahead and conduct reversing and other studies on it, depending of course on the country and the region that you are in.

Excerpted Pages from - Reversing - Secrets of Reverse Engineering.pdf

Edited by Techlord