Re: Protecting Software w/ Software License Keys...
- Subject: Re: Protecting Software w/ Software License Keys...
- From: Simon Stapleton <email@hidden>
- Date: Tue, 18 Jun 2002 02:34:09 -0500
On 6/17/02, Kyle Moffett said:
> How could a cracker get past this? The government uses public-private
> key cryptography for confidential material. Are you saying that somebody
> could get past confidential security in a matter of days, or is my system
> missing some step or something.
Cryptography is one thing, cracking is another one entirely. Your system may well stop crackers ever finding keys, but it won't stop them cracking your software so you don't need one.
Here's a case in point:
Back in the dim and distant past, I was involved with a group of people who wrote demos for the Atari ST. Naff graphics, cack music, but some awesomely cool assembly level programming to make the machine do things that, theoretically, couldn't be done. They also cracked software. I should make it clear at this point that I did not crack software, nor do I know where the crackers lived or live. I was, however, in the vicinity when various pieces of software were cracked...
There was a particular game that was to be cracked, and it had a very, very clever protection scheme.
Like many others, it relied on bad sectors on the original disk, but sectors that were cleverly bad enough that they couldn't be reliably copied. The original disk would return a different error code each time the sector was read, a copy would always return the same error. The problem with this scheme is that it's easily spotted, even in assembler. Look for the bit(s) of code that manipulate the diskette drive, find the one that's searching for your (by now known) bad sector, find the comparison afterwards, either NOP it out or reverse the sense of the branch. Schemes like this could be cracked in a matter of minutes.
This particular game, though, hid the code that did it. The whole 'loading screen' code was encrypted, and was decrypted on the fly by a small but rather innocuous looking routine hooked into the vblank interrupt (the interrupt that got called every time the scan reached the bottom of the screen, a place oft used by demo coders to hook in music code) using a key dependent on the number of hblank interrupts (horizontal scan flyback) that had been called since decoding started and a checksum of the size of the program. The beauty of this was that if you stopped the code, it would mal-decrypt the rest, and KERBLOOEY!
The way it was cracked was as follows:
1 - Work out what's going on.
2 - Change the checksum routine to return a fixed number (the original checksum).
3 - Change the decryption routine to store the decrypted code somewhere else as well.
4 - Run program, wait for the inevitable crash.
5 - Save decrypted bit of code to disk.
6 - Patch decrypted code to not check the disk.
7 - Patch in decrypted code, patch out the decryption routines.
This took 2 dedicated crackers less than 3 hours.
The problem being that if you need to tell the difference between 'registered' and 'unregistered' software, there's always going to be an `if()` statement. And that will always generate code that can be patched at a byte level in your file, no matter how cleverly you hide it, thus entirely bypassing your wonderful scheme. This will then be released as a small 'crack' program which the dishonest user can use to disable licence checking.
Simon
--
Eagles may soar, but weasels don't get sucked into jet engines.
--
PGP Key Id : 0x50D0698D
_______________________________________________
cocoa-dev mailing list | email@hidden