Software Protection Survey

  • C Chris Losinger

    What software authors really need for piracy protection is OS and hardware support. The OS and the hardware need to keep users from reading (in an editor) and writing (for patches) executable files. This would also require encryption of some kind, to keep EXEs from being modified on non-compliant OSes... But wait, that's Digital Rights Management stuff, and I don't like that. Hmm... -c


    "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

    Russell Robinson
    wrote on last edited by
    #22

    I have worries about OS support:

    1. I can't actually think of any way to stop an executable file from being read or written. The OS has to provide low level access to the disk in some way (e.g. for defragging and checking the disk), so even if the high level prevents access to the exe, you can still get to it at a lower level.
    2. If the OS supports protection, then breaking everyone's protection is easy because you just break the OS code. Does anyone know a good OS manufacturer?
    3. If it also relies on some hardware device (such as a dongle), I've already listed the problems with this in an earlier post.
    4. How are developers going to compile programs? If the OS has a "switch off protection - development in progress" mode, then that's pretty straightforward for anyone to use.

    The two ends of this problem are:

    • software can always be changed
    • hardware is damned inconvenient to ship

    So, it seems to me that most software products (excluding the really expensive stuff) need a cheap and simple but effective software protection solution. (PS does anyone know why using HTML list causes the post to go bold?) Russell Robinson (russellr@rootsoftware.com) Author of TTMaker (Advanced Timetabling Software) http://www.rootsoftware.com

    • P Paul Ingles

      Ok, here's my first post, and thoughts on the topic. Generic software protections are bad because they're generic (kinda obvious). If you want any kind of decent protection it really does need to be completely involved with the rest of your code. For example, TimeLock -- a protection that was contained within tl32v20.dll. Inside this there were I think two comparisons for the correct unlock code. By modifying a simple part, any software could be unlocked. If you visit astalavista.box.sk you can see the countless number of protections that have been broken, from the relatively inexpensive to the extremely expensive. Reversers and crackers hold software protection companies in fairly low regard, and as such there's probably a fairly high desire to obliterate any generic protections produced.

      Protection routines have to be interwoven with the rest of your application. A simple check like "If isRegistered Then EnableWindow Else DisableWindow" is easy to remove, since you can either change the parameter for enablewindow to true, and it's enabled even with a wrong code, or, change the comparison so it checks the generated code, with the generated code etc.

      There are a few sites with good suggestions for coding protections, for example, whereby the protection routine is required to build a necessary structure. Thus, if the protection routine is removed the structure isn't built and thus renders the application unstable or useless. Alternatively, if the incorrect code is entered, likewise, the structure will be built incorrectly.

      Of course, if it was this simple then there would be masses of great protections. Some are better than others, but it's really no substitute for creating one yourself. For example, a while ago while I was reading into this subject, a reverser had suggested using a grid of checkboxes. Instead of comparing a string with a string, a random sequence of checkboxes in an array were compared. Because it's not a commonly used method it requires more thought than the regular serial number entry.

      Or, you could incorporate parts of the structures or code within pictures using steganography. Using a somewhat similar approach to passwords that MS Research recently demonstrated, by offering users a selection of pictures. Only if the correct combination is selected will the necessary code exist to run. Again, by using something a little unique, it makes the task of cracking it a little harder. (Bear in mind I've just had this thought off the top of my head, so it may be seriously flawe
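
      The idea in the post above, where the registration code builds a structure the application needs instead of being compared against a stored value, sketched as an added example (not code from the post or from any product named in the thread). The table contents, the code format and the SHA-256 counter-mode masking are assumptions made for illustration, not a vetted cipher.

```python
import hashlib
import struct

# Constructed sample values (hypothetical); a real build would generate its own.
ISSUED_CODE = "TTX4-93KD-PLQ7"                 # registration code given to the customer
BAND_LIMITS = [105, 220, 340, 475, 610, 980]   # data the application cannot work without


def _keystream(code: str, length: int) -> bytes:
    """Expand a registration code into `length` mask bytes (SHA-256, counter mode)."""
    seed = hashlib.sha256(code.strip().upper().encode("utf-8")).digest()
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(seed + struct.pack(">I", counter)).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, mask: bytes) -> bytes:
    return bytes(d ^ m for d, m in zip(data, mask))


def seal_table(table, code):
    """Vendor side, at build time: pack the table and mask it with the code."""
    raw = struct.pack(">%dH" % len(table), *table)
    return _xor(raw, _keystream(code, len(raw)))


def build_table(sealed, entered_code):
    """Application side: the table is whatever the entered code unmasks.

    No copy of the right code is stored and there is no equality test;
    without this call the application simply has no table.
    """
    raw = _xor(sealed, _keystream(entered_code, len(sealed)))
    return list(struct.unpack(">%dH" % (len(raw) // 2), raw))


def band_for(amount, table):
    """Feature code that depends on the table: index of the first limit >= amount."""
    for index, limit in enumerate(table):
        if amount <= limit:
            return index
    return len(table)


# Only this masked blob would ship inside the application.
SEALED = seal_table(BAND_LIMITS, ISSUED_CODE)


def demo():
    """Build the table once with the issued code and once with a code one character off."""
    good = build_table(SEALED, "ttx4-93kd-plq7 ")   # same code, different case and spacing
    bad = build_table(SEALED, "TTX4-93KD-PLQ8")     # wrong code: table comes out as noise
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("issued code :", good, "-> band for 300 is", band_for(300, good))
    print("wrong code  :", bad, "-> band for 300 is", band_for(300, bad))
```

      This removes the single comparison, not the dependence on secrecy: once a genuine code has been entered the unmasked table sits in memory, and a genuine code that is passed around unmasks it for everyone.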

      Russell Robinson
      wrote on last edited by
      #23

      Paul Ingles wrote: Protection routines have to be interwoven with the rest of your application. A simple check like "If isRegistered Then EnableWindow Else DisableWindow" is easy to remove, since you can either change the parameter for enablewindow to true, and its enabled even with a wrong code, or, change the comparison so it checks the generated code, with the generated code etc.

      Absolutely right.

      Paul Ingles wrote: Of course, if it was this simple then there would be masses of great protections. Some are better than others, but its really no substitute for creating one yourself.

      I'm not saying it is simple. I'm just saying it's possible. In fact, Paul, with respect, your second sentence contradicts your first one. If it isn't simple, why would you try to create one yourself? Everyone is basically saying "you can't sell a protection product that everyone can use without it being easily broken". I think this is based on these assumptions:

      1. a Software Protection System will have a single interface that can be targeted by crackers
      2. you can't spread the protection throughout your product
      3. coming up with your own solution will always be better

      On this last point, what about cryptography? The best cryptographic systems are open source. Everyone gets to see how they work. But they are still difficult/impossible to break. We're still thinking about the source code issue, and we may well provide the source as part of our offering. In other words, we'll take the challenge that a cracker might say "I'll break it if I know how it works". Our system overcomes the first two assumptions. You *won't* have a single interface that can be targeted. You *will* be able to spread the protection throughout your product. I really like the idea of a collaborative area where we can test and discuss ideas. This will definitely be part of our offering. I'm simply asking whether developers would like a system that incorporates the good ideas, the ones that work, into a product they can purchase. Russell Robinson (russellr@rootsoftware.com) Author of TTMaker (Advanced Timetabling Software) http://www.rootsoftware.com

      • N Neville Franks

        When you generate the hash you use a key which only you know. The key never appears in the app, so it isn't possible for anyone else to generate a hash that will work. Neville Franks, Author of ED for Windows. www.getsoft.com

        Chris Losinger
        wrote on last edited by
        #24

        i must be missing something... as i see it, CRC is equivalent to a hash : hash_or_crc = fn(fileBytes) . if your app has to calculate it, a crack can bypass it. -c


        "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

          Neville Franks
          wrote on last edited by
          #25

          Chris Losinger wrote: i must be missing something...

          Yes. Go to Google and search for "one way hash". MD5 is a commonly used one way hash. This is all related to the wonderful world of Cryptography.

          "A hash function is an algorithm that takes a variable-length string as the input and produces a fixed-length binary value (hash) as the output. The tricky part is to make this process irreversible, that is, finding a string that produces a given hash value should be very hard (hence the word "one-way"). It should also be hard to find two arbitrary strings that produce the same hash value."

          have fun. Neville Franks, Author of ED for Windows. www.getsoft.com

            Chris Losinger
            wrote on last edited by
            #26

            Russell Robinson wrote: I can't actually think of any way to stop an executable file from being read or written.

            the same way they'll make it impossible to read or write video and audio files: through a combination of software and compliant hardware.

            Russell Robinson wrote: How are developers going to compile programs?

            ahh... there's the true evil of DRM, and why every US citizen reading this should be sending letters to their congress people telling them to defeat the latest round of copyright nonsense. i am playing devil's advocate here. i don't want the OS to do anything like this. but, if the media people have their way, OSes will be required, by law, to prevent access and copying of copyrighted material - programs included. the only real way to do that is to combine software and smart hardware. then we're all screwed. -c


            "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

              Chris Losinger
              wrote on last edited by
              #27

              i know all about the "wonderful world of Cryptography". what i don't know is what you think a person should do with this one-way hash that makes it any different than just using it as an expensive CRC. calc the CRC of the EXE, stamp the EXE with it, recalc at runtime and compare against the stamped version (s/CRC/MD5/) -c


              "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

                Neville Franks
                wrote on last edited by
                #28

                The difference is that a hacker can patch out your protection code then calculate a new CRC and put it into the .EXE. Then when your code checks the CRC it says "all ok" and the app works normally. With a one way hash like MD5 it isn't possible for the hacker to calculate the new MD5 because they don't know the key. So when your app checks it, it fails. Neville Franks, Author of ED for Windows. www.getsoft.com
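
                The distinction drawn in the post above between an unkeyed stamp and a keyed one, as an added example that is not code from the thread: a CRC32 stamp can be recomputed by anyone who changes the file, while a keyed tag cannot be regenerated without the key. HMAC-SHA256 stands in here for the keyed MD5 the post mentions, the image bytes and keys are constructed sample values, and the verifier is assumed to hold the key.

```python
import hashlib
import hmac
import zlib

CRC_LEN = 4    # bytes of CRC32 stamp appended to the image
TAG_LEN = 32   # bytes of HMAC-SHA256 tag appended to the image


def crc_stamp(body: bytes) -> bytes:
    """Unkeyed stamp: a pure function of the bytes, computable by anyone."""
    return zlib.crc32(body).to_bytes(CRC_LEN, "little")


def keyed_stamp(body: bytes, key: bytes) -> bytes:
    """Keyed stamp: depends on the bytes and on a secret key."""
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_crc(stamped: bytes) -> bool:
    """Recompute the CRC over the body and compare it with the trailing stamp."""
    if len(stamped) < CRC_LEN:
        return False
    body, stamp = stamped[:-CRC_LEN], stamped[-CRC_LEN:]
    return crc_stamp(body) == stamp


def verify_keyed(stamped: bytes, key: bytes) -> bool:
    """Recompute the keyed tag over the body and compare in constant time."""
    if len(stamped) < TAG_LEN:
        return False
    body, tag = stamped[:-TAG_LEN], stamped[-TAG_LEN:]
    return hmac.compare_digest(keyed_stamp(body, key), tag)


def flip_byte(body: bytes, offset: int) -> bytes:
    """Return a copy with one byte changed, standing in for any modification."""
    changed = bytearray(body)
    changed[offset] ^= 0xFF
    return bytes(changed)


def compare_schemes() -> dict:
    """Run both schemes over an untouched, a modified, and a modified-and-restamped image."""
    # Constructed sample data: a stand-in file image, the vendor's key, and the
    # key of some party that does not hold the vendor's key.
    image = b"constructed sample image " * 8
    vendor_key = b"constructed-vendor-key"
    other_key = b"not-the-vendor-key"
    modified = flip_byte(image, 10)

    return {
        "crc_untouched": verify_crc(image + crc_stamp(image)),
        "crc_modified_old_stamp": verify_crc(modified + crc_stamp(image)),
        # No secret is needed to produce a matching CRC for the modified bytes.
        "crc_modified_restamped": verify_crc(modified + crc_stamp(modified)),
        "keyed_untouched": verify_keyed(image + keyed_stamp(image, vendor_key), vendor_key),
        "keyed_modified_old_tag": verify_keyed(modified + keyed_stamp(image, vendor_key), vendor_key),
        # A tag made with any other key does not verify under the vendor's key.
        "keyed_modified_restamped_without_key": verify_keyed(
            modified + keyed_stamp(modified, other_key), vendor_key
        ),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name:40s} accepted={accepted}")
```

                Both verifiers hand back one boolean, so either result is only as trustworthy as the code that acts on it, and a key that has to live inside the verifier is no longer known only to the vendor.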

                  Chris Losinger
                  wrote on last edited by
                  #29

                  Neville Franks wrote: So when your app checks it, it fails.

                  ok. so how does the app check it????? sheesh. actually, forget it. i don't want to know -c


                  "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

                  • R Russell Robinson

                    Hardware protection is really good stuff. No argument from me. But it does have some drawbacks:

                    1. Can be inconvenient to the user when he/she buys 5 or 10 products that each require a dongle-like object.
                    2. Can be expensive - for each sale you have an extra expense.
                    3. Probably overkill for most software systems.
                    4. Inconvenient to the provider and the user - the user must wait until the physical dongle has been delivered to them. With more and more software being delivered electronically, this kind of defeats the whole concept.

                    So, I think there's still room for a good software-only system. Hopefully, the survey will tell us (and everyone - we'll publish the results). Russell Robinson (russellr@rootsoftware.com) Author of TTMaker (Advanced Timetabling Software) http://www.rootsoftware.com

                    Daniel Turini
                    wrote on last edited by
                    #30

                    Russell Robinson wrote: 1. Can be inconvenient to the user when he/she buys 5 or 10 products that each require a dongle-like object.

                    Not necessarily true. Only in case of multiple vendors. But yes, this can lead to a Christmas tree in your LPT port. :)

                    Russell Robinson wrote: 2. Can be expensive - for each sale you have an extra expense.

                    Yeah, very expensive. Here in Brazil, about US$ 43 each key.

                    Russell Robinson wrote: 4. Inconvenient to the provider and the user - the user must wait until the physical dongle has been delivered to them. With more and more software being delivered electronically, this kind of defeats the whole concept.

                    Worse than that, I have to maintain about 10 keys hanging around just in the case I sell more than I predicted. Not only the user has to wait for the key, I (the software provider) have to wait for the keys and buy them in advance for the software I did not sell yet. Again, I think that a software-only protection can achieve about the same level of protection that a hardware key if a network server acts like the dongle. Conceptually, if the protection scheme is really strong, the protocol can be LPT, USB or TCP/IP, it really doesn't matter. But I am yet to see it implemented. Crivo Automated Credit Assessment

                      Neville Franks
                      wrote on last edited by
                      #31

                      Chris Losinger wrote: ok. so how does the app check it????? sheesh.

                      It runs the hash verifier function over the .exe and compares the result with what it is supposed to be, i.e. the hash value embedded in the .exe. Neville Franks, Author of ED for Windows. www.getsoft.com

                        Chris Losinger
                        wrote on last edited by
                        #32

                        just replace

                        bool VerifyHash() {... return ok;}

                        with

                        bool VerifyHash() {... return true;}

                        breaking it is identical to breaking a CRC check. -c


                        "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

                          Neville Franks
                          wrote on last edited by
                          #33

                          Correct, assuming they can find this and find every occurrence of it. The trick is to check this at random times and in multiple places. I can check it on the nth start of my app n minutes after it started, on day 23 etc. etc. I can run it from some obscure thread instead of or as well as the main app thread. If there is something wrong just flag the fact and don't handle it till some time later. This is all about smoke and mirrors and deception. By all means have simple checks that make them think they've cracked it, but be really devious with other well hidden and disguised code. At the end of the day it is all a game we play. Neville Franks, Author of ED for Windows. www.getsoft.com

                          • R Russell Robinson

                            Chris Losinger wrote: Russell Robinson wrote: I can't actually think of any way to stop an executable file from being read or written. the same way they'll make it impossible to read or write video and audio files: through a combination of software and compliant hardware.

                            Like DVDs region restrictions. I don't own a DVD player, but I believe it's easy to get one that plays any DVD. Yes, I suppose it could happen, but it really would require a sea-change in the law in democratic countries. No-one would build a computer that provided hardware enforcement unless everyone *had* to. Imagine all US companies being forced to build computers that way....that would create a good market for Taiwanese computers; even if it had to be a black market. My guess is it's very unlikely.....And if we can come up with adequate software protection, there won't be a need for hardware protection. Russell Robinson (russellr@rootsoftware.com) Author of TTMaker (Advanced Timetabling Software) http://www.rootsoftware.com

                            Chris Losinger
                            wrote on last edited by
                            #34

                            but, it's exactly what congress is trying to do. -c


                            "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

                                Chris Losinger
                                wrote on last edited by
                                #36

                                yup -c


                                "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

                                  Russell Robinson
                                  wrote on last edited by
                                  #37

                                  Some in congress. Also, Microsoft and IBM are against it. And if Microsoft, which was recently convicted of rather nasty activity, can get away scot-free, then I'm not too worried about the congress bill(s) getting very far. You've got an election in the US soon (couple of years) haven't you? Russell Robinson (russellr@rootsoftware.com) Author of TTMaker (Advanced Timetabling Software) http://www.rootsoftware.com

                                    Chris Losinger
                                    wrote on last edited by
                                    #38

                                    Russell Robinson wrote: You've got an election in the US soon (couple of years) haven't you?

                                    this year (not for president, but for a fraction of congress) -c


                                    "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

                                      Russell Robinson
                                      wrote on last edited by
                                      #39

                                      I guess I'm an optimist in most things. It took nearly 5000 years (or maybe 35000 years) to create the concept of a Liberal Democratic Society. Clearly, they are the most prosperous of societies on Earth and many people have died either creating them or defending them. Our only real threat (apart from global annihilation through terrorism and/or war) is the really rich people who want to have absolute power too. I guess that's what you're talking about Chris: a couple of rich industries wanting to control our societies and take away freedoms. I think Liberal Democratic Societies are more resilient to those attacks than we might believe. However, it's people like yourself, who are passionate about the issue, that keep us on our toes and help to defend the freedoms we already have. I'm so inspired now :). Being an Aussie, can I write to congress or is it a waste of time? Cheers. Russell Robinson (russellr@rootsoftware.com) Author of TTMaker (Advanced Timetabling Software) http://www.rootsoftware.com

                                        Chris Losinger
                                        wrote on last edited by
                                        #40

                                        Russell Robinson wrote: I'm so inspired now . Being an Aussie, can I write to congress or is a waste of time?

                                        :) you should get ready to fight this battle in the Aussie govt.. if this becomes a US law, it will probably spread (things seem to work out that way, unfortunately). -c


                                        "Do you mind if I smoke?" "Madam, I don't care if you burn."    -Oscar Wilde Smaller Animals Software, Inc.

Russell Robinson wrote:

Paul Ingles wrote: Protection routines have to be interwoven with the rest of your application. A simple check like "If isRegistered Then EnableWindow Else DisableWindow" is easy to remove, since you can either change the parameter for enablewindow to true, and it's enabled even with a wrong code, or, change the comparison so it checks the generated code, with the generated code etc.

Absolutely right.

Paul Ingles wrote: Of course, if it was this simple then there would be masses of great protections. Some are better than others, but it's really no substitute for creating one yourself.

I'm not saying it is simple. I'm just saying it's possible. In fact, Paul, with respect, your second sentence contradicts your first one. If it isn't simple, why would you try to create one yourself?

Everyone is basically saying "you can't sell a protection product that everyone can use without it being easily broken". I think this is based on these assumptions:

1. a Software Protection System will have a single interface that can be targeted by crackers
2. you can't spread the protection throughout your product
3. coming up with your own solution will always be better

On this last point, what about cryptography? The best cryptographic systems are open source. Everyone gets to see how they work. But they are still difficult/impossible to break. We're still thinking about the source code issue, and we may well provide the source as part of our offering. In other words, we'll take the challenge that a cracker might say "I'll break it if I know how it works".

Our system overcomes the first two assumptions. You *won't* have a single interface that can be targeted. You *will* be able to spread the protection throughout your product.

I really like the idea of a collaborative area where we can test and discuss ideas. This will definitely be part of our offering. I'm simply asking whether developers would like a system that incorporates the good ideas, the ones that work, into a product they can purchase.

Russell Robinson (russellr@rootsoftware.com)
Author of TTMaker (Advanced Timetabling Software)
http://www.rootsoftware.com

Paul Ingles wrote (#41):

I still think the best way that protections can be produced is by doing them yourself, the problem is that it does require thought on the part of the developer. Not only that, but quite specialist thought.

I accept the point about not providing a single interface, however, assuming that crackers do ever reverse code that implements your routines, there will effectively be code fingerprints. Things that would identify it as being an X Protection routine, for example, certain system calls that were used to identify hardware etc. By knowing that it could be a protection implementing your code, it might be possible to glean some light from other attacked applications to help its cracking.

I totally agree about the point with Cryptography being a good benchmark. A good sign of security is that the data would remain secure, even if the method that it was protected with was made public. This is even more valid with .NET since the disassembler can produce fairly readable code, certainly more so than straight assembly that most disassemblers churn out -- making it easier for crackers to disassemble IL code and follow it.

This is where the suggestion about a distributed protection comes in. Since part of the code is stored on a server, it can't be modified. The problem with a .NET based solution is that people could be unwilling to be permanently connected to the Internet to use an application, also it would require absolutely mission critical webhosting -- since if you sell an application and your site dies for whatever reason, and people can't use your application that's been purchased then they're going to be pretty annoyed :)

Assuming some important part of the code is implemented as a webservice, thus only licensed users will be able to have vital structures correctly initialised, it would then be necessary to ensure that they are authenticated properly and that nobody sniffing on network traffic could intercept messages and either impersonate the end-user, or work out how the webservice works.

I might start doing a little thought into this and post an article over the weekend about my thoughts, set out possible plans for authentication, securing the communication and how it could then be called from an App.

As for the collaborative environment glad to hear you like it, could be an idea for CodeProject, people could create projects, and then post articles like now, post comments like now, forums around that particular project etc. I suppose a bit like SourceForge :-)

Paul
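The authentication concern raised in post #41 (someone sniffing the traffic and replaying or impersonating a licensed user's calls to the web service), shown as an added sketch that is not part of the original thread or of any poster's product: a one-time challenge answered with an HMAC. The class and function names, the licence id and the pre-shared per-licence secret are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)


def respond(secret, licence_id, nonce):
    """Client side: prove knowledge of the secret without ever sending it."""
    msg = licence_id.encode() + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class LicenseServer:
    """Hypothetical server side: holds per-licence secrets, issues challenges."""

    def __init__(self, licences):
        self._licences = dict(licences)  # licence id -> shared secret (bytes)
        self._pending = {}               # nonce -> (licence id, expiry time)

    def challenge(self, licence_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)  # unpredictable, so tags cannot be precomputed
        self._pending[nonce] = (licence_id, now + NONCE_TTL)
        return nonce

    def verify(self, licence_id, nonce, tag, now=None):
        now = time.time() if now is None else now
        issued = self._pending.pop(nonce, None)  # single use: a replay finds nothing
        if issued is None or issued[0] != licence_id or now > issued[1]:
            return False
        secret = self._licences.get(licence_id)
        if secret is None:
            return False
        # Constant-time comparison avoids leaking how many tag bytes matched.
        return hmac.compare_digest(respond(secret, licence_id, nonce), tag)


def demo():
    secret = secrets.token_bytes(32)                # constructed sample secret
    server = LicenseServer({"LIC-0001": secret})    # constructed licence id
    nonce = server.challenge("LIC-0001")
    tag = respond(secret, "LIC-0001", nonce)
    genuine = server.verify("LIC-0001", nonce, tag)  # licensed client
    replay = server.verify("LIC-0001", nonce, tag)   # sniffed copy sent again
    fresh = server.challenge("LIC-0001")
    stale = server.verify("LIC-0001", fresh, tag)    # old tag, new challenge
    return genuine, replay, stale
```

This only authenticates the caller; hiding what the web service returns from an eavesdropper still needs an encrypted transport such as TLS.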
