Today while walking up and down the hills at a fast pace, I remembered something for no reason: how I had to deal with copy protection on extremely expensive specialized software long ago. What baffled me is that well-paid professionals fall for obvious mistakes when designing a protection: permanent authorization of a computer under full system control by the customer, combined with offline license management, does not work. It can't. No matter how well you design your protection, offline license management will be the weakest link of the chain… and it breaks by looking at it once with a mean face.
Okay, what's this about? The software in question was distributed on a standard CD-ROM. After installing it, it was in demo mode. To activate the program, there was the need for an authorization file written by a helper program… which verified the presence of the authorization floppy disk with remaining keys. The floppy would authorize up to five computers at once, but it was also possible to move licenses back to the floppy. That was the weak link! The defeat was inevitable.
How would one attack this thing and why can't it work even against casual attackers? Let us think about the possible attack surfaces:
- Cracking the software -- removing the protection. This is theoretically always possible, but requires very special skills in assembly, reverse engineering and debugging, and gets arbitrarily ugly… depending on how well the DRM is implemented (encryption, anti-crack, anti-RE…). Having no skills in this regard myself at all, any software is uncrackable for me. Let us just assume they did everything right on the implementation and a talented reverse engineer would need as much time as for cracking Denuvo. (It wasn't the case, but please just pretend it was.)
- Copying the authorization floppy disk. It was possible in this case, but they used some serious protection on it. Let us just assume they used laser marks/holes (they didn't), which are 100% uncopyable with consumer hardware.
- Duplicating the installed authorization. Bingo! Anybody can do this.
Since the authorization tool allowed moving a license to any Windows drive letter, smart-stupid LittleSinchen just thought she could trick the software by using the heavily copy-protected floppy disk in drive A:\ to authorize a normal floppy disk in drive B:\. This would produce a portable license (which could also be copied by trivial means). Well… that didn't work. They weren't that stupid: Congratulations, LittleSinchen, you just killed one of five license keys for a piece of software costing 3000 Euro. Good work, go on! Felt like somebody had just slammed their knee into my abdomen.
Okay. Next idea. Can I use imaging software to back up the license? Of course I can! There is nothing it could do to stop me. To catch every possible trick imaginable, I pulled a full image of the complete 30 GB HDD. Not on partition level and not a sparse file. Moved the license back to the floppy and restored the image. No matter how they implemented the check, the copy protection on the floppy disk, possible anti-crack… the possibility of moving licenses back to the floppy broke the neck of that DRM.
Next up was a brave move: it would have been possible that the floppy actually contained distinct keys, so that I couldn't uninstall the same key twice from the HDD. Turned out: no. I could restore the image again and uninstall an additional key. The authorization software was well-behaved and increased a simple integer back to 5.
Even more brave: what would happen if the floppy had the full 5 keys and I was to uninstall another one? Would the protection acknowledge the obvious tampering and format the protected floppy disk as a cruel punishment? No, it didn't. It increased the number to 6 and 7 and...
Then I went a step further, created two tiny 100 MB partitions, installed a key on one and used the DOS version of Norton Ghost to duplicate the partition. Full HDD images were serious overkill, resulting in long wait times. Partition level was enough. Now I could increase my key creation rate to about two in five minutes. At this point the protection was finished.
It was a little later that I found out the whole protected floppy disk could be copied with PC hardware (the floppy controller in common PCs can in fact evaluate/read things it can't write, but this disk was within range which surprised me).
I have to repeat the main point: just using the end-user interface and imaging software, the protection module itself would produce as many licenses as desired. It provides zero protection against any attacker. No matter how good the actual implementation is, there is no way to prevent this once licenses may be moved back to media the user controls.
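To make the failure mode concrete, here is a toy model of the scheme described above (an added example, not the vendor's code; all class and function names are my own assumptions). It models two floppy designs: the plain counter that was actually observed, and the pool of distinct key ids the post speculated about, and shows that rolling back a user-controlled disk image defeats both, the second design only noticing after the duplicate already exists.

```python
"""Toy model of an offline license move-back scheme (constructed example).
A floppy holds a pool of keys; authorizing moves one key onto the machine's
disk, 'uninstalling' moves it back. The disk is fully under the user's
control, so it can be imaged and restored at will."""
import copy


class CounterFloppy:
    """Floppy that only stores how many keys remain (as observed in the post)."""
    def __init__(self, keys=5):
        self.remaining = keys

    def take(self):
        if self.remaining <= 0:
            raise RuntimeError("no keys left")
        self.remaining -= 1
        return "key"            # every key looks identical

    def give_back(self, key):
        self.remaining += 1     # no plausibility check: 6, 7, ... are accepted

    def count(self):
        return self.remaining


class IdFloppy:
    """Floppy that stores distinct key ids (the variant the post speculated about)."""
    def __init__(self, keys=5):
        self.pool = set(range(1, keys + 1))

    def take(self):
        return self.pool.pop()  # raises KeyError when the pool is empty

    def give_back(self, key):
        if key in self.pool:    # a returned key that is still on the floppy
            raise RuntimeError(f"key {key} already returned: tampering")
        self.pool.add(key)

    def count(self):
        return len(self.pool)


def rollback_attack(floppy, rounds):
    """Authorize once, image the disk, then repeatedly uninstall and restore.
    Returns (authorized disk images, keys the floppy believes it holds,
    whether the floppy ever detected the tampering)."""
    disk = {"key": floppy.take()}        # activation writes the key to disk
    image = copy.deepcopy(disk)          # full disk image after activation
    authorized, detected = [copy.deepcopy(image)], False
    for _ in range(rounds):
        try:
            floppy.give_back(disk["key"])  # license 'moved back' to floppy
        except RuntimeError:
            detected = True
            break
        disk = copy.deepcopy(image)      # restore image: key is back on disk
        authorized.append(disk)
    return len(authorized), floppy.count(), detected
```

With the counter design the floppy happily climbs past its original five keys while every restored image stays authorized; with distinct ids the second return is rejected, but the restored image was already a valid second authorization before any check ran. Detection inside the client can only ever observe the duplication after the fact, which is why the post's conclusion holds regardless of implementation quality.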
Back to the title. Anti-Feature or Feature? While I consider any DRM an anti-feature (and this isn't an exception), the nonsense idea of trusting the PC under full user control is so d*mn facepalm-worthy that I would say it is a feature. From the perspective of the software vendor buying a protection on the other hand… Money well wasted!
If anybody got through this… as always: Thanks for reading.