views: 1429, answers: 8

I mean, I have always wondered how the hell somebody can develop algorithms to break/cheat the constraints of legal use in many shareware programs out there.

Just for curiosity.

+12  A: 

The bad guys search for the key-check code using a disassembler. This is relatively easy if you know how to do this.

Afterwards you translate the key-checking code to C or another language (this step is optional). Reversing the process of key-checking gives you a key-generator.

If you know assembler it takes roughly a weekend to learn how to do this. I did it just some years ago (never released anything though. It was just research for my game-development job. To write a hard-to-crack key you have to understand how people approach cracking).

Nils Pipenbrinck
"Bad guys" and those wanting to protect their right to use the programs they've bought. With fiascoes like the recent Spore debacle, I'd trust a random hacking group more than I'd trust many game developers.
Just Some Guy
If you'd ask the game developers, they would rather release the games without all that copy-protection stuff. It will get cracked anyway within days. For the developers it just costs money and raises support effort. The publishers are to blame. They enforce the crappy copy-protection.
Nils Pipenbrinck
Trusting hackers is just plain stupid. Most of the downloadable keygens contain some form of malware (usually trojans or backdoors) and virus scanners typically don't find these. Sometimes crackers even say to ignore virus warnings, it's ok, there's no virus. Oh, really? Sure, it's just a trojan...
steffenj
Well, you're right. I spoke inaccurately. I have no idea why publishers think this will work when it provably can't. I mean, reports were that Spore was available on The Pirate Bay before it was available for sale. Note: I'm on Linux so I couldn't play it anyway. :-D
Just Some Guy
I've never heard of a keygen infected with SecuROM or a Sony rootkit.
Just Some Guy
steffenj
Several of my games have been available on the net before they even reached the disk manufacturing site. Strange but true.
Nils Pipenbrinck
+1 for steffenj: That's my experience as well.
Nils Pipenbrinck
Oh, and just for the record so you don't think I'm a 13-year-old 1337 h4xx0r: I'm absolutely opposed to piracy. I don't engage in it and I don't approve of it. However, I totally sympathize with people who play cracked versions of games they've bought if the copy protection causes problems.
Just Some Guy
I spent 90 min trying to get Spore working until I used the crack as a last resort. Suddenly it worked. The moral of the story (to most people) is: if it won't run, install the crack. Often the crack is even viewed as a general-purpose solution to game bugs (slowdowns, audio probs, crashes, etc.).
steffenj
+2  A: 

First, most copy-protection schemes aren't terribly well advanced, which is why you don't see a lot of people rolling their own these days.

There are a few methods used to do this. You can step through the code in a debugger, which does generally require a decent knowledge of assembly. Using that you can get an idea of where in the program copy protection/keygen methods are called. With that, you can use a disassembler like IDA Pro to analyze the code more closely and try to understand what is going on, and how you can bypass it. I've cracked time-limited Betas before by inserting NOOP instructions over the date-check.

It really just comes down to a good understanding of software and a basic understanding of assembly. Hak5 did a two-part series on the first two episodes this season on kind of the basics of reverse engineering and cracking. It's really basic, but it's probably exactly what you're looking for.

foxxtrot
A: 

I assume each crack is different, but I would guess in most cases somebody spends a lot of time in the debugger tracing the application in question.

The serial generator takes that one step further by analyzing the algorithm that checks the serial number for validity and reverse engineers it.

mike511
well obviously...
advs89
+2  A: 

A would-be cracker disassembles the program and looks for the "copy protection" bits, specifically for the algorithm that determines if a serial number is valid. From that code, you can often see what pattern of bits is required to unlock the functionality, and then write a generator to create numbers with those patterns.

Another alternative is to look for functions that return "true" if the serial number is valid and "false" if it's not, then develop a binary patch so that the function always returns "true".

Everything else is largely a variant on those two ideas. Copy protection is always breakable by definition - at some point you have to end up with executable code or the processor couldn't run it.

Just Some Guy
+2  A: 

For the serial number, you can just extract the algorithm and start throwing "guesses" at it and look for a positive response. Computers are powerful; it usually only takes a little while before it starts spitting out hits.

As for hacking, I used to be able to step through programs at a high level and look for a point where it stopped working. Then you go back to the last "Call" that succeeded and step into it, then repeat. Back then, the copy protection was usually writing to the disk and seeing if a subsequent read succeeded (If so, the copy protection failed because they used to burn part of the floppy with a laser so it couldn't be written to).

Then it was just a matter of finding the right call and hardcoding the correct return value from that call.

I'm sure it's still similar, but they go through a lot of effort to hide the location of the call. Last one I tried I gave up because it kept loading code over the code I was single-stepping through, and I'm sure it's gotten lots more complicated since then.

Bill K
+11  A: 

Apart from being illegal, it's a very complex task.

Speaking just at a theoretical level, the common way is to disassemble the program to crack and try to find where the key or the serial code is checked.

Easier said than done since any serious protection scheme will check values in multiple places and also will derive critical information from the serial key for later use so that when you think you guessed it, the program will crash.

To create a crack you have to identify all the points where a check is done and modify the assembly code appropriately (often inverting a conditional jump or storing constants into memory locations).

To create a keygen you have to understand the algorithm and write a program to re-do the exact same calculation (I remember an old version of MS Office whose serial had a very simple rule: the sum of the digits had to be a multiple of 7, so writing the keygen was rather trivial).

Both activities require you to follow the execution of the application in a debugger and try to figure out what's happening. And you need to know the low-level API of your operating system.

Some heavily protected applications have their code encrypted so that the file can't be disassembled. It is decrypted when loaded into memory, but then they refuse to start if they detect that an in-memory debugger has started.

In essence it's something that requires very deep knowledge, ingenuity and a lot of time! Oh, did I mention that it is illegal in most countries?

If you want to know more, Google for the +ORC Cracking Tutorials; they are very old and probably useless nowadays, but will give you a good idea of what it means.

Anyway, a very good reason to know all this is if you want to write your own protection scheme.

Remo.D
I doubt it is illegal. It may be illegal to use the cracked program if you haven't paid for it. But neither the crack, the process of developing the crack nor cracking the program would in my eyes be illegal.
erlando
Except in the US. But everything having to do with information technologies seems to be illegal there... All hail the land of the free.
erlando
Note that an application has no way of knowing if it's running inside a machine emulator, such as Qemu. A debugger need not be running in the same memory space as the application.
Just Some Guy
+1 for the +ORC reference alone. Those tutorials are gold, and fun.
Josh Matthews
@erlando. What is illegal in many countries (even outside the US) is "circumventing a digital protection scheme". How and if you can be caught red-handed is a different matter :)
Remo.D
multiple of 7, Office 95, I remember this one.
ninendra
oh and by the way it was 7 digits long ;)
ninendra
this makes me want to go find my Office 95 cd just to test the multiple of 7 thing...
advs89
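As an added illustration of the design point made in Remo.D's answer and its comments (a bare true/false gate, like the digit-sum rule recalled above, versus a serial that is actually used to derive data the program needs), not code from this thread: the serial, salt, nonce, feature string and the toy SHA-256 stream cipher are all constructed for the example.

```python
import hashlib

# Constructed values for this example; the 7-digit "digit sum is a multiple
# of 7" rule is the old Office serial rule recalled in the thread above.
GOOD_SERIAL = "0000007"
SALT = b"example-app-salt"
NONCE = b"example-nonce"
FEATURE = b"PREMIUM FEATURE ENABLED"


def naive_check(serial: str) -> bool:
    """Weak check: a boolean result that one inverted conditional jump defeats."""
    return len(serial) == 7 and serial.isdigit() and sum(map(int, serial)) % 7 == 0


def naive_unlock(serial: str) -> bytes:
    # Everything hangs on a single branch (je vs. jne in the compiled code).
    return FEATURE if naive_check(serial) else b"trial mode"


def derive_key(serial: str) -> bytes:
    # Stretch the serial into key material; the serial is used, not just tested.
    return hashlib.pbkdf2_hmac("sha256", serial.encode(), SALT, 50_000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; illustrative, not production crypto.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(serial: str, data: bytes) -> bytes:
    # Vendor side: encrypt the feature's data under the legitimate serial.
    ks = keystream(derive_key(serial), NONCE, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


SEALED = seal(GOOD_SERIAL, FEATURE)  # what would ship inside the binary


def derived_unlock(serial: str) -> bytes:
    # Client side: there is no "is it valid?" branch to invert. A wrong serial,
    # even one that passes naive_check, yields garbage and the feature breaks.
    ks = keystream(derive_key(serial), NONCE, len(SEALED))
    return bytes(a ^ b for a, b in zip(SEALED, ks))
```

A real scheme would seal a per-customer license blob rather than the feature data itself, which is essentially the "personalized binaries" idea raised in the last answer below.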
+6  A: 

Nils's post deals with key generators. For cracks, usually you find a branch point and invert the logic (or remove the condition). For example, you'll test to see if the software is registered, and the test may return zero if so, and then jump accordingly. You can change the "jump if equals zero (je)" to "jump if not-equals zero (jne)" by modifying a single byte. Or you can write no-operations over various portions of the code that do things that you don't want to do.

Compiled programs can be disassembled and with enough time, determined people can develop binary patches. A crack is simply a binary patch to get the program to behave differently.

Daniel Papasian
+1  A: 

I wonder why they don't just distribute personalized binaries, where the name of the owner is stored somewhere (encrypted and obfuscated) in the binary or, better, distributed over the whole binary. AFAIK Apple is doing this with the music files from the iTunes store; however, there it's far too easy to remove the name from the files.

Nils
because then you just obtain the binaries from multiple locations and diff the files... (I think)
advs89