[HN Gopher] Reverse engineering software licensing from early-20...
___________________________________________________________________
Reverse engineering software licensing from early-2000s abandonware
Author : whack
Score : 225 points
Date : 2021-08-30 13:48 UTC (9 hours ago)
(HTM) web link (yingtongli.me)
(TXT) w3m dump (yingtongli.me)
| q-rews wrote:
| I wish I knew how to do this. There's Mac software I bought 10
| years ago and found myself using it again today, but it is buggy.
| The developer released a new major version in the meanwhile and
| then retired it due to low sales.
|
| I contacted him to sell me a license but he refused
| categorically, telling me I "should have bought it when it was
| being sold."
|
| Now I find myself using a buggy version and hoping I'd get around
| to cracking the new version myself. Heck I'd pay to get it
| cracked.
| aaaaaaaaaaab wrote:
| I can take a look at it. How do I contact you?
| bluedino wrote:
| After spending years in manufacturing IT, there are hundreds if
| not thousands of systems like these running, where the company
| that created the software is long gone.
|
| This is where you end up with DOS, Windows 3.1 and even Windows NT
| computers controlling machines that make millions of dollars
| worth of product, 24 hours a day.
|
| We've spent hours scouring eBay or industrial auction sites
| finding parts of computers to keep 'just in case'. None of this
| software virtualizes easily or can even be moved to a machine of
| similar vintage without relicensing. Some of it is hardware
| dongles, some of it software keys.
|
| It seems like you could create quite a business being able to
| crack this software. Companies would pay tens of thousands to get
| these machines running. Oftentimes the 'new' version of the
| hardware and software is $100,000 US.
|
| In a few years, internet-based licensing will be the thing to
| crack.
| fabianhjr wrote:
| > It seems like you could create quite a business being able to
| crack this software. Companies would pay tens of thousands to
| get these machines running.
|
| That would be against the copyright holder interests because as
| you point out:
|
| > Often times the 'new' version of the hardware and software is
| $100,000 US.
|
| And as per the Disney-lobbied US copyright law you would have to
| wait at least the life of the author + 70 years or 95 years
| from publication depending on some circumstances.
| HPsquared wrote:
| The supplier of the "new" software often isn't the same as
| the (usually defunct, hence the trouble) legacy supplier.
| fabianhjr wrote:
| That doesn't mean the copyright ownership disappeared.
| Those either got acquired/merged into another entity or
| liquidated in case of bankruptcy.
| mikepurvis wrote:
| Right, but that's unlikely to be a scenario where there's
| any enforcement going on.
| fnord77 wrote:
| If this were tried, the present copyright holders would
| come out of the woodwork and enforcement would happen
| pretty quickly.
| mikepurvis wrote:
| Are there actual cases of this on the books?
|
| I'd be pretty surprised if a judge was like "ah yes the
| defendant's consultancy modified a piece of industrial
| control software that you haven't given a thought to in
| three decades to make it run on a modern computer and not
| require a parallel port dongle, and that's definitely a
| DMCA violation and you've been harmed by it and deserve
| all the money."
| sedev wrote:
| "Laches" https://en.wikipedia.org/wiki/Laches_(equity) is
| probably a relevant concept here. In a scenario like the
| one you're describing, the delay is likely to be taken
| into account, but it's unlikely to be the whole of the
| argument.
| zozbot234 wrote:
| That's irrelevant in many cases where you want to support
| existing _hardware_. Clean room reverse engineering for
| interop purposes is allowed under copyright law.
| mikepurvis wrote:
| Sure, but in fairness, this thread is about bypassing the
| copy protection in the existing software. Which I'm also
| arguing is safe, but it is not as _obviously safe_ as a
| clean room reverse engineering effort.
| giancarlostoro wrote:
| You can turn a Windows HDD into a VHD but I was never able to
| get it to boot up properly on a VM, so I just use Linux to view
| old files instead. I forgot the approach I used, but it
| probably isn't too complicated to google.
| ashleyn wrote:
| I recall reading that Windows historically built its hardware
| abstraction layer at install time and that's why you couldn't
| simply move a disk from like hardware to unlike hardware
| without a reinstall. You may want to try a fresh install of
| Windows, then copy over the application files. It might be
| tough if the vendor modified Windows libs and did not provide
| any installer.
| unilynx wrote:
| I think there was a way in NT (at least with NT5/2000) to
| replace HAL components with more 'generic' components (eg
| standard SATA drivers, uniprocessor kernel) so you could
| more easily move it to different hardware.
|
| I've only read about it but never tried it though, it may
| have been using the SYSPREP tools?
| user5994461 wrote:
| For Windows XP, you have to go to device manager and
| uninstall the CPU and/or the motherboard, that will reset
| them to generic ACPI something if I recall well.
|
| I've done it once, migrating a very old machine to new
| hardware by just moving the disk.
| giancarlostoro wrote:
| I just thought about this, but do you think upgrading the
| OS on the VM might trigger it?
| gootler wrote:
| Great! Now I can use Lotus 1-2-3 Finally!
| knbknb wrote:
| (Regarding footnote "3" of the post):
|
| Nice! Next time when I encounter an "Enter license key:" dialog,
| I'll simply try some simple registration codes first.
|
| I'll start with clever variations of the value "1", e.g. 00001,
| 00010, 00100 ...
| bri3d wrote:
| I had to do this in a past job too - a vendor provided a module
| with a license check which wouldn't allow the binary to run on
| Windows Server, but the "enterprise" solution which was licensed
| for Windows Server was not only not sold anymore but lost!
|
| Ghidra didn't exist yet and I didn't care to deal with the IDA
| demo, so I used OllyDbg and then just manually hex-patched the
| binary. Simpler times :)
| chungy wrote:
| You had another problem too: Windows XP x64 Edition was built
| on NT 5.2, the same branch as Windows Server 2003.
|
| A few pieces of software (especially antivirus software) did a
| simple version check: Windows reports its version as 5.2, and the
| assumption was made that it must have been Windows Server 2003.
| Refuse to run because you have to pay more for a server
| edition.
| Nashooo wrote:
| Ah ollyDBG! Trip down memory lane. Also brings back memories of
| softICE.
| nick__m wrote:
| SoftICE was awesome! Did you study at the +Fravia/+ORC
| +H.C.U. (High Cracking University if I remember correctly)?
| inetknght wrote:
| OllyDbg was basically the best-in-class of freeware tbqh; it's
| a shame the developer never really got the 64-bit version out.
| Other software, such as IDA, are leaps-and-bounds ahead of
| OllyDbg but IDA's crazy expensive. I've not yet tried Ghidra
| even though it's been out for a while. I hear it's great.
| garaetjjte wrote:
| x64dbg is probably spiritual successor to OllyDbg:
| https://x64dbg.com/
| philpem wrote:
| Very nice. I'm up to part 2
| (https://yingtongli.me/blog/2021/08/29/drm5-2.html) and I had a
| thought.
|
| The SEH pattern (PUSH 32-bit address then RET) should be
| identifiable with a plugin, and a code flow override should fix
| the decompilation.
|
| I wonder, did you try this, and did it help fix the Ghidra
| decompilation?
| RunasSudo wrote:
| Good thought! I don't have enough understanding of Ghidra to
| attempt this myself I think, but it looks like it is already on
| the radar of the Ghidra folks:
| https://github.com/NationalSecurityAgency/ghidra/issues/2477
|
| Sounds like try-catch handling is not implemented in general
| yet, but is on the cards.
| musesum wrote:
| Fun read. I wrote a DRM system in the early 90's for try-before-
| you-buy. Instead of a gateway, we would percolate portions of
| code APIs through a lattice. Somewhat like a one-way hash. I
| think there were 512 keys -- one for each node. You couldn't
| disassemble static code, you had to set breakpoints. But, there
| was a bug. Instead of extracting 512 keys, you only had to
| extract 9. So, it got cracked sooner than expected.
| bluesign wrote:
| Very nice writeup, brings up memories with Delphi.
|
| Looks like Armadillo protection at first sight, but not 100%
| sure, been too long :)
| pimlottc wrote:
| More precisely, this is about reversing the license key
| generation/verification algorithm.
|
| I got a bit confused by the title at first, thinking they were
| trying to deduce the specific licensing terms or something.
| komadori wrote:
| This tangentially reminds me of when I used to work on some
| commercial software which linked against a FlexLM binary blob for
| licence checking. We had a customer bug report where the software
| was occasionally crashing on start up on 64-bit Windows and it
| turned out to be happening in the licence checking code.
|
| I disassembled the blob and it turned out that it was
| down-casting an NT handle to 32 bits. This seemed to be fine in
| practice as I never observed the higher bits set. Unfortunately
| however, the code then used a signed load to read it in from
| memory and hence corrupted the handle if the 32nd bit was set,
| causing a crash.
|
| I made a patched blob which fixed the problem but sadly the legal
| department vetoed shipping it in case it violated our license
| with Flex :-P.
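The arithmetic behind the crash komadori describes, as an added example written for this thread (it is not the FlexLM code, nor the commenter's patch). A 64-bit handle value is stored in a 32-bit slot and read back either with a zero-extending load or with a sign-extending one; only the latter changes the value, and only when bit 31 (the "32nd bit") is set. The handle values used below are constructed.

```python
# Added example: model "store HANDLE in a 32-bit slot, read it back with a
# signed load" with explicit 32/64-bit arithmetic. Not the FlexLM code.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def store_as_32(handle: int) -> int:
    """Truncate the 64-bit HANDLE to a 32-bit slot (what 'mov [slot], eax' does)."""
    return handle & MASK32


def load_zero_extended(slot: int) -> int:
    """'mov eax, [slot]' on x64 zero-extends the 32-bit value into rax."""
    return slot & MASK32


def load_sign_extended(slot: int) -> int:
    """'movsxd rax, [slot]' copies bit 31 of the slot into bits 32..63."""
    slot &= MASK32
    return ((slot ^ 0x80000000) - 0x80000000) & MASK64


def roundtrip(handle: int, signed_load: bool) -> int:
    """Store the handle in the 32-bit slot and reload it one way or the other."""
    slot = store_as_32(handle)
    return load_sign_extended(slot) if signed_load else load_zero_extended(slot)


def handle_survives(handle: int, signed_load: bool) -> bool:
    """True if the reloaded value is the one the OS originally handed out."""
    return roundtrip(handle, signed_load) == handle


if __name__ == "__main__":
    # Constructed handle values. Only the third one has bit 31 set, so only
    # it is corrupted by the sign-extending reload; the other two survive
    # either way, which fits a bug that shows up only occasionally.
    for h in (0x0000000000000004, 0x000000007FFFFFFC, 0x0000000080000004):
        print(f"handle {h:016X}: zero-ext ok={handle_survives(h, False)} "
              f"sign-ext ok={handle_survives(h, True)} "
              f"-> {roundtrip(h, True):016X}")
```

The practical check when auditing a blob like this is the width of the load instruction that reads the slot back (`movsxd`/`movsx` versus a plain `mov` into a 32-bit register): a truncating store is only harmless if the reload is zero-extending.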
| RunasSudo wrote:
| Oh hey, I'm the author of the post! Happy to chat about any
| aspects of it.
|
| This project is a spiritual successor to an earlier project
| reverse engineering a gaming DRM system, so if you enjoy this
| post you might enjoy that older one too:
| https://yingtongli.me/blog/2018/11/16/drm1-1.html
| United857 wrote:
| What's the name of the app? Why the secrecy?
| RunasSudo wrote:
| It's a good question - I'll copy what I wrote for the
| Redditors who had the same thought:
|
| > _Copyright law is pretty scary around anti-circumvention
| rules - putting the name of the software right in an article
| about how to break its DRM/licensing just sounds like asking
| for trouble, so I never do. (Not legal advice - just my
| personal musings!)_
|
| > _At least if the software is unnamed, the article is
| clearly more for educational purposes - you won't find the
| article if you've got the software and you're trying to break
| it, and you won't have access to the software if you're just
| reading the article._
| anaisbetts wrote:
| I mean, if the company that wrote the software doesn't
| exist anymore, who's going to bring that copyright claim?
| stewx wrote:
| Some other company or individual could have bought their
| IP portfolio and now own the rights. They have no
| obligation to publicize this, as far as I know.
| RunasSudo wrote:
| On a technical point, even if the company has ceased to
| exist, its assets might have been sold, or it might have
| assigned its copyrights at some point, or perhaps a third
| party has a copyright interest, and there would be no way
| for me to know about that.
|
| The broader point to make is that this is a general
| policy of mine - I deidentify all software that I discuss
| in any of my RE writeups. Having a blanket policy avoids
| needing to make ultimately arbitrary decisions about what
| to name and what not to name - and in any case, not
| naming the software doesn't prevent anyone from reading
| the writeup and taking inspiration from it if they
| choose.
| devmor wrote:
| Many companies don't just cease to exist, but rather the
| rights to their IP are purchased. Some of that IP is
| viewed as not valuable and ignored... but they still hold
| the rights to it.
| HPsquared wrote:
| It's a bit like landmines left over after a war.
| sam0x17 wrote:
| In some cases IP like this can be even more dangerous
| because there is some disgruntled CEO potentially sitting
| around with ownership of all the IP and he/she sees
| your infringement as a quick cash grab.
| coldpie wrote:
| Wine dev, here :) Using Ghidra & winedbg is something I do
| quite often for Wine development, it's super cool to see
| someone using those tools for other purposes, too.
| RunasSudo wrote:
| Happy to oblige :P You know, now that you've mentioned that,
| it only just occurred to me that winedbg is probably mostly
| used for Wine-related debugging, not debugging things that
| happen to run in Wine!
| coldpie wrote:
| Sorta. Winedbg mostly exists because most native debuggers
| won't have support for the situation Wine creates (Windows
| PE files with a non-native memory layout co-existing with
| native libraries). Just turns out that debugging Windows
| software in Wine is not a very common usecase outside of
| Wine dev :)
| layer8 wrote:
| > However, the decompilation of the next part of the function
| is incorrect
|
| How (long) did (it take) you (to) find out?
| RunasSudo wrote:
| It was fairly straightforward to see in this case honestly. I
| made a habit of looking at both the disassembly and
| decompiled code - my previous project was in IDA Free which
| had no decompilation, so I was used to referring to the
| disassembly. The address to use for breakpoints also comes
| from the disassembly, so one naturally spends a lot of time
| looking at it.
|
| In the first case, the decompiled code reports a function
| call, but in the disassembly it is preceded by pushing some
| suspicious-looking magic numbers onto the stack which are not
| reported in the decompiled code - clearly, something was
| going on there.
|
| In the second case, the "ret" instruction at the supposed end
| of the function was immediately preceded by pushing an
| address to the stack - so again fairly simple to determine
| that the return must necessarily jump to that address, rather
| than return from the function.
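The "push address; ret" idiom that philpem asks about above and that RunasSudo describes spotting in the disassembly, as an added example written for this thread (not code from the post or from Ghidra). It scans raw 32-bit x86 bytes for `push imm32` immediately followed by `ret`, reports the address control actually goes to, and shows the equivalent `jmp rel32` encoding, which is what a decompiler that stops at the `ret` is missing. The byte string, `IMAGE_BASE` and `IMAGE_SIZE` are constructed for the example.

```python
# Added example: find "push imm32 ; ret" (an absolute jump disguised as a
# function return) in constructed 32-bit x86 bytes. Not from the post.

IMAGE_BASE = 0x00400000   # assumed load address of the constructed snippet
IMAGE_SIZE = 0x00010000   # assumed image size; targets outside it are data

# Constructed code: a prologue, an SEH-style frame setup, then the tail
# "push 0x00402010 ; ret" that a decompiler reads as "return".
CODE = bytes([
    0x55,                                      # push ebp
    0x8B, 0xEC,                                # mov  ebp, esp
    0x68, 0x78, 0x56, 0x34, 0x12,              # push 0x12345678 (a magic value)
    0x64, 0xFF, 0x35, 0x00, 0x00, 0x00, 0x00,  # push dword ptr fs:[0]
    0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00,  # mov  fs:[0], esp
    0x68, 0x10, 0x20, 0x40, 0x00,              # push 0x00402010
    0xC3,                                      # ret  -> lands at 0x00402010
    0x90,                                      # nop
])


def find_push_ret(code: bytes, base: int = IMAGE_BASE, size: int = IMAGE_SIZE):
    """Return [(address_of_push, jump_target)] for every 'push imm32'
    (68 xx xx xx xx) immediately followed by 'ret' (C3).

    This is a linear byte scan, so a 0x68 byte inside another instruction's
    operand could give a false hit; on a real binary run the same test over
    the disassembler's decoded instruction list instead."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] != 0x68 or code[i + 5] != 0xC3:
            continue
        target = int.from_bytes(code[i + 1:i + 5], "little")
        if base <= target < base + size:      # plausible code address only
            hits.append((base + i, target))
    return hits


def rewrite_as_jmp(code: bytes, base: int = IMAGE_BASE) -> bytes:
    """Patch each hit into the equivalent 'jmp rel32 ; nop' (same 6 bytes), so a
    disassembler following jumps shows the real control flow. rel32 is
    relative to the end of the 5-byte jmp."""
    out = bytearray(code)
    for addr, target in find_push_ret(code, base):
        i = addr - base
        rel = (target - (addr + 5)) & 0xFFFFFFFF
        out[i:i + 6] = bytes([0xE9]) + rel.to_bytes(4, "little") + bytes([0x90])
    return bytes(out)


if __name__ == "__main__":
    for addr, target in find_push_ret(CODE):
        print(f"{addr:08X}: push 0x{target:08X} ; ret  => effectively jmp 0x{target:08X}")
```

Inside Ghidra the same fix is done without patching bytes, by overriding the flow of the `ret` to an unconditional jump to the pushed address; the patched form above is handy when you want a debugger's trace or a second disassembler to agree.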
| ezekg wrote:
| Given that the application was written in Delphi, I'd bet it's
| using some form of Partial Key Verification [0], which I wrote
| a fun blog post about a couple months back [1]. :)
|
| [0]: https://www.brandonstaggs.com/2007/07/26/implementing-a-
| part...
|
| [1]: https://keygen.sh/blog/how-to-generate-license-keys-
| in-2021/
| RunasSudo wrote:
| Wow, that's super interesting reading! Thanks for the links!
| I will certainly be keeping this all in mind if I ever jump
| ship to proprietary software land ;)
|
| The key validation algorithm in this software is
| extraordinarily simple, so I'm leaning away from there being
| anything fancy. I was unable to correlate keys used in later
| versions of the software with this algorithm, though, so you
| might be on to something. (I don't have a copy of a later
| version, but would love to check if I ever get my hands on
| one.)
| RunasSudo wrote:
| Oh boy there are some interesting possibilities here with
| the partial key verification stuff.
|
| What if you release a new version where, if the key is
| valid under the old check but not under the new check
| (indicating a keygen-ed licence), you start subtly screwing
| with the user. Like EarthBound or Spyro...
|
| Quite off topic but very interesting!
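The partial key verification scheme ezekg links above, and the "valid under the old check but not the new one" trap RunasSudo muses about, as an added example written for this thread. It is an illustrative scheme, not the algorithm of the software in the post and not the code behind either linked article; all subkey parameters and seeds below are made up.

```python
# Added example of partial key verification (PKV). Not the software's real
# key scheme; SUBKEY_PARAMS and the seeds are invented for illustration.

# Each subkey is one byte derived from the 32-bit seed with its own
# (shift, xor, add) parameters. A shipped build embeds only the parameters
# for the subkeys it actually checks, so a keygen reversed out of that build
# cannot compute the subkeys a later build starts checking.
SUBKEY_PARAMS = [(24, 0x03, 0xC8), (10, 0x00, 0x38), (1, 0x02, 0x5B), (7, 0x01, 0x64)]


def subkey(seed: int, shift: int, xor: int, add: int) -> int:
    return ((((seed >> shift) & 0xFF) ^ xor) + add) & 0xFF


def checksum(text: str) -> int:
    """Fletcher-style 16-bit checksum: typos are rejected before any subkey
    is looked at, so a bad key cannot be blamed on a specific subkey."""
    left, right = 0x56, 0xAF
    for ch in text.encode("ascii"):
        right = (right + ch) & 0xFF
        left = (left + right) & 0xFF
    return (left << 8) | right


def format_key(body: str) -> str:
    key = body + f"{checksum(body):04X}"
    return "-".join(key[i:i + 4] for i in range(0, len(key), 4))


def make_key(seed: int) -> str:
    """Vendor-side generator: knows every subkey's parameters."""
    body = f"{seed & 0xFFFFFFFF:08X}" + "".join(
        f"{subkey(seed, *p):02X}" for p in SUBKEY_PARAMS)
    return format_key(body)


def check_key(key: str, checked: tuple) -> bool:
    """Client-side check for a build that verifies only the subkeys listed in
    `checked`, e.g. (0,) in version 1 and (0, 1) in version 2."""
    raw = key.replace("-", "").upper()
    if len(raw) != 8 + 2 * len(SUBKEY_PARAMS) + 4:
        return False
    body, chk = raw[:-4], raw[-4:]
    try:
        if checksum(body) != int(chk, 16):
            return False
        seed = int(body[:8], 16)
        for i in checked:
            got = int(body[8 + 2 * i:10 + 2 * i], 16)
            if got != subkey(seed, *SUBKEY_PARAMS[i]):
                return False
    except ValueError:          # non-hex characters in the key
        return False
    return True


def keygen_from_v1(seed: int) -> str:
    """What someone who reversed only the v1 binary (which checks subkey 0)
    can build: subkey 0 and the checksum are right, the rest are guesses."""
    body = (f"{seed & 0xFFFFFFFF:08X}"
            + f"{subkey(seed, *SUBKEY_PARAMS[0]):02X}"
            + "00" * (len(SUBKEY_PARAMS) - 1))
    return format_key(body)


if __name__ == "__main__":
    for label, k in (("genuine", make_key(0xDEADBEEF)),
                     ("v1 keygen", keygen_from_v1(0xDEADBEEF))):
        print(f"{label:10} {k}  v1={check_key(k, (0,))}  v2={check_key(k, (0, 1))}")
```

The point of the split is visible in the last line of output: the v1 keygen's key passes the v1 check and fails the v2 check, which is exactly the signal a later release could act on (silently or otherwise). The cost is that a vendor can only "spend" each subkey once; after a build that checks it ships, that subkey's parameters are in the wild too.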
| cyberge99 wrote:
| Interesting post! I recall a lot of older copy protection
| instructions around eax:edx register/space. Is there a reason
| you don't just JMP around the license validation entirely?
|
| Also, I love your anti-cv!
| RunasSudo wrote:
| Totally, putting some small patches into the binary would
| definitely work in the case of just wanting to get rid of the
| licence validation. The goal of my project, though, was to
| get to a state where the software could be used in its
| original unmodified state, with a "real" licence. Just felt
| more authentic! So the process over the 3 parts of the blog
| series is guided by that final destination.
|
| Re: anti-CV - Thanks! Imposter syndrome is a big problem in
| medicine, as it is in IT and probably every field, and I
| wanted to do my little bit to combat it. (Not my idea, got it
| from my seniors, who got it from some uni professors.)
| OnlyMortal wrote:
| If you ever get into reverse engineering Mac PPC copy
| protection, I'd be interested in your approach.
|
| You might be able to guess why I write this.
| smoldesu wrote:
| As someone who is significantly smarter than me, how does
| Ghidra compare to IDA? I'd love to get into decompilation, but
| I've heard that the free tools leave a bit to be desired.
| bri3d wrote:
| Ghidra is as good as IDA with caveats, in my opinion. If
| you're reversing a less-common architecture (not ARM/x86)
| which Ghidra supports well, it's much more effective than IDA
| simply by virtue of having a pseudocode decompiler (IDA's
| Hex-Rays is architecture-specialized).
|
| The IDA GUI and scripting functionalities are much more
| common in tutorials and the ecosystem, so the Ghidra learning
| curve can be greater, but it's not really inferior.
|
| IDA has fewer decompilation/disassembly bugs but in both IDA
| and Ghidra, bugs are usually fairly easy to spot and not a
| huge detriment to achieving a goal.
|
| IDA deals with C++ better than Ghidra (imo).
|
| Anyway, for free Ghidra eats IDA's lunch, and the IDA home
| edition offering is weak - so for a hobbyist, Ghidra is a
| clear home run.
| RunasSudo wrote:
| I haven't ever been able to test IDA's decompiler or
| debugger, as IDA Free only does x64, and all the RE I've done
| is on 32-bit binaries.
|
| Ghidra's decompiler worked fine for this project. It made 2
| relevant mistakes which I talk about in the blog posts, but
| they were fairly easy to identify when comparing with the
| disassembly.
|
| As I discussed in the post, Ghidra did have some difficulty
| (which IDA did not have) locating all the functions, so I did
| end up using both Ghidra and IDA in the initial stages.
|
| The progress that Ghidra is making though (e.g. the recent
| implementation of debugger support) is promising for the
| future.
| sam0x17 wrote:
| I've actually never seen reverse-engineering explained in a more
| straight-forward manner. I was able to skim the article and
| understand exactly what was done in a minute or so. Excellent
| article!
| RunasSudo wrote:
| Thanks for the feedback! I get this comment a bit, and I'm not
| really sure what it is that I'm supposedly doing right, but
| I'll do my best to keep doing it!
|
| I actually don't know all that much about binary RE - my usual
| work is generally high-level Python stuff - so I try to write
| how I would like things explained to me, which I think helps.
| aidenn0 wrote:
| I think not being an expert can contribute to clearer
| communication[1]. I sometimes joke that physics is such a
| hard class primarily because it's being taught by
| physicists...
|
| 1: Of course not being an expert can contribute to
| communicating the _wrong_ thing clearly, which is its own
| problem.
| sam0x17 wrote:
| The way you explain things doesn't require a ton of existing
| domain knowledge. Having basic intuitive understanding of
| binaries and the fact that different codepoints have
| different memory addresses was sufficient, whereas most
| articles on this topic get super technical super fast.
| diskzero wrote:
| This was a great article and makes me want to dig in to some of
| my own ancient software.
|
| Could these tools and techniques be used on older PowerPC Mac
| executables? I have some old software that was protected by ADB
| dongles. I own the software, and even have the dongles, but I
| don't have any PowerPC ADB-equipped machines.
| VortexDream wrote:
| Great series of articles. I also went through the other DRM
| article linked in part 3. I love the insight into how something
| like this was reverse engineered.
|
| Does anybody know any similar articles? Maybe something where the
| software is named and it's possible to follow along step-by-step?
| Seems like it'd be a fun exercise.
| RunasSudo wrote:
| Glad you enjoyed!
|
| It sounds like what you might be after is some content on
| crackmes/specific RE challenges. I'm not involved in that
| space, so someone else probably would have better links, but
| one challenge that was my start in RE was the Synacor
| Challenge: https://challenge.synacor.com/
|
| It starts off just as a programming challenge, no real RE
| knowledge required, but if you see it through to the end you'll
| definitely wind up with a bunch of foundational RE skills. And
| there are a whole bunch of public writeups online if you want
| to follow along with someone else's approach.
|
| (Just to note, though, that it's based on a custom CPU
| architecture - implementing that is the programming part of the
| challenge - so very much from the 'learn it the hard way so
| when you do regular stuff it feels easy' school of thought.)
|
| The Youtube channel LiveOverflow also has some videos going
| step-by-step through some RE puzzles, and his content is very
| digestible.
| coldpie wrote:
| I wrote a pair of articles earlier this year about hacking a
| GameCube game
|
| https://www.smokingonabike.com/2021/01/17/hacking-super-monk...
___________________________________________________________________
(page generated 2021-08-30 23:00 UTC)