Sunday, August 26, 2012

I saw a well designed protection!

I know that normally in this space I rant about how bad this protection was, or how pathetic THAT protection was. But this post will be different. I recently had the opportunity to see an amazingly well designed protection system. Strangest of all, it was a homegrown protection written by what looks like a small developer. No, I don't know the name of the protection, and I won't tell you what packages it was on, but I'll tell you ABOUT it. The packages are both from the same source, a presumably small independent developer who produced a package to aid in the generation, and distribution of test taking tutors. Say you want to get you Linux+ certification, you can go to the web, and buy their package, and it'll help you study for the test. The target installs, and presents you with a single .exe. A quick scan tells you that it's an encapsulated Java application, with an executable launcher. A quick search, and you can pull out the whole jar file that is the program, and a quick unzip later, and you have all the .class files. Run them through decompiler of your choice, and you'll soon see that they've been obfuscated. While the obfuscated code is difficult to follow, the error messages that the application prints leads you to the right place in record time. You can see that a particular function gets called, and it's return value means the code you entered is bad, or that you're running in demo mode, or that your trial has expired. So, now a quick note. I've never learned Java. C/C++, yes, Java? No. So, that means that I have to consult the web for parameters to APIs, or what a particular API itself does. So, I see the application getting a resource, and using it in what looks like a way that would tell me EVERYTHING. So, I google the string. And what I find, is absolutely shocking. I find the COMPLETE source to the package. ALL OF IT. For whatever reason, the developer at this company kept his Eclipse workspace on the web server machine. A quick "wget", and I had the complete source, with comments, and even notes to their customers describing how their protection works. Game over, right? NO. And here's why. The protection is well designed. When you hit their website, if you opt for the demo, you get that. A demo package, with only 10 questions. (Out of who knows HOW many for the regular package). If you don't BUY a test, you can't get the executable, and all the questions. That's good idea number 1. If a pirate can't TOUCH your app., he can't crack/pirate it. Number 2. Once you get the package, you also get a serial number. When you run the app., the first thing you are presented with, is a registration box asking for that serial number that you were given. It takes this, and grabs some stats like your MB serial number, your MAC address, etc., and interlaces all this data into a packet that it sends to their registration server. The registration server returns the time period that your application is authorized for, and, (Drumroll please), the AES key to decrypt the questions database. This data is all interlaced together, and BASE64'd for the trip. The client application pulls the packet apart, save the dates, and the key for the questions, and boom. Off you go. Now, as a pirate, I'm all about weaknesses in the system. YES, you could prolong the license period forever. YES, you could buy all the tests once, and pull the private key out, and release them at once. (That would probably be kinda obvious though). As part of the glob that I downloaded, there were all the tools to be used by the customers to enter test questions into the questions database, and, the private keys for a bunch that already exist. So, in THEORY, if you could get all the applications, you could release them all without having to BUY them. But, this takes us back to problem #1. You don't get the application if you don't BUY it first. So, on a tour de force level, this protection scheme is relatively low tech, but it is above all, EFFECTIVE. So, good job who ever you are that wrote it!

No comments: