PICList Thread
'Software copy protection help'
1998\07\19@133303 by Craig Webb

Does anyone know how to add software copy protection in DOS and/or Windows?

Thanks,

Craig

P.S. Thanks to all who suggested low-priced LCD sources, I am still
following a number of leads...

1998\07\19@142610 by Peter L. Peres

On Sun, 19 Jul 1998, Craig Webb wrote:

> Does anyone know how to add software copy protection in DOS and/or Windows?

Do you have PIC dongles in mind ?

Peter

1998\07\19@164331 by Timothy D. Gray

The best way is to use a "key": a PIC connected to the serial port that,
when it sees a magic number, does a mathematical process on it and
returns the proper response (or on the parallel port). This is not
foolproof, as any decent cracker can bypass your copy protection within a few
weeks of hacking. All copy protection can be broken, but if your software
is affordable the copying issue won't be a big concern. (AutoCAD is the
largest "pirated" program there is and they haven't been hurt despite what
the corporate heads say.) Bottom line is if your program is good and people
that need it can afford it, it will sell. I'd zero in on marketing and
making it great before thinking about copy protection.

On Sun, 19 Jul 1998, Craig Webb wrote:

> Does anyone know how to add software copy protection in DOS and/or Windows?
>
> Thanks,
>
> Craig
>
> P.S. Thanks to all who suggested low-priced LCD sources, I am still
> following a number of leads...
>

1998\07\19@164337 by Ricardo Seixas

Craig,

       Before you decide to use some software/hardware copy protection scheme,
check out http://www.fravia.org.
       There's a lot of information on what you can do to make reverse
engineering "hard".

Ricardo Seixas



1998\07\19@210056 by Bob Blick
At 11:27 AM 7/19/98 -0400, you wrote:
>Does anyone know how to add software copy protection in DOS and/or Windows?

Does anyone know how to increase the unit cost of a software product, while
at the same time frustrating legitimate users, reducing sales, and creating
incompatibility with laptops?

-Bob

http://www.bobblick.com/

1998\07\19@221300 by Montaigne, Mike

If your software is any good, people will BUY it.  Just give good support
and provide upgrades at a nominal cost.  How many books have you copied
lately?  Much easier to buy.  I like to think that if you trust your
customers and give them a worthwhile product, they will honour you enough to
buy it.  Perhaps I am living in fantasy land, but the people who try your
program and use it seriously, for any length of time without paying for it,
probably wouldn't buy it in the first place.  For example, I would NEVER
use a schematic/PCB layout package without support, so why do they put
dongles on them, so I can't work at home or on my laptop?  If you don't
trust your customers, are you not daring them in return to return your
mistrust and crack your code - or pay SAFESOFT to do it for you?  Just my
humble opinion.


1998\07\19@232401 by Format

Rightly said, Bob Blick. Entering extra code into software to do copy protection
isn't hard, but it isn't foolproof, either. You just have to take that
chance; unless you are making some type of software that is worth hundreds, a
"dongle" is going to make people more reluctant to buy your software.


--
<------------------------------------------------------->
< Martin Klingensmith, AKA Format.                      >
< Pyrotechnics - Mountain Bikes - Electronics - Coding  >
< Aquaria - Computers - Computer Selling - And the list >
< Keeps going, and going...                             >
<------------------------------------------------------->

1998\07\20@142559 by Mark Willis

Bob Blick wrote:
>
> At 11:27 AM 7/19/98 -0400, you wrote:
> >Does anyone know how to add software copy protection in DOS and/or Windows?
>
> Does anyone know how to increase the unit cost of a software product, while
> at the same time frustrating legitimate users, reducing sales, and creating
> incompatibility with laptops?
>
> -Bob
>
> http://www.bobblick.com/

 Exactly!

 Last product I used with a dongle, years ago, would refuse to save my
work, any time it decided the dongle wasn't present.  Every 20 minutes,
with no forewarning.  I lost MOST of my work and wasted most of my time
figuring out where I'd been when I saved last.  Want to bet the company
that wrote said CAD package paid a penny for this huge lost
productivity?  "It's a hardware problem"...

 This made my productivity about 1/8 of what it could have been (Ever
seen someone try to concentrate, while watching the clock to make sure
they saved their work every 10-15 minutes?  NOT a pretty sight!)  This
caused that project to slide & I did get more pay, but at the cost of
some sanity & anguish.  (Got a nice trip to the Arctic to finish the
project on-site, but the insanity of that CAD package was NOT worth it.)

 I DO NOT BUY, and I refuse to recommend or use, dongled software.
Period.  As one wise man said, "The GOOD thing about beating your head
against the wall, is it feels SO good when you Quit!"  I won't beat my
head against THAT particular wall, again.  I learned.  My palmtop has no
LPT port (IBM PC110 palmtop - no serial port either, DRAT!) - I'll be
using it for some limited CAD stuff...

 Copy protection says to customers, quite effectively, "We think you're
a THIEF, we're really sure of it, so we've provided this hardware device
to make it lots harder for you to steal from us, you evil person!  Too
bad if it's inconvenient."  Alienates ME, for one.

 Would you walk into a store and pay their guard's wages for the
duration of your visit, so that guard could follow you around, holding
you at gunpoint, to make sure YOU were honest as you bought your
groceries?  I think not.

 Mark Willis, mwillisspamKILLspamnwlink.com

1998\07\21@022311 by Dr. Imre Bartfai

Hi,
I have developed a dongle for software copy protection. It seems to be
uncrackable. The host side is written in C. The dongle itself is based on
PIC16LF84, of course ;-)

Imre



1998\07\21@025911 by tjaart

Dr. Imre Bartfai wrote:

> Hi,
> I have developped a dongle for software copy protection. It seems to be
> uncrackable. The host side is written in C. The dongle itself is based on
> PIC16LF84, of course ;-)

An uncrackable dongle is easy. Uncrackable code doesn't exist.
With time, you can 'fix' all the locations where the host software
looks for the dongle. I hope this is the last message in this thread.

--
Friendly Regards

Tjaart van der Walt
.....tjaartKILLspamspam.....wasp.co.za

|--------------------------------------------------|
|                WASP International                |
|R&D Engineer : GSM peripheral services development|
|--------------------------------------------------|
|SMS EraseMEtjaartspam_OUTspamTakeThisOuTsms.wasp.co.za  (160 chars max)|
|     http://www.wasp.co.za/~tjaart/index.html     |
|Voice: +27-(0)11-622-8686  Fax: +27-(0)11-622-8973|
|          WGS-84 : 26°10.52'S 28°06.19'E          |
|--------------------------------------------------|

1998\07\21@025915 by antti

> Hi,
> I have developped a dongle for software copy protection. It seems to be
> uncrackable. The host side is written in C. The dongle itself is based on
> PIC16LF84, of course ;-)

Oh my GOD! Another [...] For those who do think they have made an ultimate
copy protection, here is the bad news - if it is financially profitable then your
protection will be cracked. No matter what you do. The only way is to make
the crack painful enough to not be reasonable, i. e.

resources needed to hack    >=    direct financial gain from crack

If the above formula is satisfied then you can hope that your software will not
be cracked, but even then you may not be sure. Some student may do it for fun.

Things that were advertised to be uncrackable have been most vulnerable to being
cracked. If you think there is a really strong encryption in the dongle (that can't
be defeated, etc...) then the weak place is probably somewhere else.

just comments.

antti
anttispamspam_OUTsistudio.com
http://www.sistudio.com http://www.avrbasic.com http://www.picmicro.com

1998\07\21@043449 by Frank A. Vorstenbosch

Dr. Imre Bartfai wrote:
>
> I have developped a dongle for software copy protection. It seems to
> be uncrackable.

OK, let's see your algorithm posted on sci.crypt then.  Even if the
crypto is strong enough, it might be simple enough to just take out the
calls to the check_dongle_present() function with a debugger.

Frank
------------------------------------------------------------------------
Frank A. Vorstenbosch     <SPAM_ACCEPT="NONE">    Phone: 0181 - 636 3000
Electronics and Software Engineer                 Mobile: 0976 - 430 569
Eidos Technologies Ltd., Wimbledon, London        Email: @spam@favKILLspamspameidos.co.uk

1998\07\21@150715 by Mike Ghormley

Tjaart van der Walt wrote:

> An uncrackable dongle is easy. Uncrackable code doesn't exist.
> With time, you can 'fix' all the locations where the host software
> looks for the dongle. I hope this is the last message in this thread.

`Fraid not Tjaart!  Most new dongles do not perform some "magical
mathematics" as was suggested earlier by another poster.  The latest
dongles are accessed with a "magic number" but then they download code
that is *missing* from the executable.

Thus, your idea of "fixing" the locations that access the dongle by
replacing a JZ with a JNZ or some such won't work as the executable that
is on the PC is incomplete.

The crack to this scheme of course is to take a "snapshot" of the
executable after the dongle access, and then remove the dongle access
locations.  But this is an order of magnitude harder than the simple
"magic number" type dongles of the past.

Best regards,

Michael

***********************************************
It's not what you are that holds you back,
it's what you think you are not. --Denis Waitly

1998\07\21@223324 by Mark Willis


 Oh, wonderful;  Though I can see self-modifying code that spools down
from the dongle as you run the program - so that snapshotting the .exe
during execution wouldn't do you any good - imagine what the effects of
a ONE-bit error are.  A nice hard crash, GPF, that sort of thing...

 Everyone here writes perfect, bug-free code and makes perfect,
problem-free hardware, though, of course <G>

 I won't BUY anything with such a dongle.  Period.  There's always
competing software that's IMHO SANELY set up.

 Mark, KILLspammwillisKILLspamspamnwlink.com

1998\07\21@230821 by Timothy D. Gray

This is a good point.. if someone can buy a program that is not dongled
they will buy that before the program that has $100.00 tacked on it to
cover the cost of the dongle. (Ever wonder why win95/98 doesn't have copy
protection?)



1998\07\22@023503 by Dr. Imre Bartfai

On Tue, 21 Jul 1998, Frank A. Vorstenbosch wrote:

> Dr. Imre Bartfai wrote:
> >
> > I have developped a dongle for software copy protection. It seems to
> > be uncrackable.
>
> OK, let's see your algorithm posted on sci.crypt then.  Even if the
> crypto is strong enough, it might be simple enough to just take out the
> calls to the check_dongle_present() function with a debugger.
>
> Frank
> ------------------------------------------------------------------------
> Frank A. Vorstenbosch     <SPAM_ACCEPT="NONE">    Phone: 0181 - 636 3000
> Electronics and Software Engineer                 Mobile: 0976 - 430 569
> Eidos Technologies Ltd., Wimbledon, London        Email: spamBeGonefavspamBeGonespameidos.co.uk
>
>
O.k. it is right but it is a general problem. I think inhibiting the
debugging of the software is another deal; there are a lot of anti-debug
tricks and software encryption.

On the other hand, the implementation is not a simple
check_dongle_present(), rather a challenge-response sequence. I send some
random challenge to the dongle, and it produces some specific answer
computed using the particular dongle (custom-tailored with some customer
information) AND the random challenge. Only if the answer fits can the
programmer be sure it is the correct dongle.

As a small bonus, my dongle has also a user-accessible (of course not
end-user, rather the programmer) EEPROM memory (16F84) so a lot of fancy
stuff can be stored here: usage counter, expiry date; furthermore the
users for a particular software can have different rights and it can be
stored also in my "dongle" etc. etc.

My personal opinion is: I also hate dongles! But I also hate working without
being honored. I am not against a humble single user who shares a product
with friends for nothing; but I AM against piracy where a dirty pig takes
one's product, hacks it if necessary, and sells it in 1000's. For instance:
I have also seen ads from the old Yugoslavia where there was offered the
complete AutoCad for $10 (sic!), etc.

This is my two cents.

Imre
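Imre's challenge-response exchange, as an added C example that is not his code or his dongle's algorithm: a simulated PIC-side dongle and the host share a per-customer secret, the host sends a fresh challenge and checks the answer. dongle_response() is a constructed toy keyed function (not a real cipher), and the secrets and customer label are made-up values; the comments mark where the replies in this thread say the weak point sits.

```c
/* Added example, not from the thread: a simulated challenge-response dongle
 * check. dongle_response() is a constructed toy keyed function used only to
 * make the exchange concrete; a real design needs a proper keyed MAC. The
 * secret values and customer label below are made up. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define ROUNDS 16

static uint32_t rotl32(uint32_t x, unsigned r)
{
    return (x << r) | (x >> (32 - r));
}

/* Toy keyed function F(key, challenge). key[1..3] drive the rounds; key[0]
 * only whitens the output, so two keys differing in key[0] always give
 * different answers (the checks below rely on that). */
uint32_t dongle_response(const uint32_t key[4], uint32_t challenge)
{
    uint32_t a = challenge ^ 0x9E3779B9u;
    uint32_t b = 0x7F4A7C15u;
    for (unsigned i = 0; i < ROUNDS; i++) {
        a += key[1 + (i % 3)];
        a = rotl32(a, 5) ^ b;
        b = rotl32(b, 13) + a;
    }
    return (a ^ b) ^ key[0];
}

/* Simulated dongle: a PIC holding a secret tailored to one customer. */
typedef struct {
    uint32_t secret[4];
    const char *customer;   /* the "customer information" baked into the part */
} dongle_t;

uint32_t dongle_answer(const dongle_t *d, uint32_t challenge)
{
    return dongle_response(d->secret, challenge);
}

/* Fresh challenge per check (xorshift32, seeded by the caller). Reusing a
 * challenge lets a recorded challenge/answer pair be replayed, which is the
 * "lurker" Tim and Mike discuss later in the thread. */
uint32_t next_challenge(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Host side. The host needs the same secret to compute the expected answer,
 * so the secret is in the program image too, and the whole check still ends
 * in one comparison: that comparison, not the function, is what Frank's and
 * Caisson's replies point at. */
int host_verify(const dongle_t *plugged, const uint32_t host_secret[4],
                uint32_t challenge)
{
    if (plugged == NULL)
        return 0;                               /* nothing answered */
    uint32_t expected = dongle_response(host_secret, challenge);
    uint32_t got = dongle_answer(plugged, challenge);
    return got == expected;
}

/* Constructed demo values. */
static const dongle_t demo_dongle = {
    { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u }, "customer-0001"
};
static const uint32_t wrong_secret[4] = {
    0x11111110u, 0x22222222u, 0x33333333u, 0x44444444u   /* differs in key[0] */
};

int main(void)
{
    uint32_t rng = 0xC0FFEEu;
    uint32_t c = next_challenge(&rng);
    printf("challenge %08x, answer %08x\n",
           (unsigned)c, (unsigned)dongle_answer(&demo_dongle, c));
    printf("genuine dongle: %d\n", host_verify(&demo_dongle, demo_dongle.secret, c));
    printf("dongle for another customer: %d\n", host_verify(&demo_dongle, wrong_secret, c));
    printf("no dongle: %d\n", host_verify(NULL, demo_dongle.secret, c));
    return 0;
}
```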

1998\07\22@064200 by Pavel Korensky

At 12:01 21.7.1998 -0700, you wrote:
>`Fraid not Tjaart!  Most new dongles do not perform some "magical
>mathematics" as was suggested earlier by another poster.  The latest
>dongles are accessed with a "magic number" but then they download code
>that is *missing* from the executable.
>
>Thus, your idea of "fixing" the locations that access the dongle by
>replacing a JZ with a JNZ or some such won't work as the executable that
>is on the PC is incomplete.
>
>The crack to this scheme of course is to take a "snapshot" of the
>executable after the dongle access, and then remove the dongle access
>locations.  But this is an order of magnitude harder than the simple
>"magic number" type dongles of the past.

Better is to supply a patch which will emulate the key. This kind of patch
can supply the missing parts of code instead of the real dongle.
And no, it is not an order of magnitude harder.

Best regards

PavelK

**************************************************************************
* Pavel Korensky                                                         *
* DATOR3 LAN Services spol. s r.o.                                       *
* Modranska 1895/17, 143 00, Prague 4, Czech Republic                    *
*                                                                        *
* PGP Key fingerprint:  F3 E1 AE BC 34 18 CB A6  CC D0 DA 9E 79 03 41 D4 *
*                                                                        *
* SUMMA SCIENTIA - NIHIL SCIRE                                           *
**************************************************************************

1998\07\22@064559 by Caisson

> From: Dr. Imre Bartfai <TakeThisOuTrootEraseMEspamspam_OUTPROF.PMMF.HU>
> To: RemoveMEPICLISTspamTakeThisOuTMITVMA.MIT.EDU
> Subject: Re: Software copy protection help
> Date: Wednesday 22 July 1998 8:22
>
> On Tue, 21 Jul 1998, Frank A. Vorstenbosch wrote:

[Cut]

> On the other hand, the implementation is not a simple
> check_dongle_present(), rather a challenge-response sequence. I send some
> random challenge to the dongle, and it produces some specific answer
> computed using the particular dongle (custom-tailored with some customer
> information) AND the random challenge. Only if the answer fit, so can be
> the programmer sure it is the correct dongle.

The above mentioned routine 'check_dongle_present()' could consist of a
(the one you mentioned) challenge-and-response routine, but the routine will
(mostly) answer in simple binary mode : Ok-to-go or Check-has-failed.
Hence the reference to the changing of a simple conditional jump.

As was/is stated, any protection that allows the software to be run can be
defeated by mimicking the _effect_ of the protection, and not the protection
itself.

Greetz,
 Rudy Wieser

1998\07\22@103213 by Timothy D. Gray


1998\07\22@135217 by Mike Ghormley

Pavel Korensky wrote:

> Better is supply a patch which will emulate the key. This kind of patches
> can supply the missing parts of code instead of real dongle.
> And no, it is not an order of magnitude harder.

I have to disagree with you this time, Pavel.  With the old style dongles (call
& response of "magic numbers") one only had to find the conditional test after
the dongle access and change the JZ to a JNZ or some such.  With the newer
dongles providing actual code that is missing from the executable it is no
longer just a matter of using DEBUG to find these conditionals.  Now hackers
must somehow find the missing code once it has been downloaded from the dongle
to make the patches, yes?  Isn't this at least an order of magnitude harder
than just finding the INT 17 calls and fooling with the conditionals after it?
Perhaps you are a more accomplished hacker than I!

Perhaps I am "telling tales out of school" but one of the newest schemes is to
provide more than one test point and to only provide the missing code for one
point at a time.  After using the code, the executable modifies itself back to
its previous state before accessing the dongle for the next missing piece.
Thus, the "snapshot" method can never capture a fully working executable.

Of course, the 2600 crowd is not idle.  Now they look for the hard writes to
memory.  I am sure that the dance will go on as long as copy protection is in
use.

We can both agree that dongles are an exercise in frustration for the user,
yes?  I would not use a dongle on any product of mine aimed at a large consumer
market, but I am not opposed to designing them for others that think and feel
differently.

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************

1998\07\22@140641 by Rogerio Odriozola

>(Ever wonder why win95/98 doesn't have copy protection?)
I'd say Microsoft wants the whole pie, either by selling its OS or by
pirating; who cares if they lose 50 % of sales, it's filthy rich working
this way, and this way even a 2 year old knows what Win95 is. He'll grow to
NEED Microsoft products, yuuk.

Rogerio

1998\07\22@160923 by Timothy D. Gray

Do a simple file compare on the program... before running and after
running... the PIC's code will stick out like a neon bulb. It would take
me 6 minutes to defeat that one (been there, done that :-)



1998\07\22@171157 by Mike Ghormley

Timothy D. Gray wrote:

> do a simple file compare on the program... before running and after
> running... the pic's code will stick out like a neon bulb. it would take
> me 6 minutes to defeat that one (been there done that :-)

Tim,

It seems like folks are missing the point.  The file before and after running are
exactly the same -- incomplete.

* The program on the PC begins to run.

* At points A, B, and C (ad nauseam) in the executable there are a pack of NOPs
(usually other stuff, but this will do for the example) which will render the
program useless.

* Before the code at point A is executed, the program accesses the dongle with a
magic number.  The dongle responds by sending back the missing OP CODES, which the
program places into point A in place of the NOPs (or other stuff).

* The code at point A is run.

* After the code at point A is finished executing, the executable rewrites the NOPs
(or other stuff) into the code space.

* Before the code at point B is executed, the program accesses the dongle with
another magic number.  The dongle responds by sending back the missing OP CODES for
point B, which the program places into point B.

* The code at point B is run.

* After the code at point B is finished executing, the executable rewrites the NOPs
(or other stuff) into the code space.

* Etc.

Nothing is ever written to the disk, and at no time is the executable complete, so a
"snapshot" won't work as well.  The tip-off for the 2600's is the explicit memory
writes which do stick out like a sore thumb in Windows code to folks in-the-know.

Sorry if I wasn't clear before.

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************
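Mike's step list, as an added C example that is not his code or any vendor's: a tiny stack-machine "executable" with two holes, a simulated dongle that returns the missing bytes for a magic number, and a loader that fills each hole in RAM only, runs it, and restores the placeholder, so the image is never complete and the on-disk file never changes. The opcodes, magic numbers, snippets and sample program are constructed.

```c
/* Added example, not from the thread: Mike's "missing code" dongle scheme on a
 * tiny stack machine. Opcodes, magic numbers, snippets and program are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_HALT = 0, OP_PUSH = 1, OP_ADD = 2, OP_MUL = 3, OP_TRAP = 0xEE };
#define IMAGE_LEN   16
#define SNIPPET_LEN 4

/* The executable as it sits on disk: points A and B are holes filled with
 * TRAP bytes (Mike's NOPs), so the image on its own is useless. */
static const uint8_t disk_image[IMAGE_LEN] = {
    OP_PUSH, 3, OP_PUSH, 4,
    OP_TRAP, OP_TRAP, OP_TRAP, OP_TRAP,     /* point A, offset 4  */
    OP_PUSH, 5,
    OP_TRAP, OP_TRAP, OP_TRAP, OP_TRAP,     /* point B, offset 10 */
    OP_HALT, OP_HALT
};

/* Simulated dongle: a magic number selects the missing opcodes for one point. */
typedef struct { uint32_t magic; uint8_t code[SNIPPET_LEN]; } snippet_t;
static const snippet_t dongle_store[] = {
    { 0xA5A5u, { OP_ADD, OP_PUSH, 10, OP_ADD } },   /* A: (3+4)+10 */
    { 0x5A5Au, { OP_MUL, OP_PUSH, 2,  OP_MUL } },   /* B: (..*5)*2 */
};

static const uint8_t *dongle_fetch(uint32_t magic, int present)
{
    if (!present) return NULL;
    for (size_t i = 0; i < sizeof dongle_store / sizeof dongle_store[0]; i++)
        if (dongle_store[i].magic == magic) return dongle_store[i].code;
    return NULL;
}

/* Machine state; mem is the in-RAM copy of the executable. */
typedef struct { uint8_t mem[IMAGE_LEN]; int32_t stack[8]; int sp; size_t pc; int faulted; } vm_t;

/* Execute from pc until offset 'stop' is reached, HALT runs, or a fault. */
static void vm_run(vm_t *vm, size_t stop)
{
    while (!vm->faulted && vm->pc < stop) {
        uint8_t op = vm->mem[vm->pc++];
        switch (op) {
        case OP_PUSH:
            if (vm->sp >= 8 || vm->pc >= IMAGE_LEN) { vm->faulted = 1; break; }
            vm->stack[vm->sp++] = vm->mem[vm->pc++];
            break;
        case OP_ADD:
        case OP_MUL:
            if (vm->sp < 2) { vm->faulted = 1; break; }
            vm->sp--;
            if (op == OP_ADD) vm->stack[vm->sp - 1] += vm->stack[vm->sp];
            else              vm->stack[vm->sp - 1] *= vm->stack[vm->sp];
            break;
        case OP_HALT:
            vm->pc = IMAGE_LEN;
            return;
        default:                /* TRAP: executing a hole crashes the program */
            vm->faulted = 1;
        }
    }
}

/* One protected point: run up to the hole, ask the dongle, patch RAM only, run
 * the snippet, put the placeholder back. The two writes into code space are
 * the observable behaviour the thread describes. */
static int protected_point(vm_t *vm, size_t at, uint32_t magic, int present)
{
    const uint8_t *code = dongle_fetch(magic, present);
    vm_run(vm, at);
    if (code) memcpy(vm->mem + at, code, SNIPPET_LEN);
    vm_run(vm, at + SNIPPET_LEN);   /* without the snippet this executes TRAP */
    if (code) memset(vm->mem + at, OP_TRAP, SNIPPET_LEN);
    return !vm->faulted;
}

static vm_t last_vm;    /* kept so the RAM image can be inspected after a run */

/* Loads the disk image into RAM and runs it; returns the result (170 with the
 * dongle present) or -1 if it faulted. */
int32_t run_protected(int dongle_present)
{
    vm_t *vm = &last_vm;
    memset(vm, 0, sizeof *vm);
    memcpy(vm->mem, disk_image, IMAGE_LEN);
    if (!protected_point(vm, 4, 0xA5A5u, dongle_present)) return -1;
    if (!protected_point(vm, 10, 0x5A5Au, dongle_present)) return -1;
    vm_run(vm, IMAGE_LEN);
    return (vm->faulted || vm->sp < 1) ? -1 : vm->stack[0];
}

/* 1 if the RAM image is back to its incomplete on-disk form after the run. */
int image_restored(void) { return memcmp(last_vm.mem, disk_image, IMAGE_LEN) == 0; }

int main(void)
{
    int32_t r = run_protected(1);
    printf("with dongle: %d, RAM image restored afterwards: %d\n", (int)r, image_restored());
    printf("without dongle: %d\n", (int)run_protected(0));
    return 0;
}
```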

1998\07\22@172948 by samcovill

how does one unsubscribe to this thing????

----------
> From: Mike Ghormley <EraseMEmikegspamBLACKSAND.COM>
> To: RemoveMEPICLISTEraseMEspamEraseMEMITVMA.MIT.EDU
> Subject: Re: Software copy protection help
> Date: 22 July 1998 22:07
>
> Timothy D. Gray wrote:
>
> > do a simple file compare on the program... before running and after
> > running... the pic's code will stick out like a neon bulb. it would take
> > me 6 minutes to defeat that one (been there done that :-)
>
> Tim,
>
> It seems like folks are missing the point.  The file before and after
> running are exactly the same -- incomplete.
>
> * The program on the PC begins to run.
>
> * At point A, B, and C (ad nauseam) in the executable there are a pack of
> NOPs (usually other stuff, but this will do for the example) which will
> render the program useless.
>
> * Before the code at point A is executed, the program accesses the dongle
> with a magic number.  The dongle responds by sending back the missing OP
> CODES, which the program places into point A in place of the NOPs (or other
> stuff).
>
> * The code at point A is run.
>
> * After the code at point A is finished executing, the executable rewrites
> the NOPs (or other stuff) into the code space.
>
> * Before the code at point B is executed, the program accesses the dongle
> with another magic number.  The dongle responds by sending back the missing
> OP CODES for point B, which the program places into point B.
>
> * The code at point B is run.
>
> * After the code at point B is finished executing, the executable rewrites
> the NOPs (or other stuff) into the code space.
>
> * Etc.
>
> Nothing is ever written to the disk, and at no time is the executable
> complete so a "snapshot" won't work as well.  The tip-off for the 2600's is
> the explicit memory writes which do stick out like a sore thumb in Windows
> code to folks in-the-know.
>
> Sorry if I wasn't clear before.
>
> Michael
>
> *************************************************************************
> When the way of the Tao is forgotten, kindness and ethics must be taught.
> Men must learn to pretend to be wise and good.  --  Lao Tzu
> *************************************************************************

1998\07\22@180707 by WF AUTOMACAO

Samuel Covill wrote:
>
> how does one unsubscribe to this thing????
>
> ----------

Hummm,

Change your e-mail! :)

Miguel.

1998\07\22@194125 by Timothy D. Gray

Ahh but a simple program watching system RAM in the memory locations of
the NOPs will display the missing code, or a snapshot of the system RAM during
that time will reveal it; this is a common tool used by software reverse
engineers and made a lot easier with Win-95.. One trick I saw in copy
protection was this way except the program was to reside in ROM and tried
to write NOPs to itself during execution... if it was in ROM then
everything was fine. If it was a copy running in RAM then it ate
itself. This copy protection scheme has been around for years and has
been defeated many many times (remember the original floppies with
special "bad blocks"?) The biggest advantage is that dongles are limited
in their storage so the blocks of "program" are very small and not 1-2 meg
blocks of missing program. Typically it was the file write or read
function that the cracker was looking for anyway.  In fact the last
dongle crack I saw used a PIC "dongle" that just recorded the
poll/response. This PIC cracked 40 different types of dongles without
modification before it was stolen.


> Tim,
>
> It seems like folks are missing the point.  The file before and after
> running are exactly the same -- incomplete.
>
> [...]
>
> * Before the code at point A is executed, the program accesses the dongle
> with a magic number.  The dongle responds by sending back the missing OP
> CODES, which the program places into point A in place of the NOPs (or other
> stuff).
>
> * The code at point A is run.
>
> * After the code at point A is finished executing, the executable rewrites
> the NOPs (or other stuff) into the code space.
>
> * Before the code at point B is executed, the program accesses the dongle
> with another magic number.  The dongle responds by sending back the missing
> OP CODES for point B, which the program places into point B.
>
> * The code at point B is run.
>
> * After the code at point B is finished executing, the executable rewrites
> the NOPs (or other stuff) into the code space.
>
> * Etc.
>
> Nothing is ever written to the disk, and at no time is the executable
> complete so a "snapshot" won't work as well.  The tip-off for the 2600's is
> the explicit memory writes which do stick out like a sore thumb in Windows
> code to folks in-the-know.
>
> [...]

1998\07\23@021539 by Mike Ghormley

Timothy D. Gray wrote:

> Ahh but a simple program watching system ram in the memory locations of
> nop will display the missing code.

Tim, there aren't any NOPs.  I was using them as an example.  The code that is
written over looks very real.  A typical serious dongle may have more than 50
snippets of missing code.  It is not as simple as you imagine.

> or snapshot the system ram during that time will reveal it, this is a common
> tool used by software reverse engineers and made a lot easier with win-95..

A snapshot won't work either.  Please reread my post.  I think I was reasonably
clear about this.  Fifty snapshots -- taken at precisely the right moments --
could be patched together to make a working copy, but it would be a daunting task.

> One trick I saw in copy
> protection was this way except the program was to reside in rom and tried
> to write nop's to it's self during execution... if it was in rom then
> everything was fine. if it was a copy running in ram then it ate
> it's-self. this copy protection scheme has been around for years and has
> been defeated many many times (remember the origional floppies with
> special "bad blocks"?)

Yes, the scheme was called fingerprint and used a laser to zap the magnetic media
on a spot on the floppy.  If the program could write and then read back from that
sector, then it was a copy.  It was often defeated on the first try, by finding
the visible blemish on the master disk and then scratching the media off with a
pin at the same spot on the copy disk.  Had they accessed the track just above
and just below the laser dot to see that it was read/writeable it would have been
a better scheme, methinks.

> the biggest advantage is that dongles are limited
> in their storage so the blocks of "program" are very small and not 1-2 meg
> blocks of missing program. typically it was the file write or read
> function that the cracker was looking for anyways.

That was then.  Now there is no file access other than loading the executable.
Even 512 bytes can hold up to 100 missing five-byte snippets.  This would take a
while to crack.

> In fact the last dongle crack I saw used a pic "dongle" that just recorded the
> poll/response. this pic cracked 40 different types of dongles without
> modification before it was stolen.

This would easily work on the "magic number" type and would have a pretty good
success with the early "snippet" models, but there have been changes (that I am
not willing to share) to defeat what we call a lurker.

Of course any dongle scheme can be cracked and any crack can be defeated.  As I
said, the dance will continue as long as there is copy protection.  It is just
not the two-step that you make it out to be.

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************

1998\07\23@064111 by Pavel Korensky

At 10:48 22.7.1998 -0700, you wrote:
>to make the patches, yes?  Isn't this at least an order of magnitude harder
>than just finding the INT 17 calls and fooling with the conditionals after it?
> Perhaps you are a more accomplished hacker than I!
>

Hmmm, it depends on how "orders of magnitude" is defined :-)) Surely
the described scheme is harder, but I think that "several orders of
magnitude" is a strong word.

>Of course, the 2600 crowd is not idle.  Now they look for the hard writes to
>memory.  I am sure that the dance will go on as long as copy protection is in
>use.

Yep, this is sure thing.

>
>We can both agree that dongles are an exercise in frustration for the user,
>yes?  I would not use a dongle on any product of mine aimed at a large
consumer
>market, but I am not opposed to designing them for others that think and feel
>differently.

Dongles are terrible. BTW, one thing that I like on our Eagle PCB package
is the fact that there is no dongle.

Best regards

PavelK

**************************************************************************
* Pavel Korensky                                                         *
* DATOR3 LAN Services spol. s r.o.                                       *
* Modranska 1895/17, 143 00, Prague 4, Czech Republic                    *
*                                                                        *
* PGP Key fingerprint:  F3 E1 AE BC 34 18 CB A6  CC D0 DA 9E 79 03 41 D4 *
*                                                                        *
* SUMMA SCIENTIA - NIHIL SCIRE                                           *
**************************************************************************

1998\07\23@122310 by Mike Ghormley

Pavel Korensky wrote:
>
> At 10:48 22.7.1998 -0700, you wrote:
> >to make the patches, yes?  Isn't this at least an order of magnitude harder
> >than just finding the INT 17 calls and fooling with the conditionals after it?
> >
> > Perhaps you are a more accomplished hacker than I!

> Hmmm, it depends on how "orders of magnitude" is defined :-)) Surely
> the described scheme is harder, but I think that "several orders of
> magnitude" is a strong word.

Pavel,

You quote me in your last post.  I said: "...at least an order of magnitude harder..."
Not orders, but an order.  On this perhaps we can agree?  <G>

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************

1998\07\23@163342 by eslight

No, there are ways to make "uncrackable" dongles; I've been working
on a project similar to this for over 6 months (personal hobby),
but to be fully uncrackable, you'd have to be absolutely certain
that the code from the chip couldn't be read, and you can't be
sure of that with most microcontrollers.  So just for that, the
word "uncrackable" can't be used :), and crypto? I can't believe
people are still using that for dongles; there are other approaches,
but let's not get into that business, because at the end you'll
probably do like me: find out that you must support 95/98/NT,
and writing kernel mode drivers if you are an electronics hobbyist
that knows a bit about C is a pain in the ass unless you really
know what you are doing and how the kernel works.

God I miss the good old days of poke in here and there, computing
isn't fun anymore, everything gets too complicated with too many
layers of communication between the user and the hardware, just
for the sake of "standard" and "simplicity" (I'll pass on the
second one) :)

I was looking at the skeleton driver of the USB (WDM driver)
and I was wondering if it's really C that I've learned when I was
in school :)



1998\07\23@172004 by paulb

Mike Ghormley wrote:

> The tip-off for the 2600's is the explicit memory writes which do
> stick out like a sore thumb in Windows code to folks in-the-know.

 The big challenge will be for the dongle guys to make a dongle which
will work on Win NT!

 As to Imre, best of luck to him!  If you can sell people crap and make
money so doing, great!  That's Bill's way after all!

--
 Cheers,
       Paul B.

1998\07\24@025123 by Dr. Imre Bartfai

Hi,
to INT 17:

normally, dongles do not use INT 17; to hack it it would be a light play;
they use rather in/out commands, i. e. they access the port directly.

Imre


On Thu, 23 Jul 1998, Pavel Korensky wrote:


1998\07\29@211853 by Larry G. Nelson Sr.

It all depends on how onerous you want to be to the end user. You can buy
Dongles from several sources and add in their routines. An alternative is
to block running unless they enter some random block of text from the
manual as done with some games and with Electronics Workbench.


At 11:27 AM 7/19/98 -0400, you wrote:
>Does anyone know how to add software copy protection in DOS and/or Windows?
>
>Thanks,
>
>Craig
>
>P.S. Thanks to all who suggested low-priced LCD sources, I am still
>following a number of leads...
>
>
Larry G. Nelson Sr.
RemoveMEL.NelsonTakeThisOuTspamspamieee.org
http://www.ultranet.com/~nr

1998\07\29@221939 by Timothy D. Gray

And you will notice that the games that sold millions and actually became
the best of all, do not have copy protection  :-)  I.E. copy protection on
products destined for consumers is a great way to waste time and money.

On Wed, 29 Jul 1998, Larry G. Nelson Sr. wrote:



1998\08\17@122723 by marc
Hi Mike (Mike Ghormley), in <RemoveME35B6D3FF.1E1EKILLspamspamblacksand.com> on Jul 22 you wrote:

> > Ahh but a simple program watching system ram in the memory locations of
> > nop will display the missing code.
>
> Tim, there isn't any NOPs.  I was using them as an example.  The code that is
> written over looks very real.  A typical serious dongle may have more than 50
> snippets of missing code.  It is not as simple as you imagine.

As long as the PC software authenticates the dongle and not vice-versa,
it's possible to just read all the code from the dongle (using an own piece
of software that talks to the dongle like the protected app).

Then all PC software calls to the dongle can be replaced by an emulation
function that returns the same code that the dongle would have returned.

The challenge-response inconsistency (if you're too tired to actually hack
the algo/key) can be overridden by changing the PC software's conditional
jumps.

It then does make no difference if the PC software patches the patched
locations back to their original content right after execution, or before
exiting.  Also it does not matter how often the dongle is read, and whether
there are 1 or 50 snippets in it, or if all 50 are applied at the same time
or just a single change is made at a time and then reversed back.


If the dongle authenticates the PC software, you'll either have to
reengineer the PC soft authentication algorithm, or manipulate the PC soft
to save the dongle code right after receival, or monitor the conversation
using software or hardware tools.  After successful extraction of the
dongles' code patches you can continue as described above.

> Of course any dongle scheme can be cracked

Ditto.

1998\08\18@014130 by Mike Ghormley

Marc Heuler wrote:

> Hi Mike (Mike Ghormley)  <snip>

Hi Marc.  Let me preface my reply by thanking you for not saying something
sophomoric like "cracking a dongle is childsplay" as someone on this list did
a while back.  I did not grace his post with a reply.

I have designed and built a (IMHO) rather nice dongle for a client which was
not for commercial use, but was used for access to sensitive documents from
within an organization.  I have said before and will say again -- dongles/hacks
is a dance.  One will always outdo the other only to be outdone once again.

> As long as the PC software authenticates the dongle and not vice-versa,
> it's possible to just read all the code from the dongle (using an own piece
> of software that talks to the dongle like the protected app).

Well, this dongle-authenticating-pc idea was a cat that I did not wish to let
out of the bag.

> Then all PC software calls to the dongle can be replaced by an emulation
> function that returns the same code that the dongle would have returned.

This is true.  My point is that having 50 snippets that come and go makes it
much harder for a "lurker" to sniff or the "snapshot" to capture than the older
one-snippet method.  There is also a feline or two here that I wish to leave
in the sack.

> The challenge-response inconsistency (if you're too tired to actually hack
> the algo/key) can be overridden by changing the PC softwares' conditional
> jumps.

Perhaps I am saying too much, but the old idea of conditional jumps has been
replaced (mostly but not exclusively) by an array of pointers to functions or
other such data that is essential to the _flow control_ of the software.
Again, there is a cat or two...

> It then does make no difference if the PC software patches the patched
> locations back to their original content right after execution, or before
> exiting.  Also it does not matter how often the dongle is read, and whether
> there are 1 or 50 snippets in it, or if all 50 are applied at the same time
> or just a single change is made at a time and then reversed back.

Perhaps I am not clear.  Imagine an array of pointers to functions -- say 50 of
`em, although it could just as easily be 256 or 1024, yes?  All the pointers
point to dummy functions that ultimately (but not immediately) result in some
dysfunctionality of the code.  As the code is run, it approaches its first use
of the array -- a call to function21(), for instance.  It then sends a call to
the dongle and receives the real pointer for offset 21, then it accesses
function21().  The first thing that function21() does is to rewrite the old
dummy pointer back into offset 21 of the array.  The idea is that at no time is
the code in memory fully operational.  This defeats the "snapshot" method that
was/is popular in defeating the single-snippet dongles.  I agree that this
alone will have little effect on the "lurker" dongle, but read on.

> If the dongle authenticates the PC software, you'll either have to
> reengineer the PC soft authentication algorithm, or manipulate the PC soft
> to save the dongle code right after receival, or monitor the conversation
> using software or hardware tools.  After successful extraction of the
> dongles' code patches you can continue as described above.

The "lurker" or "sniffer" dongle may read the numerous calls and responses and
build a table for the patch if the method was that simple, but the responses
for a given call will be different for each session as you might expect.
Thus, the table that is built will only work for one session in every 2.1475
billion sessions or so.

I don't claim that there is any infallible dongle method.  All that can be
hoped is that the hacker will have to use up too many resources
(time/energy/money) to make it worthwhile.

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************
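The scheme described in the post above, as an added example in C that is not code from this thread or from the poster's design: the real function pointers exist only on the (in-process, constructed) "dongle" side, the host's table holds dummies, every real function writes the dummy back on entry, and a session nonce mixed into each reply makes the recorded reply for the same slot differ from session to session. The mixing function, nonce handling, slot contents and helper names are assumptions made for illustration. The comment in call_protected marks what a defender should look at first: the host unmasks and trusts whatever comes back, which is the trust boundary the rest of the thread turns on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation of the "array of pointers to functions" dongle scheme.
 * Everything here is constructed for illustration: slot contents,
 * nonce mixing and session values are assumptions, not any real
 * dongle's protocol. */

typedef int (*op_fn)(int);

/* Assumes a function pointer fits in a uintptr_t so it can be masked
 * as an integer on the "wire"; refuses to compile otherwise. */
typedef char assert_ptr_size[sizeof(op_fn) == sizeof(uintptr_t) ? 1 : -1];

#define NSLOTS 3

/* ---- dongle side: the only place the real pointers are stored ---- */

static int real_double(int x);
static int real_square(int x);
static int real_negate(int x);

static const op_fn dongle_real_table[NSLOTS] = { real_double, real_square, real_negate };
static uint32_t dongle_nonce;   /* session nonce agreed with the host */

/* Toy per-session mask.  Every step is a bijection in nonce, so two
 * different sessions never share a mask for the same slot.  It is
 * NOT a cryptographic function; it only models "different each time". */
static uint32_t mask_for(uint32_t nonce, uint32_t slot) {
    uint32_t v = (nonce * 0x9E3779B9u) ^ (slot * 0x85EBCA6Bu);
    v ^= v >> 16;
    v *= 0x7FEB352Du;
    v ^= v >> 15;
    return v;
}

static void dongle_begin_session(uint32_t nonce) { dongle_nonce = nonce; }

/* Reply to "give me slot N": the real pointer masked with the session
 * value, so a recorded reply is only meaningful in this session. */
static uintptr_t dongle_fetch(uint32_t slot) {
    uintptr_t p;
    memcpy(&p, &dongle_real_table[slot], sizeof p);
    return p ^ (uintptr_t)mask_for(dongle_nonce, slot);
}

/* ---- host side: the table in program memory holds only dummies ---- */

static int dummy_op(int x) { (void)x; return -1; }   /* plausible but wrong */
static op_fn table[NSLOTS] = { dummy_op, dummy_op, dummy_op };
static uint32_t host_nonce;

static void restore_dummy(uint32_t slot) { table[slot] = dummy_op; }

/* Each real operation first puts the dummy back, so the table is live
 * for exactly one call and a memory snapshot never sees it complete. */
static int real_double(int x) { restore_dummy(0); return 2 * x; }
static int real_square(int x) { restore_dummy(1); return x * x; }
static int real_negate(int x) { restore_dummy(2); return -x; }

void host_begin_session(uint32_t nonce) {
    host_nonce = nonce;
    dongle_begin_session(nonce);
}

/* Ask the dongle for one slot, unmask it, call it once.  Note that the
 * host trusts whatever comes back: nothing here checks that the reply
 * really originated from the dongle. */
int call_protected(uint32_t slot, int arg) {
    uintptr_t p = dongle_fetch(slot) ^ (uintptr_t)mask_for(host_nonce, slot);
    op_fn fn;
    memcpy(&fn, &p, sizeof fn);
    table[slot] = fn;            /* live now ... */
    return table[slot](arg);     /* ... and restored on entry to fn */
}

int slot_is_dummy(uint32_t slot) { return table[slot] == dummy_op; }

/* Same slot, two sessions: does the reply an observer of the link would
 * record differ?  (1 = yes) */
int reply_changes_with_session(uint32_t slot, uint32_t nonce_a, uint32_t nonce_b) {
    uintptr_t a, b;
    host_begin_session(nonce_a); a = dongle_fetch(slot);
    host_begin_session(nonce_b); b = dongle_fetch(slot);
    return a != b;
}

int main(void) {
    host_begin_session(0x1234u);
    printf("square(7) = %d, slot 1 back to dummy: %s\n",
           call_protected(1, 7), slot_is_dummy(1) ? "yes" : "no");
    printf("reply for slot 2 differs across sessions: %s\n",
           reply_changes_with_session(2, 1u, 2u) ? "yes" : "no");
    return 0;
}
```

Running it shows the two properties the post relies on: the slot is a dummy again the moment the real function has been entered, and the bytes on the link for the same slot change with the session nonce. It also shows the limit the simulation makes visible: the unmask step on the host side is ordinary code that accepts any reply.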

1998\08\19@122543 by Marc Heuler

Hi Mike (Mike Ghormley), in <35D912F5.7949STOPspamspamspam_OUTblacksand.com> on Aug 17 you wrote:

> Perhaps I am not clear.  Imagine an array of pointers to functions -- say 50
> of `em, although it could just as easily be 256 or 1024, yes?  All the
> pointers point to dummy functions that ultimately (but not immediately) result
> in some dysfunctionality of the code.  As the code is run, it approaches its
> first use of the array -- a call to function21(), for instance.  It then sends
> a call to the dongle and receives the real pointer for offset 21, then it
> accesses function21().  The first thing that function21() does is to rewrite
> the old dummy pointer back into offset 21 of the array.  The idea is that at
> no time is the code in memory fully operational.  This defeats the "snapshot"
> method that was/is popular in defeating the single-snippet dongles.  I agree
> that this alone will have little effect on the "lurker" dongle, but read on.

Your dongle design complicates the cracking process, and guarantees you at
least one sale (the attacker needs one dongle to gather the data from it).


The approach I would take to defeat such a dongle protection is to emulate
the dongle in software.  I can then view the PC software as two operations:
a) detect/authenticate the dongle, and b) receive code or data.

The detection and/or authentication has to be skipped.

The array you describe above belongs to the dongle's data contents (just
like code to patch into the executable).  This would have to become part of
the emulation.

When you have no further encryption after successful authentication of the
dongle, I can take the plaintext data, and re-inject it into your execution
flow at runtime of the fooled software.

If you protect the data by encryption, I'd have to patch your software to
store the plaintext data (before it's used to apply patches to data or code
locations, but after receival/decryption) on disk.  In the pirate version
of your app, the plaintext data has to be inserted right after the
decryption function (which is patched to be skipped).

Your software will then automagically apply all correct patches to itself,
no matter whether it's code or data, index in tables or else.

The attacker just has to find the knot where the dongle info and data is
received, turned to plaintext, and _trusted_.



By the way, I have never actually cracked a dongle.  All related aspects
belong to fields that I have studied and worked on in the past, including
cryptographic protocols and analysing other people's code.

Personally I don't like dongled software.  I don't own a desktop PC with
network, USB, +-12V RS232, or slots.  I get my work done by choosing
products w/o dongle where possible.  (no offense)

1998\08\19@192322 by Mike Ghormley

Marc Heuler wrote:

> Your dongle design complicates the cracking process, and guarantees you at
> least one sale (the attacker needs one dongle to gather the data from it).

<VBG>

Actually, this was not for commercial distribution but was used in-house by a
medium-sized company to limit access of sensitive files by their employees.  We
made 100 of `em and that was it.  They opted for a custom design as they were
concerned that their "techies" might be able to find a "jump start" on a known
design.  Of course, the commercial units may be a couple of steps ahead of me
in the dance so I don't know that they made the correct decision.

I did a little research and produced the best product that I could.  I think
that it is crackable, but *much* harder than anyone without a lot of spare time
could manage from the software side.  Even with knowing the methods used, I
would find it hard to get the program to work via software, methinks.  I would
attack the thing by extracting the code from the dongle via hardware means.  It
seems more cost-effective.

{Quote hidden}

I'm not sure that I am following you here.  The authentication was an ongoing
exercise.  As calls were about to be made to critical functions the dongle was
accessed.  There is never a time when there is no further encryption.

However, I am not telling the whole story.  The method was not as simple as an
array of pointers to functions.  I used it as an example of how to slow down
the "snapshot" and "lurkers" out there.  I don't want to reveal all of the
methods used for three reasons:  1) the methods are proprietary to my customer,
2) I do not wish to give any ammunition to hackers-for-profit, 3) I don't want
to spoil the hacker-for-challenge's fun -- kinda' like telling who-dun-it in a
mystery.

> If you protect the data by encryption, I'd have to patch your software to
> store the plaintext data (before it's used to apply patches to data or code
> locations, but after receival/decryption) on disk.  In the pirate version
> of your app, the plaintext data has to be inserted right after the
> decryption function (which is patched to be skipped).
> Your software will then automagically apply all correct patches to itself,
> no matter whether it's code or data, index in tables or else.
> The attacker just has to find the knot where the dongle info and data is
> received, turned to plaintext, and _trusted_.

Pretty much I agree again.  The thought of trying to find all of these points
in the code is daunting -- at least to me.  The idea of this part of the
protection was to make it so hard that most hackers would just not care to
spend the resources.  Also, the response was *different* for any given call to
the dongle from session to session.  There were 2^^31 possibilities.  If you
succeeded in getting all of the responses in a session, you still needed to
figure out how to alter the code to make those responses work every time.  And
then there are the other cats...

> By the way, I have never actually cracked a dongle.  All related aspects
> belong to fields that I have studied and worked on in the past, including
> cryptographic protocols and analysing other people's code.

I will admit that I have cracked a dongle or two in my day, but never for
profit or malice.  It was more for the challenge in my beery youth as well as
research for this project.

BTW, the first dongle that I poked around on (way back in the Jurassic Period)
turned out to be a shift register!  It clocked out a bit stream and then read
it back in, eight ticks later.

> Personally I don't like dongled software.  I don't own a desktop PC with
> network, USB, +-12V RS232, or slots.  I get my work done by choosing
> products w/o dongle where possible.  (no offense)

None taken.  Personally I have declined to buy dongled software (ChessBase 6,
for instance).  I would think very hard before attaching such a disruptive
device to any of my own code.  It just doesn't make sense for commercial
products, methinks.  Security is another matter.

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************

1998\08\19@195223 by Mike Ghormley

John Payson wrote:

<big snip>

Call the SPCA!  There are cats everywhere!  ;^)

I generally agree with everything you say, John, except the point about "A
well-designed security system will remain secure even if its workings are
well-documented and understood by its adversaries."  I just am uncomfortable
giving any ammo to the enemy.  Even DES can be broken, given enough time and
horsepower, yes?

> [John]  There are some excellent methods in existence; spending $1B of effort
> to prevent piracy of $1M of software is ludicrous, however.

Like taking extra-long steps to save your $40 shoes and ripping your $100 pants?
Yep.  I agree.

This thread has taken up too much of my time and spilled a few too many beans
for my comfort.  For my part, I would like to put it to rest.  Thanks to all
(even "childsplay") for the thought-provoking discussion.

All the best,

Michael

*************************************************************************
When the way of the Tao is forgotten, kindness and ethics must be taught.
Men must learn to pretend to be wise and good.  --  Lao Tzu
*************************************************************************
