
[Security] Methods of Securing your Programs



Posted by Author System On 2007-04-29 10:02:31







<strong>Methods of Securing your Programs</strong>

An Anti-Piracy, Anti-Hack, Anti-Reverse Engineering Tutorial

By crtw (a.k.a. Icydemon), mauroskoufis@hotmail.com


<hr>
<strong>1. Introduction</strong>
    Welcome to this programming/security tutorial. Here are some general concepts and ideas for securing your applications from:
    • Electronic pirates (creators of illegal copies)
    • Hackers (people who want to hack your applications)
    • Reverse engineering (a term which will be introduced later)
    Generally, we want protection for commercial programs, games for example. Commercialization nowadays has been spreading through various industries, such as the game industry and the operating systems industry. People like making money from programs, not losing it. In fact, when piracy occurs, the price of the original programs becomes higher, and this in turn creates more piracy, and so on. I have made a diagram for a word processor to show that piracy is a real threat to companies, and companies are a threat to the public:
    [Image I: Statistical View of Price & Piracy (example of program price and piracy)]
    First of all, I haven't made a perfect diagram (I prefer to leave those to mathematicians); piracy is measured in human units. The red boxes are the price of the product, while the black curve is the number of pirates. So we can see a program and its value through time. Note that if any change in the economy occurs (like big inflation), developers have to eat to continue producing, so they increase the value of the program. Pirates also increase, because they have to crack the program or copy it to make illegal money. This makes the developers increase the price further, because they want to cover the money lost to piracy, and so on.
    My experience with commercial programs is rather small; I have worked on only 3-4 projects. But when we had to decide what to do in terms of program protection (apart from copyrights), we started to argue. One of us wanted to put a serial-key check into setup, another wanted live activation, yet another wanted registration with our server before giving all privileges to the user, etc. If you don't know the threats, you sometimes help the individuals who want to illegally exploit your work.
<strong>2. Most Common Threats</strong>
    <strong>2.1 Brute Forcing</strong>
    Brute forcing in plain English is "try all passwords from aaaaaaaaa to zzzzzzzz, including numbers, symbols and other characters, until you find the correct one". This is a very common way of cracking password-encrypted zip archives. In this case the hacker tries every combination of digits (using a program) until he finds a correct one. If your program is protected by a serial code using this mask:
    PLTG-V301---
    the individual will try to replace ? with each character in sequence until he/she finds a valid serial key. This applies to programs that ask for a serial key in the setup application or inside the application itself.
    <strong>2.2 Disassembling</strong>
    An experienced user with a good understanding of assembly language can bypass your security checks just by altering a JE instruction to JNE. This trick inverts the check: if there is no valid password the program will run, and if there is one the program will refuse to run.
    As far as I know, there is no way of securing a program against this kind of attack, as hackers alter pieces of code and release "cracks" or "patches" on the internet. The only way, not to avoid it but to mitigate it a little, is to release updated versions with slightly (or greatly) changed code, so that you are secure until the next "crack" is out.
    <strong>2.3 Pirate Copies</strong>
    Pirate copies are copies of your application that are not authorized by you, and thus illegal. They are made by getting an original CD, finding the serial key or other type of protection, and releasing it either through the internet or on CDs. This can be harmful for your budget because there can be 200.000 copies on the market with 50% of them illegal. The loss of money is great.
    <strong>2.4 Reverse Engineering</strong>
    By the term "reverse engineering" we mean that a program is disassembled and the individual then tries to understand how the program works, using many methods. This is the least common threat, but it can harm you more than the others: if someone understands how your program works, he can make a clone of your program and release it under another name and/or extend its features for a lower price than yours.
<strong>3. Protecting Yourself</strong>
    <strong>3.1 Tips on passwords/serial keys</strong>
    If you want to secure your application using a password or a serial key, you have to consider these points:
    • A key should consist of few (or no) constant characters and use as many different characters as it can. For example, a serial key 16 characters long, where each character can be A-Z, a-z, 0-9, !, @, # etc. (in this example 100 different characters) and which has no constant character (its format is this ---), has 100<sup>16</sup> combinations. Assume that a brute forcing program is able to try 1.000.000 keys/sec and there are 10.000.000.000.000.000 keys. He will need approximately 317 years to try every combination. Even if the person is extremely lucky and needs 1/100th of this time to find a valid key, it is still 3,17 years, too much time for 1 program.
    • Avoid key generators as much as you can. Keys usually come from a function f(x). If the person who tries to hack your program understands that a function produces the keys, or finds that function, he will probably be able to construct a key generator for himself. So in my opinion it is better to randomly generate keys for each version, store them in a safe place and give them to clients, in the CD case for example, rather than waiting for registration from the user.
    • Finally, do include support for old keys in any next version of your program, but change your code each time you publish a new version. This will slow down the people who are trying to exploit your program for their own profit.
    Here are some of the many ideas I have had over the years I have been learning programming:
    • Create a check system like PIN identification on a cell phone. After some invalid keys, lock the program and require an unlock code.
    • Obtain the key through a secure (SSL) connection from your company's server. This is expensive and painful but also very secure.
    • Besides the key, also require validation over the net or by phone (like Microsoft(r) Windows(r) etc.)
    • Perplex your code to make a hacker's life more difficult
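The tips above (random keys instead of a key function, a large key space, and a PIN-style lockout) combined in one sketch. This is an added example, not code from the original article; the alphabet, key length, failure threshold and the `KeyGate` name are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: 32 symbols with look-alikes (0/O, 1/I) left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KEY_LEN = 20          # random characters per key, no constant part (assumed)
MAX_FAILURES = 5      # assumed lockout threshold, like a phone PIN

def new_key():
    """Random key from the OS CSPRNG: there is no f(x) to reverse."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))
    return "-".join(raw[i:i + 5] for i in range(0, KEY_LEN, 5))

def fingerprint(key):
    """Hash of the normalized key; the checker stores only these."""
    normalized = key.replace("-", "").upper()
    return hashlib.sha256(normalized.encode()).hexdigest()

def years_to_exhaust(alphabet_size, length, guesses_per_sec):
    """Worst-case time to try every key of the given shape."""
    return alphabet_size ** length / guesses_per_sec / (365 * 24 * 3600)

class KeyGate:
    """Key check that locks after MAX_FAILURES bad keys until unlocked."""

    def __init__(self, issued_keys, unlock_code):
        self._valid = {fingerprint(k) for k in issued_keys}
        self._unlock_code = unlock_code
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def check(self, candidate):
        if self.locked:
            return "locked"          # refuse even a correct key while locked
        if fingerprint(candidate) in self._valid:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.locked else "invalid"

    def unlock(self, code):
        # Constant-time comparison of the unlock code.
        ok = hmac.compare_digest(code.encode(), self._unlock_code.encode())
        if ok:
            self.failures = 0
        return ok

if __name__ == "__main__":
    keys = [new_key() for _ in range(3)]   # constructed sample batch
    gate = KeyGate(keys, unlock_code="UNLOCK-EXAMPLE")
    print(keys[0], gate.check(keys[0]))
    # 10^16 keys at 1,000,000 keys/sec: about 317 years.
    print(round(years_to_exhaust(10, 16, 1_000_000)))
    # 100 symbols over 16 positions is 10^32 keys, far beyond that.
    print(f"{years_to_exhaust(100, 16, 1_000_000):.3g}")
```

A lockout that runs inside the shipped program can be patched out like any other check, so it is strongest when the counter lives on the vendor's server.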
    <strong>3.2 Internet Verification</strong>
    Possibly the most difficult security type to implement, and the most secure I know. Implement SSL features in your program and on your server, and require each user to activate his legal copy through the internet. This needs some checking, such as an activation key provided by you, and also a check of the integrity of the executable file (usually with the CRC method). It also requires a server application that can handle connections and authorize legal copies to run.
    The easiest way to do this is:
  • Give an activation key along with the CD
  • Give instructions to the user (possibly via the program's manual) on how to activate the program
  • When the program connects to the server, check in a database whether the activation key is legal (i.e. provided by you)
  • Check the executable's integrity (alterations made by other persons)
  • If all is correct, enable the program and close the connection
There are applications out there which, when the computer is connected to the internet, contact their server and ask for permission to run. This is good, but I have no knowledge of its legality (users can accuse you of collecting various details about them, i.e. their identity).
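The activation steps listed above, seen from the server side, as an added example that is not part of the original article. It assumes an SQLite table, SHA-256 in place of the CRC the article mentions, and a hypothetical `install_id` that ties a key to one installation; the SSL transport is left out.

```python
import hashlib
import hmac
import sqlite3

def digest(data):
    """SHA-256 hex digest (used here instead of CRC, which is easy to forge)."""
    return hashlib.sha256(data).hexdigest()

def key_hash(key):
    # Only hashes are stored, so a leaked table holds no usable keys.
    return digest(key.replace("-", "").upper().encode())

# Constructed stand-in for the shipped executable and its published digest.
SAMPLE_EXE = b"MZ constructed sample program image v1.0"
RELEASE_DIGEST = digest(SAMPLE_EXE)

def make_db(issued_keys):
    """In-memory licence table; install_id is NULL until first activation."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE licences (key_hash TEXT PRIMARY KEY, install_id TEXT)")
    db.executemany("INSERT INTO licences (key_hash) VALUES (?)",
                   [(key_hash(k),) for k in issued_keys])
    return db

def activate(db, activation_key, exe_digest, install_id):
    """Server-side decision for one activation request."""
    row = db.execute("SELECT install_id FROM licences WHERE key_hash = ?",
                     (key_hash(activation_key),)).fetchone()
    if row is None:
        return "unknown-key"                  # key was never issued by us
    if not hmac.compare_digest(exe_digest.encode(), RELEASE_DIGEST.encode()):
        return "modified-executable"          # integrity check failed
    if row[0] is not None and row[0] != install_id:
        return "key-already-activated"        # key shared with another install
    db.execute("UPDATE licences SET install_id = ? WHERE key_hash = ?",
               (install_id, key_hash(activation_key)))
    db.commit()
    return "activated"                        # all correct: enable the program

if __name__ == "__main__":
    db = make_db(["ABCDE-FGHJK-LMNPQ"])       # constructed activation key
    print(activate(db, "ABCDE-FGHJK-LMNPQ", RELEASE_DIGEST, "install-1"))
    print(activate(db, "ABCDE-FGHJK-LMNPQ", RELEASE_DIGEST, "install-2"))
    print(activate(db, "ABCDE-FGHJK-LMNPQ", digest(b"patched"), "install-1"))
```

The digest is reported by the client, so a patched client can send the expected value; the check catches altered files, not someone who has already modified the executable's own logic.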


<strong>3.3 Using External/Encrypted Files</strong>

Some programs give their users an encrypted data file containing the serial key (sometimes with 1024-bit encryption), which is needed to run the application. This is not so good because:
  • An encrypted file can be transferred through the internet to many users and allow all of them to run the program
  • Generally ALL types of encryption can be broken
  • External files can be modified in any way, so a user may be unable to run his/her legal copy after, for example, an unsafe shutdown of his/her computer.
<strong>3.4 Perplex Your Code</strong>
If you are an assembly guru, you can perplex your code to make the work of a potential hacker harder. There are many ways you can make your program more secure, but out there are people who CAN harm both your program's security and your pocket.
<strong>4. In Depth</strong>
    <strong>4.1 The Art Of Serial Keys</strong>
    As you have noticed, many programs use serial keys during installation to verify that you have a legal copy and may proceed with installing the program on your machine. There are many sites out there that provide serial keys for these programs so that an illegal copy can be run. This is based on reverse engineering. If you have a function [f(x)] which generates valid keys, the potential hacker will try to see how this function works and replicate it in a program, to create his own key generator. If instead you have randomly generated keys, the hacker can collect as many keys as he can and then create a pseudo-key-generator which will have all the legal keys. This application will then be spread through the internet on various "security" sites, and the simple user can download and run it to have a valid key for an illegal copy. Some possible ways of interrupting this are:
  • If you are selling your applications through a web site (electronic store), you can use a server scripting language and a database (like php & mysql) to collect information about the user who bought the program (name, surname, country, etc.), store it in your database and then provide him with a serial key. Along with this you have to publish a privacy notice (that the user's identity will not be sold or given to anyone, blah, blah, blah). With this method you can see who has bought your program and have a list of all your clients. Extending this, a user who wants to update his/her program has to visit the page and enter his identity and serial key, and then he/she can download the update. This guarantees security (at about 90%, because the program can be hacked but it can't be updated), and gives you a statistical view of your clients, so that more features can be implemented in your program depending on their country (language packs or other needs) etc.
  • If you aren't too lazy to program it, ensure that your program can run with a serial key from a lower version, and make a new list of serial keys for each version. This must be done in such a way that a user who updated his program does not have to get another serial key, while a new installation has to be activated (when running for the first time) with a valid serial key of the present version.
  • Use large keys to avoid brute forcing. The general pattern of all keys is this: (total number of characters)<sup>length of key</sup>. For example, if there are 200 potential characters for each position of the key and the length of the key is 32 characters, then the potential hacker has to try approximately 200<sup>32</sup> combinations, which is 4,294967296*10<sup>73</sup> combinations (wow!!!). Although brute forcing is used by only a few people (due to speed, programming effort and the time consumed), ensure that you are secured against it.
  • If you want to derive your serial keys from a function [f(x)], ensure that the function can be reversed only with great difficulty, because the program has to run the reverse of the function which created the key. Use of large numbers and an extremely complex function is recommended, so the potential hacker will need more time to reverse it.
<strong>4.2 Internet/Phone Activation</strong>

In the latest versions of Windows(r), Microsoft(r) introduced activation. After the serial key is entered in setup, the operating system (and the Office(r) suite) needs activation to run. Microsoft(r) gives the user 30 days to activate his legal copy of Windows and then use it normally. I dug inside the Windows registry and found that there is one value that tracks how much time is left for Windows' activation. By altering this value you can avoid activation (or even put a negative value in it). I will not get into details, but in my opinion this is not the safest way to check the activation of an operating system which owns 90% of the global market.

Anyway, I will leave Windows behind, hoping that in a next version Microsoft's programmers will think of something more secure, and get into activation itself. The user's application must be connected to the internet and negotiate with a server program we run at our headquarters: it sends, for example, the serial key and gets back the activation key. This can change the executable file, or any other file, or the Windows registry. In case the user has no internet connection, he can call our headquarters, supply the serial key and any other thing needed, and then get the activation key. Although this method is very good for identification, it does not provide good security, because people who have the knowledge can crack the executable file, or take any other activated file, and give it to the public.

Windows XP Service Pack 2 needs a valid key for its installation (thank god they increased their security). When surfing the net some days ago I saw a banner saying "Windows XP SP2 Activator". I was curious to see what it was, so I clicked it, and then I saw that they provided information on how to install Windows XP SP2 on a pirate copy. This is just an example of the lack of security provided by activation methods.
<strong>4.3 Encrypted Files/Keys in Files etc.</strong>
Some applications come with a license.dat file or something similar. If that file is not found or is not correct (invalid), they refuse to run. This is security based on files (most of them encrypted), which provides security for users who have no internet connection and thus cannot find a valid license file for their legal (or illegal) copy. Most of the time this personalizes the application, because such files include your identity (name etc.) and serial key.

A great example of this kind of security is Alias|Front Maya(tm), a program which is able to create 3D environments or objects for games, etc. Maya(tm) requires a license.dat file to run, a file which can be downloaded from the internet at any time. In fact, a potential hacker has either to find one such file and put it on the internet, or to try to create one if he has broken the code behind the application.

Another type of security belonging to this section is encrypted keys. Some time ago I bought a program which encrypted its keys with a 1024-bit encryption algorithm (therefore there were few patches and keys for this application). Although this method provides security against potential hackers, if there is one valid file somewhere on the internet, anyone can download it and run the program.
<strong>4.4 CD protection</strong>
This kind of protection is generally used by games which need a legal copy of the game's disc to run. Here is an overview of the most used copy protections:
  • SafeDisc and SafeDisc 2 © by Macrovision Corp
  • Securom © by Sony Corporation
  • Laserlock © by MLS Laserlock, Inc
  • Lockblocks © by Dinamic Mm
  • Starforce © by Protection Technology Co.
  • CD-Cops © by Link Data Security and Spinner Software
  • ProtectCD © VOB
Although all of these protections can be beaten (you have probably seen pages which supply cracks to beat CD protection), consider them if you are going to sell a game of yours. A CD copy protection will make your protection stronger when combined with a serial key or any other type of protection.


<strong>4.5 The Reverse Engineering Part</strong>
    <strong>4.5.1 What is this?</strong>
    Reverse engineering refers to the actions taken to explain or see how a system works. In hardware systems, a microprocessor for example, the person who applies reverse engineering wants to know exactly how it works and to remake it in such a way that it works (as originally or modified). In software, a person who applies reverse engineering wants to see which algorithm is behind the infinite zeros and ones of the binary code. Through the use of special programs called disassemblers, they turn the binary code into assembly language and try to beat any kind of encryption, or just see how it works. It is not so simple, but try to imagine yourself wanting to know how a clock works (you will take it apart to see exactly how it works, won't you?).
    <strong>4.5.2 What can it do?</strong>
    People who have great experience and knowledge of assembly language can do many things. For example, they can beat your protections and release a "crack" application, which will probably be distributed through the Internet so that anyone can have an illegal copy of your program. The "crack" can be either an application which patches your executable, or a modified executable which replaces your original executable. Reverse engineering can also be used to examine how a program works and why it works; the person who applies it can write down in detail how and why your program does what it does, and then release a program similar to yours, with more or fewer features and at a lower cost, to compete with your product. (Don't say that I watch too many science fiction films; this technique was performed (and still is?) by companies which have a very great name.)
    <strong>4.5.3 Ways of Protecting</strong>
    Only a few people can perform real reverse engineering (and I'm not referring to some l@m3r5 who have cracked some protections using tutorials, I'm only referring to real assembly gurus), and most of the time they will not try to do anything with your program (and if they do, you are doomed, believe me). Now, if you want to be protected against l@m3r5 who have cracked two or three programs by using tutorials found on the net and have no real knowledge, just perplex your code a little (it is always helpful to have someone with good assembly knowledge on your team) to make their life harder. Perplexing the code (most of the time) requires modifications either to the compiled executable file or (if programming in C, for example) linking complex assembly code into your code when the executable is linked. As I said, if anyone who has great assembly knowledge is going to reverse-engineer your program, there is no protection (as far as I have seen).
    <strong>4.5.4 Legal things</strong>
    Just as copying, lending etc. is illegal (this must be stated in the license between you and your client), so reverse engineering is illegal. You have probably seen programs saying (in their splash screens, about boxes or setup) that: "Copying, hiring, lending, reselling, reverse-engineering, etc, without proper authorization is illegal and will be prosecuted to the maximal law extends." This gives the author permission to prosecute people who violate copyrights or harm the program in any other way (and thus harm the author). If you want to learn more, contact a lawyer to see how you can protect yourself against those actions.
<strong>Appendix</strong>
    <strong>A. Cracks & Patches</strong>
    The term "patch" refers to an application that alters other applications (for example, patching a game will update it to a more recent version). The term "crack" refers to a modified program, some parts of which were altered to allow it to run as a pirate or illegal copy. Patches and cracks do the same job when they are used to "break" the protections made by the program's author.
    <strong>B. Pirate Ways Of Distribution</strong>
    If you want to be sure that there is no pirate version of your program, you have to check "security" sites, usenet and irc networks. These are the most used ways of distributing pirate stuff (known as Warez), along with electronic catalogues of programs like NForce.
    <strong>C. "Security" Sites</strong>
    There is a great number of sites on the internet that provide cracks and patches for applications, stating that "Those are provided in case the legal owner of the program want to make a backup for himself...". Most of us have lost CDs with legal programs to scratches, so it is a good thought. On the other side, people who have pirate versions can download those cracks and patches to run illegal copies.
    <strong>D. Ready to Implement Protections</strong>
    If you don't want to code your own protection (because there is no budget, or you are too lazy), you can license protections and implement them in your program. This is generally done with CD copy protections, but there are others too. Examine what costs you more and what provides you more security: your way of protection or another company's way of protection.
    <strong>E. Links</strong>
    • Cyberarmy University Knowledge Bank provides a great number of tutorials in security and other fields which can help you dive deeper into security issues.
    • NewOrder provides a great many tutorials on many aspects, and also some hack guides for known applications. Check them, find their mistakes and do not repeat them in your application.
    • Astalavista is one of the older "security" sites, with search engines for cracks and patches; check there whether there is a crack for your application (fortunately I haven't found any cracks or patches for my own applications).
    • NForce is a portal which has a great list of all programs which are cracked and distributed on the Internet. If you ever see "My Company, My Software" in there (replace my company and my software with your company's name and program's name), know that there is a pirate version out there.
    A FRIENDLY ADVICE: There are numerous sites which provide information and cracks for pirate programs. If you see something there, begin creating a new version of your program. This will help both you and your users. Always follow the law; if you don't have permission to get into somewhere, DO NOT GO. Sometimes you will try to prosecute someone for making pirate copies of your program and he will prosecute you because you didn't have the right to enter his site, etc.
<strong>Conclusion</strong>
Piracy is harmful both to developers and to users. Users do not want to pay 600€ or 1000€ for programs, and instead pay 10€ to get an illegal copy. Companies who need your programs and have to pay for them will increase their own products' costs, because they need more money to get the things they need. In the end we have a circle that cannot be stopped, and the only ones who earn are the pirates. So you have 2 choices as a developer: either you increase the value of your product, or you protect your products more.


<hr>
Written by <strong>crtw</strong> (27 March 2005)

<strong>crtw</strong> is a Member of <strong>Class Delivery</strong> (Brigade #101, http://www.cyberarmy.net/brigades/101.html)
Edited by purefreak



This article was imported from the CyberArmy University site. (original author: crtw)

