> I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number?
Seems like it was an appropriate amount of engineering. Looks like this took between an afternoon and a week with the help of an emulator and decompiler. Imagine trying to do this back then without those tools.
The tool of choice back then was SoftICE and it would have been trivial to trap even bios level LPT access.
More to the point the guy didn't even open the dongle, which in all likelihood was a simple set of logic gates in this case.
I'm assuming he did have a careful look at the caller to the function because his reasoning that the communicating function took no inputs is faulty.
What if the hardware has a LFSR in it and returns changing responses, and the caller can check them with a verify function else where that maintains a state and knows to expect the next in the sequence?
We have far better tools today for sure, but we understood the system better back then. The right tool is sometimes better than a sharper tool as they say.
Edit : I should add I'm aware it's very likely the actual reversing involved more steps and checks than Dimitrys blog which is narrowed to what worked.
Many a crack back in the day was even more simple still, we'd just find and alter the right JE or JNE into a JMP and we're off to the races. As the author found, the tough part is just finding and interpreting where and how the protection was implemented. If throwing the exe in a hex editor gave you access to String Data References (not always the case, but more common than not) then you'd just fail the check you were trying to skip, find that string, hop over into assembly to see what triggered loading that, and then just alter the logic to jump over it when the time comes.
> Many a crack back in the day was even more simple still, we'd just find and alter the right JE or JNE into a JMP and we're off to the races.
I did that with dBASE III, which used ProLok "laser protection" from Vault Corporation - a signature burned onto the diskette with a laser. Back then, I found it amazing that Ashton-Tate actually spent money to contract with a copy protection company for something that could be so easily defeated by a teenager reading assembler.
They could have easily just written the same kind of code themselves. An example of the power of marketing over substance.
I was able to replicate that protection mechanism just by scratching a diskette with a pin. The "laser" was a meaninglessly advanced-sounding solution that added no value compared to any other means of damaging a diskette.
There's a lot of things going on that lead to this.
One, the developers spend more time running this code than we do, and they have to get the program working before we can even use it. So any parts of the program that are hostile to the developers risks killing the entire project. Obfuscating the copy protection can hit a point where it makes bug fixing difficult.
Two, lack of training. If you, me, and Steve each have a bag of tricks we all use to crack games, whichever one of us figures it out gets bragging rights but the game remains cracked. Meanwhile Developer Dan has to be aware of all the tricks in all of our bags together if he wants to keep the three of us out. Only there's not three of us, there's 300. Or today, probably more like 30,000.
Three, lack of motivation, which is itself several different situations. There's a certain amount of passive aggression you can put into a feature you don't even really want to work on. You can lean into any of the other explanations to defend why your code didn't protect from cracking all that much, but it's a checkbox that's trying to prove a negative, and nobody is going to give you any credit for getting it to work right in the same way they give you credit for fixing that corner glitch that the QA people keep bitching about. Or getting that particle animation to work that makes the AOE spells look badass.
I remember I had some demo software that could be enabled with a code. I was just curious and at the code prompt, I entered the debugger. I dumped the process space and there was a nul-terminated string of letters and numbers. I restarted the process and entered them at the prompt and voila, it was enabled.
Many years ago I was a technician supporting a few custom programs on thousands of PCs. The developer of one of these programs had added a date check to his code so the program would refuse to run after a set date and each new release would increase this date by a few months so it would stop working after a few weeks if he ever stopped creating new releases. His contract ended and a few weeks later his software, now relied upon by hundreds of sites, stopped working. The contract for the software development was thoroughly checked and legal action against the developer was started but I asked to see if I could resolve the problem in the meantime.
It only took ten minutes with a dissassembler to find the JGT (Jump if greater than) and convert it to a JLT so the software would stop running if the date was before a certain date rather than after. I created a patching tool that simply flipped one bit that was sent out to all the sites and everything was good again. I don't think I'll ever beat the elegance of a single bit flip hack.
I remember an icon editor (or something similar) for Windows 3.1, it was a shareware where you could enter a code to remove the nag screen. No crack was necessary, I basically managed to enter valid registration codes by just typing random numbers. In the end I had enough valid numbers that I could figure out the logic, it was something about the sums of digit groups.
This was true for the 10-digit CD keys Microsoft used for many products in the 90s: the first three digits could be almost anything, and the last seven digits had to sum to a multiple of 7, so, e.g., 111-1111111 was a valid product key (for any product that used the scheme).
A certain automation system vendor uses proper USB license dongles in their PC software but they do not do challenge-response authentication. Instead they send a hardcoded string to the dongle and compare the response against a list that contains various software feature levels.
The whole automation system including machinery costs anywhere from 200k to 1M yet Vendor™ tries to milk the customers dry with a 1.5k software license that lets you manage up to 254 physically* connected systems. I'm pretty sure the license dongle is in reality designed to prevent casual tinkering of parameters, which is something only service techs should do.
*You can circumvent this with serial-over-Ethernet converters, which has resulted in an Industrial Internet of Shit-level security nightmare as companies happily expose their systems over the internet, thinking that license dongles are a substitute for authentication.
Another method (much more common for software that asks for two pieces of information, like a name and a key) is to take a memdump of the process at the "your key is invalid" dialog, find the invalid key you just typed, and hope that a valid key is somewhere nearby in memory. Unlike the assembly trick, this requires 0 programming expertise beyond the ability to type `strings` on the command line.
This works because some programs use a hashing algorithm to calculate the key based on the name, do a strcmp, and pop a messagebox if the keys don't match, without zeroizing the valid key buffer first. If the key buffers are on the stack (or if the two mallocs just happen to use the same region in memory), it is often easy to find a valid key if you know where the invalid one is.
I guess software that derives keys this way is far less common than it once was, but I know of somebody who cracked something using this method just a few years ago, so it still pops up from time to time.
Why wasn't (isn't) this more widely used? It was clearly more effective than a cdkey.
I know there is cost associated with the hardware, but surely the costumer can cough 15 more dollars.
The only reason I can think of is wanting as wide adoption before max revenue as possible. But then, this has never been too popular, not even for games!
Very cool to read an article about windows 95 still being used in production - a nice contrast to the infinite AI hype cycle over everything.
Tech may move fast in flashy areas but not in the more "boring" parts of the industry.
>Very importantly, there doesn’t seem to be any “input” into this routine. It doesn’t pop anything from the stack, nor does it care about any register values passed into it. Which can only mean that the result of this routine is completely constant!
This is not necessarily a fair assumption (though it worked this time). It could be some sort of a rolling code, where the reply is not constant but changes, and remains verifiable. Example: garge door openers have no input from the garage, but the sent signal differs every button click, and the garage can verify its correctness
i did not say replay was impossible. i said the statement in the article was overly broad, which it is. If it said "a single result could be hard-coded", it would be fine. but it said the function is constant, which it need not be.
But even that need not be true. here is how you could design that dongle to require no persistent state on RX and still not allow simple replay.
The company i work at has the same problem. We have some old mission-critical windows 2000 pc that runs the rpg compiler, with attached dongle. This gave me some clues on where to start - thanks author!
Back when I was a kid in the 80's. I cracked one of the Ultima games. I had it on my hard drive and didn't want to stick a floppy in every time I ran it.
The code decrypted itself, which confused debuggers, and then loaded a special sector from disk. It was a small sector buried in the payload of a larger sector, so the track was too big to copy with standard tools. The data in the sector was just the start address of the program. My fix was to change executable header to point to the correct start address.
my story of this is Atari Macro Assembler. The floppy had a specific sector that was damaged, and the loader would test this sector to ensure it was in fact damaged. this was obvious becuase whenever loading the floppy, you had to wait for one of those big "BZZT....BZZT" things where the 810 drive was trying to access a bad sector and giving up. I was able to disassemble maybe the first 30 bytes of the boot to see it checking this and doing the jmp. I just overwrote it with a single jmp and got not just a copy but much faster loading without the BZZTBZZT part.
I've heard that Happy Drive singlehandedly destroyed the commercial viability of the Atari 8-bit software market, because it was so widespread and is so powerful at duplicating games.
Yes, a neat follow-up would be to clone the copy protection device with a cheap microcontroller. A lot of these devices were filled with epoxy, but it would be funny to find out these were all just 1Kbit EEPROMs. Such an article could give some background on parallel port communication, EEPROMs, and how regular printer data was passed through.
This takes me back. There exist emulators for these dongles as well, you run the a dumper with the dongle attached and load the program and it makes a dump file which you then use in the emulator.
I had to do this for a company so they could continue to use their old specialised Win98 software on modern computers using Dosbox and an emulator.
I write civil engineering software [0] and am familiar with this kind of dongle. Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand.
Since we sold (and still sell) perpetual licenses, it becomes a problem when a dongle breaks and replacement parts are no longer available. Not all users want to upgrade. Also, you may hate cloud licensing, but it is precisely cloud licensing that makes subscriptions possible and, therefore, recurring revenue—which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade.
Also, despite investing a lot of effort into programming the dongle, we can still usually find cracked versions floating online, even on legitimate platforms like Shopee or Lazada. You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected. It’s not as if we have the legal resources to pursue pirates.
> which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade
This take is diametrically opposite to what end users need. In a world where "if it ain't broke, don't fix it" is perfectly fine for the end user, buying a one off license for a software seems much more sane then SaaS. SaaS is like a plague for end users.
I don't condone piracy, but I also don't condone SaaS.
> from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade.
Why should users upgrade or keep paying you when they already bought what they need and don't need anything else?
> Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand.
In my experience this continues to this day due to people who require drawing on air-gapped computers, because the drawings/simulations they work on are highly sensitive (nuclear, military, and other sensitive infrastructure).
But I'm sure there are also old-fashioned people who like the portability/sovereignty of not having to rely on a third-party license server as you suggest.
My dad used to use this kind of dongle for a civil engineering program called 'Cosmos'. Just wild to see it, it was so annoying to because sometimes it would simply not be detected on our 80386.
> You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected.
I understand you might feel this way, but it seems to me customers are mostly business clients, who would are more inclined to spare the expense of purchasing said licenses, since they're not personally buying it themselves, and would want to have support and liability (i.e: Someone to hold liable for problems in said software.). In fact, having no copy protection would probably have saved you the problem you mentioned where a dongle breaks and replacement parts are no longer available; this is one of the talking points that anti-drm/copy protection people advocate for, software lost to time and unable to be archived when the entities who made such protections go out of business or no longer want to support older software.
> even on legitimate platforms like Shopee or Lazada.
On a slight tangent, but I personally don't find either platform legitimate (Better than say, wish[.]com or temu, but not as "legitimate" as other platforms, though I can't think of a single fully legitimate e-commerce platform). Shopee collects a ton of tracking information (Just turn on your adblocked, or inspect your network calls. It's even more than Amazon!), is full of intrusive ads, sketchy deals, and scammers. You yourself said you can easily find cracked versions of the dongle there, which doesn't speak well for the platform. And Lazada is owned by Alibaba Group, which speaks for itself. I'm not sure why consumers in South East Asian regions aren't more outspoken about this, since they seem to be the some of the more popular e-commerce platforms there.
The problem seems the sales model rather than the dongle:
1) a hardware and software solution implies that hardware will stop working at some point. Customers should understand it
2) you could sell them a new dongle every time support contract ends which is what I’ve experienced with Xways as an example. Even if you’re air gapped once a year usage data upload and new dongle seems fine.
3) why should users receive free upgrades and bug fixes? No software is bug free.
Finally there are several brand protection shops that fight fakes and work well with Shopee, Lazada, Facebook etc. It’s not five dollars but they will take these down effectively
With the low cost & power of modern microcontrollers, instead of having the dongle act purely for licensing purposes you could offload some of your "secret sauce" to it (I assume your software does a lot of calculations with some hardcoded, industry-specific constants). This makes it somewhat crack-proof because cracking it would involve replicating your secret sauce - at which point they may as well just make and sell their own software instead of distributing cracks.
I use one engineering app that has a "soft" license. It has a lot of failure modes, all of which are essentially administrative not technological. A fair number of departments have to work together: IT, purchasing, and accounts payable (in case the company is on credit hold for non-payment of a previous license renewal) across multiple corporate divisions. It can eat up a few days of my life, and sometimes I lose access to the software for a few days.
The IT department restructures the license server or it goes down.
The vendor changes their license technology every few years.
If you have a physical dongle, the vendor will beg you to send it in and receive a soft license. The few remaining users with dongles refuse. The hardware is more reliable.
> I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number? Defeatable with a four-byte patch?
Nowadays we don't bother with copyright protection other than a license key, because we know enterprises generally will pay their bills if you put up any indication at all that a bill is required to be paid.
I mean, we used to turn single-sided 5 1/4" disks for the C64 into double-sided disks through the use of cutting-edge technology. Literally. I was fancy and got a $5 hole punch built for the job, but scissors worked too. Fast Hack'em may still be my favorite piece of software ever.
Is defeating a 40-year-old copy protection mechanism still illegal under Section 1201 of the DMCA, or have they changed the law to make an exception for "very old" software?
So what hardware would be inside the dongle? Would a small PAL be enough? 22V10? Maybe use a few registers to delay the values written by a few cycles, mixing in some decode logic? (Something cheaper than a microcontroller, I'm guessing... due to cost)
I think I remember hacking some of the copy-protection out of a version of Tetris using the Borland debugger. I definitely patched mouse support into a Chris Crawford "Battle of the Bulge" game using it (for my rather tricky platform). That was a good debugger, and probably the last one I have used much - prefer logging/printing for stuff I write myself.
I remember my Dragon 32 (6809, Color Computer clone) had a dongle you plugged into the joystick port to protect a really crap game - Jumping Knights? I never tried to defeat it.
>The only evidence for the existence of this company is this record of them exhibiting their wares at SIGGRAPH conferences in the early 1990s, as well as several patents issued to them, relating to software protection.
There is also their webpage for ordering PC RPG II. The company address is a residential house.
Yeah, Software protection was very naive in the beginning. Fun fact: I owned a windows 3.11 for workgroup UPGRADE disc collection, it was clearly explained and also enforced from the setup installer. So, no previous installed win 3.0 == upgrade installer will fail. The fix: just create an empty Textfile named win.com at any place - the installer simple scans the WHOLE disk just for this existing filename. Next fun fact: in reality, the Upgrade contained the full installation, no only a delta. Men, software was so simple these days....
I designed a security dongle a long time ago ... Used properly, it did rotations and XORs like a CRC. You could definitely make it hard to defeat but it was still ultimately deterministic.
100 comments
[ 3.4 ms ] story [ 82.8 ms ] threadSeems like it was an appropriate amount of engineering. Looks like this took between an afternoon and a week with the help of an emulator and decompiler. Imagine trying to do this back then without those tools.
More to the point the guy didn't even open the dongle, which in all likelihood was a simple set of logic gates in this case.
I'm assuming he did have a careful look at the caller to the function because his reasoning that the communicating function took no inputs is faulty.
What if the hardware has a LFSR in it and returns changing responses, and the caller can check them with a verify function else where that maintains a state and knows to expect the next in the sequence?
We have far better tools today for sure, but we understood the system better back then. The right tool is sometimes better than a sharper tool as they say.
Edit : I should add I'm aware it's very likely the actual reversing involved more steps and checks than Dimitrys blog which is narrowed to what worked.
I did that with dBASE III, which used ProLok "laser protection" from Vault Corporation - a signature burned onto the diskette with a laser. Back then, I found it amazing that Ashton-Tate actually spent money to contract with a copy protection company for something that could be so easily defeated by a teenager reading assembler.
They could have easily just written the same kind of code themselves. An example of the power of marketing over substance.
I was able to replicate that protection mechanism just by scratching a diskette with a pin. The "laser" was a meaninglessly advanced-sounding solution that added no value compared to any other means of damaging a diskette.
One, the developers spend more time running this code than we do, and they have to get the program working before we can even use it. So any parts of the program that are hostile to the developers risks killing the entire project. Obfuscating the copy protection can hit a point where it makes bug fixing difficult.
Two, lack of training. If you, me, and Steve each have a bag of tricks we all use to crack games, whichever one of us figures it out gets bragging rights but the game remains cracked. Meanwhile Developer Dan has to be aware of all the tricks in all of our bags together if he wants to keep the three of us out. Only there's not three of us, there's 300. Or today, probably more like 30,000.
Three, lack of motivation, which is itself several different situations. There's a certain amount of passive aggression you can put into a feature you don't even really want to work on. You can lean into any of the other explanations to defend why your code didn't protect from cracking all that much, but it's a checkbox that's trying to prove a negative, and nobody is going to give you any credit for getting it to work right in the same way they give you credit for fixing that corner glitch that the QA people keep bitching about. Or getting that particle animation to work that makes the AOE spells look badass.
(I did go on to pay for the software)
It only took ten minutes with a dissassembler to find the JGT (Jump if greater than) and convert it to a JLT so the software would stop running if the date was before a certain date rather than after. I created a patching tool that simply flipped one bit that was sent out to all the sites and everything was good again. I don't think I'll ever beat the elegance of a single bit flip hack.
The whole automation system including machinery costs anywhere from 200k to 1M yet Vendor™ tries to milk the customers dry with a 1.5k software license that lets you manage up to 254 physically* connected systems. I'm pretty sure the license dongle is in reality designed to prevent casual tinkering of parameters, which is something only service techs should do.
*You can circumvent this with serial-over-Ethernet converters, which has resulted in an Industrial Internet of Shit-level security nightmare as companies happily expose their systems over the internet, thinking that license dongles are a substitute for authentication.
This works because some programs use a hashing algorithm to calculate the key based on the name, do a strcmp, and pop a messagebox if the keys don't match, without zeroizing the valid key buffer first. If the key buffers are on the stack (or if the two mallocs just happen to use the same region in memory), it is often easy to find a valid key if you know where the invalid one is.
I guess software that derives keys this way is far less common than it once was, but I know of somebody who cracked something using this method just a few years ago, so it still pops up from time to time.
I know there is cost associated with the hardware, but surely the costumer can cough 15 more dollars.
The only reason I can think of is wanting as wide adoption before max revenue as possible. But then, this has never been too popular, not even for games!
I remember hearing a courier died overnighting a CAD dongle.
But even that need not be true. here is how you could design that dongle to require no persistent state on RX and still not allow simple replay.
TX code:
RX code: static u16 prevSeenCodes[16]; static u8 idx = 0; now you need to replay at least a sequence of 16 codesthat array is in ram and need not persist across program runs. dongle can be powered off or can be left on. all will work
The code decrypted itself, which confused debuggers, and then loaded a special sector from disk. It was a small sector buried in the payload of a larger sector, so the track was too big to copy with standard tools. The data in the sector was just the start address of the program. My fix was to change executable header to point to the correct start address.
I had to do this for a company so they could continue to use their old specialised Win98 software on modern computers using Dosbox and an emulator.
Since we sold (and still sell) perpetual licenses, it becomes a problem when a dongle breaks and replacement parts are no longer available. Not all users want to upgrade. Also, you may hate cloud licensing, but it is precisely cloud licensing that makes subscriptions possible and, therefore, recurring revenue—which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade.
Also, despite investing a lot of effort into programming the dongle, we can still usually find cracked versions floating online, even on legitimate platforms like Shopee or Lazada. You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected. It’s not as if we have the legal resources to pursue pirates.
[0]: https://mes100.com
This take is diametrically opposite to what end users need. In a world where "if it ain't broke, don't fix it" is perfectly fine for the end user, buying a one off license for a software seems much more sane then SaaS. SaaS is like a plague for end users.
I don't condone piracy, but I also don't condone SaaS.
Why should users upgrade or keep paying you when they already bought what they need and don't need anything else?
In my experience this continues to this day due to people who require drawing on air-gapped computers, because the drawings/simulations they work on are highly sensitive (nuclear, military, and other sensitive infrastructure).
But I'm sure there are also old-fashioned people who like the portability/sovereignty of not having to rely on a third-party license server as you suggest.
I understand you might feel this way, but it seems to me customers are mostly business clients, who would are more inclined to spare the expense of purchasing said licenses, since they're not personally buying it themselves, and would want to have support and liability (i.e: Someone to hold liable for problems in said software.). In fact, having no copy protection would probably have saved you the problem you mentioned where a dongle breaks and replacement parts are no longer available; this is one of the talking points that anti-drm/copy protection people advocate for, software lost to time and unable to be archived when the entities who made such protections go out of business or no longer want to support older software.
> even on legitimate platforms like Shopee or Lazada.
On a slight tangent, but I personally don't find either platform legitimate (Better than say, wish[.]com or temu, but not as "legitimate" as other platforms, though I can't think of a single fully legitimate e-commerce platform). Shopee collects a ton of tracking information (Just turn on your adblocked, or inspect your network calls. It's even more than Amazon!), is full of intrusive ads, sketchy deals, and scammers. You yourself said you can easily find cracked versions of the dongle there, which doesn't speak well for the platform. And Lazada is owned by Alibaba Group, which speaks for itself. I'm not sure why consumers in South East Asian regions aren't more outspoken about this, since they seem to be the some of the more popular e-commerce platforms there.
1) a hardware and software solution implies that hardware will stop working at some point. Customers should understand it 2) you could sell them a new dongle every time support contract ends which is what I’ve experienced with Xways as an example. Even if you’re air gapped once a year usage data upload and new dongle seems fine. 3) why should users receive free upgrades and bug fixes? No software is bug free.
Finally there are several brand protection shops that fight fakes and work well with Shopee, Lazada, Facebook etc. It’s not five dollars but they will take these down effectively
Sometimes, there are network interuptions. Then it is the right time to work because youtube isn't available.
The IT department restructures the license server or it goes down.
The vendor changes their license technology every few years.
If you have a physical dongle, the vendor will beg you to send it in and receive a soft license. The few remaining users with dongles refuse. The hardware is more reliable.
Nowadays we don't bother with copyright protection other than a license key, because we know enterprises generally will pay their bills if you put up any indication at all that a bill is required to be paid.
This was basically the 80s version of that.
You have no idea how deep this rabbit hole goes.
Patents are barely better than copyright, as far as society net-positive.
There are more general exemptions, including dongle-based software. <https://en.wikipedia.org/wiki/Video_game_preservation#Legal_...>
I remember my Dragon 32 (6809, Color Computer clone) had a dongle you plugged into the joystick port to protect a really crap game - Jumping Knights? I never tried to defeat it.
There is also their webpage for ordering PC RPG II. The company address is a residential house.
https://web.archive.org/web/20010802153755/http://home.netco...
Not being snarky - genuine question! I am not from the US :-)
No. As of 2003 there is a DMCA exemption for "computer programs protected by dongles that prevent access due to malfunction or damage and which are obsolete". <https://en.wikipedia.org/wiki/Video_game_preservation#Legal_...>