More copy protection...

DSP, Plugin and Host development discussion.

Post

Chaotikmind wrote: Also, I don't know if you ever read Fravia's site; he was clearly a good reverser, and he also did cracks. He probably considered it a good way to learn.
I read all of it. My concepts on copy protection started with his advice.
Chaotikmind wrote: Anyway, I don't get why people are protecting their software knowing it's so easy to defeat 99% of the time. They're losing time that could be used in a more useful way, eventually it creates problems for the end user, and it doesn't prevent cracked versions from being everywhere.
We can trace a 5-digit sum of annual revenue to people who believed that our software had been cracked (mostly leaked serial numbers). I spend 2-3 days a year on refinements based on previous cracks. That is a *very* good ratio between effort and profit.
resynthesis wrote:In EVERY university I've worked at there have been students (both UG and PG) who have been known to crack software.
I suspect in some student culture it's cool to be known as a cracker. Just like on warez forums, cracking is regarded as heroism. But it's really just twiddling bytes based on a very basic understanding of how software works, aided by unimaginably good tools. Like Chaotikmind says, it almost always boils down to exchanging one conditional jump statement for another. As he says, it's easy in 99% of cases.

However, the disappearance of cracker groups is often related to users that became unhappy, e.g. when the "protectionists" reversed their MO and added too high of a challenge to the next update. It's when the obeisance of the masses vanishes that the urge to crack vanishes with it.

Post

For the sake of the topic, let me move away from the discussion of the value of software versus the effort spent to break a lock.

About 10 years ago I started a topic called "Fight Keygens!" here on KVR, and those who went on with "you'll fail" (like a record player on repeat!) have been wrong for many years. There hasn't been a keygen for our stuff since. The effort to make a complete keygen may be beyond anyone's skillset, it's likely to be impossible without physical access to u-he's infrastructure.

So I'd be very careful to say "you'll always be cracked". It's not a law of nature, it's just a fallacy based on observation (It's always been like that so it'll always be like that).

Once keygens are out of the picture, there are two attacks left: Leaked serial numbers and cracks.

We have met leaked serial numbers by seemingly letting them work with our updates. Six years after the leak, it's nearly impossible to find a download with a version of our software which really gets unlocked by those serials. The majority of downloads will work for a while, and then stop. This urges people to either give up the work they spent on their musical project, or shell out the bucks for a legit serial. Our support staff helps people remove the rogue serial and update to the full version quite often. A serial leak might be bad, but it really pays out nicely in the long run, if played right.

Cracks on the other hand are where the most fun is. It's obvious that over the past ten years, crackers have built their new cracks upon the methods of previous cracks. Instead of better places they twiddle the same bytes over and over, and slowly find new locks. Cat and mouse for sure, but with a wide product portfolio and frequent updates... doable! Just add something new that *seems* to work just like previous cracks at first, but then goes bad a bit later on. "Patience my dear, patience", he said.

In the meantime there's a tool that removes many of our locks automatically. Which is bad for the crackers, since it's utterly easy for a protectionist to defeat such a tool once he knows it exists. This can for instance be done by deploying honeypots. The tool seeks data or signal flow patterns in the binary and changes a few jumps automatically, e.g. strips one RSA key for another. However, it's just a stupid batch search & replace. To defeat it, one copies a code section from a previous crack into static memory of an update, and because it's now data instead of code, we can run a runtime check to see if it has been tampered with. While this won't trick IDA, it'll trick their tool, so they have to go back to IDA.

Can you tell I enjoy copy protection as much, maybe even more than they enjoy cracking? Pity I get to spend only 2-3 days a year on it.

Post

Urs wrote: But it's really just twiddling bytes based on a very basic understanding of how software works, aided by unimaginably good tools.
Hm hehe, maybe in the case of your plugins and their copy protection it is just a "basic understanding" for a cracker to crack it.

I think it is at least 4 years by now since I reported to you and to the public here that I had seen a cracked Zebra in a real-life session with absolutely everything working for a long time, like my legal version, and nobody believed me.

Me personally: a few months ago I was involved with testing (can't use names) products from a company which have been "compromised". I have worked with them for years now, and a person asked me if I had the time and resources to check a few things on these cracked plugins. Our motive was to disclose false claims and possibly warn users not to use such things. Mainly virus scans, plugin testing and some bold claims I'll get to later, which we were under the impression were a pure lie.

Products were (and still are) using the latest iLok copy protection, which to my understanding is pretty much the last word today (there are other solutions obviously, but iLok is the most used copy protection in the plugin industry by big names).

Specifically for that purpose I had a clean installation on a notebook, and I downloaded all of their cracked plugins (which I and many people here use).

The cracking group claimed that to run these plugins you don't even have to install the iLok driver, and that these plugins run faster (I truly believed this was a complete lie and bullshit) than their "legal" version. Firstly I compared installers. Well, the cracked installer is about 6x smaller in archive size. I was like WTF? Then I installed it by the instructions from the NFO file. To my shock and amazement the plugin completely worked as expected?! Then I installed other products. Every single plugin worked as expected. Everything. Automation, preset recall, everything. Okay. I then scanned the shit out of the archives and my system and there were zero viruses inside. So then I compared plugin loading time. Man, the cracked version loaded faster.

Most shocking was that these cracked plugins load faster on my notebook than my legal versions which are installed on a 4x stronger desktop computer.

Long story short: it saddens me to see something like that; on the other side I must be honest and admit that I was impressed by the work done. When I asked the developer why he insists on using such an expensive scheme I got (I am providing a simplistic answer) the answer that it's industry standard, and especially among Mac users people are kind of adapted/comfortable with such a scheme and they use it. Plus many other people in the industry use it. Plus there is a layer of "subscription" services in the iLok service portfolio, etc. etc.

EDIT: I also asked him (he is a very experienced developer) whether he even remotely knows how it is possible for this group to offer such a level of cracking. He had no idea.

So to put it back into your perspective: if it was just "twiddling bytes" I would expect that any kiddo can do it, right? But these compromised products come from a single group, not many of them. To my impression it is something developed specifically by them, for them. And it offers them the possibility to completely rip off the copy protection and offer a clean plugin, like the developer himself coded a free plugin. Wow, what the hell.

IMO I think you are doing just a fine job by not wasting time making unbreakable copy protection, and instead serving people with great customer care, top-notch products and everything U-he is well known for.

Plus somehow you survived without iLok. NI survived. Ableton survived. Etc. etc. Sometimes I truly wonder why people insist on using dongles...

Post

I think the iLok guys are utterly incompetent. With that many f**k-ups ("iLokalypses") I'm surprised they're still in business. I guess it's because they're buddies with some guys at Avid, it's the only thing that gives them their market position. It's a protection scheme solely based on paranoia with too many side effects (customer punishment) due to bad implementation.

I agree that iLok is likely to require a huge skillset to defeat, and patience moreso. It is however also a very desirable target due to its market position.

My stance is: If everyone did their own proprietary solution, there would be fewer cracks in total. It would be a win for the industry, hence I see companies that provide anti-piracy measures (and thus benefit from the warez scene) as much as my business enemies as the crackers themselves. I.e. I don't like people who benefit from piracy regardless of which side they're on.

(Addendum: The biggest disadvantage of iLok's position is that, once it's cracked, there's a whole month or two of turmoil in the industry, which costs everyone, not just those who go with iLok.)

You're right, it's absolutely possible to have a cracked Zebra run peacefully forever. Yet, many don't, and that is the key component of our scheme. Or, as someone once wrote, "Can you afford not to be cracked?". I think we're doing just fine, without punishing our customers.

Post

Urs wrote: Cat and mouse for sure, but with a wide product portfolio and frequent updates
Frequent updates, even if tiny, are surely a good idea.
Urs wrote: My stance is: If everyone did their own proprietary solution, there would be fewer cracks in total. It would be a win for the industry, hence I see companies that provide anti-piracy measures (and thus benefit from the warez scene) as much as my business enemies as the crackers themselves
Obviously it would be a better situation, but ONLY if all those different protections are half decent, which I'm not sure is possible because we have too many code monkeys in the industry (in general I mean, I'm not talking only of DSP-related stuff here, where the level is very probably higher on average).
kmonkey wrote: The cracking group claimed that to run these plugins you don't even have to install the iLok driver, and that these plugins run faster (I truly believed this was a complete lie and bullshit) than their "legal" version. Firstly I compared installers. Well, the cracked installer is about 6x smaller in archive size. I was like WTF? Then I installed it by the instructions from the NFO file. To my shock and amazement the plugin completely worked as expected?! Then I installed other products. Every single plugin worked as expected. Everything. Automation, preset recall, everything. Okay. I then scanned the shit out of the archives and my system and there were zero viruses inside. So then I compared plugin loading time. Man, the cracked version loaded faster.
Commercial protections manipulate the executable: once protected, it forces the system to load a single encrypted section which is decrypted in place in memory (I'm simplifying it here, I don't want to write 3 pages about it).
Add to that the high number of anti-debug tricks, self-modifying code sections, nanomites, etc.
It's absolutely normal that the cracked version loads faster (and if the protection is used in the wrong way, it can also slow down the execution).

I'm not surprised either that you didn't find a virus; this is the exception, not the norm.

Post

FabienTDR wrote:
Urs wrote: Oh, and once it's cracked, don't despair. Find out how they did it and add a delayed check that tests the vulnerability. Then release an update with better features (they'll crack it straight away, but the crack won't last long, due to your new check). Writing strong copy protection is also an iterative process, where the protection becomes gradually stronger, with the free help from crackers themselves.
Regular updates and a relaxed demo policy are probably the most effective measures.

In our specific case, the whole business model is designed to demotivate these activities to the max. Our products, when cracked (or rather simply uploaded with an .nfo), typically tend to provoke long ethical (!) debates in warez forums. I think that's a good sign. :)

In 2016, it's rather silly to ignore piracy in the business model/marketing. You simply can't sell plugins like luxury goods. You need a more organic product structure that's immune to regular copy and paste fraud.
:clap:

Post

Urs wrote:I think we're doing just fine, without punishing our customers.
:D

Post

Inspired by this thread, I sat down and analysed a recent crack of a product which will soon be updated. So here's a practical example of our incremental approach:

First we ran the installer in Sandboxie to get a specimen of the DLLs. What jumped right out was that they had added a registration file with a serial that does not work in the untampered binary. Then we compared the DLLs (binary diff) to the original, untampered ones. Three bytes were changed, but instead of the jnz (0x75) they changed the offset behind it to 0, so effectively no jump anymore in one place, a similar thing in another, and one byte of data. We noted the offset into the binary and compared it to a linker map file we kept in our archive.

It took us a few minutes to reconstruct what they did: They attacked our old serial number scheme (keygennable) which we had left for a honeypot. So obviously this group has not looked at previous cracks, as there's a reason why no-one ever touched the honeypot past Team AiR's failure. Hence, there are still a whole lot of delayed checks in place which will take the software away at certain times or user behaviour. They're super rare though, and I don't think they display a link to our website in the UI, which we use to track conversions. Hence we might want to upgrade our strength here... let's see...

What's interesting: instead of creating a working serial number generator, they just created (brute forced?) one serial that fulfills the formal criteria of being a serial, i.e. passes a simple checksum test. Then they added a crack to make this serial work with their user name, because maybe they couldn't figure out how to pass that test as well. This is a kind of attack we hadn't seen yet, so I guess I might add another layer or two of protection which is specific to this MO.

What's interesting about this attack is, it defeats my favourite check: running the serial number evaluation with a bogus serial number and seeing if it passes. So my idea is to expand this test by running it twice more: this time with the current serial and two user names that can't possibly be assigned the same test criteria. If the latter passes both times, we have a crack. Maybe based on a trigger like "if a D#4 is played in bar 47 after at least 10 minutes of rendering". And then bring back demo crackles and display a friendly invitation to buy our stuff.

Half a day in total.
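The two self-checks from this post (the bogus-serial check and the proposed two-user-name extension) as an added C++ example. This is not u-he's code; the serial format, the weighted-sum checksum and the "patched" validator that models the crack are all constructed for illustration.

```cpp
// Constructed toy licence scheme (not u-he's real one, which is not public). It keeps only the
// two-stage structure the post describes: a formal checksum test, then a user-name binding test.
#include <cstdio>
#include <functional>
#include <string>

// Signature of the in-binary licence check; the crack patches the function behind it.
using Validator = std::function<bool(const std::string&, const std::string&)>;

// Position-weighted byte sum: deliberately trivial, stands in for a real checksum.
static unsigned weightedSum(const std::string& s) {
    unsigned sum = 0;
    for (std::size_t i = 0; i < s.size(); ++i)
        sum += static_cast<unsigned>(i + 1) * static_cast<unsigned char>(s[i]);
    return sum;
}
static std::string hexField(unsigned v, int width) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%0*X", width, v);
    return buf;
}
// Vendor side: issue a serial BBBBBBBB-CC-TTTT whose tag TTTT is bound to the buyer's user name.
std::string issueSerial(const std::string& body, const std::string& user) {
    return body + "-" + hexField(weightedSum(body) % 256, 2) + "-" +
           hexField(weightedSum(body + user) % 65536, 4);
}
// Stage 1 (left intact by the crack in the post): formal checksum CC only.
bool passesFormalTest(const std::string& serial) {
    if (serial.size() != 16 || serial[8] != '-' || serial[11] != '-') return false;
    return serial.substr(9, 2) == hexField(weightedSum(serial.substr(0, 8)) % 256, 2);
}
// Stage 2 (patched out by the crack): tag TTTT must match this user name.
bool passesUserTest(const std::string& serial, const std::string& user) {
    if (serial.size() != 16) return false;
    return serial.substr(12, 4) == hexField(weightedSum(serial.substr(0, 8) + user) % 65536, 4);
}
bool genuineValidate(const std::string& serial, const std::string& user) {
    return passesFormalTest(serial) && passesUserTest(serial, user);
}
// Models the patched binary: the user-name jump is neutralised, so any serial that
// merely passes the formal test is accepted under any user name.
bool patchedValidate(const std::string& serial, const std::string& /*user*/) {
    return passesFormalTest(serial);
}
// The post's "favourite check": a serial that cannot be valid must still be rejected.
// It misses this particular crack, because the formal test was left in place.
bool validatorAcceptsBogus(const Validator& v) { return v("BOGUS", "anyone"); }
// The post's proposed extension: the current serial under two user names that cannot
// both be bound to it. If both pass, the user-name test has been removed.
bool validatorIgnoresUser(const Validator& v, const std::string& serial,
                          const std::string& userA, const std::string& userB) {
    return v(serial, userA) && v(serial, userB);
}
// Combined self-test; per the post it would run from a delayed trigger, not at load time.
bool detectTamperedValidator(const Validator& v, const std::string& serial,
                             const std::string& user, const std::string& decoyUser) {
    return validatorAcceptsBogus(v) || validatorIgnoresUser(v, serial, user, decoyUser);
}
```

Against a genuine validator the combined test stays quiet; against the patched one the bogus-serial check alone passes, and only the two-user-name check flags the tampering.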

Post

Urs wrote: Once keygens are out of the picture, there are two attacks left: Leaked serial numbers and cracks.
I wonder why people would bother cracking plugins when there are leaked serials; seems like a waste of time (?). For us it has been leaked serials like 99% of the time. This is why we switched to a one-time activation mechanism which defeats leaked serials. For the user there's no harm: once activated, the plugins will never ever connect to the internet nor get slowed down in any way whatsoever.
Urs wrote: I suspect in some student culture it's cool to be known as a cracker. Just like on warez forums, cracking is regarded as heroism. But it's really just twiddling bytes based on a very basic understanding of how software works, aided by unimaginably good tools. Like Chaotikmind says, it almost always boils down to exchanging one conditional jump statement for another. As he says, it's easy in 99% of cases.
Because most developers spend little to no time on protections, though I feel lately this has changed for plugins and protections have improved somewhat. About cracking as such, I don't mind it; it's certainly possible for people to learn something along the way. The problem is entirely in spreading the cracks; this hurts us small developers big time. The idea that people who use cracks would never buy anything is simply wrong. Of course there are such people, but there's also a significant group of people who would buy, if no crack existed.

Richard
Synapse Audio Software - www.synapse-audio.com

Post

What if, God forbid, something happens to Synapse Audio? How does one activate his purchased copy of your C/R product in the future?

I own DUNE and DUNE 2, but didn't even demo Legend when I heard you changed the copy protection.

Post

e@rs wrote: What if, God forbid, something happens to Synapse Audio? How does one activate his purchased copy of your C/R product in the future?

I own DUNE and DUNE 2, but didn't even demo Legend when I heard you changed the copy protection.
Activated plugins run forever; there are no delayed online checks or anything that could be a show-stopper. About reinstallation, we would of course simply remove the activation should we ever fear we might go out of business. Even then I doubt that is necessary, however, since running the servers costs essentially nothing these days. Of all the business costs that we have, the servers are by far among the least significant. The cost we have is >99% labor and advertising, plus buying a couple of vintage synths now and then. Mostly just labor though :)

Richard
Synapse Audio Software - www.synapse-audio.com

Post

You both (Richard and Urs) mentioned "leaked serials"

Do you mean someone has bought a synth (legally or not) and published the serial, or someone on the (testing/beta) team has?

Post

AnX wrote: You both (Richard and Urs) mentioned "leaked serials"

Do you mean someone has bought a synth (legally or not) and published the serial, or someone on the (testing/beta) team has?
Bought synths, usually via stolen credit cards.

I'm not aware anyone in our beta team has ever shared anything, not in 17 years - which is quite a miracle, come to think of it. I guess we are very lucky with our beta team 8) :) :love:

Richard
Synapse Audio Software - www.synapse-audio.com

Post

AnX wrote: You both (Richard and Urs) mentioned "leaked serials"

Do you mean someone has bought a synth (legally or not) and published the serial, or someone on the (testing/beta) team has?
Typically, someone buys using stolen credit cards.

Post

Urs wrote: "if a D#4 is played in bar 47 after at least 10 minutes of rendering".
That's evil ;)

Side note: I had a very quick look at the code (5 min) and it's deceptively simple.
It's unusual to see non-encrypted / non-protected code, I think.
I can imagine the guy launching his disassembler and saying to himself "this will be easy".

Edit: that would be an interesting executable to crack if I had more time on my hands, I think.
