then sent to the software vendor (either through the Internet connection or manually, by phone). The software vendor verifies that the serial number in question is legitimate, and that the user is allowed to install the software (the vendor might limit the number of installations that the user is authorized to make). At that point, the vendor sends back a response that is fed into the installation program, where it is mathematically confirmed to be valid.
This approach, while definitely crackable, is certainly a step up from conventional serial number schemes because it provides usage information to the software vendor, and ensures that serial numbers aren’t being used unchecked by pirates. The common cracking approach for this type of protection is to create a keygen program that emulates the server’s challenge mechanism and generates a valid response on demand. Keygens are discussed in detail in Chapter 11.
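The activation exchange described above, written out with both sides, as an added example that is not from the book: a constructed vendor database holds the issued serials and their installation limits, the vendor answers a request with a response bound to that request, and the installer checks the response. The serial, machine identifier and vendor secret are all made-up sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: the vendor's record of issued serial numbers and
# how many installations each one may make (all values are made up).
VENDOR_SECRET = b"vendor-side activation secret (constructed)"
ISSUED_SERIALS = {"ABCD-1234-EFGH": {"max_installs": 2, "installs": 0}}


@dataclass
class ActivationRequest:
    serial: str
    machine_id: str  # constructed stand-in for a fingerprint of the installing machine
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))

    def message(self) -> bytes:
        # Everything the response is bound to: serial, machine and this request's nonce.
        return f"{self.serial}|{self.machine_id}|{self.nonce}".encode()


def vendor_activate(req: ActivationRequest, secret: bytes = VENDOR_SECRET,
                    db: dict = ISSUED_SERIALS) -> Optional[str]:
    """Vendor side: check that the serial was issued, enforce the installation
    limit, record the installation (the usage information the vendor gains),
    and return a response for this request, or None to refuse activation."""
    record = db.get(req.serial)
    if record is None or record["installs"] >= record["max_installs"]:
        return None
    record["installs"] += 1
    return hmac.new(secret, req.message(), hashlib.sha256).hexdigest()


def installer_verify(req: ActivationRequest, response: str,
                     secret: bytes = VENDOR_SECRET) -> bool:
    """Installer side: recompute the expected response for the request it sent
    and compare in constant time. Note the design limit the book points out:
    the installer must carry the same secret as the vendor for this check to
    work, so the check binds a response to a request but cannot make responses
    unforgeable by anyone who recovers the secret from the installer."""
    expected = hmac.new(secret, req.message(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)
```

A second activation of the same serial from another machine succeeds and a third is refused, which is the installation limit the text mentions.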
Hardware-Based Protections
Hardware-based protection schemes are definitely a step up from conventional, serial-number-based copy protections. The idea is to add a tamper-proof, non-software-based component into the mix that assists in authenticating the running software. The customer purchases the software along with a dongle, which is a little chip that attaches to the computer, usually through one of its external connectors. Nowadays dongles are usually attached to computers through USB ports, but traditionally they were attached through the parallel port.
The most trivial implementation of a dongle-based protection is to simply have the protected program call into a device driver that checks that the dongle is installed. If it is, the program keeps running. If it isn’t, the program notifies the user that the dongle isn’t available and exits. This approach is very easy to attack because all a cracker must do is simply remove or ignore the check and have the program continue to run regardless of whether the dongle is present or not. Cracking this kind of protection is trivial for experienced crackers.
The solution employed by dongle developers is to design the dongle so that it contains something that the program needs in order to run. This typically boils down to encryption. The idea is that the software vendor ships the program binaries in an encrypted form. The decryption key is just not available anywhere on the installation CD—it is stored safely inside the dongle. When the program is started it begins by running a loader or an unpacker (a software component typically supplied by the dongle provider). The loader communicates with the dongle and retrieves the decryption key. The loader then decrypts the actual program code using that key and runs the program.
This approach is also highly vulnerable because it is possible for a cracker to rip the decrypted version of the code from memory after the program starts and create a new program executable that contains the decrypted binary code. That version can then be easily distributed because the dongle is no longer
316 Chapter 9