How to crack my software and add a back door

blog.strategiccyber.com

177 points by raffi 12 years ago · 59 comments

readme 12 years ago

This is satire, right?

"A plaintext file requires a special tool, called a text editor, to change its content."

"I recommend notepad.exe or pico. Linux hackers may use WINE to run notepad.exe." [rofl]

EDIT: I think it's just the author's sense of humor, not actually satire.

  • NamTaf 12 years ago

    Correct. Tongue was planted firmly in cheek of the author when he wrote this. It's great.

  • jessaustin 12 years ago

    I think this would be considered satire:

    Jar files are complex. So complex, a major conference carried a talk on how to reverse engineer them in early 2012.

    • phyalow 12 years ago

      That triggered my bullshit detector. This also made me laugh: "unzip tool uses a sophisticated algorithm based on LZ77 and Huffman coding."

dmayle 12 years ago

That's an interesting anti-pirating technique... Demonstrate how to crack your own licensing, while at the same time adding a backdoor to make users conflate the two. Obviously, all cracked versions of his software have backdoors in them...

Except his attack is valid against all unsigned binaries... even his own. He could be distributing a backdoor and not even be aware of it...

  • raffiOP 12 years ago

    My startup creates software for use in penetration tests and red team assessments. I distribute backdoors and I'm quite aware of it. :)

    I wrote this post to show how to use my software to backdoor a pirated copy of my software.

mcherm 12 years ago

That's brilliant. Make it as easy as possible for "cracked" versions of your product to contain malicious back doors, thus encouraging people to avoid the cracked copies and pay for a properly licensed one.

  • mnutt 12 years ago

    The downside for him may be that users don't really care whether they got a cracked version or a legitimate version when their computer gets infested with malware; they're going to write angry posts about it online and say his software is broken or broke their computer. So it may be in his brand's best interest to keep users from using malware versions, even if those users may deserve what they get.

    • Ecio78 12 years ago

      The downside for him is that now even the average user has enough tips to crack the official trial by him/herself without risking downloading it from peer-to-peer or another unknown site :)

      • raffiOP 12 years ago

        I look at this as knowing my audience. I sell software for penetration tests and red team assessments (e.g., to hack into stuff; not check a box). The people who use my software easily have the skill set to do what I wrote about and defeat any anti-piracy measure I come up with. What to do? I think it's best to be very customer friendly, trust my audience, and make light of the 1337 cr4x0r who thinks they won a game I won't bother to play.

  • sytelus 12 years ago

    Nope... If his target audience was supposed to be the average consumer then maybe this would be an interesting move. But it looks like his target audience is sufficiently sophisticated users. Those people will now realize that it is actually much easier to crack the trial software by themselves instead of getting it from elsewhere. BTW, this software costs a couple of grand PER user PER year. However, I remain skeptical about who wants this thing because (1) it requires social engineering and (2) there are much better, more powerful and safer open source alternatives to run exploits.

    • raffiOP 12 years ago

      (1) Social engineering is a key component of several high profile intrusions that happen today. The best way to help an organization understand their ability to detect, mitigate, and/or contain this type of attack is to do it.

      https://www.google.com/#q=phishing&tbm=nws

      (1a) Statements, such as "it requires social engineering" [it's not a valid vector] represent a dated understanding of hacker tactics and part of my work is to help folks with your view move their understanding forward. Usually the conversation is not a response to an adversarial comment like yours.

      Here are a few talks/papers that I recommend:

      http://blog.strategiccyber.com/2012/12/19/hacking-like-apt/

      (2) Cobalt Strike builds on something called the Metasploit Framework. The Metasploit Framework is the largest open source collection of safe exploits. My product addresses gaps in this kit for executing attacks that mimic those high profile intrusions mentioned a moment ago. A successful operation requires more than an email with something bad attached.

      http://blog.strategiccyber.com/2013/01/14/tactics-to-hack-an...

      (2a) Cobalt Strike's open source little sister is Armitage, a popular user interface and collaboration tool for the aforementioned "better and powerful and safer open source alternative to run exploits". I'm the developer of Armitage as well.

      http://www.fastandeasyhacking.com/

    • okso 12 years ago

      Encouraging people to crack it themselves instead of downloading a cracked version is an interesting educational move.

    • ohashi 12 years ago

      That's fairly cheap relative to the competition. Software like Core Impact costs $40,000. MetaSploit Express (cheap version) is $5,000.

      I'd love to hear what these better, more powerful, safer open source alternatives are though.

  • reginaldjcooper 12 years ago

    But now we can all crack it safely from the trial version.

    • Deestan 12 years ago

      By "we", you mean technically savvy people. The number of us who need this software but don't make enough money to pay for it, or for some reason don't want to pay for it, is likely small enough to be ignored completely.

  • dylangs1030 12 years ago

    Or, download the trial, and crack it from there? No malicious backdoors there.

ssafejava 12 years ago

This is really funny - but the content shows the author's dedication to teaching (and learning) penetration techniques, even when it involves his own software. I would imagine that losing potential customers isn't a concern because the kind of people buying this software (generally) wouldn't run pirated versions. So instead, it makes a cool demo. Very cool, raffi.

D9u 12 years ago

Good means of exercising damage control...

"The cracked versions are backdoored! Use official release to be safe."

  • kristofferR 12 years ago

    Or "The cracked versions are backdoored! Use the official trial and crack it using the method I supplied to be safe", if you can't afford the hefty $2500 price tag due to not being a professional hacker/pentester.

crazygringo 12 years ago

I've actually wondered if the cracked versions of Photoshop tend to have backdoors... and with the recent articles on the NSA, if the NSA itself is trying to put out the most popular cracked versions. I mean, if there's a single piece of software that is more pirated, I don't know what it is. They probably have more sophisticated ways, but you never know.

x0054 12 years ago

That's why I am of a firm belief that if you are going to pirate software, at least have the common decency to crack it yourself and NOT REDISTRIBUTE.

On a side note, I am amazed that more developers do not sign their own code with checksums and alteration verification routines. Sign your software, then do a runtime check if the code has been altered. If so, after a few hours of use, present the user with a nice message:

"Congratulations, you have a cracked copy of our software. We find it sad that you did not want to buy it from us. It's possible that we may starve as a result. In any case, we would like you to stop using this copy. To encourage you to do so we are going to begin now uploading the contents of your hard drive to our servers. You may stop this process at any time by closing the program and removing it from your computer. Thank you."
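The checksum-and-verify idea above, as an added example (not the commenter's code, and not Cobalt Strike's own mechanism): a publisher builds a SHA-256 manifest for a release, and a user verifies a downloaded copy against it before running anything. File names and contents are constructed; the manifest format follows sha256sum's "digest  path" lines.

```python
"""Release-integrity check: build a SHA-256 manifest for a set of release
files and verify a downloaded copy against it, flagging modified, missing
and unexpected files.  Illustrative code only; the sample files below are
constructed, not real product files."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Publisher side: one 'digest  path' line per file, sha256sum style."""
    return "".join(f"{sha256_hex(data)}  {name}\n"
                   for name, data in sorted(files.items()))


def parse_manifest(text: str) -> dict:
    """Parse manifest lines into {path: hex digest}; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_release(files: dict, manifest_text: str):
    """Consumer side: returns (ok, problems). A file missing from the copy,
    a file whose digest differs, or a file the manifest never listed
    (e.g. something added by a third party) all make the check fail."""
    expected = parse_manifest(manifest_text)
    problems = []
    for name, digest in expected.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return (not problems, sorted(problems))


# Constructed sample release: a jar-like archive plus a launcher script.
ORIGINAL = {
    "cobaltstrike.jar": b"PK\x03\x04 constructed placeholder jar bytes",
    "cobaltstrike": b"#!/bin/sh\njava -jar cobaltstrike.jar\n",
}
MANIFEST = build_manifest(ORIGINAL)

# Constructed altered copy: jar changed, launcher dropped, extra file added.
TAMPERED = {
    "cobaltstrike.jar": ORIGINAL["cobaltstrike.jar"] + b" appended bytes",
    "extra.txt": b"constructed extra file\n",
}

if __name__ == "__main__":
    print(verify_release(ORIGINAL, MANIFEST))
    print(verify_release(TAMPERED, MANIFEST))
```

The manifest only helps if it is obtained out of band (for example, from the publisher's site over TLS) rather than from inside the same archive it describes.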

  • rangibaby 12 years ago

    This DRM just turns things into an arms race, and eventually makes your software seem more and more like malware.

    A non-game example off the top of my head is Milkshape 3d, a basic modelling software that was popular in the early 00s because it had importers and exporters for the games that were wildly popular then such as Counter-Strike.

    The teenagers using it had no money to pay for the full version, so cracking of it was rife. Eventually the "anti-piracy" mechanisms built into it by the author got crazy enough that the program was essentially broken.

    I can't really remember specifics, except that it crashed your computer (!) if you tried to use a certain app-sniffing software.

    • anonymous 12 years ago

      For a game example, google "starforce breaking dvd drives". The irony(?) here being that an on-disc copy protection mechanism breaks your disc reader and makes it impossible to play the game you bought.

  • stevekemp 12 years ago

    I've cracked games, for lives, and so on, since I was about 14 years old. Then later I used to turn "demo" versions of PC-software into full versions and the vast majority of all the programs I attacked were trivial to defeat.

    People tend to only add in the protection at the last minute; rather than making it an integral part of the code.

    I only ever came up against a few programs that I couldn't hack. It genuinely became easier when people would use an off-the-shelf "protect my program" toolkit; crack one and you'd cracked all programs using that family of protection.

    It was rare that I couldn't register demo/eval copies of programs. Sure I know assembly, and used SoftIce, but we're talking about a random guy in his late teens/early twenties who mostly learned by trial and error with random hints from +fravia.

    (ObRandom: I know it must be a pain as a developer, but the best way to stop people cracking your demo is literally to have two binaries. Genuinely don't compile "file:save" or whatever feature you're keeping for paid users, into your demo version. Sure this will stop instant registration, and it won't stop somebody from leaking a full version, but it will absolutely stop the majority of attacks.)

    • pakitan 12 years ago

      > I know it must be a pain as a developer, but the best way to stop people cracking your demo is literally to have two binaries

      I have done that but I'm not sure it's really the best way. My stats are very far from being statistically significant but I'd say this type of protection has increased the fraudulent (stolen credit card) orders about tenfold for me. Which means that if I don't catch it on time I'm hit with $15 chargeback fee. It's really frustrating because I've deliberately made the trial version very easy to crack. I have no problems with cracked copies floating around, I just didn't want serial codes being freely available.

  • fauigerzigerk 12 years ago

    That's completely pointless. If a cracker is able to remove the license check he will also be able to remove your checksum verification.

    Putting yourself in a difficult legal position on top of it helps no one.

    • eps 12 years ago

      Well-implemented integrity checks are much harder to remove compared to nop'ing a single conditional jump.

  • x0054 12 years ago

    Ok, to be clear, the uploading of the hard drive content is a joke. I would not suggest you actually do it, for legal and ethical reasons. As for DRM, I think Total Commander is a good example of good software protection in action. When I was a kid and could not afford to buy it, I tried to crack it a few times, with no luck. Nowadays, I own a copy, but just for fun I tried to crack it a few times, for educational purposes :), and still could not. If you are interested, take a look at it; I think TC has a very non-intrusive DRM that works well but is not draconian. Of course, you can still grab a stolen key for it from any torrent site, but to my knowledge at least no one has cracked it yet.

  • jacquesm 12 years ago

    Please do not follow this advice.

rheide 12 years ago

This would seem like the perfect tactic if the software also has a quiet phone-home system built in that contacts the author if the file checksums don't match. I bet you could get interesting statistics on how many people would try this method after publishing such an article.

shadowOfShadow 12 years ago

That entitled attitude of the complainer is so familiar. Hate that shit.

  • Shank 12 years ago

    He writes software to demonstrate security flaws to a fairly niche market. I'd say his actions are justified - he's just showing that it isn't safe at all to download a cracked version of a pentesting software package.

    • jethro_tell 12 years ago

      shadowOfShadow's wording is a little unclear, but I suspect he was talking about the email exchange with a non customer complaining about lack of support.

      • raffiOP 12 years ago

        I read shadowOfShadow's comment the same way you do. (for others reading this): in the comments section, I reproduce an exchange (anonymized, of course) I had with someone complaining about my support--when they were trying to install a cracked version of my software. This exchange is what led to the blog post linked here.

        • raffiOP 12 years ago

          @valleyer: He "signed up" for a trial and emailed me for help. But, when he asked for help, he provided the tar command he typed and the output of the tar command.

          He changed the tar command he typed to make it look like he was trying to install my trial.

          The output of tar told a different story though. The cracked trial was distributed as a .tgz with a space in it. Because this guy didn't know to put quotes around the filename, tar gave him an error he didn't know how to interpret.

          He left the output untouched, and I was able to determine the name of the file he was trying to extract, google it, and strongly conclude he was asking for support for a cracked version of my software.

        • valleyer 12 years ago

          That user appears to claim he has a valid license to your software (third e-mail). Is that wrong?

enscr 12 years ago

What if the software requires an internet connection to dial back home & verify the software authenticity .. say once every 30 days? Is that too annoying for users?

  • Shank 12 years ago

    I think it's quite obvious that the author is very well aware of how to implement DRM in such a way that it can't be circumvented, but it easily enters the territory of whether or not he would actually gain users from it.

    Cobalt Strike isn't exactly a $100 copy of Office - potential users who are going to use it to its full extent are going to be willing to pay the steep cost of entry as it is.

    In other words, while it would be possible to guard against piracy, the end result wouldn't be more sales of Cobalt Strike.

    • enscr 12 years ago

      Oh, I was asking that for my knowledge. Since you can easily patch all licensing methods on a binary (I guess including checksums), the only way to verify integrity is to compare it with a trusted copy at the authors home.

  • sgift 12 years ago

    I can only speak for my observations in the gaming community and there are more or less two camps, which can be summarized as:

    No back-dialing, ever. Basically they do not want the company to have a remote switch to disable the software after they've bought it, do not want the risk of not being able to play a game anymore just because a company decided to shut down the servers, and want to be able to play everywhere without an internet connection (e.g. I sit at my laptop and cannot play your singleplayer game because you decided to require dial-back? No chance.)

    The other camp doesn't care about it, more or less. Sure, they would like it if there was no dial-back for the games, but it doesn't hinder them from still buying and playing on platforms/games that require this as long as their playing experience isn't diminished by it. Steam is more or less the platform of choice for the second camp and seems to be growing all the time, so most users probably would accept a dial-back connection once, every 30 days or even at every start. Quick note: Always-On is still something which is considered off-limits. Ubisoft tried it various times with their games and fell flat on their face. They've backpedaled to activate-once by now.

    • enscr 12 years ago

      True, I've seen lots of fury against gaming companies & Adobe too about connected licenses.

  • belorn 12 years ago

    That kind of DRM technique was broken a half decade ago. If your software calls home, a cracker can record/simulate that behavior if needed.

    The result in the end then becomes that pirates will still use the software, but people without a stable Internet connection can't use your software.

    It also adds a problem for businesses. Suddenly, they need to poke holes into VPNs, and risk that the software will also become unusable if their Internet connection ever becomes a problem (let's hope they don't plan to draw fiber). The millions of military personnel will also be unlikely customers, as their Internet connectivity in the field is not known for its up-time.

nathell 12 years ago

shell.sl? Is this a dialect of Smalltalk?

antocv 12 years ago

Why is he root on his own machine when he uses unzip?

I hope this is satire. "The unzip tool uses a sophisticated algorithm based on LZ77 and Huffman coding". Oh wow. Who would have thought. "These files do not represent the socio-economic status of the code." Oh.

Lame humor.

  • ssafejava 12 years ago

    Obviously he's just joking, and most of the people in this thread got it. He's not incompetent, he wrote both Armitage and Cobalt Strike, and the latter has some really incredible features that are hard to find elsewhere. I'd say he knows his way around a computer.

    Snarking about why he's root when he runs unzip does not advance the discussion and despite your efforts, it does not make you look smarter than him.

    • antocv 12 years ago

      It is just too lame humor, I wasn't criticizing or questioning the smarts of the author.

      If anything, I'm criticizing his writing style; the blog article is not fun to read as it comes from a presumptuous and arrogant/entitled position.

      Or maybe it's just me, but I don't see anything funny in that article, I just don't find the poking at virtual Linux users and people interested in cracking from a position of authority funny.

      Effectively the entire article is making fun of hackers, people who are curious how to break software and make it do unspecified things, people who dare poke and dare crack. But it's his software, so it is ok for him to make fun of others, right?

      The cracking culture is many people's first step into hacking and programming; we wouldn't be here if all of us really paid for the stuff we used as kids.

      • ohashi 12 years ago

        He's walking through how to crack his own software and you are complaining that he is anti cracking culture? If this is your attempt at humor, it's really failing.

  • raffiOP 12 years ago

    I'll answer to unzip. In the post, I'm using a Linux distribution called Kali Linux. Kali is the successor to BackTrack Linux. Most people who use my software use it with Kali Linux.

    Kali is a distribution with a focus on offensive security. Most tools require root to run. It's very rare to find a Kali user who uses sudo and works from a non-root account. root for all actions is normal.

    Some people may use Kali day to day, but it's built to do a job.

    http://www.kali.org/

    I didn't call out Kali specifically, but all of my screenshots show Kali's default window manager theme. I don't know if my audience earns the "hacker" badge by your standards... but I suspect most of them recognize Kali from a distance.
