lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <66743335-0E47-4443-B550-2BCC80A11A93@mac.com>
Date:	Tue, 4 Dec 2007 07:06:52 -0500
From:	Kyle Moffett <mrmacman_g4@....com>
To:	Matti Aarnio <matti.aarnio@...iler.org>
Cc:	Dan Kegel <dank@...el.com>, linux-kernel@...r.kernel.org
Subject: Re: Relax permissions for reading hard drive serial number?

On Dec 02, 2007, at 13:45:44, Matti Aarnio wrote:
> This lack of having stable(*) unique system identifier available to  
> applications is one of the small details that make node locked  
> commercial software delivery challenging thing in UNIX environments..
>
> *) "stable" as both stable data, and stable API to get it.

Well... There's that.  There's also the fact that anybody with a  
modicum of ASM programming skills can get clever with GDB and traces  
from "Correct HW serial" and "Incorrect HW serial" can write a 10- 
line GDB script to make it work regardless.  I did something similar  
with a popular FPS (which I legitimately own) on one of my Mac  
systems after having left the DVD behind when going to a LAN party.   
Addresses removed to protect the innocent^Wguilty, but they took  
maybe 15 minutes to acquire:

break *END_OF_CDKEY_CODE_DECRYPTION
run
delete 1
advance *JUST_AFTER_CDKEY_CHECK
set $r3 = 0
detach

At some point every such "locked" computer program has code like this:
> if (program_is_not_authorized()) {
>     display_nasty_dialog();
>     exit(1);
> }

All it takes for somebody with a debugger is to identify the last  
instruction of the "program_is_authorized()" function and change $r3  
(or whatever return register your system uses) from a 1 to a 0.  The  
fact remains that once the software is running on *THEIR* computer  
there is nothing you can practically do to forcibly prevent them from  
using it in whatever fashion they desire.  Typically if you price  
your software reasonably people will be willing to pay for multiple  
copies but there are no foolproof technical measures to enforce that  
they do so.

Cheers,
Kyle Moffett

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ