RIGHTS AND WRONGS (January 2010)

I installed a trial version of a game, so that I could see if it was really worth the $20 that they were asking for the full version. Some people might say that $20 is "only" $20. Okay, let's say that the game cost $200 or even $2000. The point would be the same. It's money that I could spend on something else, if I didn't like the game.

The trial had a limitation that it could be played for only one hour, and I played the game for the full hour. Unfortunately, that wasn't enough time to evaluate the game (there were a lot of repetitive puzzles, which consumed the time without revealing much), but since the license had expired, I uninstalled the game... Or so I thought.

Months later, having forgotten what the problem was, I decided to try the game again. I installed it and - surprise! - it didn't run. The license remained expired. So, the original installation left something behind. When I uninstall something, I expect it to be really uninstalled. If my license expires and I'm willing to go to the trouble of uninstalling and reinstalling the application, why can't I do that? Windows lets me do that. I don't have to activate the installations in my VMs. So how about this game?

Naturally, I got curious about where the license was stored. The obvious candidate was the "HKEY_LOCAL_MACHINE\Software\Licenses" key, which the game created when it first ran. That key contained several values, all encrypted. I didn't care about the contents because I was just trying to clean up the installation. So I deleted the key, reinstalled the game and... yes, it still didn't run. That annoyed me because now we're talking about something to which I did not agree. When I installed the game, I agreed that it could place some files on my system, but I did not agree to the game placing arbitrary files in arbitrary locations on my system, nor to it creating arbitrary keys and values in my registry. Nothing in the license agreement mentions anything of the sort.

So I did what anyone else would do, if they could: I fired up a debugger and watched the game start. The game consisted of a launcher and a main executable. The launcher displayed the splash screen which talked about being a trial version, before running the main executable. The main executable could be run independently of the launcher. Both of them knew that the license had expired.

I started with the main executable. It was wrapped in a third-party protection layer whose identity will be immediately obvious to anyone who has seen it before, given the clues below. It was full of polymorphic garbage, anti-debugging tricks, and the like. That made me wonder - if some software is altered after production (as in this case), is it still the same software? The license agreement, to which I agreed when I installed the game, states explicitly that the software must not be reverse-engineered. But if I reverse-engineer the wrapper that encloses the application, am I reverse-engineering the application? The wrapper can be separated from what's underneath. I didn't think that it's the application at that point, but I'm not a lawyer. If I'm using a debugger to just watch the registry and file accesses, am I reverse-engineering the application? I didn't think so, because I could achieve the same thing using other tools, but I like my debugger. In any case, the debugger was detected almost instantly, because I made no effort to hide it. After writing several papers on anti-debugging tricks, I know all about how to hide a debugger, but that requires some effort. I spend my days analysing and breaking layers like this one, but when I get home, it's not what I do to relax.

So I switched to the launcher. Here we had a soft target - the launcher was not protected in any way. It loaded the licensing DLL and used some APIs to check the license state. I had what I needed. I set a breakpoint on a registry query API, and then let the launcher run. What did I find? Well, arbitrary (as in location) is the word. The DLL accessed the "HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9450A3EE-950D-FCBE-D06C-6E49B18CA770}". The DLL had no business looking there, since the class belongs to the MTA Injector, which is all about e-mail transport. Just to emphasise that further, the DLL created values with names like "epqtfx", "feyudhKA", "fukjgi", "gDit", "sQdqvkmtand", and "ywBssp". Each of them contained part of an encrypted string which was concatenated to produce the same license key as one of the values found in the "HKEY_LOCAL_MACHINE\Software\Licenses" registry key, though the encryption key is different between the two. Just out of interest, I tried deleting the silly values and tried the game. Of course it didn't run. I set a breakpoint on a file access API, and then let the launcher run. What did I find this time? How about "Documents And Settings\All Users\Application Data\Temp:05113FB9". Yes, an alternative data stream on a directory. It contained yet another copy of the encrypted license information. That is really not cool.
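The following PowerShell script is an added example and is not part of the original post, nor is it anything the game's vendor ships. It lists the three hiding places the post names (the Licenses key, the CLSID key, and the named stream on the Temp directory) so their contents can be inspected before anything is deleted, and then runs two generic sweeps for the same two techniques elsewhere on the machine: named values sitting directly under CLSID keys, and alternate data streams attached to directories. The GUID and the stream name are taken from the post; the directory path is the XP-era one the post quotes and is a parameter because it differs on later Windows versions; the short list of "known" CLSID value names is an assumption and will let a few benign hits through.

```powershell
# Added example (not from Peter Ferrie's post): inspect and optionally remove the
# license state the launcher's licensing DLL scattered around the system.
# Assumptions: Windows PowerShell 3.0 or later (needed for -Stream and -Directory),
# run from an elevated prompt so the HKLM writes in -Remove succeed.
param(
    # XP-era path quoted in the post; pass the equivalent under $env:ProgramData on newer Windows.
    [string]$LicenseDir = 'C:\Documents and Settings\All Users\Application Data\Temp',
    [switch]$Remove
)

$LicenseKey = 'HKLM:\SOFTWARE\Licenses'
$ClsidKey   = 'HKLM:\SOFTWARE\Classes\CLSID\{9450A3EE-950D-FCBE-D06C-6E49B18CA770}'
$StreamName = '05113FB9'

function Show-RegistryValues([string]$Path) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { Write-Host "  (absent) $Path"; return }
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        $kind = $key.GetValueKind($name)
        # REG_BINARY blobs are rendered as hex so the encrypted fragments are readable.
        if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        Write-Host ("  {0,-14} {1,-8} {2}" -f ($name -replace '^$', '(Default)'), $kind, $data)
    }
}

function Show-DirectoryStreams([string]$Path) {
    # A directory has no unnamed $DATA stream, so every entry returned here is a named ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Write-Host ("  {0}:{1}  ({2} bytes)" -f $Path, $_.Stream, $_.Length) }
}

Write-Host "[*] $LicenseKey";            Show-RegistryValues $LicenseKey
Write-Host "[*] $ClsidKey";              Show-RegistryValues $ClsidKey
Write-Host "[*] streams on $LicenseDir"; Show-DirectoryStreams $LicenseDir

# Sweep 1: named values directly under CLSID keys. Real COM registrations keep their
# data in subkeys (InprocServer32, ProgID, ...) plus a handful of well-known value
# names, so random-looking names such as "epqtfx" stand out. The allow-list below is an
# assumption; expect a few legitimate hits and review them rather than deleting blindly.
$KnownClsidValues = @('', 'AppID', 'LocalizedString', 'InfoTip')
Write-Host "[*] CLSID keys carrying unexpected named values"
Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $odd = $_.GetValueNames() | Where-Object { $KnownClsidValues -notcontains $_ }
    if ($odd) { Write-Host ("  {0}: {1}" -f $_.PSChildName, ($odd -join ', ')) }
}

# Sweep 2: alternate data streams on directories. Files routinely carry a
# Zone.Identifier stream, but directories almost never carry any stream at all,
# so each hit deserves a look. The scan starts at the drive root of $LicenseDir.
$Root = [System.IO.Path]::GetPathRoot($LicenseDir)
Write-Host "[*] directories under $Root with alternate data streams"
Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Show-DirectoryStreams $_.FullName }

if ($Remove) {
    # Mirrors the manual clean-up described in the post: drop both keys and the stream.
    Remove-Item -LiteralPath $LicenseKey -Recurse -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $ClsidKey   -Recurse -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $LicenseDir -Stream $StreamName -ErrorAction SilentlyContinue
    Write-Host "[*] removed"
}
```

Run it once without -Remove to see what is there, then with -Remove from an elevated prompt. The directory sweep walks the whole drive and takes a while; on Vista and later, `dir /r` from cmd.exe shows the same streams for a single directory if you only want to spot-check one location.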

I deleted that stream, and tried to run the game. Presto! Another hour of gameplay. The puzzles were also exactly the same as when I played it for the first time. I played for that hour, the license expired, I removed the changes, and played again. One more time and I finished the game.

$20 for a game that I finished in three hours? $20 for a game with absolutely no replay value? Not worth it. Now imagine paying $2000 for it. :-)

Copyright (c) 2010 Peter Ferrie
All rights reserved
