Applying the Law

In document Hack Proofing Your Network pdf (Page 67-70)

It’s not possible to keep software secure from the person sitting in front of the machine; you can’t trust software running on an untrusted computer. Once you’ve given a piece of software to users to run on their computers, they have the ability to modify it in any way they choose. All you can do is try to make it difficult.

For our example program, I’ve chosen PKZip 2.70 for Windows, from PKWare. This program has an interesting, and somewhat controversial, feature: The Shareware version displays ads. These ads are downloaded from the Internet, stored on your hard drive, and displayed whenever you run the unregistered version (see Figure 2.1).

Some folks might be curious as to what it would take to disable the ads. Some poking around reveals that an extra program, the Adgateway service, is installed along with PKZip for Windows. There is a FAQ for this service, located here:

www.pkware.com/support/tsadbotfaq.html

Naturally, the FAQ doesn’t include information on how to turn off the ads (other than purchasing the full PKZip product). On my system (running Windows 98), the PKZip install created a directory named C:\Program Files\TimeSink. It occurred to me that if the directory weren’t there, the ad function might break.

Whoever wrote the ad software thought of that problem. The next time PKZip was run, it re-created all the directories. Is there some way to prevent it from re-creating the directory? Under Windows 9x, the file system is either FAT or FAT32. FAT-based file systems don’t allow for a file and directory with the same name to exist in the same directory. These commands seem to do the trick:

C:\Program Files>deltree timesink
Delete directory "TimeSink" and all its subdirectories? [yn] y
Deleting TimeSink...

C:\Program Files>echo > timesink

After running these commands, running PKZip looks like Figure 2.2. Nice and clean; no ads. It appears to run fine, as well.

The point of this exercise, as with most of those you will find in this book, is to educate you and to prove a point. Ad revenue is as valid a mechanism as any for making money. If you perform the actions just described, you may be in violation of your PKWare license agreement; check yours if you download PKZip for Windows. It should be noted that at least part of the reason for wanting to do something like this (aside from not wanting to see ads) would be suspicion that the ad program is sending information about you back to the ad server. In recent months, there have been numerous news stories about software packages that track users’ usage habits and send that information to the company providing the software. Many people consider this to be a violation of privacy.

The particular hack described here may not fix that aspect; this was not tested. According to the FAQ, the software doesn’t do that anyway, but it never hurts to check for yourself.

So have I done irreparable damage to PKWare’s ad revenue? Not likely. This particular hack was incredibly easy to find. It also would be incredibly easy to fix. It would take only a couple of lines of code to determine whether a file of the same name existed, and if it did, either to remove it or to use a different directory name. I fully expect that to happen as soon as they find out about this. I was able to find this for one of two reasons: The first possibility is that I thought of something the programmer didn’t, so he never accounted for it. The second is that the programmer knew that this was possible, but realized that trying to get the program to perform anything besides a cursory attempt to fix itself was futile. If it’s the latter, he will now have to add the check for the problem mentioned here, since it’s been published.
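The "couple of lines of code" described above, written out as an added example. This is not PKWare's code and does not come from the book; the function names `ensure_directory` and `demo`, the fallback name `TimeSink.1`, and the scratch-directory setup are my own choices. It reproduces the situation from the page (a plain file squatting on the directory name), shows that a cursory "just create the directory" call fails, and then applies each of the two fixes the passage names: fall back to a different directory name, or remove the blocking file first.

```python
import os
import shutil
import tempfile


def ensure_directory(preferred, fallbacks=(), remove_blocking_file=False):
    """Return a path that exists and is a directory, or None if none could be made.

    `preferred` is tried first, then each name in `fallbacks`. A name occupied
    by something other than a directory (a plain file, as produced by the
    `echo > timesink` trick on the page) is either deleted first, when
    remove_blocking_file is True, or skipped in favour of the next candidate.
    """
    for path in (preferred, *fallbacks):
        if os.path.isdir(path):
            return path                      # already usable as-is
        if os.path.lexists(path):            # a file, symlink, etc. owns the name
            if not remove_blocking_file:
                continue                     # fix 1: use a different directory name
            try:
                os.remove(path)              # fix 2: clear the squatter, then create
            except OSError:
                continue                     # could not remove it; try the next name
        try:
            os.makedirs(path)
            return path
        except OSError:
            continue                         # permissions, read-only media, races...
    return None


def demo():
    """Rebuild the scenario in a scratch directory and report what happened."""
    base = tempfile.mkdtemp()
    try:
        preferred = os.path.join(base, "TimeSink")
        with open(preferred, "w") as fh:     # stand-in for `echo > timesink`
            fh.write("")                     # contents are irrelevant; only the name matters

        # The cursory approach: just (re)create the directory. This raises
        # FileExistsError because a non-directory already owns the name.
        naive_raised = False
        try:
            os.makedirs(preferred, exist_ok=True)
        except FileExistsError:
            naive_raised = True

        chosen = ensure_directory(preferred, fallbacks=[preferred + ".1"])
        recovered = ensure_directory(preferred, remove_blocking_file=True)
        return {
            "naive_raised": naive_raised,
            "fallback_name": os.path.basename(chosen) if chosen else None,
            "fallback_is_dir": bool(chosen) and os.path.isdir(chosen),
            "recovered_name": os.path.basename(recovered) if recovered else None,
            "recovered_is_dir": bool(recovered) and os.path.isdir(recovered),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the naive call failing, the fallback landing in `TimeSink.1`, and the removal strategy restoring `TimeSink` as a directory. Either fix closes only this one hole; as the surrounding text argues, the person at the keyboard can still patch the program itself, so a check like this raises the effort required and nothing more.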

I can take the new version and find a new way to make a change to break the ads again, ad infinitum. It doesn’t matter how the programmer attempts to thwart us; we can get around it, since we have the ability to make whatever changes we need to the program. We could use a debugger to find and rip out all sections of the program that have to do with the ads. If he adds a check to see whether the program has been modified, we can rip out the check.

Back in the late 1970s and early 1980s, this type of attempt was made all the time; it was called copy protection. For every copy protection mechanism devised, there was a way to defeat it. Several companies made a living out of selling software that defeated such copy protection. Copy protection was most prevalent in the game market, but numerous business applications like Lotus 123 used it as well. Forms of copy protection still exist today.

A number of them center around some piece of hardware attached to the computer, usually called a dongle. These plug into the serial port, parallel port, Apple Desktop Bus (ADB) port, or Universal Serial Bus (USB) port. Naturally, the programs that come with this sort of hardware are designed not to run if they can’t communicate with the dongle. Is this effective? Can the dongles be copied? It doesn’t matter. You don’t attack the hardware problem; you attack the software. You find and remove the piece of the software that checks to see whether the hardware is present.

There is no tamper-proof client-side security solution. All you can do is make it more challenging.
