All About Copy Protection
Read also Roger Mesters new article: Data Protection in a Nutshell.
WHAT IS COPY PROTECTION AND HOW DOES IT WORK?
MAKING THE SOFTWARE DEPENDENT ON THE GUARD MODULE
VARIOUS KINDS OF PHYSICAL KEYS
PRODUCTION: ADDING THE GUARD MODULE
HOW MUCH PROTECTION IS NEEDED?
OTHER WAYS OF COMBATTING PIRACY
NOTE!!! This article was written many years ago by Roger Mester. We have found parts of the article reused/stolen on many sites, even in Thai and Arabic.
It is pretty ironic that websites lecturing on piracy steal their information from other sites.
Copy protection hasn't always had a good reputation. At best, you didn't notice it. At worst, it could crash hard disks or simply refuse to run. People hated it on general principle. Still, it was necessary. Software houses lose huge sums annually to piracy. Although many are unaware of the fact, copy protection has quietly gotten over its childhood illnesses. What is more important, it has changed character. Copy protection in the old days was merely a technique for stopping diskette copying. Today, it is an integral part of the distribution of executable software as well as data, books, encylopedia and other multimedia products.
To a large degree, this is due to the advent of the CD-ROM which makes it possible to distribute large amount of data at low cost. Other methods of mass distribution such as electronic bulletin boards and the internet play a large part.
In some cases you don't want to limit the copying of data/programs. On the contrary, the idea is to copy them as widely as possible so that end-users can see them and try them out. You can then supply the end-user, via telephone or network, with an access code which allows him to use the program or data on a permanent or time-limited basis.
From a purely technical angle, copy protection is a fascinating subject. Few other topics require such an intimate knowledge of hardware and system software.
A diskette or CD with digital data on it is fundamentally different from a music cassette containing analog information. A copy made of a diskette or CDis exactly as good as the original. This is one of the great strengths of digital information. However, for the software manufacturer and distributor, it means that anyone with one of his distribution discs can easily make as many copies as he likes, and the quality of the copy will be 100% as good as the original. This fact is the driving force behind copy protection.
Digital information can be roughly categorized as code and data. Of course, both are data in the general sense, but computer programmers differentiate: data that can be run by a processor is called code, while data that is merely information is called data. In many cases, the executable code, so-called EXE files, must be protected. In other instances, pure data files need to be protected, but this requires a somewhat different technique: the data itself is encrypted, while the text retrieval utiltiy, the executable, is copy protected.
WHAT IS COPY PROTECTION AND HOW DOES IT WORK?
Since the binary information can always be copied, the manufacturer must make the operation of his program dependent on the presence of some physical key which cannot be copied. He does this by changing his software so that it cannot run unless some sort of initialization is performed. He then adds some additional program code, called the guard module, which carries out the necessary initialization if and only if it detects the presence of the physical key. This is copy protection in a nutshell:
All copy protection schemes are alike in that they must have these three parts in order to work. If any part is missing, the scheme fails. Let's look more closely at these three parts:
Dependency on External Action
The original software must be changed in some way so that it will not run without the action of the guard module. This could consist of merely including calls to the guard module in the software. However, the best way of making the software initialization-dependent is to encrypt it. Encryption means taking the code and scrambling it so that it cannot run and is no longer recognizable. The same techniques can be applied to computer programs as to secret messages.
The Guard Module.
This is the code that restores the software to executable form or in some other way initializes the software and allows it to run. It must do this only when the key is present. When the guard module is satisfied that the key is authentic, it initializes the software and executes it. Besides the function of recognizing the key and restoring the software to executable form, the guard module must do its job in complete secrecy. It must be impossible to see what it does, impossible to imitate what it does and impossible to trick it into doing its job when the key is not really present. This is called code security. Unless, the guard module itself is protected in some way, usually by encryption and debug-trapping, the protection can be disabled, and the software made to run without the key.
The Physical Key
This is the actual physical device or object that must be present as proof of ownership and the right to use the protected program. The key can take on many forms: an original CD, a key diskette, a dongle or a "smart card".
MAKING THE SOFTWARE DEPENDENT ON THE GUARD MODULE
There are various ways to do this, though techniques which do not include encryption cannot be considered very safe.
Building in Calls to the Key Check
The software can be made dependent on the guard module by building in calls to the key check in various places. To discourage the discovery and disabling of these calls, they are usually hidden throughout the program. Sometimes an attempt is made to confuse hackers by allowing the calls to jump to other areas in the program instead of simply returning. The problem here is that the programmer can often become as confused as the hacker.
Encryption
Encryption of the main EXE file is one of the best methods, since it protects the software in three ways: First, it makes the program impossible to run. Second, it makes it impossible to see what the program is doing and prevents stealing the know-how employed. Third, it makes it impossible to find and disable calls to the key check.
It is relatively simple to encrypt a program but difficult to decrypt one without knowledge of the algorithm. If the encryption key (not to be confused with the hardware key) is long enough, the number of computer-hours necessary to crack the encryption makes the job practically impossible. The real problem is hiding the key. Quite unlike the transmission of secret messages where the key is sent separately, the key for software decryption must be found either within the code itself or perhaps within the hardware key, and this makes it accessible to the hacker. Remember too, that even though the routine which does the decryption (the guard module) is itself encrypted, it must begin with un-encrypted code, and this gives the hacker a place to start. He can trace through the decryption code and discover how it is done, or even put a break-point after the decryption, stopping the execution when the code is wide open. Debug-trapping and other more or less successful schemes have been devised to prevent this.
Key Detection.
This is the part of the code that checks to see if the key is present. It is a requirement that the operation is as low-level as possible (i.e. direct hardware access of I/O ports), thereby preventing any sort of intervention. Note that this can give hardware compatibility problems.
Initialization.
This is the part of the code that does the necessary initialization of the software (decryption, re-location, etc.). Without this initialization, the software will not run.
Code Security
The guard module itself should also be encrypted (not to be confused with encryption of the user program itself). This is done to prevent disassembly of the guard module. If a hacker can understand how the initialization is done, he can throw away the guard module and do the initialization himself.
Debug Trapping
Even though a hacker may not be able to understand the workings of the guard module, if he can debug (trace) his way through it, or place a break-point after it has done its work, he can gain access to the initialized software which he can then save and use as a directly executable file. The guard module itself can never be totally encrypted. Somewhere, there must be a starting point. This code must be open and accessible, otherwise the CPU can't run it. Some technique must be used to stop the hacker from stepping through the code and finding out how the decryption takes place. One way to do this is to take over the debug and single-step interrupts and use them as part of the decryption. If a hacker then tries to use a debugger, he spoils the routine. The hacker can counter this by designing a debugger which uses another interrupt number. This, of course, requires a degree of programming skill, and even this ploy can be foiled by checking code integrity and thereby preventing the placement of break-points.
VARIOUS KINDS OF PHYSICAL KEYS
The key must be a physical object which is impossible or at least difficult to copy. No matter which type of key is used, the effectiveness of the protection is always dependent on the quality of the code security. If the call to the key can be disabled, then it doesn't matter whether it can be copied or not.
The Key Diskette
This type of protection relies on a specially produced key diskette which has something done to it to make it difficult to copy. Some primitive types of key diskettes employ extra sectors having unusual sizes and ID numbers. Others rely on hidden files. Good key diskettes base their security on the measurement of parameters which are nearly impossible to reproduce with any degree of accuracy. One way of making a key diskette impossible to copy is to physically bore a small hole in the magnetic media. This creates one or more bad sectors having bit patterns which cannot be overwritten. Manufacturers can also produce their key diskettes on special equipment which can do things that a PC cannot, thereby creating a diskette that can't be copied using ordinary controllers and drives.
The Original CD
This resembles the key diskette, the difference being that it is not necessary to make the CD hard to copy. This is already the case. Each glass master is slightly different, and if the software can recognize these differences, it can distinguish an original CD (one made by a particular glass master). Some manufacturers do try to change the CD to make it impossible to copy. The drawback is that these specially prepared CDs cannot be produced on ordinary glass mastering machinery.
The Dongle
Here, the key is an electronic circuit, usually employing a custom chip of some kind, which responds in a particular way to an electrical stimulus. One common type connects to the parallel printer port. When a query is sent to the printer port, the dongle replies according to a complex pattern which is difficult to predict if you don't know the algorithm. Dongles get high scores for non-copyability. One of their weaknesses is that you can run into trouble with several dongles on the same port.
The Hard Disk
Some schemes depend on special marks or deliberately-produced bad sectors on the hard disk. This is a common method of getting away from external keys such as diskettes or dongles, but has the great disadvantage that it can wreak havoc when the hard disk is backed up and restored.
Other Hardware
Other hardware devices can also be used, for example a plug-in board. A program such as an EPROM burner would rarely be copied, since it needs the plug-in board to function, but it can still be a good idea to lock the software to the board to prevent copying of the entire hardware/software package.
A "smart card" consisting of a chip mounted on a plastic card is another example. Of course, this requires a special card reader, but so-called "thin drives" are becoming more popular, making this an interesting possibility.
Even the computer itself can be used as the key. In this case, the protected program is said to be machine-installed.
Personal Characteristics
It is also possible to use human characteristics such as finger prints, voice prints or retinal images, though these require special sensors which are not generally found on personal computers.
PRODUCTION: ADDING THE GUARD MODULE
During production, the three elements of the protection scheme are brought together. This can be carried out, for example, by a separate utility that encrypts the bare EXE file, adds on the guard module and creates the new protected EXE file. Sometimes, the guard module is not a separate module, but consists of scattered calls to the key check which are built into the EXE file. In this case, the programmer of the original software includes the protection as part of his source code.
Internal Protection
The guard module can be programmed into the source code. In this case, the call which verifies the key is put in by the original programmer. He can try to confuse the enemy by placing calls in many areas of the code. If this is done without sophisticated encryption techniques, it is just a matter of hard work for the hacker to find the calls and disable them. The programmer can, of course, work out an encryption method, but often he does not want to be bothered nor does he have the necessary expertise. So the protection is usually added on afterwards by some kind of commercially available package.
Add-On Protection
The guard module can be added to the executable file after it has been compiled. This has the advantage that the programmer need not concern himself with copy protection when building his program, but can concentrate on making the best possible software. The protection is added on afterwards by a professional protection package. Many distributors do not have access to the source code and can therefore use only this type of protection.
Link-In Protection
It is also possible to use a combination of the above approaches. The protection manufacturer can supply the software house with object modules which can then be linked together with the package. In this way, the programmer need not design the protection, but has the flexibility of being able to put in as many key checks as he likes, wherever he wants them. However, this technique still requires access to the source code and object modules.
There are many ways of cracking a protection scheme, and the results have varying degrees of consequence for the distributor.
Reverse Engineering
By disassembling the program and finding out how it works, another programmer might use the principles involved to write his own program without actually copying the program itself. This process is time consuming and difficult.
Creating a "Cracked Copy"
If the protection can be disabled, the software will run without the key. The idea is to either peel off the guard module or find some other way to defeat it, so that the protection check is never made, but the initialization is made anyway.
Copying the key
If this can be done easily, it is almost as good as creating a cracked version. Dongles and diskettes with physical holes are extremely difficult to copy; for all practical purposes they cannot be copied. Key diskettes made from normal diskettes can or cannot be copied depending on the degree of sophistication of the diskette and of the equipment attempting to copy it. Commercially available copying boards can defeat many protection schemes. For the serious pirate, there is the synchronized bit copier which moves every bit directly from one diskette to another, using electronically synchronized drives. This can copy all but the very best key diskettes.
Assume, for example, that the key is a diskette that can be copied using a board costing less than $200. The end-user would have to buy and install the board and learn to use the accompanying software. This gives some degree of protection - enough to discourage the casual copier, but not a dedicated crook. The distributor must evaluate his needs and choose a system that fits.
Fooling the Protection
A memory-resident program can be installed which makes the guard module "think" the key is present. If, for example, the guard module checks the key diskette or dongle by way of the system BIOS, a filter can be set up to watch the interrupt and intervene when the key check is made, feeding false input to the guard module and simulating the expected signals.
HOW MUCH PROTECTION IS NEEDED?
Any scheme can be defeated by the use of expensive data analyzers, computer time and hard work. Therefore, all protection must be evaluated on the basis of how much time and money a pirate is willing to invest in order to crack the protection. There's little sense in heavily protecting a program that can be written from scratch for less than the cost of breaking it. One might think that an expensive program would need better protection than a cheap one. It ain't necessarily so. The expensive program might only be of interest to reputable customers who wouldn't dream of cheating. It also depends on the part of the world in which the software is to be distributed. Some countries have no legal basis for prosecuting pirates. In any case, you have to know your market. Remember, too, that some enthusiastic young hackers break programs just as a challenge. They are not really interested in selling pirate copies in large quantities, although a distributor can risk finding his program on an electronic bulletin board.
If the program being distributed is expensive, then the cost of the individual protection is not a determining factor. Dongles or diskettes with physical holes can be used in this case. If the price per protection is important, then a better choice would be one of the systems which lets you produce your own key diskettes. Remember that the best key is useless unless the quality of the code security is equally high.
OTHER WAYS OF COMBATTING PIRACY
There are other things a manufacturer can do to discourage unlawful copying without actually using copy protection.
The Manual
He can make his software dependent on the manual. Manuals are more expensive and harder to copy than diskettes. One could argue that this is a bad idea, because the software is poorly designed if it cannot be understood and used without reading the manual. Some manufacturers have their programs ask for a piece of information on a particular page in the manual. The page number changes each time the program is run.
Support
Constant improvement and updating of the software discourages copying, or rather encourages the purchase of legal versions, since pirates are stuck with the version they have. Good telephone support does the same, since owners of pirate copies can't call in for help. Providing legal users with newsletters, bulletin board access, and other services also encourages people to pay for the program.
Display of User Name
Equipping the software with an encoded user name which is displayed at run time is a good technique. While it's easy to make a copy and give it to another user, it is embarrassing to run a program with someone else's name on it. This type of copy protection actually comes under the heading of "copy discouragement"; it has the great advantage, though, of not creating pesky hardware compatibility problems. If the original program runs on a particular machine, the "protected" program will run too.
About the author Roger Mester was educated in the USA at Rensselaer Polytechnic Institute and Stanford University. He has worked for General Electric, Lockheed, Radiometer, and Great Northern Telegraph. He was one of the two founders of Link Computer - now Link Data Security - in 1982.