Simple but probably effective. In terms of protecting against regular end users fiddling with the system time I mean.
On a related note I remember many years ago when I was using Windows, and there was a third-party utility to monitor the registry for changes.
I only had the trial version of the utility, but using the utility itself I found that they were storing information in the registry about when the trial would expire. So I was able to use the utility to discover and defeat the trial protection of itself.
So that was cool in and of itself. But I also found that, even though this was in a time before most software would do online checks, many pieces of software were able to know that the trial had expired even if I tried things like setting the clock back or removing registry entries they had created.
Probably some of those pieces of software were doing similar things to the one mentioned in the OP. But it never occurred to me at the time. I’m not even sure I would have thought of this even today if I were to try it.
But these days I use software that’s open source for a lot of things instead, and where I need proprietary software I pay for it instead. If it’s proprietary and not worth the money then it’s not worth using either. Though I am still sad that Adobe switched to a subscription based payment which I ended up not being able to afford and don’t want to sign up for again because of their horrible billing practices. So I am stuck not being able to run Adobe software even though I would have liked to.
In the Windows 9x days, software had direct access to hardware without needing any permission.
They could get very creative about where the trial end date could be hidden. They could write it to random blocks of the fat32 partition marked as "free". They could even find unallocated blocks outside of the partition table and write it there.
Or you could write it to the contents of a file without going through the regular file APIs, so its modification date wouldn't change.
As long as just one copy of the trial end date stays intact, it can simply take the latest one.
I had a case of a program that had to run with admin rights, it was storing the info in some of the first sectors of the HD (yes it's possible without direct hardware access, you "just" need admin rights). Of course it corrupted my GRUB... they didn't think that there might be useful data between the MBR and the first partition. This happened around 2010, so no need to go back to Windows 9x to find very weird stuff ;)
You're giving me flashbacks to the bad old days when Opera was the only competent browser for Windows Mobile devices. What made them the bad old days? They only had a trial version, and some time after the paid version didn't come out the date limit on the trial version expired, so thousands of people turned the dates back and sacrificed the entire "organization" category of PDA functionality just to keep using a good browser.
I believe a full version of Opera was eventually released but it took a very long time.
Age of Empires 2 does something similarly tricky for beta/trial versions - when its check_expiration check fails once, it writes some "hard to find" registry value (Software\X\DT2 to 1 for aok and Software\TC\XPX to 7 for aoc), and then thereafter also fails if this value exists and is the previously written value to prevent you changing your system clock to circumvent that check.
Of course that's all rather silly since a 1 byte change in WinMain also defeats this, but that requires modifying the program ...
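The rollback check these two comments describe (take the newest surviving copy of the last-seen time, fail if the clock is behind it, and leave a marker so the failure sticks even after the clock is set forward again), as an added example that is not code from the thread or from any of the products named in it. Storage is plain files in a caller-chosen directory, a stand-in for the registry keys or disk sectors mentioned above; the marker name, the copy count and the 60-second slack are assumptions.

```python
"""Added example: clock-rollback check with redundant high-water marks and a
sticky tamper marker. Not from the thread; storage locations are stand-ins."""
import os
import tempfile

TAMPER_MARKER = "DT2"   # assumed name, echoing the value the comment mentions


def _read_int(path):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None            # missing or damaged copy: ignore it


def _write_int(path, value):
    with open(path, "w") as f:
        f.write(str(value))


def check_and_update(store_dir, now, expiry, copies=3, slack=60):
    """Return (allowed, reason). `now` and `expiry` are Unix timestamps.

    Order of checks:
      1. a tamper marker from an earlier failure makes the check fail for good;
      2. the newest surviving high-water mark wins, so deleting some copies
         does not help; if `now` is behind it by more than `slack` seconds the
         clock was turned back: write the marker and fail;
      3. an expired trial fails;
      4. otherwise every copy is advanced to `now`.
    """
    os.makedirs(store_dir, exist_ok=True)
    marker = os.path.join(store_dir, TAMPER_MARKER)
    if os.path.exists(marker):
        return False, "tamper marker present"
    paths = [os.path.join(store_dir, f"hwm{i}") for i in range(copies)]
    marks = [m for m in (_read_int(p) for p in paths) if m is not None]
    high = max(marks) if marks else now
    if now + slack < high:
        _write_int(marker, 1)
        return False, "clock earlier than last seen time"
    if now >= expiry:
        return False, "trial expired"
    for p in paths:
        _write_int(p, max(now, high))
    return True, "ok"


def new_store():
    """Fresh empty store directory (constructed for the demo and tests)."""
    return tempfile.mkdtemp(prefix="trial-store-")


def drop_copy(store_dir, index):
    """Simulate a user deleting one of the redundant copies."""
    os.remove(os.path.join(store_dir, f"hwm{index}"))


if __name__ == "__main__":
    T = 1_700_000_000                      # constructed reference time
    store = new_store()
    print(check_and_update(store, T, T + 1000))        # (True, 'ok')
    drop_copy(store, 0)
    print(check_and_update(store, T + 10, T + 1000))   # (True, 'ok')
    print(check_and_update(store, T - 500, T + 1000))  # clock rollback detected
    print(check_and_update(store, T + 20, T + 1000))   # marker keeps it failing
```

The slack window is there because a few seconds of legitimate clock correction (NTP stepping the clock) must not trip the check; only a rollback larger than that counts as evidence.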
Actually many programs write license/demo expiry/... data to very hard-to-find registry keys... maybe just in plain sight under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion which has so much stuff that basically nobody knows what actually belongs there, unless you are monitoring it for changes...
Keeping “snapshots” of your registry on a windows machine is one of the fastest ways to improve your understanding of how a lot of commercial software “does business”. From weird (or outright dangerous trial license tricks, I once saw a shareware program that stashed its keys with a fake program name in a legit Adobe registry tree path) to programs that store detailed settings to a level that really warrants a dedicated settings file/database or even what UI mode they are in just spamming the registry all the time… no wonder some people had constant problems with registry corruption back in the day!
Indeed, I've seen so many weird places program wrote license/demo timer data to... not sure if it was the same software as you (can't even remember which one it was) but a shareware writing to a legit Adobe key reminds me of something... ;-)
> So I was able to use the utility to discover and defeat the trial protection of itself.
This is why I used to feel bad for Hex Rays / IDA Pro. When your product is a disassembler, there's bound to be someone in your target audience capable of cracking your software.
P.S. Don't use a cracked IDA Pro. Checkout Hopper instead. It's reasonably priced and really solid software. Been using it on and off for years.
I'd suggest checking out Binary Ninja [1] as well. Also reasonably priced and very solid, but available on all platforms --- not to mention having a much nicer UI and API than all the other tools out there.
My Google-fu is failing me at the moment, but I remember a piece of malware actually included the copyright string of a disassembler so it would detect "itself" and not let you analyze the malware sample.
> One of the limitations to at-least the demo of Hopper is that it is not able to disassemble itself.
I was curious as to whether this limitation was present in the latest licensed version of Hopper (4.8.2).
I can confirm that I can indeed disassemble Hopper itself. Whether there's some intentional mistakes in that disassembly I don't really have time to delve into, unfortunately.
For me it was Numega's SoftICE, which was an amazing debugger. Using it to defeat its own protection always struck me as ironic, but I guess also to be expected.
I hacked software for many years, for my personal amusement rather than profit, as it always reminded me of being a teenager hacking games for infinite lives, etc.
Now and again I take a stab at commercial linux software, but there isn't so much out there with the standard "Enter License Key" kinda protection.
This bit me once when I was hosting my FPGA design on an NFS server which lost the CMOS battery so it came up with a very weird date. The computer mounting it was fine but the files would get their access time screwed up. And then FlexLM bombed out. So very annoying.
Basic users don't even have to pay, and if you're doing something that requires the paid version you can buy and will benefit from the $300 control surface that also includes a Studio license.
Non-pro Resolve can't edit h265/HEVC, which is more and more common out of cameras (like my a7s3) these days.
The license isn't expensive for what you get. I bought the USB dongles so I can easily transfer it between computers and also completely block Resolve from accessing the network via Little Snitch.
I can also heartily endorse the Speed Deck control surface, which is way less than $300 and also comes with a pro license.
> Non-pro Resolve can't edit h265/HEVC, which is more and more common out of cameras (like my a7s3) these days.
When I come across files that DaVinci Resolve won’t open, I convert them to a format that DaVinci Resolve likes by first using the open source command-line utility ffmpeg.
I heard that the pricing on CC is now creeping into a point where some large media companies are now looking for alternatives and spending money retraining their staff.
Been using DaVinci Resolve for a couple of years and love it to bits :) It’s Photoshop and Illustrator that I miss the most. Occasionally I also miss Adobe Animate.
Capture One? Not cheap, admittedly, and you only get updates for the major version number you bought, but I guess it depends what you miss most about Lightroom?
Darktable has its fans as well, but I haven't tried recent versions.
That sounds like the steps I saw to get a free version of the original version of Little Snitch. Simply use Little Snitch to stop Little Snitch from phoning home.
FLEXlm was originally written by just one guy. I think I remember his name -- his initials are M.C. if anyone would like to confirm that I'm recalling correctly. When he sold his stake he got ~$10 million. The software went through many ownership changes. I think this was when it went from Globetrotter to Macrovision. When he got his ~$10 million he gave about $2 million to his current employees as a gift. I thought it was a very honorable thing. He had no legal obligation to do so.
This isn't inside information; it was all published somewhere but it's funny how the web can "forget" things after a couple decades.
EDIT: I found something that at least confirms the name I was remembering, Matt Christiano, and a history[1] of license management that he wrote in 2007.
When I see the word "security" used like this, I wish the person who used it would be honest about whose security they have in mind. (Also, they should be clear about whether they are talking about cyber security, or financial security, or personal security.)
It's like the word "protection" in the terms "copy protection" or "content protection". Those at least make clear that it is not the user who is being protected, but it's still disingenuous to suggest that a file is somehow harmed by being copied. If anything, having more copies of a file only makes it safer.
"Revenue security" is something every startup, YCs included, ought to spend a notable chunk of their time considering. It fits the bill for clearly stating who's protecting, as well as clearly stating what's protected. And it can be easily applied:
"Does having more copies of a file generally improve revenue security?" is probably a solid "no, not generally" with some very interesting exceptions.
Yes, I hope so, that’s what “copy protection” is and I wanted to maintain that obviousness. DRM is just fancy digital shoplifting “loss prevention” security tags.
I don't use any licensed software with enforcement methods like this, but it looks trivial to defeat.
A string dump of the binary would likely show these directories, and even if they were obfuscated, an strace would reveal them as they probed the file dates.
It's "trivial" to you, for sure, but as many have noted it's not intended for "advanced" users, but for a target audience who happens to be not computer-savvy.
And not just not computer-savvy, it's also about making it painful enough a business will pay the license fee rather than trying to jump through hoops to work around licensing problems.
If it has to execute on a PC, there is a way to break the protection. It's simply about making it too difficult to bother trying to break the protection.
Yup. It's just a cliché of modern life. You hear it at train stations: "For security reasons, <anything>".
It's the same in medium-size and large companies with "legal". All you need say is "Oh that's required by legal" and no-one applies any rational scrutiny to it because for some reason the "legal" and "security" departments are considered to house minds far superior to those of anyone else.
Back in the days we actually had to use this trick. We knew we had enough licenses but at some point people started complaining that others wouldn't give back shared licenses.
It turned out the server didn't register them in when someone signed off.
So after troubleshooting we ended up doing exactly what this trick is protecting against, setting the server clock to somewhere in the future.
Worked nicely back then.
This was just as I left that place; a few weeks later my colleague told me they had found the problem: our previous IT manager had installed a new instance of the license server on a faster machine. He had not installed the license files (nor documented it anywhere) though, so the new server would just say thank you and discard the license token whenever anyone signed out.
FlexLM --- certainly gave me a bit of nostalgia from all the time I spent on it as a cracker few decades ago... I guess it's still found on very expensive/specialist software which hasn't become entirely service/cloud-based.
I think Autodesk still uses it. I vaguely recall running into some trouble with the FlexLM service and Autodesk Inventor when I still worked as a Windows admin/helpdesk monkey.
Yes they still do, at least for floating licenses; I'm running a FlexLM server for our lab with several Autodesk floating licenses on it. MATLAB also uses it, and so do many other scientific software packages (e.g., ANSYS).
I expect the purpose of enterprise license management software like this is less to prevent unlicensed use (which is basically impossible) and more to help organizations track their license usage and stay compliant with whatever the terms are.
It's a beautiful comment though, and an interesting scheme that could potentially break relatively easily.
In my experience, the license manager usually goes out to lunch at the most inopportune moment – usually before some important deadline, coincident with IT support (or anyone who is capable of fixing the license manager) being out of the office for an extended period.
They regularly do "license compliance shakedowns". This is not some trade secret, lots of ISV's do it. So the following is describing broadly how ISV's do it and nothing specific to Flexera.
The way it works is to have a licensing model not enforced perfectly by the DRM. Sell licenses per user, per machine, but allow usage outside that in some way. Make it the customer's duty to enforce license usage instead of the vendor.
Wait a while. Sales comes back and runs an audit, they see more users than licensed in the last X amount of time and require a "true up" fee before more licenses can be sold, or possibly under threat of terminating existing licenses.
The intent is to use the threat of disruption to the business as leverage to cough up more revenue than the customer planned to provide initially per their license agreement.
It is shady, but it works, and a widespread practice.
Assuming the original version from 2007 was guaranteed to be internal only, it's not looking good for whoever decided to expose the knowledge base. Bonus points for outsourcing to a third party support forum so we can admire the self-pwn while they struggle to find who has admin privileges to take it down. How much was that MBA's bonus?
Back in my days of programming shiny round discs, we had a client request to put a time bomb in an interactive CD-ROM. To test it, we adjusted the date on the computer that did our MPEG-2 encoding for DVD. As was bound to happen, the date did not get reset to current time, so that some DVD encodes were encoded in the future. It took so many calls back&forth with support to figure out why these files were misbehaving.
TL;DR be careful when adjusting the dates, as there may be unintended consequences
I work in Security and we talk about barrier management. A security barrier is something you implement to avoid a certain hazard beginning to traverse your bowtie risk model (google it).
This particular case of doing a technical check by checking files' timestamps for timestamps set in the future is NOT a security reason. It is a license compliance check, but has nothing to do with security.
Also, if I were a customer of this company which apparently sells me IT Lifecycle tools that should help me with IT cataloging and inventory, I would be livid if the solution stopped working because it had identified "bad date" files somewhere in my IT landscape. I would migrate the hell away from it; there are plenty of other vendors.
The customers for this software are companies like Cadence or Synoptics, who then use it to encourage license compliance by their customers. As a Cadence customer, my employer could use strace to observe the license daemon behavior and figure out how to cheat, but we're not at all interested in doing so, both from an ethical position and as a matter of maintaining a long term relationship.
We have dedicated VMs to host the license daemons, so the failure scenarios proposed are unlikely: we've experienced - and corrected - time skews, but they didn't come close to affecting the license servers. Maintaining the license servers is an accepted part of the license cost.
the flexlm usecase is: protect revenue for vendors that sell into large companies/organizations by making drm that is sufficiently annoying to defeat and/or live with in a degraded state such that it's more annoying than dealing with internal bureaucracy to get accounts payable and information technology to actually pay the software vendor.
saas of course just threatens to turn things off when the bill isn't paid.
it's how big organizations work, nothing happens until it's annoying.
Sadly, my experience with FLEXlm has been far from fascinating. Matlab uses it, and Matlab has some weird license types (that we use) that don't map well to FLEXlm, so they approximate it in odd ways.
I build (internal only) Debian packages for Matlab and FLEXlm, and admin the license server. I've seen far more of FLEXlm than I care to.
Mathworks made the mistake once of asking for my feedback about their product, from a sysadmin's perspective. They received about three earfuls from me, about half of which was dedicated to my disdain for FLEXlm.
FLEXlm seems simple on the surface, but has poor and outdated documentation (even once you find and read through the 300-400 page tome that's floating around) and is a pain to debug when under fire.
We have it running well enough now, but the road to get there should frankly embarrass those who ship (and/or rely on) the software today. Frustratingly, Mathworks' response to my feedback largely boiled down to "it's 3rd party software, so we can't do anything about it." As if FLEXlm were a force of nature, and there were no viable alternate models for physics. Not a good look.
Ha. Files that won’t be made for >24hr according to your system clock in important directories will flag for abuse. Good to know how to screw with your users I guess?
I don’t know much about DRM methods, but I assume this is a Windows95-level weak one?
> I don’t know much about DRM methods, but I assume this is a Windows95-level weak one?
Checking for files-from-the-future as evidence of clock-tampering is certainly not a new technique - and I'm sure it predates Windows 95.
I am familiar with a slightly improved version of the technique: rather than checking actual filesystem files, instead the DRM opened the HDD as a raw device and would write multiple redundant copies of timestamps and usage logs to unallocated parts of the disk - so even restoring a HDD (at the filesystem level) wouldn't be enough to make the DRM system think it was back-in-the-past. You'd have to do a raw low-level HDD restore that included the state of unallocated - but written - disk contents. I gather it would also raise a fuss if it couldn't find any of its previously written logs either.
...I don't know what happens if you try to run the software on a disk with zero free disk space, however.
I think it was used by some Macromedia titles in the late 1990s - or software of that variety.
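The "files from the future" heuristic discussed in this thread, written from the checking side as an added example (not code from FlexLM or from any commenter): walk a directory tree and report files whose modification time is ahead of the supplied clock by more than a tolerance window. The tolerance, and the option to skip whole subtrees, exist for the false positive described earlier in the thread, where a file server with a wrong clock stamps files slightly ahead of the client. The 24-hour window, the sample tree and the "nfs" directory name are constructed assumptions.

```python
"""Added example: scan for files whose mtime lies in the future relative to a
given clock. Not from the thread or from any license manager's code."""
import os
import tempfile
import time

DEFAULT_TOLERANCE = 24 * 3600   # seconds; assumed, echoing the 24h the thread mentions


def files_from_the_future(root, now=None, tolerance=DEFAULT_TOLERANCE, exclude=()):
    """Return a sorted list of (path, seconds_ahead) for files whose mtime
    exceeds `now` by more than `tolerance`.

    Subtrees whose path starts with a prefix in `exclude` (for instance a
    network mount whose server clock is not trusted) are not descended into.
    Symlinks are not followed, so a link to a future-dated file elsewhere does
    not count twice. Unreadable files are skipped: they are not evidence.
    """
    now = time.time() if now is None else now
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath.startswith(ex) for ex in exclude):
            dirnames[:] = []            # prune: do not walk the excluded tree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path, follow_symlinks=False).st_mtime
            except OSError:
                continue
            ahead = mtime - now
            if ahead > tolerance:
                hits.append((path, ahead))
    return sorted(hits)


def flagged_names(hits):
    """Basenames of flagged files, in scan order (handy for checks)."""
    return [os.path.basename(p) for p, _ in hits]


def build_sample_tree():
    """Construct a sample tree (assumed data): one file an hour old, one an
    hour ahead (tolerated clock skew), one three days ahead (flagged), and one
    three days ahead under an 'nfs' subtree the caller may exclude.
    Returns (root, reference_clock, nfs_dir)."""
    root = tempfile.mkdtemp(prefix="future-check-")
    now = time.time()
    nfs_dir = os.path.join(root, "nfs")
    os.makedirs(nfs_dir)
    samples = [("normal.txt", -3600), ("skewed.txt", 3600),
               ("future.txt", 3 * 86400), ("nfs/remote.txt", 3 * 86400)]
    for rel, offset in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("x")
        os.utime(path, (now + offset, now + offset))   # set atime and mtime
    return root, now, nfs_dir


if __name__ == "__main__":
    root, now, nfs_dir = build_sample_tree()
    for path, ahead in files_from_the_future(root, now=now):
        print(f"{path}: {ahead / 86400:.1f} days ahead of the clock")
    print("excluding the mount:",
          flagged_names(files_from_the_future(root, now=now, exclude=(nfs_dir,))))
```

The point of the tolerance is that a single skewed file is weak evidence on its own; a scanner that fails hard on an hour of drift will, as the thread's NFS anecdote shows, punish ordinary infrastructure problems rather than clock tampering.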
If you are on Windows, I guess the NTFS alternate data stream is a good place to hide random items. You can write whatever information into it while it stays invisible to the user or most file explorers, because it is so rarely used and Windows hides it intentionally (except that Windows itself uses it to mark downloaded files).
Windows also uses it for metadata, e.g. if you edit the "Comment" of a DLL file. The problem with NTFS alternate streams is that they are very easy to find if you know what you're looking for. It might be better to hide data in plain sight in the middle of existing registry keys. Or actually you can create inaccessible registry keys (depending on the API you use, you can actually put NULLs in registry key names, making them inaccessible for regedit... but there are programs to easily detect this as it's been known for a long time, see https://docs.microsoft.com/en-us/sysinternals/downloads/regd...)
`it's that they are very easy to find...` is probably true for most methods. Those methods aren't magic anymore if you know about them. And is that also the reason why everybody doesn't want to talk about how they hide things?
People assume that DRM is way stronger than it actually is. Most DRM for engineering software (>$20k per license) is easily defeated by just changing your MAC ID to match.
Using a special MAC ID is way more convenient each time you buy a new workstation, or i.e. get it back with new components on warranty, or whatever, than waiting days or weeks for support to generate new keys.
But yeah, it's 2021, and most DRM is pathetic. Hardware keys are honestly the only truly effective DRM. (Although re hardware keys: Very annoying when you have 5+ softwares and need 5+ USB ports ... perhaps someone should create a bluetooth based DRM dongle or something like that.)
Is flexlm comprehensively cracked yet? It seems like a juicy target.
Honestly, I hate all of these things. My employer spends multi-millions on software licenses every year. All these DRM schemes are painful, insulting, and inevitably break at the worst possible moment. We have one box -- legally acquired -- with a hardware dongle, plugged in the back of the machine. Someone smashed it when moving the thing accidentally. Were we inclined, with SEM, TEM, AFM and plenty of x-ray facilities, I'm sure that it's not beyond our ken to crack the sodding thing, and honestly, after that experience I was sorely tempted.
I'm fed up of being treated as a rich criminal by businesses. They want an un-get-out-able subscription agreement, for life, and with "markets made" at every available opportunity, i.e. $METRIC_FUCKTON_OF_MONEY for $MINIMAL_INCREMENTAL features. One commercial FEM solver I use charges per GPU, per CPU, and per year. The whole thing is based on maths invented in my university!
I worked at a company which made heavy use of a math library that had license enforcement via a method rather like FlexLM. After enough complaining, we got them to send us an unenforced version -- and they became a little more proactive in sending us annual bills and asking if we needed a new number of licenses.
If you're paying bigbucks, try asking for better terms. Explain how painful it is for you, not to pay them, but to not be able to use their software. Maybe it will work.
"Oh, OK. We will investigate alternatives at price points above what we currently pay you but less than 10x. Thanks for letting us know how much you value this relationship."
There are (with varying degrees of shadiness) cracking services which specifically cater to people who have legally purchased software but are hampered by the DRM. Dongles are a bit of an interesting case in that a lot of the time the software they protect is something like the control program for a 6-,7-,or 8-figure priced piece of industrial machinery, without which the software would be useless anyway, so the hardware is already effectively a dongle.
One of the pieces of hardware controlled is exactly that (albeit only six figures). The only thing that single USB dongle does is make me nervous about our backup strategy. I can't imagine that they prevent much piracy at all, to be honest. Commercial reverse engineering and espionage in East Asia maybe, but even then I'm not so sure it's a real problem as the other commercial suppliers of $MACHINE don't really do it. It's hard to take it as anything other than a giant "f-you" to the end users.
I worked a contract for some industrial equipment where the log data was manipulated specifically to ruin the results of anyone who tried to replicate it. This manufacturer knew their stuff was being cloned in Asia.
Yes it is, and while I've not seen any evidence, I suspect that's partially why AutoDesk are changing their subscription model.
As for dongles, you can pay to have them cloned. Claimed turnarounds are cheaper and faster than getting them from the software supplier in at least one instance. I've not used it, but goddamn was it tempting.
Can confirm. I looked at DRM for a certain FPGA vendor's EDA tools once. The license is MAC-tied, and on Linux, sometimes it picks the MAC of tun0 or some other virtual interface... which is the same on every host. Then your license works everywhere. Or you can just LD_PRELOAD a library that hijacks the relevant glibc function to always return a static MAC.
They also use encryption for their IP cores. It's RSA. The private key is conveniently called "rsa_key" in their binary. Which they shipped with symbols. Once you decrypt the IP cores you get the full source code, with original comments, to do with as you please.
It's all for show; the DRM in these "professional" tools is sillier than what games used in the 90s.
>is easily defeated by just changing your MAC ID to match.
HA I may or may not have cracked something similar back in the day. It was using GetIfTable() which meant that you'd need to have a NIC with the exact same name and mac address.
Of course just dumping the output from a licensed machine and injecting it into the memory when needed did the trick.
There's been lots and lots of titles with Denuvo cracked by scene groups like CODEX and CPY/Conspiracy and EMPRESS[1]. There's also controversy with the DRM's highly excessive and arguably wasteful use of resources. Some games were much more performant after Denuvo was removed
The target audience of FLEXlm is large companies with the ability to pay for many licenses of expensive per-seat software. For instance, MATLAB, AutoCAD, and various commercial FPGA and hardware design tools (Altera, Xilinx, Synopsys, etc.), etc. use FLEXlm.
So the threat model isn't really folks who are pirating any of this software off random warez sites and finding a crack - those users wouldn't be able to pay for a legitimate license anyway, so it's not like you're really losing profit from them.
This is more of a "locks keep honest people honest" licensing scheme. Your IT department is unlikely to set up a large-scale system for distributing cracks, so it makes sure that a company that can afford it and is willing to pay for it is paying for the right number of licenses. But just like mostly-well-meaning people might wander into a place without locks, mostly-well-meaning people might "temporarily" forget to get a proper license for a new hire and then forget to ever fix it, or put the software on a shared drive, or never get around to doing the paperwork to buy a renewal, or whatever. Having any license-checking scheme at all makes them remember to do that.
MATLAB, for instance, currently sells a "standard" license for $2,150, not counting annual support costs. They also sell a "home" license for $149. By doing that, they're already banking on the fact that no serious company's IT department is going to just buy a bunch of "home" licenses and save themselves 93% of the licensing cost. They clearly don't need the DRM for the last 7% to be foolproof.
I'd think the strongest answer for "keep honest people honest" is to streamline licensing as much as possible. In a fundamentally well-intentioned organization, what's the ratio of "dishonest" to "doesn't understand the license specifics" (i.e. not recycling licenses properly when a user replaces his machine)?
Vendors should be pushing for organization-level licensing. Anything per-user/core/project/etc. is going to require a lot of tracking overhead, and create much more incentives to game and gimmick it. I'm picturing the shops which stagger shifts at sites in different time zones so as to keep the simultaneous user count low, or people buying specific weird hardware to keep core counts low on per-core-licensed software.
If you're just doing organization-level licensing, you can scale all the counting back to a less disruptive and intensive "analytics-only" level, and just use it to inform the next round of negotiated pricing. "We know you have 500 simultaneous users, so we know this package is worth $50,000 per year to you."
> "We know you have 500 simultaneous users, so we know this package is worth $50,000 per year to you."
That's like 1-2 simulator licenses per year. You really don't know the cost of the software generally being protected by FlexLM do you? When I was working in defense contracting, every new grad that we hired into our FPGA or ASIC groups had to be accompanied by a $100,000/yr budget just to pay for EDA tools for their jobs. For more senior employees who'd generally work more in parallel, it wouldn't be odd to see $300-500k/yr in software licenses budgeted. Because of this, we basically tried to staff as many software engineers as possible on projects as most of what we billed them at was just profit as they're incredibly cheap to employ compared to other engineering disciplines.
FlexLM is annoying, but the things it's usually protecting are so expensive (and often extremely niche use) that companies actively try to find every legal way to avoid paying for it.
I see the appeal, but, I work at a couple-thousand-person company (an electronic trading firm) where we have a few diehard MATLAB users (we officially support the scientific Python ecosystem) and a small handful of folks doing FPGA work. If either of these licensed based on the total size of the organization, it would likely make us reconsider whether these products are worthwhile for us at all. I wouldn't be surprised if lots of FLEXlm's customers' customers were similar.
The problem with org-level licensing is that it prevents more discriminatory licensing models from being viable. The kinds of software being protected by FLEXlm have customer counts in the tens to hundreds, with every licensee almost certainly requiring additional development work or other forms of support or documentation be done and folded back into the upstream project at some point. Complicated licensing models, at least here, more or less exist to estimate how much a customer costs to support.
Mass-market proprietary software generally has far simpler licensing, purely because their customer lists are far larger relative to their staff. The actual development costs spread out more.
I remember the date trick, many computers were set at the wrong date back then for that reason.
But nowadays, a computer at the wrong date is pretty much unusable because of certificates, so much that it has become one of the typical tech support question, just after "is it plugged in".