1

With reverse engineering, you can disassemble, edit and do a lot more. This is probably used for cracking software in order to get the full versions and avoid using actual money.

I do not really know how keygens work though... but I have read a lot of articles about the difficulty of protecting your work from reverse engineering.

Let's focus on the part of a program where you have to pay in order to get the full protection, then people can do some reverse engineering and find out how to program work and then replace some variables in order to crack the access point or by doing another smart move.

Is it even possible to protect yourself from such things? I mean even with an obfuscated coding style, it is still possible to disassemble and edit the program correct?

schroeder
  • 125,553
  • 55
  • 289
  • 326
That Guy
  • 119
  • 5
  • Short answer: an end user can always reverse engineer the code. Obfuscation makes it harder, not impossible. If part of your code is secret, make it a client/server application and put the secret part on the server. – S.L. Barth Feb 14 '17 at 13:44
  • @S.L.Barth but if a software was in trail version and the user click "enter activation key" then the software would check if the entered key matched an entry on something like an sql database(they use an online database in order to avoid these persons from checking keys). However, can't reverse engineers simply find the place where the comparison happens and then if the output would return true or false, change the output to always return true as if the entered key matched an entry in the online database? Thank again! – That Guy Feb 14 '17 at 14:08
  • 1
    @npp You could avoid that by returning something a bit more involved than a true-false value. The decryption key for the data required, for example (ideally keyed to the specific user). – Matthew Feb 14 '17 at 14:11
  • But in fact, couldn't the "attackers" also find out about that by learning how the code works? – That Guy Feb 14 '17 at 14:13
  • @npp You need the server to return something that the client doesn't have access to. A banking app, for example, gives access to the user's bank account. The user could fake these values on the client - but that won't change the amount of money they really have on the bank. That is controlled by the server. – S.L. Barth Feb 14 '17 at 14:22
  • @npp If they can find the key from the encrypted data and the method, it's a really poor encryption method, or they should be going after much bigger targets! Encryption methods are designed to only produce the right output given the correct key. – Matthew Feb 14 '17 at 14:31
  • I know but they do not have to find a specific key if they find the place where it the entered key is being compared to an encrypted entry from an online database right? Because then they could simply make the output of the comparison to return the wanted value in order to access the state where a correct key have been entered. Am I misunderstanding something? Thanks again bud! – That Guy Feb 14 '17 at 14:59
  • I mean because if so, is it even worth bothering? – That Guy Feb 14 '17 at 21:23
  • 1
    @npp The key isn't compared to anything, it is used. With a incorrect key decryption takes the encrypted stuff that looks like random garbage and makes it random garbage, the correct key makes it runnable code or useful data. –  Feb 14 '17 at 23:25

1 Answers1

2

As long as the user has full control of the hardware where the software is running on (i.e. typical PC) it is impossible to fully protect the software. At most one can make it harder with code obfuscation or similar techniques.

To get better protection one has to move at least some essential parts of the software into an area which can not be controlled or reverse engineered by the user, i.e. specialized tamper resistant hardware or a remote system which is under your control. An example for hardware are smart cards which only allow operations using a secret key but don't give access to the key itself. An example for remote system is the typical setup of a browser and a web server where the business logic is running on the server and only the frontend is running in the browser. This way the software implementing the business logic can not be directly accessed and reverse engineered by the client. An attacker is thus restricted to a black box approach, i.e. can only deduct the functionality by comparing input and output and maybe replicate part of the functionality in its own software. But the attacker cannot access, modify or copy the original software.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Another crucial advantage of having core functionality on your own servers is that you can write the word "cloud" all over your marketing material. :) – Philipp Feb 14 '17 at 15:58
  • @Philipp: true, but since you moved the core functionality into the *cloud* for security reasons you should at least add *cyber* too. – Steffen Ullrich Feb 14 '17 at 16:27