04-10-2010, 04:11 AM   #101
Thanks to OP!

My thanks to OP and other contributors! Great info on this and prev. thread.

I'm getting ready to release my first iPhone app and have a friend with 4:1 piracy ratio on his app (4 pirates for 1 paid)...so I find myself here, starting to work on (c) code.

I wanted to contribute some general (non-iPhone-specific) advice that makes it harder to crack at the assembly level. This is my first project using Xcode and iPhone, and most of it we did in C instead of Obj-C, so some of these may not be applicable to the Obj-C pre-processor:

BTW - If you've never loaded a stripped app you've written into an RE app like IDA, download the free demo and give it a try. You'll be surprised how easy it is to see lots of symbols and function names, especially if you're using ObjC or C++.

So, some basic stuff:

Never do this:

Code:
if( isPirated() ) {
    exit_routine();
}

All a cracker has to do is nop your call to exit_routine() or make isPirated() always return 0x00. Both are incredibly easy.

Obfuscate your copy protection routine names using the preprocessor. For example:
Code:
#define isPirated isAudioEnabled
The preprocessor basically performs a search and replace when you use a #define like this. If the symbol for the isPirated() routine ends up making it through to the executable, it will be called "isAudioEnabled", but in your source you use isPirated() so it's easy to remember what you're doing.

Crackers usually ONLY check some basic functionality for a short time before assuming their crack succeeded. Delay your reaction somehow, and try not to make the reaction exit the app. For example, if you detect a pirated copy, wait until half-way through the second level and display something like a "missing sound asset" error message and hang the app. (Make sure the error message you show is not easy to find - put code in lots of places to show that message, even if they're inside if-blocks that never get executed.) First, the cracker will suspect there's some other problem. You'll get users asking for support and/or complaining on forums about the issue. Normally legit users will reply back that it works for them, and you can put a note in your FAQ something to the effect of "we have seen this issue with some illegal copies of the game. If you experience this on a legitimate copy, please re-download from iTunes." You could also just do something annoying like XOR all the PCM audio at some point, or change some of the sprites into solid colored rectangles.

Call your copy protection check routines through multiple references, and store references in unrelated structs. This makes the calls much harder to find. The reference is also handy for checksumming your protection routine.

Pass a variable to your copy protection routine that has subtle influence over its success or failure. In your code, sometimes call checks you know will fail. If they don't fail, the copy is pirated (probably the routine is modded to always return 0 or 1).

Use multiple setjmp() and longjmp()s to react to piracy triggers. They're hard to trace in assembly and most programmers have no idea what they do.

Obfuscate important strings with ^0xFF on each char. It makes text look like binary data and is easy to forward/backward encrypt. It's not hard to decrypt but makes it harder to find strings than just looking with a hex editor or software like IDA. If you want to get fancy, you can do something simple like char[1-n] = char[1-n] ^ char [0-(n-1)] to make it a little harder.

Release your own "0-day" cracked version of your own software the day before it hits the iPhone store. Grab some other cracked app and copy the cracker's template. It also doesn't hurt to insult other cracking teams in the release. Put it up everywhere you can. Make this version of the app just a little more than any free demo version, but not the full app, and have it stop with errors of some sort. Think of this as your "second" free demo for the piracy crowd. It's a great marketing tool. If you don't want to use this as a marketing tool and are feeling malicious, have it email soft-core gay **** to everyone in the user's contact list.
Posted by proberts9999
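
The known-fail call and the reference kept in an unrelated struct, both described in post #101, combined in one added example (this is not code from the post). PROBE_REAL, PROBE_CANARY, audio_config, evaluate and the g_bundle_intact stand-in are hypothetical names; the real integrity test is assumed to live elsewhere.

```c
#include <stdio.h>

/* Preprocessor renaming from the post: the source reads isPirated,
   any symbol that survives stripping reads isAudioEnabled. */
#define isPirated isAudioEnabled

#define PROBE_REAL   0x5A16u             /* constructed: runs the genuine check */
#define PROBE_CANARY (PROBE_REAL ^ 1u)   /* constructed: must always "fail"     */

/* Stand-in for a real integrity test (assumption for this example). */
static int g_bundle_intact = 1;

/* Nonzero means "pirated". The probe's low bit feeds into the result, so
   a routine patched to a constant answers wrongly for one of the probes. */
static int isPirated(unsigned probe) {
    return (int)((probe ^ PROBE_REAL) & 1u) | !g_bundle_intact;
}

/* What a cracked build effectively contains: the check forced to 0. */
static int patched_always_zero(unsigned probe) {
    (void)probe;
    return 0;
}

/* The reference to the check lives in a struct that looks unrelated. */
typedef int (*check_fn)(unsigned);
struct audio_config {
    int      sample_rate;
    check_fn mixer_ready;   /* really the protection routine */
};

enum verdict { GENUINE = 0, PIRATED = 1, CHECK_PATCHED = 2 };

static enum verdict evaluate(const struct audio_config *cfg) {
    /* Known-fail call first: a 0 here means the routine was tampered with. */
    if (cfg->mixer_ready(PROBE_CANARY) == 0)
        return CHECK_PATCHED;
    return cfg->mixer_ready(PROBE_REAL) ? PIRATED : GENUINE;
}

int main(void) {
    struct audio_config cfg     = { 44100, isPirated };
    struct audio_config cracked = { 44100, patched_always_zero };

    printf("untouched build: %d\n", evaluate(&cfg));
    g_bundle_intact = 0;
    printf("failed integrity: %d\n", evaluate(&cfg));
    printf("patched routine: %d\n", evaluate(&cracked));
    return 0;
}
```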
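
The two XOR string schemes from post #101 written out as an added example (not the poster's code), with a strings-style scan to show what the obfuscation hides. All function names are made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simple form from the post: flip every bit. Self-inverse. */
static void xor_ff(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= 0xFF;
}

/* Chained form: c[i] = p[i] ^ p[i-1] for i >= 1. Done in place, so walk
   backwards; each byte must be mixed with its still-plain predecessor. */
static void chain_encode(unsigned char *buf, size_t n) {
    for (size_t i = n; i-- > 1; )
        buf[i] ^= buf[i - 1];
}

/* Inverse: walk forwards so the predecessor is already decoded. */
static void chain_decode(unsigned char *buf, size_t n) {
    for (size_t i = 1; i < n; i++)
        buf[i] ^= buf[i - 1];
}

/* Both steps together. The length is passed explicitly: chaining alone
   turns doubled letters into 0x00, so strlen() cannot be trusted. */
static void obfuscate(unsigned char *buf, size_t n) { chain_encode(buf, n); xor_ff(buf, n); }
static void reveal(unsigned char *buf, size_t n)    { xor_ff(buf, n); chain_decode(buf, n); }

/* What a strings-style scan looks for: runs of printable ASCII. */
static size_t longest_printable_run(const unsigned char *buf, size_t n) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (buf[i] >= 0x20 && buf[i] < 0x7F) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

int main(void) {
    unsigned char msg[] = "missing sound asset";  /* message quoted in the post */
    size_t n = sizeof msg - 1;

    obfuscate(msg, n);
    printf("printable run after obfuscation: %zu\n", longest_printable_run(msg, n));
    reveal(msg, n);
    printf("restored: %s\n", (char *)msg);
    return 0;
}
```

In a shipped build the encoded bytes, produced at build time, are what get compiled in; the plain literal appears here only so the round trip can be checked.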

04-21-2010, 06:10 PM   #102
Another way

Quote:
Originally Posted by Shmoopi
The absolute last thing I have for you today is some not so covert exits:
Code:
close(0);
[[UIApplication sharedApplication] terminate];
[[UIApplication sharedApplication] terminateWithSuccess];
UIWebView *a = [UIWebView alloc];
UIWindow *b = [UIWindow alloc];
UIView *c = [UIView alloc];
UILabel *d = [UILabel alloc];
UITextField *e = [UITextField alloc];
UIImageView *f = [UIImageView alloc];
UIImage *g = [UIImage alloc];
UISwitch *h = [UISwitch alloc];
UISegmentedControl *i = [UISegmentedControl alloc];
UITabBar *j = [UITabBar alloc];
[a alloc];
[b alloc];
[c alloc];
[d alloc];
[e alloc];
[f alloc];
[g alloc];
[h alloc];
[i alloc];
[j alloc];
system("killall SpringBoard");
Probably the second most searched thing by iPhone crackers in a hex editor, is Close(0). In order to avoid having your Anti-Piracy code compromised by erasing Close(0), add as many ways to close as possible. Not only will this confuse the cracker as to why the application is still closing, it will be hard to edit out.

Well, that's everything. Enjoy it, and good luck to everyone with apps in the App store!
Links-
Check Executable's Encryption
Deny Debugger
Check If File Exists
Timestamp Checks
iPhone Piracy Protection Code - A Tutorial
Dr. Touch Anti-Crack
JavaConvert
Source Code

Is it better to send him to Safari and launch apple.com ???
Posted by muthuka

04-28-2010, 09:09 AM   #103

Quote:
Originally Posted by muthuka
Is it better to send him to Safari and launch apple.com ???

activate subliminal messages telling him to p.i.s.s in his pants
__________________
Work like a slave, live like a king.
Posted by Tambourin

05-09-2010, 11:13 AM   #104

Looks like this thread has slowed down a bit. I've included all the items listed in this thread except for the encryption check into my app. Didn't seem to do anything as only hours after releasing my newest app, it was cracked/pirated and provided on Installous.
Posted by dustbyter

05-09-2010, 03:32 PM   #105

Did you check if the cracked version actually works?
Posted by Tambourin

05-09-2010, 04:56 PM   #106

Yes I did. I confirmed it.

Per the name also it was patched, which means the executable was reverse engineered and modified to jump past the checks which are supposed to kill the application.
Posted by dustbyter

05-15-2010, 01:31 AM   #107
mtiks

mtiks - an anti-piracy solution for iPhone/iPad apps. Private beta invitations: mtiks.

Quote:
Originally Posted by dustbyter
Yes I did. I confirmed it.

Per the name also it was patched, which means the executable was reverse engineered and modified to jump past the checks which are supposed to kill the application.

Last edited by muthuka; 05-15-2010 at 01:33 AM.
Posted by muthuka

05-15-2010, 01:36 AM   #108
mtiks - Anti-piracy solution for iphone/ipad apps

Apple rejected the code for using terminateWithSuccess. It's better if you stay away. You can also check out mtiks.com for a solution. Private beta is open.

Posted by muthuka

05-16-2010, 08:57 AM   #109

Great post. Many thanks
Posted by iPhoneConnection

05-21-2010, 07:49 AM   #110

The last two methods, they have 3 and 4 "blank imports" at the top. I get compiler errors from that and things like Dl_info not being defined... How come no one has the same problem so far? What am I missing?
Posted by RanReloaded

05-21-2010, 08:05 AM   #111

Forget it... I just #import'ed (after googling for dlopen, etc) and now the second-from-last method works. If I bypass the simulator check return at the beginning, Xcode debugger fails!

Some thoughts:

1) Probably I should NOT call this function from main(). main() itself is a pretty small function and the crackers will soon realize there's some other function call besides the usual template (autorelease pool, etc.). Maybe I can bury it among all the pre-launch processing I do in the huge appDidFinishLaunch.

2) I should improve the ptrace obfuscation, though someone said strings are NEVER safe.

3) Before calling dlclose, I could do some more damage and corrupt some of the resource files. Is this possible?

EDIT: Now I see why the #imports were missing. Likely Forum post parsing does something to the angled brackets. I meant "dlfcn.h"
Posted by RanReloaded

05-21-2010, 09:04 AM   #112

I just tried deleting everything one folder above /Documents, and I bricked the simulator! Installing SDK again...

I could delete png's only and render the binary unusable, but don't want to include the string "png" anywhere...
Posted by RanReloaded

05-21-2010, 12:05 PM   #113

So...

I planted a lot of decoys. First, the most basic methods exposed here. Second, lots of 'close(0)' everywhere, under conditions that NEVER hold (but you have to know how the program works to figure that out).

...and other methods I better not discuss in public!
Posted by RanReloaded

06-03-2010, 12:08 PM   #114

This is a great thread and I have learned a lot.

I need your opinion/suggestion about what I am about to do for piracy checking in my app. I estimate about 50%-75% of the users of my app use a pirated version.

The app visits a page on my server and, if it's the first visit of the day for that user, the page delivers the next record of a database. New users always start from the 1st record.

My plan is to make the new version of the app visit a new page and pass some encrypted value that tells the page whether it comes from a pirated app or not. If it is from a pirated one, it stops delivering new records if, say, 5 records have been delivered. No error, no warning. A few days after the new app, I would change the existing page so it won't work for new users. People who were using the old app (legal or illegal) can still use the app.

What do you think about this approach?

Which one of the methods mentioned in this great thread do you suggest to use?

Thanks to all who contributed to this article.
Posted by pofak

07-02-2010, 03:08 PM   #115

I've had my app rejected due to a crash, think it's the timeIntervalSinceReferenceDate stuff with OS4 which is causing the problem.

Thoughts?
Posted by Jules2010

07-03-2010, 06:37 PM   #116

They usually send you an email with the rejection reason.

I'd check that out first. Also, can we have this moved from this thread as it doesn't apply to it?
Posted by dustbyter

07-04-2010, 03:09 AM   #117

In the rejection email, I get a nondescript error. When I comment out that code mentioned and get my friend to try it on his iPhone4 it doesn't crash.

This thread talks about code to use to give some protection from piracy, if that code no longer works on newer equipment, it's VERY relevant to everyone using it. So I can't say why on earth you say it doesn't apply!!!!
Posted by Jules2010

08-12-2010, 04:40 PM   #118

Anyone else seeing with Xcode 3.2.3 a message that getgid() is an implicit declaration?

Suppose I'm missing a library that was prob shifted around in iOS4.
Posted by dustbyter

09-20-2010, 06:22 PM   #119

Make your app work wrong when pirated, don't use close ...
Posted by Sai Baba

09-21-2010, 01:09 AM   #120
Few tips

Quote:
Originally Posted by Sai Baba
Make your app work wrong when pirated, don't use close ...

Few more to do it when you detect pirated:

- Show iAd
- Show a survey and annoy him!
- Show popup in an important time (save button or post data somewhere)

I guess you are trying to reach a new set of users with your code. Good to ask him to pay...
Posted by muthuka

09-25-2010, 05:00 PM   #121

Are the methods for detecting a cracked app described in this thread still working?

All I need to do is detect if an app is cracked (rather than add crack protection) and was wondering if this post is still updated/recent (since the original post is from 09)
__________________
I'm starting a new blog dedicated to iOS development. Check it out at:

http://www.iosdevscreencasts.com
Posted by msencenb

09-25-2010, 06:29 PM   #122

Quote:
Originally Posted by msencenb
Are the methods for detecting a cracked app described in this thread still working?

All I need to do is detect if an app is cracked (rather than add crack protection) and was wondering if this post is still updated/recent (since the original post is from 09)

read the thread if you actually care
Posted by meleader2

09-27-2010, 06:56 AM   #123

F*** all those piracy protection codes, they are useless. Give a cracker 1 hour and he has figured them out. The only thing that works, and I use it too, is Index of / - they efficiently remove the pirated content and even provide free anti-piracy monitoring and consulting.
Posted by mesohorny

09-29-2010, 09:37 AM   #124

If this helps anyone, I know that the cracker M0st_Unique (who prowls this forum for promo codes) always leaves a blank file with his name inside of the cracked bundle. You can then check if this file exists and then feign an error to the application if it does.
Posted by Speed

09-29-2010, 11:28 AM   #125

Doesn't always work.

Was something I had started checking for in my apps as well.
Posted by dustbyter