<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>toxicsoftware.com &#187; AquaticPrime</title>
	<atom:link href="http://toxicsoftware.com/tag/aquaticprime/feed/" rel="self" type="application/rss+xml" />
	<link>http://toxicsoftware.com</link>
	<description>RANDOMIZE USR 0</description>
	<lastBuildDate>Sun, 01 Aug 2010 17:49:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>AquaticPrime Aftermath</title>
		<link>http://toxicsoftware.com/aquaticprime-aftermath/</link>
		<comments>http://toxicsoftware.com/aquaticprime-aftermath/#comments</comments>
		<pubDate>Fri, 09 Jun 2006 02:36:07 +0000</pubDate>
		<dc:creator>schwa</dc:creator>
				<category><![CDATA[Default]]></category>
		<category><![CDATA[AquaticPrime]]></category>
		<category><![CDATA[Cracks]]></category>
		<category><![CDATA[MacSB]]></category>
		<category><![CDATA[Piracy]]></category>

		<guid isPermaLink="false">http://toxicsoftware.com/blog/aquaticprime-aftermath/</guid>
		<description><![CDATA[Well it turned out that my posting yesterday caused quite a storm in a teacup. The macsb mailing list has probably seen more activity in a day than it does in a month. I&#8217;ve learnt quite a few things from &#8230; <a href="http://toxicsoftware.com/aquaticprime-aftermath/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Well it turned out that my <a href="/aquaticprime-warning/">posting</a> yesterday caused quite a storm in a teacup. The macsb mailing list has probably seen more activity in a day than it does in a month.</p>

<p>I&#8217;ve learnt quite a few things from this:</p>

<p>AquaticPrime works just as intended. The flaw I highlighted yesterday isn&#8217;t a flaw, because AquaticPrime wasn&#8217;t designed to defeat attacks of the kind described, although nowhere on the AquaticPrime website or inside the documentation will you find any of this discussed. We can generously put this down to an innocent omission.</p>

<p>Even though this isn&#8217;t a flaw, it seems great efforts are made in people&#8217;s code to prevent runtime attacks. Remember, it isn&#8217;t a flaw, it is a design decision.</p>

<p>Paradoxically, even though my posting failed to identify a flaw in AquaticPrime (so no harm done, right?), several people are rather angry that I have discussed it in the open. Apparently openly criticising open source software is not allowed. In fact I have been called some very nasty names by one particular AquaticPrime supporter over this.</p>

<p>It seems that some developers have given up the fight with pirates over runtime/binary attacks. Granted, this is a really tough fight to fight, but I find it very interesting that the recommended tactic is to just give up. I think this wildly underestimates pirates, and especially the more casual pirates. The argument seems to be that casual pirates will not bother finding/installing/running runtime cracks, and that spending effort trying to defeat the hardcore pirate is a waste of time.</p>

<p>However, with all the file sharing sites/software available to anyone today, casual pirates will be able to find cracks rather easily. And casual pirates probably won&#8217;t have any problems running these cracks on their machines (after all, they&#8217;re probably already running keygens for their stolen Adobe software). Giving this fight up seems to be giving up a little too easily.</p>

<p>So finally, be really careful when claiming that the &#8220;emperor has no clothes&#8221;. Such claims will never be received in a positive manner, regardless of whether the emperor is indeed stark naked or is in fact wearing the latest, most advanced, invisible wardrobe.</p>
]]></content:encoded>
			<wfw:commentRss>http://toxicsoftware.com/aquaticprime-aftermath/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>AquaticPrime Warning</title>
		<link>http://toxicsoftware.com/aquaticprime-warning/</link>
		<comments>http://toxicsoftware.com/aquaticprime-warning/#comments</comments>
		<pubDate>Thu, 08 Jun 2006 02:24:55 +0000</pubDate>
		<dc:creator>schwa</dc:creator>
				<category><![CDATA[Default]]></category>
		<category><![CDATA[AquaticPrime]]></category>
		<category><![CDATA[Cracks]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Software Licensing]]></category>
		<category><![CDATA[Software Registration]]></category>

		<guid isPermaLink="false">http://toxicsoftware.com/blog/aquaticprime-warning/</guid>
		<description><![CDATA[AquaticPrime is a &#8220;secure registration method for your shareware applications, released as free open-source software&#8221;. AquaticPrime uses &#8220;RSA encryption to provide excellent security &#8211; the same that is used to protect government documents&#8221;. This makes it sound like AquaticPrime is &#8230; <a href="http://toxicsoftware.com/aquaticprime-warning/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.aquaticmac.com/">AquaticPrime</a> is a &#8220;secure registration method for your shareware applications, released as free open-source software&#8221;.</p>

<p>AquaticPrime uses &#8220;RSA encryption to provide excellent security &#8211; the same that is used to protect government documents&#8221;. This makes it sound like AquaticPrime is a great solution for Software Developers wanting to prevent piracy by adopting a software licensing scheme. A lot of <a href="http://groups.yahoo.com/group/macsb/">Macintosh Small Business</a> developers are using or are considering using AquaticPrime.</p>

<p>Unfortunately for them, AquaticPrime is incredibly easy to crack. I am not a <a href="http://en.wikipedia.org/wiki/Computer_security">computer security</a> expert and I am definitely not a <a href="http://en.wikipedia.org/wiki/Cracker_%28computing%29">software cracker</a>, but I was able to crack an application that used AquaticPrime in less than thirty minutes with almost no preparation time. In fact, I am pretty sure that my crack will work with almost all applications that use AquaticPrime.</p>

<p>AquaticPrime uses a technique similar to one discussed by Allan Odgaard on his <a href="http://macromates.com/sigpipe/archives/2004/09/05/using-openssl-for-license-keys/#comment-82">blog</a>. <a href="http://en.wikipedia.org/wiki/Public_key_cryptography">Public key cryptography</a> techniques are used to generate a linked pair of public and private keys. The private key is kept by the software developer and the public key is shipped inside the application&#8217;s binary. When a user buys a copy of the software, a license file is signed using the private key. The software can then use its public key to verify that the license key was signed by the corresponding private key. Someone trying to steal a copy of the software would be unable to forge their own license files because the public key works with one and only one private key.</p>

<p>The technique I used to defeat AquaticPrime involved creating my own private and public keys (using the AquaticPrime utility itself) and then generating a fake license key (registered to a &#8220;John Doe&#8221;) using the new private key. The trick then was cracking the test application and convincing it to use my public key instead of the real key.</p>

<p>To crack the application, I needed a way of writing code that could be executed by the targeted application. Fortunately, there are a plethora of methods to do that on Mac OS X: <a href="http://www.unsanity.com/haxies/ape">Application Enhancer</a>, <a href="http://rentzsch.com/mach_inject/">MachInject</a>, <a href="http://www.cocoadev.com/index.pl?InputManager">InputManagers</a>, and <a href="http://culater.net/software/SIMBL/SIMBL.php">SIMBL</a> plugins are just some of the many ways of forcing third-party applications to run foreign code. I chose to use a SIMBL plugin because I had never used SIMBL before and wanted to learn a little about it. Creating a SIMBL plugin turned out to be incredibly easy and I had my code running inside the targeted application in just a few minutes. In a couple of minutes more, I had created an object that was masquerading as an <a href="http://aquaticmac.com/guide/validate.php">AquaticPrime</a> object. The final step was to make my masquerading object ignore the application&#8217;s public key and use my fake public key instead. Once this was achieved I loaded my (or rather John Doe&#8217;s) fake license key into the application and found that I had cracked the application.</p>

<p>It really was as simple as that. Of course there were a few WTF moments and application crashes, but nothing unusual during development (especially development of this kind). The code currently only works with AquaticPrime&#8217;s Objective-C interface, but the same principles can be used for the pure C interface too. I have tried this technique on two shareware applications and it worked fine with both. I am reasonably confident that it should work with most AquaticPrime-using applications.</p>

<p>The method used to defeat AquaticPrime isn&#8217;t particularly obscure, and in fact is just one of many methods that could be used to defeat it. However, this method is particularly nice in that you&#8217;re not really hacking the application using a more brute-force method. You&#8217;re merely providing it with bad data, which it then uses to validate your bad license (kind of like Garbage In, Garbage Out). In all other ways AquaticPrime is working as normal and is blissfully unaware that it has been cracked. This means that some of the techniques that developers can use to find out if their software has been cracked are impossible.</p>

<p>AquaticPrime is a well written, documented and marketed piece of software. But it suffers from this huge design flaw. AquaticPrime is exceptionally easy to crack, either with this method or with a variety of other, possibly cruder methods. Many of these methods are equally applicable to other registration schemes, so it is somewhat unfair to single AquaticPrime out. But because AquaticPrime provides all the source code and headers to anyone, it makes it really easy for anyone to crack. Although hiding the source code would have been a form of &#8220;<a href="http://en.wikipedia.org/wiki/Security_through_obscurity">security through obscurity</a>&#8221;, this would have at least slowed me down considerably. As it was, I was handed everything I needed to crack this software on a plate. And if I can crack this software in less than 30 minutes, I am sure crackers who do this thing professionally would have had even less trouble.</p>

<p>Even more worrying, this technique doesn&#8217;t just work on a single application; it will work on all applications that use AquaticPrime. I don&#8217;t know how many applications out there use AquaticPrime, but each is vulnerable to the same crack and all would be cracked essentially &#8220;for free&#8221;. There are some things a developer could do to shore up this vulnerability, but in reality most solutions are probably just as easily cracked.</p>
]]></content:encoded>
			<wfw:commentRss>http://toxicsoftware.com/aquaticprime-warning/feed/</wfw:commentRss>
		<slash:comments>39</slash:comments>
		</item>
	</channel>
</rss>
