Shareware Insight: Piracy / by Murray Hurps

I launched Ad Muncher 15 years ago.  In that time, I've paid myself much less than the market rate for my work, but was powered to continue by a passion for what I was producing.

It was therefore hard to see the rampant piracy of Ad Muncher, with cracked versions often being released the day after a new version became available, with their own pirate list update servers and thousands of posts across forums discussing how to use them:

[Image: Forum2.png]

My intention in addressing this was not to stop all piracy, but just to increase the time between a new release and a cracked version being available, so that truly passionate users could be motivated to support further development.

"ProHart"

My solution was a proprietary obfuscation system I named Pro Hart, as it made such a mess of the code I'd worked so hard on.

Name inspired by the wonderful work of Australian artist Kevin Charles "Pro" Hart.

The process worked as follows:

[Image: Document_2014-04-22_08-24-32.png]

Here's an example before and after of just one obfuscated instruction:

Before:

mov	eax, offset szMyString

After:

call 	?PH_OPUSH_5
dd 	offset szMyString + PH_OPUSH_5_ALGORITHM_RETURNSIGN ($ - offset codeStart) + PH_OPUSH_5_ALGORITHM_RANDOM
pop	eax

; one of many randomized push handling functions,
; each with randomly selected code paths and constants

PH_OPUSH_5_ALGORITHM_RANDOM		equ 2966022664
PH_OPUSH_5_ALGORITHM_RETURNSIGN	equ <->

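?PH_OPUSH_5:
	push	edx				; reserve a stack slot (edx itself is never modified)
	push	ecx
	push	edi
	mov	ecx, dword ptr [esp + 8 + 4]	; ecx = return address, i.e. the address of the dd after the call
	lea	ecx, [ecx + 4]			; ecx = address of the instruction after the dd
	mov	edi, dword ptr [ecx - 4]	; edi = encoded dd value
	lea	edi, [edi + ecx - 4 - codeStartAddress - PH_OPUSH_5_ALGORITHM_RANDOM]	; remove the position offset and the random constant
	mov	dword ptr [esp + 4 + 4 + 4],	edi	; overwrite the return-address slot with the decoded value
	pop	edi
	mov	dword ptr [esp + 4], ecx	; real return address goes into the slot reserved by push edx
	pop	ecx
	ret					; resume after the dd, leaving the decoded value on the stack for pop eax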

The obfuscation had many different variations, which were applied in different ways to all applicable instruction types.
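
The arithmetic behind that handler, modelled in C as an added example (not Ad Muncher's code): the build step mixes the target address with the call site's offset from codeStart and the random constant, and the handler reverses it from its return address. Only the constant 2966022664 and the "-" sign come from the listing above; the "+" variant, the function names and every address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constant taken from the listing; every address below is constructed. */
#define PH_RANDOM 2966022664u

/* Build-time side: the dword emitted after the call.
 * site = address of that dword, sign = -1 for the listing's "<->",
 * +1 for an assumed variant with the opposite sign. Arithmetic is mod 2^32. */
uint32_t ph_encode(uint32_t target, uint32_t site, uint32_t code_start, int sign)
{
    uint32_t delta = site - code_start;
    return (sign < 0 ? target - delta : target + delta) + PH_RANDOM;
}

/* Run-time side: what the handler derives from its return address (== site). */
uint32_t ph_decode(uint32_t stored, uint32_t site, uint32_t code_start, int sign)
{
    uint32_t delta = site - code_start;
    return (sign < 0 ? stored + delta : stored - delta) - PH_RANDOM;
}

int main(void)
{
    const uint32_t code_start = 0x00401000u, target = 0x00403000u;
    const uint32_t sites[] = { 0x00401234u, 0x00401900u };

    for (int i = 0; i < 2; i++) {
        uint32_t stored = ph_encode(target, sites[i], code_start, -1);
        printf("site %08X stores %08X, decodes to %08X\n",
               (unsigned)sites[i], (unsigned)stored,
               (unsigned)ph_decode(stored, sites[i], code_start, -1));
    }
    return 0;
}
```

Both sites reference the same address, yet the stored dwords differ from each other and from the address itself, so a search of the binary for the raw address finds no cross-references.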

The end results of all the different code changes were:

  • Static analysis was made harder by hiding references to functions, values and data locations.
  • Live analysis was made harder by making code tracing extremely time-consuming.
  • Anti-debugging checks could be hidden more easily.
  • Self-verifying code functions could be hidden in enough places, each with different triggers, that an attacker would find it difficult to be certain they were all disabled before releasing their modified version to other users.

ProHart increased the time between our releases and pirated releases to around two months, which achieved our goals and produced a new and noticeable spike in sales whenever a new version was released.

Thank you

To any software cracker that managed to make it through the hoops: Kudos for your skills and persistence, I hope the extra complexity was an enjoyable challenge for you.

To any Ad Muncher users who have ever supported development by registering: I appreciate your support hugely.  I hope you understand the need for this slight diversion in development and the net positive return it had on development resources.

The future

After 15 years, last week I announced that Ad Muncher will soon be released for free.

Nobody will ever need to download another cracked version from an untrusted source, and I'm able to do this thanks to the support of 100,000+ people who have contributed their hard-earned money to Ad Muncher's development.