Copy Protection Overview

From The Apple Wiki

Landscape and Motivation

Applications downloaded from the iTunes App Store are protected by FairPlay DRM. The FairPlay copy protection has been cracked some time ago [1] [Archived 2009-04-26 at the Wayback Machine]. What's worse, the copy removal method has been automated by the infamous Crackulous application [2]. The silver lining is that removing the copy protection from applications invalidates Apple's signature, so these applications cannot be run on phones without the jailbreak.

iPhone application piracy is significant [3][4] [Archived 2009-05-11 at the Wayback Machine][5], so relying on Apple's protection scheme is not a solution for most developers.

Fighting one particular automated process for removing copy protection is easy [6], but curbing iPhone application cracking is difficult, because of the many undocumented moving pieces (Apple's signatures, protection mechanism, application approval process, and iTunes distribution). Learning all this is a lot of work, which is currently duplicated by all independent developers. If developers pool their knowledge into The Apple Wiki, the learning effort will not be duplicated anymore, and applications will have higher overall quality. Ideally, developers will produce an open-source obfuscation mechanism that is trivial to apply to applications, but takes a non-trivial amount of time to reverse.

Copy Protection Removal Overview

Developers that want to guard against copy protection removal must understand how it works. [7] [Archived 2009-04-26 at the Wayback Machine] documents the process in a tutorial fashion. A summary follows.

The only encrypted part in an iPhone application is the executable file. The cracking process starts the victim application, then uses a debugger to suspend it. The application's executable code lies unprotected in RAM, and the debugger dumps it on disk. Then, the encrypted part of the executable file is replaced with the unencrypted code dumped from memory.

The application's Info.plist is modified so that the jailbroken iPhone kernel does not check the application's signature, which is invalidated by the modification of the executable file. A more rigurous cracking process could remove Apple's signatures and certificates, and replace them with a self-signed certificate, as is done when developing with the jailbroken toolchain.

Defeating Copy Protection Removal

RIPdev suggests the following methods to counter copy protection removal.


Covert Exit

You can use:

  __asm__ volatile("swi 0x11");

instead of calling exit(); since that it more obvious, but you may want to have the "swi 0x11" part be a NOP then use STRB to reconstruct it opcode by opcode. The reason I did not include an example of "reconstructing" it in the above snippet is simple. If everyone uses it, then it would be reduced to a simple byte search by crackers. If everyone does it in a different way, then it would be much tougher.

Integrity Checks

An increasing trend among application developers is to use inexpensive integrity checks, and revert into a trial mode or shut down the application, some time after the integrity checks fail. An essential step is making sure the application does not act too soon, so that "crackers" do not notice the integrity checking process, and release the application as cracked immediately after removing the FairPlay encryption.

[8] suggests examining the Info.plist file, and checking for the existence of the SignerIdentity key that is added in the cracking process, and would not exist on any applications originating from the App Store. However, this is not advisible, as it can be patched simply by the cracker searching for either the "SignerIdentity" string in your code, or a bunch of MOVs if you used stringWithFormat to construct the string character by character. Anyway, it would probably be more beneficial if you checked the size and sha1 of the Info.plist, as although people will find this, it just makes it a bit harder than it would have been. Hell, with the check for the existence of SignerIdentity Check, someone could put together a program to automatically search for that string and then put patch it to be "SignerIdentitx" or something, so that your program obviously won't find it in the Info.plist. [9] suggests reading the executable file, and checking for the Mach-O directives for an encrypted section, as FairPlay introduces an encrypted section which is removed by cracked applications.

These methods are cheap to implement. They are also easy to break, once the cracker is aware of them. This explains the need for introducing a delay between the crack detection and the delivery of the punishment, which can be as mild as popping a dialog box appealing to the user to purchase the application [10] [Archived 2009-05-13 at the Wayback Machine].