Malwarebytes Offers Pirates Its Premium Antimalware Product For Free
An anonymous reader writes: If you have a cracked or pirated version of the Malwarebytes Anti-Malware (MBAM) product, the company has debuted an Amnesty program for you. VentureBeat reports: "If you pirated Malwarebytes Anti-Malware, purchased a counterfeit version of the software, or are having problems with your key in general, the company is offering a free replacement key." CEO Marcin Kleczynski explained the program, and his statement reads in part: "When I started Malwarebytes, I absolutely had no idea how successful we would be today. I am extremely grateful for all of the support from everyone and how fast we’ve grown. That being said, I picked a very insecure license key algorithm and as such, generating a pirated key was, and is, very simple.
The problem with pirated keys is that they may collide with a legitimate key just by the sheer numbers. For example, Larry may generate a pirated key that matches the exact key that I already bought. Yes, this is silly, and yes, this is literally the first thing a professional software company thinks of when building license key generation, but when you think you’re building a product for just a few people you don’t hash out these details.
Now we’ve grown up, and we’ve got a new licensing system that we’ve rolled out in stages. The only problem is that we have millions of users that we’ve sold keys to, or a reseller has sold keys to, or we’ve given out keys to without keeping track. It is a mess, and you as a consumer have every right to be upset.
Hardware Locking (Score:1)
Re: (Score:3, Informative)
Burned-in MACs? My nForce 2 motherboard's NIC (the nVidia one, not the Realtek one) has a MAC that's user-definable in BIOS.
Re: (Score:1)
Re: (Score:2, Informative)
Re: (Score:1)
There is no "Windows CLI". I even told you that when I said "(Hint - there is no such thing.)".
Windows is a GUI. Windows does not have a CLI. The CLI you are referring to is a faked, extended DOS environment (to various degrees of fakeness depending on your version and bitness of Windows, cmd.exe vs. command.com, etc. ).
It is not Windows. Windows has PowerShell now, but it's not a core part of the OS.
In short, Windows does NOT have a true CLI.
Re: (Score:1)
Re: (Score:1)
There's no such thing as an interface where you can type commands? There are two available (Command Prompt and PowerShell). Whether they are any good or not doesn't change their name.
Re: (Score:1)
command.com and cmd.exe are different, both are NOT DOS, and both are NOT Windows.
PowerShell isn't a core part of Windows (yet) and doesn't have anywhere near the coverage necessary to be a true CLI.
These things may be CLIs, but they are not "Windows CLI". There is no "Windows CLI". idbeholda has no idea what he's doing. He seems to think pulling some strings from some cmd.exe commands lets him create strong, hardware-locking DRM.
Re: (Score:2)
The only thing required to make either one a "true" CLI is that there be a command line that lets you interface with things. It does not have to be a core piece of the OS to fit the definition. Otherwise, you could say that Linux distros don't have a true GUI.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Many MACs are adjustable in the drivers.
And yet some are not and are hardcoded. I.e. The Surface Pro series has a MAC that isn't adjustable. The registry hacks don't work because the registry keys don't exist and if you use some software to spoof the MAC you end up in a BSOD loop.
Re: (Score:2)
Or what happens i
Re: (Score:2)
As for an API wrapper, considering that most of the code is
Re: (Score:2)
Re: (Score:2)
The only reason they didn't implement the new system was because they were "afraid they would s
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If total overhead increase of 200KB for compiled application size, and ~3-5MB memory overhead for non-invasive DRM is a joke, then yes. But not as much as MS extending support until 2024 to allow for the "migration to .NET". At that point, I'll have moved onto other things.
Hopefully you move onto something you understand.
Do you REALLY think you're the first person to think they've got good DRM?
Re: (Score:2)
Re:Hardware Locking (Score:5, Informative)
' VB6 snippet as posted (the hardware-locking scheme criticised below): it writes
' a batch file that dumps system details into temp files, then runs it hidden.
' The "<>" in the Dir() test was eaten by HTML extraction and is restored here;
' the w32tm line was truncated in the original, so only its output redirection
' (gtime.dat, named by the critic below) is shown.
If Dir("gethwi.bat") <> "" Then Kill "gethwi.bat"
Open "gethwi.bat" For Append As #1
Print #1, "w32tm >gtime.dat"
Print #1, "systeminfo >gsys.dat"
Print #1, "getmac >gmac.dat"
Print #1, "exit"
Close #1
Shell "gethwi.bat", vbHide
You use this information to generate an ID. But you don't even hash it with a one-way hash, which means it's possible to forge a reply to give a desired result. A good one-way hash would at least make that impossible. It is also not scaling very well - you will need a lot of support for pissed customers who changed parts of their computer or changed time zone.
Furthermore, you do no authentication of the answer from the server. Anyone can send the response and be accepted. You do not have any security. It would be trivial to either remove your DRM by jumping over it or supply the very wrong values. A race condition would also work - overwriting gsys.dat, gtime.dat, gmac.dat before your program reads them. Or simply replacing the code snippet above with a batch file which states echo "Desired values..." > gsys.dat.
So take an evening, think about how you can bypass your system. Try my suggestions. Fire up a debugger, and have a look at the software.
Re: (Score:2)
QED
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If total overhead increase of 200KB for compiled application size, and ~3-5MB memory overhead for non-invasive DRM is a joke, then yes. But not as much as MS extending support until 2024 to allow for the "migration to .NET". At that point, I'll have moved onto other things.
Hopefully you move onto something you understand. Do you REALLY think you're the first person to think they've got good DRM?
He's been repeatedly asked for an executable we can have a bash at, and he's refused (apparently it's too much work). I've seen this on usenet waaaay too many times in the 90's. Some new aspiring unsung-encrypting-genius will pop up on comp.programming (or similar) and boast about their encryption algorithm without giving any details about it. Suffice to say someone usually managed to decode their ciphertext within a few hours.
This appears to be more of the same - at least the usenet newbies had the grace t
Re: (Score:2)
Re: (Score:2)
I can read it just fine - but it does appear to be designed for much lower DPI screens (1024x768 @ 17"). So the design is probably over a decade old.
Do you know how zoom works?
Re: (Score:1)
Re: (Score:2)
Can I move my license over to new hardware without having to rely on the software vendor's cooperation?
Re: (Score:2)
Also, how well does your system stand up to NOP?
Re:Hardware Locking (BIN SPAM) (Score:1)
It's pretty easy to lock down these things via hardware.
In fact,
cough (me think he protest overly so) "to be frank", "to be honest" (trust me, that warm feeling is not me pissing in your pocket, in fact...)
I have a working model that's (theoretically) infinitely scale-able
So much for the fact. The "theoretically" taketh away the impossible "infinitely"....
on any given server, ignoring file number restraints from the hosting provider.
tl;dr? rhetoric + sophism + bullshit = pure_weasel
http://www.tot-ltd.con/WMSDK.h... [tot-ltd.con]
FTFY
Now stop spamming and fuck off back to Intertubes Worriers where you belong. Surely they need more of your fake malware products more than /. readers? (Erick - that is you isn't it? Your self-promotion is almost as good
How stupid could someone be? (Score:2)
>> cracked or pirated version of Malwarebytes Anti-Malware
Really? Could anyone on SlashDot really be this dumb?
Re: (Score:2)
On second thought, it looks like the AV company is staffed with idiots.
>> keys is that they may collide with a legitimate key just by the sheer numbers...when you think you’re building a product for just a few people you don’t hash out these details...
C'mon guys. You wrote your own clue in the summary. (Starts with "h", rhymes with "trash"...)
Re: (Score:3)
Hash collisions happen.
The real solution is to NOT use a generation algorithm for keys. Generate strings, then approve only those you actually sell and distribute.
Software installation/runtime checks locally against the generation algorithm, allowing for offline installations, bundled installers, old version installs, use in 50 years after all the servers are gone, etc.
Updates ask for your key and the server decides if it's valid (an approved string that hasn't been used by thousands of PCs across the net
Re: How stupid could someone be? (Score:3)
To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.
This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.
On update you validate both the key, and the installation ID.
In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.
Re: How stupid could someone be? (Score:2)
To further expand on this... keep talking, meanwhile as a client I'll be looking for software with none of that crap.
Re: (Score:3)
Please don't try to limit the number of installs. It breaks horribly when you try to do a re-install, or move to a new PC, or run in a VM. The nature of this software is that techs will often install it on customers' PCs, clean them and then remove it.
Install counters are evil.
Re: How stupid could someone be? (Score:2)
Really depends on the nature of the software, I guess. For Malwarebytes it probably isn't the best idea, but at the same time it could easily de-reg the install ID upon uninstall.
There are various ways to do it. My example was one such way, that is all. There is no one-size-fits-all.
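As an added example (not Malwarebytes' code, nor any commenter's), here is the allow-list scheme these replies describe, in Python: random keys that are valid only because the vendor recorded selling them, an installation ID issued at activation and checked on update, and deregistration so the install limit does not trap reinstalls or moves. The class and function names, the 128-bit key length and the default of one install per key are my assumptions.

```python
import secrets

# Added example: allow-list licensing as proposed in the thread. There is no
# key generation formula to reverse, only a record of which random strings
# were actually sold; an installation ID binds each activation to its key.

KEY_BYTES = 16   # 128-bit keys (assumed): a guessed key is never an issued one in practice


class LicenseRegistry:
    def __init__(self):
        self.issued = {}   # key -> set of active installation IDs

    def sell_key(self) -> str:
        """Mint a fresh random key and put it on the approved list."""
        key = secrets.token_hex(KEY_BYTES)
        self.issued[key] = set()
        return key

    def activate(self, key: str, max_installs: int = 1):
        """Return a new installation ID, or None if the key was never sold
        or is already active on max_installs machines."""
        installs = self.issued.get(key)
        if installs is None or len(installs) >= max_installs:
            return None
        install_id = secrets.token_hex(8)
        installs.add(install_id)
        return install_id

    def validate(self, key: str, install_id: str) -> bool:
        """Update-time check: both the key and this install must be on record."""
        return install_id in self.issued.get(key, set())

    def deregister(self, key: str, install_id: str) -> None:
        """Free the slot again (uninstall, move to a new PC, support revocation)."""
        self.issued.get(key, set()).discard(install_id)


def guess_hit_probability(issued_count: int, key_bits: int) -> float:
    """Chance that one random guess equals some already-issued key: issued / 2**bits.
    This is the 'sheer numbers' collision the summary describes; it only matters
    when the effective key space is small."""
    return issued_count / 2 ** key_bits


if __name__ == "__main__":
    reg = LicenseRegistry()
    key = reg.sell_key()
    inst = reg.activate(key)
    print(reg.validate(key, inst), reg.activate(key))   # True None (second install refused)
    reg.deregister(key, inst)
    print(reg.activate(key) is not None)                # True (slot freed by uninstall)
    print(guess_hit_probability(10_000_000, 128))       # ~2.9e-32
```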
Re: (Score:2)
Hash collisions will eventually happen. I believe Windows XP suffered from it where the sheer number of installations has meant that there was a good chance a keygen will also make a valid key that's already been issued. Sure you are blocking a good chunk of them at the beginning, but eventually a keygen will stumble upon a valid key that you DID issue.
I believe it also
Re: (Score:2)
Generation algorithms for software license keys are fine.
Simple generated keys stop casual sharing of licenses. Nothing stops dedicated hackers.
Why invest time and money in a very expensive license key system when all you're doing is providing the hackers with a more interesting challenge?
The problem here isn't generating keys, it's the relatively high chance of collision; it's badly generating keys.
Re: (Score:2)
On second thought, it looks like the AV company is staffed with idiots.
Yeah that pretty much sums it up. I have a legit copy through work and it gave me the 'blahblahblah ur a pr8' bit the other day.
Re: (Score:1)
Have you read slashdot commentary lately?
It's a great idea (Score:2)
It's a good marketing move - most people just download the free version and scan. Problems fixed so they won't buy it for the bells and whistles - now they'll get lots of people to try the bells and whistles and might retain future revenue.
It's better than them canceling the free version and making it pay-only for revenue.
Re: (Score:1)
I have used their service in the past but I never bought their program. I did some debugging and definitions work with a security company as a lark and have free access to their software. Anyhow, it took a minute to find a code online which I entered (use the ID too) and it offered me a free key after that. It was pretty painless. I will give their monitoring service a try on this laptop and see how it works out. I often do not use real-time AV anyhow.
Fair is Fair? (Score:1)
Re: (Score:1)
Pretty much, I have almost no incentive to buy the product if I can pirate it then get it for free
Reddit (Score:1)
Snake oil product vendors (Score:2)
A software company showing respect for customers? (Score:1)
Damned if this isn't a first. I've never needed a licensed version of their software, but the transparency, respect, and benefit of the doubt they are giving users of their software, both paid and otherwise, truly impresses me. As such, I will be happy to purchase a license the next time I need their software.
Only on slashdot.. (Score:2)
..would people shit on someone for acknowledging a problem, admitting fault, and then moving to fix it in a way that benefits not just the consumer, but everyone else too.
Fishy (Score:1)
Re: (Score:2)
Re: (Score:3)
Short answer is no. Long answer is yes.
Some versions of the crypto viruses have the keys released so you can decrypt. Others do not. If you know how to google, you know how to find out what version it is and if it's been released. If you've got cryptolocker it's simple.