Sunday, May 11, 2014

Registration loophole

I use the software XPTO on a regular basis, XPTO being a fake name to protect the innocent :)
XPTO has a very nice design and protection scheme, I really admire the original developer(s) (he's gone to Germany by now).
However, when testing features at home I need a valid license for the extra modules.
The XPTO company provided me with a trial, date-limited serial number, which is nice, but I need to use XPTO every day and can't always be asking for such codes.
So I visited the partners' website and searched for a customer serial number that has all the modules included.
This is where the loophole is found.
You see, XPTO doesn't generate a serial like most software does. Instead, XPTO checks the serial number of the hardware and matches it against the serial provided in the software.
This latter serial activates the modules and the number of records.
In practice, you can have as many valid serials as modules available on XPTO, plus, if it has a time limit, there's an unlimited number of serials possible.
Is this a bad scheme? Well... it seems so, but I couldn't crack it so far, and the XPTO company doesn't deserve it because they're such nice guys with us.
Well, back to the loophole.
XPTO can have many hardware pieces registered, and each one of them has a distinct serial number.
Also, XPTO has two kinds of hardware: master and slave.
The master's serial number determines which modules activate on start.
But... what if we have 2 master serials? Which will prevail?
Let's find out: fire up SQL Management Studio and quickly write a SQL query to insert a new, fictitious hardware piece, plus a valid serial number (with all modules included).
Start XPTO again: success, all modules are working fine.

So, what happened here!?
The protection scheme is great, but this little detail was left out.
OK, so I can't generate working serials, but only one is needed. XPTO will take the one that has more features enabled.
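
The selection behaviour described above, modelled next to a fail-closed alternative, as an added example that is not XPTO's code or the author's. The row layout, the `modules_of` decoding, the HMAC tag on each hardware row and the provisioning key are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a key held by the vendor's provisioning step, never stored in the database.
PROVISIONING_KEY = b"constructed-demo-key"

def row_tag(row):
    """MAC binding a hardware row's serial, role and licence serial together."""
    msg = "|".join([row["hw_serial"], row["role"], row["license"]]).encode()
    return hmac.new(PROVISIONING_KEY, msg, hashlib.sha256).hexdigest()

def modules_of(license_code):
    # Hypothetical stand-in for the real serial decoding, which the post does not describe.
    return set(license_code.split("-")[1:])

def resolve_permissive(rows):
    """Behaviour observed in the post: the master row with more features wins."""
    masters = [r for r in rows if r["role"] == "master"]
    return max((modules_of(r["license"]) for r in masters), key=len, default=set())

def resolve_strict(rows):
    """Fail closed: only authenticated rows count, and there must be exactly one master."""
    trusted = [r for r in rows if hmac.compare_digest(r.get("tag", ""), row_tag(r))]
    masters = [r for r in trusted if r["role"] == "master"]
    if len(masters) != 1:
        raise ValueError(f"expected exactly 1 authenticated master, found {len(masters)}")
    return modules_of(masters[0]["license"])

def sample_rows():
    """Constructed data: one provisioned master and one row added directly to the table."""
    genuine = {"hw_serial": "HW-0001", "role": "master", "license": "LIC-base"}
    genuine["tag"] = row_tag(genuine)
    injected = {"hw_serial": "HW-9999", "role": "master",
                "license": "LIC-base-stock-payroll", "tag": ""}
    return [genuine, injected]

if __name__ == "__main__":
    rows = sample_rows()
    print("permissive:", sorted(resolve_permissive(rows)))
    print("strict:    ", sorted(resolve_strict(rows)))
```

The strict resolver ignores the untagged row, and it refuses to start at all if two authenticated masters ever appear, which turns the ambiguity into an alert instead of a silent upgrade.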
