This is a real phenomenon. As I recall some years ago Ubisoft tried to come out with a (single-player) video game which couldn't be played offline, and which was dependent on an online server as an anti-piracy tactic. I believe this game was still pirated using some kind of fake server.
It's also interesting how common it is for people to create replacement servers for popular MMOs, given the extent of the reverse engineering that this requires, using custom non-HTTP protocols which are much harder to reverse. MMOs should be "unpirateable" yet unofficial open source server reimplementations are a real thing.
But of course, on launch it was quickly discovered the game ran just fine without an internet connection. After 30 minutes, the game would complain the server would time out and shut down voluntarily. But all it took was patching the "30 minutes" magic number. Poof, problem solved.
Long story short, it is an ongoing problem that pirates receive a superior product. (A problem for publishers anyways, not one for pirates.)
Simcity was an excellent example of DRM providing no benefits and actively lowering the user's experience - that's almost always the case but it's rarely this extreme and obvious.
1. https://arstechnica.com/gaming/2013/03/clogged-streets-simci...
You don't even have to go to this extreme to make conventional piracy all but intractable. As a concrete example, take Civilization 6, and suppose it had been released as a client/server application where the server handled all enemy AI. While creating functional but inequivalent replacement backends may not be terribly difficult — and might even lead to an interesting alternative AI ecosystem — reproducing the precise behavior of the vanilla AI via "black box" reverse engineering would require considerably more effort than cracking an offline game or reimplementing a backend that acts as a mere license server.
Compared to a traditional, fully offline model, moving large portions of a single-player game online would increase both upfront development costs and marginal cost and would be met with disapproval by a nontrivial fraction of potential customers who, for this reason, might choose not to purchase the game. It would also have a slightly smaller potential market to begin with due to "always-on" Internet access being commonplace, but not universal.
Still, at this point, there are no real technical obstacles to developers adopting such a model.
In other words, I presume the forces keeping games "crackable" are primarily economic rather than technical.
I was always fascinated by software reverse engineering and I spent years researching it. Quite interesting computer science area.
I believe it might make good money as long as you can dodge legal issues, but I might be wrong.
Personally, I wouldn't count this as a win, more of a lack of curiosity/failure to be adventurous enough to be in a situation where piracy is advantageous
Also consider that streaming (music, TV, movies) has been decently plentiful and cheap for the entirety of his teen years. He may not have had a need to pirate anything just because his parents paid for Netflix and Spotify accounts.
For games, most have an online component and are more difficult to pirate, as he points out in his article. Certainly it's not impossible (there are many single-player/offline games that just want to do a license check, which can often be hacked, and others where the server components have been reverse-engineered and cloned), but it was a lot easier to pirate games when you just had a CD or floppy that you could disassemble and poke at to create a patch. And again, maybe he and his parents have been able to afford to buy whatever games he's wanted to play.
But I also see this as a result of the newest generation of computer users being raised in restrictive computing environments. iOS and Android don't encourage you to tinker; their security and product model tries to preclude that. Desktop macOS is more and more locked down with every release. Windows is... well, Windows. Desktop Linux still has yet to develop any kind of traction (and I say this as someone who has been using Linux on the desktop, nearly exclusively, for 20 years). Even many people I know who grew up in the 80s and 90s like I did, who used to have desktop or laptop computers, have shelved them and replaced them with iOS/Android/iPad OS.
In many ways, I think this is really a crappy time for computing. Sure, we have all this cheap computing power, but for the most part we're using it just to consume mainstream media. I say this even with the explosion of easy creation tools like digital cameras, and things like Instagram and TikTok. Fortunately there are still a lot of healthy hacker/maker communities, but I think their percentage of the whole of computing has been steadily dropping over the past 15 years.
He writes rather well btw.
Use software for which you have legitimate access to a Windows version but you need it on another OS.
The personal satisfaction and skill demonstration of doing reverse engineering (RIP fravia).
Mmm, what? Adblockers aren't piracy.
Pirates often argue that they aren't causing a lost sale, because if the product wasn't free, the pirate customer simply wouldn't use the product in the first place.
Pirates however, generally aren't putting sustained load on the IP-holders' servers. Whereas adblockers are putting load on the companies' servers while not "paying" for the services, by blocking the ads.
If sites offered consent - like "Welcome to this site, you'll see 10 ads per page, sold through google's ad network. Our content is written by humans not robots. Please disable adblock and proceed." That's a different relationship. Perhaps then it's more like taking something without paying ("piracy").
Perhaps in a sustained relationship, where you repeatedly visit a site, you know what it offers you and you want it, but are unwilling to pay the price of ads... maybe that starts to edge towards a piracy like situation.
Ad blocking users won't reduce the entire ad revenue that is flowing through the system.
From the perspective of a company this is different of course - a company can increase revenue by maximizing the number of ads shown to users. But when you look at it from the perspective of the entire system, the more users are forced to view ads, the less valuable an ad becomes, so it's a race to the bottom.
The biggest problem is that ads are the wrong solution. In earlier times, many services that operate for free now were primarily paid services - paid voluntarily, which is based on respect and human dignity. And the ads were just printed in paper form, so there was a limit to how much money you could extract out of it. Ads had their place, but were limited in their scope. Publishers of paper newspapers would have never thought to maximize revenue by forcing users to actually look at an ad, because there was no technical way to do it. Now they think they are entitled to be intrusive, and to control user behavior while legally giving away something for free without any legal obligation for readers to return anything. So those who benefit from ads resort to moral pressure.
They have developed feedback systems, and the feedback systems are carefully designed to extract as much money out of people with no regard for anything else, which is dehumanizing, and this means ads (like all systems that use psychology to manipulate behavior) are actively destroying what makes us human.
They will only stop once the ad system has been dried out, and when that happens we finally may get meaningful content and journalism again.
Look - you can attempt to send me any content you'd like. You absolutely (as in utterly, morally, ethically) have zero claim to force me to receive it.
I have autonomy. I can choose what to view, and what not to view.
If you don't want me to get your content without paying for it - ask me to pay for it before sending it to me. EASY FUCKING PEASY.
If you've asked me to pay and I go download it somewhere else: fine, call me a pirate.
If you haven't asked me to pay and you're sending me a firehose of unrelated bullshit every time I attempt to interact with your service - expect me to filter that bullshit out.
If a website needs money to exist, paywalls and donations exist. If a website serves content without payment, that's their problem not mine.
[0]:https://www.abc.net.au/news/2022-06-21/scammers-using-text-m...
This idea though is totally wrong, and is some serious post-hoc BS after over a decade of this internet advertising business model becoming comfortable. Linus's business is GIVING AWAY content and hoping that advertisers (his real customers) will want to agree to pay him according to his terms. You can say things about TOS and EULA and how that is totally a legally and morally binding or whatever but that's moving the goalposts now that folks have found a way to exploit audiences for money after years of GIVING AWAY content for free.
I don't have to read each advertising flyer that comes with my pizza, even if the pizza store decides to give me 100 advertising flyers in exchange for making the pizza free, and no amount of EULAs will make it so. It's my computer, I can throw out the garbage you give me if I want.
Get access to one of the machines hosting the backend and download it..
I guess, an even more true way would be to don the wooden leg, cannons and drive up to a data center fueled primarily by rum and old-time maritime jargon xD
It also lets companies play both sides by releasing clients open source but keeping the real value back in the cloud. They can be considered "FOSS" while at the same time being even more closed than closed-source software.
You could say the industry has found a way to comply with the letter of FOSS licenses while avoiding the spirit, namely the idea of empowering the user.
The software landscape has changed so much since the conception of GPL and all it stood for. Back then, freedom was about expert users having autonomy over their own systems. These days, I think the real fight for freedom is about user communities and general end-users.
I think there is potential in the emerging field of community authored software. Communities coming together to build their own platforms is an ethos that I think has gained some traction and, if it builds more momentum, could become the next free software movement.
The reality is that software is extremely expensive, especially polished software with a good user experience that's usable by non-experts. Good UX can take many times more effort than just getting something working. Without an economic model, FOSS will always lose in the general market.
I've been ranting about this for years on this site and elsewhere. Doctrinaire FOSS people seem to largely not get it or not care.
If you try to introduce any alternative license or distribution model it'll be rejected by the OSI, which is largely captured by the big surveillance capitalist companies like Facebook and Google. These have no incentive to change anything about the landscape. They're perfectly happy with open source as free labor for them and with competitors being unable to grow revenue.
It’s been emerging for the past 30 years, it’s called Open Source. As opposed to commercial projects releasing a “technically open” source code, like with Chrome.
2 examples: World of Warcraft and Netflix.
WoW had FOSS implementations of server patches, with different success. It eventually led to Classic Vanilla, Classic TBC (1st expansion), and soon Classic WotLK (2nd expansion). Each of these spanned ~2 years of content.
Netflix is an easy example. Together with everything else streaming services it gets pirated.
In a way, definitely yes. But I was speaking more in terms of modifying frontends to convince providers' backends to grant stuff straight from the source, not reuploaded to a mirror.
WoW server patches and pirated backends I would count since you're getting pirated content on a mostly official frontend.
Though the argument is somewhat flimsy. Can't say I've played many games with reverse-engineered servers.
Licenses like AGPL are necessary to preserve our freedoms in this cloud DRM world.
I remember friends running World of Warcraft private servers back in '08 and '09. Heck, we even hosted one as a class project in high school.
World of Warcraft Classic exists partially due to the number of fans who ran private servers as a way to properly experience previous versions of the game as current expansions have you steamroll through older content.
A fitness tracker I have (Jawbone Up Move) is coupled with an app, which is coupled with an online service, which has been dead since 2017.
Are there any tips, tricks or resources regarding this? Best I can currently do is `mitmdump --set connection_strategy=lazy` (the last part is important so it doesn't try to connect to the original server and throw a weird error), but I don't know what the app wants as a response to its login request.
A look at the decompiled code doesn't immediately reveal much. Are there any common patterns for this type of stuff?
Typically, the response to authentication is a yes/no plus a token or other piece of session state for the authenticated app to store. You might poke through the structure of the in-app storage to see where the authentication information lives, and then go backwards from there to where it is set.
Edit: On a cursory google search, https://github.com/ryanseys/node-jawbone-up looks like it might help you.
Trying to reverse engineer the API the app uses seems harder, and is a less direct solution to your problem, IMO
For games where the server is doing the work and clients are just thin frontends which don't even know all the rules, it is basically impossible.
As web apps and web services get more and more e2e encryption and strong privacy, the backends become dumber and dumber. If the backend can't see the data it's working with, it can't have much business logic in - instead the backend ends up looking much like a dumb storage service or message queue. Some companies will just make their app talk direct to S3/pubsub rather than run their own application servers.
At that point, some 'hacker' can download the APK or the javascript bundle of the frontend, and simply put up a replacement backend that does the same storage service.
Well done, you now have a 'pirate' web service.
The original way to pirate is to bring your vessel in close proximity and then jump aboard the target vessel and have your way with it.
Something like that could be done with a back end.
Then https://sorry-cypress.dev/ came, which is a self-hosted version for free. Then came a commercial offering that directly competes with cypress' official version.
At the end of the day, you're just trying to model a black-box function, mapping inputs to outputs. And most of that is CRUD with some basic access control on top. There are definitely complications (e.g. 3rd party integrations, a properly designed/named database schema), but you might be able to get 80% of the way there in an automated way...
It's not piracy doing this though. Technically you might still be in breach of some intellectual property but since it's usually discontinued services a lot of games publishers turn a blind eye.
I grew up in the private server scene for a popular MMO and you're absolutely right. It was a whole lot of teenagers with energy drinks grinding through reverse-engineering minutiae that adults would gawk at and make excuses to avoid doing.
That said there was a lot of automation, scripts, and other tooling, to make it easier. The best were able to i.e. update a private server automatically when the base game updated. We were doing automation at a higher level than F500 companies were at the time (mid 2000s) and we were just kids.
In some of the cases mentioned (e.g. Spotify, Chegg, etc) you can't really do this, because the actual value in the app is just the copyrighted material being purchased. Reverse-engineering is protected under US law for a variety of reasons, mostly that you can't copyright basic functionality (that's for patent law) and that copyright shouldn't extend to interfaces[0].
AI trying to reverse-engineer all of music or art or writing already exists. They're called MuseNet, DALL-E, and GPT-3 respectively. While you can sort of trick them into regurgitating training data in a way that would make their use to create novel works legally perilous, it's still kind of difficult to get them to generate exact copies in a way that would be useful for "pirating" all of Spotify.
[0] SCOTUS tried very very hard in the Google v. Oracle decision not to actually say this. However, the actual ruling has a similar effect.
https://www.vice.com/en/article/y3mb3w/people-are-jailbreaki...
Whereas a crack of a desktop app will allow users to "misuse" the app (by circumventing the license protection or other limitations), a backend can be "cracked" through scraping, botting, or creating alternative clients.
If a backend somehow limits your access to content, a skilled user can scrape that content and make it available through their own alternative backend.
If a backend somehow limits functionality, you can reverse engineer their API and build an alternative client which interacts with the API in a way not intended by its creators, and misuses it.
If a backend rate limits access to it, you can write bots to interact with the backend through multiple proxies and alt-accounts, thereby circumventing the rate limits.
I'm not advocating for any of the above techniques, any more than I advocate for cracking and software piracy. I just want to offer them as examples of how backends are not magically immune to tampering and misuse.
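The rate-limit case in the comment above, seen from the backend operator's side, as an added example that is not part of the original comment: limiters keyed on IP or on account each see only a slice of a client that rotates proxies and alt accounts, while aggregating on a client fingerprint exposes it. The `fp` field (for instance derived from the TLS handshake or header ordering), the thresholds and all log records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

LIMIT = 5    # requests allowed per key per window
WINDOW = 60  # window length in seconds


def over_limit(events, key_fields, limit=LIMIT, window=WINDOW):
    """Keys (tuples of the chosen fields) that exceed `limit` in any sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in key_fields)
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] >= window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged


def spread_clients(events, min_ips=3, min_accounts=3):
    """Fingerprints over the limit in aggregate while spread over many IPs and accounts."""
    ips, accounts = defaultdict(set), defaultdict(set)
    for ev in events:
        ips[ev["fp"]].add(ev["ip"])
        accounts[ev["fp"]].add(ev["account"])
    return {
        fp: (len(ips[fp]), len(accounts[fp]))
        for (fp,) in over_limit(events, ("fp",))
        if len(ips[fp]) >= min_ips and len(accounts[fp]) >= min_accounts
    }


def build_sample():
    """Constructed request log; 'fp' is a hypothetical client fingerprint field."""
    events = []
    for i in range(20):  # one automated client rotating 5 proxies and 5 alt accounts
        events.append({"ts": i * 2, "ip": f"198.51.100.{i % 5 + 1}",
                       "account": f"alt{i % 5}", "fp": "fp-bot"})
    for i in range(4):   # four ordinary users who happen to share a browser build
        events.append({"ts": i * 10, "ip": f"203.0.113.{i + 1}",
                       "account": f"user{i}", "fp": "fp-common"})
    for i in range(3):   # a single ordinary user
        events.append({"ts": i * 15, "ip": "192.0.2.7",
                       "account": "carol", "fp": "fp-solo"})
    return events


SAMPLE = build_sample()

if __name__ == "__main__":
    print("per-IP limiter flags:     ", over_limit(SAMPLE, ("ip",)))
    print("per-account limiter flags:", over_limit(SAMPLE, ("account",)))
    print("aggregate by fingerprint: ", spread_clients(SAMPLE))
```

A fingerprint shared by a popular browser build will cross a fixed aggregate limit on a busy service, so in practice the threshold has to scale with how common the fingerprint is, and a hit is a signal for review rather than an automatic block.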
I posit the opposite. In the future, it will be impossible (in many cases) to crack even client-side applications. Reverse engineering and de-obfuscation are a cat and mouse game. However it's been proven that it's possible to obfuscate a program such that it's effectively impossible to deobfuscate. This is called indistinguishable obfuscation [1]. Basically like encrypting a program. And even though current implementations are impractical, I'm sure it will get better.
[1]: https://en.m.wikipedia.org/wiki/Indistinguishability_obfusca...
- FHE-based implementation of whatever function you want to hide, say, a DRM circuit that sends your TV the symmetric key to a movie if you give it the TV's chained certificate along with a token proving you rented it.
- shortened zk-SNARK proof that you evaluated the FHE circuit correctly.
- simple (iO) obfuscated gadget that decrypts and returns the output of the FHE circuit only if 1) the FHE message says evaluation completed and 2) the zk-SNARK proof checks out; otherwise, return random garbage.
In order for this to work, the gadget must have enough entropy in its class of alternative obfuscations that you can't distinguish it. But what I'm not sure about is, you still can distinguish the gadget from one that simply always outputs garbage. I don't know how you can prove that reverse-engineering a given iO circuit is infeasible. I just don't have the first clue. Help?
2. There is an easy way to pirate backends, you just do some network capture and figure out what the SYN ACK messages between your client and API are.
3. There's plenty of instances of pirated web-based games. (KanKolle comes to mind).
While this has nothing to do with pirating directly, it would still allow to replicate the backend (without business logic).
I worked on Socrative for several years (similar to Quizlet), and we had backlash when we introduced a "Pro" version with paid features. All existing free features, which had been developed over several years, could still be used for free—it was only new features that would be behind the paywall. Many users lamented all over social media that Socrative was no longer "free." But it had never been free—it had been losing over $1m per year!
But really, where would that be in the world?
Also, FWIW, both localstack and the moto library that it wraps are Apache 2
Edit: Didn't know that Adobe didn't move its portfolio to the cloud yet. I thought Adobe Creative Cloud is all about that plus subscription model. My bad.