Marketplace "copy protection" cracked

Search This thread

Chainfire

Moderator Emeritus / Senior Recognized Developer
Oct 2, 2007
11,441
87,703
www.chainfire.eu
I will not do anything with this, or publish how. But you can be assured the "warez" guys from that one site will figure this out within a day or so as well...

As most of you will know I am a software developer by trade, with some commercial offerings from my company.

And then there was Marketplace. For commercial devs, something nice to have. But if you have followed the news, the piracy protection for commercial developers is not much to speak of. See this document http://download.microsoft.com/downl...tplace for Mobile Anti-Piracy White Paper.pdf.

I will refrain from quoting the obvious mistakes in this document, if you give this thing a read, you will notice them soon enough. What it all comes down to is that there is no copy protection, not even at the advanced level, at least if they implement it in the way I interpret from reading that document.

So today I started up Marketplace and it worked. Hurrah. The current level of protection is making sure the CAB files are deleted upon install - which is obviously not a way to protect anything - but even this, I thought, should easily be circumventable.

Now, because I wanted to see how fast it could be done, I went with a hunch instead of doing any investigation. And that hunch worked like charm. It took me less than five minutes to circumvent this "protection", and get the ability to save the CABs the MarketPlace app downloads to a different folder. As the CAB file is the same for every downloader, you could just give this CAB you payed for out to all your friends.

Obviously I will not disclose the method, because that would be working against other commercial developers, and ultimately myself. It's just to let you know how ridiculously easy it is, and to give fair warning to those looking to sell apps on the Marketplace.

So, the moral of the story is... WTF MICROSOFT?

I know firsthand there is no such thing as perfect copy protection, but this is just plain ridiculous.

What we really need is for apps to be able to use our own copy protection schemes... you know, like the good web-based app stores out there.

EDIT: l3v5y has also succeeded in doing something similar, and it seems the WMPowerUser admin also found another easy way to do it... Yay, and it ain't even out yet!
 
Last edited:

maati

Senior Member
Aug 13, 2006
790
1
Oh noes.... that's not good!
Imagine Microsoft reads this and decides to offset tomorrow's Marketplace launch...
Or even worse, Microsoft launches the Marketplace but developers decide not to submit their apps because they're concerned that their apps get pirated.
 

mr_Ray

Senior Member
Feb 9, 2006
306
2
That sounds bad, but it's really no different to how things are today. Perhaps there are some apps that have more security than either nothing or a serial key, but none that I use have anything more sophisticated.

Even as a developer myself, I'd easily take this over some DRMfest.
 

Farmer Ted

Senior Member
Nov 30, 2008
2,374
90
So, if I'm reading this correctly, when you buy something from marketplace it's not tied into your username with a password like most apps? Instead, you just buy it and it installs the app, but doesn't give you a cab? Yeah, I don't think it's that hard to work around that and get a cab for yourself. Some of the cheaper apps at Handango are like that. Can you re-download an app onto a new device or if you have to hard reset, and is it free or do you need to buy download protection like form Handango?
 

loomx

Senior Member
Apr 7, 2005
631
14
Good, copy protection pisses me off, all it does is piss of the genuine users. We have to deal with codes and activation to be legit, while people getting it free, just click here and there, copy a code here and huzah.

Copy protection doesnt work, someone will always find a way around it. Unless its linked to a windows live profile/xbox live profile. Which I can see probably happening when they bring out Zune on mobile phones, which sounds like it might be sooner rather than later! :D
 
Last edited:

l3v5y

Retired Senior Moderator
Sep 13, 2007
7,485
44
29
Bristol
I did something like this earlier... MS haven't quite got security done yet, though my guess is the iPhone is no better...
 

vexingv

Senior Member
Oct 26, 2008
121
0
I'm really surprised by the lack of any drm; what's the point of signing in w/ one's Windows Live account? The easiest thing to do is to associate valid applications w/ one's Window's Live account. That's what itunes does for music at least (I don't know about apps as I don't have an iphone/ipod touch). Of course, what would happen is that an internet connection of some form is needed when the application is first installed, which could become inconvenient.
 

alabij

Senior Member
Mar 8, 2006
284
1
Atlanta
The truth of the matter is that the percentage or ratio of people who would bother to do this is pretty small. Most WinMo usersbarely even know how to setup e-mail not to mention install a cab file.

Most of the people in this forum already know how and where to get cracked apps or warez if they wanted too. I don't see this so called "flaw" as being an issue to MS or developers.
 

fatmonk

Senior Member
Sep 8, 2005
159
1
www.GonMad.co.uk
Must admit that I find it a bit worrying that your not able to make a backup of the applications you buy by taking a copy of the cab file somewhere safe.

After having sent back 4 HTC phones (two different models) in the last 10 months, and having an SD die on me I'd really like to know that I have a backup of anything I've paid for.

Can anyone confirm if its possible to reinstall something you've paid for through the Marketplace app if it gets removed from your phone, or you get another phone? ie if you log into Marketplace with the same Lice ID does it show apps that you've bought but which aren't on the phone your connected with?

If I look at an app that I have installed through Marketplace there is no install button anymore and Marketplace tells me that it is installed... so no obvious way to get the application back...

Not enough free apps on the UK store for me to mess about with really (have installed Shazam trial but don't want to risk uninstaling it just to see what happens).

-FM
 

thedicemaster

Senior Member
May 10, 2009
1,747
852
Must admit that I find it a bit worrying that your not able to make a backup of the applications you buy by taking a copy of the cab file somewhere safe.

After having sent back 4 HTC phones (two different models) in the last 10 months, and having an SD die on me I'd really like to know that I have a backup of anything I've paid for.

Can anyone confirm if its possible to reinstall something you've paid for through the Marketplace app if it gets removed from your phone, or you get another phone? ie if you log into Marketplace with the same Lice ID does it show apps that you've bought but which aren't on the phone your connected with?

If I look at an app that I have installed through Marketplace there is no install button anymore and Marketplace tells me that it is installed... so no obvious way to get the application back...

Not enough free apps on the UK store for me to mess about with really (have installed Shazam trial but don't want to risk uninstaling it just to see what happens).

-FM

looks like it keeps track of all apps you purchased.
 

Vledderos

Senior Member
Feb 5, 2009
57
4
ow well, I guess it's a matter of time when there will be sites that point to all the cabs available on upload sites and stuff. Just like those sites exists for iphone/ipod (appulo.us for example)

I guess that's what happens when people see that there a lot of apps available on other country stores..

what do you think...
 

fatmonk

Senior Member
Sep 8, 2005
159
1
www.GonMad.co.uk
looks like it keeps track of all apps you purchased.

Hi dicemaster,

How did you try this? Uninstalling and reinstalling on the same phone or another phone? Or the same phone after a hard reboot / content erase?

I'm just interested to know from what state you can get back to your purchased applicationsand whether is purely your windows live id that connects you to your purchases or if there is some device specific stuff checked as well.

Cheers,

FM
 

vijay555

Retired Moderator
Jun 4, 2005
5,791
68
Witch Space
www.vijay555.com
Is there anything to stop Software Authors implementing (or continuing to use) their normal Serial number protection systems?
Looking at the Market Place, there are obviously some of the Big Names we all know and love, and I don't see why they would remove protection systems they have in place already, unless it was a MarketPlace requirement.

Personally, I can't say I'm at all impressed with the MarketPlace implementation - it heralds back to the early days of PocketPC. Maybe they're going for lowest common denominator hardware support, but frankly even the relatively poor Android marketplace on Hero is massively better. And the Appstore even more so. And I think Cydia tops most of them!

Let's hope that the MarketPlace at least drives prices down.

V
 

zim2323

Senior Member
May 27, 2008
101
1
I am assuming it's more difficult then just going to \Windows\AppMgr\Install folder while the installer is running and copy the CAB file to another location. This is how I get the CAB files from PC only installers.

I personally use SKTracker a lot. I take a snapshot before, and then during the install and see what has changed. That generally tells me right where any install files/CABs are that I need to grab.
 

Chainfire

Moderator Emeritus / Senior Recognized Developer
Oct 2, 2007
11,441
87,703
www.chainfire.eu
Is there anything to stop Software Authors implementing (or continuing to use) their normal Serial number protection systems?
Looking at the Market Place, there are obviously some of the Big Names we all know and love, and I don't see why they would remove protection systems they have in place already, unless it was a MarketPlace requirement.

Personally, I can't say I'm at all impressed with the MarketPlace implementation - it heralds back to the early days of PocketPC. Maybe they're going for lowest common denominator hardware support, but frankly even the relatively poor Android marketplace on Hero is massively better. And the Appstore even more so. And I think Cydia tops most of them!

Let's hope that the MarketPlace at least drives prices down.

V

Microsoft does not support your own serial systems. There is no information you can compare runtime vs purchases either, so you can't roll your own. Well ok, you DO actually have device ID information you could use, but that way purchasers can only run the application on the phone they actually bought it on. It is not clear how 're-download' information will be transmitted. If that also transmits a device id, then it is possible to roll your own, though it would be pretty nasty.
 

Farmer Ted

Senior Member
Nov 30, 2008
2,374
90
I am assuming it's more difficult then just going to \Windows\AppMgr\Install folder while the installer is running and copy the CAB file to another location. This is how I get the CAB files from PC only installers.

I personally use SKTracker a lot. I take a snapshot before, and then during the install and see what has changed. That generally tells me right where any install files/CABs are that I need to grab.

If you go to C:\Program Files\Microsoft ActiveSync on your PC, you'll probably find an archive of many things that you installed over active sync.

SK Tools is a good way to re-pack any installed programs into cabs. I would guess that it works with programs from Market Place.