PDA

View Full Version : sort of legal question...


Darkelf
September 15th, 2010, 15:45
Hi there,

in a couple of month my studies going to come to an end. Therefore I'm looking for a decent topic for my bachelor thesis. Of course it will be something from the realm of reverse engineering. I ogle with an in-depth examination of some packer/protector to show the weak spots of recent protectors and some basic attempts to overcome it's weakness. Now my question: Let's imagine I own a legal copy of some packer/protector (say ASProtect SKE or similar) and I wrap a program I coded myself. Am I - under these circumstances - allowed to dissect the resulting binary, showing the modus operanti of the protector and revealing it's internals? I asked my professor in charge but he just didn't know. He said I'm the very first student of our faculty who chose such a topic. Since I don't want to get into trouble (had enough in the past -I'm sick of it ), I would like to ask you if this sounds OK. Maybe some of you did something similar in the past, maybe someone knows somebody who did. You know what I mean.

Thanks a lot in advance.

Regards
darkelf

Woodmann
September 15th, 2010, 18:59
Howdy,

You can do that with no problems in the USA.
It's not a commercial release for profit of ripped code so you can
do whatever you want with it.

Even if you dont own it, it's not for profit, so it's ok.

Woodmann

Polaris
September 16th, 2010, 00:36
Hello,

Personally, I have to disagree with Woodmann here. Doing what you describe may put to harm the business model of the developer of the protector you will dissect, resulting in money loss on their side; harming someone's business is usually a good recipe for trouble.

This said, and as Woodman says above, it may be that on a legal standpoint you could come out clean and victorious depending on where you are and on the local legislation, but I would recommend avoiding getting anywhere close to courts and legal proceedings.

Take care and good luck with with your projects!

Maximus
September 16th, 2010, 01:11
In Europe,
you may have quite a bit of troubles, I fear.
In a bunch of nations the laws changed so that 'password hacking tools' and similar were declared forbidden, one way or another.

You better spend a bit of time looking for your local laws (ask to a lawyer's friend/student to aid you in the articles' research).

rendari
September 16th, 2010, 12:52
I'm planning on doing something similar at my University in the USA. You'll be fine.

Woodmann
September 16th, 2010, 19:33
Well.......

Since I don't know the laws of every country, I suppose you could get into some trouble.

But, Since it will only be between you and your professor I dont see any problem, no matter what country you live in.

It's an academic paper, not a commercial release.

Woodmann

Aimless
September 16th, 2010, 22:30
Even Better, code your own packer/protector.

THEN, break it.

No harm done. You can't sue yourself.

And as an added bonus, you get to understand packing/protecting from a programmer's viewpoint too... helps you later crack with a deeper, erudite knowledge.

Have Phun

CluelessNoob
September 17th, 2010, 08:10
Quote:
[Originally Posted by Aimless;87739]You can't sue yourself.


What a silly thing to say... You don't live in the states, do you?


Woodmann
September 17th, 2010, 22:47
Quote:
What a silly thing to say... You don't live in the states, do you?
BWahahahahaahahahaaaa.............

Well said

Over here you could very well sue yourself.
You would need to be really waney but, shit, anything is possible.


Woodmann

I forgot to add, waney/wany means decreasing.
In this instance it means decreasing intelligence.
It's a rural term for nit-wit, idiot, moron, pea brain,
jerk wad, dimwit............

Darkelf
September 18th, 2010, 08:58
Hi guys,

thank you all very much for your answers. For the last two days I was busy figuring out the legal situation in my country. Unfortunately I'm straight from the nation of the weirdos (at least that's the impression I got while doing this research) and hence Maximus is perfectly right. The government of Germany changed §202 of the criminal code with a law called "Strafrechtsänderungsgesetz zur Bekämpfung der Computerkriminalität" which means "amendment of the criminal code to fight computer crime", in a way that even whitehat pentesters have one foot in prison. This §202 states that one is not allowed to create, program, hand over, spread or obtain any tool that is suitable to break computer security. This includes even Wireshark (that's crazy, isn't it?). Computer security means software protections, too. Explicitly! So if I write a thesis about the weakness of a "software protection", I'd commit a crime because somebody could use it to overcome this protection. That's so fucking nuts, I hardly find words for it. I should have gone to another country from the start. I wonder how science will handle this in general. In Germany they discuss a governmental trojan for quite some time. Regarding this, this changed (or new) §202 makes sense. You cannot capture a trojan, if you'll have no tools to do so.
So right now I'm somewhat pissed because I'm forced to write about some completely different topic.
Again, thanks for your answers.

Regards
darkelf

evaluator
September 19th, 2010, 01:12
look here, you can do this:

USE FREEWARE protector, analyze & make good hints for upgrade.

everyone will Happiey!

disavowed
September 27th, 2010, 08:06
Regarding the laws in Germany related to "security"-software, you may want to talk to Halvar and see if he has any suggestions for you or knowledge of legal loopholes.

Bengaly
October 11th, 2010, 14:59
Write your thesis,
when it's done, PGP it and print it.
when the test comes, decrypt the digital form for their 'eyes only' (on the fly) and than close it.. enjoy :

When I was forced to write thesis + software application in 2002, I introduced first version of PVDasm to my university assembler professor and the board of testers.
The good thing out of it was: the testers understood shit of what I did, they did not know what to ask and were forced to ask me 1 question: they pointed on a disassembled line in pvdasm and said: "what that instruction does?" ...

well you see, the board of testers will know nothing of your doing and will care less about it. It's all about formality... so, who gives a #$%$#%$!

Darkelf
October 11th, 2010, 16:39
I wish it would be that easy. I can't even begin to tell you how desperate I wish it would be that easy! In Germany you MUST hand in your thesis as a book (2 copies - the only decision you can make is the color of your hardcover) AND one digital copy (you're free to choose if it's a CD or a DVD). Additionally, your digital copy must contain every single line of source code. This is because every thesis is digitally archived in the German National Library. The Germans really elevated bureaucracy to an art form. It sucks so hard . But I see a small light at the end of the tunnel. My prof in charge tries to find a way to circumvent the strict regulations of German law. I really hope he will be successful.

Thanks for taking interest.

Regards
darkelf

Woodmann
October 11th, 2010, 20:26
Howdy,

I am very interested in how this plays out.
If you need my help, ask and I will do what I can .

Woodmann

Maximus
October 12th, 2010, 05:44
I dont remember exactly the text of that law, but it was worrysome, yes.

Let me suggest you, in order to have a minimal margin, to:

1) do NOT produce any tool - do not make an unpacking tool of anything. This will keep you safe from 'making/owning tools' claims.

2) "the part is not the whole". You can discuss features, as long as you do not make a source to bypass them. Let me also suggest you to discuss features of different protection tools (always check their licenses etc), not focusing on only one.

The most important thing, ever, is that you MUST not produce a working source for bypassing protection tricks, this would make you fall into such category. Anyway, you can analyse and describe how to bypass them (as long as you dont make a working source!). Check this against the law, if I remember well this is the escamotage for doing your thesis.

Bengaly
October 12th, 2010, 07:14
Quote:
[Originally Posted by Darkelf;87901]I wish it would be that easy. I can't even begin to tell you how desperate I wish it would be that easy! In Germany you MUST hand in your thesis as a book (2 copies - the only decision you can make is the color of your hardcover) AND one digital copy (you're free to choose if it's a CD or a DVD). Additionally, your digital copy must contain every single line of source code. This is because every thesis is digitally archived in the German National Library. The Germans really elevated bureaucracy to an art form. It sucks so hard . But I see a small light at the end of the tunnel. My prof in charge tries to find a way to circumvent the strict regulations of German law. I really hope he will be successful.

Thanks for taking interest.

Regards
darkelf


I understand your concerns, it is sucks I know,
but I still think there is no problem here! here is why:

1. You don't have to put a working unpacker code/solution in your thesis. (PVDasm code v1 is in my school's thesis, so what? after 10 years, code changes, evolves..etc)

2. Do not write about the key areas of the packer/protector so much that people could break it on their on (if it's a protector who people buy).

3. Write generic approaches, methods and solutions, without giving specific packer name/version

No one said you have to write your thesis on ASPROTECT x.x or ASPACK x.x or FLEXM x.x or one of those packers who serve as a $ solution for companies out there.

it's only a thesis, for school, after you finish it, no one will care anyhow!