Saturday, April 23, 2011

Fravia+ || Legal aspects of reverse engineering

__Is reverse engineering legal?__

Version November 1998


[European Union's laws] ~ [United States' laws] ~ [Why we crack]
[The 'legal scarecrow' saga] ~ [Intellectual Property Protection]

Additions and slightly different positions
1) The+Starling's essay


Reverse engineering a program you have legitimately bought and studying or modifying its code is perfectly LEGAL, at least in the European Union, as long as
* You do it only for your personal use or for "educational purposes" (i.e. study)
* You do not use big chunks of the code for applications you SELL
You may for instance completely modify Wordpad for your personal use, as I did, in order to have as defaults *.txt, *.alf and *.asm instead of the almost useless *.doc
You may rip off whatever code you want from whichever application you want in order to use it, modify it, squash it with a mace or throw it away :-)

Well, let's demonstrate it... here is the law:

European Union Directive, (Software Copyright Protection) 14 May 1991:

Article 6: Decompilation   1. The authorization of the rightholder shall not be required where reproduction of the  code and translation of its form within the meaning of Article 4 (a) and (b) are  indispensable to obtain the information necessary to achieve the interoperability  of an independently created computer program with other programs, provided that  the following conditions are met:...
This, translated, means that you do not need "the authorization of the rightholder" like you would for 4a (temporary reproduction of a program) or 4b (translation, adaption, arrangement and any other alteration of a program) if this is necessary to debug and/or run the crap you have bought. The "following conditions" are that you do it yourself and only insofern as you deem to need it really.

Note -what's even MORE important for reverse engineering- that at article 5 there are some EXCEPTIONS to the restricted acts:

Article 5:  Exceptions to the restricted acts   1. In the absence of specific contractual provisions, the acts referred to in  Article 4 (a) and (b) shall not require authorization by the rightholder  where they are necessary for the use of the computer program by the lawful  acquirer in accordance with its intended purpose, including for error correction.   2. The making of a back-up copy by a person having a right to use the  computer program may not be prevented by contract insofar as it is  necessary for that use.   3. The person having a right to use a copy of a computer program shall be  entitled, without the authorization of the rightholder, to observe, study  or test the functioning of the program in order to determine the ideas  and principles which underlie any element of the program if he does so  while performing any of the acts of loading, displaying, running,  transmitting or storing the program which he is entitled to do.

Quite right! Obviously there cannot be a "looking under the cover is forbidden" policy, which would lame all technical development (it's already lamed enough like it is now), therefore you may observe, study or test the functioning of any program you fancy (the reason is that they could not have forbidden it anyway :-) sipping your favourite Martini
There is another point at art.7.1.(c) that refers to "technical devices which may have been applied to protect a computer program", which could be of interest for us:
...Member States shall provide, in accordance with their national legislation, appropriate remedies against a person committing...   (c) any act of putting into circulation, or the possession for commercial purposes  of, any means the sole intended  purpose of which is to facilitate the unauthorized  removal or circumvention of any technical device which may have been applied to  protect a computer program.

But this refers -at most- to dongles-cracking and it is clearly intended for mass-burning of pirated cd-roms (which BTW is a big industry in the far East and in the Ex-Yugoslavian Lilliput states)

US law seems to be more restrictive (which is obvious, given the way our planet is ruled, since the States lead themselves the software industry and therefore defend their own interests... software protection laws will probably be much more permissive only when the new software will be mainly produced by the poor countries), see, for the differences between European Union's laws and US' laws , the articles at

Here is an interesting snippet about disassembling and law in the States, 1992

Disassembly of Object Code

Sega v. Accolade, decided by the Ninth Circuit in 1992, makes clear that, in certain instances, the unauthorized disassembly of a computer program's object code in order to derive source code is not a copyright infringement. The Ninth Circuit applied the 'fair use' balancing test to determine that Accolade's use of reverse engineering techniques to produce an 'intermediate copy' of Sega's source code did not constitute copyright infringement. Accolade never distributed the intermediate copy commercially, but instead used it only to extract unprotectable ideas � a sequence of bytes which act as a software key � from Sega's game program. This key was then incorporated into Accolade's games, enabling them to 'unlock' and run on Sega's game platforms. The court cautioned, however, that disassembly involves the making of a literal copy of a program, and it is permissible only when necessary to extract the unprotectable ideas. It is unclear how far this fair use right extends.

This brings us nowhere... the whole subject seems pretty unregolated as for now... it would be worth to examine and "reverse engineer" (if you are a lawyer or a specialist in applied semantics) the various "scarecrow" information that we always find inside all software packages... some of them are so severe and unpolite that seem written by an Orwellian fanatic or a "Farenheit 451" follower :-). See below about this aspect.


Now the "why we crack" part: We are defeating mainly copy protection schemes (but see my two lessons on how to completely reverse engineer a Windows 3.1 application) bacause that's fun, and this way we can get a lot of people on the bandwagon, for the challenge, and because we believe firmly that every knowledge (in fact I believe everything) should be free (in the web and in the whole world)... but we are doing NOTHING at all compared with that what is really happening around you:
Every program you can think of can be found on the web, (in thousand different ftps) in its COMPLETE version many WEEKS before it ever appears in the best shops, as everyone with intelligence level "eggplant" soon discovers.
There are obviously differences among all the stupid countries of the planet... You may want to have a look here in order to consider where you would be able to buy/produce pirated software or where you should install your server for more "aimed" reverse engineering activities or whatever:-) Besides, since there are "money" and "tax" paradises (and -how funny- nobody makes much fuss about that), why shouldn't there exist "software" paradises? (Obvious answer: because money paradises are useful for the rich, software paradises would be useful for the poor :-(

And that's the huge "illegal" part of it, but there is also a huge "legal" pirating (forced by the fierce concurrence in the software market and by the mere existence of the warez scene on the Web):

Programs and applications are being now sold on Magazine's CD-ROMs IN THEIR COMPLETE VERSION few months after their first appearence for next to nothing... this began in Europe 5 months ago and the rithmus (and the quality of the software) has increased enormously: I saw some days ago Panzer general 2 complete (CD Player n.19), Ticonderoga complete (both not at all so old games: late 1996!) Database 5 and the whole Lotus set '97 complete and unrestricted (PcPlus 35b, with the complete Borland Delphi 1 and the complete "ImagePals" as well) on various magazine's cd-rom. The same Lotus set was, for instance, sold in its boxes at the software retailer for TWENTY times the magazine price, it may sound illogic, but it is exactly so... Lotus is scared dead to disappear (thanks to the Micro$oft war against all other software producers... funny, there never seem to be any law against this kind of actions , btw :-( and Lotus is therefore compelled, like Netscape, to give away for free its software just in order to survive... yet even these magazines with 600 megabytes of good software on them every month are selling less and less (hence the fierce concurrence) because everything is already on the web for free...

And all this is only the top of the Iceberg: Hundred of THOUSAND of BBS all around the world push around tons of Megabytes of pirated software, which to day you may easily burn on cd-roms in order to distribute them at your friends on your birthday party. Cheaper than buying a cake

And that was for the big commercial" software companies. Shareware programmers are NOT damaged by good crackers (who study assembly and are mostly programmers themselves) but by themselves, when they program with useless overbloated languages huge toy-applications and by "serial numbers aficionados", people that prepare and distribute huge lists with millions of validation codes that you can find everywhere on the web.

On our pages there is not a single pirated copy of software... we do not need pirated copies since we are able to crack them in spades anytime we fancy (or to fetch them immediately from the web... we don't even need to keep programs on our harddisk any more, would be like hoarding leaves in a forest) besides we do not even care much for the software we crack... in fact (apart our beloved Softice) we are much more interested in the protection schemes themselves than in the software they protect, which most of the time is pure crap. As you'll see in some examples of +ORC's tutorial and in many students' essays, we even AMELIORATE the programs we crack.
We do not steal, we study, and the software development will soon depend (and in part depends already) from the capacities that we (and almost nobody else) are developing: who else if not a cracker will in few years time be able to compact and ameliorate already existing, lame applications? I believe the society is already changing, and in my opinion the fact that you have worked in something like the +HCU will soon open you quite a lot of doors :-)

As you'll read on the (very important) red student page, one of our problems, is that the protection schemes are (mostly) incredibly stupid. That's why we have decided to begin writing and devising much stronger protection schemes ourselves... for the challenge and in order to improve ourselves, seen that the commercial programmers are not able to give us any "cheap thrills" any more... how could they? Most programmers seem to work for useless money, not for the (very important) pleasure, nor for the only thing that really matters in this new age we are already in: knowledge!

You may want to have a look at some programmers' discussions in my counter intelligence section, at some advices for programmers in my How to protect better and programmers' corner sections.


('Legal scarecrow' agreements are NOT legally binding)
Most licence agreement (that thing that you click "I agree" on and never read, where you agree to give up your first born child and let your sister be sold as a slave :-) include a clause that prohibits reverse engineering. A couple of examples...
IF YOU AGREE TO THE DISCLAIMER AND LICENSE YOU MAY:  (i) use this software on as many computers as you wish at no charge for  up to but no more than 30 days. After 30 days of use you must either  discontinue the use of this software or purchase a registered version  for each computer that you are going to use this software on.  YOU MAY NOT:  (i) sublicense, rent, sell,  or lease any portion of this software;  (ii) reverse engineer, decompile, disassemble, modify, translate,  make any attempt to discover the source code of this software, or  create derivative works from this software; or  (ii) continue use of this software after your 30 day trial.  DISCLAIMER OF DAMAGES:  We have made every effort possible to ensure that this software is free  of any bugs or errors, however in no way is this software to be considered  error or bug free.  By using this software you assume all responsibility  for any damages or lost data that may result from any errors or bugs in this software.  Regardless of whether any remedy set forth herein fails  of its essential purpose, in no event will our Software house be liable  to you for any special, consequential, indirect or similar damages,  including any lost profits or lost data arising out of the use or inability  to use this software...

Note that you should not "reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code", as if the source code of a software product were a 'private secret' that third parties are not even allowed to examine...

Here another example:
You may not:  * permit other individuals to use the Software except  under  the terms listed above; * permit concurrent use of the Software; * modify, translate, reverse engineer, decompile, disassemble  or create derivative works based on the Software; * copy the Software other than as specified above; * rent, lease or otherwise transfer rights to the Software; or * remove any proprietary  notices or labels on the Software.  TITLE  Title, ownership rights, and intellectual property rights in  the Software  shall  remain  in  Our Software house  and/or  its   suppliers.  The Software is protected by the copyright laws and treaties.  Title and related rights in the content accessed through the Software is the property of the applicable content owner and may  be  pro- tected  by  applicable  law.  This License gives you no rights to such content.  TERMINATION  The license will terminate automatically if you  fail  to  comply with  the limitations described herein.  On termination, you must destroy all copies of the Software and Documentation.

Here there seems to be an interesting possibility. I reverse the software. License has been violated and terminate. I then destroy all copies of the software, and have then respected the licence. And so on ab absurdo. Like the never-ending sentence "All crackers are liers, lied the cracker".
OK, it is clear that such 'scarecrow' agreements are as funny and preposterous as you wish, yet of course NOT legally binding. Let's demonstrate it ab absurdo: If they were legally binding, then ANY agreement of this sort would be, and then anyone, you or me, could prepare on his own a small program (I promise that I'll really write it myself as soon as I find the time) that acts as a small 'wrapper' for all this kind of software (I really wish that a good lawjer will correct this in order to make our own 'legal scarecrows' even more dangerous-looking than those used by some softwarehouses...):
Your software is entering my private computer. By trespassing this memory point you agree to allow complete possession  of your software to the legitime owner of this computer, and specifically  you completely and irrevocabily agree to allow  any modify, translate, reverse engineer, decompile, disassemble  or create derivative works based on this Software that  the legitime owner of this memory fancies. You also declare as void and inexistent any  other conditions/agreements regarding your software that may preposterously  be triggered by your software inside  the RAM hosting you. Finally you accept also COMPLETE RESPONSABILITY for any malfunctioning your  software will have caused to the owner of the hardware you are allow  to visit -take note- ONLY if you accept this. If you don't wish to accept these conditions, please leave immediatly this private  memory and completely remove you software from this private hardware. By trespassing this memory point you have completely agreed to the above. [add  date with hours, minutes and seconds here] + [Sign with the version name of the  software]

. Ab absurdo, as I said... yet, see, either both "agreements" are valid or neither is... you cannot have the cake and eat it.
I would say that we could keep it this way: anyone may reverse the hell out of everything, provided he does not steal or sell alien code.
The only binding texts are the NATIONAL LAWS governing software reversing and we have already seen that 'at least in the European Union): 5(3): 3. The person having a right to use a copy of a computer program shall be entitled, without the authorization of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do..
And that's it, if you want to have a look at OTHER METHODS to avoid this legal hassle, have a look at my short essay Scarecrow license agreements and how to defeat them.


(Patents, Trade secrets, copyrights and trademarks)

Patents for new ideas and designs, are registered in the Public record at the Patent Office
Some encryption algorithms (like the RSA Public-Key algorithm) are patented.

Trademarks are not a problem if you write somewhere the following (I'm writing it here and yet it covers my whole site! :-)

All Fravia products and scripts are trademarks or registered trademarks of  Fravia. Other brand and product names are trademarks or registered trademarks of  their respective holders
And that's all.

Trade secrets are information of a given company that give competitive advantages, like the CocaCola recipe.
To protect against revealing other people secrets when you publish information gained from others (like I do continuously, for instance, on my student page), you better write the following somewhere:

All authors whose scripts are accepted for publishing on Fravia's site  warrant and represent that their work is original; that the author is either  its sole author, or that he or she has the legal power to make this agreement  if there are coauthors and that he or she has notified the co-authors of this  agreement; and that the work does not impair anyone else's rights of any kind.  The author agrees to indemnify Fravia against loss or damage (including  reasonable attorney's fees) arising out of any claim alleging a breach of  these warranties and representations.
And that's all following some european attorneys, it's not enough following some american ones (please write me more :-).

Copyright on everything one's write is automatically created at the time you create an original work, provided you add somewhere on your site the following:

Copyright (c) 1995, 1996, 1997, 1998, 1999 Fravia. All rights reserved
Which I do here :-)

Theoretically, after having written all what you can read above, noone should be able to use any part of my site without asking for permission or paying me royalties, unfortunately, given some of the subjects of my site, I doubt that I would find a court able to help much in case of a claim of mine :-)

You are deep inside Fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays toolscocktails
search_forms antismut mailFravia

red (c) Fravia 1995, 1996, 1997, 1998. All rights reserved

Posted via email from Whistleblower

No comments:

Post a Comment