Software cracking (known as "breaking" in the 1980s) is the
modification of software to remove or disable features which are
considered undesirable by the person cracking the software, especially
copy protection features (including protection against the
manipulation of software, serial number, hardware key, date checks and
disc check) or software annoyances like nag screens and adware.
A crack refers to the means of achieving software cracking, for
example a stolen serial number or a tool that performs that act of
cracking. Some of these tools are called keygen, patch, or loader.
A keygen is a handmade product serial number generator that often
offers the ability to generate working serial numbers in your own
name. A patch is a small computer program that modifies the machine
code of another program. This has the advantage for a cracker to not
include a large executable in a release when only a few bytes are
changed. A loader modifies the startup flow of a program and does
not remove the protection but circumvents it. A well-known
example of a loader is a trainer used to cheat in games. Fairlight
pointed out in one of their
.nfo files that these type of cracks are
not allowed for warez scene game releases. A nukewar has
shown that the protection may not kick in at any point for it to be a
The distribution of cracked copies is illegal in most countries. There
have been lawsuits over cracking software. It might be legal to
use cracked software in certain circumstances. Educational
resources for reverse engineering and software cracking are, however,
legal and available in the form of
4 See also
The first software copy protection was applied to software for the
Apple II, Atari 800, and
Commodore 64 computers..
Software publishers have implemented increasingly complex methods in
an effort to stop unauthorized copying of software.
On the Apple II, unlike modern computers that use standardized device
drivers to manage device communications, the operating system directly
controlled the step motor that moves the floppy drive head, and also
directly interpreted the raw data, called nibbles, read from each
track to identify the data sectors. This allowed complex disk-based
software copy protection, by storing data on half tracks (0, 1, 2.5,
3.5, 5, 6...), quarter tracks (0, 1, 2.25, 3.75, 5, 6...), and any
combination thereof. In addition, tracks did not need to be perfect
rings, but could be sectioned so that sectors could be staggered
across overlapping offset tracks, the most extreme version being known
as spiral tracking. It was also discovered that many floppy drives did
not have a fixed upper limit to head movement, and it was sometimes
possible to write an additional 36th track above the normal 35 tracks.
Apple II copy programs could not read such protected
floppy disks, since the standard DOS assumed that all disks had a
uniform 35-track, 13- or 16-sector layout.
programs such as Locksmith and Copy II Plus could sometimes duplicate
these disks by using a reference library of known protection methods;
when protected programs were cracked they would be completely stripped
of the copy protection system, and transferred onto a standard format
disk that any normal
Apple II copy program could read.
One of the primary routes to hacking these early copy protections was
to run a program that simulates the normal CPU operation. The CPU
simulator provides a number of extra features to the hacker, such as
the ability to single-step through each processor instruction and to
examine the CPU registers and modified memory spaces as the simulation
runs (any modern disassembler/debugger can do this). The Apple II
provided a built-in opcode disassembler, allowing raw memory to be
decoded into CPU opcodes, and this would be utilized to examine what
the copy-protection was about to do next. Generally there was little
to no defense available to the copy protection system, since all its
secrets are made visible through the simulation. However, because the
simulation itself must run on the original CPU, in addition to the
software being hacked, the simulation would often run extremely slowly
even at maximum speed.
On Atari 8-bit computers, the most common protection method was via
"bad sectors". These were sectors on the disk that were intentionally
unreadable by the disk drive. The software would look for these
sectors when the program was loading and would stop loading if an
error code was not returned when accessing these sectors.
programs were available that would copy the disk and remember any bad
sectors. The user could then use an application to spin the drive by
constantly reading a single sector and display the drive RPM. With the
disk drive top removed a small screwdriver could be used to slow the
drive RPM below a certain point. Once the drive was slowed down the
application could then go and write "bad sectors" where needed. When
done the drive RPM was sped up back to normal and an uncracked copy
was made. Of course cracking the software to expect good sectors made
for readily copied disks without the need to meddle with the disk
drive. As time went on more sophisticated methods were developed, but
almost all involved some form of malformed disk data, such as a sector
that might return different data on separate accesses due to bad data
alignment. Products became available (from companies such as Happy
Computers) which replaced the controller BIOS in Atari's "smart"
drives. These upgraded drives allowed the user to make exact copies of
the original program with copy protections in place on the new disk.
On the Commodore 64, several methods were used to protect software.
For software distributed on ROM cartridges, subroutines were included
which attempted to write over the program code. If the software was on
ROM, nothing would happen, but if the software had been moved to RAM,
the software would be disabled. Because of the operation of Commodore
floppy drives, one write protection scheme would cause the floppy
drive head to bang against the end of its rail, which could cause the
drive head to become misaligned. In some cases, cracked versions of
software were desirable to avoid this result. A misaligned drive head
was rare usually fixing itself by smashing against the rail stops.
Another brutal protection scheme was grinding from track 1 to 40 and
back a few times.
Most of the early software crackers were computer hobbyists who often
formed groups that competed against each other in the cracking and
spreading of software. Breaking a new copy protection scheme as
quickly as possible was often regarded as an opportunity to
demonstrate one's technical superiority rather than a possibility of
money-making. Some low skilled hobbyists would take already cracked
software and edit various unencrypted strings of text in it to change
messages a game would tell a game player, often something considered
vulgar. Uploading the altered copies on file sharing networks provided
a source of laughs for adult users. The cracker groups of the 1980s
started to advertise themselves and their skills by attaching animated
screens known as crack intros in the software programs they cracked
and released. Once the technical competition had expanded from the
challenges of cracking to the challenges of creating visually stunning
intros, the foundations for a new subculture known as demoscene were
Demoscene started to separate itself from the illegal
"warez scene" during the 1990s and is now regarded as a completely
different subculture. Many software crackers have later grown into
extremely capable software reverse engineers; the deep knowledge of
assembly required in order to crack protections enables them to
reverse engineer drivers in order to port them from binary-only
drivers for Windows to drivers with source code for
Linux and other
free operating systems. Also because music and game intro was such an
integral part of gaming the music format and graphics became very
popular when hardware became affordable for the home user.
With the rise of the Internet, software crackers developed secretive
online organizations. In the latter half of the nineties, one of the
most respected sources of information about "software protection
reversing" was Fravia's website.
Most of the well-known or "elite" cracking groups make software cracks
entirely for respect in the "Scene", not profit. From there, the
cracks are eventually leaked onto public
Internet sites by
people/crackers who use well-protected/secure FTP release archives,
which are made into full copies and sometimes sold illegally by other
The Scene today is formed of small groups of skilled people, who
informally compete to have the best crackers, methods of cracking, and
The High Cracking University (+HCU), was founded by Old Red Cracker
(+ORC), considered a genius of reverse engineering and a legendary
figure in RCE, to advance research into Reverse Code Engineering
(RCE). He had also taught and authored many papers on the subject, and
his texts are considered classics in the field and are mandatory
reading for students of RCE.
The addition of the "+" sign in front of the nickname of a reverser
signified membership in the +HCU. Amongst the students of +HCU were
the top of the elite Windows reversers worldwide. +HCU published a
new reverse engineering problem annually and a small number of
respondents with the best replies qualified for an undergraduate
position at the university.
Fravia was a professor at +HCU. Fravia's website was known as
"+Fravia's Pages of Reverse Engineering" and he used it to challenge
programmers as well as the wider society to "reverse engineer" the
"brainwashing of a corrupt and rampant materialism". In its heyday,
his website received millions of visitors per year and its influence
Nowadays most of the graduates of +HCU have migrated to
Linux and few
have remained as Windows reversers. The information at the university
has been rediscovered by a new generation of researchers and
practitioners of RCE who have started new research projects in the
The most common software crack is the modification of an application's
binary to cause or prevent a specific key branch in the program's
execution. This is accomplished by reverse engineering the compiled
program code using a debugger such as SoftICE, x64dbg,
OllyDbg, GDB, or
MacsBug until the software cracker reaches the
subroutine that contains the primary method of protecting the software
(or by disassembling an executable file with a program such as IDA).
The binary is then modified using the debugger or a hex editor or
monitor in a manner that replaces a prior branching opcode with its
complement or a
NOP opcode so the key branch will either always
execute a specific subroutine or skip over it. Almost all common
software cracks are a variation of this type. Proprietary software
developers are constantly developing techniques such as code
obfuscation, encryption, and self-modifying code to make this
modification increasingly difficult. Even with these measures being
taken, developers struggle to combat software cracking. This is
because it is very common for a professional to publicly release a
simple cracked EXE or Retrium Installer for public download,
eliminating the need for inexperienced users to crack the software
A specific example of this technique is a crack that removes the
expiration period from a time-limited trial of an application. These
cracks are usually programs that alter the program executable and
sometimes the .dll or .so linked to the application. Similar cracks
are available for software that requires a hardware dongle. A company
can also break the copy protection of programs that they have legally
purchased but that are licensed to particular hardware, so that there
is no risk of downtime due to hardware failure (and, of course, no
need to restrict oneself to running the software on bought hardware
Another method is the use of special software such as
CloneCD to scan
for the use of a commercial copy protection application. After
discovering the software used to protect the application, another tool
may be used to remove the copy protection from the software on the CD
or DVD. This may enable another program such as Alcohol 120%,
CloneDVD, Game Jackal, or
Daemon Tools to copy the protected software
to a user's hard disk. Popular commercial copy protection applications
which may be scanned for include
SafeDisc and StarForce.
In other cases, it might be possible to decompile a program in order
to get access to the original source code or code on a level higher
than machine code. This is often possible with scripting languages and
languages utilizing JIT compilation. An example is cracking (or
debugging) on the .NET platform where one might consider manipulating
CIL to achieve one's needs. Java's bytecode also works in a similar
fashion in which there is an intermediate language before the program
is compiled to run on the platform dependent machine code.
Advanced reverse engineering for protections such as SecuROM,
SafeDisc, StarForce, or
Denuvo requires a cracker, or many crackers to
spend much time studying the protection, eventually finding every flaw
within the protection code, and then coding their own tools to
"unwrap" the protection automatically from executable (.EXE) and
library (.DLL) files.
There are a number of sites on the
Internet that let users download
cracks produced by warez groups for popular games and applications
(although at the danger of acquiring malicious software that is
sometimes distributed via such sites). Although these
cracks are used by legal buyers of software, they can also be used by
people who have downloaded or otherwise obtained unauthorized copies
(often through P2P networks).
List of warez groups
^ Kevelson, Morton (October 1985). "Isepic". Ahoy!. pp. 71–73.
Retrieved 27 June 2014. The origin of the term probably lies in the
activity burglars perform in the still of the night.
^ Tulloch, Mitch (2003). Microsoft Encyclopedia of Security (PDF).
Redmond, Washington: Microsoft Press. p. 68.
^ Craig, Paul; Ron, Mark (April 2005). "Chapter 4: Crackers". In
Software Piracy Exposed - Secrets from the Dark Side
Revealed. Publisher: Andrew Williams, Page Layout and Art: Patricia
Lupien, Acquisitions Editor: Jaime Quigley, Copy Editor: Judy Eby,
Technical Editor: Mark Burnett, Indexer: Nara Wood, Cover Designer:
Michael Kavish. United States of America: Syngress Publishing.
pp. 75–76. doi:10.1016/B978-193226698-6/50029-5.
^ a b FLT (2013-01-22). "The_Sims_3_70s_80s_and_90s_Stuff-FLT". This
can be the only reason you have come to the conclusion that a modified
startup flow is the same like the imitated behavior of a protection,
like an EMU does it.
^ Shub-Nigurrath [ARTeam]; ThunderPwr [ARTeam] (January 2006).
"Cracking with Loaders: Theory, General Approach, and a Framework".
CodeBreakers Magazine. Universitas-Virtualis Research Project. 1 (1).
A loader is a program able to load in memory and running another
^ Nigurrath, Shub (May 2006). "Guide on how to play with processes
memory, writing loaders, and Oraculumns". CodeBreakers Magazine.
Universitas-Virtualis Research Project. 1 (2).
^ FLT (2013-09-29). "Test_Drive_Ferrari_Legends_PROPER-FLT".
Test.Drive.Ferrari.Racing.Legends-SKIDROW was released with a "Loader"
and not a cracked exe. This is why you see the original exe renamed to
"TDFerrari_o.exe". As this is not allowed and in this case
considerably slows down the game with Xlive messages while starting
and playing the game, you can see why we have included a proper
^ SKIDROW (2013-01-21).
"Test.Drive.Ferrari.Racing.Legends.Read.Nfo-SKIDROW". Yes our "method"
is a loader and our competitors have used the same method for
"cracking" xlive games like this.
^ "Batman.Arkham.City-FiGHTCLUB nukewar". 2011-12-02. Archived from
the original on 2014-09-13. UNNUKED: game.plays.full no.issues
^ Cheng, Jacqui (2006-09-27). "Microsoft files lawsuit over DRM
crack". Ars Technica.
Fravia (November 1998). "Is reverse engineering legal?".
^ Pearson, Jordan (24 July 2017). "Programmers Are Racing to Save
Software Before It Goes Extinct". Motherboard. Archived from
the original on 26 December 2017. Retrieved 27 January 2018.
^ a b c d e Cyrus Peikari;
Anton Chuvakin (12 January 2004). Security
Warrior. "O'Reilly Media, Inc.". p. 31.
^ Ankit, Jain; Jason, Kuo; Jordan, Soet; Brian, Tse (April 2007).
Software Cracking (April 2007)" (PDF). The University of British
Columbia - Electrical and Computer Engineering. Retrieved 27 January
^ Wójcik, Bartosz. "
Reverse engineering tools review". pelock.com.
PELock. Archived from the original on 13 September 2017. Retrieved 16
^ Gamecopyworld Howto
Amateur press association
Tracker (MOD) music
Experimental musical instrument
Cinema of Transgression
No budget film
No Wave Cinema
Open-source video game
Independent soft drink
Independent circuit (wrestling)
Independent TV station
Do it yourself
Do it yourself (DIY ethic)