Cracking Enterprise Software for Fun and no Profit
Ever since I was a broke teen, I've had an interest in reverse engineering software, and cracking it. I've always been one of those weird people who want to run a bunch of enterprise software.
I've censored company and product names, mostly because I don't want to end up high on Google when you search for "Company A crack". Also, as I post this, I've updated the theme to increase readability, and done a quick design pass on the code blocks. Feedback welcome.
Legalities
I'll start with the obvious - I haven't actually made a crack in about 10 years, and I no longer have any devices with those cracks on them. Now that police and lawyers have no more reason to read...
When talking about whether something is legal in practice, there are two factors to consider.
Legal liability
Your legal liability is the laws and agreements you break, and how fucked you are if arrested or sued.
This is one of the more complex topics, and generally something to approach Legal over if you're doing this as part of a company.
In the European Union, you are largely going to operate under Article 5 § 3 of Directive 2009/24/EC, which grants exceptions to the rights enumerated in Article 4. Fundamentally, it means that if you have the right to use a program, you have the right "to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do", even without the permission of the rightsholder.
Important thing to note there is "any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do" which means you're severely limited on what you're actually allowed to do - you may not decompile code, for example. At least case law allows you to decompile software in order to fix bugs.
But, this is nuanced, I am not a lawyer, and if you care about this part, you need to ask one. I usually rely on the second factor.
Enforcement
This one is pretty simple - will the police come to arrest you, or will the company sue you?
First of all, if you're running around cracking shit, and constantly uploading them under a pseudonym, the police is going to come knocking on your door. Don't do that. Don't distribute cracks, use it as a learning opportunity at best.
Second, if you're doing things as part of your job, and your company is paying their license fees, and there's no way paying more money to the software company solves the problem, they probably don't care. Suing your customers is bad for business.
For example, say Company A makes some enterprise software that your company has purchased, which is used on an automatically provisioned machine. This has a DRM system that requires manually authorizing and deauthorizing it, or you have to contact their support to have a license key reissued. Your company has a policy that all automatically provisioned machines must be replaced monthly. Figuring out how this DRM ticks, and how to transfer the registration is technically against the license agreement, but in the end, Company A does not offer floating licenses, you're not using it on more machines than what you pay for, and you don't have to contact their support every three months because the machine got wiped before you could deauthorize it. Not that I would know.
Next, if you're cracking some enterprise software for your homelab, and not distributing the crack, most companies really don't care. If their minimum price is five digits USD, or "contact us", you're not a potential customer with your clapped out Dell PowerEdge that's 10 years out of support and requires an old version of Java 8 to run the remote KVM.
Some companies are more litigious though. You probably don't want to invite the trouble of any company whose running joke is that they have a bigger legal department than they have R&D.
Why Enterprise Software?
Now that we've gone over legalities and your risk, and you've decided you want to try this, either as a first reverse engineering stint, or to try out making cracks, why enterprise software?
The simple answer is that copyright protection, DRM, whatever you want to call it, is a cost. Companies really don't want to spend more money on it than they have to, and for regular consumer software, they have to. All you have to do to see why is to use Google. CensoredEnterpriseProduct "crack" returns 11900 results, while CensoredDeveloperProduct "crack" returns 71500 results.
What this means in practice, is that enterprise software tends to not have obfuscation, or a bunch of third party tools trying to make your life harder. I've seen plenty of enterprise software ship with a class called LicenseManagement
that has a function called Verify
. You'll never find this in regular consumer software. This is great for getting started.
However, unlike a lot of customer software, they are snitches.
Snitches?
Enterprise software loves to snitch on the people running them. They will print licensing information in places obvious, in places non-obvious, and in some cases, especially for hosted software, have undocumented API endpoints that reveal enough information about the license key used that the software company can even scan the internet for improperly licensed instances.
The one thing they tend to not do, is call home. Enterprise comes with weird requirements and obstacles in deployment, and calling home is a sore subject at times. Usually, it's solved by enabling audits though the license signed when buying the software instead.
In other words, if you're cracking some enterprise software to run in a lab, don't expose it on the internet. It will probably rat you out.
The Novelty
Enterprise software is rarely looked at and appreciated - they are bought by higher ups in suits, and employees are forced to use them in their day to day work. Some of them are quite different when viewed from a different light - the technical side that enables it, using it when you feel like it, and exploring the possibilities and downright weird features that you know were added because of some requirement from a big customer.
It's a new frontier for technical exploration. Give it a shot.