Gumroad is part of a movement of “friendly” DRM. You’re paying for support and updates. Intercepting a TLS call is easier said than done, but the ethos is around accepting pirates gonna pirate.
Intercepting a TLS call is dead easy if you are one of the endpoints, namely the client. You can just add your proxy's certificate to the machine's valid certs and Bob's your uncle. Cert pinning is a thing but it can also be defeated, especially if all the app is doing to pin the cert is asking the OS TLS facilities nicely to pin a cert, because OS TLS facilities are also user-controlled.
Any shop worth their salt is going to embed the cert chain in their app. In fact, you get that for free with pretty much every DRM lib, such as the ones major providers like Steam, Gumroad, etc. suggest.
Cert pinning can be defeated, but like I said, easier said than done. Not super advanced, but still requires specialized knowledge and a willingness to put the effort in.
themoonisachees|3 years ago
Hellion|3 years ago