Homegrown protector system, bad idea?

[utopiomania]

I have a vague idea about a homegrown protection, or licencing system, but I'm not shure how good or bad the
idea is. If you have any opinions please tell me. I'm shure there are som major flaws in there:


The idea is to create a small plugin for the IDE tool menu, called 'Protect'. When a user buys a licence via
PayPal:

1 - I load the source, open 'Tools/Protect' which asks for theusers name/email address.

2 - The protector swaps REM'ed tags in the source for code that protects the app (using the name/email details).

3 - It then creates a unique download page for the program and a unique distribution folder for it and compiles
the program into it.

4 - The protector then opens Outlook and fills in the details with the download link and a password and mails
them to the user.

5 - Finally, I grab all generated downloadpages and folders and upload them to the site.

The idea behind REM'ed tags is for simplicity. That way I could simply add, say 100 tags to the program to
avoid clutter and to stop the protection from interfering during coding.

I'm not shure what the protection code should do yet, but it could either add a username/password to the
program to allow the buyer to unlock it, or it could simply add the users name / email to the program in a
'registered to:' somewhere and make shure it isn't altered.

Well, there you are. Rip it apart.

[Trond]

Your hard disk will fill up quickly with one download for each customer.

[utopiomania]

Yes that could become a problem, but my offerings are so bad, they won't sell much anyway.

Seriously, I figured that if I could fit say 1000-2000 users into a Gb of webspace and make them
available for a limited period of time, <= 1 month for example (or by request) it could handle quite
a number of sells each year.

[Trond]

Yes, but many more if you simply check the password against a database before download. Very easily done with a php script.

[josku_x]

But be aware that nowadays hackers are more skilled at hacking databases. My server's database was hacked when I was testing our new cms. The hacker added several instructions for the database so it would accept all names and all passwords. Ofcourse I shutted down the server for a while as the hacker started to ping me... And I had all necessary protection you need.. But, now I have a more stable server

[thefool]

trouble is if just 1 user gets the software out on a filesharing thingy, its doomed.
Unless, you make your program download a sort of blacklist if it can find any internet connection (i know this can be cracked and so on, but it will stop the newbies..)

[dagcrack]

Talk about rudimentary systems "opens outlook" that one was funny!

For the emailing you should programm a service that does it for you ... using either your ISP's SMTP server/s or your own..

[thefool]

Wouldnt be hard

IF you want it to be proff, YOU send the email. NOT microsoft (besides, i don't use outlook for handling emails there are MANY that doesnt. Of course many that does too, but still. that would be pretty lame )

[techjunkie]

I have a vague idea about a homegrown protection, or licencing system, but I'm not shure how good or bad the
idea is. If you have any opinions please tell me. I'm shure there are som major flaws in there:

I'm not sure, but I think DDH Software is using a system like that (they have done PC and PDA Applications for a very long time). If you buy a product from them you get a unique binary that you can download "on-the-fly". The same goes for several other American Software Companies.

[EDIT]

I don't know if they just patch the binary with user identification or have some kind of compiler that creates a unique executable. Maybe a "jump-table" based on the user personal data?!?!

[utopiomania]

@Trond, is this what PureBasic does with our personal accounts? It seems ok, but a bit risky if the
program gets copied around like thefool said.

My scheme would produce unique binaries like the ones techjunkie describes. If I stamp them with the
users name/email and some user copies it around, he gets spammed!

@dagcrack, heh, you got me, ...but I never said this was rocket science.

[techjunkie]

My scheme would produce unique binaries like the ones techjunkie describes. If I stamp them with the
users name/email and some user copies it around, he gets spammed

Is it possible to read a computers MAC-adress over the Internet (or you can make an ActiveX component to do it)? If so, make a special compiler or change the assembler code to use the MAC-adress for all kind of operations.

[blueznl]

utopiomania, your idea has merit, what it would mean is that every executable is tailor made for every user out there

there is however another risk: that is you can't do 'streaming updates' or 'hot updates' as every executable is different

that, in turn, would mean you would have to limit the personalized stuff to a small section of the code, an external dll, whatever, or you would have to used fixed length fields (filled in with data at compilation time, true)

now, putting all exe's on a server appears to me to be not very usefull, what you might consider is writing a 'loader', a small program that downloads the code from a machine under your control, and that initializes a compilation action by your machine, that way you do not have to store countless versions of the code as it is generated all the time on the fly

such a 'loader' could identify the users machine etc. but should have the option of using a before downloaded copy, or a new one form the server

it's just an idea, and may make no sense

[techjunkie]

that, in turn, would mean you would have to limit the personalized stuff to a small section of the code, an external dll, whatever, or you would have to used fixed length fields (filled in with data at compilation time, true)

Why? You can embed it in the code in a smart way. Use the user data for functions in the program.

now, putting all exe's on a server appears to me to be not very usefull, what you might consider is writing a 'loader', a small program that downloads the code from a machine under your control, and that

Or - you can only saves the "deltas" / differens / patches of the binary. No need to save the whole executable when the process is automatic and repeatable.

[thefool]

you just forget one thing. Everything can be cracked

[utopiomania]

Thanks for the input. I would love to come up with a simple, good enough system but it's
not going to be as easy as my first thoughts suggested... Bad idea so far.

I'm not giving up, but the problem seems to be to keep it simple and practical. This isn't
easy, and I'm beginning to think it's better to just pay some company for a protector.