Security Tool/DLL for Online Activation
-
- Enthusiast
- Posts: 746
- Joined: Fri Jul 14, 2006 8:53 pm
- Location: Malta
- Contact:
Security Tool/DLL for Online Activation
Ladies & Gentlemen,
I'm not sure if this is the right place to publish this
But I have seen many posts regarding security piracy etc
And it concerned me too.....so I diverged from my actual project and developed a system for securing apps against duplications with online activation. My intention is to have a beta ready for CeBIT....maybe I find a good client there (wishful thinking?) but completion would not be far off. I have lots of experience with security since I work as a consultant and have and have had many banks as clients.
I do not want to divulge many details, but me being totally paranoid, all security measures have backup....i.e. 4 different types of encryption are used. Activation has to be done online....though I also devised a clever semi offline activation process...later on this one. Anti-clock features and anti debug, data & code packing, obfuscation. And the possibility to activate features server side (both online and offline)
Of course I'm sure there might be some questions or ideas which I might have missed...so please advise.
It's developed in PB....so once I figure out how to make user libraries I can make it a library for PB...but my intention is to make it as a DLL. I also found a way how to protect from it being bypassed, allowing me also to create a demo for it.
Of course I would also be interested if there are people frequenting this forum who would be interested in it ?
Cheers
KingLestat
-
- Enthusiast
- Posts: 746
- Joined: Fri Jul 14, 2006 8:53 pm
- Location: Malta
- Contact:
- Joakim Christiansen
- Addict
- Posts: 2452
- Joined: Wed Dec 22, 2004 4:12 pm
- Location: Norway
- Contact:
All that online crap is _way_ overrated. Really, there is no big difference from the cracker's point of view between cracking online checks or offline checks. No matter if it's a duplication check or whatever.
The only reasonable places to check are at autoupdates or something else that requires an internet connection anyway.
I can say for sure that it can and will be cracked. Nevertheless I find it interesting and I would like to try it
Whole point is to delay the crackers.
How do you protect against memory dumping and in-memory patches? I have various ways here, but really it's not something easy to protect against. The only good way is to only decrypt a part of the code at a time. And still there are ways to crack this, as you would have to decrypt the checks to use them, and if you smack a breakpoint there, you can view it. Then you just gotta apply the in-memory patch at the right time
But throw it up. I'm interested
-
- Enthusiast
- Posts: 229
- Joined: Wed May 14, 2003 3:38 pm
- Location: Lüneburg - Germany
Ok, I follow this and the other thread for some time now.
Alanis Morissette wrote: And isn't it ironic...
Before spending money and time for protecting your piece of software, check if you've purchased valid licenses for all the applications you've installed.
My favorite numbers: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
-
- Enthusiast
- Posts: 746
- Joined: Fri Jul 14, 2006 8:53 pm
- Location: Malta
- Contact:
thanks for the feedback
And I do apologize if I was rather cryptic about explaining the inner workings. From experience many cracks/hacks usually start "at home". I.e. a developer willfully or unwillfully gives out pieces of code or info which somebody misuses....hence my paranoia. But I promise to divulge more and more info...as for me this is only a pet project, so I get some finances for the real project I wish to develop.
To answer a question...I use original and free software. On occasion I have used cracked software myself before buying. Nowadays really you can buy many reasonable software, and some free stuff much better than originals.
Now to my reasoning and why I call it online
Let us start with the serials:
Let's say the serials are generated mathematically. OK you can have a very good encryption and generator. But fact is time works against us (faster computers) and eventually a generator match is found. So in my case the serials are pre-generated per customer, split, and stored in the program and in the registry. And stored in my activation server. Client decides how often a sync happens with online server. And with each registered serial + activation code there is client registration and a hw id (if client wants it). Each location uses a different encryption algorithm with a different key. So a software cannot be activated twice...or client is contacted via his contact details to verify theft...and new activation generated...etc.
The second assumption is that code should follow a certain logic. I have tried to make code which is not "clean". E.g. I don't necessarily know which algorithm was used to encrypt....I will try each one till I hit the right one. Nonetheless 3 out of 4 are always called in any case. And various keys are used.
When sending data to and from server, data is kept and stored encrypted and to decrypt it I need a template file which is created unique per customer (and which is not available online). The server uses a man-in-the-middle approach to decrypt. I.e. server is connected to another server on an internal 2 IP subnet with private IPs with all ports blocked barring the port used to communicate with the decryptor and field splitter.
I can see somebody thinking....what if you have 20,000 (or more serials??)
Well, if I DO get such clients...I will afford to buy a new car! Though I do have an idea for this as well....just don't see it as a high priority, as my belief is that it's "small" developers who suffer most from piracy. After all somebody who (like me) has to develop during "sleep" or "fun" time as his daytime job already consumes lots of hours...then they write a piece of software, ask a small price for it....but people still pirate it!
Of course there is much more. I do agree that everything can be hacked given time, patience and money. Yet avoiding standards and known "proven" techniques and combining diverse approaches to the same end I believe is a key which is often missed by even the cleverest...for the reason of not being logical. To give an example which I have seen posted before....about the best sorts
testing sorts with up to 100,000 items nowadays doesn't make such a big difference. But when elements go to millions ? So a developer COULD make different sorting techniques for the different scenarios. But it is not often done. Correct me if I am wrong...as this has been my perspective.
Yes I have seen in these forums some really brilliant guys with excellent code, and is why I thought was a good place to start
Your comments are, of course, appreciated, as always
cheers
KingLestat
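The server side of the scheme described in the post above (pre-generated serials, one activation per serial, optional hardware ID, periodic sync), sketched as an added example that is not the poster's code. The class and method names, the HMAC-SHA256 token and storing only a SHA-256 digest of each serial on the server are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I lookalikes


def new_serial(groups=4, size=4):
    """Random serial: there is no generator algorithm for a keygen to recover."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(size))
        for _ in range(groups)
    )


class ActivationServer:
    """Hypothetical activation service; all state is kept in memory."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._issued = {}        # serial digest -> {"customer", "hw_id"}
        self.review_queue = []   # (customer, hw_id) pairs needing a manual check

    @staticmethod
    def _digest(serial):
        # The server keeps a digest, so a leaked table does not leak serials.
        return hashlib.sha256(serial.encode()).hexdigest()

    def _token(self, serial, hw_id):
        msg = f"{serial}|{hw_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, customer):
        """Pre-generate a serial for one customer and register it."""
        serial = new_serial()
        self._issued[self._digest(serial)] = {"customer": customer, "hw_id": None}
        return serial

    def activate(self, serial, hw_id):
        rec = self._issued.get(self._digest(serial))
        if rec is None:
            return ("unknown_serial", None)
        if rec["hw_id"] is None:
            rec["hw_id"] = hw_id              # first activation binds the machine
        elif not hmac.compare_digest(rec["hw_id"].encode(), hw_id.encode()):
            # Second machine: refuse and contact the registered customer.
            self.review_queue.append((rec["customer"], hw_id))
            return ("already_activated", None)
        return ("ok", self._token(serial, hw_id))

    def sync(self, serial, hw_id, token):
        """Periodic check: the token must match this serial and this machine."""
        rec = self._issued.get(self._digest(serial))
        if rec is None or rec["hw_id"] != hw_id:
            return False
        return hmac.compare_digest(self._token(serial, hw_id), token)


if __name__ == "__main__":
    server = ActivationServer(b"constructed-signing-key")
    serial = server.issue("customer@example.test")   # constructed sample data
    print(server.activate(serial, "HW-A")[0])        # first machine
    print(server.activate(serial, "HW-B")[0])        # second machine is refused
```

Everything here is enforced by the server; the check compiled into the client remains the part that can be patched, as the replies in this thread point out.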
-
- Enthusiast
- Posts: 746
- Joined: Fri Jul 14, 2006 8:53 pm
- Location: Malta
- Contact:
btw thefool, I had missed out your post so I answer you now
To be honest, I DID find a solution to that problem (I think)
And I am using a known hacking technique...this time to my advantage.
Keep in mind my intention is to release it as a DLL which goes against the approach of integrated library. The idea is that a hacker will think it's easier to crack...but it's the opposite. I find this a flaw in many of the general protectors (execryptor for example). From my point of view, a hacker doesn't know anything of my techniques because I am trying to be original! And for sure this will buy time! And with time I will keep improving! (I suspect I will keep having bugs!!)
The only flaw I can see in my own approach is (and generally this is true with any security system) that an insider (either myself or the client) can give out a "key". That would create an opening. I have no reason to shoot myself in the leg. And I guess nor does the client! The "key" is a part of the template file.
cheers
KingLestat
Perhaps a good protection against cracking is creating the download dynamically. When a user pays, and registers, a program server side, opens the source file up, jumbles the code around (So it still compiles but the mem offsets are different) change the variable names and jump names to random ones, and add some encrypted (different method each time) and then compile, zip it up and put it up as a download for the paying customer.
The end result is that the program is different each time, so simply creating a keygen each time won't work, because it will use a different algo and salt each time, you can't create a patch to tell it to jump somewhere else when it hits the condition because the patcher won't be able to find the jump again cause it will be called something different and at a different address, so you would effectively have to recreate the patch per download
Good, bad idea, should I run and patent it now? hehe
-
- Enthusiast
- Posts: 229
- Joined: Wed May 14, 2003 3:38 pm
- Location: Lüneburg - Germany
kinglestat wrote: To answer a question...I use original and free software. On occasion I have used cracked software myself before buying. Nowadays really you can buy many reasonable software, and some free stuff much better than originals.
kinglestat: I take this as reply to my statement... but... this wasn't directed to you. It goes out to the *users* of anti-cracker- / protection- / registration-toolkits. In the Windows world, it is "common practice" to use cracked or pirated software. That's a fact that I've seen for more than 1 decade. And I bet, many software developers out there, trying to protect their hard work, are using pirated / cracked software, too. Sure, not here. The people here don't pirate software. Everyone paid for a Windows XP Professional license... heck... most just upgraded to Vista Ultimate...
Anyway, I wish you success for both projects!
My favorite numbers: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
-
- Enthusiast
- Posts: 746
- Joined: Fri Jul 14, 2006 8:53 pm
- Location: Malta
- Contact:
FloHimself: you were correct on both counts. I forgot to mention by nick. But the comment on pirated software was directed to you. And I agree with you on the statements and thanks.
tommeh: originally I thought about that and it is how I was going to do it. But then I ran into 2 problems: how to keep distributing updates? You all agree that one way to stay ahead is to keep introducing new features? If you have diff code for each customer how can you cope? And there is a second issue: Doing it with diff code per customer eliminates the possibility of creating a kind of demo (though to date I have no idea of what to demo) I'll ask you later about this!
thefool: I thought more on your comment and got another couple of ideas which would effectively negate any form of memory patchers. But my time is limited. The first release will not have these new ideas in them. It's a technique I had used 19 years ago...way before DLLs existed. THAT was when I was a good programmer *sigh*
another thing. The easiest way to attack and crack the protected software (using my system) is to attack the "client" code. I forgot to mention that. It will always be my recommendation never to rely on 1 protection system...I call this the ConC principle (Condom on Condom) as no 1 system is flawless. And it goes for me as well...and NO I have nothing against kids!
incidentally, consider execryptor for example. It doesn't offer online activation as 1 of its features as far as I know. But to use it, you NEED to activate it. Now THAT is something fishy for me. So you sell me security which you don't trust for yourself? I apologize I digress....
Finally some simple hints
Some maybe obvious, some not. But I haven't seen any posts mentioning them. So I thought to include them here.
You finish your code and want to make some simple security.
and This is ALWAYS a good idea! No need to worry about complicated stuff.
First of all, try to make data not so obvious
No need to use complicated encryption. Compressed or substitution routines work well
Secondly, no need to remove not used routines. And no need to remove reference to them!
Third, use more macros which re-use variables streamlined in your code
eg
i = 5
SomeMacroWhichWillNotAlterI ( i )
j = i * 7
Call your useless function prior to some useful macro
Make assignments as obscure as possible
Code: Select all
Define.l i, j, k, l
Define.s text.s = "text which looks like a cipher key"
Macro AssignFive ( var )
  i = Len ( text ) ; Here you can make your own version of len pref
                   ; as a macro and which does not necessarily return the
                   ; correct length!
  j = Sin (73) * Log (i)
  k = i % 17
  var = j + k
  If k
    j + 8
  Else
    j + 7
  EndIf
  var = j + k
EndMacro
;MyVar = 5
AssignFive ( j )
AssignFive ( MyVar )
Debug Str (MyVar)
you make 20 of such macros and put them close to where you want to hide code and you finish with thousands of extra machine code...which serves no purpose except to hide your steps. Important thing is NOT to post them on any forum so they stay unique to your code!
Good day
KingLestat
1) When I say change around the code, I mean like re-arranging the procedures, so you don't rewrite the code per user, it's more a case of just doing it so the variables have different addresses each time
2) You could either keep the details in a database of what was used for that customer, or you could just require the program to be redownloaded, unless it's a game with big graphics or sound files, this shouldn't be too much of a problem because the size of the file will be small.
You will not be able to patch the program to update it.. but that is the whole point, if you can't patch it, you can't create a patch and distribute it to everyone as it will only work on theirs.
-
- Enthusiast
- Posts: 746
- Joined: Fri Jul 14, 2006 8:53 pm
- Location: Malta
- Contact:
hmmmm.
I did think of making a kind of code organizer which just places random code blocks.
Maybe should be a feature in PB....random amount of data between datablocks for each compile
But can't really visualize what you are saying tommeh. The database part I understand though: essentially the db has the info needed to reconstitute that particular client's needs.
so demo would be generic, then when user registers he gets a custom dll. Seems sound. Thanks
KingLestat
-
- Enthusiast
- Posts: 665
- Joined: Fri Sep 12, 2003 10:40 pm
- Location: Tallahassee, Florida
I really hate to burst your bubble, but Paradox, ZWT and others have obliterated FlexM. And Softwrap, and Armadillo, and EXecryptor.
RELOADED routinely defeats Starforce, which sometimes does require activation online.
SND and TSRH will just tear you to pieces. ICU is pretty much unstoppable, and they have unpacked every packer that is known.
The ONLY real way to successfully MARGINALIZE cracking is to update frequently, and have the shareware sites you post on update your package.
Most warez sites link to your actual download page, and then post a rapidshare link to ONLY the keygen or crack.
Code: Select all
APP:
www.yourdomain\yourapp
CRACK:
www.rapishare.de\blabblahv1.0
But, if you update every week, a person finding these links a month later will end up downloading your UPDATED software, which of course will NOT accept serials from the keygen, or be able to be patched with the crack.
The best way is to have a multi-part serial
XXXX-XXXX-XXXX-XXXX-YYYY-YYYY-YYYY-ZZZZ-ZZZZ-ZZZZ-encrypted name-encrypted date of purchase.
in future updates, you can check the YYYY series, verify the name, etc. to accept legitimate keys, but reject ones from previous keygens.
Code: Select all
!.WHILE status != dwPassedOut
! Invoke AllocateDrink, dwBeerAmount
!MOV Mug, Beer
!Invoke Drink, Mug, dwBeerAmount
!.endw
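The multi-part serial from the post above, as an added example that is not the poster's code: each release embeds the check for only some parts, so a later release can reject serials that satisfy only what an earlier release verified. HMAC-SHA256 per part, the constructed secrets and the hex-encoded name and date (standing in for the post's "encrypted" fields) are assumptions.

```python
import hashlib
import hmac

PART_GROUPS = {"X": 4, "Y": 3, "Z": 3}   # groups of 4 chars, as in the post's layout

# Constructed secrets. The vendor keeps all three; a release embeds only some.
VENDOR_SECRETS = {"X": b"constructed-x", "Y": b"constructed-y", "Z": b"constructed-z"}
RELEASE_1 = {"X": VENDOR_SECRETS["X"]}                           # checks X only
RELEASE_2 = {"X": VENDOR_SECRETS["X"], "Y": VENDOR_SECRETS["Y"]}  # adds the Y check


def _part(secret, groups, name, purchased):
    """One serial part: a truncated MAC over the licensee name and date."""
    mac = hmac.new(secret, f"{name}|{purchased}".encode(), hashlib.sha256)
    digest = mac.hexdigest().upper()
    return [digest[i * 4:(i + 1) * 4] for i in range(groups)]


def make_serial(name, purchased, known_secrets):
    """Build a serial from whichever part secrets the caller holds."""
    fields = []
    for part, groups in PART_GROUPS.items():
        if part in known_secrets:
            fields += _part(known_secrets[part], groups, name, purchased)
        else:
            fields += ["0000"] * groups   # without the secret this is guesswork
    fields += [name.encode().hex(), purchased.encode().hex()]
    return "-".join(fields)


def verify(serial, shipped_secrets):
    """Check only the parts whose secrets this release ships."""
    fields = serial.split("-")
    if len(fields) != sum(PART_GROUPS.values()) + 2:
        return False
    try:
        name = bytes.fromhex(fields[-2]).decode()
        purchased = bytes.fromhex(fields[-1]).decode()
    except ValueError:                    # bad hex or bad UTF-8
        return False
    ok, pos = True, 0
    for part, groups in PART_GROUPS.items():
        got = "-".join(fields[pos:pos + groups])
        pos += groups
        if part in shipped_secrets:
            want = "-".join(_part(shipped_secrets[part], groups, name, purchased))
            ok &= hmac.compare_digest(got.encode(), want.encode())
    return ok


if __name__ == "__main__":
    # Constructed licensee data.
    vendor_serial = make_serial("Ada Example", "2007-03-01", VENDOR_SECRETS)
    x_only_serial = make_serial("Ada Example", "2007-03-01", RELEASE_1)
    for label, serial in (("vendor", vendor_serial), ("x-only", x_only_serial)):
        print(label, verify(serial, RELEASE_1), verify(serial, RELEASE_2))
```

The Z check is still held back after release 2, so the same step can be repeated in a later update without reissuing serials to paying customers.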