Protecting your software - A good aproche?

[reisve]

I've been reading allover about how to protect you apllications. I came up with a strategy to protect mine:

1.At compilation time the program creates a var with compilation date. This will became the program serial number
2.This var is converted to HEX
3.At installation time / first run, this Hex var along with the actual installation date (in HEX) are written to a not obvious Registry key with also not obvious value names
4.When the user runs the program, it checks if the days after the installation are within the trial period if any, or tif he program is registered
5.If the the program is over the trial period, the user is offered the option to register
6.The user is given a product ID
7.This product ID is (in my case): the HD serial number (not the volume serial number) converted to an MD5 string, plus the HEX compilation date referred before
8.The user then connects to a Web Server, call the vendor or send an e-mail, with this product ID and the user / company name
9.At the web server (a spreadsheet or a piece of paper) the compilation date is extracted from the product ID and recorded along with the product ID and user / company name
10.This information will form a string to be converted to MD5
11.This MD5 string, in a whole or just part of it (MID function is very useful here) is given to the user as the validation code
12.The process is repeated at the application and the result validation code compared with the one supplied by the user
13.The validation code is written in the registry in an obvious key with an also obvious value name.
14.Every time the program starts will check for this validation code.
15.If it exists, the program is registered. If not checks the installation date and trial period

It shure does not make it Hacker fullproof, but gives them an hard time to crack the application. An the aplication only runs in a computer. Does not run if it is not registered, and can only be registered once. If the user (in my case) replaces the HD, well, it will have to call you and give a good explanation for you to give him a new validation code

Hope this has any value for anyone

[Rook Zimbabwe]

Some hard drives (like mine) don't show a serial number unless you physically remove the HDD and look for one. There is no way to get it via software.

[Kukulkan]

Some hard drives (like mine) don't show a serial number unless you physically remove the HDD and look for one. There is no way to get it via software.

That is interesting! What type of harddrive is this? What is the result of this small program in case of such a drive?

Code: Select all

Procedure.s GetHarddiskID()
  ; returns the ID of the harddisk in HEX. 
  ; This id will not change even if the disk gets formated...
  lpRootPathName.s = Left(GetCurrentDirectory(), 3) ; "c:\"
  pVolumeNameBuffer.s = Space(256)
  lpFileSystemNameBuffer.s = Space(256)
  
  Result=GetVolumeInformation_(lpRootPathName.s, pVolumeNameBuffer.s, 256, @lpVolumeSerialNumber.l, @lpMaximumComponentLength.l, @lpFileSystemFlags.l, lpFileSystemNameBuffer.s, 256)
  id.s = Hex(lpVolumeSerialNumber.l) ; here is the ID of the HD
  
  ProcedureReturn id.s
EndProcedure

Debug GetHarddiskID()

Kukulkan

[pdwyer]

Wonder what happens when you run this on a virtual machine? Or even better, a redirected drive like the "C:\" in a citrix session

Something to test

[c4s]

Just what i thought right now:

3.At installation time / first run, this Hex var along with the actual installation date (in HEX) are written to a not obvious Registry key with also not obvious value names

There are (many) tools that display which program does what to the registry..

4.When the user runs the program, it checks if the days after the installation are within the trial period if any, or tif he program is registered

..and what the program is reading.

5.If the the program is over the trial period, the user is offered the option to register

And the good old trick with changing the system date for the runtime?

12.The process is repeated at the application and the result validation code compared with the one supplied by the user

Maybe the part all hackers are waiting for.

If the user (in my case) replaces the HD, well, it will have to call you and give a good explanation for you to give him a new validation code.

Good explanation.."I changed my hd to a newer one" - "Ok, here is the
new code!".

As you already wrote..
If someone want to crack it, it's - as always - possible!

[PB]

Hi, my thoughts on your plans:

> 3.At installation time / first run, this Hex var along with the actual
> installation date (in HEX) are written to a not obvious Registry key
> with also not obvious value names

Doesn't matter how obvious they are, because they are instantly found
with an app like RegMon or RegShot. Same with files on the hard drive.
You can't hide anything, trust me.

But if you want to do that, how will you check the date of installation?
The user might set their PC to the year 2039, and install your app then,
so the trial period doesn't expire for another 31 years.

> 7.This product ID is (in my case): the HD serial number (not the
> volume serial number)

What happens if they install to a 4 GB flash disk?

> 14.Every time the program starts will check for this validation code.
> 15.If it exists, the program is registered. If not checks the installation
> date and trial period

Unless they install it with ThinApp or Sandboxie, whereupon they just
delete the sandbox and restart the trial period again. And again.

> If the user (in my case) replaces the HD, well, it will have to call you
> and give a good explanation for you to give him a new validation code

Not fair. Don't force your customers to justify anything. It's treating them
as thieves. Have some sort of license transfer scheme in place; plenty of
apps do that without annoying the user.

[pdwyer]

Not fair. Don't force your customers to justify anything. It's treating them
as thieves. Have some sort of license transfer scheme in place; plenty of
apps do that without annoying the user.

I thought you were pro DRM

[PB]

> I thought you were pro DRM

What? I hate DRM! I've never defended it. What made you think so?

[pdwyer]

oops

Sorry, I thought you were a "anything goes in the persuit of preventing piracy" type. My mistake

[PB]

If I came across like that in one of my posts, then you were mistaken.
I'm all for protecting software, but not via DRM and locking down to a
single PC.

[Rook Zimbabwe]

I am also anti-DRM (Draconian Rights for Morons!) but FOR protecting software.

I did a Screen Saver for a buddy that works at Coca Cola...

The IT guys copied it and have passed it around like the clap... I was going to charge them for it, but now??? I can't even get them to remove it.

[PB]

> The IT guys copied it and have passed it around like the clap

[pdwyer]

Opportunity there Rook!

Time for CC.scr v2 !

Seems free but expires in 6 months, by that time v1 should have been cleared out of their systems

Then CC.scr v2.1 they can buy



Or you could be nicer to them a give them v2 but pops little ads for prodcuts you sell but keeps working

[case]

give them a nice free brand new screensaver with the cc logo on a nice can rotating spining etc... then after 6 month change the logo with the pepsi one

XD

[devski]

one way to improve a crackers skill is to give them something new to work on. if they initially dont know anything about hard disk serials, i bet they would knows tons after tying to crack this program