Kript-On Beta Released

srod · Post by **srod** » Fri Sep 21, 2007 2:18 pm

Hi,

must admit that I'm new to these kind of applications; as attractive as they nevertheless seem.

You keep mentioning how this can help beat the hackers and crackers etc. but as I see it any application using this system of yours will require a routine (presumably the dll) to check your server for valid keys etc. If none is found then the application will not run fully registered etc.

What's to stop the hackers and crackers from simply bypassing the code used to check the server etc?

Sorry if I'm being a little dense here

but I'm struggling to see how this gives extra protection for my applications!

kinglestat · Post by **kinglestat** » Fri Sep 21, 2007 4:16 pm

srod: not at all. It is a very good question.

First of all I recommend the use of some form of code virtualizer and/or packer. I think I mention this on the site. Adding a good packer (ExeCryptor, Oreans Themilda, Armadillo etc) + Kript-On gives you the best of both worlds as Kript-On fills out what most of these apps lack.

But the most powerful anti cracking is by using "easter eggs"

The only way an attacker can defeat your program is debugging and reverse engineering...with testing. You have the ability to change user data online, so you can insert snippets in your code to monitor future dates for particular user data...which if not present...you know you have been fibbed. Since this data will only be changed AFTER you release your program, a hacker cannot test.

Lets take a sample algorithim

1. Start app
2. Check if activated
3. OK its activated letc continue
4. Accounting Package active

Attacker would make sure that 2 always returns activated

With kript-on we can do the following

1. Start app
2. Check if activated
3. OK its activated letc continue
4. Accounting Package active
5. ->when printing an invoice get userdata from kript-on
6. ->Its march 2008...userdata should have "mar2008" in it
7. ->userdata has "dec2007" in it abort

Attaker can defeat 2. again and program will keep working
till March

Obviously you will need to make sure that 1st march of 2008 you log on site and update userdata for that customer

srod · Post by **srod** » Fri Sep 21, 2007 5:10 pm

Hi, thanks for the answer; I'm beginning to understand, although still in need of a little more convincing!

(Still being dense I'm afraid!)

I can appreciate what you're saying about these 'time delayed' Easter eggs, but at the end of the day they are still reliant upon snippets of code resident within the client application; all of which can be got at with a hex editor by my old friend Ned Nerd. Still I can see that it does add another layer of security and one which Ned Nerd may not be looking for because of the time delay feature.

How secure is such a system on the server side? I mean would it be possible for Ned Nerd to purchase (or implant) a rogue set of keys on the server which basically allow cracked versions of the application to run derestricted?

Thanks again for your explanations.

kinglestat · Post by **kinglestat** » Fri Sep 21, 2007 7:38 pm

bring it on

To your first question:

When you protect your app, kripton encodes a checksum of your app plus up to 9 other files if you wish. These will be monitored and that code is inside the Kripton DLL. Kripton also checks itself to see if its being debugged, alterred etc. Also, Kript-On monitors to check if an application tries to patch in-memory, so if somebody hex edits your app or tries to patch it in memory kript-on will abort. So hacker has the crack the kripton.dll AND your application and if you have easter eggs he has to find them as well.
It can get even more complex, but I think its a good summary. Now, if you added some other patcher into the story, Mr Nerd has to untagle all that. Its not something which can be done quickly or easily.

To your server question.

It is very simple really. Billing and Serial data have to match (if you bought 100 keys, then you paid for 100 keys), and billing is not an online server, and not even in the same building. Daily the serial count is matched, if there is a mismatch the account is disabled. This would automatically disable all serials by that account, so if he had "sold" any apps they would revert to demo mode. I'm not sure how they can add serials....as even the comms between Kript-on and server uses an innovative protection scheme to protect against man-in-the-middle attacks and spoofs. I cant see it happen, provided attacker doesnt have insider help. But if you have any ideas, I would sure like to hear them!

There is also the issue of serial numbers. Unlike other software products where a generator is used, and thus it is possible for our friend Nerd to make a similar generator, in Kript-On case a unique tag is added, in a a master set of 2000. So it is not possible to make a generator for kript-on. Only brute force try. If a developer makes a mistake, and for some reason "looses" a batch, we can invalidate that batch of 2000. The other batches have a different "masterkey" and are safe.

I do realize skepticism is unavoidable towards a new product. I have tried not to reinvent the wheel, and I believe this is the next step in anti-piracy. using multiple level of security, with remote update functionalities. But teh idea why I would prefer to push it as a portal rarther then sell server versions is that I need to keep making adding other security measures.

Brice Manuel · Post by **Brice Manuel** » Fri Sep 21, 2007 7:48 pm

This all sounds great, but I mainly use EBASIC & Aurora. Will your product support non-PureBasic languages?

I am still confused as to how much your product will cost us

srod · Post by **srod** » Fri Sep 21, 2007 7:52 pm

Now I'm impressed.

I wouldn't say it's scepticism as much as a lack of understanding!

I must admit that I was a little unclear from your website what exactly Kripton did; how it worked and, to be honest, what it offered me as a developer etc? I understand a lot more now and, in principal at least, would certainly be willing to consider buying into such a system.

Food for thought indeed.

Thanks.

kinglestat · Post by **kinglestat** » Fri Sep 21, 2007 7:55 pm

its a DLL can be used with any language
has been tested with PB and being tested with MS C++

price for few keys < 100 around $5 per key
more around $3 per key

kinglestat · Post by **kinglestat** » Fri Sep 21, 2007 8:14 pm

srod: Unfortunately many people have commented about that. We changed the text already several times. But its not easy to understand, and not easy to explain. Unfortunately from my experience, developers either are too skeptic to protect their apps, or dont care - so there isnt much "education" about it. Finally there are so many ways an application can be attacked that a developer can hardly be blamed to protect against all of them. But my formula is the following

1) Serial Number (we start from here)
2) Serial number can be cloned or copied
3) Encode user and hardware details
4) We need a serial number generator
5) ->if sombody makes a similar generator?
6) ->then we need to compare it with an online database
7) -->ah, but they can patch my exe

-->then we need to verify checksum frequently
9) --->still somebody can get around this somehow
10)--->then we try to add another virtualizer/patcher to my exe
11)---->but this attacker is a genius
12)---->Then we need to add some time delay factor with an external input

ricardo · Post by **ricardo** » Fri Sep 21, 2007 11:24 pm

kinglestat wrote:I am a bit surprised by the lack of interest towards this product.
Are there possibly no comments from the PB community?

Maybe because using a dll is not much secure. A lib could be much more interesting i guess.

mskuma · Post by **mskuma** » Fri Sep 21, 2007 11:38 pm

kinglestat wrote:I am a bit surprised by the lack of interest towards this product.
Are there possibly no comments from the PB community?

Now the details are starting to filter through, I think you'll have a better chance. For me personally, I found the inconsistency I pointed out earlier to be disconcerting, because with a tool like this, you're inherently seeking level of trust and faith in the developer community. Good luck with your product.

DoubleDutch · Post by **DoubleDutch** » Sat Sep 22, 2007 7:46 am

The problem with all these systems is that they are a standard system. Once they are popular and included in an application that people REALLY want, they are cracked. I don't care what anyone says, imho it's crazy to go with a bought system. Virtually all of these systems say they are hack proof, etc. total rubbish! Nothing is unhackable, it's just a matter of how persistant people are to make a crack. Even if the system has anti-debug protection (usually fairly easy to bypass, if it isn't then if it can run on virtualpc then you have other debug methods that cannot be detected).

EG Adobe have a good/great protection system, but it's standard across all the apps and gets cracked on day of release!

99% of people out there do not know anyone who can get pirate stuff. If it's good they will buy it.

Don't get obsessed by the 1% who use a copy. They would never buy your product anyhow! If you really want to protect your system then what you could do is put your own CUSTOM protection in there, have multiple checks and don't change the version number if you just change the protection. Also check the home folder for files that shouldn't be there (usually a patch!).

mskuma · Post by **mskuma** » Sat Sep 22, 2007 7:58 am

I agree - perhaps if kinglestat wants to put out a challenge to the people here to crack it, and it proves difficult, it would be a good selling point.

kinglestat · Post by **kinglestat** » Sat Sep 22, 2007 9:39 am

Well, I'm in it for the long haul and I guess time will tell.
There is negativism for any software created but hey you cant win them all! I personally think that innovation and common sense defeats attackers (not just in software).

DoubleDutch:

re adobe if you notice most of the attacks are to their offline activation - due to key generators

re kript-on: I'm afraid you miss the most important point
kript-on doesnt ONLY give security
It give the ability to unlock certain features of program remotely with its userdata feature, and in release will give info about crashes or failures to developers. To my knowledge only Microsoft does this, but now will be available to everybody.

You can bundle multiple software or features in your software. Then enable them remotely for client to try...then disable again...again remotely.

This is safer than having full-feature keys - which has been the standard way of unlocking features as you can target a particular client...and you can be sure that the serials you distribute do not unlock your other product features without your knowledge.

DoubleDutch · Post by **DoubleDutch** » Sat Sep 22, 2007 10:34 am

re adobe if you notice most of the attacks are to their offline activation - due to key generators

True, but that was just an example. If it can be executed, it can be hacked. The ultimate protection would therefore take execution off the users machine, just use the users machine as a client. This is the approach use by games such as Eve, etc where there is no piracy at all.

kinglestat · Post by **kinglestat** » Sat Sep 22, 2007 6:55 pm

yes. a very good point DoubleDutch.

But unfortunately in many companies internet is firewalled or controlled. So there is no guarantee your software would work without an internet connection; what happens to travelling people with laptops?

Then there is the effect of Denial of Service attacks....considering that attackers manage to down Yahoo or eBay (companies with very huge resources) imagine what they can do to smaller operations.

That is why I opted for the middle ground....with best of both worlds.