The problem with all protection systems is that the program need to be able to verify itself, or able to decrypt itself or parts of it self.
Or as mentioned, modify itself.
It's strength is also it's weakness. The method to decrypt etc. is THERE,
in the software. all a cracker need to do is bypass or reverse engineer it.
Or trick it or emulate it.
The systems that truly work well (and is insanely hard to crack/circumvent)
are usually so sluggish (due to all the security/encryption stuff).
They are unstable (anything remotely suspicious can trigger them).
If they tied into the hardware you might end up with a headache each time you change hardware. Or want to use it on your laptop etc.
At the top of my head the only truly secure method against cracking in any form,
is remote applications.
I.e. you login remotely and run the program on a secure server,
the program is never ever run on your system,
nor can it be "downloaded".
Obviously, hardly anyone would use such software, it's way to inconvenient.
As I said earlier, good protection is a lot of work and expensive.
And not really worth the effort (in my eyes).
So my method/idea described in a post above somewhere plus a standard
entering of the serial into the program.
(the program won't really do anything fancy with it, just for update checks
and thinks like that, i.e the app won't poke the net without the user having allowed it first.
(i.e manual or automatic updates etc)
The application serial + user login & pass would be enough.
The server/database would after the user login/authenticate,
check that the serial is valid/registered, and then allow the update.
Fake serials won't work as I said earlier, there only exist as many application serials as there are buyers of that application.
The serials won't be anything fancy either,
just a serial/product id. Maybe like:
00000001-20050225-00000001
In this example, the first is a 32bit hex indication of what application it is, (product id)
then the date the serial/app was registered or bought.
(in this case year month day)
and finaly the "serial"
This example serial is very simple, it basically allows the server to see that
this is product 1, bought on the 25th February 2005, and that this serial was the 1st one bought on that day.
The database also has this cross-referenced to user 0000000001 or something.
There is no way to fake these serials as they are made at buy time only.
(confirmed purchase) and is only used as a proof of purchase in the database.
The program will pass along the serial each time a update is done,
along with the user login and pass. (just like when you update PureBasic for example).
Most likely a lot of crackers will try to disable the entering for a serial.
Which is pointless as the software doesn't really check it at all
Other crackers may disable the updating.
Which kinda is silly (except for ensuring they don't accidentaly get "caught" when trying to update
Most likely (and really the only way to "crack" this) is that somebody
who IS a original byer and registered user pass around HIS copy.
Some of you might think. "OOh, we could make custom versions with a embed/secret tracking id"
Yeah you could, but most likely crackers etc would catch on to that quickly and just hack that part of the software replacing it with some fake id instead. so instead of catching the "bad" users you will only be able to follow the migration of it around the net instead.
Also, if crackers does make a keygen that on accident happen to match
a real serial. it is very easy to catch that.
First of all, the ones using the fake id (if it happens to match at all that is)
won't be able to do updates or get extra content since they have no user account at all.
Even if they did have a user account, the database/server knows that THEY aren't the rightful owner of the serial,
and will raise a warning flag localy, and also BAN that ip semi-temporarily.
And make sure the person knows that he/she has been "caught" as well,
and their account would be disabled along with all their serials if any.
The thing is, you could sell full boxed versions.
And also have a super simple variation available for download.
But once a serial has been bought the user can just use the updater
and get the full app and all extras.
I mean checking the keys -validating- server-side, not client-side, what about that.
