Cracking methods and how to stop them

Post by AndyMK »

I know this has been brought up many times in the past and there is no bulletproof method to stop your app getting hacked, but can anyone here explain in moderation the process they use to crack your app? Imagine the scenario:

1. You have a launcher app that connects to a server. The server authenticates you as a valid user and sends you an encrypted version of the application EXE.
The EXE is stored in memory on the client PC, never touches the hard drive. The EXE is then decrypted to another memory location and RunPE from there. Obviously, the EXE is now in its normal form in memory. Can the hacker dump the EXE to the hard drive? Is there anything the launcher app can do to monitor if the EXE is being dumped? Would they just have to hack the launcher to stop that also? Basically, what can we do to make things very difficult for them?

Post by Mr Coder »

AndyMK wrote: You have a launcher app that connects to a server. The server authenticates you as a valid user
That's what they'll crack: the launcher app, so that the server sees you as a valid user.

You can do all sorts of remote checks and authentication, but they'll just crack the local exe so the server thinks nothing is wrong, and the local app will receive the full exe as a result.

Also, don't forget not all users are connected 24/7 to the net either, which alienates them from using your app.

Post by AndyMK »

The App is internet based so connecting to the server to use it shouldn't be a problem. What if I was to make the server check for simultaneous logins with the same user name/password? The thing I am most worried about is the hacker making the app work without a connection to the server.

Post by DoubleDutch »

Just make your app work well and don't go too expensive and then forget about the piracy - you won't be able to stop it anyhow.

Focus more on marketing, rather than protection. A month marketing your program will make you more sales than a month improving the protection.

Don't forget that most people out there don't know that sometimes they don't have to buy programs and will buy if they like it, so if it's a good app then don't worry as you will get lots of sales from proper users.

I would however at least just put something simple in there like a licence key assigned to an address or email address to just discourage rampant piracy.

Post by Rescator »

Listen to DoubleDutch, that is the right attitude.
Because you see Andy, what you are talking/asking about is exactly what Ubisoft did with Assassin's Creed 2, and failed.
Their "always on" internet based savegame storage and exe "module download while you play" has been cracked.
Heck, normal users actually managed to circumvent things partially even before the cracker scene.

Basically, if it can run on the user's system, then it can be cracked.
The question is what do you do...?
1. Do you make things horribly inconvenient for the user or do you make it comfortable for the user?
2. Or do you make things inconvenient for the cracker or easy for the cracker?

If you even considered 2 then you've already lost.
As #1 is the only thing that matters! Why? Because "they" are your customers. Ubisoft forgot that, and EA got burned badly previously too.

Myself, I've always believed in the core principles of original capitalism...
A. Lower prices and more people will buy, as more people buy the production is cheaper and can lower the prices even more.
B. Treat customers well and they will be happy and most likely return, treat them really well and they will be fiercely loyal to your brand.

I think everyone here can agree that Fred really nailed B. here :P
And he's handled A. damn well too, despite inflation the price for PureBasic has remained pretty cheap over the years.

Post by case »

I don't buy Ubi games anymore while they keep this protection scheme. This includes console games as well; they don't protect them this way, but I will not support any company taking customers hostage. Also thinking of the future, how will you play the games when they stop the servers?

Also, for your example, if you stop any activity, because of bankruptcy for example (well, hope this doesn't happen), if you've got server based auth, people that bought from you can't use the software they paid for anymore.. pretty annoying imho...

Post by AndyMK »

Ok guys, I get the message now :) Thanks for the replies.

Post by PureLeo »

how will you play the games when they stop the servers?
This is what makes me think twice about many games/apps.. I don't like the idea that maybe, but probably, someday I won't be able to play/use the program.

Post by Blue Steel »

On the other side of the coin though.. if you write a great game or app and the warez pirates get wind of it without any protection your product will be out there for about 1 hour till it's available everywhere. And there's a lot of warez sites / methods out there to suck away any decent income. There are always other sides to the coin. Sometimes more than 2.

0. Make it freeware and not worry about the money

1. write great software and make donation ware (not very good as most don't donate or anything when they already have the product)

2. encrypt/protect your software to the max and alienate some potential users, but those that really need or want it will pay for it. those that don't pay might not have purchased your product anyway. and then you attract the hackers trying to prove their skills

3. like stated above , marketing instead of protecting .. this can be expensive. and ongoing. those that get it from warez and pirates probably weren't going to pay anyway

4. write cut down demo ware and release that and say pay me for full product. If your product is good enough and does what the end user needs then they'll pay. if they don't then they wouldn't have paid anyway. also they'll be less likely to distribute your product because they've had to pay for it. But then they don't get to see your full product until they've paid and you may lose some sales because they didn't see some of the features

5. write crappy software that you might get some buyers for and that pirates may think it's not worthwhile cracking (unlikely though.. and who wants to write crappy software anyway..)

and many more variations all with pros and cons.

no one knows the best way. because there isn't one. it depends on your situation , your market, (everyone, large, medium, small, limited market). If there was a best way then everyone would be using it. and the originator could make heaps out of marketing that way of distribution , until the clones (clowns) get in on the act as well.

Ask yourself a couple of questions.
. can you live without this software
. how much will this product improve your end line. ie: speed , cost , reliability, fun, etc
. what competing products are out there and how do they compare to yours
. how much do your competitors' products cost (money and inconveniences .. eg: protection, stuffing around registering etc)
. would you pay for this product
. how much would you pay for this software

ask your testers what they think. (what no testers .. then you're only going off your own opinion.. that's only 1 person)

It doesn't matter how much work,time,love,blood,sweat,tears,money you've put into it. because the end user doesn't know or care. they only care what the product is going to do for them.

generally most sales are generated in the first term of the life of the product (generally in the first 3 to 6 months if you're lucky)

Online services / products have their place and can get a great market share. it's easier to regulate pirated stuff if you're charging ongoing fees to access. but in my opinion they'll never fully replace the purchased product (well i hope not anyway)

hope this has helped.. either by answering some questions or maybe even posed more that you haven't thought of.

Post by SFSxOI »

All ur codz are belongz to uz :)

Seriously; You could lock the software use to a specific user/computer using a hash system which consists of a combination of file hash (to make sure the file is not altered) and computer hardware hash combined with the IP address. This requires you to set up a system on the web that reads and compares the hash each use which means communication across the internet, and coding in something that tells the user the hash has changed and they will need to contact you for a "hash reset" at which time you challenge them to verify their identity and licensing status. If the IP address changes the hash changes requiring a "hash reset" and if the IP appears in a different domain and geographic location it's also a clue that the person is using a pirated version and you simply do not perform a "hash reset" so the software doesn't work. If the file is altered by cracks or direct reversing in some way the hash changes and the software doesn't work. It is a lot of trouble at times though, especially if the user changes some hardware like plugging in a USB device or something.

The hash reset system needs to be able to read the hardware in the computer also, so your software will need to send a hardware list each time along with hardware serial numbers. This is so you can verify the user is a legit user by use of key identifying hardware information such as the motherboard serial number. Say for example you had a user change out all his/her hard drives and move to a different ISP, now they have different hardware and a different IP address in a different domain, but the motherboard serial number is still the same, so based on the motherboard serial number (because it's highly unlikely another motherboard with the same serial number will exist for someone who has pirated your software and is trying to use it in another country) you could authenticate the user as legit and do a hash reset and their software will work again. If the user gets a brand new computer of course everything is going to be different, but the IP may still be the same, but in the case of new computers you simply charge a small "new computer" fee for the hash reset which discourages a pirate from using the software because they hate to pay for anything (it's why they got a pirated version to begin with so they would not have to pay for the software).

The main problem in using the hash system is time and money. If the software costs $10.00 and you have for example 100 users, is it worth your time to do hash resets or be available for hash resets on a timely basis when needed? After all, you do need to be available to "service" your customers (no pun intended) in such a system. On the other hand, if the software costs $300.00 and you have 100 users then it might be worth the time to spend doing hash resets when needed. Keep in mind also that hash resets will probably not be that frequent, but in a system like this you're probably going to have those users who are constantly plugging in things and unplugging them so you're going to get requests from them more frequently. To solve the "frequent user hash reset" issue you simply put a limit on the number of free resets then after that charge a small fee, but that depends on the cost of the software also because if it costs $10.00 then a reset fee is warranted, but if it costs $1000.00 then it might not be warranted because after all for $1000.00 people expect a full package and expect things to work when they use them so expedient fast free resets included is probably better than charging for them for simply plugging in some frequently.
Last edited by SFSxOI on Sun May 09, 2010 11:03 am, edited 1 time in total.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
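
The checks described in the post above (file hash, hardware hash, network location, and a reset keyed on the motherboard serial), sketched as a server-side decision function. This is an added example, not code from the post or from any forum member; it also includes the subnet comparison raised later in the thread. The names `Binding`, `enrol` and `check_in`, the /24 subnet width and all sample values are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """What the licence server stores when a copy is first activated."""
    file_hash: str      # SHA-256 of the shipped executable
    board_serial: str   # motherboard serial: the stable anchor for resets
    hw_hash: str        # hash over the whole reported hardware list
    network: object     # subnet the activation came from


def hw_fingerprint(components):
    """Hash the hardware list in sorted order so key order cannot change it."""
    canon = "\n".join(f"{k}={components[k]}" for k in sorted(components))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def enrol(file_hash, components, ip, prefix=24):
    # prefix=24 is an assumed subnet width; the thread does not give one.
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return Binding(file_hash, components["board"], hw_fingerprint(components), net)


def check_in(binding, file_hash, components, ip):
    """Return 'run', 'reset', 'review' or 'deny' for one client check-in.

    Every input is reported by the client, so this only raises the bar
    against casual copying; a patched client can replay enrolled values.
    """
    if file_hash != binding.file_hash:
        return "deny"      # executable no longer matches the shipped build
    if components.get("board") != binding.board_serial:
        return "review"    # new machine or copied licence: verify identity
    if hw_fingerprint(components) != binding.hw_hash:
        return "reset"     # same board, other parts changed: re-bind
    if ipaddress.ip_address(ip) not in binding.network:
        return "reset"     # same hardware, different network: re-bind
    return "run"           # dynamic address inside the enrolled subnet


def demo():
    """Constructed sample data (documentation IP ranges, made-up serials)."""
    build = hashlib.sha256(b"constructed executable bytes").hexdigest()
    pc = {"board": "MB-EXAMPLE-0001", "disk0": "DSK-EXAMPLE-A", "nic": "00:00:5e:00:53:01"}
    b = enrol(build, pc, "203.0.113.20")
    return {
        "dynamic_ip": check_in(b, build, pc, "203.0.113.77"),
        "new_disk": check_in(b, build, {**pc, "disk0": "DSK-EXAMPLE-B"}, "203.0.113.20"),
        "moved_isp": check_in(b, build, pc, "198.51.100.9"),
        "other_board": check_in(b, build, {**pc, "board": "MB-EXAMPLE-0002"}, "198.51.100.9"),
        "patched_exe": check_in(b, "0" * 64, pc, "203.0.113.20"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:12s} {decision}")
```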

Post by klaver »

SFSxOI wrote:[...] If the IP address changes the hash changes requiring a "hash reset" [...]
[...] If the user gets a brand new computer of course everything is going to be different, but the IP may still be the same [...]
My IP changes about 2 times a day. Ever heard of dynamic IP address?

Post by SFSxOI »

klaver wrote:
SFSxOI wrote:[...] If the IP address changes the hash changes requiring a "hash reset" [...]
[...] If the user gets a brand new computer of course everything is going to be different, but the IP may still be the same [...]
My IP changes about 2 times a day. Ever heard of dynamic IP address?
Sure I have, but it probably stays in the same domain in the same geographic area, and probably in the same general IP subnet range, and most key identification items with hardware haven't changed so a hash reset could be performed if needed. Some hash reset systems also have the capability to include that possibility of changing IP address by including a check for IP subnet instead of specific IP to keep the software running if all the hardware matches. Your situation is not a problem and could be accommodated. It's not a problem for most because over 80% of internet users today have the same IP address for a while.

Why would your IP change twice a day or more anyway? You on some type of dial up? Or wireless or what?

Post by c4s »

SFSxOI wrote:Why would your IP change twice a day or more anyway? You on some type of dial up? Or wireless or what?
PC off, PC on -> New IP. I think that's common for most users.

Post by SFSxOI »

c4s wrote:
SFSxOI wrote:Why would your IP change twice a day or more anyway? You on some type of dial up? Or wireless or what?
PC off, PC on -> New IP. I think that's common for most users.
Actually it's not that common. Most people nowadays are on some type of broadband system that assigns IPs based upon the computer interface MAC address (a NIC card for example) (cable, dsl, even wireless to a large extent) so it doesn't matter if the computer is on or off as long as the interface MAC doesn't change. For example, here in the U.S. on cable systems the IP stays the same regardless of computer status because the computer MAC doesn't change unless the user has specifically changed it. And I know also from my own work with European ISPs that their systems in most cases also do the same thing. This is why a change in MAC address changes the IP address, if I change my NIC MAC address I get a new IP address, most people don't change their MAC address anyway (or even have a clue how to change their MAC address and could really care less about changing their MAC address). Besides, the IP thing doesn't have to be used in the system because the hardware verification could suffice, however, if it is used then the subnet method could be used to check because if the IP does change it's a good chance it's in the same subnet, and at the very least a verification of the ISP could be performed as most IP addresses will resolve to include the ISP name in some way like 75.xx.xx.xx = [ c-75-xx-xx-xx.hsd1.tn.comcast.net ] where 'hsd1.tn.comcast.net' says it's still in the same domain in the same hub (or subnet) with the same ISP.

But....the IP thing doesn't need to be used, it's an additional check.

If the person uses the software on two different computers, like a laptop with wireless to one ISP and a home computer with another ISP, they simply purchase two separate licenses - one for each computer.

Post by Trond »

SFSxOI wrote:All ur codz are belongz to uz :)

Seriously; You could lock the software use to a specific user/computer using a hash system which consists of a combination of file hash (to make sure the file is not altered) and computer hardware hash combined with the IP address. This requires you to set up a system on the web that reads and compares the hash each use which means communication across the internet, and coding in something that tells the user the hash has changed and they will need to contact you for a "hash reset" at which time you challenge them to verify their identity and licensing status. If the IP address changes the hash changes requiring a "hash reset" and if the IP appears in a different domain and geographic location it's also a clue that the person is using a pirated version and you simply do not perform a "hash reset" so the software doesn't work.
Wow. So not only will your software cease working if you bring your laptop to somewhere else than your own home, you also can't take the software with you when you move. Or if you upgrade your computer. Or buy a new computer.

And in reality, such a system will be cracked like any other system, by obtaining the full executable code (at some point it has to be on the user's computer) and disabling the check for server contact.
If the person uses the software on two different computers, like a laptop with wireless to one ISP and a home computer with another ISP, they simply purchase two separate licenses - one for each computer.
This is exactly the kind of policy which causes people to pirate software in the first place.