Piracy - Combating jack sparrow & evil forces

[minimy]

The protection of our software is an important chapter. I think.
I will say that I believe in free software , but only if it is free. Linux +1, Gimp +1
I'm trying to find the best method to do this.
I would like to open this topic with your help.

My personal system is make bad software. so nobody wants. But i think this not work for every body.

How to protect comercial software?
What is the best protection for our soft?
Device ID?
Windows registry?
A little terminator (T1000 or +) hide in code, ready to kill anybody?
it is possible to put a terminator in the code ?

any suggestions?

[ts-soft]

Let the user register the software per e-mail. With the code, show the e-mail or name in the registered program!

It is not sure, but should help.

[em_uk]

Get a server to allow updates. If you see more than one copy checking for updates with the same hash start secretly deleting windows files.

Harsh, but you have to teach them a lesson.

[idle]

There's no sure way to add protection to software and the more you try, just increases the risk of annoying your softwares users
You can easily generate a unique license file for a user on a server and add results for multiple tests, locking it to a specific user or machine
though it'd be still be fairly trivial to patch the test points in the exe to circumvent them.

Something like this maybe?

Code: Select all

;on server 
Procedure hidekey(MasterKey.s,publicKey.s,privateKey.s) 
  Protected result.q,MasterPublic.s
  
  fn = OpenFile(#PB_Any,"randomfile.dat")
  If fn
    For a = 0 To 2048
        WriteByte(fn,Random(42)+48)
    Next
   For a = 1 To Len(MasterKey)
       MasterPublic + Chr(PeekC(@MasterKey+a) ! PeekC(@publicKey+a))    
   Next 
    
    For a = 1 To Len(MasterKey)
      result = CRC32Fingerprint(@MasterPublic,Len(MasterKey),result) & $FFFFFF
      result % 2048
      FileSeek(fn,result)
      byte = Asc(Mid(privatekey,a,1))
      WriteByte(fn,byte)
    Next
    ;add aes encypted data block using the users private key containing results of fingerprints ... 
    
    CloseFile(fn)
EndIf   
EndProcedure     

;in client 
Procedure.s GetKey(MasterKey.s,publicKey.s)
  Protected key.s,result.q,MasterPublic.s
   
  fn = OpenFile(#PB_Any,"randomfile.dat")
  For a = 1 To Len(MasterKey)
      MasterPublic + Chr(PeekC(@MasterKey+a) ! PeekC(@publicKey+a))    
  Next 
    
  If fn
    For a = 1 To Len(MasterKey)
      result = CRC32Fingerprint(@MasterPublic,Len(MasterKey),result) & $FFFFFF
      result % 2048
      FileSeek(fn,result)
      key + Chr(ReadByte(fn))
  Next
  CloseFile(fn)
EndIf   

ProcedureReturn key
   
EndProcedure 

Define SharedKey.s,DecryptionKey.s,PublicKey.s
Global dump.s=Space(2048)

;On first run of program, it regsiters the user sending to the server the users data and fingerprints 
;Server generates a random license file for the user to use the application 
;appends the encrpyted data block to the license file with specific test results, could be hardware fingerprints
;to tie the license file to a specific machine or user 

SharedKey = MD5Fingerprint(@"TheSharedKey",12)  ;A shared key in the exe and used on server  
DecryptionKey = MD5Fingerprint(@"DecryptionKey",13)  ;A user specific decryption key to an encypted data block   
PublicKey = MD5Fingerprint(@"bob@billbob.com",15) ;The resistered users key sent back to the user 
hidekey(SharedKey,PublicKey,DecryptionKey) ;Generate the license file hides the decryption key 
;Server returns the PublicKey, RandomFile with appended encrpyted data block, saves them in the application data dir     

fn = OpenFile(#PB_Any,"randomfile.dat")
ReadData(fn,@dump,2048)
Debug dump
CloseFile(fn)
Debug "---------------------------------------------------"

;client gets the decyption key from the publickey  
Debug getkey(SharedKey,PublicKey)
Debug DecryptionKey    
;decrypts the data block used for multiple validation tests while running the exe     

[firsttimer]

Get a server to allow updates. If you see more than one copy checking for updates with the same hash start secretly deleting windows files.

Harsh, but you have to teach them a lesson.

Lucky, I'm not nasty enough, if not I would wipe off their hard disk instead.

Anyway, I'm the lazy type, so normally I would try to lock the program to one hardware id instead, but the hardware id is not OS dependent(for windows, in case they reformat/hard disk die/crash...) I usually lock it to one hardware, it's either mainboard or hard disk serial number.

Currently, I'm interested in locking the mainboard serial number(I can use vbscript to do it, havent got around to using pb to do it yet since I'm just a beginner).

[heartbone]

What is the best protection for our soft?
Device ID?
Windows registry?
A little terminator (T1000 or +) hide in code, ready to kill anybody?
it is possible to put a terminator in the code ?

any suggestions?

Distribute your software on burnable CD or DVD.
I believe each "blank" physical disc has unique IDs encoded.
Allow the program to be copied to and run from the harddrive,
but only allow the application to run after the disc ID check passes.

[GPI]

little suggestion:
load a "key"-file in your directory. Then you should validate the information (for example with aesencode/decoder and a valid-data in the key-file). When the check finish successfull -> Fill version, otherwise demo-version.

You can Send this key in a mail.

Don't waste to much time on a copy-protection. When somebody has the necassary knowlege, he can break ever copy-protection-system. PCs (Linux,Windows,Mac) are open System.

[minimy]

Thanks very much to every one. Many ideas to start the battle.

What is the best whithout server?

Is possible auto-rewrite the exe file when run on first time?

[Jagermeister]

Heh. Long before I started programming (true story!), I disabled every protection mentioned here. Wdasm, pedit, and back in the day Softice were all you needed. The best one was where seemingly every procedure did a CRC check. There were over a hundred zombie procedures that made that simple check. It still isn't 100% but tracing each call gets tiring and most n00bs would think their cracks simply weren't working. If your security boils down to a single call to a single protection scheme, the entire idea is futile. If you choose to hardcode the serial, encrypt it AND the text ("Serial accepted!") or it's easy to find the call offset with Wdasm and disable it. One thought I had is to encode all source strings in AES or whatever, embed the key and let the app decode at runtime that way the exe doesn't contain readable text. It would look scrambled in a disassembler. As with anything, not 100% but makes life harder for the casual cracker.

[PB]

> makes life harder for the casual cracker

That's the fallacy: a pro cracker will do the job instead.
It's not only casual crackers that try to attack your app.

[Tenaja]

One thing I have done is read a checksum on my anti-piracy registration code. If it does not match, I introduce a few bugs, which reveal the pirates. Legit users never complain of the bug; others, just tell them to sign into their account and get the current update... or ban them... either way, their theft is revealed, and they do not get support. This is an undocumented feature...

[swan]

> I introduce a few bugs, which reveal the pirates

Good thinking. The problem with that is the rest of the code must be bug free ...

[nblackburn]

I would suggest to keep as much of your protection online as it is more secure and less likely to be attacked than a piece of software as you have a certain level of protection and control over it's distribution.

P.S - a bug is an unexpected behavior so how to you plan to introduce bugs without expecting them?

[Tenaja]

I expect the bugs, but the users do not. Things like making the Tips always show at startup regardless of the setting, or randomly capitalize a few characters when a file is saved...

[Danilo]

How to protect comercial software?

There is a book: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection