Software protection - any suggestions?
-
Hi All, My company is planning to create an evaluation version of our product for marketing purposes. Obviously we don't want potential customers to just keep using the evaluation version, so we'd like to limit it in some way - it only works for 2 weeks, or 15 application starts, or whatever. Does anyone have any suggestions for a third-party Software Protection suite? We are NOT interested in developing something in-house - frankly I don't think we have the required security skills/knowledge. We DO need a software-only solution. If anyone can give me feedback on products they've had personal experience with I'd be really grateful. Obviously I've googled "software protection", but some impartial recommendations would really help narrow down the (seemingly extensive) options. Cheers, Pete
-
Hi Pete. Let me tell you what I know. As per my analysis, there are three types of protection that could be introduced to proprietary software.
1. Weak
2. Strong
3. Rugged
Weak: Can be cracked by some external tools without much hassle. E.g., our good old Winzip. These programs keep track of the current system time and judge the evaluation sessions according to it. But there are other programs which record some entries in the registry during installation and find out the evaluation session.
Strong: This type of protection records some read-only registry entries, so that the entries are not tampered with at any cost. But if the system is reformatted, the same session can be continued without any major issues.
Rugged: This type of protection is really hard to break. There are some programs which ask the user to go online during installation. These programs get system information, such as the Ethernet address, and send it over the line. This address is later used to generate a serial number and the user is notified of his authentication by a mail.
Now it's your turn to decide to what extent you are destined to protect your software. All the best... Regards Sreekanth Muralidharan, Corporate Systems Consultant [Embedded Systems], INDIA
-
Hi Sreekanth, Thanks for the response, and thanks for the classification of protection schemes that you came up with - it seems to mesh well with the impression I have of the available schemes. It also seems to me that there is probably an inverse relationship between the security offered by a scheme and its convenience, both to us as developers and to the end user. We currently implement a "Weak" protection scheme (well, maybe "Pathetically Weak" would be more accurate). I'm sure if I asked my boss he would say we NEED a Rugged scheme. Personally, I think Strong is adequate. Guess who gets the final word... I think Rugged is probably the way to go. Would you or anyone else have a shortlist of candidate products? Cheers, Pete
-
See here.
"Let us be thankful for the fools. But for them the rest of us could not succeed." - Mark Twain
"There is no death, only a change of worlds." - Native American Proverb
-
Hi David, Thanks for the reference. All due respect to Nish, but I don't think this implementation is strong enough to satisfy our requirements. Firstly, as I understand the implementation, all that is required to beat the protection is to delete a file in the system directory and a registry key (both of which share a similar name). Secondly, it would presumably be fairly trivial for a cracker to modify the executable by inserting an implementation of CExpire::HasExpired() that always returns false. I think maybe I should have mentioned in my original post that we need something that is reasonably crack-proof :-O Cheers, Pete
-
moredip wrote:
Firstly, as I understand the implementation, all that is required to beat the protection is to delete a file in the system directory and a registry key (both of which share a similar name).
Right, but the selection of said names is very important. Naming them Expiry Date, or something equally as naive, is obviously a bad choice.
moredip wrote:
Secondly, it would presumably be fairly trivial for a cracker to modify the executable by inserting an implementation of CExpire::HasExpired() that always returns false.
So name the function something else.
"Let us be thankful for the fools. But for them the rest of us could not succeed." - Mark Twain
"There is no death, only a change of worlds." - Native American Proverb
-
Hi David, I think what I was trying to say is that I don't want a solution that relies totally on security through obscurity. I agree with your response, but I'm also sure we could go back and forth for eternity suggesting holes and solutions to those holes. I have to work under the assumption that any solution I handcrafted would be VERY inferior to one I buy in from a company who essentially get paid to be good at this stuff. An analogy would be when I needed some image processing functionality. First off I wrote my own stuff, then realized that for the development costs of my crappy, slow thresholding algorithm I could buy in a third party imaging library that did a MUCH better job. Cheers, Pete -- modified at 14:49 Monday 13th March, 2006
-
Dear Pete, That was a simple explanation and as you have said there's an inverse relationship between protection and ease of use. As regards the candidate products, I will just search for them and will ping you in a day or two. Regards, Sreekanth Muralidharan, Corporate Systems Consultant [Embedded Systems], INDIA
-
Pete, You can go for something similar to Product Activation which would use your database in conjunction with the software with your client. Vasudevan Deepak Kumar Personal Web: http://www.lavanyadeepak.tk/ I Blog At: http://www.dotnetjunkies.com/weblog/deepak/
http://deepakvasudevan.blogspot.com/
http://deepak.blogdrive.com/ -
There are a few ways that I have tried to add protection to a program of my own. However, how I have done my software protection is not using third-party programs.
1) Use the registry with encryption. Write an encrypted value with the number of days that the program will work and decrement it accordingly. Keep the value encrypted so if it is changed in the registry the program will stop working.
2) Have the program run only from a CD and write the computer serial number and CD serial number to the disc, and if either of the two values is not what it is supposed to be then the program will not run.
3) Disable specific features that will require the full version of the program to use.
4) Set a specific date for the application and when the date is reached all programs that are evaluation versions will stop running.
Regards, 1tg46 Check out 3D Game Development with Dark Basic Professional programming.
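
An added example, not part of 1tg46's post or of any product mentioned in the thread: option 1 above, sketched with an HMAC rather than encryption, since the stated goal is to notice a changed value. A dict stands in for the registry, and the key, value name and machine IDs are constructed; the code also shows the limit Pete raised earlier, that a deleted value looks like a first run.

```python
import hashlib
import hmac

# Assumption: the key ships inside the program, so the MAC only detects edits
# made by someone who has not extracted it from the binary.
EMBEDDED_KEY = b"constructed-demo-key"
VALUE_NAME = "TrialState"  # hypothetical registry value name


def _tag(machine_id: str, days_left: int) -> bytes:
    msg = f"{machine_id}|{days_left}".encode()
    return hmac.new(EMBEDDED_KEY, msg, hashlib.sha256).hexdigest().encode()


def write_state(store: dict, machine_id: str, days_left: int) -> None:
    """Store the counter together with a MAC bound to this machine."""
    store[VALUE_NAME] = f"{days_left}:{_tag(machine_id, days_left).decode()}"


def check_state(store: dict, machine_id: str, trial_days: int = 14):
    """Return (status, days_left): 'new', 'ok', 'expired' or 'tampered'."""
    raw = store.get(VALUE_NAME)
    if raw is None:
        # A missing value cannot be told apart from a first run.
        write_state(store, machine_id, trial_days)
        return "new", trial_days
    days_text, _, tag = raw.partition(":")
    try:
        days_left = int(days_text)
    except ValueError:
        return "tampered", 0
    if not hmac.compare_digest(tag.encode(), _tag(machine_id, days_left)):
        return "tampered", 0
    return ("ok", days_left) if days_left > 0 else ("expired", 0)


def consume_day(store: dict, machine_id: str):
    """Decrement the counter once; leave a tampered or new value untouched."""
    status, days_left = check_state(store, machine_id)
    if status == "ok":
        days_left -= 1
        write_state(store, machine_id, days_left)
        status = "ok" if days_left > 0 else "expired"
    return status, days_left


if __name__ == "__main__":
    reg = {}  # constructed stand-in for the registry
    print(check_state(reg, "PC-A"), consume_day(reg, "PC-A"))
```

The integrity check catches an edited counter and a value copied from another machine, but the trial state still lives entirely on the user's machine, which is why the thread moves on to activation against a vendor-side database.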