Licensing, Obfuscation and Copy Protection Tools
-
If someone wants to copy your software then I believe you should let them, to a degree. It can generate sales. The main project I was involved with used an email service to send an activation and product options based upon the generated userid and payment receipt! UserID generated from hardware, receipts that are unique, and some simple mathematics and well-placed calls. This worked well because the company was also the primary sales outlet. Even so, setting up a system to verify software based on UID is not too difficult with modern technologies. Making software that is good and value for money is by far the best method of sales in comparison to overpriced, bloated bugware. I'd avoid any form of dongles, copy-protected CDs etc. as these do nothing but aggravate the customer and decrease the potential of sales. If you want to go with commercial systems then there are items like CopyMinder, CrypKey, Exe Lockdown, Logic Protect and ShareGuard, a few that were getting around. Personally, creating your own protection, licensing system would be the best and probably safest bet.
Programit wrote:
Personally, creating your own protection, licensing system would be the best and probably safest bet.
Man you are soooo far away from it, sooo far away. Google something about code reverse engineering. And then read your post again. I use a similar (to the one you described) system for our company software, but it is not secure. The only thing that protects our software applications is that they usually come with a pretty expensive piece of hardware equipment.
-
I could swear I saw some recommendations here in the Lounge but the name escapes me.. With the usual caveat, 'determined can bla bla', 'put it behind the service' etc: Are there any decent products for licensing, protecting software, Internet activation, on-demand delivery/auto-updates etc that don't get broken by H20, OzOne and friends within a few weeks? MS has recently pulled out from its idea that didn't live longer than a few months, Dotfuscator guys are still charging silly money and so on.. Both native and managed hints would be welcome, and ideally without a 4 digit price for proprietary 'invention' that will be busted sooner or later, or not work with reflection and who knows what else... Dongles, drivers, PKI-based, anything would be acceptable.. Cheers
I've used Armadillo which at the time I bought it was inexpensive. Since then it's been acquired by Digital River and rebranded as SoftwarePassport. The price has also gone up, especially as the reduced feature version I bought is no longer available. They used to not support .NET so you'd need to check if they do now. I found it after doing a bit of research and noticed that a lot of people were talking about it. I'm confident that the developers really know what they're doing and the documentation is comprehensive so you can see exactly what you get for your money. It's packed with features and well supported. Some other products say they offer great protection but don't elaborate much on that. You build your app as normal then run Armadillo on your executable (and dlls) to provide a wrapped-up exe with page swapping, debug blocking, key based licensing etc built in. It comes with a library that allows you to check for key expiry etc from within your own code for added flexibility, or you can just use the Armadillo interface to determine how such events are handled. I prefer the old Armadillo interface which should still be available as an alternative to the "improved" SoftwarePassport one.
-
From my experience, dongle-based safety is often a pain, and expensive. If it's .NET obfuscation you're after, I'd go with Smart Assembly. It's easy to use, fairly well priced, and whenever I've come up against a problem the developers have been very responsive. http://www.smartassembly.com/
From my experience dongles are not hard at all to program and VERY effective. Look at HASP by Aladdin. Also take a look at CrypKey as it is very effective too. I used both on the same project and it has yet to be cracked after several years of production use.
-
fingoo.net is pretty good. no set up fee and you only pay a tiny percentage of the licenses you actually sell. Automated license purchasing is also provided where your users pay direct to your PayPal account. with a friendly free support service too :o) what is really needed is a decent site that reviews the various software activation services, like www.adslguide.org is for adsl. a lot of them have hidden charges and other such nasty surprises :o( keith
-
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=cgv&q=softwarepassport+armadillo+v6.0.0.600+crd&btnG=Search do some research and find out which of the commercial copy protections are the hardest for reversers to reverse. nothing is safe to be realistic, if you can build it, it can be unbuilt, aside from actually leaving code out and truly limiting a shareware version, but then you have to worry about your truly registered users giving out their copy to friends etc. never ending circle eh ;)
-
User of Users Group wrote:
Are there any decent products for licensing, protecting software, Internet activation, on-demand delivery/auto-updates etc that don't get broken by H20, OzOne and friends within a few weeks
Well the ones on A list games typically get cracked in hours to days, but I suspect that's not what you want... :doh:
Today's lesson is brought to you by the word "niggardly". Remember kids, don't attribute to racism what can be explained by Scandinavian language roots. -- Robert Royall
-
You're right it's all a question of degree and if a vendor says their system is impossible for anyone to crack, it's either dishonest or they don't really know what they're doing. At least Armadillo tell you exactly what their product does and don't sell it as some kind of magic box. Whether there is a real crack for Armadillo I don't know, but I do know it was cracked in the past once for sure and they fixed the problem. Friends passing keys around is unavoidable unless you generate a key that is locked into the user's hardware so the program can't be used on another machine, but that is an admin nightmare and will probably put people off unless they really need your software. If the key contains the name of the person the software was sold to, at least if it appears on a website somewhere it's obvious who put it there. None of it's foolproof but if you provide software that you want people to pay for and it is easy to continue using it without paying, most people will. If it requires a bit more work, most people won't know how to break it. Armadillo can give you a custom build to help prevent generic crack tools from working on your app. So in general I think some decent protection is better than none.
-
I know this is probably not what you want to hear... but the answer is mostly no. You're probably not going to find some OTS copy protection that crackers won't rip apart that isn't ridiculously expensive. Here's a bit of an overview of the different protections and why they're good/bad:
Dongles - Generally you shouldn't bother with these. They are expensive, unwieldy, and a PITA for customers. Software developers that use them also rarely implement the protection properly. If you're just checking whether the dongle is there and that it's your dongle, you're doing it wrong. The one way you can make it effective is to put critical data or even code inside the dongle's memory, then handle the failure case as best you can without giving away too much information about what that critical data or code should be. As you can imagine, this isn't easy.
Internet Activation - They can be relatively inexpensive and easy to use. However, as we've seen with some music DRM there is risk. Does your app require internet access? If not, why should your copy protection? And can you make sure your customers can still use your product even if your servers go down (or if you would go out of business)? These products can be good for keeping people honest, but will not keep out crackers because you still will most likely keep track of activation status on the client or you'll have to provide a non-internet alternative.
Obfuscators/Encryptors - IMO obfuscators are pointless. They'll only slow down a cracker slightly because most of them are used to reverse engineering apps without any useful names anyway. Encryptors can be better, but of course there is the risk of compatibility issues. Products like Armadillo, Execryptor, etc. can work, but only if you don't open a loophole by having a trial. If at any time the app can be run without the customer having paid you, the protection is worthless because the cracker can unwrap and save the code during the trial period. If the encryptor uses strong encryption and will not run without a valid serial number, then it can be effective.
Serial Numbers - If strong encryption is used, you can prevent a key generator from being made. Of course this may result in the customer having to input very long license keys. This does not prevent someone from just modifying your app to always accept any serial number. You'll see a lot of products like this that claim to be easy to use and secure, but are really as secure as a wet napkin. CrypKey that some other posters have men
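The serial-number scheme from the post above, combined with the name-bearing and hardware-locked key from the earlier reply, as an added Go example that is not code from any poster or product in this thread. It assumes Ed25519 signatures as the "strong encryption"; the `License` fields, the key format and all function names are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// License is the payload the vendor signs. Field names are illustrative.
type License struct {
	Licensee  string    `json:"licensee"`          // buyer's name, so a leaked key is traceable
	MachineID string    `json:"machine,omitempty"` // empty means not locked to hardware
	Expires   time.Time `json:"expires"`           // zero value means perpetual
}

var (
	ErrMalformed = errors.New("license: malformed key")
	ErrSignature = errors.New("license: bad signature")
	ErrMachine   = errors.New("license: issued for another machine")
	ErrExpired   = errors.New("license: expired")
	b64          = base64.RawURLEncoding
)

// DemoKeys derives a fixed pair from a constructed seed so the example is reproducible.
// A vendor would call ed25519.GenerateKey once and keep the private half off the client.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue runs only on the vendor's side; the private key never ships.
func Issue(priv ed25519.PrivateKey, lic License) (string, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload)), nil
}

// Verify runs inside the shipped application, which embeds only the public key.
func Verify(pub ed25519.PublicKey, key, machineID string, now time.Time) (License, error) {
	parts := strings.Split(strings.TrimSpace(key), ".")
	if len(parts) != 2 {
		return License{}, ErrMalformed
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return License{}, ErrMalformed
	}
	// Authenticate the bytes before parsing anything the user controls.
	if !ed25519.Verify(pub, payload, sig) {
		return License{}, ErrSignature
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return License{}, ErrMalformed
	}
	if lic.MachineID != "" && lic.MachineID != machineID {
		return lic, ErrMachine
	}
	if !lic.Expires.IsZero() && now.After(lic.Expires) {
		return lic, ErrExpired
	}
	return lic, nil
}

// Relabel edits the licensee but must reuse the old signature (no private key).
func Relabel(key, name string) string {
	parts := strings.SplitN(key, ".", 2)
	payload, _ := b64.DecodeString(parts[0])
	var lic License
	_ = json.Unmarshal(payload, &lic)
	lic.Licensee = name
	payload, _ = json.Marshal(lic)
	return b64.EncodeToString(payload) + "." + parts[1]
}

func main() {
	pub, priv := DemoKeys()
	now := time.Date(2008, 12, 4, 0, 0, 0, 0, time.UTC) // constructed date
	key, _ := Issue(priv, License{Licensee: "Alice Example", MachineID: "HW-1234", Expires: now.AddDate(1, 0, 0)})
	_, e1 := Verify(pub, key, "HW-1234", now)
	_, e2 := Verify(pub, Relabel(key, "Mallory"), "HW-1234", now)
	_, e3 := Verify(pub, key, "HW-9999", now)
	_, e4 := Verify(pub, key, "HW-1234", now.AddDate(2, 0, 0))
	fmt.Println("genuine:", e1, "| edited:", e2, "| other machine:", e3, "| expired:", e4)
}
```

The payload plus signature makes the key well over 100 characters, which is the length cost the post mentions. As the post also says, the signature only rules out a key generator; it does nothing once the application is modified so that `Verify` is never consulted.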
-
computer_nerd wrote:
some decent protection is better than none.
yup, agreed. I didn't post that link to try and give someone a crack to it, hopefully it didn't come across as such.. merely as an example that it had been cracked, and if folks can get the beast itself to study, it helps the chances of it being reversed easier. packers/crypters at a minimum help keep the run of the mill hobbyist cracker from getting into your stuff, which is definitely better than nothing. I believe a PE packer/crypter and obfuscation can be a real pain for folks to attack, so if you can use a combo of that, you could at least fend off the bad guys for some time.
-
The only way that really works is to use a client-server approach. Think about how online games work. I don't know of any way to take a copy of World of Warcraft and make it work on their servers without actually buying it and getting an account key. You could also try and make your app web-based, if that's appropriate. Then each user has to have a username and password to use it. Then you never even give the code -- compiled or otherwise -- to your clients. I've seen all different kinds of copy protection, and I've seen them all cracked. EXCEPT for a client-server approach. You can't crack code that's running on someone else's machine. As other posters have said, it's really an issue of how high-profile your application is. It takes a lot of real skill to be able to crack something -- usually by disassembling it and modifying the assembler code. Not every script kiddie can do something like that, so you'd have to attract the attention of some very skilled people who have motivation to crack your software.
-
Thanks to all, above and below in CP BB layout :), for the thoughtful responses. Whilst client/server scenarios are one of many, they are not always/solely applicable (or unbreakable like in the old days of patching games and more). Cracking (volume sales) is also not my primary concern, plus I hear some vendors prefer to encourage it. In particular, I believe your reply nails it on the head for my sketchy question.. but it also gives a hint on a few ideas that are worth pursuing.
modified on Thursday, December 4, 2008 5:27 PM
-
As tech support for a product that uses a dongle-based approach, I say screw the dongles. I get sick and tired of all the headaches that damn thing causes. For the record, it's a HASP by Aladdin.
I'm with you! I've been a user of multiple software packages that rely on dongles, as well as tech support for others. I refuse to consider purchasing any product that uses them, even if a competing product is not as effective.
"A Journey of a Thousand Rest Stops Begins with a Single Movement"
-
@original poster to this thread: See I told you - use a dongle - it stops theft cold. Get paid for the work you do. Heck with the admins. In this economy the admin ain't gonna make your house payment.
-
I work for a LICENSED VAR, not a thief. That shit stops paid-for services cold, as well. And paid through the nose, not just a few hundred dollars. If you were attempting to be humorous, next time try using an emoticon or some other indicator. Using straight text that directly calls me a thief is not a recognized way of being "funny".
-
Not sure how you read I was calling you a thief into my response. I'm not calling you a thief at all. The original poster on this thread was asking for comments on how to protect the investment of his time in writing his software so he could get paid for his work. I'm an ISV so he and I share similar interest, and since I protect my software against piracy I shared my techniques. I use CrypKey, Microsoft SLPS, and HASP dongles. Stops thieves cold. Allows software authors to feed their families, make house payments, and most importantly, make payroll so they can pay admins like you, so you can feed your family, make your house payment, etc. I realize people hate dongles but I don't care. If a company doesn't like it they can buy a competitor's product. This does nothing but give me incentive to make my product better so people will buy it and put up with the dongle hassle.
-
I completely agree with the comments on dongle usage. Dongles generally come with an "envelope" utility and a programming API. You must use the API to store some critical data (I store database connect strings and system passwords) inside the dongle's memory. In addition to the API use the envelope utility which will encrypt the executable. Consider it wearing 2 rubbers. Retrieve the dongle's data at runtime and if you can't retrieve the data then silently let your program die. Don't bother giving the user any warning messages or anything as that only tips the cracker off as to where to hijack your program. (Legitimate users will call tech support if they have problems - crackers don't.) Create a system timer and call your dongle routines frequently. When you suspect someone is cracking your application because the dongle doesn't return the correct value don't let your program die immediately, let it die at random intervals - sometimes after 1 minute sometimes after 5 minutes. This way as the cracker is attempting to hack your program there doesn't seem to be any reason as to where or why the application "freezes up." Seriously folks, you have to wear your black hat when coding anti-cracker routines. Just think nasty - after all the black hats do. If you are positive a cracker is working on your system (like after your dongle has failed 20 times or so) just destroy some system data and make them re-install. Your job is to slow them down at all cost. Maybe they will freak out that you are going to start deleting folders and they will stop hacking your application. I have used Aladdin HASP dongles for years and the API isn't difficult to program at all - especially compared to all the time you spent writing your program anyway. It's time well spent. As a side note - everything above applies to software only licensing schemes like CrypKey et al. Happy cracker killing to all. I find it very enjoyable outsmarting them.
-
"Not sure how you read I was calling you a thief into my response. I'm not calling you a thief at all." It's an understandable mistake: 1) You replied to my comment, thereby indicating your comment was related to mine somehow. 2) You directed your comment at the OP, not at me. 3) You said "see ... it stops theft cold" about the dongle. 4) My comment was about how the dongle stopped me from doing my job. What's completely mysterious to me is why you think you weren't calling me a thief. I can't wait to see this one. :suss:
-
Ok. You're a thief and my dongle stopped you from stealing my program. Now I can feed my family and make payroll so all your buddies can have a job. Maybe you'll get laid off and drive a dump truck or operate a backhoe for Obama's new road construction project. Satisfied now?
-
Hello Naruki :confused: With respect, some research into colloquial, conversational English will reveal that you were not being called a thief. I suggest that your apology is in order. Please be a bit less 'trigger happy'. Warrick
Troft not lest ye be sponned on the nurg! (Milligan)