Licensing, Obfuscation and Copy Protection Tools
-
As tech support for a product that uses a dongle-based approach, I say screw the dongles. I get sick and tired of all the headaches that damn thing causes. For the record, it's a HASP by Aladdin.
I'm with you! I've been a user of multiple software packages that rely on dongles, as well as tech support for others. I refuse to consider purchasing any product that uses them, even if a competing product is not as effective.
"A Journey of a Thousand Rest Stops Begins with a Single Movement"
-
@original poster to this thread: See I told you - use a dongle - it stops theft cold. Get paid for the work you do. Heck with the admins. In this economy the admin ain't gonna make your house payment.
-
I work for a LICENSED VAR, not a thief. That shit stops paid-for services cold, as well. And paid through the nose, not just a few hundred dollars. If you were attempting to be humorous, next time try using an emoticon or some other indicator. Using straight text that directly calls me a thief is not a recognized way of being "funny".
-
Not sure how you read I was calling you a thief into my response. I'm not calling you a thief at all. The original poster on this thread was asking for comments on how to protect the investment of his time in writing his software so he could get paid for his work. I'm an ISV so he and I share similar interests, and since I protect my software against piracy I shared my techniques. I use CrypKey, Microsoft SLPS, and HASP dongles. Stops thieves cold. Allows software authors to feed their families, make house payments, and most importantly, make payroll so they can pay admins like you, so you can feed your family, make your house payment, etc. I realize people hate dongles but I don't care. If a company doesn't like it they can buy a competitor's product. This does nothing but give me incentive to make my product better so people will buy it and put up with the dongle hassle.
-
I know this is probably not what you want to hear... but the answer is mostly no. You're probably not going to find some OTS copy protection that crackers won't rip apart that isn't ridiculously expensive. Here's a bit of an overview of the different protections and why they're good/bad:
Dongles - Generally you shouldn't bother with these. They are expensive, unwieldy, and a PITA for customers. Software developers that use them also rarely implement the protection properly. If you're just checking whether the dongle is there and that it's your dongle, you're doing it wrong. The one way you can make it effective is to put critical data or even code inside the dongle's memory, then handle the failure case as best you can without giving away too much information about what that critical data or code should be. As you can imagine, this isn't easy.
Internet Activation - They can be relatively inexpensive and easy to use. However, as we've seen with some music DRM there is risk. Does your app require internet access? If not, why should your copy protection? And can you make sure your customers can still use your product even if your servers go down (or if you would go out of business)? These products can be good for keeping people honest, but will not keep out crackers because you still will most likely keep track of activation status on the client or you'll have to provide a non-internet alternative.
Obfuscators/Encryptors - IMO obfuscators are pointless. They'll only slow down a cracker slightly because most of them are used to reverse engineering apps without any useful names anyway. Encryptors can be better, but of course there is the risk of compatibility issues. Products like Armadillo, Execryptor, etc. can work, but only if you don't open a loophole by having a trial. If at any time the app can be run without the customer having paid you, the protection is worthless because the cracker can unwrap and save the code during the trial period. If the encryptor uses strong encryption and will not run without a valid serial number, then it can be effective.
Serial Numbers - If strong encryption is used, you can prevent a key generator from being made. Of course this may result in the customer having to input very long license keys. This does not prevent someone from just modifying your app to always accept any serial number. You'll see a lot of products like this that claim to be easy to use and secure, but are really as secure as a wet napkin. CrypKey that some other posters have men
I completely agree with the comments on dongle usage. Dongles generally come with an "envelope" utility and a programming API. You must use the API to store some critical data (I store database connect strings and system passwords) inside the dongle's memory. In addition to the API use the envelope utility which will encrypt the executable. Consider it wearing 2 rubbers. Retrieve the dongle's data at runtime and if you can't retrieve the data then silently let your program die. Don't bother giving the user any warning messages or anything as that only tips the cracker off as to where to hijack your program. (Legitimate users will call tech support if they have problems - crackers don't.) Create a system timer and call your dongle routines frequently. When you suspect someone is cracking your application because the dongle doesn't return the correct value don't let your program die immediately, let it die at random intervals - sometimes after 1 minute sometimes after 5 minutes. This way as the cracker is attempting to hack your program there doesn't seem to be any reason as to where or why the application "freezes up." Seriously folks, you have to wear your black hat when coding anti-cracker routines. Just think nasty - after all the black hats do. If you are positive a cracker is working on your system (like after your dongle has failed 20 times or so) just destroy some system data and make them re-install. Your job is to slow them down at all cost. Maybe they will freak out that you are going to start deleting folders and they will stop hacking your application. I have used Aladdin HASP dongles for years and the API isn't difficult to program at all - especially compared to all the time you spent writing your program anyway. It's time well spent. As a side note - everything above applies to software only licensing schemes like CrypKey et al. Happy cracker killing to all. I find it very enjoyable outsmarting them.
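An added example, not code from any poster in this thread, illustrating the "Serial Numbers" point in the overview above: a license key that is an Ed25519 signature over the license terms, so the shipped application holds only the public key and cannot be turned into a key generator. Ed25519 is an assumption standing in for the overview's "strong encryption", and the names `DemoKeys`, `IssueLicense` and `VerifyLicense` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// DemoKeys derives a key pair from a constructed all-zero seed so the example
// is repeatable; a real vendor key would come from ed25519.GenerateKey.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueLicense runs at the vendor only; priv never ships with the product.
func IssueLicense(priv ed25519.PrivateKey, licensee string, expires time.Time) string {
	payload := []byte(licensee + "|" + expires.UTC().Format("2006-01-02"))
	return enc.EncodeToString(append(ed25519.Sign(priv, payload), payload...))
}

// VerifyLicense runs in the shipped application, which embeds only pub.
func VerifyLicense(pub ed25519.PublicKey, key string, now time.Time) (string, error) {
	raw, err := enc.DecodeString(strings.ToUpper(strings.TrimSpace(key)))
	if err != nil || len(raw) <= ed25519.SignatureSize {
		return "", errors.New("malformed license key")
	}
	sig, payload := raw[:ed25519.SignatureSize], string(raw[ed25519.SignatureSize:])
	if !ed25519.Verify(pub, []byte(payload), sig) {
		return "", errors.New("signature check failed")
	}
	i := strings.LastIndex(payload, "|")
	exp, err := time.Parse("2006-01-02", payload[i+1:])
	if err != nil || now.After(exp.Add(24*time.Hour)) {
		return "", errors.New("license expired or malformed")
	}
	return payload[:i], nil
}

func main() {
	pub, priv := DemoKeys()
	expires := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	who, err := VerifyLicense(pub, IssueLicense(priv, "Example VAR Ltd", expires), time.Now())
	fmt.Println(who, err)
}
```

The 64-byte signature alone makes the key over 100 characters long, which is the "very long license keys" cost the overview mentions, and the check still sits in client code that can be modified, as the overview also notes.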
-
"Not sure how you read I was calling you a thief into my response. I'm not calling you a thief at all." It's an understandable mistake: 1) You replied to my comment, thereby indicating your comment was related to mine somehow. 2) You directed your comment at the OP, not at me. 3) You said "see ... it stops theft cold" about the dongle. 4) My comment was about how the dongle stopped me from doing my job. What's completely mysterious to me is why you think you weren't calling me a thief. I can't wait to see this one. :suss:
-
Ok. You're a thief and my dongle stopped you from stealing my program. Now I can feed my family and make payroll so all your buddies can have a job. Maybe you'll get laid off and drive a dump truck or operate a backhoe for Obama's new road construction project. Satisfied now?
-
Hello Naruki :confused: With respect, some research into colloquial, conversational English will reveal that you were not being called a thief. I suggest that your apology is in order. Please be a bit less 'trigger happy'. Warrick
Troft not lest ye be sponned on the nurg! (Milligan)
-
With all due respect, I suggest you try not to let your preconceptions fool you: I am a native English speaker, and statistically better than average according to standardized testing. Certainly, my reading comprehension and analytical skills outstrip your own in this case. I don't think you need to apologize, but you really do need to use a little logic before committing yourself to public expression. If you can show how my conclusions are mistaken, I am all ears. But if all you are going to do is declare me incorrect, then you are doing nothing more than trolling.
Don't let my name fool you. That's my job.
-
I could swear I saw some recommendations here in the Lounge but the name escapes me.. With the usual caveat, 'determined can bla bla', 'put it behind the service' etc: Are there any decent products for licensing, protecting software, Internet activation, on-demand delivery/auto-updates etc that don't get broken by H20, OzOne and friends within a few weeks? MS has recently pulled out from its idea that didn't live longer than a few months, Dotfuscator guys are still charging silly money and so on.. Both native and managed hints would be welcome, and ideally without a 4 digit price for proprietary 'invention' that will be busted sooner or later, or not work with reflection and who knows what else... Dongles, drivers, PKI-based, anything would be acceptable.. Cheers
I'll add one more to the recommendation for dongles - we use Rainbow Sentinel ourselves. We have protected several million dollars worth of software written & sold by us at a cost to us of maybe US$40 per licence for the dongles. Yes, it's a hassle - even more of a hassle for me as a developer & maintainer of all the licences. But, so far nobody has cracked the dongles in order to give themselves more licences - orders are still coming in. Personally I hate the things but these do work - as a small company with bills to pay we can't afford our products to be pirated. As for the other person who said they wouldn't buy software with dongles, I have to agree with the replier - administrators don't make the decision to purchase in the first place & their opinion on dongles doesn't appear to hold much weight - I have had no software sales rejected because of dongles.
-
For what it's worth... We have looked around several times. Originally we ended up with Hardlock from ///FAST. Fast was acquired by Aladdin in the '90s. It took some time until they had a better product than what we had with Hardlock, but for a year now we have been on their latest generation: HASP SRM system. And it really is a new dimension. It gives you the best flexibility we could find and on the security side they have gone a long way building up something well thought through. One of their guys from R&D gave a presentation at the Developer Summit in Stockholm 2008 on their .NET protection. It can give you some ideas on what is important and not so nice on the managed side. http://www.cornerstone.se/upload/Web/Downloads/slides/DevSum08%20presentationer/Werner_Dondl.pdf Also our product management is happy. They do not need to come to us every time they want new license types. It is engineered in a clean way to isolate what we have to do in R&D from all the licensing stuff that is not really our R&D business. In addition it can be used with software only licensing or with a dongle so from trial licenses up to hardware protected license terms - without us having to make extra efforts. Maybe it helps ;)
-
computer_nerd wrote:
some decent protection is better than none.
yup, agreed. I didn't post that link to try and give someone a crack to it, hopefully it didn't come across as such.. merely as an example that it had been cracked, and if folks can get the beast itself to study, it helps the chances of it being reversed easier. packers/crypters at a minimum help keep the run of the mill hobbyist cracker from getting into your stuff, which is definitely better than nothing. I believe a PE packer/crypter and obfuscation can be a real pain for folks to attack, so if you can use a combo of that, you could at least fend off the bad guys for some time.
The combo of CryptoLicensing (http://www.ssware.com/cryptolicensing/cryptolicensing_net.htm) + Crypto Obfuscator (http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm) works well for .Net software. Flexible and affordable.
-
Check out Quick License Manager (http://soraco.co). It has online/offline activation, auto-updates, computer bound license keys, eCommerce integration, etc.