Keygens, Cracks, Etc.
-
Hi! Well, I've just been notified that two of my programs have keygens available for download. I look at this in two ways. 1st. It sucks. For obvious reasons. 2nd. Wow...somebody actually liked my software enough to waste a bunch of time tearing it up to figure out the registration algorithm. So, my question is...short of re-writing all my programs to use a shareware/release version (stripped down) and creating dual releases...how can we prevent this sort of thing? It's obvious that we as software developers are vulnerable to this sort of thing. How do we make our software crack proof? Fran
-
Frank, I agree, it sucks. I'm sure you can understand the position we put ourselves in selling source-code-based products. I've actually caught people posting snippets of our code on CodeGuru, if you can believe it. I play EverQuest and their copy protection model is pretty simple: it's useless w/o also buying a subscription to their service. I think the "ultimate" :) goal is to make your software offering much more valuable to own than steal. Does anyone actually run their company on pirated accounting software? Or write code on a pirated compiler? Maybe they do, it would scare the crap out of me though.
-
Dave, I can see how your situation is different. And, for the life of me, I can't imagine why someone would post your code on CodeGuru. That's amazing to me. I also agree with you that the "ultimate" protection is to make your software valuable enough that people will "Want" to own it rather than use a chopped copy. But we have to be realistic. I've spent hours trying to figure out ways of making my software "crack proof". And I've come to a conclusion. That is, there are only 2 ways to do that. Maybe I'm missing something, so I'll accept comments on this...

1. Use 2 versions of your software. Trial versions and Registered versions. Of course the cons of this are increased development times, and multiple build versions to deal with when upgrading. But this is the most secure way. There is no code to crack, and no Key to Gen (as it were). :)

2. Use a registration validation server. Similar to what ID Software is doing with Quake3 Arena. Gamespy also uses this model, but theirs is for other reasons. I think the cons to this type of model are obvious. No internet connection, no program. And you have to deal with breakdowns in the traceroute, and server outages. End result is upset customers.

So, which is the best? If there is such a thing in this arena. No matter how good your product is, no matter how much time/money you spend on your registration system, this type of thing will happen. I think it's sad. :( Cheers, Fran
-
Frankly, you can't make software crackproof. In the end, the computer must always be able to understand the code, and thus it must have algorithms to decode it, which can be understood by anyone with a disassembler and a bit of expertise. Even if you build in things like internet validation, they can still disable the code which calls the validation. You can put CRC checks in to validate that the program is unmodified, but they can disable that code as well. You can make it so difficult to crack that users will simply give up, but that would require putting thousands of different checks in there of varying types, plus sending the cracker on wild goose chases. Simply put, this would require thousands of hours of work on your part, and still could be defeated by a determined enough cracker. Hardware dongles don't work either, since the code that checks them can be removed. You could encrypt each download of the software with a different PGP private key, then send that key to registered users. This would prevent keygen programs, but would not stop a registered user from taking that program and then posting it on some ftp site. The same could always happen with your non-shareware program as well. Fact is, authorization keys only keep honest people honest. Much like locks on doors. That's the best you can hope for.
-
Have a look around here... http://www.instinct.org/fravia/protec.htm
-
I agree with Erik. I work peripherally on our company's security system for our applications (hardware protection) and honestly, at the end of the day, as hard as we try we just end up shaking our heads and saying "All we can do is keep the honest people honest and make it really hard to crack, but it CAN be cracked." Frank, I'm curious what your app is? As you said, if it's worth cracking, that's a compliment in a strange way and probably a worthwhile program. Maybe I could use it. :) Good luck ... P.S. Funny story: I searched the web once for stuff related to our app and found a request for a dongle crack on a message board. The person had used their real name so we looked in our database and found the person was a client. I guess they didn't want to pay for a second copy!
-
You are absolutely correct, Erik. And you have (in a way) validated my opinion. Anyone else have any thoughts on this? Cheers! Frank
-
Like everybody here points out - as frustrating :mad: as this may be - there is no crack-proof software or security. Protecting software is as difficult as protecting a "bit stream" (cfr DVD, DECSS, ...). If it's 'ones and zeros', it can be copied, dissected, cracked and altered. That does not mean you do not have to try, as Shane Hyde implies. Maybe a third party library can do the trick. Our company uses "Sheriff software" :eek: (http://www.sheriff-software.com) which is relatively cheap and offers in my opinion an acceptable level of protection. (NB: Please note that this is not a sales speech) I tested the library and it is possible to crack at least a part of it. (NB2: So this is definitely NOT a sales speech) It depends on the license policy you use. If you automatically issue "fully functional for a limited time" evaluation licenses you are more vulnerable to an attack. I did not exhaustively test :cool: the key generation scheme but it 'seems' robust enough. At least a third party software library might be the answer since they are (hopefully) constantly improving their product, and they are more focused and putting more effort into the software security design goal than you and I have time for. Just my 2 cents. NB3: These Board Emoticons :rolleyes: are cool!
-
There is an alternative approach... Putting *Required* Processing Power into the Dongle, that is, not only some 'key verification', but something that is intrinsic to your app's function. A crack would require re-inventing the section of code placed into the dongle. Admittedly, this is only feasible for applications in the $1K+ range, and there are no development costs included. And it might cause a shift in the cracker's profile, but it's worth the idea, isn't it?
-
Hi All! I'm working in a company developing timetabling software for schools and universities. This software incorporates a sophisticated Artificial Intelligence algorithm, which automatically performs all the scheduling. We consider this algorithm to be a bit of a breakthrough in that area. As a result, our protection needs grew with the development of this algorithm, and the following type of protection came to my mind: the software will lack the automatic timetabling engine, and will be shipped to everyone without it. Instead, our company's Internet servers will be running an application that'll be waiting for an *online* request for timetabling, so that the algorithm will sit only on our servers. The input data will arrive online, the server will build the timetable, and some time later will email it back to the sender. In that way no one in the world can use the software without "our permission". I guess that approach isn't applicable to every kind of software, but for the kinds that fit, it's almost 100% crack proof. David
-
Thanks for the info Farzad. Both my apps are NNTP news related. You can check them out at my website http://www.x3software.com Fran
-
David, I think your approach is pretty much ideal, and it could apply to almost every kind of software if you think about the design issues up-front. Every program receives periodic updates, bug fixes, patches, etc., and I've purchased a number of packages that use this method, not specifically as a copy protection, but as an integral part of their service. I think in countries other than the US, that demanding an internet connection is quite a bit more difficult, but it shouldn't be a problem in the US, Canada, Europe, Australia, etc. Really, the Internet becomes the dongle. My concern with internet based authentication isn't that I'm being authenticated, but rather that I don't know what information is being sent over the wire.
-
First off, I'm a veteran of shareware, both as a programmer and a user, having been "doing it" since the C64 days, and have done it for C64, Apple ][, Macintosh, Win3.1 and Win32. I’ve been around this issue for a very long while, and have done a lot of research into it. The bad news: As others have put it, if it's on the computer, it can be cracked, given enough time. Doing separate builds - one for trial, one for full - doesn't really solve anything. It may make your “manager” types happy, but someone will still buy it, get the full version, demand a refund, and then post the program everywhere. Yes, this has happened to me. Using a 3rd party protection tool is a SERIOUS waste of money - they all have a formulistic crack or patching method, and I haven't seen any pass a half-assed attempt. Examples: www.gamecopyworld.com, astalavista.box.sk, crackstore.com, suddendischarge.com, and w3.to/protocols - you can sadly find lots and lots of others. Anytime I hear about a game that’s “gone gold” on avault, almost always there is a crack ALREADY UP on gamecopyworld.com – and the thing hasn’t even hit my local MicroCenter’s shelves yet! As for people willing to use development tools and other stuff without paying for them: yes they do - check ANY of the binaries newsgroups if your ISP carries them. Borland 5 C++ compiler is free, yet people seem willing to trade VC++ and Metrowerks. Now, the good news: Generally, the reason people pay for a product is less than trialware and being forced to buy, than actually getting something for the money, be it continual upgrades, or helpful tech support (of course, if you did a good job on code and docs, tech support is probably minimal). If you find that people are ripping you off for a $30 program, try dropping the price to $20 - if they are still doing it then, then there is nothing you can do, and perhaps your program needs a re-write, if it's irritating people that much. 
Combating the cracks or keygens falls into two groups: if it's a patch (crack) to your program, simply make a new version. Hell, make one a week. I recommend using something like UPX or Shrinker to compress/encode the exe if this is a continual patching problem – this causes the exe image to change more than normal. If the problem is a keygen (making a new key), the crackers usually use something like "UpN Phrac-e" or “TNO-LamerBeach” or some such stupid thing. Gather all the keygens, and lock out the names. If you can det
-
This isn't an actual response to the question at hand, but I thought I'd share something I'm using in my current development project having to do with keygens etc... The program I'm writing is for a very, very small market, consisting only of our 10-20 customers, so crackers are not a worry for me. However, to make this program worthwhile, we are charging a quarterly fee to actually use the app, which presents the problem of what to do if somebody will not pay. Most of our customers (believe it or not) do not have internet access, so that method is immediately tossed out the window. My theory here is to make the app expire at a certain date, and require a new code to unlock it until a new future time. Luckily for me, each customer has a unique identifier already used in the program, and the program is date sensitive, so I don't have to worry about them changing their computer clocks to run it. I'm also dealing with some VERY dumb users, so the fewer things they have to deal with, the better. What I've done is to create a code based on the expiration date (expressed as a true julian date - this was a very useful thing) and their unique ID, along with a checksum or two built in to the code (kind of like the credit card numbers). Really wasn't all that difficult, and all they have to do is enter an 8 digit code every 3 months, and the program can decode the date and unlock itself. Obviously this won't work in a lot of cases, but it's a good solution for this situation, so I thought I'd share... I guess I'm just in a typing mood today :) Back to work! Danie
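The offline expiry code described in the post above, sketched as an added example that is not code from the thread or from the poster's product: a 7-digit Julian Day Number offset by a per-customer mask, followed by one Luhn check digit. The digit layout, the mask constants, the 100-day term limit and the sample customer ID 1042 are all assumptions.

```cpp
// Added illustration, not code from the thread. Layout, constants and names
// are assumptions chosen to fit the description (8 digits: date + ID + checksum).
#include <cstdint>
#include <iostream>
#include <string>

const long MODULUS = 10000000;   // payload is 7 decimal digits
const long MAX_TERM_DAYS = 100;  // one quarter plus slack (assumed)

// Gregorian date -> Julian Day Number; 7 digits for present-day dates.
long julian_day(int year, int month, int day) {
    int a = (14 - month) / 12;
    long y = year + 4800L - a;
    int m = month + 12 * a - 3;
    return day + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045;
}

// Per-customer offset: a code issued to one customer decodes to a nonsense
// date under any other ID. Multiplier and increment are arbitrary.
long customer_mask(unsigned customer_id) {
    uint64_t mixed = static_cast<uint64_t>(customer_id) * 7919u + 104729u;
    return static_cast<long>(mixed % static_cast<uint64_t>(MODULUS));
}

// Luhn check digit over the 7 payload digits (the credit-card checksum).
int luhn_digit(long payload) {
    int sum = 0;
    for (int pos = 0; pos < 7; ++pos) {
        int d = static_cast<int>(payload % 10);
        payload /= 10;
        if (pos % 2 == 0) {          // double every second digit from the right
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
    }
    return (10 - sum % 10) % 10;
}

// Vendor side: build the 8-digit code for one customer and expiry date.
std::string make_code(unsigned customer_id, long expiry_jdn) {
    long payload = (expiry_jdn + customer_mask(customer_id)) % MODULUS;
    std::string s = std::to_string(payload * 10 + luhn_digit(payload));
    return std::string(8 - s.size(), '0') + s;   // keep leading zeros
}

// Customer side: returns the expiry JDN, or -1 for a malformed or mistyped code.
long decode_expiry(const std::string& code, unsigned customer_id) {
    if (code.size() != 8) return -1;
    long value = 0;
    for (char c : code) {
        if (c < '0' || c > '9') return -1;
        value = value * 10 + (c - '0');
    }
    long payload = value / 10;
    if (luhn_digit(payload) != value % 10) return -1;   // first check: typos
    return (payload - customer_mask(customer_id) + MODULUS) % MODULUS;
}

// Second check: the decoded date must be today or later and no further ahead
// than one term. A code for another customer lands far outside this window.
bool is_unlocked(const std::string& code, unsigned customer_id, long today_jdn) {
    long expiry = decode_expiry(code, customer_id);
    return expiry >= today_jdn && expiry <= today_jdn + MAX_TERM_DAYS;
}

int main() {
    long expiry = julian_day(2001, 3, 31);        // constructed sample date
    std::string code = make_code(1042, expiry);   // constructed customer ID
    std::cout << code << " unlocks on 2001-01-15: "
              << is_unlocked(code, 1042, julian_day(2001, 1, 15)) << "\n";
    return 0;
}
```

Everything the program needs to check a code is also enough to produce one, so a scheme of this shape fits the small, known customer base the post describes rather than software exposed to keygen authors.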
-
> Really, the Internet becomes the dongle. My concern with
> internet based authentication isn't that I'm being
> authenticated, but rather that I don't know what
> information is being sent over the wire.

That's exactly the problem. I don't know many people being willing to give an application full access to the internet to call its mama. There could be any kind of information (and not only pure application data) being transferred and for me, as a user, this is really nothing I would like. Why else do I install personal firewalls? I don't think a program that uses this technique finds many friends, at least not here in Europe where there are many security concerns about the internet. Regards, Tom
-
Tom, I think fundamentally putting a "lock" on software puts people off. There has to be some value in connecting to a server beyond copy protection, and I think having some part of the app centrally hosted is not a bad approach in the grander scope of things. FWIW, I don't think I have a piece of software right now that doesn't greatly benefit from an internet connection. Your point about the amount of trust you have to have to give an application full access to your machine is well taken. Maybe there's an opportunity for a web service in that...? A trusted company (IBM, Microsoft, Rainbow, etc.) offers a web authentication service, and it ensures that no sensitive data is exchanged. Might work, but it would have to be totally free and probably be integrated into the OS so it was standardized enough to be valuable.
-
> Funny story; I searched the web once for stuff related to our app and found a request for a dongle crack on a message board. The person had used their real name so we looked in our database and found the person was a client. I guess they didn't want to pay for second copy!

Not necessarily, the user may have simply wanted to use the program without having to have the hardware installed (for instance, a parallel dongle can often interfere with certain kinds of printers). I often apply cracks to programs (mostly games) that I use to remove the CD protection so I can copy it to disk and not have to find the CD when I want to play it.
-
I've recently noticed Microsoft using a new approach to prevent their Age of Empires II game from being pirated. They require the original CD to be in the drive for the game to start. If you make a copy of the CD and try it, it just prompts you for the original CD. This leads me to believe that they have something special on the original CD that the program looks for when it starts. So essentially, the CD behaves like a dongle. Pretty clever, don't you think?