|
Part 1 of 4 was written in 2002.
It's now 2011. Is part 2 ready yet?
|
|
|
|
|
Regrettably most developers don't know squat about copy protection or how pirates crack copy protection and licensing schemes. Some of the these comments illustrate that well. [Disclaimer: I work for a company (www.wibu.us) that does nothing but make systems for licensing and anti-piracy. We've been doing it for over 20 years. We have a full time cryptographer. We have repeatedly exposed our solutions to the world of crackers and offered large prizes for anyone who could break our system (how else can you really test it?). So far no one has. This isn't an ad--it's to establish credibility.]
There are three ways to protect software:
1. Roll your own system (it will be effortless to crack). But it will perhaps defeat the casual would-be pirate from giving copies away to his friends. The tradeoff (in addition to your dev time, testing and debugging) is the risk that your system will create false negatives and tick off legitimate users--this is how copy protection got a bad rap in the old days.
2. Buy a software-only based activation system from an external vendor (like us or SafeNet). These systems will save you dev time, are reliable, work on multiple platforms, and won't irritate your customers when they fail improperly. However, ANY software-based system is potentially crackable. Why? Because they rely on asking an OS for some information, so they are subject to a man-in-the-middle or spoofing attacks. This is why you see Windows, OFfice, Photoshop, etc cracked up on torrent sites--they have patched various parts of the app or dlls to simulate a correct OS response to a licensing query.
3. Buy a hardware-based system from a vendor like us, SafeNet, KeyLok, or other. These "dongles" are used in various ways. The correct way is as a dynamic, secure, key generator for decrypting the protected app and dlls on program load. Secure because you don't want someone to just crack the dongle to do their own keygen. Dynamic because you don't want a single key that can decrypt multiple copies of your app, thus the need for multiple keys. For example, CodeMeter uses 2^32 keys for every protection, so no brute force or master crack is feasible.
If you sell cheap software the additional cost of a dongle probably doesn't make sense (although we have a customer with a game who uses our dongles--they've never been cracked). If you sell software to businesses that costs $1000s it makes sense to avoid piracy with a small additional cost. The dongles themselves need to be ideally driverless (so no user install problems), based on a smart-card chip, include debugger detection, and use strong encryption (like AES 128-bit, ECC, or similar). These systems ARE reliable and secure, regardless of the popular (and incorrect) belief that any copy protection system can be cracked.
Just wanted to set the record straight.
|
|
|
|
|
Hi there
In the past few months / years I was working on implementing / integrating copy protection system and function encryption to avoid code theft. I would like to help for some of you to clear the big picture.
Basically, there are two major type of market you might want to enter with your application.
1. B2C (business to customer), when you have a product which anyone can buy. Ie. games, os such as windows, editors, etc... endless.
2. B2B (business to business), when your client are companies. (ie. Hospital data system, Racing track, game studios, etc)
Depends on which business are you entering there are real big differences on copy protection requirements.
I believe every protection can be cracked, but some are really difficult while others are easy. I don't see the reason to put too much effort on B2C side, since anyone can get your app, and if it's a cool one it will be cracked! I would recommend to go for a simple enough solution which helps you to protect your app from an easy duplication. So your user cannot copy it, but needs to be cracked first. Even if it is easy, 99.999% of the users are not capable of that. Once you see that someone crack it and it's spreading on the net, you should feel good about it, since it means you made a cool app. And it's probably the time to think about some update of your app.
(another nice trick is to use upgrade mechanism to check validity - and deny upgrade if the application not authorized)
If you are in this business make it easy for you! Make a free version and a paid one with extra features which your users will love! If the price of your features worth, people will buy it! (even if some will not.. )
Once it's about B2B, then it's a different scenario. I am using a copy protection / encryption system which is used by airports, hospitals, race tracks and many other big firms. Cracking an application like that are a different scenario, even if the protection is bad and easy to crack. These companies are connected in business level and you have written contract with them. While a hacker from nowhere who downloaded your app and crack it in Apatfalva hard to identify, the same type of activity would easily put someone to prison in B2B.
When it's about B2B, things are more serious and there are lawyers and big budget also involved. There is no "bored" hacker who come along in an airport and want to crack the control system just for fun and give it away for free for some other countries where law not yet known. Cracking such a systems requires lots of details and access which is only possible if your client allow that, which would be a serious crime and can be tracked down.
Yes it is hard to track down who cracked a $10 tools which anyone can get from internet, but it is not that hard when the tool worth more then few $100000 and you know all the customers who have it.
So If you are fishing for small fish, don't use your big metal wire it would just give you more headache then profit.
Once you are go for big fish, then you need to take it seriously and not only thinking in a good protection as part of your system, but as part of your contract too.
And yes, there are protection system which was not yet cracked since its existence, but those are heavy, expensive and needs experts to installing them in client environment.
Hope this helps for someone..
Have Fun!
|
|
|
|
|
hello friends ,,,
I am working a c# desktop application in which I want add functionality of cd to cd data copy protection,
I have tried this enough but Still I unable to solve a problem ,and I have crosed deadline which was given to me.
PLZ Help Me
I would be very thankful of codeprojects developers in Advance
thanks,
|
|
|
|
|
the last is open to the same flaws as the second. a crcaker needs only to log the inof sent out and received to 'crack' the program. esaier still just to dissasemble and force the check to true.
any better ideas?
|
|
|
|
|
one idea is at:
http://www.codeproject.com/win32/certificate_manager.asp
Manish Agarwal
manish.k.agarwal @ gmail DOT com
|
|
|
|
|
Microsoft never copy-protected Word or Excel for many years.
This allowed the two programs to be copied widely.
So if you got a DOC instead of a TXT from someone else, you needed Word to read it.
This meant that Word became the universal standard.
In the original days of shareware (early 1980s), a shareware program was 100% fully functional with a nag screen only,
but there were no disabled features, no time limits etc. Shareware with such limitations was called "Crippleware",
and Crippleware was A Bad Thing.
When you sent in your money, the shareware company sent you a version containing no nags.
One successful shareware owner was asked "doesn't this cost you money?"
He replied "about 10% of my users have purchased the software, which is a much higher percentage than Microsoft has."
And currently, Winzip is fully functional shareware. If you don't register, all you get is a nag screen.
But you can zip and unzip as much as you want.
So apparently the original shareware concept still works,
as long as you provide bang for the buck.
Copy-protection that phones home is no better, because you just crack that remote protocol.
Also, you cannot sell your program to the user who puts it on his laptop:
suppose he's out there in the middle of nowhere,
but he can't start up the program, because he has no Internet connection. That's silly.
And for every copy-protected program, there's a crack available after about 5 minute's searching on the Internet.
Even ones that use dongles get cracked. So apparently, every copy-protection idea can be worked around.
The moral of the story is:
- Copy protection is unnecessary.
- It's just going to piss off your legitimate users.
- It won't stop the hackers.
- Implementing copy protection is going to cost you a lot of programming effort or $$$ if you buy a protection SDK.
- It won't make you an extra nickel of income.
|
|
|
|
|
This post sounds like the familiar whine of those who have no appreciation whatsoever that some us need to get paid for our work because we are adults, no longer supported by mum and dad, and not on the dole!
I have been distributing my own software for more than a decade and I can tell you this for a fact:
- software protection has not cost me any loss of sales whatsoever!
|
|
|
|
|
Here's why I won't pay $$$ for a phone-home style product.
As much as we'd all like to have an endless influx of cash from our products, realistically a lot of us will not keep paying to keep the "key server" up and running for the next 50 years. I'm gonna be pretty mad when, 6 months or 2 years from now, my product stops working because the company went out of business or decided to stop running the key server.
Even if you only do the unlock at install instead of every time it runs, I still may be reinstalling in 2 years (when I buy that new Pentium 7).
So, here's my shopper's guide to buying shareware:
1) If you click on "register" and see an authentication/registration code pair, don't buy it.
2) If you don't get a simple serial number, don't buy it.
3) If the instructions say you need an internet connection to register, don't buy it. (e.g., NewsBin Pro 4)
Otherwise, if it's a good product and you'll be able to use it as long as you want, pay for it and support the guys & gals who made it.
|
|
|
|
|
Hi,
InstallWizard - http://www.digitalweb.com.br/installwizard can do easily the method 3. Using LIVE UPDATE software.
regards,
Rogerio Silva
|
|
|
|
|
Before people go overboard and think of clever ways to protect their software I think they should stop and think about their legitimate users.
The schemes suggested here can all be broken quickly by most semi-competent crackers. This shouldn't be news to anyone.
The problem is that Joe Sixpack is gonna be mighty when he can't use the software he paid for just because his connection to the Internet happens to be down and the software wants to phone home to verify itself. I know people that download cracks for legitimate copies of products just because the copy protection schemes on these products are so much of a hassle. Hardware dongles, which were popular a decade ago, had a strange habit of going missing and getting a new dongle from the company would be a pita. What did these people do? They downloaded a crack for their legitimate copy and continued work.
Someone here suggested putting business logic on a server and basically having a dumb client. This obviously makes it a lot harder to crack a product but it's not a general solution to this problem. It applies only to certain families of products.
The most that can be done right now is non-intrusive copy-protection that might stop 'casual copying'. Don't for a second think that one of these suggested schemes will stop a product from being pirated. If the product is popular it will be cracked - it's just a matter of time.
Just my two cents.
|
|
|
|
|
you're right, but if the user don't want to hassle with internet connections and activation then he will order a CD which won't have any copy protection, Microsoft sells their products on CD's without any copy protection, except WinXP and Office XP ...
|
|
|
|
|
And the CDs are freely traded in the images newsgroups
|
|
|
|
|
Enough companies are finding ways to protect there code, that's just as simple as that. They are trying it with authentication codes, region codes (DVD players, etc), Server authentication, motherboard-authentication and more. Fact is that if there will always be people who can disassemble the code, and making it work.
So -> more protection means less chance, but stiull it can be done.
Sjoerd
LPCSTR Dutch = "Double Dutch "
|
|
|
|
|
Totally agree with your points.....
and it only takes 1 person to crack it and then distribute the "broken" copy.
The same is true for any media:
lets say a conglomerate of companies headed by Sony and MS get togeather and produce a music player with their own propritary (sp) file format, plugs, media (say 197pin card) and internet download protocol. The file format is a kind of exe that actually interrogates the player. Music companies then start exclusively releasing in this format. Are you going to buy it ?
Nope, cos 1 person buys one and hacks it: then puts the music on the net in MP3 (or even just takes the audio O/P and digitises+rips it to MP3).
next day it's on the net.
Are you going to buy it ?
If sex is a pain in the ass, then you are doing it all wrong!
|
|
|
|
|
Until they wisen up, set up a firewall/gateway, and either:
1. Block the host
Back to the problem of whether or not you allow people without a continus net connection to use your product. If not, you're losing a _lot_ of business; the types of people (IMO) that pay for shareware/etc are in general the ones whom have a cheap dial up; you know, older people. Mom and pop. They wouldn't think of cheating someone.
2. Modify where that host points
Pretty simple to reverse-engineer the protocol. Worked a project previously that got the Diamond Rio 600 working under Linux; that was a case of a protocol being reverse engineered, albeit being serial (over USB).
Don't forget applications like 'libfaim', and 'gaim' that actively reverse-engineer the AIM protocol. It's an easy enough thing to do.
|
|
|
|
|
I'm sure there's a way around it if you look at it long enough.... I'll go into detail about it in the second article of the series. Thanks for the suggestions so far.
It's good to see kids turning their minds to wholesum activities such as programming, instead of wasting their lives in the hedonistic disciplines of Sex, Drugs, & Rock & Roll... or Sex with Drugs, or Sex with Rocks while Rolling in Drugs, or whatever new-fangled perversions you little monsters have thought up now...
[Shog9 on Kid Programmers]
|
|
|
|
|
The problem with server-based authentication is that TCP/IP is the weakest link.
* The user must have connectivity to the server
* The server must be up (never any maintenance or hardware failures
* The server must be able to accept connections and respond in a timely fashion
* The software company must not go out of business
The current implementation of such "spy-ware" is to accept the user's credentials in
the foreground, try to phone home and validate the credentials quietly in the background
(hence "spy"). People running hardware or software firewalls (e.g. ZoneAlarm) may be
alarmed by the surreptitious IP activity and be wary of trojans. Realizing that you
must not deny service to a valid user (aka REFUND), only a REFUSAL from the server can
block execution of the program in question.
A tweak of the "hosts" file; a touch on the firewall; and your program is enabled.
The most effective marketing strategy I have seen from small-scale developers is to
allow free individual use (to gain market penetration), charge businesses a fair price
for commercial use, and use the SPA to ensure revenues (sue for copyright violations).
After employees become familiar with a program, and find it useful in their work, they
are able to pursuade their employer to purchase the program, and while at home, they
can continue to work at no extra charge.
I am still looking for something beyond the key disk, direct hardware i/o, "bad sectors",
and laser holes on the disk.
|
|
|
|
|
Anonymous wrote:
The user must have connectivity to the server
Yeah, I hate to see company (like Microsoft) thinking that all the users have a permanent, fast Internet connexion. It can be true in the future, but personnaly, I download some softwares at work, and use them at home, on a PC without Internet connexion.
And if such behavior is acceptable for a program related to Internet, I won't like to see my paint program, or word processor, use my Internet connexion without asking me...
Don't forget some users (in France at least) pay their connexion by the time they spend on line. Bandwith is precious.
Philippe Lhoste (Paris -- France)
Professional programmer and amateur artist
http://jove.prohosting.com/~philho/
|
|
|
|
|
the first two methods can be cracked in less than 5 minutes
so the third is near something better , but still can be cracked as long as all things are based on an authorisation code
the only solution which is more efficient is to place a dll on the server which provides the aditional functionality of the application which is a limited trial, so a remote aplication included in the main trial application will download the full version dll after it verifies the user authenticy, there is an alternative to include the full version dll in the application, but encrypted with a public/private key, and decrypted with the key from the server. So then your application can be just copied and distributed on warez sites with all the files...instead of a simple crack or a key
|
|
|
|
|
Mario M. wrote:
the only solution which is more efficient is to place a dll on the server which provides the aditional functionality of the application which is a limited trial, so a remote
Oh, I guess I shouldn't point out that any such form of software protection would be broken in less than 4 minutes. (heh)
Mainly because to decrypt the DLL your application downloaded (see below) you'd have to include your secret key somewhere inside your application; pattern matching would find that easily.
Oh, also, the DLL would _have_ to be decrypted at some point to run; you can't change that. Once it's decrypted to run, simple matter to take out the decryption code, and push the DLL to disk.
Also: are you going to not permit people without a continus net connection to use your product? that's what your scheme seems to imply.
(below: no way in HELL would I ever let a random company download random DLL's and execute them.. That would be like, something WINDOWS updating my stuff without my UPDATE knowledge DOT COM.
lol
|
|
|
|
|
negacao wrote:
Oh, I guess I shouldn't point out that any such form of software protection would be broken in less than 4 minutes. (heh)
Not quite. I think what he was saying (forgive me if it wasn't) is to separate the business logic from the GUI and put the business logic on a remote server. This server is administered by the software developer. This method is effectively uncrackable. The only way to break this is for the hacker to rewrite the business logic themselves, or to hack into the server.
Aside from doing this, I dont think there is currently any method of software protection that cannot be cracked.
|
|
|
|
|
Mr Morden wrote:
I dont think there is currently any method of software protection that cannot be cracked
From what I've seen this is certainly the case. The only way that this protection can be afforded would be to incorporate the APIs directly in hardware on the machine, and into the OS itself. However, you would probably then be in a similar situation to games consoles -- modchips which bypass the hardware protection. Or rogue motherboard manufacturers who decide not to put the relevent chips on etc.
In the end, there's really very little that can be done.
By putting code into a web service that is then called remotely, you can place the important bits away from the client. However, this (as pointed out) requires that a user have a continuous net connection (which may be appropriate for certain applications). Not only that, but you'd also need 100% reliability from the hosting -- I wouldn't be surprised that in a few years a new type of hosting company appears offering this very service.
My own personal opinion on piracy is that lost revenues tend to be over-exaggerated by Companies. This is because they assume every pirate copy was potentially a customer. My experience is that this definitely is not the case. After all, a 13 year old kid who wants to learn 3D Animation is not going to be able to shell out the thousands of pounds for something like 3D Studio Max etc.
As a result, I would place far greater emphasis in producing a software product that was such good value that customers would not consider using a pirate copy, especially with extra fringe benefits that can be offered as part of the registration.
If I have enough time I might start a series of posts on developing a distributed protection system, but this would be a C#/.NET post, and not regular MFC.
|
|
|
|
|
you're right most of the users who use illegal software won't buy it even if they can't copy and I think that warez can promote your products, more users will download your application from a warez site than your trial version and sometimes users get used to your application and when you will release a newer version they will look for it on warez sites and if they will not find it some of them will buy it.
|
|
|
|
|
Thanks, it seems that you get my point
|
|
|
|
|