-
Anti Piracy Techniques Questions
Hey guys,
My developer and I are working to create a solution to
help make it difficult for our software to be cracked.
We know that what we can do won't stop the dedicated
but if we place enough road blocks in their way they may
just give up.
I need some advice on some things and where to locate
any help on the below situations. If you know how to accomplish
these things please let me know where we can research
this further.
We want to use custom string encryption so that our strings
can't be searched easily and bypassed. Where can I find more
information on best type of string obfuscation / encryption?
Also, we are looking at byte checks that will check to see if
any bytes have changed. Can you recommend sample code
or where to research that too?
I was also going to use a new online activation method that
doesn't use traditional name / serial number activation. Instead,
you enter your email and transaction id, software checks activation
server-side and sends back unique code to software which will
either deactivate software or allow it to run licensed. This would
be done at every launch rather than enter a serial and it's fully
activated every time after.
Any other ideas or techniques you use / recommend would be really appreciated.
-Chris
-
Re: Anti Piracy Techniques Questions
If you put too many checks, legitimate users may start running away. If you put too few, then you risk getting it cracked. It depends on how important your software is and who are your target customers, and on what scale your software is selling. If you have just a small group of customers, then putting too many checks is just a waste of time, as it is a rare chance that someone would try dirtying their hands into it.
Anyways those were my views.
This topic has been discussed many times in this forum. So searching with appropriate keywords should reveal many threads.
-
Re: Anti Piracy Techniques Questions
Thanks Pradeep. My developer has over 10K members using his software but it's easily cracked and he's using WinLicense as well on top of it. Cracked usually in a matter of an hour or less.
A friend of mine has another software using some of the above and theirs has yet to be cracked. I know they're using string encryption and the strings are not readable even in source, she's using something but I'm not sure what. That is what I'm looking at.
-
Re: Anti Piracy Techniques Questions
Agreed with Pardeep2010.
Regarding your following statement, especially the bolded part. I'd be a really mad customer if I cannot use an app I bought from you as stand-alone. What if my internet is down? I can't use the app because it failed to activate/validate. A really bad idea IMO.
Quote:
I was also going to use a new online activation method that
doesn't use traditional name / serial number activation. Instead,
you enter your email and transaction id, software checks activation
server-side and sends back unique code to software which will
either deactivate software or allow it to run licensed. This would
be done at every launch rather than enter a serial and it's fully
activated every time after.
-
Re: Anti Piracy Techniques Questions
What language is your application developed in?
-
Re: Anti Piracy Techniques Questions
LaVolpe, in this niche it's customary to have that going
on and it's a monthly subscription software so we're not
worried about anyone complaining because they can't
use the software without paying monthly for it anyhow.
If your internet is down the software is no good anyhow,
it uses the internet to work regardless so no internet, no
need for the software anyhow.
-Chris
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by Pradeep1210
If you put too many checks, legitimate users may start running away.
ONLY if those checks interfere with the normal running of the program. A well-written security check would happen in the background and no-one would even know it is there :-)
-
Re: Anti Piracy Techniques Questions
VB6 but we'd like to port to vb.net soon.
-
Re: Anti Piracy Techniques Questions
Some simple obfuscation for strings. Encryption of the array is a plus.
One bad thing about strings. Once you use literals, i.e., "Password" in your code, those strings are easily found simply by opening the exe in NotePad or WordPad. I've read from others that using String functions is another way hackers can find them rather easily. The hackers know those functions' entry offsets within the DLL and place stops in the code where they are used. Since the functions want pointers to the strings, identifying the strings is then relatively easy. So, you'd want to avoid using VB string functions too. Now we are getting into a mess.
How to compare strings without using string functions? Easy, compare byte arrays and avoid those string functions. But never using a dim statement in your code where a variable is declared as String is going to be painful.
-
Re: Anti Piracy Techniques Questions
I don't have any proper expertise in the matter (I'm sure RhinoBull is nodding his head vigorously as he reads this :-P) but I've had a play about with control systems in my programs, and the method I used was to have important strings in the data encrypted and for a key to be required to decrypt it...the key itself would be different for everyone as the program then scrambles the key you input based on a value taken from the computer (hard drive name, computer name, that sort of thing) and the unscrambled key would be used to decrypt those important strings.
As your program has to be online to be used though, perhaps a server/client auth system would be better, and the authentication data would be based on the above plus the current hour and date on the client's PC...the server then sends the right data for the client to use for that hour and an hour later it needs to reauth (or every minute, every day, it's entirely up to you :-))
I am considering writing a bit of code which would encrypt and hard-wire the encryption key into the program and then compile the project so that everyone who gets a copy has a slightly different version with different methods, so if it did get out then I'd know who it was...one day I will do it, probably...one day!
-
Re: Anti Piracy Techniques Questions
Honestly I contacted the developer who did the string encryption and she's not giving up the technique she used to make the strings unreadable. I thought it was base64 or something because opening in ollydbg shows 0 strings and they're weird random code that looks like base64.
I wonder if it's not done that way. Is that possible?
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by smUX
I don't have any proper expertise in the matter (I'm sure RhinoBull is nodding his head vigorously as he reads this :-P) but I've had a play about with control systems in my programs, and the method I used was to have important strings in the data encrypted and for a key to be required to decrypt it...the key itself would be different for everyone as the program then scrambles the key you input based on a value taken from the computer (hard drive name, computer name, that sort of thing) and the unscrambled key would be used to decrypt those important strings.
As your program has to be online to be used though, perhaps a server/client auth system would be better, and the authentication data would be based on the above plus the current hour and date on the client's PC...the server then sends the right data for the client to use for that hour and an hour later it needs to reauth (or every minute, every day, it's entirely up to you :-))
I am considering writing a bit of code which would encrypt and hard-wire the encryption key into the program and then compile the project so that everyone who gets a copy has a slightly different version with different methods, so if it did get out then I'd know who it was...one day I will do it, probably...one day!
That sounds like a good idea, at least we'd know the cracker or leaker.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
I was also going to use a new online activation method that
doesn't use traditional name / serial number activation. Instead,
you enter your email and transaction id, software checks activation
server-side and sends back unique code to software which will
either deactivate software or allow it to run licensed. This would
be done at every launch rather than enter a serial and it's fully
activated every time after.
That's what Adobe uses, but it failed because pirates figured they could disturb the signal by setting the hosts file to return the URL to localhost instead of the activation server, and in that case the server can't register the activation code, and I don't really know how this works...
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Honestly I contacted the developer who did the string encryption and she's not giving up the technique she used to make the strings unreadable. I thought it was base64 or something because opening in ollydbg shows 0 strings and they're weird random code that looks like base64.
I wonder if it's not done that way. Is that possible?
I wouldn't worry too much about how they've encrypted it...all you need is a decryption module in your own code that decrypts it on-the-fly and you can encrypt the data using whatever method you want (personally I make my own quick encryption functions for it and vary it with each program I write) and have it call the decryption function to decrypt it as needed.
Quote:
Originally Posted by cmmorris1
That sounds like a good idea, at least we'd know the cracker or leaker.
I was looking into it and it seems simple enough to edit the VB source code on a server and compile it over commandline then have it served up to the client for download...I just haven't got around to doing it :-)
(of course, as it's compiling each time, it could be intensive to the server...and the code has to be 100% bug-free or the compiler would fall down crying)
-
Re: Anti Piracy Techniques Questions
Yeah, I'm aware of the Adobe workarounds. Commercial
software has a big disadvantage because every cracker
wants the notoriety of cracking a brand like that.
I just want enough roadblocks in the road to make cracking
it not worth their time. It's cheaper to buy a license and
with enough updates and our support we know we'd have
better clients.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by smUX
I wouldn't worry too much about how they've encrypted it...all you need is a decryption module in your own code that decrypts it on-the-fly and you can encrypt the data using whatever method you want (personally I make my own quick encryption functions for it and vary it with each program I write) and have it call the decryption function to decrypt it as needed.
See that's the thing, they're using something that is working, so for example instead of them opening a url as hxxp://www.whatever.com/ it is encrypted so even with the source it's unreadable.
That's what I want to figure out.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
That sounds like a good idea, at least we'd know the cracker or leaker.
Hmmm.. but also consider the pain you would have to take to compile it separately for each of those 10,000 customers :afrog:
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by Pradeep1210
Hmmm.. but also consider the pain you would have to take to compile it separately for each of those 10,000 customers :afrog:
Well that would be done server side right? So how hard would it be?
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
See that's the thing, they're using something that is working, so for example instead of them opening a url as hxxp://www.whatever.com/ it is encrypted so even with the source it's unreadable.
That's what I want to figure out.
Yeah, that's how I do it too...for instance...
While some people might use webbrowser1.navigate "http://www.google.co.uk"
I use webbrowser1.navigate decrypt("gjroigmrjgijmoimhoitrjhjrwoihith,rwoojm")
That way it is encrypted from the start...the encryption key used in the decryption module is generated using an algorithm taken from the product key, so both keys are obviously going to be different every time...or if I make a project that I am going to give to lots of people but only give out the one program, I make it so the key has two uses...firstly an algorithm can get the encryption key from the scrambled data (by using brute force scrambling to find a scrambled key that matches the requirements...doesn't usually take long) and the descrambled key is then used in the program elsewhere to verify the user is allowed to use the program.
It's probably harder to understand than I am trying to make it, it's a custom method I've been using for a while and I've had no problems...but then again I don't have a huge base of users who are paying me for the use and would love to get it for free :-)
Quote:
Originally Posted by cmmorris1
Well that would be done server side right? So how hard would it be?
Also it would be 100% automated, so there's no need to worry about having to do the work...although it might be better for the server if the code was pre-compiled...or there is always the option of having a "downloader" program which downloads a shell (the program with blank spaces where the encrypted data would go) then writes the correct bytes into the spaces...this would be a HUGE reduction in the load on the server :-)
-
Re: Anti Piracy Techniques Questions
Thanks smUX, that sounds like what we're looking for. Is there any online reference on how to accomplish that so I can forward to my developer to reference?
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Thanks smUX, that sounds like what we're looking for. Is there any online reference on how to accomplish that so I can forward to my developer to reference?
Probably not, the methods I mentioned above I designed myself, I didn't find them online...however, I'm not trying to say they're not out there, just I didn't find them online. Someone else might have an idea for places to look. Plus, if they were out there, the hackers would also have access to it and would be able to circumvent the protection a lot easier...these sort of things are done in-house and the exact methods are kept a closely guarded secret (as you know with the friend of yours who has the encryption she won't tell you about) to keep it as secure as possible...a door is only as secure as the number of people who don't have keys for it :-)
Injection (using the downloader to get a shell program and "inject" the encrypted data) is a simple enough process, would just require the server to provide the encrypted data, and AFAIK it isn't even a popular process for security but I am pretty sure a few companies and programmers use some level of it from just putting in a random string to identify to the full-blown encryption method I mentioned.
Oh, and one last thing...security is only as strong as its weakest point...don't use branches that go one way on success and the other way on fail with regards to authentication, it's ALWAYS the hacker's first destination...if the authentication data is integral to the running of the program elsewhere then hacking that branch would be rendered useless...that's basically why I encrypt the internal data :-)
-
Re: Anti Piracy Techniques Questions
Here's how I do it:
1. Encrypt the reg file
2. Hide the reg file
3. Use an online vendor that accepts credit cards and emails the reg number.
Eg:
Code:
fileName = App.Path & ":test.dat" 'Hide the file (NTFS alternate data stream on the application folder)
Decrypt and encrypt the file:
Code:
Public Function Encrypt1(Txt As String, CodeNr As Integer) As String
    Dim I As Long
    Dim Out As String
    'Initial output value is empty string
    Out = ""
    'Change ASCII codes, wrapping into 0-255 so Chr$ never gets an out-of-range value
    For I = 1 To Len(Txt)
        Out = Out & Chr$((Asc(Mid$(Txt, I, 1)) + (CodeNr Mod 256) + 256) Mod 256)
    Next I
    Encrypt1 = Out
End Function
Public Function Decrypt1(Txt As String, CodeNr As Integer) As String
    'Decryption is the same as encryption with CodeNr*-1
    Decrypt1 = Encrypt1(Txt, CodeNr * -1)
End Function
Using the encrypt-decrypt:
Code:
sText = Encrypt1(sText, 7) 'encrypt the string
sText = Decrypt1(sText, 7) 'decrypt the string
Don't remember why I used 7
Pay and get registration number emailed
http://www.fastspring.com/
-
Re: Anti Piracy Techniques Questions
smUX that's exactly it. I want to encrypt that data so that it is useless and even if they wanted to go that route it wouldn't be worth the time / effort and move on to an easier target.
I brought that stuff up to my developer and he wanted information to look at how to accomplish it. He's a good programmer but I guess isn't so good with the protection aspect. I wish I knew more to help you help me but I'm pretty lost with all this stuff. In my head it works fine but I've not got a clue of how to actually develop it.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by isnoend07
Here's how I do it:
1. Encrypt the reg file
2. Hide the reg file
3. Use an online vendor that accepts credit cards and emails the reg number.
Eg:
Code:
fileName = App.Path & ":test.dat" 'Hide the file (NTFS alternate data stream on the application folder)
Decrypt and encrypt the file:
Code:
Public Function Encrypt1(Txt As String, CodeNr As Integer) As String
    Dim I As Long
    Dim Out As String
    'Initial output value is empty string
    Out = ""
    'Change ASCII codes, wrapping into 0-255 so Chr$ never gets an out-of-range value
    For I = 1 To Len(Txt)
        Out = Out & Chr$((Asc(Mid$(Txt, I, 1)) + (CodeNr Mod 256) + 256) Mod 256)
    Next I
    Encrypt1 = Out
End Function
Public Function Decrypt1(Txt As String, CodeNr As Integer) As String
    'Decryption is the same as encryption with CodeNr*-1
    Decrypt1 = Encrypt1(Txt, CodeNr * -1)
End Function
Using the encrypt-decrypt:
Code:
sText = Encrypt1(sText, 7) 'encrypt the string
sText = Decrypt1(sText, 7) 'decrypt the string
Don't remember why I used 7
Pay and get registration number emailed
http://www.fastspring.com/
Doesn't that only encrypt after it reads plain text? I'm trying to encrypt the code so that instead of typing hxxp://www.mysite.com it would be random gibberish that is unreadable from the start, even in source code. Anyhow, I don't want a reg file on the pc at all, I want it to verify the codes serverside using the email / transaction id instead of a key that can be keygenned.
-
Re: Anti Piracy Techniques Questions
Tell him that the MOST important part of any security and encryption is to make it as complicated as possible. Obviously don't make it so complicated that he himself can't understand it, but have many different things happening to the data before it is used. Also, don't make it so complicated that it takes ages to do its stuff, it needs to do everything within a few milliseconds preferably, but it needs to be designed in such a way that if the hacker is trying to bruteforce the data there'll be exponentially so many possibilities that they'd spend an eternity trying to work it out...and by then you could have implemented something new into the security that'll again make it exponentially harder to beat.
For instance...have an algorithm that takes each byte of the key and generates a value from them using simple arithmetic and using mod() to limit the resulting value to a lower and more manageable number...then that number would be used elsewhere for decryption. The key would be generated using a personal piece of data from the client's computer (I mentioned a few possibilities before, and there'll be countless others available in the forum) and your key generator would just have to scramble it and check to see if the resulting value with the above algorithm matches the value you're looking for to decrypt. Me, I use two bytes at the start of the key to tell me how to descramble the rest of the characters, that way there's 65536 possible combinations from the scrambling and at least one of them HAS to output the required value with the algorithm :-)
Quote:
Originally Posted by cmmorris1
Anyhow, I don't want a reg file on the pc at all, I want it to verify the codes serverside using the email / transaction id instead of a key that can be keygenned.
Reg files are about as secure as server-side verification...the key to either is the methods used to secure the data. If you have the right security you'll have no problem with people writing keygens for your programs.
I'd also bet that the people who write the keygens have had some level of inside help from people who have been a part of the programming process, which is how it's so easy for them to do it...that or lazy programming on the part of the developer, of course :-)
-
Re: Anti Piracy Techniques Questions
Thanks smUX, that's a great start. I will send this to him to look over. How about byte checking, how is that done? The other developer mentioned to have a lot of byte checks to see if the code has changed and render it useless.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Doesn't that only encrypt after it reads plain text? I'm trying to encrypt the code so that instead of typing hxxp://www.mysite.com it would be random gibberish that is unreadable from the start, even in source code. Anyhow, I don't want a reg file on the pc at all, I want it to verify the codes serverside using the email / transaction id instead of a key that can be keygenned.
Step back a second. You can't send gibberish to an API or control function that doesn't know what to do with it. It has to be decrypted before that. Here is a really simple starting point using byte arrays:
Code:
Private Sub GetMyText(Index As Long, outArray() As Byte)
    Select Case Index
    Case 0:
        ReDim outArray(0 To 20) ' http://www.mysite.com
        outArray(0) = 104: outArray(1) = 116: outArray(2) = 116: outArray(3) = 112: outArray(4) = 58: outArray(5) = 47: outArray(6) = 47: outArray(7) = 119
        outArray(8) = 119: outArray(9) = 119: outArray(10) = 46: outArray(11) = 109: outArray(12) = 121: outArray(13) = 115: outArray(14) = 105
        outArray(15) = 116: outArray(16) = 101: outArray(17) = 46: outArray(18) = 99: outArray(19) = 111: outArray(20) = 109
    ' other case statements for other strings
    End Select
End Sub
' Possible sample usage.
Dim myBStr() As Byte
GetMyText 0, myBStr()
webbrowser1.navigate StrConv(myBStr(), vbUnicode)
If someone was looking for your website in the exe, they wouldn't find it as text since it only exists as byte data now. If you wanted the array encrypted in the GetMyText routine, you'd do that in advance, return the bytes, then decrypt them before using the string/array.
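An added example, not code from LaVolpe, smUX or anyone else in this thread: a build-time helper that produces the "encrypted in advance" byte array for `GetMyText`, with the key derived from licence data as smUX describes, so wrong licence data yields unusable bytes rather than a pass/fail branch. The key derivation (PBKDF2), the HMAC-SHA256 counter-mode keystream, the function names and the sample licence values are all assumptions chosen for the illustration.

```python
# Added example: none of this is code from the thread. Sample values are constructed.
import hashlib
import hmac


def derive_key(activation_code: str, machine_value: str) -> bytes:
    """Stretch the licence inputs into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", activation_code.encode("utf-8"),
                               machine_value.encode("utf-8"), 100_000)


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block n is HMAC(key, n as 4 big-endian bytes)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_string(data: bytes, key: bytes, index: int) -> bytes:
    """Encode or decode string number `index`; XOR is its own inverse.

    Each index gets its own subkey so two strings never share a keystream.
    """
    subkey = hmac.new(key, b"string-%d" % index, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, keystream(subkey, len(data))))


def to_vb6_case(index: int, blob: bytes) -> str:
    """Render encoded bytes as a Case block in the style of GetMyText above."""
    if not blob:
        raise ValueError("nothing to emit for an empty string")
    lines = [f"Case {index}:", f"    ReDim outArray(0 To {len(blob) - 1})"]
    for start in range(0, len(blob), 8):
        row = ": ".join(f"outArray({start + i}) = {b}"
                        for i, b in enumerate(blob[start:start + 8]))
        lines.append("    " + row)
    return "\n".join(lines)


# Constructed sample inputs (assumptions, not values from the thread).
GOOD_KEY = derive_key("TXN-0001-SAMPLE", "VOLUME-1234-ABCD")
WRONG_KEY = derive_key("TXN-9999-GUESS", "VOLUME-1234-ABCD")
URL = b"http://www.mysite.com"
BLOB = xor_string(URL, GOOD_KEY, 0)          # done once, at build time

if __name__ == "__main__":
    print(to_vb6_case(0, BLOB))               # what gets pasted into the source
    print(xor_string(BLOB, GOOD_KEY, 0))      # right licence data: the URL
    print(xor_string(BLOB, WRONG_KEY, 0))     # wrong licence data: unusable bytes
```

The VB6 program would need its own port of `xor_string` to decode the array at run time, and because the key is per customer, the encoded bytes differ per customer build.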
-
Re: Anti Piracy Techniques Questions
Thanks LaVolpe. So by doing it this way is there any way for the hacker to decrypt the code in memory or any other possibilities?
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Thanks smUX, that's a great start. I will send this to him to look over. How about byte checking, how is that done? The other developer mentioned to have a lot of byte checks to see if the code has changed and render it useless.
I would assume byte-checking would involve checking specific bytes within the code to see if the EXE has been tampered with...some people hash the EXE to confirm that it is the same as it was when they downloaded it, that's probably doable if you're doing server-side authentication, but personally it's not something I've ever considered doing or needing to do...
...however, and this is where it gets really complicated...if you wrote the code in such a way that adding random data elsewhere in the code allowed you to modify the hash value, you could use brute-force to change this random data and keep on changing it until the hash for the file matched the one you want AND the hash could be stored internally, but again that's where hackers target and they do exactly the same thing when they modify code...they keep on editing other unimportant parts until the hash matches and it works...so it might not be the best solution.
Perhaps what the developer needs to do is research into how other people hack the programs and see if he can see ways to stop them from doing the same things...who knows about security better than a hacker :-)
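An added example, not code from any poster in this thread: one way to tie the "hash the EXE" idea to the email / transaction id activation discussed earlier. It assumes the server sends a fresh random challenge (nobody in the thread specifies one) and the client answers with an HMAC-SHA256 of its own executable keyed by that challenge, so a fixed, previously recorded answer is rejected. The account names, transaction ids and release bytes are constructed.

```python
# Added example: not code from the thread. Names and sample data are constructed.
import hashlib
import hmac
import secrets

RELEASE = b"MZ" + bytes(range(256)) * 8            # stand-in for the shipped EXE
SUBSCRIBERS = {("chris@example.com", "TXN-0001"): "active",
               ("lapsed@example.com", "TXN-0002"): "expired"}


def client_proof(exe_bytes: bytes, nonce: bytes) -> bytes:
    """Client side: HMAC-SHA256 over the whole executable, keyed by the nonce."""
    return hmac.new(nonce, exe_bytes, hashlib.sha256).digest()


class ActivationServer:
    """Server side: holds the reference release and the subscriber list."""

    def __init__(self, release: bytes, subscribers: dict):
        self._release = release
        self._subscribers = subscribers
        self._pending = set()                       # nonces issued, not yet answered

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, email: str, txn_id: str, nonce: bytes, proof: bytes) -> str:
        if nonce not in self._pending:
            return "rejected: unknown or reused challenge"
        self._pending.discard(nonce)                # each challenge is single use
        if self._subscribers.get((email, txn_id)) != "active":
            return "rejected: no active subscription"
        expected = hmac.new(nonce, self._release, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return "rejected: executable differs from release"
        return "licensed"


def run_scenarios() -> dict:
    """Walk through five launches and collect the server's verdict for each."""
    server = ActivationServer(RELEASE, SUBSCRIBERS)
    who = ("chris@example.com", "TXN-0001")
    results = {}

    n1 = server.issue_challenge()
    good = client_proof(RELEASE, n1)
    results["genuine"] = server.verify(*who, n1, good)
    results["same challenge again"] = server.verify(*who, n1, good)

    n2 = server.issue_challenge()
    results["old proof, new challenge"] = server.verify(*who, n2, good)

    patched = bytearray(RELEASE)
    patched[100] ^= 0x01                            # a single flipped bit
    n3 = server.issue_challenge()
    results["one bit changed"] = server.verify(
        *who, n3, client_proof(bytes(patched), n3))

    n4 = server.issue_challenge()
    results["lapsed subscriber"] = server.verify(
        "lapsed@example.com", "TXN-0002", n4, client_proof(RELEASE, n4))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} -> {outcome}")
```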
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Doesn't that only encrypt after it reads plain text? I'm trying to encrypt the code so that instead of typing hxxp://www.mysite.com it would be random gibberish that is unreadable from the start, even in source code. Anyhow, I don't want a reg file on the pc at all, I want it to verify the codes serverside using the email / transaction id instead of a key that can be keygenned.
Yes, plain text. I realize that my method is not foolproof, but my intended customers are roofing contractors and in the last 5 yrs have not been hacked that I know of.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by LaVolpe
Step back a second. You can't send gibberish to an API or control function that doesn't know what to do with it.
The suggestion I made previously would decrypt the gibberish before it was sent, otherwise (as you said) it'd be useless :-P
SOMEONE isn't reading my posts which described the exact same sort of method :-)
-
Re: Anti Piracy Techniques Questions
Exactly, I guess I need to hire a hacker then huh? :)
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Exactly, I guess I need to hire a hacker then huh? :)
(dons his "Linux hackers do it to the kernel in a darkened room" cap and smiles sweetly)
Or get more knowledgeable in the ways of the hacker, yeah...I'm not a hacker, despite seeming to be one...I know a few though :-)
If you can't beat them, join them...always a good motto to have, especially when it's your income on the line if people are stealing your well-earned profits from a program.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
Thanks LaVolpe. So by doing it this way is there any way for the hacker to decrypt the code in memory or any other possibilities?
There is always a way.
That "my.web.site" example is probably not really worthwhile. Since you can't send a gibberish url, other simple tools could be used to get what is passed to your server: packet sniffing for example.
What I provided might work well for internal activation/hashing. Instead of passing a string to a hashing/encryption routine, you pass an array. The idea is you don't want to use literals in your activation/validation code.
-
Re: Anti Piracy Techniques Questions
Yeah, well I started out learning to crack software programs for fun, always seemed interesting to me so I learned a little bit, I also wanted to learn to code but I haven't mastered that one yet.
Now I wish I did so I could use both in this instance. I know some hackers too, I doubt they'll give away this kind of information but I guess it doesn't hurt to ask :)
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by LaVolpe
There is always a way.
That "my.web.site" example is probably not really worthwhile. Since you can't send a gibberish url, other simple tools could be used to get what is passed to your server: packet sniffing for example.
What I provided might work well for internal activation/hashing. Instead of passing a string to a hashing/encryption routine, you pass an array. The idea is you don't want to use literals in your activation/validation code.
The url thing was an example of what I'd like encrypted but I know there is a way to decode that. I was more concerned with strings like "Wrong Serial, Try Again!" And they'd know where the check is made and patch it.
-
Re: Anti Piracy Techniques Questions
Quote:
Originally Posted by cmmorris1
The url thing was an example of what I'd like encrypted but I know there is a way to decode that. I was more concerned with strings like "Wrong Serial, Try Again!" And they'd know where the check is made and patch it.
And don't forget to put a few dummies in there too, so they think it's there when it's not :-P
-
Re: Anti Piracy Techniques Questions
Another great idea smUX. I am sending him over to this thread hoping this will help him.
-Chris
-
Re: Anti Piracy Techniques Questions
As I said before, "learn to hack"...think like a hacker and you'll realise how people do these things and how you can prevent them doing it in your code...I've never hacked a program in my life, can't even use a hex editor properly, but I know the grounding info about how hacking works so I can think outside the box and stop them as best I can :-)
-
Re: Anti Piracy Techniques Questions
Cool. Well, thanks smUX. I just forwarded this to my friend to look over.
-Chris