how to stop code being pirated

[Megalith]

Hi, I've seen on here how easy it is to dissassemble code and wondered what levels of precautions people here have used or would use to make the process of hacking ones hard work.

All methods i have come up with are easily worked around. simply swapping the condition for a jump in assembly code would undo even password security.

Probably the most interesting idea i have come up with would need a c module in the project that would write into memory part of the routine on the fly (i.e. it writes the conditional jumps into memory using pointers but again all that is needed is to remove the c block and write the correct code into the exe file.

The only way i have seen is to create 2 passwords one for the application and a secondary one which is stored on a server so the software checks against a serial number database, this also is limited as unmodded it cannot detect if the user is legitimate, only that there is one person using a specific password at a particular time, and in any event it is still a case of changing the conditional jumps so it works when it is the wrong password or doesn't contact the site in the first place (or another site with a valid password and allows multiple users on its database)

So what methods have been used by people here to protect their code? Do microsoft expect its consumers to pay large amounts of money to write software that anyone with a basic understanding could hack within minutes.

As i see it one of the best methods is to make code hard to understand (obfuscation) but again searching for conditional jumps you can bypass anything without knowing what the code is doing

[HanneSThEGreaT]

Doesn't matter what you do, nothing will stop people from getting access to your code.

[Shaggy Hiker]

No kidding. If you make code that somebody wants to steal, they will steal it. There are ways to make it more difficult, but nothing can totally prevent it, especially for a small program.

[stanav]

Are you talking about protecting the actual code of the program from being pirated or the program itself? If it just the code itself, you can prevent prevent the program from being decompiled back into usable code by obfuscation or simply write your program in another language that is impossible to decompile such as C++. On the other hand, if it's the program that you want to protect from being pirated then there is no foolproof way to do it. Even the software giant Microsoft can't protect there software from being pirated, so don't feel too bad if you can't for your little program.

[weirddemon]

Are you talking about protecting the actual code of the program from being pirated or the program itself? If it just the code itself, you can prevent prevent the program from being decompiled back into usable code by obfuscation or simply write your program in another language that is impossible to decompile such as C++. On the other hand, if it's the program that you want to protect from being pirated then there is no foolproof way to do it. Even the software giant Microsoft can't protect there software from being pirated, so don't feel too bad if you can't for your little program.

To be fair, when it comes to large companies like Microsoft, there are professionals in their field just waiting to get their hands on that software nad break it down.

.NET applications can be easily disassembled by using a program like Red Gate's .NET Reflector. But through obfuscation, you can at least protect it from most people. The "problem" with obfuscation is that, in order to get a program to do it, you're going to have to pay some decent money for it. I've only ever run into one free program, but it was "meh" at best

Also, it's unlikely that you'll find a large group of people who want to pirate a small application.

[Megalith]

@ stanav im talking of both really, but more the program than the code.

if i was to write something that was useful to a large community then someone will either rewrite the code or bybass any security i used.

I'm not sure how much commercial freelance work people here have done but i have worked for companies that ask for this kind of thing and saying there is nothing you can do doesn't go down too well. I guess what i'm asking is what methods have people used in there software to make the task harder.

I know the big companies use sophisticated entry ways into there software so that simply changing a few conditional jumps wont fix the issue, at that level getting a program to work is like a jigsaw puzzle with certain conditions triggering changes that other conditions look for.

[weirddemon]

@ stanav im talking of both really, but more the program than the code.

if i was to write something that was useful to a large community then someone will either rewrite the code or bybass any security i used.

I'm not sure how much commercial freelance work people here have done but i have worked for companies that ask for this kind of thing and saying there is nothing you can do doesn't go down too well. I guess what i'm asking is what methods have people used in there software to make the task harder.

I know the big companies use sophisticated entry ways into there software so that simply changing a few conditional jumps wont fix the issue, at that level getting a program to work is like a jigsaw puzzle with certain conditions triggering changes that other conditions look for.

We didn't say there wasn't anything you could do. Stanav and I both mentioned obfuscation and that is probably your best method.

As for making sure the software is only used by it's intended audience, (I'm assuming paid customers or whatever) you could just use a serial key method. Obfuscation will prevent most people from cracking that as well.

The point that we're trying to make is that you have methods to protect your application. But in the end, if someone dedicated enough wants to crack it, then they will. All you can do is make is harder for them.

At the very least, it will put off most people.

[Megalith]

@ weirddemon, yes thats my point too, what this thread is intended for is what methods people here have used to make it harder, i mentioned obfuscation in my initial post and also that any method can be bypassed but what levels have people gone to in order to make this harder? Has anyone here say used some asp on a site to communicate with the software to validate its security? how would you go about this? I've heard programmers over the years advocate pretty much everything that i or most here would consider bad practice, using variables and function names that do not in any sense describe the function or even names that describe another process. using goto (:-o) and other non logical spaghetti code ideas and the already mentioned use of very sophisticated methods that all need to unlock before the software works. My own favourite method i will say is to make the password in some way part of the codes functioning i.e. in psuedocode

vb Code:

if password.split("a").length = 3 then initialise some parameters
if password.contains("b234") then check for a file existing and load its contents into memory in a variable called loadedfile
if loadedfile.contains("some sequence of bytes") then hide the splashscreen
if password.contains("a76f") and (some initialised parameter from above) = its correct value then start the main application.

The strings could be stored in say a property bag. This code like any solution could be easily adjusted if the code is dissassembled and it could be written into assembly language or C or any language but changing the conditional jumps is not that easy as you need to make a few more than just one or 2 adjustments to make the code work. I would use about 10 of these conditional statements in my application and some further down the line for simple functions like saving a file for example (the user will think they have cracked the code but will not have full functionality)

I remember many years ago trying to hack a game and i was thrown into confusion when the software told me to stop hacking it or it would erase itself. Obviously i dont do this anymore or advocate this to anyone

[Pradeep1210]

Frankly speaking, these are useless ways to protect your code. (or at-least I think so!)
That would make things harder for you maintain rather than the cracker. Think of a situation you would have to face while upgrading your application. Will that confuse more or make the upgrades easier?

A determined cracker is following your code and he would obviously know what you are upto and what actions the application is performing. Moreover he may be able to device a shortcut way to bypass these useless things so that it outperforms your actual application performance-wise.

Moreover this may work for any one person coding and maintaining the application. But what do you do when you are working in a team?

[Shaggy Hiker]

Another option, though a strange one, is to not give out your code. This has not been truly feasible, but is becoming more so. What if you were to use something like WCF so that you have a UI sitting on the target computer, but so much work is done off of a server connected across the internet that hacking the UI will get you nowhere.

Though, of course, that is the basis for e-commerce, online banking, and many web sites. The interaction with the server is critical to the functioning of the program, and the hacker doesn't necessarily have access to the server side code. Bad practices can negate this, but good practices can make it work well enough....for those problem domains where it applies.

[TokersBall_CDXX]

In this example, the actual application would be encrypted and loaded via an apploader that decrypts the application before launching it.

Instead of base64 encoded string of dll, your application can be encrypted using a typical encryption routine and
stored in a dat file with this app loader... when this apploader starts, load the encrypted data file, request
key via user input...attempt to decrypt dat file, if succeeds, call start app function... if it fails
play an audio snippet of class jarrasic park computer access denied scene.
naturally alot more can be played into this.

VB Code:

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
 Dim b64Assembly As String =  "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA=="  ' <-- shortened for  forum display (base64 encoded string of testdll.dll)
 Dim binAssembly As Byte() = Convert.FromBase64String(b64Assembly)
 Dim A As Assembly = Assembly.Load(binAssembly)
 Dim Plugin As Object = A.CreateInstance("testdll.Class1")
 Dim t As Type = Plugin.GetType()
 Dim mi As MethodInfo = t.GetMethod("startApp", BindingFlags.Public Or BindingFlags.Instance)
 Dim Ret As String = mi.Invoke(Plugin, New Object() {"test"}).ToString
End Sub

Contents of testdll.dll:

VB Code:

Public Class Class1
    Public Function startApp(ByVal Message As String) As Boolean
        Dim newForm As New Form1
        newForm.ShowDialog()
        Return True
    End Function
End Class

[ntg]

Megalith, any kind of security that relies purely on software can be bypassed so you need to get over it. As you said, it only takes a few NOPs or a changed JUMP instruction to bypass a security check - same is true for .Net IL. As you can see in any torrent site, even complex copy protection schemes that go as far as to decrypt/change code during runtime (found a lot in computer games) are hacked. And even Windows activation, a process that depends on a remote server, has been bypassed in the past.

The least you can do is make certain that your application is not easily decompiled or, if decompiled, is not easy to reverse engineer. You can use an obfuscator or protector for that. In addition you can use a free scheme like Activelock to thwart casual copying.

If you're serious about protecting your runtime you should use a USB dongle. Latest generations even have a smart card inside that is used to securely decrypt parts of your application during runtime. This is as good a copy protection as they get but it's not really applicable to a wide range of applications.

I would say that the most important thing to note is the value of the application itself. If your application provides great value and acquires a good rep, this fact initself will be sufficient to make sure you get a large base of legitimate customers. I don't know how relevant it is to your situation but I'll take an extreme example here - VMWare Workstation which, IMHO, is an unsurpassed product. It's a well known fact that you can download the latest VMWare along with a key generator from any file sharing network out there. Microsoft and others have created competitive products and very few companies like having Microsoft as a competitor. Still, VMWare has a commanding market share of over 80% (read "dominates the market") simply because they've made an amazing product. And since they have so many customers, they can sell at a very low unit price - I think that VMWare Workstation 7 comes at something like $190. With this price, serious customers don't think about pirating the software. And people who do would never be legitimate customers anyway but still VMWare has them locked in.

[stanav]

I totally agree with ntg on this:

... any kind of security that relies purely on software can be bypassed...

So you will need a combination of both software and hardware to secure your program. For example, my company uses a textile design software that costs over $10K per license. It came with a USB dongle that they called the license key. The program will not run if that dongle is not plugged in.

[Negative0]

One thing about the USB dongles. I have worked with a piece of software that uses dongles for the past few years and one of the biggest complaints I get these days is around VMWare. ESX Server does not support USB devices. Customers do have a few options around this (using a network version of the dongle or AnywhereUSB), but there are usually additional costs associated with doing that.

Just something to keep in mind if you decide to go down the dongle path.

[keystone_paul]

Also don't fall into the trap of thinking that dongles are un-copyable. I used to work in the oil industry and our software cost $50,000 per license and was protected using the leading hardware dongle at the time - we still found copies of the software on sale in Shanghai complete with fully working faked dongles.

Sometimes I think the best security is obscurity - if you use a widely recognised system the chances are that someone will have found it worth their while to identify, analyse and crack it because it will then open the door to many different products, whereas if you are using a unique form of security unless there's a compelling cost/benefit advantage for someone to spend a lot of time on your own specific case to try and break it.

I'm now working for a company where our products have in excess of 500,000 users in the UK alone and our security can be (and has been) readily cracked because with a market that size it is worth hackers spending as long as it takes to get around it.

[Megalith]

Problem with dongles from what ive seen is these too can be bypassed by recreating the function the dongle provides in software and pointing the dongle detection software at it instead of the dongle. coming from an electronics background hardware solutions are equally flawed. It is however a lot harder to undertake than altering a few conditional jumps at assembly level.

Having a server do a lot of the tasks is a great solution to many problems, particularly upgrading the code, upgrade the server and all your userbase have the new edition, problems are when the server is down however or your update doesn't work. This is something that is increasingly an option as mentioned by shaggy hiker and with increasing bandwidth and more powerful servers increasingly available it is fast becoming a market for internet application engineering.

Just for you guys information, i have contributed a lot to opensource software and have no personal wishes of world domination through software security but some of my past clients have wanted security built in (even if you know an i know its all bs)

[Philly0494]

Just pack your application with .NETZ ( http://madebits.com/netz/download.php ) before you deploy it and Reflector becomes com useless.

[jmcilhinney]

There are lots of software licensing systems out there. None are uncrackable but you really have to consider how hard people are likely to be prepared to try to pirate your app. The .NET Framework includes XML-based licensing functionality and Infralution Licensing System is a relatively cheap, simple-to-use licensing component based on that. It's a relatively small financial investment for relatively good protection designed specifically for .NET apps. Of course, you then have to invest the time and resources to manage the licenses.