xtremecris

how to protect source-code

I need a FREEWARE utility that will crypt (and hopefully pack) an .exe so that disassembly would become too difficult.
The program is done with Delphi and I tried to protect it with UPX. But if someone realises that it's packed with UPX he can get the full exe right away. Then it's just a step away from getting the source code.

What should I try?

Best regards,
Chris.

Éric Moreau

xtremecris

ASKER

How does it protect the source code? I can see only the register function in it; there is no mention that it will crypt the .exe.

It will encrypt the .exe.

Go to the download section: http://www.activelock.com/download.html
and also read the FAQ: http://www.activelock.com/faq.html

I still cannot find any documentation that says it will crypt the .exe.
Please be more specific and indicate where on the page it says that it will encrypt the executable.

Sorry. It is not for encryption. It is to protect against piracy.

From the FAQ page:

ActiveLock is a free ActiveX control that can be used to protect your VB programs from piracy and sell your programs online. Using ActiveLock you can add registration features to your softwares, create trialware and raise your sales.

Here is an excellent resource with hundreds of FREE ways to stop your exe being cracked; however, be prepared to read for about an hour ;)

http://www.inner-smile.com/nocrack.phtml

There are also a lot of Delphi-specific tips and tricks on the page.

David

Nothing there that will tell me how to encrypt an .exe.

?? But there is a lot there to tell you how to stop it being cracked!

It is very likely that the majority of freeware encrypters have been cracked themselves...

A simple tip would be: before you compile for the final release, use find and replace to change all the variables to meaningless letters (SDAF ASFFA DSF), so even if the exe was decrypted and the source taken it would mean nothing to anyone!

David

I wasn't too clear...
My main concern is not that the exe would be cracked but that it would get decompiled and somebody could find out a lot of db's user/pass that should remain a secret.
The registration process is on-line and is done by me, and since it is a client/server driven application I can cut off his licence any time. The main value behind my program is all the db's that come with it, plus all the online updates that are available to the registered user. Source code is very important and should not fall into the wrong hands because they would have user/pass to open all the db's outside my program.

The setup package is given only to registered users, so even if there was a crack available they would still have to convince a registered user to run it. If that would happen I can cut off his user/pass that do the login to the update server, and it is very easy to see who has done illegal activities. You can guess that there aren't a lot of clients and that's why it is easy to make them behave...

So... what possibilities do I have to make the exe encrypted?

Just a thought: why not give out the details of a dummy db in the exe? The user would then log into that, you could check the license, and if it's ok return the real db username and password.

Encrypting the executable isn't really an option. You'd need yet another program to decrypt and run the encrypted program since it would no longer be executable in encrypted form. If it's just program strings you're concerned about, you could just encrypt the database names and passwords and decrypt them only for the call to connect to the database. They are still vulnerable during the call setup and execution, but it's a pretty small window of opportunity and it would have to be a pretty sophisticated hacker to take advantage of it. As it sits, you don't even need to decompile to see strings. A text editor will probably be sufficient. If you are not concerned about someone snooping memory at runtime, you can just do a one-time decrypt of usernames/passwords at program startup.

If you're trying to protect the actual code as well, you'll have to look into code obfuscation.

Are there any free utilities that would accomplish code obfuscation for Delphi?

Even if the exe is encrypted, it has to be decrypted in order to run. There are tools that can dump out the address space of a running process and reconstruct it into an exe which can then be disassembled.

I think your energy would be better spent finding a way to not hardcode user names and passwords into your exe; or if you absolutely have to, encrypt just those strings and have them only be in memory in a decrypted state for exactly as long as it takes to make a connection, then clear the memory. That way if your exe has its memory dumped, the user name and passwords won't appear as clear text.

BTW, there are packers/encrypters available for cheap (say, < $50 for shareware developer, < $200 for commercial developer) that don't provide unpackers. They've all been cracked at some point, but it is not always easy to figure out which program was used to encrypt and track down the crack. Don't be afraid to spend a few $$ on your tools.

I have not seen any free/cheap obfuscators for Delphi, but I've been looking for .NET/Java products.

My recommendation would be to review your requirement carefully. If this is a high-value production database, then you'll definitely want to look into industrial-strength encryption of the usernames/passwords, decrypt them only at point-of-use and erase unencrypted data immediately after use. You'll also want to check if they are going over the wire in cleartext if the database is on another machine.

If you are merely worried that someone can take a hex editor and see the names and passwords, then you can do pretty much any basic transformation of the text and then do the one-time decode at startup.

If you're worried about the source code as well as the string constants, then it's time for code obfuscation. There may be a couple of other shades between these options, but I'd say these are the basic choices.

If you have merely embedded usernames and passwords in the code, chances are good that
trying to decompile or reverse-engineer your executable isn't the most straightforward way of
extracting them.

Consider other attack models... an obvious attack against the executable is for someone to simply
search the binary data for meaningful strings in the ASCII range and locate usernames/passwords that way.

(Reverse engineering is laborious... if the attacker can avoid it, they probably will)

A better approach would seem to be to assign each user of the software their own username/password
combination to access your database and store that along with their reg details.
Or require the application to fetch the information from you, and change the valid user/password for the database on some schedule to enforce that.

You could try to store the information encrypted, but a persistent attacker can probably defeat this:
there is that problem of getting the information out of the computer and to the server after it's decrypted,
while at the same time trying to prevent the local user from intercepting it through various means...

An attacker might start capturing your network calls to try and intercept the information as your
application is sending it to the database server; unless you have SSL implemented in your app (or similar), that could be a quick way around.

A secure channel would make it harder but not impossible for an attacker to extract the information.
When your program needs to decrypt something, your .exe file has to have in it (somewhere)
the key, and the method it uses to decrypt data.
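
Added example, not part of the original thread: a build-time check in Python for the point made above about searching the binary for strings. Given a secret the developer already knows, it reports whether the built file holds it as ASCII, as UTF-16LE, or under a single-byte XOR (one "basic transformation"); the secret and the sample bytes are constructed for illustration.

```python
import re

def printable_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs,
    i.e. what anyone sees by opening the file in a hex or text editor."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_len,
        "utf-16le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len,
    }
    for enc, pat in patterns.items():
        for m in re.finditer(pat, blob):
            yield m.start(), enc, m.group().decode(enc)

def find_embedded_secret(blob: bytes, secret: str):
    """Return (offset, encoding, xor_key) for every copy of `secret` stored
    in clear (xor_key 0) or masked with a single-byte XOR."""
    hits = []
    for enc in ("ascii", "utf-16le"):
        needle = secret.encode(enc)
        for key in range(256):
            masked = bytes(b ^ key for b in needle)
            pos = blob.find(masked)
            while pos != -1:
                hits.append((pos, enc, key))
                pos = blob.find(masked, pos + 1)
    return sorted(hits)

# Constructed sample: a fake image holding one secret three ways.
SECRET = "S3cr3t-db-pass"  # constructed value, not from the thread
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00" + b"\xff\xfe\x01" * 4
    + b"User=updater;Password=" + SECRET.encode("ascii") + b"\x00"
    + b"\x01\x02" + SECRET.encode("utf-16le") + b"\x00\x00"
    + b"\x07" + bytes(b ^ 0x5A for b in SECRET.encode("ascii")) + b"\x07"
)

if __name__ == "__main__":
    for off, enc, text in printable_strings(SAMPLE_EXE):
        print(f"string  0x{off:04x} {enc:9} {text!r}")
    for off, enc, key in find_embedded_secret(SAMPLE_EXE, SECRET):
        how = "cleartext" if key == 0 else f"XOR 0x{key:02x}"
        print(f"SECRET  0x{off:04x} {enc:9} {how}")
```

A clean result only rules out these encodings; as the post above notes, a program that decrypts its own credentials still carries the key and the method.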



ASKER CERTIFIED SOLUTION
fafra33

This solution is only available to members.

Just keep in mind that there is no such thing as 100% secure... if something is worth cracking, it will get cracked no matter what you do.

www.chosenbytes.com

It hasn't been cracked for 4 years. If you try to run a debugger it will stop it! I secure my app with their system; I can't even run the program in the IDE, it will immediately stop. I can only compile the program and run it from Windows Explorer.

I think it's really good.