Solved

Protecting my software

Posted on 2002-07-07
Last Modified: 2008-01-09
Hello,

I write Shareware programs in Visual-Basic. How can I protect them (anti-debugger, ciphering, ...)?
Question by:slavikn
30 Comments

Expert Comment

by:ebosscher
listening

Author Comment

by:slavikn
Hello ebosscher,
I suppose there is nobody to listen to. Nobody answers...

Expert Comment

by:rspahitz
There is no absolute way to protect your shareware software from copying (except to not distribute it!) but there are ways to make it tough.

Are you looking for ways to prevent people from reverse-engineering, or from simply making illegal copies?

For the first, you'll need to make sure it's compiled in Native Code (the default).

For the second, the only reliable way I've found is to have the software look for a key on your local server (or something under your control) before it will launch, or at least sometime while it's running.

Author Comment

by:slavikn
> Are you looking for ways to prevent people from reverse-engineering, or from simply making illegal copies?

I don't want them to debug it, to get the source code, to make illegal copies.

What you advised doesn't prevent debugging and getting the source code. I know there is a good ciphering program for programs written in Delphi - EXECryptor. I want something similar for VB programs.

Expert Comment

by:rspahitz
Maybe there's a misunderstanding here...

When you create a Visual Basic application, you add source code to essentially customize it.

When you want to deliver it, you *compile* it into object code.  If compiled with the "Native" attribute, it builds code that is essentially non-reversible.  Certainly, the user cannot obtain things such as comments or the original variable names.

This object code, combined with dependency files, defines the project.

--
Using the automobile as an analogy, this is like creating a set of blue-prints for the car design.  You use this to build the car, but you don't deliver the blueprints.  People who buy the car can do a bit of reverse-engineering to recreate the functions, and possibly rebuild a nearly identical vehicle, but they will never recreate the original blue-prints.

If you deliver the product, you will not be able to prevent this.  What you can prevent, to a large degree, is the unauthorized copying of the product.

Expert Comment

by:pierrecampe
if your program is compiled to native code nobody will be able to decompile it, of course it can be disassembled
(i pity anyone trying to disassemble a vb program)
to protect against it being run in a debugger:

' end the program at startup if it is being run in a debugger
Private Declare Function IsDebuggerPresent Lib "kernel32" () As Long
Private Sub Form_Load()
    If IsDebuggerPresent <> 0 Then End
End Sub

>>I know there is a good ciphering program for programs written in Delphi - EXECryptor. I want something similar for VB programs.
you can use any ciphering program to encipher native .exe's to encipher vb exe's compiled to native code
but i suspect programs enciphered by that program to need a deciphering program that launches that program
so just change the first byte(s) of your .exe to anything you want and make a program that changes them back to the original, and have that program shell the true program
however about securing programs:
if it is worth cracking a program it will be cracked
so the best anti-cracking protection simply is make your program extremely powerful, extremely user friendly, and very cheap, and chances are it won't be cracked
also consider the following:
what would you rather have
10 legal and paid for copies of your program running
or 1000 illegal copies and 100 paid for
this reminds me of lotus 123
they had very good copy protection, as a result they did sell almost nothing, so when on the brink of bankruptcy the ceo decided that if they were not able to sell copy protected copies they might as well try selling non-copy protected copies
as a result in a few months time it was the most sold program in history (then not now) (hundreds of thousands programs sold, and probably millions running)


Author Comment

by:slavikn
Hello pierrecampe,
You wrote:

Private Declare Function IsDebuggerPresent Lib "kernel32" () As Long
Private Sub Form_Load()
   If IsDebuggerPresent <> 0 Then End
End Sub

Can the user start a debugger when the program is already running? If yes, I should use a timer (Interval=5000, for example) to use your code there. Right?

Expert Comment

by:pierrecampe
no, it only works if your program is started in the context of a debugger
and it won't protect against hardware debuggers (i think)
but i don't readily see how a debugger started after/before your program could run your program
also that api is very well known in cracker circles (or so i suppose) so it would be relatively easy to jump around or nop out the function call simply by scanning a disassembler listing

Author Comment

by:slavikn
Thanks for the anti-debugger code, but still crackers (even beginners) can change strings in the EXE file etc...

Points are increased to 125!
Please help!!!

Expert Comment

by:rspahitz
I think that you're missing one issue:

When you distribute object code, the user cannot retrieve the source code.

If you're concerned about people tracing through your object code, probably your best bet is to apply the ASP (application service provider) concept which is to put the app on your own server and create a portal for others to access it.  When it runs, it runs on your server (with no way for the user to trace it.)  It will produce outputs that are delivered to the user, usually through an HTML page.

Obviously, for this to work, you'll need to create a web-based client-server application, which has been quite a challenge when dealing with lots of users across the Internet.

Author Comment

by:slavikn
My users don't have access to the Internet.

Expert Comment

by:rspahitz
Then another choice is to give them a system that is essentially a black box that prevents them from getting into the file system.  From there, you have full control over everything.  To do that, you'll have to deliver the software with all the hardware, like the XBox...however, Microsoft tried this with its XBox and it was cracked within a few weeks.  I hear that people are now looking into loading Linux on these inexpensive machines!

Yet another choice could be to use donglization, which is what we're doing where I work.  We use something called a Wibu-key which is a hardware key used to decrypt an executable that we previously encrypted using their encryption tool.  Without the dongle, the software doesn't run.

Author Comment

by:slavikn
The program is 150KB. I cannot sell it with a computer. What I want to do is to cipher the code. Something like EXECryptor (for Delphi). It allows:

 · polymorphic encryption with no constant signatures in encrypted fragments.
 · encrypted fragment will only be decrypted immediately before its execution; after the execution of the particular fragment it will be encrypted again (at any time during the execution there is only one protected fragment decrypted).
 · encryption has unlimited nesting (encrypted block inside encrypted block inside...).
 · single-use fragments: it is possible to mark a fragment of code so that fragment will be erased after the very first execution.
 · user-key encryption.
 · detect SoftIce, NtIce, FrogIce, TD and other debugger.
 · detect registry/filesystem/API monitors.
 · counteraction to dumping application with tools like ProcDump.
 · anti-tracing measures.
 · anti-disassembler measures.
 · direct WinAPI support working around import table.
 · full integration with HardKey registration keymanager.
 


Expert Comment

by:rspahitz
I am not familiar with such a product for VB.  And, again, the compiled version of your code will not show any of your original source code--it will only show machine opcodes.

And the dongle concept used to be very popular among shareware programmers.

Author Comment

by:slavikn
I know there is a program in which you select an EXE file (Native code of VB) and it returns the full code in VB.

Expert Comment

by:pierrecampe
>>I know there is a program in which you select an EXE file (Native code of VB) and it returns the full code in VB.
allow me to say that i extremely doubt that
and the reason is that there is no such a thing as a vb compiler
vb5-6 does not have its own compiler it 'borrows' the 'C' compiler C2.EXE
it is possible to disassemble a .exe, and although 'in theory' it should be possible to decompile an .exe i have never known it to be done
but let's suppose it has been done then the source the decompiler generates would be totally unreadable, there would be no things such as 'understandable' variables, it would be spaghetti code 'to the extreme', just because machine code IS spaghetti, and dozens of high-level-language constructs translate to the same spaghetti machine code
to test just write any imaginable loop construct in vb and have a look at the generated machine code
what i just mean to say is that if there was such a thing as a vb decompiler the generated source would be parsecs away from the original source
if you still have doubts just think about the following:
if it were possible to decompile an .exe, what would stop me from decompiling say MSWord to say cobol and then recompiling it, and MS would be utterly defenceless cause then i can 'prove' i wrote it (after all i have the source)

   

Author Comment

by:slavikn
> if it were possible to decompile an .exe, what would stop  me to decompile say MSWord to say cobol and then recompile it, and MS would be utterly defenceless cause then i can 'prove' i wrote it (after all i have the source)

Don't you think that they encrypted the EXE files 100 times? Of course they did! That is why I also want to encrypt my EXE files.

Expert Comment

by:pierrecampe
if you are still not convinced try the following:
get your hands on the source of any program written in assembler
then disassemble that program and compare the sources
you'll find that even the disassembled assembler source will be miles away from the original assembler source
(of course it IS possible to write assembler source in such a way it gets assembled to the same, but for that the programmer has to be a masochist)

Author Comment

by:slavikn
So what you say is that I don't have to worry about distributing my software without using any protection?

Expert Comment

by:pierrecampe
>>Don't you think that they encrypted the EXE files 100 times? Of course they did!
well just try it
run some .exe's through a disassembler and reassemble the generated source
>>That is why I also want to encrypt my EXE files
well just go ahead, i told you the easy way to do it

Author Comment

by:slavikn
> And the dongle concept used to be very popular among shareware programmers.

Where can I get this "dongle"?
I will accept your answer if this helps.

Expert Comment

by:pierrecampe
>>So what you say is that I don't have to worry about distributing my software without using any protection?
what i am saying is that i'd rather have 1000 illegal copies of my program running and 100 paid for,
than have 10 legal copies running and 10 paid for
(but that is just my idea, feel free to disagree)

Author Comment

by:slavikn
The program is written for a specific company. It has 15-20 branches. I want them to pay for every copy. No one except for them needs this program.

I still don't understand about the "dongle". Sorry...

Expert Comment

by:pierrecampe
dongle protection is advertised in almost every programming magazine
sorry i have no examples
please if you accept the dongle, remember it was rspahitz who suggested it not me
slavikn please excuse me for leaving now, urgent things to do

Author Comment

by:slavikn
rspahitz wrote:

...We use something called a Wibu-key which is a hardware key used to decrypt an executable that we previously encrypted using their encryption tool.  Without the dongle, the software doesn't run.

Where can I get this encryption tool? How do I decrypt it later? Please give me links.

P.S.  I am sorry that I ask too much.....

Accepted Solution

by:
rspahitz earned 125 total points
The dongle we use can be seen at www.wibu.com with info at http://www.wibu.com/us/start.htm

These don't come cheap, at $50 per distributed dongle, but if you want that level of protection, you have to pay for it.  It's just like an alarm system--you can get some for practically nothing, but they may not give you the protection you need.

The process works like this:

* We buy an access dongle from them that allows us to encrypt our software.  
* We run their software against our executable and it encodes it using a number of our choice, plus it restricts it so that it can only run if the correct dongle is located on the machine's parallel port.
* We encode a blank dongle with a number of our choice which corresponds to the number used to encrypt the software.
* We deliver the encoded executable (which is another executable) along with the dongle hardware.
* If the user runs the software without the dongle, it says something like, "please supply wibu-key 12 [OK] [Cancel]"  Cancel exits the app; [OK] only works if the correct dongle is put on the parallel port.

Using this you can control which branch office runs the software, but we control it based on the company and product combined.

--
>The program is written for a specific company

Quite honestly, if you're dealing with a specific company, you can have them agree to a license that restricts their use of the software.  If they don't abide, you can take legal action against them.  Obviously you want to reduce their temptation, but that can be done simply by compiling and not giving them the source code.

--
On a side note, I once wrote a decompiler and ran it against a simple assembler program which was created by a BASIC project I had created.  The resulting source code, as pierre indicated, was very unstructured and huge.  The original was about 10 lines of code--a simple loop that printed a bunch of numbers; the decompiled code took about 200 lines and was about 500 times slower.  Of course, I didn't optimize the code, but it taught me a lot about how difficult it is to decompile, and how the compilation process actually throws things away that prevent decompiling.  (i.e. variable names get converted into register references, loops get converted into goto structures, etc.)  With the concept of objects thrown into the puzzle, it seemingly becomes even more ominous a task.
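
The wrap-and-launch process listed in the accepted answer can be modelled in a few lines. This is an added example, not rspahitz's code and not Wibu's actual scheme or API: every name is hypothetical, the cipher is a toy stand-in for a real authenticated cipher, and the number passed to `launch` stands in for whatever the dongle hardware returns.

```python
# Added illustration: simplified model of dongle-bound executable wrapping.
# All names are hypothetical; this is not Wibu-Key's API or algorithm.
from __future__ import annotations

import hashlib
import hmac
import os

MAGIC = b"WRAP1"  # constructed container tag


def _derive(firm_code: int, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the vendor-chosen number."""
    seed = hashlib.pbkdf2_hmac("sha256", str(firm_code).encode(), salt, 100_000, 64)
    return seed[:32], seed[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); use AES-GCM in real code."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(executable: bytes, firm_code: int) -> bytes:
    """Vendor side: encrypt the executable under the chosen number."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(firm_code, salt)
    body = _keystream_xor(enc_key, nonce, executable)
    tag = hmac.new(mac_key, MAGIC + salt + nonce + body, hashlib.sha256).digest()
    return MAGIC + salt + nonce + tag + body


def launch(wrapped: bytes, dongle_code: int | None) -> bytes:
    """Customer side: return the original image only if the dongle matches."""
    if dongle_code is None:
        raise PermissionError("no dongle present")
    if wrapped[:5] != MAGIC or len(wrapped) < 69:
        raise ValueError("not a wrapped executable")
    salt, nonce, tag, body = wrapped[5:21], wrapped[21:37], wrapped[37:69], wrapped[69:]
    enc_key, mac_key = _derive(dongle_code, salt)
    expect = hmac.new(mac_key, MAGIC + salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):  # wrong number or patched file
        raise PermissionError("dongle does not match this executable")
    return _keystream_xor(enc_key, nonce, body)


if __name__ == "__main__":
    image = b"MZ" + b"constructed sample program bytes" * 4  # constructed input
    shipped = wrap(image, firm_code=12)
    print(launch(shipped, dongle_code=12) == image)
```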

Author Comment

by:slavikn
Very helpful.

Expert Comment

by:rspahitz
Thanks for the "A" and good luck.  ...and go with a license agreement if you can deal with the legal mumbo-jumbo.

Author Comment

by:slavikn
:-))))

Expert Comment

by:zevok
There are a few techniques to protect programs like yours.
I suppose that for not too popular applications you could use some algorithms based on an open+private code combination for demo/fully-functional versions.
We use the same techniques for our cheaper sw products.
For the more serious and more costly applications I could refer you to the dongle based solution and techniques like:
http://www.guardant.com/protection/index.htm
Their decisions are both quite cheap and safe (and if I'm not mistaken available around Europe now).
Regards