Solved

Protecting my software

Posted on 2002-07-07
30
300 Views
Last Modified: 2008-01-09
Hello,

I write Shareware programs in Visual-Basic. How can I protect them (anti-debugger, ciphering, ...)?
0
Comment
Question by:slavikn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 14
  • 7
  • 7
  • +2
30 Comments
 
LVL 6

Expert Comment

by:ebosscher
ID: 7137656
listening
0
 
LVL 1

Author Comment

by:slavikn
ID: 7137770
Hello ebosscher,
I suppose there is nobody to listen to. Nobody answers...
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 7138393
There is no absolute way to protect your shareware software from copying (except to not distribute it!) but there are ways to make it tough.

Are you looking for ways to prevent people from reverse-engineering, or from simply making illegal copies?

For the first, you'll need to make sure it's compile in Native Code (the default.)

For the second, the only reliable way I've found is to have the software look for a key on your local server  (or something under your control) before it will launch, or at least sometime while it's running.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 1

Author Comment

by:slavikn
ID: 7138610
> Are you looking for ways to prevent people from reverse-engineering, or from simply making illegal copies?

I don't want them to debug it, to get the source code, to make illegal copies.

What you advised doesn't prevent debugging and getting the source code. I know there is a good ciphering program for programs written in Delphi - EXECryptor. I want something simular for VB programs.
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 7138887
Maybe there's a misunderstanding here...

When you create a Visual Basic application, you add source code to essentially customize it.

When you want to deliver it, you *compile* it into object code.  If compiles with the "Native" attribute, it build code that is essentially non-reversible.  Certainly, the user cannot obtain things such as comments or the original variable names.

This object code, combines with dependency files, defines the project.

--
Using the automobile as an analogy, this is like creating a set of blue-prints for the car design.  You use this to build the car, but you don't deliver the blueprints.  People who buy the car can do a bit of reverse-engineering to recreate the functions, and possibly rebuild a nearly identical vehicle, but they will never recreate the original blue-prints.

If you deliver the product, you will not be able to prevent this.  What you can prevent, to a large degree, is the unauthorized copying of the product.
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7138910
if your program is compiled to native code nobody will be able to decompile it, ofcource it can be disassembled
(i pity anyone trying to disassemble a vb program)
to protect againts it beeing run in a debugger:
Private Declare Function IsDebuggerPresent Lib "kernel32" () As Long
Private Sub Form_Load()
    If IsDebuggerPresent <> 0 Then End
End Sub
>>. I know there is a good ciphering program for programs written in Delphi - EXECryptor. I want something simular for VB programs.
you can use any ciphering program to encipher native .exe's to encipher vb exe's compiled to native code
but i suspect programs enciphered by that program to need a deciphering program that launches that program
so just change the first byte(s) of your .exe to anything you want and make a program that changes them back to the original, and have that program shell the true program
however about securing programs:
if it is worth cracking a program it will be cracked
so the best anti-cracking protection simply is make your program extremely powerfull, extremely user friendly,and very cheap, and chances are it wont be cracked
also consider the following:
what would you rather have
10 legal and paid for copies of your program running
or 1000 unlegal copies and 100 paid for
this reminds me of lotus 123
they had very good copy protection, as a result they did sell almost nothing, so when on the brink of bankrupcy the ceo desided that if they were not able to sell copy protected copies the might as well try selling non-copy protected copy
as a result in a few months time it was the most sold program in history (then not now)(hundreds of thousands programs sold,and probably millions running)

0
 
LVL 1

Author Comment

by:slavikn
ID: 7140076
Hello pierrecampe,
You wrote:

Private Declare Function IsDebuggerPresent Lib "kernel32" () As Long
Private Sub Form_Load()
   If IsDebuggerPresent <> 0 Then End
End Sub

Can the user start a debugger when the program is already running? If yes, I should use a timer (Interval=5000, for example) to use your code there. Right?
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7140233
no, it only works if your program is started in the context of a debugger
and it wont protect against harware debuggers(i think)
but i dont readily see how a debugger started after/before your program could run your program
also that api is very well known in cracker circles(or so i suppose)so it would be relatively easy to jump around or nop out the function call simple by scanning a disassembler listing
0
 
LVL 1

Author Comment

by:slavikn
ID: 7140270
Thanks for the anti-debugger code, but still crackers (even beginners) can change strings in the EXE file etc...

Points are increased to 125!
Please help!!!
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 7141118
I think that you're missing one issue:

When you distribute object code, the user cannot retrieve the source code.

If you're concerned about people tracing through your object code, probably your best bet is to apply the ASP (application service provider) concept which is to put the app on your own server and create a portal for others to access it.  When it runs, it runs on your server (with no way for the user to trace it.)  It will produce outputs that are delivered to the user, usually through an HTML page.

Obviously, for this to work, you'll need to create a web-based client-server application, which has been quite a challenge when dealing with lots of users across the Internet.
0
 
LVL 1

Author Comment

by:slavikn
ID: 7141345
My users don't have access to the Internet.
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 7141467
Then another choice is to give them a system that is essentially a black box that prevents them from getting into the file system.  From there, you have full control over everything.  To do that, you'll have to deliver the software with all the hardware, like the XBox...however, Microsoft tried this with its XBox and it was cracked within a few weeks.  I hear that people are now looking into loading Linux on these inexpensive machines!

Yet another choice could be to use donglization, which is what we're doing where I work.  We use something call a Wibu-key which is a hardware key used to decrypt an executable that we previously encrypted using their encryption tool.  Without the dongle, the software doesn't run.
0
 
LVL 1

Author Comment

by:slavikn
ID: 7141514
The program is 150KB. I cannot sell it with a computer. What I want to do is to chipher the code. Something like EXECryptor (for Delphi). It allows:

 · polymorphic encryption with no constant signatures in encrypted fragments.
 · encrypted fragment will only be decrypted immediately before its execution; after the execution of the particular fragment it will be encrypted again (at any time during the execution there is only one protected fragment decrypted).
 · encryption has unlimited nesting (encrypted block inside encrypted block inside...).
 · single-use fragments: it is possible to mark a fragment of code so that fragment will be erased after the very first execution.
 · user-key encryption.
 · detect SoftIce, NtIce, FrogIce, TD and other debugger.
 · detect registry/filesystem/API monitors.
 · counteraction to dumping application with tools like ProcDump.
 · anti-tracing measures.
 · anti-disassembler measures.
 · direct WinAPI support working around import table.
 · full integration with HardKey registration keymanager.
 

0
 
LVL 22

Expert Comment

by:rspahitz
ID: 7141558
I am not familiar with such a product for VB.  And, again, the compiled version of your code will not show any of your original source code--it will only show machine opcodes.

And the dongle concept used to be very popular among shareware programmers.
0
 
LVL 1

Author Comment

by:slavikn
ID: 7142689
I know there is a program in which you select an EXE file (Native code of VB) and it returns the full code in VB.
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7142874
>>I know there is a program in which you select an EXE file (Native code of VB) and it returns the full code in VB.
allow me to say that i extremely doubt that
and the reason is that there is no such a thing as a vb compiler
vb5-6 does not have its own compiler it 'borrows' the 'C' compiler C2.EXE
it is possible to disassemble a .exe, and although 'in theorie' it should be possible to decompile an .exe i have never known it to be done
but lets suppose it has been done then the source the decompiler generates would be totally unreadable, there would be no things such as 'understandable' variables, it would be spaghetti code 'to the extreme', just because machine code IS spaghetti, and dozens of high-level-language constructs translate to the same spaghetti machine code
to test just write any imaginable loop construct in vb and have a look at the generated machine code
what i just mean to say is that if there was such a thing as a vb decompiler the generated source would be parsecs away from the original source
if you still have doubts just think about the following:
if it were possible to decompile an .exe, what would stop  me to decompile say MSWord to say cobol and then recompile it, and MS would be utterly defenceless cause then i can 'prove' i wrote it (after all i have the source)

   
0
 
LVL 1

Author Comment

by:slavikn
ID: 7142887
> if it were possible to decompile an .exe, what would stop  me to decompile say MSWord to say cobol and then recompile it, and MS would be utterly defenceless cause then i can 'prove' i wrote it (after all i have the source)

Don't you think that they encrypted the EXE files 100 times? Of course they did! That is why I also want to encrypt my EXE files.
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7142890
if you are still not convinced try the following:
get your hands on the source of any program written in assembler
then disassemble that program and compare the sources
you'l find that even the disassembled assembler source will be miles away from the original assembler source
(of cource it IS possible to write assembler source in such a way it gets assembled to the same,but for that the programmer has to be a masochist)
0
 
LVL 1

Author Comment

by:slavikn
ID: 7142900
So what you say is that I don't have to worry about distributing my software without using any protection?
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7142907
>>Don't you think that they encrypted the EXE files 100 times? Of course they did!
well just try it
run some .exe's trough a disassembler and reassemble the generated source
>>That is why I also want to encrypt my EXE files
well just go ahead, i told you the easy way to do it
0
 
LVL 1

Author Comment

by:slavikn
ID: 7142919
> And the dongle concept used to be very popular among shareware programmers.

Where can I get his "dongle"?
I will accept your answer if this helps.
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7142920
>>So what you say is that I don't have to worry about distributing my software without using any protection?
what i am saying is that i'd rather have 1000 illegal copies of my program running and 100 paid for,
than have 10 legal copies running and 10 paid for
(but that is just my idea,feel free to disaggree)
0
 
LVL 1

Author Comment

by:slavikn
ID: 7142926
The program is written for a specific company. It has 15-20 branchs. I want them to pay for every copy. No one except for them needs this program.

I still don't understand about the "dongle". Sorry...
0
 
LVL 6

Expert Comment

by:pierrecampe
ID: 7142936
dongle protection is advertised in almost every programming magazine
sorry i have no examples
please if you accept the dongle, remember it was rspahitz who suggested it not me
slavikn please excuse me for leaving now, urgent things to do
0
 
LVL 1

Author Comment

by:slavikn
ID: 7143135
rspahitz wrote:

...We use something call a Wibu-key which is a hardware key used to decrypt an executable that we previously encrypted using their encryption tool.  Without the dongle, the software doesn't run.

Where can I get this encryption tool? How do I decrypt it later? Please give me links.

P.S.  I am sorry that I ask too much.....
0
 
LVL 22

Accepted Solution

by:
rspahitz earned 125 total points
ID: 7143962
The dongle we use can be seen at www.wibu.com with info at http://www.wibu.com/us/start.htm

These don't come cheap, at $50 per distributed dongle, but if you want that level of pretection, you have to pay for it.  It's just like an alarm system--you can get some for practically nothing, but they may not give you the protection you need.

The process works like this:

* We buy an access dongle from them that allows us to encrypt our software.  
* We run their software against our executable and it encodes it using a number of our choice, plus it restricts it so that it can only run if the correct dongle is located on the machine's parallel port.
* We encode a blank dongle with a number of our choice which corresponds to the number used to encrypt the software.
* We deliver the encoded executable (which is another executable) along with the dongle hardware.
* If the user runs the software without the dongle, it says something like, "please supply wibu-key 12 [OK] [Cancel]"  Cancel exits the app; [OK] only works if the correct dongle is put on the parallel port.

Using this you can control which branch office runs the software, but we control it based on the company and product combined.

--
>The program is written for a specific company

Quite honestly, if you're dealing with a specific company, you can have them agree to a license that restricts their use of the software.  If they don't abide, you can take legal action against them.  Obviously you want to reduce their temptation, but that can be done simply by compiling and not giving them the source code.

--
On a side note, I once wrote a decompiler and ran it against a simple assembler program which was created by a BASIC project I had created.  The resulting source code, as pierre indicated, was very unstructured and huge.  The original was about 10 lines of code--a simple loop that printed a bunch of numbers; the decompiled code took about 200 lines and was about 500 times slower.  Of course, I didn't optimize the code, but it taught me a lot about how difficult it is to decompile, and how the compilation process actually throws things away that prevent decompiling.  (i.e. variable names get converted into register references, loops get converted into goto structures, etc.)  With the concept of objects thrown into the puzzle, it seeming becomes even more ominous a task.
0
 
LVL 1

Author Comment

by:slavikn
ID: 7144139
Very helpful.
0
 
LVL 22

Expert Comment

by:rspahitz
ID: 7144184
Thanks for the "A" and good luck.  ...and go with a license agreement if you can deal with the legal mumbo-jumbo.
0
 
LVL 1

Author Comment

by:slavikn
ID: 7144223
:-))))
0
 

Expert Comment

by:zevok
ID: 7949112
It's few techniks to protect programs like your one.
I suppose that for not too popular applications you could use some algorithms based on open+private code combination for demo/fully-functional versions.
We use same techniks for our cheaper sw products.
For the more serious and more costly applications I could refer you to the dongle based solution and techniks like:
http://www.guardant.com/protection/index.htm
Their descisions both quite cheap and safe (and if I'm not err available around the Europe now).
Regards
0

Featured Post

Enroll in July's Course of the Month

July's Course of the Month is now available! Enroll to learn HTML5 and prepare for certification. It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’ve seen a number of people looking for examples of how to access web services from VB6.  I’ve been using a test harness I built in VB6 (using many resources I found online) that I use for small projects to work out how to communicate with web serv…
When designing a form there are several BorderStyles to choose from, all of which can be classified as either 'Fixed' or 'Sizable' and I'd guess that 'Fixed Single' or one of the other fixed types is the most popular choice. I assume it's the most p…
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Show developers how to use a criteria form to limit the data that appears on an Access report. It is a common requirement that users can specify the criteria for a report at runtime. The easiest way to accomplish this is using a criteria form that a…
Suggested Courses
Course of the Month9 days, 5 hours left to enroll

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question