Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


effective, reliable method to protect software against piracy

Posted on 2004-03-22
Medium Priority
Last Modified: 2010-04-05

I'm just about to offer my first commercial Delphi project to puiblic and I am now looking for a effective, reliable and low priced way to protect my software against any kind of piracy by hackers & crackers.

As this is my first commercial project, I lack experience with this stuff. Any help and suggestions are welcome.

I tried the possibilities of ISe, but found out that it's not possible to check the number against a username for example.

Thanks, Chris

Question by:chkorte
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +3

Expert Comment

ID: 10648113
take a look at this solution:

I had the same Problem!! :)


Author Comment

ID: 10652720
Hi k4hvd77,

for protection this was a good start. I assigned all these functions to a timer event, when I tried to run the app from within Delphi, it terminated directly as expected.

Which approach would you recommend to check a username or a customer number against a provided serial key?
Do you have experience with trial versions, limited to 30 days use for example?
Where would you store the serial infos? Perhaps registry or some file?
Which encoding / decoding algorithms do you use?

Install Shield express is only of limited use here because I cannot check, if a valid username is entered. According to this I decided not to use this feature of ISe and to write my own Serial dialog instead, that appears after the installation process when the app is started.

Thanks in advance, Chris

Expert Comment

ID: 10653090
Why not add some functions which work out a checksum for each major funcion used in your code, store it in data somewhere and re calculate the function checksums at runtime to compare against the original stored checksums.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.


Expert Comment

ID: 10656359
I what I do is:
1. Encrypt the Installation Date and Add it to the Binary: for 30 Day Limit
2. Make a Signature of the Binary and add it too: to check if something is changed using another Programm (Hex or Resource Editor or....)
3. Make Private and Public Key, use RSA Algorithm and Private Key to Generate a Serial Number ( just Encrypt the Username )
4. Add the Public KEy to my Binary and use it to Decrypt the username and Validate the Serial number; Using this methos you will need the Private key to write a Keygen/Crack Serial Numbers.
5. Use Anit Debugger and anti softice Check in each function and procedure

there is NO 100% PROTECTION, but I think that's "enough" to make it hard to crack my Programm ;)
LVL 14

Expert Comment

ID: 10656968
k4hvd77, what if somebody purchases your software, then publishes the username/serial?

One alternative that M$ tried was to somehow tie the username to the installation machine as well (e.g. BIOS number, HDD serial, etc), but that is not an effective way either, because everytime the user changes the hardware/machine, they will need to request for a new serial.

I have no solution to offer, but just something for you to ponder :-)

Author Comment

ID: 10656969
Hi, thanks so far. There are few questions left (I increased points to 500!)

> 1. Encrypt the Installation Date and Add it to the Binary: for 30 Day Limit
I assume, you check the installation date while the enduser installs the product. Is there a way to perform this out of Install Shield express? Do youi simply append the floating point value of the date to your exe file?

> 2. Make a Signature of the Binary and add it too: to check if something is changed using another Programm (Hex or Resource Editor or....)
Can you provide a sample how to make a signature?

> 3. Make Private and Public Key, use RSA Algorithm and Private Key to Generate a Serial Number ( just Encrypt the Username )
How can I implement this RSA stuff? Are there any standard classes or units in Delphi? When does your customer provide his username: during the installation or at the first start of the program?

> 4. Add the Public KEy to my Binary and use it to Decrypt the username and Validate the Serial number; Using this methos you will need the Private key to write a Keygen/Crack Serial Numbers.
Where do you store username and serialnumber? Probably registry values?!?

> 5. Use Anit Debugger and anti softice Check in each function and procedure
Is it more secure to call these functions from any other function than to let a timer event do this work?

Thanks a lot, Chris

Expert Comment

ID: 10657035
You are right, the best way is to Read the BIOS Number and use it in your encryption algorithm.

I think that's not possible to all them from Installshield, you could do all of them after Installation.

I will send you an example how to do that ;)

LVL 14

Expert Comment

ID: 10657094
You can also do it this way...

1. everytime your app connects, it tries to detect an Internet connection
2. if Internet connection exists, try to send username/serial/ip/some hardware info to server
3. server checks record and see if hardware always changes (meaning multiple users?) or if IP indicates different country, then disable that serial

duno if this violates privacy laws, though.
LVL 11

Expert Comment

ID: 10658056
Dragonslayer is right because .Its the only way. I do this (sort of) with an application of mine. I decided that it's the only protection you can have. If you want to protect your software from crackers you have to know how they think and how they work.
                 If your software is worth to crack it will be cracked in no time, if not then why bother?. With all the encryption you want to do on your password or whatever, think that the cracker will not try to brake your password using bruteforce or methods like that which are very slow.
                 He runs a softice like application that allows him to "debug" an application. And when the cracker notices that a user name and password are required by your software ant there is an if password=.... then he makes a goto and jumps over the question. This is the way (one way) to build a crack for an application. He modifyes the exe and removes from it the If-then-else part and only leaves the part that alows you to acces the program as a registered user.

If you want to give the cracker a hard time cracking your program try to place checkpoints in your software and check 10-20 times while running that this user is definitely a registered user. And try to avoid the "if" word. And do not showMessage like "You are not a registered user" after you discover an attempt of Cracking because this is what the cracker also looks for: the exact text you are using in your ShowMessage. So if you discover a cracking attempt in one of the checkpoints then you should try to execute some more code that does nothing or whatever and afterwards just close the application without notifying the user (cracker).
This is all I can tell you now about this right now. Because my day ended at my office and I'm heading home. I can't wait to get there.

Author Comment

ID: 10689303
Hallo, thanks for all your comments.

my first idea was to drive any potential customer into getting himself a new serial key, each time he changes his hardware. But that means additional costs and expenses as well as presumably minor consumer acceptance.

As I can't prevent potential hackers from unlocking the software, I don't like to bother all honest users with additional effort.

Dragonslayer and calinutz,
As many other software vendors use the internet to check the serial, this must be an effective method for validation.

Yet I don't know, how time-consuming and expensive this is to implement. I do not own a web server myself, instead I've leased a small webspace of about 50MB.

I have abolutely no skills in setting up any internet application, web services or anything like that. Seems to be complicated. Perhaps its time to concern myself in this topic.

Can you help me with sample code?

it would appreciate it very much, if you could send me some more infos to your approach.

Thanks to all
Have a nice weekend

Accepted Solution

k4hvd77 earned 1400 total points
ID: 10694793

1. Data Encryption

There is a lot of Librarys that allow you to do that, but the best OpenSource Solution I  found is Lockbox ( Using lockbox you are able to Generate Public and Private Keys, Sign Files, RSA and RDL Encryption and... .So there are more Example around all of these functions.

2. Save something into Binary

take a look at this  Solution "", Download The EXEMOD Unit and put it to your Lib, there are some examples too.

If you would use a Serial Number Validation from Internet, you don't need your own server or Webservices, you could use simply a MySQL Database and PHP Scripts to do that.



Assisted Solution

delphinewbie earned 600 total points
ID: 10747399
Visit Armadillo.

reasonably priced and dead easy to use.

Their support is also very good, and most larger registration sites are able to generate the sewrial numbers immediately.

A few key features discussed above include the ability to :
hardware fingerprint - with hardware changes permitted
stolen serial number database
soft ice detection
temporary keys
plus much more

In addition in all my applications when the user registers I link to my web page so i can keep track of what names and numbers are being used. Of course any decent firewall will block this link.


Author Comment

ID: 10953705
Thanks to all of you.

I finally decided to use a combination of Armadillo and the way suggested by k4hvd77.


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to create forms/units independent of other forms/units object names in a delphi project. Have you ever created a form for user input in a Delphi project and then had the need to have that same form in a other Delphi proj…
Hello everybody This Article will show you how to validate number with TEdit control, What's the TEdit control? TEdit is a standard Windows edit control on a form, it allows to user to write, read and copy/paste single line of text. Usua…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA:…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question