Solved

effective, reliable method to protect software against piracy

Posted on 2004-03-22
Last Modified: 2010-04-05
Hi,

I'm just about to offer my first commercial Delphi project to the public and I am now looking for an effective, reliable and low-priced way to protect my software against any kind of piracy by hackers & crackers.

As this is my first commercial project, I lack experience with this stuff. Any help and suggestions are welcome.

I tried the possibilities of ISe, but found out that it's not possible to check the number against a username for example.

Thanks, Chris

Question by:chkorte
13 Comments
 
LVL 4

Expert Comment

by:k4hvd77
ID: 10648113
Hi,
take a look at this solution:
http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20895027.html

I had the same Problem!! :)

k4hvd77
0
 

Author Comment

by:chkorte
ID: 10652720
Hi k4hvd77,

for protection this was a good start. I assigned all these functions to a timer event, when I tried to run the app from within Delphi, it terminated directly as expected.

Which approach would you recommend to check a username or a customer number against a provided serial key?
Do you have experience with trial versions, limited to 30 days use for example?
Where would you store the serial infos? Perhaps registry or some file?
Which encoding / decoding algorithms do you use?

Install Shield express is only of limited use here because I cannot check, if a valid username is entered. According to this I decided not to use this feature of ISe and to write my own Serial dialog instead, that appears after the installation process when the app is started.

Thanks in advance, Chris
0
 
LVL 3

Expert Comment

by:JDuncan
ID: 10653090
Why not add some functions which work out a checksum for each major function used in your code, store it in data somewhere and recalculate the function checksums at runtime to compare against the original stored checksums?
0
 
LVL 4

Expert Comment

by:k4hvd77
ID: 10656359
Ok,
What I do is:
1. Encrypt the Installation Date and Add it to the Binary: for 30 Day Limit
2. Make a Signature of the Binary and add it too: to check if something is changed using another program (Hex or Resource Editor or....)
3. Make Private and Public Key, use RSA Algorithm and Private Key to Generate a Serial Number (just Encrypt the Username)
4. Add the Public Key to my Binary and use it to Decrypt the username and Validate the Serial number; using this method you will need the Private key to write a Keygen/Crack Serial Numbers.
5. Use Anti-Debugger and anti-SoftICE Check in each function and procedure

there is NO 100% PROTECTION, but I think that's "enough" to make it hard to crack my program ;)
0
 
LVL 14

Expert Comment

by:DragonSlayer
ID: 10656968
k4hvd77, what if somebody purchases your software, then publishes the username/serial?

One alternative that M$ tried was to somehow tie the username to the installation machine as well (e.g. BIOS number, HDD serial, etc), but that is not an effective way either, because every time the user changes the hardware/machine, they will need to request a new serial.

I have no solution to offer, but just something for you to ponder :-)
0
 

Author Comment

by:chkorte
ID: 10656969
Hi, thanks so far. There are few questions left (I increased points to 500!)

> 1. Encrypt the Installation Date and Add it to the Binary: for 30 Day Limit
I assume you check the installation date while the end user installs the product. Is there a way to perform this out of Install Shield express? Do you simply append the floating point value of the date to your exe file?

> 2. Make a Signature of the Binary and add it too: to check if something is changed using another program (Hex or Resource Editor or....)
Can you provide a sample how to make a signature?

> 3. Make Private and Public Key, use RSA Algorithm and Private Key to Generate a Serial Number (just Encrypt the Username)
How can I implement this RSA stuff? Are there any standard classes or units in Delphi? When does your customer provide his username: during the installation or at the first start of the program?

> 4. Add the Public Key to my Binary and use it to Decrypt the username and Validate the Serial number; using this method you will need the Private key to write a Keygen/Crack Serial Numbers.
Where do you store username and serial number? Probably registry values?!?

> 5. Use Anti-Debugger and anti-SoftICE Check in each function and procedure
Is it more secure to call these functions from any other function than to let a timer event do this work?

Thanks a lot, Chris
0

 
LVL 4

Expert Comment

by:k4hvd77
ID: 10657035
DragonSlayer,
You are right, the best way is to Read the BIOS Number and use it in your encryption algorithm.

chkorte,
I think that's not possible to all them from Installshield, you could do all of them after Installation.

I will send you an example how to do that ;)

k4hvd77
0
 
LVL 14

Expert Comment

by:DragonSlayer
ID: 10657094
You can also do it this way...

1. every time your app connects, it tries to detect an Internet connection
2. if Internet connection exists, try to send username/serial/ip/some hardware info to server
3. server checks record and sees if hardware always changes (meaning multiple users?) or if IP indicates different country, then disables that serial

Dunno if this violates privacy laws, though.
0
 
LVL 11

Expert Comment

by:calinutz
ID: 10658056
Dragonslayer is right because it's the only way. I do this (sort of) with an application of mine. I decided that it's the only protection you can have. If you want to protect your software from crackers you have to know how they think and how they work.

If your software is worth cracking it will be cracked in no time; if not, then why bother? With all the encryption you want to do on your password or whatever, think that the cracker will not try to break your password using brute force or methods like that, which are very slow.

He runs a SoftICE-like application that allows him to "debug" an application. And when the cracker notices that a user name and password are required by your software and there is an if password=.... then he makes a goto and jumps over the question. This is the way (one way) to build a crack for an application. He modifies the exe and removes from it the if-then-else part and only leaves the part that allows you to access the program as a registered user.

If you want to give the cracker a hard time cracking your program, try to place checkpoints in your software and check 10-20 times while running that this user is definitely a registered user. And try to avoid the "if" word. And do not ShowMessage something like "You are not a registered user" after you discover an attempt at cracking, because this is what the cracker also looks for: the exact text you are using in your ShowMessage. So if you discover a cracking attempt in one of the checkpoints then you should try to execute some more code that does nothing or whatever and afterwards just close the application without notifying the user (cracker).
This is all I can tell you about this right now, because my day ended at my office and I'm heading home. I can't wait to get there.
Cheers
0
 

Author Comment

by:chkorte
ID: 10689303
Hallo, thanks for all your comments.

Dragonslayer,
my first idea was to drive any potential customer into getting himself a new serial key, each time he changes his hardware. But that means additional costs and expenses as well as presumably minor consumer acceptance.

As I can't prevent potential hackers from unlocking the software, I don't like to bother all honest users with additional effort.

Dragonslayer and calinutz,
As many other software vendors use the internet to check the serial, this must be an effective method for validation.

Yet I don't know, how time-consuming and expensive this is to implement. I do not own a web server myself, instead I've leased a small webspace of about 50MB.

I have absolutely no skills in setting up any internet application, web services or anything like that. Seems to be complicated. Perhaps it's time to concern myself with this topic.

Can you help me with sample code?

k4hvd77,
I would appreciate it very much if you could send me some more info on your approach.

Thanks to all
Have a nice weekend
Chris
0
 
LVL 4

Accepted Solution

by:
k4hvd77 earned 350 total points
ID: 10694793
Ok,

1. Data Encryption

There are a lot of libraries that allow you to do that, but the best open-source solution I found is LockBox (http://sourceforge.net/projects/tplockbox/). Using LockBox you are able to generate public and private keys, sign files, do RSA and RDL encryption and so on. There are also examples for all of these functions.

2. Save something into Binary

take a look at this  Solution "http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20851849.html", Download The EXEMOD Unit and put it to your Lib, there are some examples too.

If you would use a Serial Number Validation from Internet, you don't need your own server or Webservices, you could use simply a MySQL Database and PHP Scripts to do that.


k4hvd77




0
 
LVL 1

Assisted Solution

by:delphinewbie
delphinewbie earned 150 total points
ID: 10747399
Visit Armadillo.

reasonably priced and dead easy to use.

Their support is also very good, and most larger registration sites are able to generate the serial numbers immediately.

A few key features discussed above include the ability to :
hardware fingerprint - with hardware changes permitted
stolen serial number database
soft ice detection
temporary keys
plus much more

In addition, in all my applications, when the user registers I link to my web page so I can keep track of what names and numbers are being used. Of course any decent firewall will block this link.

http://www.siliconrealms.com

0
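The signed-serial scheme from k4hvd77's steps 3 and 4, with the machine binding and stolen-serial list raised elsewhere in the thread, as an added Python sketch (not code from any poster, LockBox or Armadillo). The key, the `machine_id` and `revoked` parameters and all names are constructed for illustration; it uses unpadded textbook RSA, where a shipping product would use a vetted library with RSA-PSS.

```python
import hashlib

# Constructed demonstration key: two Mersenne primes give a working RSA
# modulus without key-generation code. Its special form is unsafe for real
# use; generate a proper 2048-bit or larger key with a vetted library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public: embedded in the shipped app
D = pow(E, -1, (P - 1) * (Q - 1))      # private: never leaves the vendor


def _digest(username: str, machine_id: str) -> int:
    """SHA-256 of the licensed identity as an integer (always below N)."""
    data = f"{username.strip().lower()}\x00{machine_id}".encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_serial(username: str, machine_id: str = "") -> str:
    """Vendor side: sign the identity with the private exponent D."""
    return format(pow(_digest(username, machine_id), D, N), "x")


def check_serial(username, serial, machine_id="", revoked=frozenset()) -> str:
    """App side: needs only (N, E). Returns 'ok', 'revoked' or 'invalid'."""
    try:
        sig = int(serial, 16)
    except ValueError:
        return "invalid"
    if not 0 < sig < N or pow(sig, E, N) != _digest(username, machine_id):
        return "invalid"
    # A published serial still verifies; only a revocation list rejects it.
    if format(sig, "x") in revoked:
        return "revoked"
    return "ok"


def demo():
    serial = issue_serial("Chris Example", "HDD-1234")  # constructed values
    return [
        check_serial("Chris Example", serial, "HDD-1234"),
        check_serial("Someone Else", serial, "HDD-1234"),
        check_serial("Chris Example", serial, "HDD-9999"),
        check_serial("Chris Example", serial, "HDD-1234", revoked={serial}),
    ]


if __name__ == "__main__":
    print(demo())
```

The check still ends in a single comparison inside the binary, so it stops key generators but not the patched-jump approach calinutz describes.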
 

Author Comment

by:chkorte
ID: 10953705
Thanks to all of you.

I finally decided to use a combination of Armadillo and the way suggested by k4hvd77.

0
