I don't believe there's anyway of providing the kind of protection
any of us want without tying it to the hardware and/or OS at some point.
And that means that if the user upgrades and/or buys a new machine he or she
has to re-register. As soon as you make the application autonomous...that
is, all security is within the app which gets unlocked when the proper
code(s) are given, the user can sell copies of it to anyone! Also, if you
need to store a date time in the registry and/or an inifile, no matter how
you encode it once someone finds out which entry it is they can simply copy
it over, or break the encoding and enter a new date time! So you have to
provide some means for the application to stop working after a certain date
IF it isn't registered. And it has to be hard coded into the app itself
which also must be crc'd to stop tampering!
I don't try to hide it somewhere in the registry, but obfuscate it
right in the normal registry entries for the application along with other
important and dummy characters mixed right it. By transposing and slitting
up the characters into pieces that have to be decoded separately and then
put back together and re-decoded again by a different method it gets so
confusing that I even have a hard time following my own map! <g> So I
wrote an encoder/decoder utility in which I can simply plug in the necessary
data and get the results I need. When the info comes back to me I run it
through the decoder part and match the result with the one I've documented
for that particular application series. When you ask how many times should
you allow a user to get new registry info, I say none if it's already past
the hard-coded date time of the app itself and tell them to get a new copy
and register it. If the info is the same or they corroborate it well
enough...in case they've moved or something...I give them a code. And if
one person abuses this by asking over and over again you simply put a stop
to it. No one goes thru 5 machines in one year...right? <g>
from Robert Meek dba Tangentals Design CCopyright 2006
"When I examine myself and my methods of thought, I come to the conclusion
that the gift of Fantasy has meant more to me then my talent for absorbing
positive knowledge!"
Albert Einstein
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Human
Sent: Monday, April 03, 2006 11:03 AM
To: Delphi-Talk Discussion List
Subject: RE: What VCL do you use for protecting your application?
Hello again.
At this moment I am looking for theoretical solution, not a piece of code or
something precisely.
I will repeat: I'm not looking for a full proof solution because it doesn't
exist.
And I don't want to annoy my customers with a very complicated/unstable
schema knowing that sooner
or later it will/can be cracked.
So, I want to keep my honest customers form becoming un-honest (as Robert
said) not to offer to
those crackers from India a real challenge. My application is not a chat
client, free SMS tool or
game but a tool for genetic research. So I hope no crackers will ever try to
use my application in
his computer.
I already made few functions that return me the hardware ID for few
components of the computer.
The main problem is
-where to securely store the information
-what I should do if the user change/upgrade the hardware
-how to prevent/detect system time (windows clock) alteration -> this is
related to first problem:
where to store the information (the last good time). Checking the time from
Internet doesn't seems
a good solution.
------
Reformulating my question:
-how to prevent my users to activate with one key 20 applications/computers?
(the answer obvious
should be: unique keys based on hardware ID)
-how to prevent it from changing the system time, so it not will remain
always in 30 days trial
mode? This is also related to reinstalling Windows since it can be
reinstalled in less than 2-4
minutes from an image (from DVD).
-should I use an already made VCL? (the answer I think it is 'NO!')
And one more question came in my mind after your first email:
-should we protect our applications mainly against hackers or against users?
(Yes, against both
will be great but it seems that keeping the crackers away, also might keep
the buyers away).
--
> Who knows, maybe next year a
> script kiddie with too much free time will write a "security" application
> that would make identifying the "commercial grade" protection schema a
snap!
This is a good one. I am sure this will happen one day (very soon).
Somebody should hire those damn kids or to give them more test at schol to
keep them bussy.
PS: when I corrected the spells in this email I've found that I wrote hacker
instead cracker in
several places.
I apologies if in my previous emails I made the same spelling mistake.
--- Cosmin Prund <[EMAIL PROTECTED]> wrote:
> What I've sad is especially true for limited-market, not so popular
> applications! If opening up your exe file with notepad provides the name
of
> the "protection schema" readily available, any Jon Doe user would be able
to
> crack your application using google! No more disassembling and no more
real
> cracking. Just plain matching your application's security method to a list
> of known commercial "protection schemas"! Who knows, maybe next year a
> script kiddie with too much free time will write a "security" application
> that would make identifying the "commercial grade" protection schema a
snap!
>
> If on the other hand you're interesting in keeping and improving your own
> protection schema, just come up with specific questions. I'm sure lots of
us
> will follow the discussions.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:delphi-talk-
> > [EMAIL PROTECTED] On Behalf Of Human
> > Sent: Monday, April 03, 2006 4:50 PM
> > To: Delphi-Talk Discussion List
> > Subject: RE: What VCL do you use for protecting your application?
> >
> > Thanks allot for your indications.
> > I already looked on cracking forums and web sites and the conclusions
are
> > pretty 'dark'.
> > Those guys can crack anything. For example this guy was quite funny
> > http://www.woodmann.com/fravia/compro2.htm.
> > As I know, until now there is no application that poses a real challenge
> > to those crackers. All
> > applications were cracked sooner or latter.
> >
> >
> > Anyway I am not interested in implementing a very powerful protection
> > scheme since my software
> > have a very limited marked so it won't be very popular like Winamp,
> > Windows, Delphi, ACDSee.
> > So there will be very little interest for crackers to crack my software.
> > I just want a very flexible and STABLE solution.
> > A solution which will allow me to generate unique keys, temporary keys,
> > partially keys...
> >
> > The main problem for unique (hardware based) keys is: what will happen
if
> > the customer will
> > upgrade his hardware.
> > I should generate for him a new key. But the question is how often
should
> > I allow a customer to
> > ask for a new key?
> > I really need some opinions about this issue.
> >
> >
> >
> >
> >
> >
> >
> > --- Cosmin Prund <[EMAIL PROTECTED]> wrote:
> >
> > > Tip:
> > >
> > > Before you make your decision on a component for trialware-enabling
your
> > > application consider looking it up on "cracking" forums and P2P
> > programs.
> > > There might be a "generic crack" available for that component and that
> > would
> > > make cracking your programs very easy.
> > >
> > > Also be aware a crackers interest in cracking a given protection
schema
> > is
> > > based on the popularity of the protected software. When you're sharing
> > your
> > > protection schema with many other applications you're automatically
> > > increasing cracker interest in your application.
> > >
> > > If you're unlucky enough to select a "popular" protection schema with
> > > available generic cracks, it will be worst then using your own code.
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:delphi-talk-
> > > > [EMAIL PROTECTED] On Behalf Of Human
> > > > Sent: Sunday, April 02, 2006 7:05 PM
> > > > To: Delphi-Talk Discussion List
> > > > Subject: What VCL do you use for protecting your application?
> > > >
> > > > Hello.
> > > > I want to implement a protection for one of my programs to make it
> > > > trialware.
> > > > I used until now my own component but now I want to use a
professional
> > > > solution that allow me to
> > > > generate unique keys based on hardware ID.
> > > >
> > > > I've tried TmxProtect but it is unstable and has almost no
> > documentation
> > > > (but is free).
> > > > With a little improvement it will be the best VCL around. But until
> > then I
> > > > need something else.
> > > >
> > > > I also tried other VCLs but I've found only bad jokes. For example a
> > VCL
> > > > at 199$ which was weak
> > > > then mine and had no hardware ID options.
> > > >
> > > >
> > > > Any idea?
> > > >
> > > >
> > > > If I choose Christianity then the Islamic will say I'm a pagan.
> > > > If I choose Islamic then the Buddhism will say I'm a pagan.
> > > > If I chose Buddhism then the Jewish will say I'm pagan.
> > > > If I choose no God then everybody will say I'm pagan.
> > > > Please, can I be free? Can you NOT tell me how I should live MY
life?
> > > >
> > > > __________________________________________________
> > > > Do You Yahoo!?
> > > > Tired of spam? Yahoo! Mail has the best spam protection around
> > > > http://mail.yahoo.com
> > > > __________________________________________________
> > > > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > > > http://www.elists.org/mailman/listinfo/delphi-talk
> > >
> > >
> > >
> > > __________________________________________________
> > > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > > http://www.elists.org/mailman/listinfo/delphi-talk
> > >
> >
> >
> > If I choose Christianity then the Islamic will say I'm a pagan.
> > If I choose Islamic then the Buddhism will say I'm a pagan.
> > If I chose Buddhism then the Jewish will say I'm pagan.
> > If I choose no God then everybody will say I'm pagan.
> > Please, can I be free? Can you NOT tell me how I should live MY life?
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> > __________________________________________________
> > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > http://www.elists.org/mailman/listinfo/delphi-talk
>
>
>
> __________________________________________________
> Delphi-Talk mailing list -> Delphi-Talk@elists.org
> http://www.elists.org/mailman/listinfo/delphi-talk
>
If I choose Christianity then the Islamic will say I'm a pagan.
If I choose Islamic then the Buddhism will say I'm a pagan.
If I chose Buddhism then the Jewish will say I'm pagan.
If I choose no God then everybody will say I'm pagan.
Please, can I be free? Can you NOT tell me how I should live MY life?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
__________________________________________________
Delphi-Talk mailing list -> Delphi-Talk@elists.org
http://www.elists.org/mailman/listinfo/delphi-talk
__________________________________________________
Delphi-Talk mailing list -> Delphi-Talk@elists.org
http://www.elists.org/mailman/listinfo/delphi-talk
