Thank you VERY much to everybody for your opinions.

After reading all your emails and thinking 2-3 nights about how to design this new protection scheme I decided that:
-I don't need to protect against crackers because it is absolutely impossible
-a complicated scheme will create difficulties for my honest customers to register and use my application
-I don't need to protect against crackers because my application has a very limited market: 'genetic research' which is not very interesting for crackers.
-I really need a protection based on hardware since my customers will never buy less than 3 copies so I must not allow them to use the simple key which will unlock an unlimited number of copies.
-existing VCLs are already cracked. I think I found cracks for at least 75% of them without searching too hard. I didn't have access to the source code for all of them but for the ones that I had access to, I found that the part that generates the serial from the hardware ID is at least HILARIOUS!!!!!! (look for example at TmxProtector and OnGuard)
-connecting to the Internet directly from your application is a bad idea for at least two reasons and it may scare the customers
-letting a few copies be pirated will give you free publicity and will help the software to spread
-hardware devices (dongles) are expensive jokes
-I have to design it myself because I already spent too much time looking for a simple but good third party solution.



I thank you again to all who answered me.



--- Robert Meek <[EMAIL PROTECTED]> wrote:

>       I don't believe there's any way of providing the kind of protection
> any of us want without tying it to the hardware and/or OS at some point.
> And that means that if the user upgrades and/or buys a new machine he or she
> has to re-register.  As soon as you make the application autonomous...that
> is, all security is within the app which gets unlocked when the proper
> code(s) are given, the user can sell copies of it to anyone!  Also, if you
> need to store a date time in the registry and/or an inifile, no matter how
> you encode it once someone finds out which entry it is they can simply copy
> it over, or break the encoding and enter a new date time!  So you have to
> provide some means for the application to stop working after a certain date
> IF it isn't registered.  And it has to be hard coded into the app itself
> which also must be crc'd to stop tampering!
>       I don't try to hide it somewhere in the registry, but obfuscate it
> right in the normal registry entries for the application along with other
> important and dummy characters mixed right in.  By transposing and splitting
> up the characters into pieces that have to be decoded separately and then
> put back together and re-decoded again by a different method it gets so
> confusing that I even have a hard time following my own map!  <g>  So I
> wrote an encoder/decoder utility in which I can simply plug in the necessary
> data and get the results I need.  When the info comes back to me I run it
> through the decoder part and match the result with the one I've documented
> for that particular application series.  When you ask how many times should
> you allow a user to get new registry info, I say none if it's already past
> the hard-coded date time of the app itself and tell them to get a new copy
> and register it.  If the info is the same or they corroborate it well
> enough...in case they've moved or something...I give them a code.  And if
> one person abuses this by asking over and over again you simply put a stop
> to it.  No one goes thru 5 machines in one year...right? <g>
> 
> from Robert Meek dba Tangentals Design  CCopyright 2006
> 
> "When I examine myself and my methods of thought, I come to the conclusion
> that the gift of Fantasy has meant more to me than my talent for absorbing
> positive knowledge!"
>                                                     Albert Einstein
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Human
> Sent: Monday, April 03, 2006 11:03 AM
> To: Delphi-Talk Discussion List
> Subject: RE: What VCL do you use for protecting your application?
> 
> Hello again.
> At this moment I am looking for a theoretical solution, not a piece of code or something precise.
> I will repeat: I'm not looking for a foolproof solution because it doesn't exist.
> And I don't want to annoy my customers with a very complicated/unstable schema knowing that sooner or later it will/can be cracked.
> So, I want to keep my honest customers from becoming un-honest (as Robert said), not to offer those crackers from India a real challenge. My application is not a chat client, free SMS tool or game but a tool for genetic research. So I hope no crackers will ever try to use my application on his computer.
> 
> 
> I already made a few functions that return the hardware ID for a few components of the computer.
> The main problem is
> -where to securely store the information
> -what I should do if the user changes/upgrades the hardware
> -how to prevent/detect system time (Windows clock) alteration -> this is related to the first problem: where to store the information (the last good time). Checking the time from the Internet doesn't seem a good solution.
> 
> 
> 
> ------
> Reformulating my question:
> -how to prevent my users from activating 20 applications/computers with one key? (the obvious answer should be: unique keys based on hardware ID)
> -how to prevent them from changing the system time, so it will not remain always in 30 days trial mode? This is also related to reinstalling Windows since it can be reinstalled in less than 2-4 minutes from an image (from DVD).
> -should I use an already made VCL? (the answer I think is 'NO!')
>
> And one more question came to my mind after your first email:
> -should we protect our applications mainly against hackers or against users? (Yes, against both will be great but it seems that keeping the crackers away also might keep the buyers away).
> 
> 
> --
> > Who knows, maybe next year a
> > script kiddie with too much free time will write a "security" application
> > that would make identifying the "commercial grade" protection schema a snap!
> This is a good one. I am sure this will happen one day (very soon).
> Somebody should hire those damn kids or give them more tests at school to keep them busy.
>
>
>
> PS: when I corrected the spelling in this email I found that I wrote hacker instead of cracker in several places.
> I apologize if in my previous emails I made the same spelling mistake.
> 
> --- Cosmin Prund <[EMAIL PROTECTED]> wrote:
> 
> > What I've said is especially true for limited-market, not so popular
> > applications! If opening up your exe file with notepad provides the name of
> > the "protection schema" readily available, any John Doe user would be able to
> > crack your application using google! No more disassembling and no more real
> > cracking. Just plain matching your application's security method to a list
> > of known commercial "protection schemas"! Who knows, maybe next year a
> > script kiddie with too much free time will write a "security" application
> > that would make identifying the "commercial grade" protection schema a snap!
> >
> > If on the other hand you're interested in keeping and improving your own
> > protection schema, just come up with specific questions. I'm sure lots of us
> > will follow the discussions.
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:delphi-talk-
> > > [EMAIL PROTECTED] On Behalf Of Human
> > > Sent: Monday, April 03, 2006 4:50 PM
> > > To: Delphi-Talk Discussion List
> > > Subject: RE: What VCL do you use for protecting your application?
> > > 
> > > Thanks a lot for your indications.
> > > I already looked on cracking forums and web sites and the conclusions are pretty 'dark'.
> > > Those guys can crack anything. For example this guy was quite funny
> > > http://www.woodmann.com/fravia/compro2.htm.
> > > As far as I know, until now there is no application that poses a real challenge to those crackers. All applications were cracked sooner or later.
> > >
> > >
> > > Anyway I am not interested in implementing a very powerful protection scheme since my software has a very limited market so it won't be very popular like Winamp, Windows, Delphi, ACDSee.
> > > So there will be very little interest for crackers to crack my software.
> > > I just want a very flexible and STABLE solution.
> > > A solution which will allow me to generate unique keys, temporary keys, partial keys...
> > >
> > > The main problem for unique (hardware based) keys is: what will happen if the customer upgrades his hardware.
> > > I should generate a new key for him. But the question is how often should I allow a customer to ask for a new key?
> > > I really need some opinions about this issue.
> > > 
> > > --- Cosmin Prund <[EMAIL PROTECTED]> wrote:
> > > 
> > > > Tip:
> > > >
> > > > Before you make your decision on a component for trialware-enabling your
> > > > application consider looking it up on "cracking" forums and P2P programs.
> > > > There might be a "generic crack" available for that component and that would
> > > > make cracking your programs very easy.
> > > >
> > > > Also be aware a cracker's interest in cracking a given protection schema is
> > > > based on the popularity of the protected software. When you're sharing your
> > > > protection schema with many other applications you're automatically
> > > > increasing cracker interest in your application.
> > > >
> > > > If you're unlucky enough to select a "popular" protection schema with
> > > > available generic cracks, it will be worse than using your own code.
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:delphi-talk-
> > > > > [EMAIL PROTECTED] On Behalf Of Human
> > > > > Sent: Sunday, April 02, 2006 7:05 PM
> > > > > To: Delphi-Talk Discussion List
> > > > > Subject: What VCL do you use for protecting your application?
> > > > >
> > > > > > Hello.
> > > > > > I want to implement a protection for one of my programs to make it trialware.
> > > > > > I used until now my own component but now I want to use a professional solution that allows me to generate unique keys based on hardware ID.
> > > > > >
> > > > > > I've tried TmxProtect but it is unstable and has almost no documentation (but is free).
> > > > > > With a little improvement it will be the best VCL around. But until then I need something else.
> > > > > >
> > > > > > I also tried other VCLs but I've found only bad jokes. For example a VCL at 199$ which was weaker than mine and had no hardware ID options.
> > > > >
> > > > >
> > > > > Any idea?
> > > > >
> > > > >
> > > > > If I choose Christianity then the Islamic will say I'm a pagan.
> > > > > If I choose Islamic then the Buddhism will say I'm a pagan.
> > > > > If I chose Buddhism then the Jewish will say I'm pagan.
> > > > > If I choose no God then everybody will say I'm pagan.
> > > > > > Please, can I be free? Can you NOT tell me how I should live MY life?
> > > > >
> > > > > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam?  Yahoo! Mail has the best spam protection around
> > > > > http://mail.yahoo.com
> > > > > __________________________________________________
> > > > > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > > > > http://www.elists.org/mailman/listinfo/delphi-talk
> > > >
> > > >
> > > >
> > > > __________________________________________________
> > > > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > > > http://www.elists.org/mailman/listinfo/delphi-talk
> > > >
> > > 
> > > 
> > > If I choose Christianity then the Islamic will say I'm a pagan.
> > > If I choose Islamic then the Buddhism will say I'm a pagan.
> > > If I chose Buddhism then the Jewish will say I'm pagan.
> > > If I choose no God then everybody will say I'm pagan.
> > > Please, can I be free? Can you NOT tell me how I should live MY life?
> > > 
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> > > __________________________________________________
> > > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > > http://www.elists.org/mailman/listinfo/delphi-talk
> > 
> > 
> > 
> > __________________________________________________
> > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > http://www.elists.org/mailman/listinfo/delphi-talk
> > 
> 
> 
> If I choose Christianity then the Islamic will say I'm a pagan.
> If I choose Islamic then the Buddhism will say I'm a pagan.
> If I chose Buddhism then the Jewish will say I'm pagan.
> If I choose no God then everybody will say I'm pagan.
> Please, can I be free? Can you NOT tell me how I should live MY life?
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> __________________________________________________
> Delphi-Talk mailing list -> Delphi-Talk@elists.org
> http://www.elists.org/mailman/listinfo/delphi-talk
> 
> __________________________________________________
> Delphi-Talk mailing list -> Delphi-Talk@elists.org
> http://www.elists.org/mailman/listinfo/delphi-talk
> 


If I choose Christianity then the Islamic will say I'm a pagan.
If I choose Islamic then the Buddhism will say I'm a pagan.
If I chose Buddhism then the Jewish will say I'm pagan.
If I choose no God then everybody will say I'm pagan.
Please, can I be free? Can you NOT tell me how I should live MY life?

__________________________________________________
Delphi-Talk mailing list -> Delphi-Talk@elists.org
http://www.elists.org/mailman/listinfo/delphi-talk
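
The "last good time" question raised in this thread (detecting a set-back Windows clock during a 30-day trial, with the stored state tied to a hardware ID) can be sketched as follows. This is an added example, not code from any poster or from the VCLs named above; it is written in Python rather than Delphi for brevity, and `APP_SECRET`, `new_state` and `check_trial` are hypothetical names, with the hardware ID assumed to come from the application's own routine.

```python
import hashlib
import hmac
import json

TRIAL_DAYS = 30
DAY = 86400
# Assumption: a per-build secret embedded in the application. Anyone who
# extracts it can forge state, so this only stops casual registry edits.
APP_SECRET = b"constructed-demo-secret"


def _tag(body: bytes, hw_id: str) -> str:
    # Mixing the hardware ID into the key makes a state blob copied from
    # another machine fail verification.
    key = hashlib.sha256(APP_SECRET + hw_id.encode()).digest()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def new_state(hw_id: str, now: int) -> str:
    # Created once, at first run; 'now' is a Unix timestamp in seconds.
    body = json.dumps({"first": now, "last": now}, sort_keys=True)
    return json.dumps({"body": body, "tag": _tag(body.encode(), hw_id)})


def check_trial(blob: str, hw_id: str, now: int):
    """Return (status, blob_to_store); status is one of
    'ok', 'expired', 'clock_rollback', 'tampered'."""
    try:
        outer = json.loads(blob)
        body, tag = outer["body"], outer["tag"]
        if not hmac.compare_digest(tag, _tag(body.encode(), hw_id)):
            return "tampered", blob
        state = json.loads(body)
        first, last = int(state["first"]), int(state["last"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "tampered", blob
    if now < last:
        # The clock is earlier than a time already observed: keep the old
        # 'last' so setting the clock back never buys extra trial days.
        return "clock_rollback", blob
    body = json.dumps({"first": first, "last": now}, sort_keys=True)
    updated = json.dumps({"body": body, "tag": _tag(body.encode(), hw_id)})
    if now - first >= TRIAL_DAYS * DAY:
        return "expired", updated
    return "ok", updated
```

Deleting the stored blob, or restoring Windows from an image taken before first run, still resets the trial; that is the reinstall case mentioned in the thread and this sketch does not address it.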
