Thank you VERY much to everybody for your opinions.

After reading all your emails and thinking 2-3 nights about how to design this new protection scheme, I decided that:

- I don't need to protect against crackers because it is absolutely impossible
- a complicated scheme will create difficulties for my honest customers to register and use my application
- I don't need to protect against crackers because my application has a very limited market: 'genetic research', which is not very interesting for crackers.
- I really need a protection based on hardware since my customers will never buy less than 3 copies, so I must not allow them to use the simple key which will unlock an unlimited number of copies.
- existing VCLs are already cracked. I think I found cracks for at least 75% of them without searching too hard. I didn't have access to the source code for all of them, but for the ones that I had access to, I found that the part that generates the serial from the hardware ID is at least HILARIOUS!!!!!! (look for example at TmxProtector and OnGuard)
- connecting to the Internet directly from your application is a bad idea for at least two reasons, and it may scare the customers
- letting a few copies be pirated will give you free publicity and will help the software to spread
- hardware devices (dongles) are expensive jokes
- I have to design it by myself because I already spent too much time looking for a simple but good third-party solution.

I thank you again to all who answered me.

--- Robert Meek <[EMAIL PROTECTED]> wrote:

> I don't believe there's any way of providing the kind of protection any of us want without tying it to the hardware and/or OS at some point. And that means that if the user upgrades and/or buys a new machine he or she has to re-register. As soon as you make the application autonomous...that is, all security is within the app which gets unlocked when the proper code(s) are given, the user can sell copies of it to anyone! Also, if you need to store a date time in the registry and/or an inifile, no matter how you encode it, once someone finds out which entry it is they can simply copy it over, or break the encoding and enter a new date time! So you have to provide some means for the application to stop working after a certain date IF it isn't registered. And it has to be hard coded into the app itself, which also must be crc'd to stop tampering!
>
> I don't try to hide it somewhere in the registry, but obfuscate it right in the normal registry entries for the application along with other important and dummy characters mixed right in. By transposing and splitting up the characters into pieces that have to be decoded separately and then put back together and re-decoded again by a different method it gets so confusing that I even have a hard time following my own map! <g> So I wrote an encoder/decoder utility in which I can simply plug in the necessary data and get the results I need. When the info comes back to me I run it through the decoder part and match the result with the one I've documented for that particular application series. When you ask how many times should you allow a user to get new registry info, I say none if it's already past the hard-coded date time of the app itself and tell them to get a new copy and register it.
> If the info is the same or they corroborate it well enough...in case they've moved or something...I give them a code. And if one person abuses this by asking over and over again you simply put a stop to it. No one goes thru 5 machines in one year...right? <g>
>
> from Robert Meek dba Tangentals Design © Copyright 2006
>
> "When I examine myself and my methods of thought, I come to the conclusion that the gift of Fantasy has meant more to me than my talent for absorbing positive knowledge!"
> Albert Einstein
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Human
> Sent: Monday, April 03, 2006 11:03 AM
> To: Delphi-Talk Discussion List
> Subject: RE: What VCL do you use for protecting your application?
>
> Hello again.
> At this moment I am looking for a theoretical solution, not a piece of code or something precise.
> I will repeat: I'm not looking for a foolproof solution because it doesn't exist.
> And I don't want to annoy my customers with a very complicated/unstable schema knowing that sooner or later it will/can be cracked.
> So, I want to keep my honest customers from becoming un-honest (as Robert said), not to offer those crackers from India a real challenge. My application is not a chat client, free SMS tool or game but a tool for genetic research. So I hope no cracker will ever try to use my application on his computer.
>
> I already made a few functions that return the hardware ID for a few components of the computer.
> The main problem is
> -where to securely store the information
> -what I should do if the user changes/upgrades the hardware
> -how to prevent/detect system time (Windows clock) alteration -> this is related to the first problem: where to store the information (the last good time). Checking the time from the Internet doesn't seem a good solution.
>
> ------
> Reformulating my question:
> -how to prevent my users from activating 20 applications/computers with one key? (the obvious answer should be: unique keys based on hardware ID)
> -how to prevent it from changing the system time, so it will not always remain in 30-day trial mode? This is also related to reinstalling Windows since it can be reinstalled in less than 2-4 minutes from an image (from DVD).
> -should I use an already made VCL? (the answer, I think, is 'NO!')
>
> And one more question came to my mind after your first email:
> -should we protect our applications mainly against hackers or against users? (Yes, against both will be great but it seems that keeping the crackers away also might keep the buyers away).
>
> --
> > Who knows, maybe next year a script kiddie with too much free time will write a "security" application that would make identifying the "commercial grade" protection schema a snap!
> This is a good one. I am sure this will happen one day (very soon).
> Somebody should hire those damn kids or give them more tests at school to keep them busy.
>
> PS: when I corrected the spelling in this email I found that I wrote hacker instead of cracker in several places.
> I apologize if in my previous emails I made the same spelling mistake.
>
> --- Cosmin Prund <[EMAIL PROTECTED]> wrote:
>
> > What I've said is especially true for limited-market, not so popular applications! If opening up your exe file with notepad provides the name of the "protection schema" readily available, any Jon Doe user would be able to crack your application using google! No more disassembling and no more real cracking. Just plain matching your application's security method to a list of known commercial "protection schemas"!
> > Who knows, maybe next year a script kiddie with too much free time will write a "security" application that would make identifying the "commercial grade" protection schema a snap!
> >
> > If on the other hand you're interested in keeping and improving your own protection schema, just come up with specific questions. I'm sure lots of us will follow the discussions.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:delphi-talk-[EMAIL PROTECTED] On Behalf Of Human
> > > Sent: Monday, April 03, 2006 4:50 PM
> > > To: Delphi-Talk Discussion List
> > > Subject: RE: What VCL do you use for protecting your application?
> > >
> > > Thanks a lot for your indications.
> > > I already looked on cracking forums and web sites and the conclusions are pretty 'dark'.
> > > Those guys can crack anything. For example this guy was quite funny http://www.woodmann.com/fravia/compro2.htm.
> > > As far as I know, until now there is no application that poses a real challenge to those crackers. All applications were cracked sooner or later.
> > >
> > > Anyway I am not interested in implementing a very powerful protection scheme since my software has a very limited market so it won't be very popular like Winamp, Windows, Delphi, ACDSee.
> > > So there will be very little interest for crackers to crack my software.
> > > I just want a very flexible and STABLE solution.
> > > A solution which will allow me to generate unique keys, temporary keys, partial keys...
> > >
> > > The main problem for unique (hardware based) keys is: what will happen if the customer upgrades his hardware.
> > > I should generate a new key for him. But the question is how often should I allow a customer to ask for a new key?
> > > I really need some opinions about this issue.
> > >
> > > --- Cosmin Prund <[EMAIL PROTECTED]> wrote:
> > >
> > > > Tip:
> > > >
> > > > Before you make your decision on a component for trialware-enabling your application consider looking it up on "cracking" forums and P2P programs. There might be a "generic crack" available for that component and that would make cracking your programs very easy.
> > > >
> > > > Also be aware a cracker's interest in cracking a given protection schema is based on the popularity of the protected software. When you're sharing your protection schema with many other applications you're automatically increasing cracker interest in your application.
> > > >
> > > > If you're unlucky enough to select a "popular" protection schema with available generic cracks, it will be worse than using your own code.
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:delphi-talk-[EMAIL PROTECTED] On Behalf Of Human
> > > > > Sent: Sunday, April 02, 2006 7:05 PM
> > > > > To: Delphi-Talk Discussion List
> > > > > Subject: What VCL do you use for protecting your application?
> > > > >
> > > > > Hello.
> > > > > I want to implement a protection for one of my programs to make it trialware.
> > > > > I used until now my own component but now I want to use a professional solution that allows me to generate unique keys based on hardware ID.
> > > > >
> > > > > I've tried TmxProtect but it is unstable and has almost no documentation (but is free).
> > > > > With a little improvement it will be the best VCL around. But until then I need something else.
> > > > >
> > > > > I also tried other VCLs but I've found only bad jokes. For example a VCL at 199$ which was weaker than mine and had no hardware ID options.
> > > > >
> > > > > Any idea?
> > > > >
> > > > > If I choose Christianity then the Islamic will say I'm a pagan.
> > > > > If I choose Islamic then the Buddhism will say I'm a pagan.
> > > > > If I chose Buddhism then the Jewish will say I'm pagan.
> > > > > If I choose no God then everybody will say I'm pagan.
> > > > > Please, can I be free? Can you NOT tell me how I should live MY life?
> > > > >
> > > > > __________________________________________________
> > > > > Delphi-Talk mailing list -> Delphi-Talk@elists.org
> > > > > http://www.elists.org/mailman/listinfo/delphi-talk
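
The two design questions raised in this thread (a key that unlocks only one machine, and a stored "last good time" that exposes a clock set backwards) can be sketched as follows. This is an added example, not code from any of the posters; `VENDOR_SECRET`, the record layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a vendor secret shipped inside the application (constructed value).
VENDOR_SECRET = b"constructed-demo-secret"
DAY = 86400

def machine_key(hardware_id):
    """Per-machine key: anything sealed with it fails to verify on other hardware."""
    return hmac.new(VENDOR_SECRET, hardware_id.encode(), hashlib.sha256).digest()

def license_key(hardware_id):
    """Vendor side: unlock code that is only valid for one hardware ID."""
    mac = hmac.new(machine_key(hardware_id), b"license-v1", hashlib.sha256)
    return mac.hexdigest()[:20]

def check_license(hardware_id, key):
    return hmac.compare_digest(license_key(hardware_id).encode(), key.encode())

def seal(state, hardware_id):
    """Serialize the trial state and append a MAC bound to this machine."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(machine_key(hardware_id), body.encode(), hashlib.sha256)
    return body + "|" + tag.hexdigest()

def unseal(record, hardware_id):
    """Return the state, or None if the record was edited or copied over."""
    body, _, tag = record.rpartition("|")
    good = hmac.new(machine_key(hardware_id), body.encode(), hashlib.sha256)
    if not hmac.compare_digest(good.hexdigest().encode(), tag.encode()):
        return None
    return json.loads(body)

def trial_check(record, hardware_id, now, trial_days=30):
    """Return (status, record_to_store); `now` is Unix time in seconds."""
    if record is None:                      # first run on this machine
        state = {"first_run": now, "last_seen": now}
    else:
        state = unseal(record, hardware_id)
        if state is None:
            return "tampered", record
        if now < state["last_seen"]:        # clock is behind the last good time
            return "clock_rolled_back", record
        state["last_seen"] = now
    expired = now - state["first_run"] > trial_days * DAY
    return ("expired" if expired else "trial"), seal(state, hardware_id)
```

Deleting the stored record or restoring a disk image still restarts the trial, and the secret ships inside the binary, so this only raises the effort for ordinary users, which is the goal the thread settles on.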