David wrote:

> My problem with this is that the product keys need to be embedded in the
> application. With these keys and their own copy of OnGuard a user/hacker
> could build their own valid codes for any site name or expiry date. I
> don't know how hard it would be for a hacker to extract the keys from an
> application (the recommended approach for embedding them would appear to
> be constants of type TKey which is a 16 byte binary value) but I suspect
> it wouldn't be too hard.

You may want to go one step further and use Shrinker to shrink-
and-encrypt the finished app. No security scheme is perfect (e.g. 
there are hacks to unShrink code too, and an in-memory 
debug/disassemble renders your logic transparent), but one extra 
layer of obfuscation is worth having, as is the side-benefit of a 
smaller EXE.  I haven't found any issues in years of using Shrinker 
with some products.

That aside, you may wish to take pains to assemble your key from 
diverse bits and pieces, not one single structure (especially if it has 
predictable content in some way). "Just in time" delivery of the key 
is nice, but still prone to disassembly at the moment of use, if they 
can find a way to hook into that.  

Like I say (and which Max repeats in his far more thorough outline), 
no scheme can promise utter security...


cheers,
peter

============================================
Peter Hyde, WebCentre Ltd & SPIS Ltd, Christchurch, New Zealand
* Web automation for online periodicals: http://TurboPress.com
* TurboNote+: http://TurboPress.com/tbnote.htm
  -- easy, small, handy onscreen sticky notes
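
An added example, not part of the original message and not OnGuard or Shrinker code: one way to do what Peter describes, rebuilding a 16-byte key from scattered fragments only at the moment of use and wiping it afterwards. The TKey layout, all byte values and the CheckCode routine are constructed assumptions; as the message notes, this only obscures the key, which still sits in memory while it is being used.

```delphi
program AssembleKeyDemo;
{$APPTYPE CONSOLE}

type
  TKey = array[0..15] of Byte;   // assumption: 16-byte binary key, as described above
  TKeyUser = function(const Key: TKey): Boolean;

const
  // Constructed sample data. No single constant holds the key in usable form.
  FragA: array[0..7] of Byte = ($91, $2C, $E4, $5A, $07, $B3, $68, $DF);
  FragB: array[0..7] of Byte = ($4E, $F0, $13, $A9, $7C, $25, $D6, $8B);
  Mask:  TKey = ($5A, $C3, $19, $E7, $84, $3D, $F2, $6B,
                 $A0, $0F, $D5, $72, $B8, $46, $9E, $21);
  // Which fragment byte (0..7 = FragA, 8..15 = FragB) feeds each key position.
  Order: array[0..15] of Byte = (9, 2, 12, 5, 15, 0, 7, 10, 3, 13, 6, 1, 11, 4, 14, 8);

// Rebuilds the key: each byte is a permuted fragment byte XORed with its mask byte.
procedure BuildKey(var Key: TKey);
var I: Integer;
begin
  for I := 0 to High(Key) do
    if Order[I] < 8 then
      Key[I] := FragA[Order[I]] xor Mask[I]
    else
      Key[I] := FragB[Order[I] - 8] xor Mask[I];
end;

// Builds the key, hands it to the caller's routine, and wipes it before returning,
// even if the routine raises an exception.
function WithKey(Use: TKeyUser): Boolean;
var Key: TKey;
begin
  BuildKey(Key);
  try
    Result := Use(Key);
  finally
    FillChar(Key, SizeOf(Key), 0);
  end;
end;

// Hypothetical stand-in for the routine that checks a release code with the key.
function CheckCode(const Key: TKey): Boolean;
begin
  Result := Key[0] <> 0;   // the application's real verification goes here
end;

begin
  if WithKey(CheckCode) then WriteLn('code accepted') else WriteLn('code rejected');
end.
```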