Hey guys, I've been working on another program which I'm going to charge for, and I need a good serial number protection scheme to use. I'd like it to generate a random number, then generate the key from that number (would probably be a lot safer than generating it from anything else). Anyone know of any sources that I might be able to look at? I've already tried searching the boards and can't find anything to my liking. Any help is very much appreciated.
RIF
Posted on 2002-08-04 17:12:56 by resistance_is_futile
IMHO 'a good serial number protection scheme' is a contradiction in terms. If you use a name and serial number to produce a registration hash it can be easily unprotected. Using a complex algorithm and writing meaningless spaghetti code to confuse the cracker means it will take 10 minutes to unprotect your program instead of 2 minutes. Maybe I'm naive and an idealist but I think that if your program is good the honest people will buy it and the crooks will steal it. Most people are honest, so what's the problem?

If you're still worried, another approach is to disable parts of your program. By that I mean don't even include the code to enable the disabled features, they are available in only the purchased version. This is harder to implement because if you disable too much people won't recognize the potential of your program; if you disable too little some people will accept the program as it is and treat it as freeware.

best regards

czDrillard
Posted on 2002-08-04 17:42:25 by czDrillard
dongle...

Sell your product through authorized resellers and direct contact to the reseller between customers must be the only way of purchasing the software and do not make it available for download. This way you can monitor the "culprits". But this is not an easy task nor is it a good marketing strategy IMO.

Try FlexLM licensing; this is what "modern" expensive commercial software uses nowadays. But don't count on this one since I've seen "loopholes" in this kind of protection.

Just remember there is no "sure way" to protect your software from pirates and cr*ckers. So forget about serial number, patches, keys... you'll be wasting your time and money on these forms of protection.
Posted on 2002-08-04 18:20:52 by stryker
Study crackers and their techniques... fravia's messageboard (now maintained by tsehp) is a good place to lurk. And tsehp's archives of fravia's old site also have some good pieces of information (if you dig long enough). Some moderator will probably edit out the URLs (sigh), but the stuff is easy enough to find with Google.

protection: ***
messageboard: ***

Ready-made wrappers generally don't provide much protection once they have been broken once. Asprotect gets broken daily, so does FlexLM and all sorts of other protections, including dongle stuff. Asprotect is not as lame as some cr4ckers would make it; the reason asprotected apps are released as much as others, is that the programmers using asprotect don't know what they're doing, and often forget to use asprotect's code-block encryption. If that is applied correctly, it should be impossible to w4rez the app without a leaked key.

If your app is small enough that you can do individual builds for each customer, or if you have control of the download webserver, it's possible to set up a scheme that's almost uncrackable, even with leaked keys. IDA is a good example of something done well; watermarks everywhere. IIRC, some of the better reversers were able to remove most of it, but the executable modules built specifically for each customer thwarted the plans of unwatermarked executables.

*EDIT* : Sorry guys, no direct nor indirect links to reverse-engineering related websites... even if it is for legitimate reasons such as protecting software. The community won't support illegal activities such as cracking and reversing or websites promoting those activities.
Posted on 2002-08-04 19:21:39 by f0dder
That IDA developer must be mad. That crazy Russian!
Posted on 2002-08-04 22:39:39 by comrade

That IDA developer must be mad. That crazy Russian!


2 comrade
Don't be too angry. IDA could be uncr*ckable, but it is software. Every piece of software can be w*rezed. IDA is no exception; I saw working links to it.

2 resistance_is_futile

If your application is not something unique (like IDA), there is not much sense in strong protection: you'll spend a lot of time and effort, and finally your application will be cr*cked anyway.
Posted on 2002-08-05 05:55:05 by Aquila

.DATA
code_crc DD <crc32_of_the_code_block>

.CODE
<ask for username/password/whatever>
<generate a key or something like this from the inputs above>
<DEcrypt the code-block with that key>
<generate a crc value from the Decrypted code block>
<check if that crc is equal to the hardcoded one (in the data section)>
<if NO: quit program>
<else : jump to the code block!>

code_blk_start:

<paste your code here!>

code_blk_end:

<exit program>


This will need a few fixups AFTER compiling... all you have to do is ENcrypt the code block and store the crc somewhere. If you didn't use plain XOR encrypting or use your own implementation of CRC, this would be very hard to crack... f0dder wrote a good essay about this and I wanted to link to it, but I couldn't reach his site...

The best thing would be if you write a little tool that you can include in bldall.bat. It should do all the encrypting and crc stuff. Oh, and include a few free spaces in the code block; your tool could paste a few random numbers into these fields so that the checksum changes on every compiled output.

Maybe this is possible at link time with macros too, but I don't know much about macros. This after-link tool wouldn't be so hard to code...
Posted on 2002-08-05 06:17:43 by mob
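
The after-link tool described in the post above, sketched in Python as an added example (not code from the thread or from any poster). The slot marker, the block offsets, the sample image, and the choice of PBKDF2 plus a SHA-256 counter-mode keystream are assumptions made here for illustration; `unlock` mirrors the decrypt-then-CRC check the startup stub would perform.

```python
import hashlib
import os
import zlib

SLOT = b"\xCC" * 8  # assumed marker for a "free space" (data, never executed)

# Constructed sample image: loader stub | code block with one slot | tail
IMAGE = b"STUB" + b"\x90" * 16 + SLOT + b"\xC3" * 8 + b"TAIL"
START, END = 4, 36  # code_blk_start / code_blk_end offsets in IMAGE


def derive_key(name: str, serial: str) -> bytes:
    """Key is derived from the registration inputs and is not stored in the file."""
    return hashlib.pbkdf2_hmac("sha256", serial.encode(), name.encode(), 100_000)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """SHA-256 in counter mode as a keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "little")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def protect(image: bytes, start: int, end: int, key: bytes):
    """Post-link step: randomise slots, CRC the plaintext block, then encrypt it."""
    block = bytearray(image[start:end])
    pos = block.find(SLOT)
    while pos != -1:
        block[pos:pos + len(SLOT)] = os.urandom(len(SLOT))
        pos = block.find(SLOT, pos + len(SLOT))
    crc = zlib.crc32(block)  # value to patch into code_crc
    return image[:start] + keystream_xor(bytes(block), key) + image[end:], crc


def unlock(image: bytes, start: int, end: int, key: bytes, crc: int):
    """Startup check: decrypt, compare CRC, return None (quit) on mismatch."""
    plain = keystream_xor(image[start:end], key)
    return plain if zlib.crc32(plain) == crc else None


if __name__ == "__main__":
    k = derive_key("Alice", "AAAA-BBBB-CCCC")  # constructed name/serial
    img, crc = protect(IMAGE, START, END, k)
    print(hex(crc), unlock(img, START, END, k, crc) is not None)
```

Because the CRC is stored in the clear, it also confirms a correct key, so the scheme is only as strong as the entropy of the serial and the secrecy of issued keys.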
Thx for the replies guys. Mob, yeah, I will try it and see. I think that this area isn't for me lol. Still going to try it though..
Posted on 2002-08-05 20:39:39 by resistance_is_futile