Another method I’ve toyed around with is having a unique assembly for every machine. The installer reads unique values from your client’s machine and sends them to the server. The server then Modifies constants based on the unique IDs of the machine.

ie. newConstant = originalConstant ^ uniqueID

(calculated inline ofcourse)

But even this is just another hindrance to the cracker whereas a web service is as close to perfection as one could hope to achieve. It really is about maintaining your control over the product.

- Server-side security.

- Total program obfuscation.

I primarily work with c# .NET, so bear with me.

The first thing to note is that what pirates want is to be able to run your product as if they bought it, with as little crap bugging them as possible. So I implemented server-side security, using Windows Communication Foundation, I am using functions that are implemented on my own server. Then whatever data is generated, is returned back to me, in an SSL-secured fashion. Therefore much of the functionality of my program, comes from being able to login to my server, and use what functionality my server offers to them.
Now this is what allows me to channel the attacks. All of my security is centered around “This user on our server does not have the permissions to do this” or “This user does not even exist”. Because of this, the attacker cannot crack my server, and therefore bypassing my security is not so simple.

The attacker must emulate much of my server functionality in a cracked executable. He must rewrite large portions of my code, and recompile those into a new executable, or even rewriting them directly into my executable. Now this is where the obfuscation comes in. I will use Smartassembly for this example, but there are other solutions much like this. With Smartassembly, it both protects your executable and obfuscates the code. Meaning that even if someone is able to get your code into readable format, it will still be one giant jumble. A big bonus to this is that the executable will no longer run anymore, so the attacker is left to only being able to read obfuscated code.
Well this makes it difficult for the attacker to actually crack my executable, because they can only edit it if they remove the protection, and they can only run it if the protection is still there. Even to this date, Smartassembly 2/3 have not been cracked to a point where attackers could run the program after stripping the protection.

So by forcing the attacker to a route where they MUST crack the executable, and then making it nearly impossible to crack the executable, I make a fairly formidable opponent in terms of protection for my program. Of course, after a given amount of time, presumably years, the protection scheme may be cracked wide open. But the entire point is outlasting the hackers until I can get a much newer version of my product, which will be protected with a much newer protection scheme. If the hackers want a product that’s been outdated for a couple years, be my guest.

int DemoCode()
{
DEMO_START

printf(“You will need a license key to run this code”);

DEMO_END

return 0;
}

I admit my software isnt’t as popular as I would expect it to be hehe, but it hasn’t been cracked yet, I guess more popular copy protections are already better analyzed and described.

Can you please explain me how the Online Activation technique works coz i need to implement it in one of my product (some basic steps as in what all inputs are requried to the registration server and what is the best way to secure this activation process) and what are the best possible ways to store the license info on machine for example registry, license file etc.

I have integrated the manual activation for this product already.

Thanks