- Server-side security.

- Total program obfuscation.

I primarily work with c# .NET, so bear with me.

The first thing to note is that what pirates want is to be able to run your product as if they bought it, with as little crap bugging them as possible. So I implemented server-side security, using Windows Communication Foundation, I am using functions that are implemented on my own server. Then whatever data is generated, is returned back to me, in an SSL-secured fashion. Therefore much of the functionality of my program, comes from being able to login to my server, and use what functionality my server offers to them.
Now this is what allows me to channel the attacks. All of my security is centered around “This user on our server does not have the permissions to do this” or “This user does not even exist”. Because of this, the attacker cannot crack my server, and therefore bypassing my security is not so simple.

The attacker must emulate much of my server functionality in a cracked executable. He must rewrite large portions of my code, and recompile those into a new executable, or even rewriting them directly into my executable. Now this is where the obfuscation comes in. I will use Smartassembly for this example, but there are other solutions much like this. With Smartassembly, it both protects your executable and obfuscates the code. Meaning that even if someone is able to get your code into readable format, it will still be one giant jumble. A big bonus to this is that the executable will no longer run anymore, so the attacker is left to only being able to read obfuscated code.
Well this makes it difficult for the attacker to actually crack my executable, because they can only edit it if they remove the protection, and they can only run it if the protection is still there. Even to this date, Smartassembly 2/3 have not been cracked to a point where attackers could run the program after stripping the protection.

So by forcing the attacker to a route where they MUST crack the executable, and then making it nearly impossible to crack the executable, I make a fairly formidable opponent in terms of protection for my program. Of course, after a given amount of time, presumably years, the protection scheme may be cracked wide open. But the entire point is outlasting the hackers until I can get a much newer version of my product, which will be protected with a much newer protection scheme. If the hackers want a product that’s been outdated for a couple years, be my guest.

int DemoCode()
{
DEMO_START

printf(“You will need a license key to run this code”);

DEMO_END

return 0;
}

I admit my software isnt’t as popular as I would expect it to be :P hehe, but it hasn’t been cracked yet, I guess more popular copy protections are already better analyzed and described.

Can you please explain me how the Online Activation technique works coz i need to implement it in one of my product (some basic steps as in what all inputs are requried to the registration server and what is the best way to secure this activation process) and what are the best possible ways to store the license info on machine for example registry, license file etc.

I have integrated the manual activation for this product already.

Thanks

I am thinking I’ll just create a list of product keys and issue one of these keys to the customer when they make a purchase. In the app I’m selling I’ll have code that checks the key to see if it meets some scheme I’ll come up with. I know if it is decompiled that the scheme will be known but it sounds like it’s not worth worrrying about that.

First, it appears that it does not matter how you impliment a product key protection scheme for your app as there will always be a group of hackers who will decomplie your app to learn how the product key protection scheme works.

Second, it appears that the next group of hackers may not go to the trouble to decompile but spent time trying to crack the scheme used to create the product key itself.

I read where one way to keep the hackers at bay is to “patch” (whatever that means) the app so that the product key protection scheme is changed regularly in some small way. Does not doing this break the keys issued for earlier “patched versions” of the app?

I am thinking I’ll just create an app to generate a list of product keys and issue one to the customer when they make a purchase. In the app I’ll have code that checks the key to see if it meets some scheme I’ll come up with. I know if it is decompiled that the scheme will be known but it sounds like it’s not worth worrrying about that.

Any thoughts on my thoughs?
TD

Yeah, I liked the cryptography advice in “Blue Skies for Everyone”, though you kinda have to read between the lines to get it.

Also, I heard Bruce Schneier had his own rock and roll song steganographically embedded into the text of Applied Cryptography. Who would have thunk it?

:)

Best regards