delphi3000.com - the free delphi knowledge platform
How to protect your software against piracy!

Product: Delphi all versions
Category: Security
Last Update: 01/25/2002
Search Keys: delphi delphi3000 article borland vcl code-snippet piracy install installation register legal
Times Scored: 23
Visits: 12475
Uploader: Fernando Martins
Reference: N/A

Question/Problem/Abstract:
Here's my own experience on how to reduce the number of non-legal installations of software.
Answer:



Before I start, let me tell you that whatever protection system you use, it's just a matter of time until someone breaks it! So what you must have in mind is: "what is the best protection system for this special case?" You must also keep in mind that the best you've got is still breakable!



Once I needed to develop an application where preventing piracy was a must.

I did some investigation and found out what were the possible systems to prevent this. I also did some investigation on how to break those same protection systems.
Let me say that I got a bit disappointed... I thought that mass protection systems would be better than they are... Here's a summary of what I found among the most common:
- Anti-Copy: prevents the disk copy, CD in this case.
- Disk check: when the application starts up, it checks for the original disk, CD in this case.
- Hardware check-up: you plug some hardware into your RS-232 port and check for it in your application from time to time.
- Key activation: the software requires a key to be activated.

Here's what I found out about breaking those systems:
- Anti-Copy: can be broken with a "clone copy" (bit-by-bit) of the disc...
- Disk check: can be broken with a "clone copy" also...
- Hardware check-up: I read too many complaints about it interfering with the system, and it also generates too many calls to your help-line... Plus I read somewhere that this can be fooled through software also...
- Key activation: once the user registers, they can spread the key among friends and everybody can activate the application. If someone takes some time, they can break the code and create a patch to ignore activation or create a key generator.

Looking at this, you must agree that it didn't look too good...

After thinking a while on each of these systems I concluded that:
- Anti-Copy: too easy to break!
- Disk check: too easy to break!
- Hardware check-up: causes too much trouble and can leave customers unsatisfied.
- Key activation: would be great if key proliferation could be stopped!

So I stuck with the key activation idea and gave it a second thought, exploring the pros and cons of this system! I simulated the regular use of this system to better understand it:
1. Get the product
2. Install the product
3. Request key
4. User requests the key
5. User gets the key
6. User activates the product

Here's another way to do it:
1. Get the product from friend
2. Install the product
3. Request key
4. User asks friend for friend's key
5. User uses the friend’s key

I concluded that it was definitely the best - having in mind what I needed to protect this specific product - if I could prevent the key from spreading!
Preventing key spreading became my next goal!

I knew I needed something that could give me guarantees that the application being activated was a legal copy and not a pirate one!  How could I guarantee this ?  How do you prove that what you own is legal ?  How do you prove that you bought something ?
The answer was easy: invoice!
Every product sold comes with an invoice, which has different data, like the invoice number, date and entity sold to!
My next step was using the invoice data in product activation.
But invoice data "per se" was not enough, I mean, if someone gives away a copy of the product, they can also give away the invoice data to activate the product!
I simulated the piracy process again, using the invoice data:
1. Get the product from friend
2. Install the product
3. Request the invoice data
4. User requests the invoice data from friend
5. Request the key
6. User requests the key from friend

Now, that has the same hole that usual key activation has...
I knew that I needed to force the key request for all installed products!
That became my next goal. How could I force the user to request a new key ?  
After some more neuron work, I came up with the answer: time!
In my simulations, both users, the legal and the non-legal, did the same steps to activate the product, but they didn't do it at the same time... Time is continuous and non-repeating, so time was the answer!

What did I do with time then ?  Basically, I generated a key using it!
To activate the product you must have a key, which is generated using the invoice data and the time you have installed the product in the system!
Here's how I made it work:
1. After the product is installed, an encryption of the current time - year, month, day, hour, minute, second, millisecond - is saved somewhere in the system! This is easy to do and there are a lot of ways to hide something in the system.
2. Invoice data request.
3. Generate a "request-key" using the time from 1. and the invoice data from 2.
4. Inform the user that they must request the activation key for the "request-key".
5. Key for product activation request.

I had found the solution!
To request the activation key, the user must specify what is the "request-key", which is guaranteed to be unique, since time is involved and the algorithm I used makes sure of that! ;)

Here's a simulation of the legal case:
1. Buy product and receive invoice
2. Install the product
3. Request invoice data
4. Inform user what the "request-key" is
5. User requests the activation key referring the "request-key" and the invoice data
6. User receives the key
7. User activates the product

It's quite simple, really, the only "visible" change from the original key activation system is the "request-key" that the user must specify when requesting the key!

But this is just half the solution, the other half is you controlling the number of installations!
But that is quite easy!  Every time a key is requested, you know who is requesting it, since the invoice data is specified, so if you got a customer that has 154 key requests in one month, there's something wrong... :)
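
The request-key scheme and the vendor-side request counting described above, as an added Python example (not the author's code; the article does not disclose its algorithm). SHA-256, the HMAC-based activation key, the per-install nonce, the limit of 3 installations per 30 days and all names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed demo secret. A symmetric secret that ships inside the client can
# be extracted, which is the key-generator risk the article itself accepts.
VENDOR_SECRET = b"constructed-demo-secret"


def make_request_key(invoice_no, customer, installed_at, nonce=None):
    """Client side: derive the request key from invoice data + install time."""
    # A per-install random nonce (an assumption, not from the article) keeps
    # request keys unique even if the system clock is forced to a fixed value.
    nonce = secrets.token_hex(8) if nonce is None else nonce
    stamp = installed_at.strftime("%Y%m%d%H%M%S%f")[:-3]  # down to the millisecond
    material = "\x1f".join([invoice_no, customer, stamp, nonce]).encode()
    digest = hashlib.sha256(material).hexdigest().upper()[:20]
    return "-".join(digest[i:i + 5] for i in range(0, 20, 5))


def activation_key_for(invoice_no, request_key):
    """Keyed MAC over invoice number + request key: valid for one install only."""
    msg = f"{invoice_no}\x1f{request_key}".encode()
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest().upper()[:16]


def verify_activation(invoice_no, request_key, activation_key):
    """Client side: constant-time check of the key typed in by the user."""
    expected = activation_key_for(invoice_no, request_key)
    return hmac.compare_digest(expected.encode(), activation_key.encode())


class ActivationDesk:
    """Vendor side: issue keys and count distinct installations per invoice."""

    def __init__(self, max_installs=3, window=timedelta(days=30)):
        self.max_installs = max_installs
        self.window = window
        self.first_seen = defaultdict(dict)  # invoice_no -> {request_key: datetime}

    def request(self, invoice_no, request_key, now):
        seen = self.first_seen[invoice_no]
        if request_key in seen:
            # Same installation asking again (lost key): re-issue, do not count.
            return "reissued", activation_key_for(invoice_no, request_key)
        recent = sum(1 for t in seen.values() if now - t <= self.window)
        if recent >= self.max_installs:
            return "review", None  # ask for proof of purchase before issuing
        seen[request_key] = now
        return "issued", activation_key_for(invoice_no, request_key)


def demo():
    """Constructed scenario: one invoice, four installs within a week."""
    desk = ActivationDesk()
    start = datetime(2002, 1, 25, 10, 30, 0, 123000)
    results = []
    for day in range(4):
        when = start + timedelta(days=day)
        rk = make_request_key("INV-1001", "XPTO Lda", when)
        results.append(desk.request("INV-1001", rk, when)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

A friend's activation key fails `verify_activation` on any other installation because the MAC covers that installation's own request key; signing the request key with a vendor private key and shipping only the public key would avoid embedding the secret in the client.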

I've also explored the possible holes in the system:
1. A couple of non-legal installations may be done, the customer - or "customer friend" - may say that the system crashed and must reinstall... That will just work for a couple of non-legal installations, since you may ask why that is the 98th key request done this week or the 3rd this day...
2. Disk clone can be done. There are tools on the market that clone hard-disks. But what the heck, you cannot prevent that!
3. Someone takes some time and patches the security or creates a key generator. As said in the beginning, there's no way to prevent this...

This system does not work just as a piracy stopper, it also prevents it.
When the invoice data is requested, it's less likely that someone will give it away, since you can track the customer that gave the invoice data to a friend, that gave it to a friend, that gave it to a friend... The original customer knows they can get into trouble with the law by giving that information.
If you get some "customer" requesting its 10th activation key because "We got a new computer that is faster and want the application running on it.", you can say "Why have you bought 9 computers in the last 4 weeks ?"...
If you get some "customer" requesting its 50th activation key because "the system crashed and need to reinstall everything", you can say "Maybe there's something wrong, I'll send someone there to take a look at it! Please have your invoice in hand!"...
If you get some "customer" requesting its 154th activation key, you can say that unless proven to be the legal owner of the product you will not give the activation key...  The "customer" may say it is - it even can be -, but unless it has the invoice, it cannot prove it!...
And if you want to be a bit "nasty", you code a special key that will show the "Do you know that non-legal software may give you 3 years in jail ?" and uninstalls the application from the system...
The "customer" will get the point! ;)





Comments to this article
Easily Broke
    A B (Aug 16 2003 7:21AM)

This system is easily broken. If I were faced with this program, I would first:
1) Start SoftICE (debugger)
2) Start a registry and file monitor
3) Install product
4) Request key
5) Activate

After that, I then know exactly where the data was saved and if it were done inside the program instead of file/registry (if the program had to be activated before closing the install) then the debugger would help with that.

Also, using a debugger it is very easy to just change a jump, for example I could find where you checked for a valid activation, and then change the jump to where it is an invalid activation to a valid (jne to je in assembly).

This system works but for the experienced cracker, it's just another 5 minutes of their life not including install time.

RE: Easily Broke
Abdulla ameer (Feb 4 2007 4:18AM)

very nice very nice very nice very nice very nice very nice very nice very nice

Component for some protection.
    John Mollll (Mar 25 2002 4:05PM)

Have a look at my TNoCopy component at http://www.geocities.com/jaymol/

It's a basic component, but has proved to be very effective.

Create an application, put a TNoCopy on it, compile it and run it, outside Delphi IDE.  Then, copy it to another machine and try running it.

Simple solution
    Nenad Fidanovski (Mar 6 2002 12:52PM)

There is a simple solution for that, and can be used anywhere in the world.
1. User buys a product
2. User installs the product
3. Product gives unique request activation key (like serial no of HDD)
4. User asks seller and gets the activation key

If a friend gets a pirate copy the unique request activation key will be different from the one that his friend has, so the activation key from his friend will be worthless. So the friend must ask and pay for activation key for his unique request activation key.

If the copy friend tries to activate with other key you should give him a message ('Your tries to break this product will cost you more than buying a legal copy. If you try once more I will shut down your computer. If you keep trying I will destroy your computer')

This might help with software piracy.
Any more details can be obtained
nenadf@freemail.org.mk

RE: Simple solution
Fernando Martins (Mar 7 2002 12:21PM)

Hi.

I agree it would be easier, but in this case it's necessary to know "who" is requesting the key...
That's why the invoice data is requested.
As I say on the article, this article is a know-how share about a specific experience...
It's a good boot-strap that anyone can use, change and perfect to any case...

RE: RE: Simple solution
Nenad Fidanovski (Mar 7 2002 12:36PM)

Ok yes,
mainly I was talking about selling products internally, not over Internet or
to persons you don't know.
So when you sell to persons you know you only need the payment
and that's all.
Otherwise on internet you should get the payment with a notice
either to invoice no
or to request activation key,
No one will pay and ask for somebody else's copy of the program.
even if you make a mistake, you can waste 1 - 2 copies of your product not more i.e. you will give as many activation codes as you got payments not more or at least 1 - 2 more

Regards,

Thanks anyway and pre-compiled?
    Mike Eden (Feb 22 2002 11:23PM)

Despite all the negative criticism, I appreciate your article. I had not followed the KISS approach and used a method scrambling disk serial numbers, datetimes, computer name, logged-on user, dumping files and registry settings galore. It worked - for a time and then was too hard to trace and was p***ing off customers so I stopped (for now).

I wondered about getting an automated compiler routine that embedded what you would call 'invoice details' into a unique exe for them - still possibly worth a shot, but obviously wouldn't stop the most ardent hacker. As you said, it's all about prevention (and risk reduction).

Thanks again

Mike

RE: Thanks anyway and pre-compiled?
Fernando Martins (Feb 27 2002 6:03PM)

Hi.

First, thanks for your support! :)
Well, we all must admit it, there's no secure system!
And, as you and I said, this is all about prevention.

Thanks again,
Fernando Martins

Not original
    Fabrice Vigne (Jan 31 2002 11:10AM)

Not original. This system is already used in Winlogo (http://danmo.free.fr/logs/MWinlogo.exe)

RE: Not original
Fernando Martins (Jan 31 2002 5:49PM)

Hi.

Never said it was original! :)
But I didn't know any real product that really used it. Thanks for showing!

Easy
    Medardo Rodriguez (Jan 31 2002 3:27AM)

Your solution is just a matter of minutes for a mediocre cracker: think of running monitors (register, file system, etc.) and see which data your program is modifying when you install it, and send to your friends a copy.

RE: Easy
Fernando Martins (Jan 31 2002 5:46PM)

Hi.

I assumed that in my article.
I even say how it can be cracked...

I also know that some non-legal copies will be done, but not many...
As I stated, it works mainly as prevention...

No easy solution
    Jan Horn (Jan 28 2002 8:20AM)

I've also tried to copy protect a few programs and cracked a few, and the best solution (I think) is to use the 100 methods suggested above.

The idea of datetime won't work, because all you need to do is use DateCrack. DateCrack runs the program from itself with a hook on the time functions and reports whatever date and time you want to give it.

HD serial won't work because it's easy to change the serial. There are programs out there that will change it for you or you can use this bit of code which I used in the turbo pascal days ...

FUNCTION SetSerial(DiskNum : Byte; VAR I : InfoBuffer) : Word; ASSEMBLER;
ASM
  MOV AH, 69h
  MOV AL, 01h
  MOV BL, DiskNum
  PUSH DS
  LDS DX, I
  INT 21h
  POP DS
  JC @Bad
  XOR AX, AX
  @Bad:
End;




RE: No easy solution
Fernando Martins (Jan 28 2002 11:36AM)

Hi.
I agree that date time "per se" won't work!
That was why I mixed the invoice data and a "home made" algorithm that creates a "request key"! The "request key" algorithm gives me some guarantee that on each installation a different "request key" will be generated, even if the date time will always be the same.
Please note that I do accept that some non-legal installations are done, and I do know that there is no secure system!

Fast and SECURE protection
    Delphi C4F (Jan 27 2002 12:35PM)

I've been using ASProtect (http://aspack.com) for a year now and NO keymaker was released since. Only a bunch of stolen keys that are easily put on the black list.
Armadillo is also a very good solution judging by the comments of some Association of Shareware Professionals members.

So instead of making the customer go through all those steps why not simplify things? Use the KISS concept (Keep It Simple Stupid).

RE: Fast and SECURE protection
Jan Horn (Jan 28 2002 8:30AM)

ASPack is just a false sense of security. It might stop the beginner cracker or the guy who wants to change some text in the app, but all you need to do is get unASPack from exetools to unpack even version 2.12. It's very useful to compact your EXE and get it to load faster, but that's about it.

RE: RE: Fast and SECURE protection
Delphi C4F (Jan 28 2002 11:06AM)

But I am referring to ASPROTECT not ASPack.

RE: RE: RE: Fast and SECURE protection
Fernando Martins (Jan 28 2002 12:01PM)

Hi.

I did find some software to generate keys for AS Protect 1.1... The current version, 1.2 looks much better.
What they do is what I do: key activation! They just don't request the invoice data to do it!... Both systems are similar, probably AS Protect is better but, for the product in question, the invoice data is very important... It's a special case.

Wrong
    ThrawN (Jan 26 2002 9:32PM)

Using HD serial to calculate the registration code is easily avoidable either by patching or key generating programs.
There really is no secure way of protection.
Just implement 100 tricks. Crackers don't like having to sort out hundreds of fucken things.
Make additional checks to registration codes much later after the user has entered the serial. Better still, make DEMO (with code bits missing) so they can't crack it. The user has to purchase it to get the final. However that's when carders come into it :) there's a solution for every positive

RE: Wrong
Fernando Martins (Jan 28 2002 12:07PM)

Hi.

As I state in the beginning of my article, I know that there's no secure system!
I do have a bit more security than the key activation, but that's a secret! ;)
I disagree that implementing 100 tricks is the solution, it will consume too much of your time and you will lose focus on the end product!
The best, in my opinion, is a compromise between security, security implementation and ease of use for the end user! I know that there are some non-legal installations around, but that does not bother me, because they will not even reach 1% of them all! That's "acceptable loss"!

another suggestion
    Eber Irigoyen (Jan 25 2002 6:36PM)

how about, after any installation, you make your program send information about the registration key and some other information (as disk serial number, etc) to some internet server, that way, even if the user reinstalls the program on his system, you know he installed it in the same system that was installed the first time, but if you get a different disk serial number the second time, then... something's going on
you could even send information to the server when the user uninstalls the program, so that way you would let him install it in a new system
...what do you think?
of course this is restricted to users with internet access... which, let's move on, internet is everywhere by now

EberSys

RE: another suggestion
Fernando Martins (Jan 28 2002 12:11PM)

Hi.

Well, first of all, that's not legal! That's trespassing! Besides, no one would trust a product that seeks and sends info without your knowledge!
Second: you are assuming that everyone is connected, which is wrong! Most of the end users do not even connect to the net!

RE: RE: another suggestion
Eber Irigoyen (Jan 28 2002 5:41PM)

it doesn't have to be illegal, because it doesn't have to be without the user knowledge and that process can also be done over the phone
how's that?

RE: RE: RE: another suggestion
Fernando Martins (Jan 28 2002 8:00PM)

Hello again.

Well, it would simplify things, because it is already done by phone, fax and e-mail!
But as I said before, the end users that do have a connection are just a small part, and so that did not become part of the design.

RE: RE: RE: RE: another suggestion
Mike Fitzgerald (Jan 31 2002 1:41PM)

Am I missing something here? What's to say the user's hard drive will never break down and the user installs the software on his new hard drive... complete with different serial number?

RE: RE: RE: RE: RE: another suggestion
Fernando Martins (Feb 1 2002 11:42AM)

Hi.

If the user installs on a new hard drive, a new registration key will be necessary.
That happens with, e.g., any shareware application that uses, for instance, the hard drive serial number to force a new key request, even if the user is already registered.

more secure
    Jean Claude Servaye (Jan 25 2002 5:49PM)

use the hard disk serial number to create your request key, so, the program MUST be installed on the same hard drive....

Just my 2 cents...

RE: more secure
Fernando Martins (Jan 28 2002 12:18PM)

Hi.

That occurred to me!
But the invoice data, date time and some "magic dust" do the same and that way I know who is trying to use/install the product! It's not the guy who has the HD serial number "foo-bar", it's someone named "XPTO", or pretending to be "XPTO", whose address and fiscal number I have, since the invoice is necessary!
It works mainly as prevention before it works as a stopper!

RE: RE: more secure
Michael Kochendoerfer (Mar 7 2002 10:51AM)

And... don't forget to print the licence holder's name/company somewhere on each report and each screen mask, it may help though...

RE: more secure
Setki (Jan 30 2002 11:21PM)


Yes, that's more or less what ActiveLock does.

Anybody, any idea if this is a good locker ?

http://www.activelock.com

Grtz, SETKI

RE: RE: more secure
John Aitchison (Feb 17 2002 9:35AM)

I had a look at ActiveLock and it seems to use the serial number
of the Windows install .. not a bad idea. Does anyone know the API call to get the serial number of the Windows disk ? or is it in the registry somewhere?


RE: RE: RE: more secure
Nenad Fidanovski (Mar 7 2002 11:22AM)

Yes,
you can read serial no from HDD with
GetSerialInformation or something
there some articles under system with all necessary
data.

Regards,
nenadf@freemail.org.mk














 
  Copyright © 2000 - 2007 delphi3000.com - All rights reserved. Terms of use. || Privacy
delphi3000.com is a service by bluestep.com IT-Services GmbH (Vienna)