June 1999
Views on software protection
(by various programmers and crackers)
"a game of lesser and lesser returns for time invested: there are always going to be those with more time on their hands than you have, who crack it"
"you don't have to be nice to crackers, or people using cracks - they aren't nice to you"
read and enjoy!
Rob ~ Devin ~ Chris

Courtesy of fravia's pages of reverse engineering

Rob
I really don't think you need to know much (if anything) about assembler to do well in shareware (and make a good living for that matter) and make adequate protection.

There are several levels of protection, each with their own tradeoffs in time spent on making it, and protection they offer (balanced with the level of protection you need, something much overlooked!). To take my own software: it has some protection; one needs a registration key to make it work. There have been key generators out for it for ages, yet my sales have only gone up over the years and I certainly can't complain. The moral of this story is that I believe a bit of protection can go a long way in that it makes people think of registering and lots of them actually will. This is in contrast to having no protection at all. Others have experimented with releasing the exact same program through different channels with the only difference being one stopped working after a while (and needed a key), the other just had nag screens telling users they really should register by now. Turned out most people will not register unless there is a compelling reason to do so (i.e. it stops working and they need a key). Of course, a number of those in need of a key will get it from a warez site, but my own experience shows there's still a large group that'll buy a key.

I'm moving to what I see as the next level of protection, making it hard to make key generators, and building in ways to block stolen keys in subsequent releases. This can be done using public key encryption, and doesn't require assembler at all. The consequence is that to crack the program the warez scene has to bring out patches rather than just release keys. This is a whole different ballgame, and far fewer users will want to run a patch vs. typing in a fake key.

Beyond this one can add more and more code to make debugging/disassembling/patching the software harder and harder. While interesting, this is a game of lesser and lesser returns for time invested. There are always going to be those with more time on their hands than you have, who crack it. Personally I'm more interested in spending that time in furthering my business, and believe that yields more (monetary) returns when compared to spending it on coding the ultimate protection.

There you have it! My views on software protection. Of course, feel free to disagree...

Rob
-/-
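The scheme Rob outlines above (registration keys checked with public-key cryptography, plus a blocklist for stolen keys in later releases), as an added example that is not part of the original page or of Rob's product. The key pair, licensee names and `REVOKED` list are constructed, and the signature is textbook RSA over a SHA-256 hash for brevity; a real product would use a properly generated key with RSA-PSS or Ed25519 from a vetted library.

```python
import base64
import hashlib

# DEMO KEY ONLY (constructed): the primes are the public Mersenne primes
# 2^521-1 and 2^607-1, so this modulus is trivially factorable.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half, shipped inside the application
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, never leaves the vendor

# Hypothetical blocklist of leaked licensee names, compiled into a later release.
REVOKED = {"leaked@example.com"}


def _digest(name):
    # SHA-256 of the licensee name as an integer (no padding: textbook RSA).
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")


def issue_key(name):
    """Vendor side: sign the licensee name with the private exponent."""
    sig = pow(_digest(name), D, N)
    raw = sig.to_bytes((N.bit_length() + 7) // 8, "big")
    return base64.b32encode(raw).decode()


def check_key(name, key):
    """Application side: needs only (N, E) and the blocklist."""
    if name in REVOKED:
        return False
    try:
        sig = int.from_bytes(base64.b32decode(key), "big")
    except ValueError:                 # malformed base32 input
        return False
    return sig < N and pow(sig, E, N) == _digest(name)
```

Because the shipped binary contains only the verification half, reading the check routine does not yield a way to produce new valid keys, which is the property Rob is after.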

Devin
I work as a programmer in a large company with several hundred employees. I have briefly mentioned cracks around the office, and I have found that most people don't even know what it means.
They think you're talking about some kind of drug.

The few that have heard the term told me it wasn't worth the bother to try to find a crack. They'd just rather pay for it and be done. I know maybe three people in our company who look for cracks.

From what I've been told, some people spend days and even weeks looking for a crack for a $15.00 shareware program. Now when you consider that the guys are making 30-plus an hour, it sort of doesn't make sense, does it?

For the most part, most people I know say programs are cheap enough that the time searching for a crack, especially if it's going to take a long time, just isn't worth it.

Frankly I think the time spent on writing better protection would be more helpful than trying to shut down a crack site for a few days and we all know that's all you will succeed in doing.

I don't think it's worth the effort. Better to spend the time on making a better program with a tougher code to crack.

Devin

Chris
there are examples on Fravia's pages which describe how to put markers in C/C++ code. the markers are byte sequences which will never be produced by a compiler. you just use asm / emit to put them where you need them. then, you write a little app to scan for these markers, do a checksum between them and store that checksum somewhere. it's fun and easy.

Fravia+
Yep, -c, yet I hope you understand that this approach can ALSO be easily reversed. The problem is the "somewhere" in your assumption.

Chris
yep.

still, it's always good to have yet-another trap for crackers to fall into.

and, the nicest thing to do with the fileCRC!=appCRC info is not to put up a dialog box and yell at the user, but to do something subtle like:

a) reset the user parameters
b) corrupt the data in subtle ways
c) start a (long, 5 minute) timer, shut down when the timer goes off
d) refuse to print certain things
e) write random data to the middle of the EXE
etc..

the point is, if the app has been modified, you don't have to be nice to the user. and, you don't have to make it easy for the cracker to know that the app even does a CRC on itself. just cruise along nicely, make the cracker think everything is fine. maybe he'll even distribute the crack he's made. people will use the crack, and the app won't work.

remember, you don't have to be nice to crackers, or people using cracks - they aren't nice to you.

-c
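The "little app" from the start of this exchange, which scans for two markers, checksums the bytes between them and stores the result, as an added example that is not code from the original page or from Chris. The marker bytes, the `CRCSLOT:` tag and the sample image are constructed for the sketch; the scanner rejects ambiguous markers and a slot that overlaps the checksummed region.

```python
import struct
import zlib

# Constructed marker and slot bytes for this sketch (assumptions, not from the page).
BEGIN, END = b"\xf1\xd6MRK-BEGIN", b"\xf1\xd6MRK-END"
SLOT = b"CRCSLOT:"  # tag followed by 4 bytes reserved for the stored CRC-32

# Constructed stand-in for an executable image.
SAMPLE = (b"HDR" + BEGIN + b"\x55\x8b\xec\x83\xec\x10\xc3" + END
          + b"data" + SLOT + bytes(4))


def region(image):
    """Return (start, end) offsets of the bytes strictly between the markers."""
    if image.count(BEGIN) != 1 or image.count(END) != 1:
        raise ValueError("each marker must occur exactly once")
    start = image.index(BEGIN) + len(BEGIN)
    end = image.index(END)
    if end < start:
        raise ValueError("END marker precedes BEGIN marker")
    return start, end


def slot_offset(image, start, end):
    """Locate the 4-byte checksum slot; it must lie outside the region."""
    if image.count(SLOT) != 1:
        raise ValueError("checksum slot tag must occur exactly once")
    off = image.index(SLOT) + len(SLOT)
    if off + 4 > len(image) or (off < end and off + 4 > start):
        raise ValueError("checksum slot truncated or inside the region")
    return off


def stamp(image):
    """Build step: store the region's CRC-32 in the reserved slot."""
    start, end = region(image)
    off = slot_offset(image, start, end)
    crc = zlib.crc32(image[start:end])
    return image[:off] + struct.pack("<I", crc) + image[off + 4:]


def verify(image):
    """Integrity check: recompute the CRC-32 and compare with the stored value."""
    start, end = region(image)
    off = slot_offset(image, start, end)
    return zlib.crc32(image[start:end]) == struct.unpack_from("<I", image, off)[0]
```

CRC-32 is unkeyed, so the stored value only holds as long as the slot itself is not rewritten, which is the "somewhere" problem Fravia+ raises in the reply above.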