Fog Creek Software
Discussion Board

Software protection

I am thinking about how to protect my upcoming software.
I saw that - a popular web site for payment supports ASProtect, Sikandersoft Safeserial, and Armadillo.
So far so good.
But just a quck search on google with "ASProtect crack" and I found a tutorial how to crack ASProtect itself.
So I am wondering if these protection really work.
I know I can protect my software relatively well, because I have read a lot about this matter. But protecting it with a popular Protection System I may actually make it easier for the crackers.
Do you have any experience regarding this topic?

Boris Yankov
Saturday, June 28, 2003

No software protection technique is going to be invulnerable to piracy, but that isn't really what you should strive for: The productive goal is to make it inconvenient enough for the majority of your potential customers that they just won't bother, and presuming that the cost of your product isn't too onerous, they'd just as well rather pay the honest price rather than hang around in IRC looking for cracks which might be loading their system full of trojans.

Jimmy Chonga
Saturday, June 28, 2003

I will certainly make the app easy for the registered users to use.
But that doesen't mean I don't want a decent protection of my program.
Other opinions?

Boris Yankov
Sunday, June 29, 2003

Boris, I don't think anyone has the perfect solution to this problem. I've been reading about products and mechanisms to protect software for 15 years, and have never heard of one that couldn't be cracked. Even hardware protection (like dongles) can be cracked. The hackers disassemble the app and remove the checks. They are exceedingly good at this.

Troy King
Sunday, June 29, 2003

Wait until TCPA/TPMs are incorporated inside MS Windows/Intel CPUs/Mainboards. If it yields true what I've read so far about the combination of the three components, you as a developer will be able to run your code in a protected environment where tampering your code will be prohibited at the lowest level, which is in hardware.

Johnny Bravo
Sunday, June 29, 2003

Hardware features may make something more difficult to crack, but it is still crackable.  As long as your program resides on the disk as a pile of bytes accessible to anyone, it is possible to crack.

Just look at the XBox, Microsoft could have done anything they wanted and it still got cracked.  Well I'm not sure it's the exact same thing, but now you can run any executables on XBox, not just Microsoft's signed executables.

Sunday, June 29, 2003

Content management keeps honest people honest. *Nothing* has ever worked to keep programs from being stolen - they've only made it harder.

There's a digital rendering package that has a hardware dongle (Maya?). I've had it running on my PC.

The lesson - be careful how much effort you put into your software protection schemes. I think you quickly pass the point of diminishing returns, especially when you consider that protection schemes piss your users off.

Also - time spent implementing software protection is time better spent working on your code.

What makes me pull out the credit card:
a) Quality code with the features I need
b) Nag screens
c) 30-45 day expiration date

If it's a component for use in distribution packages, make sure to render "EVALUATION USE ONLY" in the client UI if you can.


Sunday, June 29, 2003

Change protection schemes from time to time and keep up on what the hackers are doing so that old cracks, hacks, public serial numbers, etc. are no longer valid in the next version. Do small dot releases basically for this reason alone. Make your app large enough to dissuade anyone from posting it in it's entirety on a hack site. Once you become big enough it'll be unavoidable... everyone and their brother can get a copy of Potoshop..

Sunday, June 29, 2003

My actual question was:
If you think that a ready-made protection is better from a self-made.

Boris Yankov
Monday, June 30, 2003

Boris, that's not how your question came off at all. My opinion would be you might as well do home-made, because it's not going to stop the crackers any more than ready-made will.

Troy King
Monday, June 30, 2003

I have tried to discuss this kind of issue on the board before, but unfortunately the discussons degenerated

Whatever you do, I'd suggest you make sure the method is deeply embedded throughout the logic of your application.  Don't have a single test which says something like

if (EnteredCode) { AfxMessageBox( "Thanks for registering" ) ; bRegistered = TRUE ; }

As this is is trivially easy to reverse engineer and modify (change one JE to JNE or vice-versa).  Read the tutorials on how these crackers work - and then work out strategies to frustate them, for example, typically they only disassemble part of the application.

S. Tanna
Monday, June 30, 2003

Interesting - I'd suggest just the opposite of Troy, for the same reason - the crackers are going to crack it anyway, why waste your effort on something that's doomed to fail? Instead, get someone else's protection and use it (assuming the cost structure supports doing so, of course.).

Michael Kohne
Monday, June 30, 2003

It seems that the most secure method is to have separate "evaluation" and "registered" distributions of your software. The "evaluation" version is restricted subset of the "registered". Keep in mind, that this limits your shareware options to the "features-based" model, where you offer only a subset of the full functionality of the "registered" product.

However sending the registered distribution of your product for each new release to all your customers could be troublesome for both you and the customer. This is why I still use software protection schemes (my program is already cracked as you may expect).

As for the question, whether "self-made" or "ready-made" protection is better: it depends on your own skills.
If you are good at creating software protections, it is better that you develop your protection alone. At least your protection will be unique and the crackers will have to break it from the scratch.
If you are not experienced with software protection, you may try with "ready-made" solution, but there is no guarantee that you will have any success with it.

Petko Kafedjiski
Monday, June 30, 2003

What is the verdict on protection schemes such as iLok?

This is used by audio software such as Logic and related plug-ins. Apparently it hasn't been cracked yet, but I guess that it should be possible.

Frederik Slijkerman
Monday, June 30, 2003

I worked for a guy (doing software for sale) and he was using the method where he was offering a crippeled version for download, not containing some features at all. This seems to work well, because web sites like the ones you may search in astalavista are all providing only cracks and serials. So the only way to aquire the full version is through Kazaa or warez web site.
The advantage of using a ready-made protection is that their authors are improving it and you get the benefits without further efforts. But they are not very cheap ($300 and up).
And I also find a walkthrough of how to crack an ASProtect protected app. So I think that even if the apps are protecting well, hackers already know how to crack them.
Of course I know that everything is crackable. But that doesen't mean I will give my app without protection with the hope that some 'honest' customers will buy it :)
I have read quite a lot about protecting shareware apps so I guess I will just try to make a good protection on my own.

Boris Yankov
Monday, June 30, 2003

Code your own adaptable, probabilistic security scheme. There is nothing like doing things yourself.

Monday, June 30, 2003

I'm surprised nobody mentioned our great host for this evening: Joel. He's got three different versions for download, only one of which is freely available.

Tuesday, July 01, 2003

Oddly, I found this looking for an iLok crack :-)

My perspective is this:
1. I am a software developer. I know casual piracy is VERY bad for our industry, and us personally.
2. I am a software customer. I know crappy software is very bad for me personally, and for our industry.

In the past I've both written extensive anti-piracy tools into demos, AND stolen software over P2P networks.

The software I wrote was never stolen (I through in all sorts of stuff that would have let me know, and tried to "steal" it myself to no avail); but it didn't sell well because my company overpriced it, quite a bit.

The software I've pirated, I've ultimately never kept. Not 'cause I'm a good guy (though I am enough to pay for what I use); but because I only pirated software I wasn't sure would work for me.  And so far, it really hasn't.

So, what I've learned is that
a) If you don't want people to casually steal your software (you'll never stop real hackers from stealing it - don't waste your time trying); don't give them a reason (pun intended). Release realistic demos that will allow a user to determine if they really have the horsepower to run your stuff, and if your products works the way they need it to.

b)Keep your prices reasonable. Even if your dealing with a very tiny market, always choose volume over profit margins - you'll walk away richer, and with more brand respect, in the long run.

c)Unless a company has a rock solid reputation, or is willing to accept returns - don't blow hundreds of dollars on software you haven't tried yet, unless you're so well-off that you make more money in the time it takes to pirate a program than it would cost to buy it outright.

d)Size doesn't really matter. DVD movies get pirated all the time, but e-books don't. If you want to know why, look at the protection scheme used by First, the re-release the "peanut reader" every month or so - even really good hacker can't write tools for casual pirates that fast. Second, the content is unlocked using the buyer's name and credit card number; which isn't the type of thing you give out to strangers looking to steal content over the internet, if you know what's good for you.

Techincally, the entire publishing industry could have been crushed by Xerox machines. But it wasn't, because it's easier for the casual reader to buy a book than Xerox it. And, because books aren't so over priced, or so consistently worse than they're made out to be, that anyone ever bothered to build some sort of cheap, convenient, easy way for people to casual copy them.

If you want to protect yourself from piracy, don't try to "think like a hacker". Try to think like a customer.

Thursday, January 29, 2004

What about SDProtector ( ) and ElecKey ( ) ?

Serge Sokolov
Friday, August 13, 2004

*  Recent Topics

*  Fog Creek Home