Home > Archive > Visual Basic > February 2005 > Shareware licensing
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Shareware licensing
|
|
| Elmo Watson 2005-02-25, 8:55 pm |
| I've been looking at Shareware licensing apps and solutions - generating
license keys, etc - -
In particular - Visual Protect
has anyone had any experience with this product? feedback?
Plus - if you have any that you swear by - I'd like to know - - too much
information to sort through, using Google - thought I'd try to compile a
short list here - - by your recommendations.
thanks
| |
|
| There is NONE to swear by. If your application is popular and the crackerz
want to crack it doesn't matter what you implement it will be bypassed...
Article to read:
http://www.searchlores.org/protec/protec.htm
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"Elmo Watson" <sputnik@nospamYahoo.com> wrote in message
news:%23W6QgX4GFHA.3272@TK2MSFTNGP10.phx.gbl...
> I've been looking at Shareware licensing apps and solutions - generating
> license keys, etc - -
> In particular - Visual Protect
> has anyone had any experience with this product? feedback?
>
> Plus - if you have any that you swear by - I'd like to know - - too much
> information to sort through, using Google - thought I'd try to compile a
> short list here - - by your recommendations.
>
> thanks
>
>
>
>
>
>
| |
| Elmo Watson 2005-02-26, 3:55 am |
| The point is that I want to get a pretty good one - -
what you said, goes without saying -
I just wanted to get opinions on what people thought were some of the better
apps available.
"Veign" <NOSPAMinveign@veign.com> wrote in message
news:%23kA9%23k4GFHA.3612@TK2MSFTNGP09.phx.gbl...
> There is NONE to swear by. If your application is popular and the
crackerz
> want to crack it doesn't matter what you implement it will be bypassed...
>
> Article to read:
> http://www.searchlores.org/protec/protec.htm
>
> --
> Chris Hanscom - Microsoft MVP (VB)
> Veign's Resource Center
> http://www.veign.com/vrc_main.asp
> --
>
> "Elmo Watson" <sputnik@nospamYahoo.com> wrote in message
> news:%23W6QgX4GFHA.3272@TK2MSFTNGP10.phx.gbl...
>
>
| |
|
| You could spend $1 or your could spend $1000 on a protection scheme. The
difference is that the $1 will be cracked in 30secs, while the $1000 will be
cracked in 30min - either way it will be cracked...
The best protection schemes are the ones not discussed. That is, a
non-commercial, custom built one will have a better chance as the cracker
would have limited exposure to its protection schemes. Anything you get off
the shelf would have tutorials on the net on how to crack it...
Basically, save your money and use the information in the article link I
posted to develop you own. The more you think outside the box, the better
chance it will have to hold up....
Good Luck...
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"Elmo Watson" <sputnik@nospam.yahoo.com> wrote in message
news:e5tnqp5GFHA.3628@TK2MSFTNGP15.phx.gbl...
> The point is that I want to get a pretty good one - -
> what you said, goes without saying -
>
> I just wanted to get opinions on what people thought were some of the
better
> apps available.
>
>
> "Veign" <NOSPAMinveign@veign.com> wrote in message
> news:%23kA9%23k4GFHA.3612@TK2MSFTNGP09.phx.gbl...
> crackerz
bypassed...[color=darkred]
generating[color=darkred]
much[color=darkred]
a[color=darkred]
>
>
| |
| Greg Teets 2005-02-26, 3:55 am |
| >Article to read:
>http://www.searchlores.org/protec/protec.htm
>
>--
>Chris Hanscom - Microsoft MVP (VB)
>Veign's Resource Center
>http://www.veign.com/vrc_main.asp
I enjoyed that article. It makes perfect sense. As with many other
things, its points seem pretty obvious after reading them. For most
of us, these hints would provide a "pretty secure" deal.
A little bit of extra effort would make it hard enough for the
non-techie to hack. Depending on your target market for your program
and the volume you can sell, that could be plenty of protection.
If somebody wants it bad enough without paying for it, they will hack
it, as everybody knows and says.
Thanks for the link.
Greg Teets
Cincinnati Ohio USA
| |
|
| Whenever I release a new shareware application I seem to find myself
re-reading that article along with many other I have locally (wish I could
publish them).
Glad you found the link helpful....
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"Greg Teets" <gteets99@yahoo.com> wrote in message
news:3tiv11tcemtffes4q9cmb7ub0ak5dug2mk@
4ax.com...
>
> I enjoyed that article. It makes perfect sense. As with many other
> things, its points seem pretty obvious after reading them. For most
> of us, these hints would provide a "pretty secure" deal.
>
> A little bit of extra effort would make it hard enough for the
> non-techie to hack. Depending on your target market for your program
> and the volume you can sell, that could be plenty of protection.
>
> If somebody wants it bad enough without paying for it, they will hack
> it, as everybody knows and says.
>
> Thanks for the link.
>
> Greg Teets
> Cincinnati Ohio USA
| |
|
| I wrote my own "Key" pattern. Good luck figuring it out, but like any
other, it has a weakness. Make the most complicated key in the world, and
integrate it into your entire app, but where and how do you store it?
There's always a way.
BT3
"Elmo Watson" <sputnik@nospamYahoo.com> wrote in message
news:%23W6QgX4GFHA.3272@TK2MSFTNGP10.phx.gbl...
> I've been looking at Shareware licensing apps and solutions - generating
> license keys, etc - -
> In particular - Visual Protect
> has anyone had any experience with this product? feedback?
>
> Plus - if you have any that you swear by - I'd like to know - - too much
> information to sort through, using Google - thought I'd try to compile a
> short list here - - by your recommendations.
>
> thanks
>
>
>
>
>
>
| |
|
| Really doesn't matter how complicated your Key is. What the cracker will do
is just provide a NOP in place of your jump routine and set any internal
flags to succeed - pretty simple using an program like OllyDbg...
Did you know that VB EXE's store the original function names as a comment of
the assembly code? Crackerz will first look for funcition names that give
things away - like IsRegistered..
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"BT3" <honeypot@epmctc.com> wrote in message
news:7jUTd.90979$GT.10199@okepread01...
> I wrote my own "Key" pattern. Good luck figuring it out, but like any
> other, it has a weakness. Make the most complicated key in the world, and
> integrate it into your entire app, but where and how do you store it?
> There's always a way.
>
> BT3
>
> "Elmo Watson" <sputnik@nospamYahoo.com> wrote in message
> news:%23W6QgX4GFHA.3272@TK2MSFTNGP10.phx.gbl...
>
>
| |
| Jonathan Wood 2005-02-26, 3:55 pm |
| Veign,
> The best protection schemes are the ones not discussed. That is, a
> non-commercial, custom built one will have a better chance as the cracker
> would have limited exposure to its protection schemes. Anything you get
off
> the shelf would have tutorials on the net on how to crack it...
Actually, I've been convinced that crackers are unable to come up with a key
for a public/private key encryption scheme.
The result is that the only way to hack the program, is by modifying the
executable image. Yes, you could say the program has then been hacked.
However, crackers prefer to come up with valid keys rather than modifying
the executable image for the following reasons.
1. When you patch an EXE, it's not possible to know if there are still
execution paths that would detect the patch. For example, an EXE might make
a particular check for a valid key only every so many runs. So an EXE could
be designed specifically to foil being patched.
2. Patches are broken with even the slightest update to the EXE.
So, yes, they can be cracked. But I've thought of developing and marketing a
public/private key encryption scheme myself for shareware. No matter how
many people know about it, it would still be very secure. (Although, steps
would need to be taken so that crackers writing patches would need different
patches for each application that used the tool.)
Just my thoughts.
--
Jonathan Wood
SoftCircuits
http://www.softcircuits.com
Available for consulting: http://www.softcircuits.com/jwood/resume.htm
| |
|
| right. Anytime the code gets into somewhere "significant", it stops to ask
a function if to decrypt part of the Key to see if it is allowed. Sometimes
that is, other times it uses code built right into the already executing
code. Both crackeable, sure, but not without intending to per say.
I do user rights verification much like Novell does. A database that
contains object rights, etc. That makes the code a bit more tedious to get
around, but sure, still do-able.
Locks only stop honest people anyway.
And no, I didn't know that about the function names. I don't hack much
anymore. Short of the occasional, been maybe 20 years or so.
BT3
"Veign" <NOSPAMinveign@veign.com> wrote in message
news:ueg5hDCHFHA.3612@TK2MSFTNGP09.phx.gbl...
> Really doesn't matter how complicated your Key is. What the cracker will
do
> is just provide a NOP in place of your jump routine and set any internal
> flags to succeed - pretty simple using an program like OllyDbg...
>
> Did you know that VB EXE's store the original function names as a comment
of
> the assembly code? Crackerz will first look for funcition names that give
> things away - like IsRegistered..
>
> --
> Chris Hanscom - Microsoft MVP (VB)
> Veign's Resource Center
> http://www.veign.com/vrc_main.asp
> --
>
> "BT3" <honeypot@epmctc.com> wrote in message
> news:7jUTd.90979$GT.10199@okepread01...
and[color=darkred]
generating[color=darkred]
much[color=darkred]
a[color=darkred]
>
>
| |
| Jonathan Wood 2005-02-26, 3:55 pm |
| You should never store the key within the application.
That's why my shareware apps use hash algorithms to verify the key. If your
code simply compares a key to an existing key, then cracking the program is
a breeze. Even if you encrypt the key, the hacker can trace through to the
point you compare the two and simply copy the key it is compared to.
--
Jonathan Wood
SoftCircuits
http://www.softcircuits.com
Available for consulting: http://www.softcircuits.com/jwood/resume.htm
"BT3" <honeypot@epmctc.com> wrote in message
news:7jUTd.90979$GT.10199@okepread01...
> I wrote my own "Key" pattern. Good luck figuring it out, but like any
> other, it has a weakness. Make the most complicated key in the world, and
> integrate it into your entire app, but where and how do you store it?
> There's always a way.
>
> BT3
>
> "Elmo Watson" <sputnik@nospamYahoo.com> wrote in message
> news:%23W6QgX4GFHA.3272@TK2MSFTNGP10.phx.gbl...
>
>
| |
|
| The problem isn't in the public / private key and having the right
combination the problem will be in how your application checks for valid
keys. The EXE is the same for each user regardless of the key combination
and therefore can be cracked - you are following a set of steps and rules to
identify a properly registered application and the cracker just needs to
figure them out and NOP where you jump into routines that check and set
default values for any flags you use...
If you have a single point in the application for checking for a registered
version or you have a single boolean flag that sets a registered version
than it will be cracked in seconds. The key is to hide the registration
code inside of actual application functions and spread them around. Also,
creating a false positive crack which doesn't show its error until days /
w s later becomes very difficult to crack...
You want to make sure your application is never cracked then create an
application that nobody wants<g>
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"Jonathan Wood" <jwood@softcircuits.com> wrote in message
news:uHS1jrCHFHA.2156@TK2MSFTNGP09.phx.gbl...
> Veign,
>
cracker[color=darkred]
> off
>
> Actually, I've been convinced that crackers are unable to come up with a
key
> for a public/private key encryption scheme.
>
> The result is that the only way to hack the program, is by modifying the
> executable image. Yes, you could say the program has then been hacked.
> However, crackers prefer to come up with valid keys rather than modifying
> the executable image for the following reasons.
>
> 1. When you patch an EXE, it's not possible to know if there are still
> execution paths that would detect the patch. For example, an EXE might
make
> a particular check for a valid key only every so many runs. So an EXE
could
> be designed specifically to foil being patched.
>
> 2. Patches are broken with even the slightest update to the EXE.
>
> So, yes, they can be cracked. But I've thought of developing and marketing
a
> public/private key encryption scheme myself for shareware. No matter how
> many people know about it, it would still be very secure. (Although, steps
> would need to be taken so that crackers writing patches would need
different
> patches for each application that used the tool.)
>
> Just my thoughts.
>
> --
> Jonathan Wood
> SoftCircuits
> http://www.softcircuits.com
> Available for consulting: http://www.softcircuits.com/jwood/resume.htm
>
>
| |
|
| >> Locks only stop honest people anyway.
That's the key right there...
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"BT3" <honeypot@epmctc.com> wrote in message
news:7C2Ud.91018$GT.7199@okepread01...
> right. Anytime the code gets into somewhere "significant", it stops to
ask
> a function if to decrypt part of the Key to see if it is allowed.
Sometimes
> that is, other times it uses code built right into the already executing
> code. Both crackeable, sure, but not without intending to per say.
>
> I do user rights verification much like Novell does. A database that
> contains object rights, etc. That makes the code a bit more tedious to
get
> around, but sure, still do-able.
>
> Locks only stop honest people anyway.
> And no, I didn't know that about the function names. I don't hack much
> anymore. Short of the occasional, been maybe 20 years or so.
>
> BT3
>
> "Veign" <NOSPAMinveign@veign.com> wrote in message
> news:ueg5hDCHFHA.3612@TK2MSFTNGP09.phx.gbl...
will[color=darkred]
> do
comment[color=darkred]
> of
give[color=darkred]
> and
> generating
> much
compile[color=darkred]
> a
>
>
| |
| Rick Rothstein 2005-02-26, 3:55 pm |
| > You want to make sure your application is never cracked
> then create an application that nobody wants<g>
That is the tact that I take... I must have written thousands of
programs that no one has wanted to date and I'm happy to say that not
one of them has ever been hacked.<g>
Rick
| |
|
| And think of all the time and energy you saved by not having to implement
any security<g>...
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"Rick Rothstein" <rickNOSPAMnews@NOSPAMcomcast.net> wrote in message
news:e$8miDDHFHA.3076@tk2msftngp13.phx.gbl...
>
> That is the tact that I take... I must have written thousands of
> programs that no one has wanted to date and I'm happy to say that not
> one of them has ever been hacked.<g>
>
> Rick
>
| |
|
| I don't, just the pattern. If mid(Key,11,1)="B" then Call CheckBCode, etc.
CheckBCode might check that mid(Key,15,2) is some multiple of mid(Key,2,1),
might not too.
"Jonathan Wood" <jwood@softcircuits.com> wrote in message
news:Oqks4sCHFHA.2736@TK2MSFTNGP09.phx.gbl...
> You should never store the key within the application.
>
> That's why my shareware apps use hash algorithms to verify the key. If
your
> code simply compares a key to an existing key, then cracking the program
is
> a breeze. Even if you encrypt the key, the hacker can trace through to the
> point you compare the two and simply copy the key it is compared to.
>
> --
> Jonathan Wood
> SoftCircuits
> http://www.softcircuits.com
> Available for consulting: http://www.softcircuits.com/jwood/resume.htm
>
> "BT3" <honeypot@epmctc.com> wrote in message
> news:7jUTd.90979$GT.10199@okepread01...
and[color=darkred]
generating[color=darkred]
much[color=darkred]
a[color=darkred]
>
>
| |
| Jonathan Wood 2005-02-26, 8:55 pm |
| Veign,
> The problem isn't in the public / private key and having the right
> combination the problem will be in how your application checks for valid
> keys. The EXE is the same for each user regardless of the key combination
> and therefore can be cracked - you are following a set of steps and rules
to
> identify a properly registered application and the cracker just needs to
> figure them out and NOP where you jump into routines that check and set
> default values for any flags you use...
Well, at least in C++, it is possible to have the checks be compiled inline.
When an application sprinkles these checks throughout, it's a little more
difficult for the crackers to know where they will be.
Yes, they will probably need to call a common function, where the
instructions could be NOP'd out, but that could be minimized by carefully
written inline checks.
> If you have a single point in the application for checking for a
registered
> version or you have a single boolean flag that sets a registered version
> than it will be cracked in seconds. The key is to hide the registration
> code inside of actual application functions and spread them around. Also,
> creating a false positive crack which doesn't show its error until days /
> ws later becomes very difficult to crack...
Right, my apps include several of these as well.
> You want to make sure your application is never cracked then create an
> application that nobody wants<g>
Basically, true, although WebPosition, which I worked on for a while, must
check with an online server to update its database. While doing so, it also
tests for revoked licenses. Kind of  to be able to revoke a license you
have either given out or you find out about, but certainly not practical for
all applications.
--
Jonathan Wood
SoftCircuits
http://www.softcircuits.com
Available for consulting: http://www.softcircuits.com/jwood/resume.htm
| |
| Jonathan Wood 2005-02-26, 8:55 pm |
| Or fill any orders.
--
Jonathan Wood
SoftCircuits
http://www.softcircuits.com
Available for consulting: http://www.softcircuits.com/jwood/resume.htm
"Veign" <NOSPAMinveign@veign.com> wrote in message
news:ufit1MDHFHA.1476@TK2MSFTNGP09.phx.gbl...
> And think of all the time and energy you saved by not having to implement
> any security<g>...
>
> --
> Chris Hanscom - Microsoft MVP (VB)
> Veign's Resource Center
> http://www.veign.com/vrc_main.asp
> --
>
> "Rick Rothstein" <rickNOSPAMnews@NOSPAMcomcast.net> wrote in message
> news:e$8miDDHFHA.3076@tk2msftngp13.phx.gbl...
>
>
| |
| Greg Teets 2005-02-26, 8:55 pm |
| On Sat, 26 Feb 2005 11:29:18 -0500, "Veign" <NOSPAMinveign@veign.com>
wrote:
>Really doesn't matter how complicated your Key is. What the cracker will do
>is just provide a NOP in place of your jump routine and set any internal
>flags to succeed - pretty simple using an program like OllyDbg...
>
I know hardly anything about this. What is "NOP"?
Thanks.
Greg Teets
Cincinnati Ohio USA
| |
|
| NOP = No OPeration
--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp
--
"Greg Teets" <gteets99@yahoo.com> wrote in message
news:hl1221lup5orjh2q7f8eol8p8rm0hkct2g@
4ax.com...
> On Sat, 26 Feb 2005 11:29:18 -0500, "Veign" <NOSPAMinveign@veign.com>
> wrote:
>
do[color=darkred]
>
> I know hardly anything about this. What is "NOP"?
>
> Thanks.
> Greg Teets
> Cincinnati Ohio USA
| |
| Elmo Watson 2005-02-27, 3:55 am |
| That's really great - I'm so proud of you guys knowing how to do it all on
your own.
Unfortunately, I don't have the slightest idea - I know how to create an
application to do what I need it to do - and I've never come anywhere close
to doing something like this. None of my apps don't use any fancy, long
algorithms, so I don't need to go there, during the the writing of the apps.
And like you say - if it's going to be cracked - it's going to be cracked
whether I spend ws learning how to do it, or I buy a program to do it for
me. Unfortunately, time is money and I don't have that kind of extra time on
my hands (after my two jobs and my family) to sit down, and find out how to
do something like this and then do it.
That's the reason I asked one question and one question only - if there was
one application to do this for you - (ok, for arguments' sake - one that
makes it hardest to hack - 30 minutes, as said before, instead of 10
minutes) - what would it be?
"Elmo Watson" <sputnik@nospamYahoo.com> wrote in message
news:%23W6QgX4GFHA.3272@TK2MSFTNGP10.phx.gbl...
> I've been looking at Shareware licensing apps and solutions - generating
> license keys, etc - -
> In particular - Visual Protect
> has anyone had any experience with this product? feedback?
>
> Plus - if you have any that you swear by - I'd like to know - - too much
> information to sort through, using Google - thought I'd try to compile a
> short list here - - by your recommendations.
>
> thanks
>
>
>
>
>
>
|
|
|
|
|