12

For my current application I use a very simple scheme to register new users. When a new user registers an email is sent with a key. To check whether this key is correct a kind of checksum is computed (3-7-11 digit check) which is added as the last 2 digits of the key. There is no check on any further validity of the key. The application does not check whether the key got invalidated.

It is a simple scheme and someone took the time to crack it by disassembling the code. I want to use another scheme for my new application but I am not sure what is the best way to do this.

  • Is there a Delphi library I could use?
  • Is it advisable to use some user supplied info in the key, like his name?
  • Is there a best practice way of registering users?
  • Anything else I have forgotten?

Some registration schemes require an application to check each time at a webserver whether the key is still valid. I'd rather not go that far because this requires a lot of effort on the server side.

Any suggestion or link for a robust way to register new users is very welcome.

Arnold
  • What do you want to do? Register users is easy; just save them to your database. Do you want to have a license key to use with your software? ("activating" it?) – Leonardo Herrera Jan 09 '12 at 19:21
  • 4
    Whatever you do it will be cracked. The question is, how much does that concern you? – David Heffernan Jan 09 '12 at 19:23
  • @David You are completely right and it causes me to miss money for each non-registered product. That's why I would like to have some way of protection. – Arnold Jan 09 '12 at 19:57
  • 3
    In that case, invest in a commercial solution. They are much better positioned to keep up with hackers than any homegrown solution would be. Personally I use Armadillo (now part of Software Passport). – Marjan Venema Jan 09 '12 at 20:13
  • @Marjan Does this force the user to use his application on one platform? Don't you have trouble with users who want to be able to switch between their PC and laptop? – Arnold Jan 09 '12 at 20:27
  • 1
    @Arnold, Armadillo gives you the choice of whether or not to use "hardware locking" or not. You could have the key tied to a particular machine, or just have it be tied to a username. You also get to choose how many times a particular key can be used at the same time, if you want them to be able to run concurrently on their desktop and laptop, for example. – Chris Thornton Jan 09 '12 at 20:33
  • @Chris This sounds quite flexible, will look at it. – Arnold Jan 09 '12 at 20:36
  • David is right, any determined person or group can break your software in no time. All you can do really is deter them by making their task harder. I don't know much about assembly or how visible Delphi code would appear in your exe, but a thought would be to not use stand-out variable or type names such as TMyRegistrationKey. Also rather than having one procedure or function to manage your registration, spread out the code into different places and units, that might make disassembling more of a task trying to find the locations etc. Also consider UPX packer or other exe compressor. –  Jan 09 '12 at 23:27
  • @Arnold: no I don't; that could only be a problem if you use hardware locking or possibly with an activation server. For the latter you could of course set it up to allow two installs... for example from the same IP. It really is up to you. – Marjan Venema Jan 10 '12 at 10:35

4 Answers

11

A better registration scheme is based on asymmetric cryptography (usually RSA algorithm). The idea is that only you can generate a valid key, while everybody can check that a key is valid (asymmetric cryptography allows this trick). So when you see your program with a valid key on torrents you just cancel support for a customer who was given this key.

kludg
  • This sounds interesting. Do you have any link to algorithms or so? – Arnold Jan 09 '12 at 19:58
  • 2
    +1 Any examples or links to those for this specific use of RSA? – Marjan Venema Jan 09 '12 at 19:59
  • @Marjan - No. AFAIK these solutions are either commercial or personal (and since that is a sensitive matter an author is not willing to share). – kludg Jan 09 '12 at 20:07
  • @Marjan It appears that this question was answered earlier: http://stackoverflow.com/questions/2998885/delphi-asymmetric-encryption. A Delphi crypto package on SourceForge. I'll dive straight into it. EDIT: sorry for the wrong link, it's now correct. Look for lockbox. – Arnold Jan 09 '12 at 20:09
  • 2
    @DavidHeffernan not if you only withdraw support and do not make use of the software impossible. Depends on what you offered when the license was sold whether you could exclude them from further updates, but unless you sold them a lifetime license, updates/upgrades beyond the support cycle should be possible to withdraw. Then again, IANAL... – Marjan Venema Jan 09 '12 at 20:11
  • @marjan point is you need to be careful in such a situation and you do need a good lawyer – David Heffernan Jan 09 '12 at 20:14
  • @DavidHeffernan: yep absolutely. – Marjan Venema Jan 09 '12 at 20:16
  • 3
    @David Technically, the key became invalid for the future updates. That is all. A customer willing to upgrade should contact you with the problem. Everything else is up to you - you can warn him and give him a new key, or act differently. – kludg Jan 09 '12 at 20:19
  • @Serg If you deny support for the duration of the pre-existing contract then you may invite problems, but yes you can refuse to do business in the future. On the other hand you may well be chopping your nose off to spite your face. These acts are often carried out by rogue employees who may well have left the company in question. It is a truly fascinating topic though and one that my org is grappling with at the moment. – David Heffernan Jan 09 '12 at 20:22
  • 5
    And then someone patches the IsValidKey function to always return true. – The_Fox Jan 10 '12 at 08:29
  • @The_Fox Key generation/validation is only a part of software protection. A mathematically perfect key scheme is useless if it can be switched off by changing 2 bytes in executable. – kludg Jan 10 '12 at 10:55
  • 1
    Protecting against such reverse engineering is tricky indeed. – Warren P Jan 10 '12 at 23:35
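As an added example, not from the question or any of the answers, here is the asymmetric scheme kludg describes, written in Python rather than Delphi so it runs stand-alone with only the standard library: the vendor signs the licensee's name and an expiry with a private RSA key, and the shipped program holds only the public key, so it can verify keys but cannot mint them. The function names, the licensee values and the base32 key format are constructed for this example; textbook RSA over SHA-256 with a 512-bit modulus is for illustration only, and a product would use a vetted library (such as the LockBox package mentioned in the comments) with proper padding and key sizes.

```python
import base64, hashlib, math, secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for the demo-sized primes generated below."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=512):
    """Vendor side only: returns (public (n, e), private (n, d)). 512 bits is demo size."""
    e = 65537
    while True:
        p, q = (secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1 for _ in range(2))
        phi = (p - 1) * (q - 1)
        if p != q and is_probable_prime(p) and is_probable_prime(q) and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def issue_key(priv, name, expires):
    """Vendor side: sign 'name|expires' and pack payload + signature into a base32 string."""
    n, d = priv
    payload = f"{name}|{expires}".encode()
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    sig = pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.b32encode(bytes([len(payload)]) + payload + sig).decode().rstrip("=")

def check_key(pub, key):
    """Ships in the program with only the public key. Returns (name, expires) or None."""
    n, e = pub
    try:
        raw = base64.b32decode(key + "=" * (-len(key) % 8))
        payload, sig = raw[1:1 + raw[0]], raw[1 + raw[0]:]
        name, expires = payload.decode().split("|")
    except (ValueError, IndexError):  # malformed key (binascii.Error is a ValueError)
        return None
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return (name, expires) if pow(int.from_bytes(sig, "big"), e, n) == h else None
```

Because the private key never ships, nobody can write a working keygen from the executable alone; what remains is patching the check itself, which is exactly the limitation The_Fox and kludg raise in the comments above.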
4

There are Delphi and non-Delphi libraries (i.e. Protexis) available to protect your software - remember that almost anything that works with C can work with Delphi as well. But a sound copy protection scheme may be hard to achieve. A simple key may not work; usually it is used together with a machine fingerprint to allow it to be used on a given system only.

A good key generator algorithm should generate keys that are not easily predictable, yet can be checked if valid. There are different ones around, there is not a "generic" one; it depends on your needs, some may also include what features to activate or expiry information. Some keys can be strings, others can be whole license files (as those used by Delphi itself). Anyway code can be disassembled to try to guess the algorithm, some techniques to obfuscate it and make it harder to understand can be used.

Also, one simple key check is not enough because it can be easily bypassed by patching the executable. If you really need copy protection, you should scatter checks all around the code, maybe encrypting and then decrypting data or code sections using the key - it won't protect you against keygens anyway, and it will require more code changes; it's not as simple as calling one function at startup.

The level of protection is up to you. If you need just a simple registration mechanism and you don't mind much about your software being cracked you can use a simple one. If you need a more secure one then there are more sophisticated ones.

  • Thanks for the link. I was rather flabbergasted when I saw that someone had gone to the trouble of disassembling the program. That taught me that cracking is always possible, but I can make their life a little harder. Your tips will help. – Arnold Jan 09 '12 at 20:35
  • Note that hardware fingerprinting is going to annoy users, and generate more support calls/emails/tickets. So it is more attractive for high-value apps, as compared to low-cost apps where your profit margin (per sale) gets cut in half for every support call. – Chris Thornton Jan 09 '12 at 20:38
  • @Arnold, I once found a cracking TUTORIAL that used my app as the target. The cracker was very complimentary of my app though, and described how it was very useful for his cracking activities. – Chris Thornton Jan 09 '12 at 20:40
  • @Arnold, then I switched to Armadillo, and the cracks stopped for a few years. Unfortunately, credit card fraud went way up. – Chris Thornton Jan 09 '12 at 20:41
  • @Chris Hardware fingerprinting annoys me so I will not use it. You said it may be tied to the user name and that sounds a modest approach. – Arnold Jan 09 '12 at 21:45
4

If your goal is to force people to download a cracked EXE from the Internet instead of a key generator from the Internet, then asymmetric cryptography is your answer.

If your goal is to be able to void serial numbers that have been released to the wild, restrict the number of installations, or force the user to have a real "paid for" serial number, then activation is your answer. Still, if they crack your EXE, they can get around this.

You only have control up to the point that someone cracks your EXE. We have to accept this and move on. We must figure out other ways to reach out to our customers, such as more affordable versions, value added support options, web services, and other ways that convince the user that the price of our software is fair, and there is a benefit in paying.

On my latest release, I use activation, so the serial numbers are randomly generated, though checked for uniqueness, and associated with an email address.

After all of this, the application is just $4.99, but with no individual support. The goal is to make it so affordable that if they want to use it, even just once, it's a good value.

Marcus Adams
  • This is a sensible approach, I was thinking of a lower price as well, though $20 is not much for a complex application. I used activation until now, but decided to investigate for alternatives, hence this question. Thanks for your considerations. – Arnold Jan 09 '12 at 21:42
2

We've been using Oreans' WinLicense for two years and are quite happy with it. They handle key generation (with the user name embedded), trial versions that time-out, hardware keys (where the key you send them is unique for their computer) and VM detection. They also use a variety of other techniques to make it harder for your code to be disassembled, including wrapping code of your choice in an encrypted VM they provide.

You can also disable specific keys if you determine that they are "stolen." Having done this, future updates you supply will no longer run with those keys.

We also have our software "phone home" at certain times to see if their key is stolen.

Any protection scheme can be broken by someone who is determined and skilled enough. But, we've been happy with the degree of security we believe that WinLicense gives us. Their support is also excellent. The library is callable from Delphi.

RobertFrank