Back to protec
Views on software protection
(by various programmers and crackers)
"a game of lesser and lesser
returns for time invested: there are always going to be those with more time on
their hands than you
have, who crack it"
"you don't have to be nice to crackers, or
cracks - they aren't nice to you"
read and enjoy!
Rob ~ Devin ~ Chris
Courtesy of reverser's pages of reverse engineering
I really don't
think you need to know
much (if anything) about assembler to do well in
shareware (and make a good
living for that matter) and make adequate protection.
There are several
levels of protection, each with their own tradeoffs in
time spent on making
it, and protection they offer (balanced with the level
of protection you
need, something much overlooked!). To take my own
software: It has some
protection, one needs a registration key to make it
work. There have been
key generators out for it for ages, yet my sales have
only gone up over the
years and I certainly can't complain. The moral of
this story is that I
believe a bit of protection can go a long way in that
it makes people think
of registering and lots of them actually will. This in
contrast to having
no protection at all. Others have experimented with
releasing the exact
same program through different channels with the only
difference being one
stopped working after a while (and needed a key), the
other just had nag
screens telling users they really should register by
now. Turned out most
people will not register unless there is a compelling
reason to do so (ie.
it stops to work and they need a key). Of course, a
number of those in need
of a key will get it from a warez site, but my own
experience shows there's
still a large group that'll buy a key.
I'm moving to what I see as the next level of
protection, making it hard to
make key generators, and building in ways to block
stolen keys in
subsequent releases. This can be done using public key
doesn't require assembler at all. The consequence is
that to crack the
program the warez scene has to bring out patches
rather than just release
keys. This is a whole different ballgame, and far
fewer user will want to
run a patch vs. typing in a fake key.
Beyond this one can add more and more code to make
debugging/disassembling/patching the software harder
and harder. While
interesting, this is a game of lesser and lesser
returns for time invested.
There are always going to be those with more time on
their hands than you
have, who crack it. Personally I'm more interested in
spending that time in
furthering my business, and believe that yields more
when compared to spending it on coding the ultimate
There you have it!
My views on software protection. Of
course, feel free to
I work as a programmer in a large company with several hundred
employees, I have briefly mentioned cracks around the office, I
have found that most people don't even know what it means.
think you're talking about some kind of drug.
The few that have heard the term told me it wasn't worth the bother
to try to find a crack. They'd just rather pay for it and be done. I
know maybe three people in our company who look for cracks.
From what I've been told some people spend days and weeks even
looking for crack for $15.00 shareware program. Now when you
consider that the guys are making 30plus an hour it sorta of
doesn't make sense does it?
For the most part, most people I know say programs are cheap
enough that the time searching for a crack especially if its going to
take a long time just isn't worth it.
Frankly I think the time spent on writing better protection would be
more helpful than trying to shut down a crack site for a few days
and we all know that's all you will succeed in doing.
I don't think its worth the effort. Better to spend the time on making
a better program with a tougher code to crack.
there are examples on Reversers pages which describe
to put markers in C/C++ code. the markers are byte
sequences which will never produced by a compiler.
just use asm / emit to put them where you need them.
then, you write a little app to scan for these
markers, do a checksum between them and store that
checksum somewhere. it's fun and easy.
Yep, -c, yet I hope you understand that this
can ALSO be easily reversed. The problem is the
"somewhere" in your assumption.
still, it's always good to have yet-another trap for
and, the nicest thing to do with the fileCRC!=appCRC
info is to not
put up dialog box and yell at the user, but to do
something subtle like :
a) reset the user parameters
b) corrupt the data in subtle ways
c) start a (long, 5 minute) timer, shut down when the
timer goes off
d) refuse to print certain things
e) write random data to the middle of the EXE
the point is, if the app has been modified, you don't
have to be
nice to the user. and, you don't have to make it easy
for the cracker to
know that the app even does a CRC on itself. just
cruise along nicely, make
the cracker think everything is fine. maybe he'll even
distribute the crack
he's made. people will use the crack, and the app
remember, you don't have to be nice to crackers, or
cracks - they aren't nice to you.
You are deep inside reverser's pages of reverse engineering, choose your way out!
how to use our tools
how to protect better
how to search
Is reverse engineering legal?