How do I stop my software from getting cracked?

i

Hi,

I have benefited from a profitable idea for a stand-alone program that
I've created in C#. Up until recently, my method of licensing hasn't
been touched. I base authorization on user accounts, and the program
sends and receives RSA encrypted data in order to determine whether or
not the end user is allowed to continue using the program. This has
worked out for about a year without any problems.

What I've found recently is that a certain person has entirely
bypassed this setup by taking it upon himself to remove or alter - via
a hex editor, I assume - the "checking" parts of my program.
Yesterday, I put all the license check code in a method critical to
the program's functionality and pushed out the update to all my
clients. I assumed this would solve the problem, because up until now
all I've seen this person do is remove entire methods and flip class
variables. I was wrong in my assumption that one cannot edit or
remove individual lines of code within a method. My code is set up
roughly as the following:

public void method_always_called()
{
    try
    {
        // check license

        if (result != expected)
        {
            Environment.Exit(1); // exit
        }
    }
    catch
    {
        Environment.Exit(1); // exit
    }

    // some critical functionality here...
}

The crack isn't just to change the != to a ==, because otherwise
accounts that are authorized wouldn't work, and such is not the case.

What do I do? I can't afford an expensive obfuscator, and the free
ones I can find are limited in what they can do. I have no training
in computers - everything is self-taught. Programming is something I
do in my spare time, after school (I graduate high school this year).
I really don't want to have to end my programming ambitions if/when
this cracked version gets out of hand.

Thanks in advance.
 
Michael A. Covington

Presumably this person has signed a license agreement, or agreed to one in
the process of installation. Get a lawyer and bring a lawsuit...
 
Ashot Geodakov

If it was made by a human, it can be broken by a human.

You cannot protect your software 100%, but you can make the process of
cracking it quite difficult for an inexperienced cracker.

My recommendation would be to place your critical functionality into a
separate DLL. Write that DLL in a good ole C. Make calls into that DLL from
your C# UI.

Once your DLL is created, you can do all sorts of tricks.

You can write self-modifying code to confuse the cracker. You may encrypt
pieces of the binary and decrypt them "on the fly" and execute them after
they are decrypted. Write some 'decoy' code that looks like a real one but
does nothing in particular. Place a time bomb into your code that does
something harsh once it detects that your product is not being used
accordingly. Write in your license agreement that "you are not responsible
for any damages if the copy is unlicensed". Use your fantasy.
 
i

Michael - this person obtained a copy without entering into any sort
of agreement with me.
Ashot - I don't have this level of experience. Is there any reference/
tutorial material that you could point me toward?

Thanks - I really appreciate everyone's help.
 
Michael A. Covington

Ashot Geodakov said:
Write some 'decoy' code that looks like a real one but does nothing in
particular.

Very good move.

Ashot Geodakov said:
Place a time bomb into your code that does something harsh once it detects
that your product is not being used accordingly.

Certainly, having your program checksum itself somehow is a very good idea.
Does .NET provide any mechanisms for doing this?
 
Dave

Why would just changing the '!=' to a '==' not work? They're only
changing their own code, so authorised accounts not working wouldn't be a
problem, would it?

One of the things I like to do in my own code is use the registration
code/user ID/etc in as many places in the program as possible. Then after
they work around the need for registration the code is set up to crash on
invalid codes in various other methods.

For example, the code below is easily modified to not throw an exception
when 'RegID' is not correctly obtained from your registration process, but
the other uses of 'RegID' are not as easy to find in the first place. The
more places the registration code is used, the harder it is to crack.

using System;

class Registration
{
    static int RegID = 0;

    public static void RegisterUser()
    {
        // Attempt to obtain a registration ID

        // Fail registration if registration ID is invalid
        if (RegID == 0) // EASILY WORKED AROUND
            throw new Exception();
    }

    public static void SaveSettings()
    {
        if ((RegID & 16) != 16)
            throw new Exception();
        // Actually save data
    }

    public static void LoadSettings()
    {
        if (RegID < 125)
            throw new Exception();
        // Actually load settings
    }
}
 
Jon Skeet [C# MVP]

Michael A. Covington said:
Very good move.


Certainly, having your program checksum itself somehow is a very good idea.
Does .NET provide any mechanisms for doing this?

It could use MD5 to get a hash of itself - but that won't do much good.
The cracker could easily work out the "proper" MD5 hash and then
replace the code which works out the hash with something which just
returns the correct one.
 
Jon Skeet [C# MVP]

What I've found recently is that a certain person has entirely
bypassed this setup by taking it upon himself to remove or alter - via
a hex editor, I assume - the "checking" parts of my program.

The "via a hex editor" assumption is almost certainly wrong. Download
Reflector and have a look what it does to your program.

However, you need to ask yourself a couple of questions:
1) How much damage is this cracker doing compared with the cost of
protecting your code? (Even the simple tricks suggested so far have
cost in terms of the readability of your program.)

2) Can you seek non-technical means, eg a cease and desist letter
followed up by lawyers if necessary, if the technical cost is too high?
 
Peter Duniho

[...]
What do I do? I can't afford an expensive obfuscator, and the free
ones I can find are limited in what they can do. I have no training
in computers - everything is self-taught. Programming is something I
do in my spare time, after school (I graduate high school this year).
I really don't want to have to end my programming ambitions if/when
this cracked version gets out of hand.

How much time do you want to spend on this? Especially knowing that you
*cannot* make it impossible for anyone to bypass your
registration-checking code.

I have a friend whose full-time job is protecting a popular online game
from hackers. He enjoys the work, but even he understands that his
efforts will always and inevitably fail (actually, sometimes I suspect he
likes that "job security" aspect of his assignment...there's always going
to be more work around the corner :) ).

The only way to ensure that someone cannot hack your code is to not give
it to them in the first place. Of course, that's pretty much the opposite
of the only way to profit from your code in many cases. :)

Ashot has posted several usual means of protecting code. But keep in mind
that none of those methods are unknown to hackers, and anyone serious
about getting your code to run without a legal license will be aware of
them. You can slow them down, but you cannot stop them.

If you still aren't convinced, consider that Microsoft, a company with
practically unlimited resources when it comes to software design and
production, has invested enormous amounts of money and manpower in
implementing their "product activation" technology for Windows and
Office. And yet, it is trivial to obtain pirated copies of Windows and
Office. Likewise, after the original DVD encryption scheme CSS failed,
the content owners got together and came up with what they felt would be a
very secure system, AACS.

But guess what happened...that encryption has also been cracked, and in
spite of the design including a way to revoke after the fact encryption
keys that have been discovered, that process has been demonstrated to be
unworkable. For practical reasons, they cannot (by contract agreement)
revoke a key until 90 days after the public release of the key, while the
hackers can easily obtain new keys in less than 90 days. In fact, so far
what hackers have done is to release only one key at a time, waiting until
that key is finally revoked before they release another key they've
already found, ensuring that there is never any time period during which
encrypted content is published that cannot be decrypted with a known key.

Anyway, that's a long way of saying, even if you have enormous resources,
if your product is desirable enough you cannot stop people from stealing
it. Your best defense is to make your product available at a reasonable
price, and make it very convenient to buy. Your second best defense is to
make sure egregious piracy (illegal redistribution, as opposed to the
occasional unlicensed user) of your application is prosecuted to the
greatest extent possible. Certainly you can implement some limited
license verification technology, and certainly it sounds like you could
improve at least somewhat on the mechanism you've already got in place.
But IMHO it's a waste of your resources to invest more than 5% or so of
your development time on that particular "feature" (a couple of weeks out
of a year of work). Your time is much better spent making sure you've got
a product people really want to spend money on, and which they don't have
to worry too much about whether the built-in anti-piracy technology is
going to interfere with them using the software.

Pete
 
Alun Harford

Michael said:
Presumably this person has signed a license agreement, or agreed to one in
the process of installation. Get a lawyer and bring a lawsuit...

That's unlikely to work in civilized parts of the world (if you have to
agree to the EULA after you've bought the product, where's the
consideration?), and even in the US it's vastly too expensive to do
anything about it (odds are that somebody who cracks your software
doesn't have enough money to be worth suing - you'll just have lots of
expensive legal fees to pay and get nothing when you win).

Alun Harford
 
Ashot Geodakov

Why not place that critical functionality on the server that does the
license checking?

This is not absolutely hacker-proof, but it's a lot more difficult to alter
the code that you have no access to.

For instance:

void CriticalFunctionality()
{
    // need to perform some calculations that the entire program depends on...
    send_local_data_to_server();
    receive_calculated_results_from_the_server();
    // continue with regular stuff
}

And make the server check the license before calculations. Send some bogus
results back if not licensed.

Now, your only problem that will remain is that someone who already
possesses the valid license will share that license with someone else. In
which case you may perform additional checks, like, "which IP-address this
request comes from, and is it registered to a license holder?" or send some
PC-specific data for verification. Like CPU ID (this can be faked easily of
course).

Or make it extremely unattractive to share their license with anyone, it's
up to you how you'd achieve this.

Oh, and I agree with other responders, that you may not gain much by wasting
your time and resources protecting your software.
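
The server half of the approach in the post above, as an added example that is not code from the thread: the license check, the machine binding and the calculation all live on the server, and mismatched machine IDs are recorded as a key-sharing signal. `LicenseServer`, `TryCalculate`, `SharingSignals`, the key and the machine IDs are hypothetical, constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Server side only: the license check and the calculation never ship to the client.
// All names and sample values are hypothetical, constructed for this example.
public static class LicenseServer
{
    // license key -> machine ID it was activated on (constructed sample data)
    static readonly Dictionary<string, string> Activations =
        new Dictionary<string, string> { { "KEY-0001", "machine-a" } };
    // license key -> other machine IDs that presented it (a sign of key sharing)
    static readonly Dictionary<string, HashSet<string>> Mismatches =
        new Dictionary<string, HashSet<string>>();

    public static bool TryCalculate(string key, string machineId, double[] input,
                                    out double result, out string error)
    {
        result = 0;
        if (key == null || machineId == null || input == null || input.Length == 0)
        { error = "malformed request"; return false; }
        if (!Activations.TryGetValue(key, out var bound))
        { error = "unknown license"; return false; }

        // machineId is client-supplied and can be faked; treat it as a signal only.
        if (bound != machineId)
        {
            if (!Mismatches.TryGetValue(key, out var seen))
                Mismatches[key] = seen = new HashSet<string>();
            seen.Add(machineId);
            error = "license is bound to another machine";
            return false;
        }

        // Stand-in for the calculation the rest of the program depends on.
        foreach (double x in input) result += x * x;
        error = null;
        return true;
    }

    // Number of distinct foreign machines that have presented this key.
    public static int SharingSignals(string key) =>
        Mismatches.TryGetValue(key, out var seen) ? seen.Count : 0;

    public static void Main()
    {
        Console.WriteLine(TryCalculate("KEY-0001", "machine-a", new[] { 3.0, 4.0 }, out var r, out var e) + " " + r);
        Console.WriteLine(TryCalculate("KEY-0001", "machine-b", new[] { 3.0, 4.0 }, out r, out e) + " " + e);
        Console.WriteLine("sharing signals for KEY-0001: " + SharingSignals("KEY-0001"));
    }
}
```

Because the result is only ever produced after the check passes, patching the client's comparison gains nothing; the client never holds the code that computes the answer.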
 
Dave

It may not be worth the time if you'll just protect a single app, but it is
a good learning experience and the next times it gets easier and easier,
often just a matter of copying and pasting code.
 
Ignacio Machin ( .NET/ C# MVP )

Hi,


Ashot Geodakov said:
If it was made by a human, it can be broken by a human.

You cannot protect your software 100%, but you can make the process of
cracking it quite difficult for an inexperienced cracker.

My recommendation would be to place your critical functionality into a
separate DLL. Write that DLL in a good ole C. Make calls into that DLL
from your C# UI.

Once your DLL is created, you can do all sorts of tricks.

You can write self-modifying code to confuse the cracker. You may encrypt
pieces of the binary and decrypt them "on the fly" and execute them after
they are decrypted. Write some 'decoy' code that looks like a real one but
does nothing in particular. Place a time bomb into your code that does
something harsh once it detects that your product is not being used
accordingly. Write in your license agreement that "you are not responsible
for any damages if the copy is unlicensed". Use your fantasy.

What is the cost of this?

And how does this compare to just buying and using a good obfuscator?
 
Ashot Geodakov

Ignacio Machin ( .NET/ C# MVP ) said:
Hi,

What is the cost of this?

And how does this compare to just buying and using a good obfuscator?

I never said this would be cheap or easy, and most of all, hacker-proof.

And it all depends on the software that you try to protect. I wouldn't use a
commercial obfuscator for missile defence system software...
 
