I am currently looking at the various packages that are available for
software protection. I have a particular question that I'd welcome
your feedback on.
Background info:
I work for a company that develops software, and typically releases
software SDKs. Development is in C++ using MS Visual C++. We need to
apply software encryption/protection to achieve:
1) Time-limited versions (e.g software expires after X days)
2) Machine-locking (once activation key entered, software will only
run on the machine it was installed on)
3) Anti-debugging/reverse-engineering protection
We had been using PCGuard, which can cover all these aspects. However,
we have a particular problem due to the fact that our software is
released as an SDK.
3rd party developers using our SDKs access the core functions using a
supplied dll, and it is the dll which needs to be protected. We do not
want them to be able to debug the dll we supply, but we *do* want them
to be able to debug the code that they write!
The encryption/anti-debugging employed by PCGuard means that they are
not able to debug their own code, which is a major problem.
My question is: is it possible (using another package) to apply
protection which covers all 3 aspects above yet still allows 3rd-party
developers who use our SDK to debug their own code?
My feeling is that protection options 1+2 (time limited versions,
machine locking) can be achieved without blocking the debugging of
3rd-party code, but I'm not sure if protection option 3 can also be
included without blocking all debugging.
Any thoughts or info on this greatly appreciated. Comments on the
pros/cons of the various protection packages available also welcome!
(please post replies to newsgroup *not* via email)
many thanks,
Howard Wright 9 2366
On Fri, 9 Jan 2004, Howard wrote: I am currently looking at the various packages that are available for software protection. I have a particular question that I'd welcome your feedback on.
Your question has nothing to do with the C++ language, and is
off-topic in comp.lang.c++.
We need to apply software encryption/protection to achieve:
1) Time-limited versions (e.g software expires after X days)
Trivially circumvented by a user who controls the system clock
(as most Microsoft OS users do).
2) Machine-locking (once activation key entered, software will only run on the machine it was installed on)
Trivially circumvented by a user who controls his hardware
(which unfortunately very few users do, IME, especially in the
desktop mass-market).
3) Anti-debugging/reverse-engineering protection
Trivially circumvented by a user who has read access to the code
in question (e.g., most users on Microsoft OSes, and admins or
the moral equivalent thereof on OSes that support that kind of thing).
3rd party developers using our SDKs access the core functions using a supplied dll, and it is the dll which needs to be protected. We do not want them to be able to debug the dll we supply, but we *do* want them to be able to debug the code that they write!
God forbid anyone should try to debug *your* DLL! Debugging is
the work of the devil and should be prevented at all costs.
The encryption/anti-debugging employed by PCGuard means that they are not able to debug their own code, which is a major problem.
Yes, I can see that. But are you sure that the programmers'
inability to debug their own code stems from their use of PCGuard,
or is it a more deeply-rooted problem, perhaps due to lack of
education or practice? I know a few people who can't debug their
own code, and they don't even *use* PCGuard.
My question is: is it possible (using another package) to apply protection which covers all 3 aspects above yet still allows 3rd-party developers who use our SDK to debug their own code?
A good license agreement would help. For example, you could
insert a clause that said essentially, "Thou shalt not attempt to
reverse-engineer the contents of this DLL, unless given permission
by the creators thereof." That would keep all law-abiding intruders
out. Then you could even compress or encrypt the code, thus keeping
out the less-persistent debuggers.
That should be enough -- you're never going to stop the persistent,
intelligent debuggers who don't care about laws, anyway. The CPU
knows what the code does, and the programmer can talk to the CPU.
That just about sums it up, doesn't it?
My feeling is that protection options 1+2 (time limited versions, machine locking) can be achieved without blocking the debugging of 3rd-party code, but I'm not sure if protection option 3 can also be included without blocking all debugging.
I think it would be a nice gesture if you allowed the programmer
to find bugs in your code, as well as in his own. Certainly it
would make your life a hell of a lot simpler.
-Arthur
In article <5c************ **************@ posting.google. com>, do************* *********@hotma il.com (Howard) wrote: I am currently looking at the various packages that are available for software protection. I have a particular question that I'd welcome your feedback on.
Background info: I work for a company that develops software, and typically releases software SDKs. Development is in C++ using MS Visual C++. We need to apply software encryption/protection to achieve:
1) Time-limited versions (e.g software expires after X days) 2) Machine-locking (once activation key entered, software will only run on the machine it was installed on) 3) Anti-debugging/reverse-engineering protection
I would recommend you take a look at Armadillo from www.siliconrealms.com . I know it has some restrictions relating to
debugging and DLLs, but I suspect it can be configured suitably. You
can download a trial version and check it out.
3rd party developers using our SDKs access the core functions using a supplied dll, and it is the dll which needs to be protected. We do not want them to be able to debug the dll we supply, but we *do* want them to be able to debug the code that they write!
The encryption/anti-debugging employed by PCGuard means that they are not able to debug their own code, which is a major problem.
If all else fails, an alternative option you might consider is to issue
two separate DLLs, with the same general functionality. One would be
the distributable DLL, protected but not debuggable. The other would be
debuggable, but would have undesirable behaviours that prevent it being
used in a distributed program. Of course, care would have to be taken
to make this hard to crack.
- Gerry Quinn
In article <Tz************ ****@news.indig o.ie>, ge****@indigo.i e says... If all else fails, an alternative option you might consider is to issue two separate DLLs, with the same general functionality. One would be the distributable DLL, protected but not debuggable. The other would be debuggable, but would have undesirable behaviours that prevent it being used in a distributed program. Of course, care would have to be taken to make this hard to crack.
Why would you want to debug code that is NOT what your customer will be
using? You're assuming that the changes in behavior (unspecified) will
not impact bugs, races, or add new bugs or mask off those in the
production DLL.
--
Randy Howard
2reply remove FOOBAR
In article <MP************ ************@ne ws.megapathdsl. net>, Randy Howard <ra**********@F OOmegapathdslBA R.net> wrote: In article <Tz************ ****@news.indig o.ie>, ge****@indigo.i e says... If all else fails, an alternative option you might consider is to issue two separate DLLs, with the same general functionality. One would be the distributable DLL, protected but not debuggable. The other would be debuggable, but would have undesirable behaviours that prevent it being used in a distributed program. Of course, care would have to be taken to make this hard to crack.
Why would you want to debug code that is NOT what your customer will be using? You're assuming that the changes in behavior (unspecified) will not impact bugs, races, or add new bugs or mask off those in the production DLL.
The point was that his current protection system correctly prevented
customer 'debugging' his proprietary DLL, but also prevented them
debugging their own stuff.
I was suggesting that customers wanting to debug their own code could be
substitute an alternative DLL which would (for example) pop up messages,
or quit after an hour's running.
I suspect another protection system will allow a better solution,
though.
- Gerry Quinn ge****@indigo.i e (Gerry Quinn) writes:
]In article <5c************ **************@ posting.google. com>, do************* *********@hotma il.com (Howard) wrote:
]>I am currently looking at the various packages that are available for
]>software protection. I have a particular question that I'd welcome
]>your feedback on.
]>
]>Background info:
]>I work for a company that develops software, and typically releases
]>software SDKs. Development is in C++ using MS Visual C++. We need to
]>apply software encryption/protection to achieve:
]>
]>1) Time-limited versions (e.g software expires after X days)
Impossible. The software has no way of knowing what the time is.
]>2) Machine-locking (once activation key entered, software will only
]>run on the machine it was installed on)
Possible but extremely inconvenient to your users.
]>3) Anti-debugging/reverse-engineering protection
Impossible. ( Well, write it in Forth, and you will have pretty good
protection).
]>3rd party developers using our SDKs access the core functions using a
]>supplied dll, and it is the dll which needs to be protected. We do not
]>want them to be able to debug the dll we supply, but we *do* want them
]>to be able to debug the code that they write!
The machine MUST load the dll into memory to use it. At that point the
code can be captured and analysed.
In article <bt**********@s tring.physics.u bc.ca>, un***@string.ph ysics.ubc.ca (Bill Unruh) wrote: ge****@indigo. ie (Gerry Quinn) writes: ]> ]>1) Time-limited versions (e.g software expires after X days)
Impossible. The software has no way of knowing what the time is.
That's what they said about black holes, and yet they seem to be able to
evaporate on schedule ;-)
Software can read the computer clock, and store data in sufficiently
obscure ways that user tampering between runs will be difficult to hide
from it.
]>3rd party developers using our SDKs access the core functions using a ]>supplied dll, and it is the dll which needs to be protected. We do not ]>want them to be able to debug the dll we supply, but we *do* want them ]>to be able to debug the code that they write!
The machine MUST load the dll into memory to use it. At that point the code can be captured and analysed.
That is easier said than done. For example, the protection system may
include a separate process that decrypts portions of the dll on demand,
and will also attempt to detect debugging attempts and shut down if any
occur.
- Gerry Quinn
Thanks for the info. Armadillo is one of the packages I have come
across while searching the web, and I will definitely be checking it
out.
The other posts/comments etc have been interesting reading, but as my
original post said, I'm mainly interested whether it's possible to
allow debugging for the application code written by users of our SDK,
whilst still preventing them from seeing/debugging our own code.
There are clearly different philosophies on the pros and cons of
giving people access to your source code, but this choice has already
taken by our company.
I'm also well aware that code protection can never be perfect - people
will always be able to find a way to break into your code. However, we
want to put in some measures that will at least mean it takes a
reasonable amount of time and effort to do this. This should prevent
all but the most determined hackers.
I like the locks/keys analogy. I know that I cannot prevent someone
from breaking into my house and stealing my possessions, and I know
that locks can be broken, but I still put locks on the doors and
windows to stop the less determined thieves!
Howard ge****@indigo.i e (Gerry Quinn) wrote in message news:<Tz******* *********@news. indigo.ie>... In article <5c************ **************@ posting.google. com>, do************* *********@hotma il.com (Howard) wrote:I am currently looking at the various packages that are available for software protection. I have a particular question that I'd welcome your feedback on.
Background info: I work for a company that develops software, and typically releases software SDKs. Development is in C++ using MS Visual C++. We need to apply software encryption/protection to achieve:
1) Time-limited versions (e.g software expires after X days) 2) Machine-locking (once activation key entered, software will only run on the machine it was installed on) 3) Anti-debugging/reverse-engineering protection
I would recommend you take a look at Armadillo from www.siliconrealms.com . I know it has some restrictions relating to debugging and DLLs, but I suspect it can be configured suitably. You can download a trial version and check it out.
3rd party developers using our SDKs access the core functions using a supplied dll, and it is the dll which needs to be protected. We do not want them to be able to debug the dll we supply, but we *do* want them to be able to debug the code that they write!
The encryption/anti-debugging employed by PCGuard means that they are not able to debug their own code, which is a major problem.
If all else fails, an alternative option you might consider is to issue two separate DLLs, with the same general functionality. One would be the distributable DLL, protected but not debuggable. The other would be debuggable, but would have undesirable behaviours that prevent it being used in a distributed program. Of course, care would have to be taken to make this hard to crack.
- Gerry Quinn
Looking toward CompTIA Security+ Certification , Here is greate Link
for Excellent Security+ Certification Guide, http://www.studyexam4less.com/mb.asp
Also here is another Money saving idea for Security+ Testing exam fee. buy voucher
and Scheduale the exam using Security+ voucher for Only US $165.00 saving of
US $ 60 http://www.getcertify4less.com/mb.asp do************* *********@hotma il.com (Howard) wrote in message news:<5c******* *************** ****@posting.go ogle.com>... Thanks for the info. Armadillo is one of the packages I have come across while searching the web, and I will definitely be checking it out.
The other posts/comments etc have been interesting reading, but as my original post said, I'm mainly interested whether it's possible to allow debugging for the application code written by users of our SDK, whilst still preventing them from seeing/debugging our own code.
There are clearly different philosophies on the pros and cons of giving people access to your source code, but this choice has already taken by our company.
I'm also well aware that code protection can never be perfect - people will always be able to find a way to break into your code. However, we want to put in some measures that will at least mean it takes a reasonable amount of time and effort to do this. This should prevent all but the most determined hackers.
I like the locks/keys analogy. I know that I cannot prevent someone from breaking into my house and stealing my possessions, and I know that locks can be broken, but I still put locks on the doors and windows to stop the less determined thieves!
Howard ge****@indigo.i e (Gerry Quinn) wrote in message news:<Tz******* *********@news. indigo.ie>... In article <5c************ **************@ posting.google. com>, do************* *********@hotma il.com (Howard) wrote:I am currently looking at the various packages that are available for software protection. I have a particular question that I'd welcome your feedback on.
Background info: I work for a company that develops software, and typically releases software SDKs. Development is in C++ using MS Visual C++. We need to apply software encryption/protection to achieve:
1) Time-limited versions (e.g software expires after X days) 2) Machine-locking (once activation key entered, software will only run on the machine it was installed on) 3) Anti-debugging/reverse-engineering protection
I would recommend you take a look at Armadillo from www.siliconrealms.com . I know it has some restrictions relating to debugging and DLLs, but I suspect it can be configured suitably. You can download a trial version and check it out.
3rd party developers using our SDKs access the core functions using a supplied dll, and it is the dll which needs to be protected. We do not want them to be able to debug the dll we supply, but we *do* want them to be able to debug the code that they write!
The encryption/anti-debugging employed by PCGuard means that they are not able to debug their own code, which is a major problem.
If all else fails, an alternative option you might consider is to issue two separate DLLs, with the same general functionality. One would be the distributable DLL, protected but not debuggable. The other would be debuggable, but would have undesirable behaviours that prevent it being used in a distributed program. Of course, care would have to be taken to make this hard to crack.
- Gerry Quinn
Looking toward CompTIA Security+ Certification , Here is greate Link
for Excellent Security+ Certification Guide, http://www.studyexam4less.com/mb.asp
Also here is another Money saving idea for Security+ Testing exam fee. buy voucher
and Scheduale the exam using Security+ voucher for Only US $165.00 saving of
US $ 60 http://www.getcertify4less.com/mb.asp do************* *********@hotma il.com (Howard) wrote in message
news:<5c******* *************** ****@posting.go ogle.com>... Thanks for the info. Armadillo is one of the packages I have come across while searching the web, and I will definitely be checking it out.
The other posts/comments etc have been interesting reading, but as my original post said, I'm mainly interested whether it's possible to allow debugging for the application code written by users of our SDK, whilst still preventing them from seeing/debugging our own code.
There are clearly different philosophies on the pros and cons of giving people access to your source code, but this choice has already taken by our company.
I'm also well aware that code protection can never be perfect - people will always be able to find a way to break into your code. However, we want to put in some measures that will at least mean it takes a reasonable amount of time and effort to do this. This should prevent all but the most determined hackers.
I like the locks/keys analogy. I know that I cannot prevent someone from breaking into my house and stealing my possessions, and I know that locks can be broken, but I still put locks on the doors and windows to stop the less determined thieves!
Howard ge****@indigo.i e (Gerry Quinn) wrote in message news:<Tz******* *********@news. indigo.ie>... In article <5c************ **************@ posting.google. com>, do************* *********@hotma il.com (Howard) wrote:I am currently looking at the various packages that are available for software protection. I have a particular question that I'd welcome your feedback on.
Background info: I work for a company that develops software, and typically releases software SDKs. Development is in C++ using MS Visual C++. We need to apply software encryption/protection to achieve:
1) Time-limited versions (e.g software expires after X days) 2) Machine-locking (once activation key entered, software will only run on the machine it was installed on) 3) Anti-debugging/reverse-engineering protection
I would recommend you take a look at Armadillo from www.siliconrealms.com . I know it has some restrictions relating to debugging and DLLs, but I suspect it can be configured suitably. You can download a trial version and check it out.
3rd party developers using our SDKs access the core functions using a supplied dll, and it is the dll which needs to be protected. We do not want them to be able to debug the dll we supply, but we *do* want them to be able to debug the code that they write!
The encryption/anti-debugging employed by PCGuard means that they are not able to debug their own code, which is a major problem.
If all else fails, an alternative option you might consider is to issue two separate DLLs, with the same general functionality. One would be the distributable DLL, protected but not debuggable. The other would be debuggable, but would have undesirable behaviours that prevent it being used in a distributed program. Of course, care would have to be taken to make this hard to crack.
- Gerry Quinn This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: David |
last post by:
I would like to set up a copy protection scheme where the application must
be provided
with an unlock code before it can be installed.
Any ideas for a relatively simply system for doing this ? I seem to remember
something like reading PC BIOS, adding the current date and XORING with a
fudge factor to create a code that the user rings up and quotes. In return
we give then an unlock code.
(I have also forgotten how to read BIOS).
|
by: dm4714 |
last post by:
Hi -- does anyone know of any good VB.NET software registration, protection
and activation components. I guess I'm looking for something similar to
http://www.ionworx.com/solutions.html
|
by: Mitchell Vincent |
last post by:
I'm in the market for a new software licensing system to protect my
shareware.
Can anyone make some suggestions of protection/licensing systems
(especially for .NET, but not exclusively)?
My budget is less than $500 with royalty free distribution licensing.
BTW, I do know about the Shareware Starter Kit, but I'm afraid it will
come too late for the launch of this newest product!
|
by: John |
last post by:
Hi,
I would like to protect my software from copying. What are best tools for it
(hardware protection is not an option), do you have some reccomendation for
protection or third party software that works?
Thanks very much
John
|
by: P1ayboy |
last post by:
I need advice on how to best to protect software with licenses.
We are developing a windows application that people can purchase and
download off the net, but the software needs to be protected by licensing.
The software is being written in vb.net v1.1.
If anyone knows any beeter places to post this message, please let me know.
Many thanks
| |
by: John |
last post by:
I would like to use some third party software for copy protection, software
that prevents from copy paste program to another computer (not obfuscator).
I am looking for some good solution (hardware lock is not an option).
Can you reccomend me software based on your experiences?
|
by: jeanjean_5 |
last post by:
Hi all
I'm looking forward to purchase ExeCryptor (www.strongbit.com) to
protect my shareware. But before I'd like to know independent
opinions/experience if any.
My question is: Anybody uses execryptor? Can you tell me smth about?
Are there some problems? Is it cost-effective?
Thank you in advance for any reply
|
by: Jens |
last post by:
Hello Gents,
I'm searching a good and affordable (max 160$) license copy protection
library for C#. All solution I founds are very expensives...
Any recommandations ?
Thank you.
Regards,
|
by: farsheed |
last post by:
I wrote a software and I want to protect it so can not be cracked
easily. I wrote it in python and compile it using py2exe. what is the
best way in your opinion?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |