[sensui]

Hi,


Can someone recommend me a way to protect a program? I want to distribute a program I created, but I also want to prevent unauthorized distribution and protect the source code from being reverse engineered (decompiled). The program is in java (compiled to byte code, not machine code) so it's very easy to use a tool like DJ Java Decompiler on it. I don't want to limit this conversation only to java tools. If you have suggestions for protecting programs written in other languages please list them here.


Software License

Can someone recommend me a modern way to protect a program? I heard of SecuROM and SafeDisc, but I don't know if they are appropriate for a small program (smaller than 50 MiB). If I understood well, these copy protection methods are only for protecting big games stored on CDs/DVDs. Please correct me if I'm wrong... I've also heard of CSS (Content Scramble System), but this doesn't apply to software.


Trial Mode

I tried to set a dead end (for example 12/11/2009) for my program. After that date the program stops running (you try to run it, but it shows just a Message Box telling you the trial is over). But I have a small problem: if you turn the system date to a date before the dead end, the program WILL work and I don't want that to happen. Please recommend me a good method to implement "the trial mode".


I'm thinking a better method would be to use the classical trial mode:
1. Give a small period of time (like a month or so) for trial;
2. Allow only a limited number of runs (for example 100 runs) after that the program will request a license.


The problem is that I don't know how to do this in a professional way... Do I need to store the first running date in a file? (for trial mode nr. 1) And then every time the program starts it will check the initial date from the file to decide if it's still in the trial mode or it should request the license. Or another method would be to store that information in the registry (Windows Registry), but this method will break the portability (the program is written in java).


For all these methods (date stored in a file or registry) there are very easy methods to break the protection. One example would be Process Monitor from sysinternals (for M$ Windows). You find where the program stores the initial date (be it a registry hive key or a file), change it (let's call it "the anchor") and effectively crack the program.


One possible solution would be to encrypt the contents of the file... to create a so called license file where you store the date in an encrypted format but then you need to obfuscate the source code of the program so if someone tries to decompile the program he/she won't be able to see what type of encryption was used. For code obfuscation I found ProGuard (for java). But for encryption I don't know what to use (what algorithm is best, hard to crack etc.). Can someone detail how to do this entire process?



I don't know how to do this (what I wrote is just mere guessing).
I just want someone to guide me how to do this.

[erik.price]

There are several byte code obfuscators which work to make it difficult if not impossible to decompile:

RetroGuard
http://www.retrologi...guard-main.html
Marvin Obfuscator
http://www.drjava.de/obfuscator/
yGuard
http://www.yworks.co...guard_about.htm
CafeBabe
http://www.geocities...4/programs.html
ProGuard
http://proguard.sourceforge.net/
JavaGuard
http://sourceforge.n...ects/javaguard/
JMangle
http://www.elegant-s...ngle/index.html

(I found this list on Google, so I cannot vouch for quality)

[sensui]

Thank you for your reply.

How about "the trial mode"?

[erik.price]

Unfortunately, I can't think of a way to completely protecting the trial.

You could try taking the ending date, hashing it, and storing it in the Windows registry (or equivalent), so users couldn't tamper with it without knowing which hash algorithm you used.

I'm not sure if that would be feasible, as I have no experience in this regard.

[sensui]

So what hash algorithm should I use? md5? SHA-1?
I haven't used them before, so I'm asking for some advice...

And the method you described has a small weak point: you hash the date, but then the end-user just needs to set the system date some days back and the program still works...

This post has been edited by sensui: 11 December 2009 - 01:44 PM

[PsychoCoder]

Excellent topic, let's see what kind of professional opinions we can come up with.

[pakkuman_shinde]

If you went the run amount route, you could just keep a variable stored in an encrypted file and increment it every time the user uses it. If they take the time to decrypt it, then you can assume they probably won't ever buy a license.

LOL, you could keep a separate file with separate encryption that tracks file changes in the file with the run variable, and resets the file back to what it was before it was altered. That would have to be hilarious, pop-up window: "Epic Fail!"

[WolfCoder]

It's better to have a trail program that only does a few things free to download, and then have a whole online store thing that lets you download a program you buy so that only people who buy it will let the server give it to them.

However, realize that in the end, if people find your program useful, it will get cracked, patched, hacked, or whatever. There's people in China/Russia who undo the DRM to anything in a short amount of time.

This post has been edited by WolfCoder: 11 December 2009 - 02:51 PM

[nick1200]

Trial Mode

Well you could learn how to connect java to a database then have a time stamp in the db
or have a html page with the time and date on ( you can get 1 of google )
then the java programs checks that for the date and not the computer

i donno if that's the best thing to do... but i think it would be best if you try and get the date from some were else and not the user's computer

[snoj]

I'd almost recommend you forget about trying to stop people from cracking in and pirating it. Instead, I'd recommend that you just focus on making an awesome product that people will want to buy.

For me, it comes down to time, why waste all that time trying to protect something when you'll be handing over the keys anyway?

Effectively, what you're trying to accomplish is DRM, which is a fairly flawed concept. Cory Doctorow, did an excellent paper/workshop a while ago for Microsoft on the subject. You can find it here, http://craphound.com/msftdrm.txt.

[brennydoogles]

I agree with snoj about the futility of attempting to create a good DRM setup, but I also know that many people who download a trial version of software really just want to see if software is decent before buying it. One way you could accomplish your goal would be to use the file created attribute and file last modified attribute on a file to figure out how long a trial has been running. For example, if you created a file (binary or text) upon the program's first run, you could then write a small bit of data (junk data is fine) to that file every time the program is run. By comparing the file's creation date and last modification date (easily accessible file Attributes, at least in .net), you could do basic error/tamper checking in the following way (pseudo-code):

if(File.CreationDate > Today || File.LastModificationDate < Today){
	 Someone is messing with the system time trying to fool you... end the trial immediately
}
else if((File.LastModificationDate - 14Days) < File.CreationDate){
	 The Trial still has a few days left, carry on
}
else {
	 Trial is over time to pay up!
}

This combined with possibly obtaining the date from an external source could provide a basic authentication that would keep the honest in line. As for everyone else, there will always be a hacker smarter than us, and if we make software (s)he wants there will be no stopping the cracks.

[crummydo]

Good topic. I actually looked into this a while back when I was working on a quiz system in Javascript. I used a website called Obfuscator (don't remember the link to it) that changed my script into machine code. Im sure that nobody would really try to find the .js file that had the quiz answers, and if they did they definitely wouldn't take the time to try and decode the file. I will have to check out these other links. My next project is a quiz in Ruby.

[SpeedisaVirus]

Why not trip a variable when the date passes the trial period so once it passes the date, rolling back the time will be irrelevant.

I don't know much but is there a way to access bios time rather than windows time? Most people aren't going to roll back their bios date. A quick google search makes it look like its not very easy to do with windows since like 98. Maybe in assembly?

How about referencing time on the web when a connection is detected to ensure its accurate?

This post has been edited by SpeedisaVirus: 12 December 2009 - 09:48 AM

[skorned]

I was actually just wondering the same thing, and came to the same conclusion. I've used a few pirated softwares myself, and the only way to stop a cracker is to have the software phone home to your server. And even that can be spoofed. And it also requires you to have a constant server running to verify keys, which adds to costs while making the use of the software impossible without the internet.

That being said, if you want to continue with the online route, there are ways softwares can create unique id for a PC, by creating a combined hash of the hardware and OS installed on it. You could log this unique ID onto a database on your server. Or use keys.

If you want to go with local protection only, you could check the time using one of the online time sync servers. For example, my mac uses time.asia.apple.com to figure out my time. You could use this along with a really random hash to store the timestamp. All I can recommend you is security through obscurity. Don't use one of the more commonly used hashes, especially md5. There's just way to many people out there working their hardest to crack md5's.

Also, most importantly, I have seen many posts on warez forums where people who usually pirate paid a small amount to use quality apps that they needed on a regular basis. Remember to keep it cheap, affordable for people without 6 figure incomes, living in other countries, and in proportion to the utility of your app. Also, you could look into providing value added services like giving people with keys technical support in case something goes wrong, or the first updates to new features.

[pbl]

A program like J2EXE will convert your Java byte code into a .exe lot more difficult to crack but as Snoj recommend the best way is to provide a copy with lesser or limited features and sell the complete copy that you can customize to customer name.