FRAVIA'S "HOW TO PROTECT BETTER"
A good protection is NOT an impossible dream!
Ivan Bilibin:
Last updated: January 2001
  How to (try to) protect software effectively
[as introduction...]
Advices
[Mark's]
[Tidbit's]
[Stone's]
[More tips]
[To shrink?]
[essays]
[tricks]
[links]
[Oldies]

Software Protection, an impossible dream?

Jump +fravia's Intro and go directly to [All the advices you may need]
INTRODUCTION: The never never ending dongles discussion...

CONTRA: fravia+ on dongles

I have recently (26 January 2001) received this mail...
         I am looking for information about hardware locks, 
         how effective they are, and if they are reliable 
         enough to safeguard new software.
         Your expertise would be appreciated...
What you call 'hardware locks' are more commonly known as 'dongles' in the scene, I didn't follow the most recent developments, but as far as I know:

They still are expensive, cumbersome for users and relatively easy to circumvent unless correctly programmed (newbies can crack and disable all sort of simple checks for the existence of the dongle).

Even when correctly implemented through your software, dongles can be reversed in a couple of days -at most- and they will be reversed if the program is worth it (this on the other hand being a bigger and bigger if nowadays :-)

If I were you I would rather go for the usual serialnumber approach based on the harddisk-number checking. You can get the harddisknumber with
GetVolumeInformationA(*), that you should not call but REPRODUCE with your own assembly code, else it will be easily breakpointed, duh), and combine such routines with one of the many unobtrusive "phoning home" approaches.

This will give you a light protection... thus few zombies will deprotect your soft (if everything has been implemented in assembly, that is: if you use visual basic any kid will be able to 'smartcheck' it) and when crackers will crack it you will, at least, know how many people are really using your software around the planet and, grossomodo, where. Pack everything with a good packer after having thrown in a small assembly written softice-checking routine which will slightly change the serial number needed only if softice is present and running on the machine (and which will abstain from doing ANYTHING else), and you'll have what in my opinion amounts to be the "state of the art non-dongled protection" that your knowledge can buy... still crackbar of course :-)

Good luck
fravia+


PRO: Mike Stay on dongles

The only way to prevent someone from reverse-engineering your code is not to give it to them (see: Tidbit's #18). On the other hand, you can't expect people to pay for functionality they don't get (unless you're Microsoft), so your customers need to be able to execute the code.
One way: a dongle that executes code, like Dallas semiconductor's Java iButton. Put a small but vital piece of code there; make it complex enough so that reversers can't just figure out what it does and patch the exe. Short of differential power analysis, reversers are pretty much screwed. Another way: put the code on your server and force the client to authenticate itself; a simple challenge / response system can work fine.
But the secret that allows authentication can be shared among pirates.
You can watch (i.e. write a program to watch) to see if the IP address of the client changes a lot and disable it if you think it's being abused. For a perfect system, a time-based cryptographically secure pseudo-random number generator in a dongle (a la RSA SecurID) is synchronized with your server. This can get expensive, but it can't be broken without hacking into your server.

Mike Stay
Programmer / Crypto guy, AccessData Corp.


red

protec Mark's famous 14 protector's commandments

protec Tidbit's 'common sense' rules


protec More tips you might take into consideration

protec

Software Protection, an impossible dream?
The Shrinkers discussion

On [Richard Fellner]'s page I found this snippet:
Don't rely on "EXE-packers". For almost any tool which compresses EXE files
(Shrinker, WWPack32, NeoLite - to list the most popular ones) there's an
uncompressor around, so compressors capable for software-protection
should at least support configurable encryption. Unpackers for the above (and
other) tools are not very wide-spreaded, however, don't rely on them as your
program's one and only "protection"!
Now the question is: is this true?

A shrinker, like the one from Blinkinc should be seen as a 'first line of defense' for a protector. The application will be uncompressed when it is loaded and cannot therefore be decompiled from disk. This makes the possibility to mess with it a little more complicated for the cracker, especially if, after having compressed the application with Shrinker or with WWpack32 you checksum (twice) the compressed EXE.

The standard binary post-processors seem at the moment to be:
Shrinker
VBox
and WWrap32
And for these shrinker there are corresponding unshrinkers in the scene... where are they?
Well, a first good tool (yet not for beginners) is procdump a very good unpacker by Riz+la, Stone and G-rom (btw: in the unpack.txt companion file you'll find VERY USEFUL information about the most common commercial' packers). I'm presenting here version 1.1, build 4 from 11 October 1998. Visit Stone's page to fetch more recent versions.
protec

Software Protection, an impossible dream?
Links



red

Anti-Cracking sites

Vitas Ramanchauskas' site: http://www.soft4you.com/vitas/antihack.htm
Some interesting techniques and original ideas

Richard Fellner's anti-crack tips [http://inner-smile.com/nocrack.htm]
(a part of them has been taken from my site :-)

Rob Beckers' How to Battle Warez: http://www.cat-soft.com/warez.htm
A VERY interesting part about site tracking and elementary/intermediate stalking techniques

Anti-Cracking discussions

You may be interested in my Counter Intelligence page.
Cracking discussions

You may be interested in my Why crackers crack? (Reversing reversers' psychology) 'late November' thread.
Tricks

0. Most recent tricks!

The following idea courtesy of Steven Martins

" I used a function to check for SoftICE and it worked great. If the user had SoftICE loaded the program would use a different routine to generate the serial key. The cracker then thinks he found the correct code but on machines without SoftICE it's useless."


1. Let's melt softice? Pro and contra

Here you'll be able to check David Eriksson's original (Mid-97) meltice! A tool for detecting softice written in C, and here you'll have the same code ported by PhR to Pascal/Delphi (with Hoffmeister's corrections).
Anyway such an approach is of limited use. You may succeed in annoying some casual crackers, yet the fact that Numega chose to name their kernel drivers that way doesn't mean much... there is nothing that prevents any reveser from renaming them...

So I publish the snippets above because this can give some ideas to good protectors. Go beyond and prepare some good code for Sice detection (or even some 'retaliating code'... come to think of it, if I were a protection scheme and if I would detect on a computer -say- softice, wdasm and smartcheck I would know that I should ring all possible defcom red alert bells... but READ (and head) THE FOLLOWING CAVEAT!

First of all you should UNDERSTAND what Softice is... many 'sunday' programmers don't have the slightest clue...

SoftICE is - same as WDEB386.EXE of Microsoft a completely different story, from turbodebugger... much to shareware-authors and driver developers dismay.
First of all, SoftICE is started before Windows starts (more exactly - you run winice.exe and winice in turn runs win.com). This applies to win9x . configured to run as a boot driver, kernel driver, or a dynamic loadable (kernel) driver under NT.
When the gui starts SI is already present and can be invoked via ALT-D (preset). So there is no "present-not present" thing with softice, it sits beneath windows and waits till you need it. as the bulk of softice consists of ring 0 software, you're not limited in what you can view. driver writers for that reason quite routinely start their machine with si present.
Therefore you go about detecting it like you'd detect any other vxd - seeking the VMM's DDB and then just walking the linked list of DDBs in the case of Win9x, and examining the list of loaded drivers in NT.
The problem rather is, what are you going to do if you find it? Nuke the machine?
The world increasingly seems to fill up with authors, who think, just because somebody (mostly by accident) installed one of their vanity proggies, they got the right to nuke others peoples machines.
As it's part of my job to work with softice I just can't work with some programs without reversing them at the moment - o.k. so what, but what will annoy almost all VXD authors is if you just go about rebooting the machine if they start your software... maybe putting a link into the autostart group before.
Therefore do me and people like me a favor please: forget that debugger detection crap, do a little bit of math and firgure out how to en- and decrypt your software at runtime (as it is to valuable to be looked at by other people), be creative and contructive instead of just destructive.

Btw, there is no law against people debugging and reversing your software, as strange as this may seem to you, but there surely is a law against deliberatly risking to damage other peoples' property.

Oldies (ancient tricks)

1994
inbarraz.txt: Anti Debugging Tricks
by Inbar Raz
Release 5, Preventive actions & Self-modifying code.



1993
razrefut.txt: Anti Debugging Tricks
by Michael Forrest
(Refers to Imbar Raz's release 1), Why Raz tricks don't work anymore in to-days debuggers world



1998
insi_faq.txt: "Insider FAQ"
by Christoph Gabler
Source code galore: Anti Trace Code, Anti-AntiVirus Code, How to fool unpackers code.





(c) 1952-2032 Fravia, All rights reserved
How to Obtain the Serial Number of a Drive... see introduction
Public Function VolumeSerialNumber(ByVal RootPath As String) As String
    Dim VolLabel As String
    Dim VolSize As Long
    Dim Serial As Long
    Dim MaxLen As Long
    Dim Flags As Long
    Dim Name As String
    Dim NameSize As Long
    Dim s As String
    If GetVolumeSerialNumber(RootPath, VolLabel, VolSize, Serial, MaxLen, Flags, Name, NameSize) Then
        'Create an 8 character string
        s = Format(Hex(Serial), "00000000")
       'Adds the '-' between the first 4 characters and the last 4 characters
        VolumeSerialNumber = Left(s, 4) + "-" + Right(s, 4)
    Else
        'If the call to API function fails the function returns a zero serial number
        VolumeSerialNumber = "0000-0000"
    End If
End Function