0

I recently launched my desktop application and it got cracked after a few days. I posted a question on Stack Overflow and people said that I cannot stop that. In the start of the software I cannot allow this to happen and I want a solution. So, the following is what I am thinking.

Currently, I have a desktop application that communicates with the web server to verify the user. Once the user is verified, it saves the values in the Registry. The hacker has bypassed the communication code and added fake values in the registry, and he can use my software now.

Now, I am planning to take some of my code from MAIN features of the software to a WEB SERVICE hosted somewhere else on a web server. Whenever the software needs to run that feature, the software will make a call to the WEB SERVICE with the values in the REGISTRY. I will verify those values and return the results. But if the values do not match my database, then I will reject the call.

So, my questions are:
1- Do you think this solution is feasible?
2- According to my thinking, it will make the software useless to the hacker. What do you think?
3- Any flaws in this solution?

Behroz Sikander
  • I don't think it is much different than your current version. – L.B Jul 30 '12 at 19:42
  • If the cracked version will not be able to access the data then it will be useless, since the data will be returned from the web service. In what terms are you saying this? – Behroz Sikander Jul 30 '12 at 19:54
  • So your software will run only in online mode? If so, you can verify the user's registry every time the program gets loaded on the user's machine. Maybe you'll get some users frustrated in case they can't use your *desktop software* because their internet link is down.... hmmm – Marcelo De Zen Jul 30 '12 at 19:59
  • Someone will find out the values in the registry and crack your software again. – L.B Jul 30 '12 at 20:09
  • Here is an example. Let's say Feature A has a Grid in it. The Grid will populate from the data returned from the WEB SERVICE. If some hacker cracks my software then he will get my code, but he cannot get what is inside the WEB SERVICE hosted on a remote server. So, even if he cracks the software he will not be able to use it, since the data will come from the WEB SERVICE and the web service will always verify the incoming request by its username and license key stored in the registry. – Behroz Sikander Jul 30 '12 at 20:10
  • @L.B let me add some more to what is implemented currently. When the user pays us for the software we email him the username and license key. The user installs our software and a register form pops up. The user inputs the values and hits Register. On registering we get the MACHINE ID and save it in the database hosted on a remote server. Now, if someone tries to read the registry value and install it on some other computer, he will not get registered, because when he tries to do it the MACHINE ID will not already be in our database and we will reject his call. – Behroz Sikander Jul 30 '12 at 20:17
  • Your idea will not stop them editing the software on their end to always return the correct value to get the results your Web Service expects. Your idea about the Machine ID will work until they modify the code to always send the same machine ID. – Security Hound Jul 31 '12 at 15:44
  • @Ramhound, you are right. They can still send the same MACHINE ID and REGISTRY values and they can trick the web service :@. What should I do? – Behroz Sikander Jul 31 '12 at 18:57
  • @Behroz - You don't mention what you originally did in enough detail to make a suggestion. I would say you first need to use an obfuscator to protect the source code. Do you have serial keys? The simplest way to avoid the situation I gave is to limit how many `users` can use a single instance of your application. Record the date and time each time the application checks in. – Security Hound Aug 01 '12 at 11:33
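
The server-side check discussed in the question and its comments, as an added example that is not part of the original posts: it binds a license to the first machine ID, rejects other machine IDs, and records each check-in so that a license whose identical credentials are replayed from many clients gets flagged. The class and function names, the two-source limit, the 24-hour window and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_SOURCES = 2               # assumed policy: distinct client addresses per window
WINDOW = timedelta(hours=24)  # assumed look-back window

@dataclass
class License:
    username: str
    key: str
    machine_id: Optional[str] = None              # bound at first registration
    checkins: list = field(default_factory=list)  # (time, source) per accepted call

class LicenseServer:
    def __init__(self, licenses):
        self._db = {(lic.username, lic.key): lic for lic in licenses}

    def register(self, username, key, machine_id):
        lic = self._db.get((username, key))
        if lic is None:
            return "unknown-license"
        if lic.machine_id is None:
            lic.machine_id = machine_id           # first registration binds the machine
        return "registered" if lic.machine_id == machine_id else "bound-to-other-machine"

    def call_feature(self, username, key, machine_id, source, now):
        lic = self._db.get((username, key))
        if lic is None or lic.machine_id is None or lic.machine_id != machine_id:
            return "rejected"
        lic.checkins.append((now, source))        # record date and time of each check-in
        recent = {s for t, s in lic.checkins if now - t <= WINDOW}
        # Replayed credentials look identical, but they arrive from many clients.
        return "flagged-shared" if len(recent) > MAX_SOURCES else "ok"

def demo():
    # Constructed sample data: username, key, machine IDs and addresses are made up.
    srv = LicenseServer([License("alice", "KEY-CONSTRUCTED-1")])
    t0, key = datetime(2012, 8, 1, 9, 0), "KEY-CONSTRUCTED-1"
    out = [srv.register("alice", key, "MACHINE-A"),
           srv.register("alice", key, "MACHINE-B"),
           srv.call_feature("alice", key, "MACHINE-B", "198.51.100.7", t0)]
    for hour, src in enumerate(["198.51.100.7", "203.0.113.9", "192.0.2.44"]):
        out.append(srv.call_feature("alice", key, "MACHINE-A", src, t0 + timedelta(hours=hour)))
    return out

if __name__ == "__main__":
    print(demo())
```

The source address is a coarse signal (several users can share one address and one user can move between networks), so a flag is a reason to review the license rather than proof of sharing.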

1 Answer

1

You don't have to get cracked. Jeez, everybody thinks there are no solutions available to prevent piracy, but there are. Disclaimer: I work for a company (Wibu Systems) that prevents software piracy and provides license management solutions.

Here's the thing: this (like all security issues) is a highly specialized area of focus and the crackers are smarter at this than you are. They are already familiar with the different home-grown solutions people roll themselves and can crack those quickly.

Commercial solutions (ours is CodeMeter; in all fairness other companies make good solutions too like SafeNet and KeyLoc) rely on strong encryption with multiple layers of protection against key discovery. These companies have spent years developing, improving, and testing their solutions; it's unlikely you will be able to come close to the robustness and quality of such a solution on your own. I can almost guarantee you that any solution you create on your own will get cracked very quickly, unless your product is uninteresting to the crackers.

I'm not trying to create an ad here; I just want to set the record straight. Companies that traditionally got cracked constantly who switched to CodeMeter stopped getting cracked. Check out Propellerhead's Record product for a good example.

John Browne
  • This is dangerously close to an ad. Is there any way you can avoid that, perhaps make it more generic, and less ad-like? – Security Hound Jul 31 '12 at 15:47
  • I got you. But I am saying: let him crack my software. I am trying to make it useless for anyone by removing some code from the software and making it a web service. How does that sound? – Behroz Sikander Jul 31 '12 at 18:54
  • @Behroz - You are trying to solve the piracy problem the incorrect way. All you can do is make it difficult. How difficult you make it will depend on how much time you are willing to invest. Even CodeMeter is not a guaranteed way to prevent piracy; I guarantee you, somebody out there could crack an application protected by CodeMeter eventually. – Security Hound Aug 01 '12 at 11:30