What are some good conventions to follow if I want to make my application harder to crack?

+11  A: 

As long as your entire application is client side, it's completely impossible to protect it from being cracked. The only way to protect an application from being cracked is to make it have to connect to a server to function (like an online game, for example).

And even then, I have seen some cracks that simulate a server and send a dummy confirmation to the program so it thinks it's talking to a real, legit server (in this case I'm talking about a "call home" verification strategy, not a game).

Also, keep in mind that where there is a will, there's a way. If someone wants your product badly, they will get it. And in the end you will implement protection that can cause complications for your honest customers and is just seen as a challenge to crackers.

Also, see this thread for a very thorough discussion on this topic.

ryeguy
Completely impossible to crack, or completely impossible to protect? I know what you mean, I just don't have sufficient rep to fix it :).
Oops, thanks ;)
ryeguy
A: 

This is almost like mission impossible, unless you have very few customers.

Just consider - have you ever seen a version of Windows that is not cracked?

Francis
+3  A: 

Book: Writing Secure Code 2

Brian
+3  A: 

There are 3rd party tools to obfuscate your code. Visual Studio comes with one.

BUT, first, you should seriously think about why you'd bother. If your app is good enough and popular enough to desire being cracked, it will be, despite all of your efforts.

Geoff
+1  A: 

The thing with .NET code is it is relatively easy to reverse engineer using tools like .NET Reflector. Obfuscation of code can help but it's still possible to work out.

PeteT
A: 

If you invent a way to protect it, someone can invent a way to crack it. Spend enough effort so that when people use it in an "illegal" way, they are aware of it. Most things beyond that risk being a waste of time ;o)

Fredrik Mörk
+1  A: 

If you want a fast solution (but of course, there's no promise that you won't be cracked - it's just some "protection"), you can search for some tools like Themida or Star Force. These are both famous protection shells.

Francis
+1  A: 

It's impossible really. Just release a patch often, then change the salt in your encryption. However, if your software gets cracked, be proud; it must be really good :-)

drikoda
+5  A: 

A lot of the answers seem to miss the point that the question was how to make it harder, not how to make it impossible.

Obfuscation is the first critical step in that process. Anything further will be too easy to work out if the code is not obfuscated.

After that, it does depend a bit on what you are trying to avoid. Installation without a license? The timed trial blowing up? Increased usage of the software (e.g. on more CPUs) without paying additional fees?

In today's world of virtual machines, the long term anti-cracking strategy has to involve some calling of home. The environment is just too easy to make pristine. That being said, some types of software are useless if you have to go back to a pristine state to use them. If that is your type of software, then there are rather obscure places to put things in the registry to track timed trials. And in general a license key scheme that is hard to forge.

One thing to be aware of though - don't get too fancy. Quite often the licensing scheme gets the least amount of QA, and hits serious problems in production where legitimate customers get locked out. Don't drive away real paying customers out of fear of copying by people who most likely wouldn't have paid you a dime anyway.

Yishai
+2  A: 

Here are some tips, not perfect but maybe could help:

  • Update your software frequently.
  • If your software connects to some server somewhere, change the protocol now and then. You can even have a number of protocols and alternate between them depending on some algorithm.
  • Store part of your software on a server which downloads every time you run the software.
  • When you start your program, do a CRC check of the DLLs that you load, i.e. have a list of CRCs for approved DLLs.
  • Have a service that overlooks your main application, doing CRC checks once in a while and monitoring your other dependent DLLs/assemblies.

Unfortunately the more you spend on copy protecting your software the less you have to spend on functionality, all about balance.

Another approach is to sell your software cheap but to do frequent, cheap upgrades/updates, that way it will not be profitable to crack.

Anders K.
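
An added example (not part of the answer above, and not code from any poster) of the start-up check it describes: compare every DLL in the application directory against a list of approved hashes. SHA-256 is used in place of the CRC the answer mentions, because a modified file can be adjusted to reproduce a CRC; the class name, file names and sample bytes are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

static class DllIntegrity
{
    // Hex SHA-256 of a file, streamed so large assemblies are not read into memory.
    public static string HashFile(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
    }

    // Returns "name: reason" for every DLL that is modified, unlisted, or missing.
    public static List<string> Check(string dir, IDictionary<string, string> approved)
    {
        var problems = new List<string>();
        var onDisk = Directory.GetFiles(dir, "*.dll").Select(p => Path.GetFileName(p)).ToList();
        foreach (var name in onDisk)
        {
            string expected;
            if (!approved.TryGetValue(name, out expected))
                problems.Add(name + ": not on approved list");
            else if (!string.Equals(HashFile(Path.Combine(dir, name)), expected, StringComparison.OrdinalIgnoreCase))
                problems.Add(name + ": hash mismatch");
        }
        problems.AddRange(approved.Keys.Except(onDisk, StringComparer.OrdinalIgnoreCase).Select(n => n + ": missing"));
        return problems;
    }

    static void Main()
    {
        // Constructed sample: two stand-in "DLLs" in a temporary directory.
        string dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
        File.WriteAllBytes(Path.Combine(dir, "core.dll"), new byte[] { 1, 2, 3 });
        File.WriteAllBytes(Path.Combine(dir, "ui.dll"), new byte[] { 4, 5, 6 });
        // Assumption: the approved list is generated at build time and shipped with the app.
        var approved = Directory.GetFiles(dir, "*.dll")
            .ToDictionary(p => Path.GetFileName(p), p => HashFile(p), StringComparer.OrdinalIgnoreCase);
        Console.WriteLine(Check(dir, approved).Count);                            // untouched install
        File.WriteAllBytes(Path.Combine(dir, "ui.dll"), new byte[] { 4, 5, 7 });  // patched file
        File.WriteAllBytes(Path.Combine(dir, "extra.dll"), new byte[] { 9 });     // injected file
        File.Delete(Path.Combine(dir, "core.dll"));                               // removed file
        foreach (var p in Check(dir, approved)) Console.WriteLine(p);
        Directory.Delete(dir, true);
    }
}
```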