tags:

views:

244

answers:

7
+2  Q: 

Need advice to design 'crack-proof' software

I am currently working on a project where i need to create some architecture, framework or any standards by which i can "at least" increase the cracking method for a software, i.e, to add to software security. There are already different ways to activate a software which includes online activation, keys etc. I am currently studying few research papers as well. But there are still lot of things that i want to discuss.

Could someone guide me to some decent forum, mailing list or something like that? or any other help would be appreciated.

+5  A: 

Isn't it a sign of success when your product gets cracked? :)

Seriously though - one approach is to use License objects that are serialized to XML and then encrypted using public/private key pairs. They are then read back in at runtime, de-serialized and processed to ensure they are valid.

But there is still the ubiquitous "IsValid()" method which can be cracked to always return true.

You could even put that method into a signed assembly to prevent tampering, but all you've done then is create another layer of "IsValid()" which too can be cracked.

We use licenses to turn on or off various features in our software, and to validate support/upgrade periods. But this is only for our legitimate customers. Anyone who wants to bypass it probably could.

We trust our legitimate customers to not try to bypass the licensing, and we accept that our illegitimate customers will find a way.

We would waste more money attempting to imporve the 'tamper proof' nature of our solution that we loose to people who pirate software.

Plus you've got to consider the pain to our legitimate customers, and asking them to paste a license string from their online account page is as much pain as I'd want to put them through. Why create additional barriers to entry for potential customers?

Anyway, depending on which solution you've got in place already, my description above might give you some ideas that might decrease the likelyhood someone will crack your product.

Michael Shimmins  2010-03-05 01:51:07
yeah, i understand the pain and cracking the "validate" method. I know that making an ultimate crack proof thing is not possible as long as your validation depends on some mathematical calculation and some communication between server and client, since communicaton can be spoofed and math can be reserse engineer.The point i am looking for all the possible solution or some forum where i can discuss different things with geeks who are already working on it.
alee  2010-03-05 02:14:47
+9  A: 

I'll tell you the closest thing to "crackproof": a web application.

Desktop applications are doomed, for many other reasons, but making your application run "in the cloud", in a browser, gives you a lot more control about security.

A desktop software runs on the client's computer, so the client has full access to it. A web app runs on your server, so the client only sees a tiny bit of it.

nute  2010-03-05 02:25:39
Also, if you absolutely need a desktop app. You could also make some of the core features run on a remote server. That way the user can only work while you let him, and you can revoke access remotely. Of course this means the application will only work while online. But hey, this is the 21st century, who's offline?
nute  2010-03-05 02:29:18
Anyone who lives in a suburb with old cables, underground, into which the water gets whenever it rains heavily...
detly  2010-03-05 17:22:17
+3  A: 

As others have mentioned, once you release the bits to users you have given up control of them. A dedicated hacker can change the code to do whatever they want. If you want something that is closer to crack-proof, don't release the bits to users. Keep it on the server. Provide access to the application through the Internet or, if the user needs a desktop client, keep critical bits on the server and provide access to them via web services.

Brian  2010-03-05 02:25:54
+2  A: 

Like others have said, there is no way of creating a complete crack-proof software, but there are ways to make cracking the software more difficult; most of these techniques are actually used by bad guys to hide the malware inside binaries and by game companies to make cracking and copying the games more difficult.

If you are really serious about doing this, you could check e.g., what executable packers like UPX do. But then you need to implement the unpacker also. I do not actually recommend doing this, but studying game protectors and binary obfuscation might help you in your quest.

Tuomas Pelkonen  2010-03-05 16:00:40
thanks a lot. thats are a helpful advice and a new guidelines :)
alee  2010-03-05 20:35:20
+3  A: 

You need to begin by infiltrating the local hacking gang, posing as an 11 year old who wants to "hack it up". Once you've earned their trust you can learn what features they find hardest to crack. As you secretly release "uncrackable" software to the local message boards, you can see what they do with it. Build upon your inner knowledge until they can no longer crack your software. When that is done, let your identity be known. Ideally, this will be seen as a sign of betrayal, that you're working against them. Hopefully this will lead them to contact other hackers outside the local community to attack your software.

Continue until you've reached the top of the hacker mafia. Write your thesis as a book, sell to HBO.

s_hewitt  2010-03-05 16:21:24
lol .. .. can i get some underground contacts of that mafia?
alee  2010-03-05 20:36:23
+3  A: 

As nute said, any code you release to a customer's machine is crackable.

Don't try for "uncrackable." Try for "there's enough deterrent to reasonably protect my assets."

There are a lot of ways you can try and increase the cost of cracking. Most of them cost you but there is one thing you can do that actually reduces your costs while increasing the cost of cracking: deliver often.

There is a finite cost to cracking any given binary. That cost is increased by the number of binaries being cracked. If you release new functionality every week, you essentially bifurcate your users into two groups:

  1. Those who don't need the latest features and can wait for a crack.
  2. Those who do need the latest features and will pay for your software.

By engaging in the traditional anti-cracking techniques, you can multiply the cost of cracking one binary an, consequently, widen the gap between when a new feature is released and when it is available on the black market. To top it all off, your costs will go down and the amount of value you deliver in a period of time will go up - that's what makes it free.

The more often you release, the more you will find that quality and value go up, cost goes down, and the less likely people will be to steal your software.

 2010-03-24 04:57:48
+1 for "deliver often", plus many other great points in this post.
mxmissile  2010-03-24 05:04:07
+1 to your +1 for agreeing with me. :)
 2010-03-24 05:10:38
A: 

First of all, in what language are you writing this? It's true that a crack-proof program is impossible to achieve, but you can always make it harder. A naive approach to application security means that a program can be cracked in minutes. Some tips:

If your deploying to a virtual machine, that's too bad. There aren't many alternatives there. All popular vms (java, clr, etc.) are very simple to decompile, and no obfuscator nor signature is enough.

Try to decouple as much as possible the UI programming with the underlying program. This is also a great design principle, and will make the cracker's job harder from the GUI (e.g. enter your serial window) to track the code where you actually perform the check

If you're compiling to actual native machine code, you can always set the build as a release (not to include any debug information is crucial), with optimization as high as possible. Also in the critical parts of your application (e.g. when you validate the software), be sure to make it an inline function call, so you don't end up with a single point of failure. And call this function from many different places in your app.

As it was said before, packers always add up another layer of protection. And while there are many reliable choices now, you can end up being identified as a false positive virus by some anti-virus programs, and all the famous choices (e.g. UPX) have already pretty straight-forward unpackers.

there are some anti-debugging tricks you can also look for. But this is a hassle for you, because at some time you might also need to debug the release application!

Keep in mind that your priority is to make the critical part of your code as untraceable as possible. Clear-text strings, library calls, gui elements, etc... They are all points where an attacker may use to trace the critical parts of your code.

Waneck  2010-07-16 04:02:50

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security