Re: Trying to build a copy protection system

Discussion in 'C++' started by Nobody, Aug 9, 2012.

  1. Nobody

    Nobody Guest

    On Wed, 08 Aug 2012 13:10:32 -0700, jeff wrote:

    > I am trying to build a copy protection system where the user authenticates
    > to my server and the server sends a decryption key. Then without writing
    > the key to the hard drive I want to load an encrypted executable in
    > memory, decrypt it, leaving the decrypted form in memory and run the
    > executable from there.


    Any information which could possibly be of use to you is OS-specific, so
    you'd be better off asking on a group dedicated to your target OS.
     
    Nobody, Aug 9, 2012
    #1
    1. Advertising

  2. Nobody

    Sjouke Burry Guest

    jeff <> wrote in
    news::

    > On 08/08/2012 07:54 PM, Nobody wrote:
    >> On Wed, 08 Aug 2012 13:10:32 -0700, jeff wrote:
    >>
    >>> I am trying to build a copy protection system where the user
    >>> authenticates to my server and the server sends a decryption key.
    >>> Then without writing the key to the hard drive I want to load an
    >>> encrypted executable in memory, decrypt it, leaving the decrypted
    >>> form in memory and run the executable from there.

    >>
    >> Any information which could possibly be of use to you is OS-specific,
    >> so you'd be better off asking on a group dedicated to your target OS.
    >>

    >
    >
    > Thanks, finally someone actually provides an answer instead of just
    > saying that the effort is futile. Well last time I ever consider
    > posting in this group since it seems no one is interested in providing
    > answers, and instead just wants to criticize what I am trying to do.
    >


    Why should we assist to write shady software?
    Why try to **** your cutomers?(with our assistance?)
     
    Sjouke Burry, Aug 9, 2012
    #2
    1. Advertising

  3. Nobody

    Jorgen Grahn Guest

    On Thu, 2012-08-09, jeff wrote:
    > There is
    > still only one person who has responded with anything that is helpful.


    By your criteria, I count at least two. I think it was Paavo who early
    on sketched up the connection (or lack thereof) between what you
    wanted to do and the C++ language.

    /Jorgen

    --
    // Jorgen Grahn <grahn@ Oo o. . .
    \X/ snipabacken.se> O o .
     
    Jorgen Grahn, Aug 10, 2012
    #3
  4. Nobody

    Lynn McGuire Guest

    On 8/10/2012 2:37 PM, jeff wrote:
    > On 08/10/2012 12:15 PM, Scott Lurndal wrote:
    >> jeff<> writes:
    >>> On 08/10/2012 07:08 AM, Scott Lurndal wrote:
    >>>> jeff<> writes:
    >>>>> On 08/09/2012 02:42 PM, Scott Lurndal wrote:
    >>>>>> jeff<> writes:
    >>>>>>
    >>>>>>> I would suggest that you do not continue to post on here talking about
    >>>>>>> things you are completely ignorant of. Just because some companies have
    >>>>>>> put in oppressive DRM and have caused problems for legitimate users
    >>>>>>> (some of which I have ran into and have dealt with the problems caused
    >>>>>>> by it) does not mean that everyone who wants to protect the software is
    >>>>>>> going to do that.
    >>>>>>
    >>>>>> Why don't you just use FlexLM (FlexNet Publisher) like everyone else that
    >>>>>> licenses commercial software?
    >>>>>>
    >>>>>> scott
    >>>>> Because everyone (Including me) knows how to crack or get around that.
    >>>>
    >>>> You have a pretty low opinion of your customer, it appears.
    >>> I happen to be working with companies that are currently using software
    >>> where they have cracked FlexLM. I also have talked to people who do not
    >>> know anything about DRM and they were able to get around restrictions on
    >>> FlexLM licenses. Using FlexLM is pretty much the same as using nothing
    >>> therefore it is a waste of money.

    >>
    >> So ARMH, Cadence, Synopsis, Intel, AMD, et. al. are wasting money by relying on
    >> FlexLM for their licensed software?
    >>
    >> Having run licensed software for 30+ years, I've never seen a company
    >> attempt to bypass or otherwise eliminate flexlm restrictions on the
    >> software they run (even my startup, which had several hundred cadence
    >> licenses, had no incentive to attempt to cheat cadence).
    >>
    >> That isn't meant to imply that no company will attempt to bypass licensing
    >> restrictions, but I'd argue that the number of companies which do attempt
    >> to bypass such license restrictions are a significant minority and not really
    >> worth worrying about.
    >>
    >> If you suspect, or become aware of such poor behavior, feel free to get the
    >> BSA involved (no, not the Boy Scouts of America) - they'll be happy to do
    >> an audit and take a cut of the results.
    >>

    > The point is that to get around some restrictions in FlexLM in Linux takes no more than a single line change in a config file. Also
    > there is apparently no verification on the date so simply changing the date in the BIOS on the computer appears to remove time
    > restrictions. Minimal knowledge and no programming are required for that. There is obviously more to some of it than I mention here
    > but that is the basic idea. Also if you think that those companies are not wasting their money then I would point out to you that
    > many companies have invested in copy protection and DRM methods that never really worked but they continued to put millions of
    > dallars into it, the only reason I can come up with for that is someone at the company mistakenly thought that it was worth the money
    > and did not have enough knowledge of what went on under them to realize that it really did nothing.
    >
    > I also happen to know from talking to people who work at and have worked at Cadence for many years that the company knows that there
    > are companies that are using their software without paying them and in many cases they will either ignore it because they could not
    > get enough money from the company to justify legal expenses required to stop it, or they sent sales people there to give the company
    > a good deal on getting the software legally. This has not prevented thousands of Cadence licenses that are being used without being
    > paid for in places like China where they mostly ignore US patent and copyright.
    >
    > I would also say that in about 12 years in IT I have seen about 20+ instances of companies either violating or out right cracking
    > licensing. In most cases it was either a single employee who brought it in and indicated that it was legal, or the company was
    > completely unaware that what they did violated the licensing (usually because no one read the EULA that came with the software they
    > are using). I have made it a point to read the licensing agreements and understand the legal aspects of it because I have seen so
    > many cases of ignorance, but I have yet to see one case where there was any legal action. I have seen cases where the publisher or
    > developer of the software was made aware and they ended up just having sales people contact the company and in some cases scare the
    > company into paying for licenses where they were previously using licenses illegally.


    Go google "Drink or Die". Or just go here:
    http://en.wikipedia.org/wiki/DrinkOrDie
    They were selling a cracked version of our software
    on their server in San Fransisco when the FBI took
    them down. The FBI told me that they made quite
    a bit of money from our software.

    I have successfully sued companies here in the USA
    for using our software without a license.

    However, I have sold two licenses in China and we
    appear to have several hundred users there.

    Lynn
     
    Lynn McGuire, Aug 11, 2012
    #4
  5. Nobody

    Liviu Guest

    "jeff" <> wrote...
    > On 08/09/2012 01:29 PM, Sjouke Burry wrote:
    >>
    >> Why should we assist to write shady software?
    >> Why try to **** your cutomers?

    >
    > How am I trying to **** my customers?
    > What makes this software shady?


    Let me count:

    - you deliberately attempt to obfuscate your actual executable from
    peeping eyes, on the paranoid assumption that any such is malevolent
    towards you; just the opposite, your kind of subversive behavior will
    raise any responsible anti-virus's and rootkit detector's reddest flags;

    - you want to block memory snapshots, which (on the offchance you
    succeed) would also deny legitimate crash dumps; not even insinuating
    that you may someday write a bug ;-) but if that were to ever happen
    and you are not able to duplicate it in house, or if the client has some
    other unique misconfig which crashes _your_ software, and you deny
    yourself the last line of defense, a full memory dump, you'll lose both
    credibility and clients very soon;

    - you wish to disallow running inside virtual machines; it's illusory
    that you can even come close to foolproofing that wish, but again
    on the offchance that you managed to, you'd aggravate many
    corporate ITs who migrated their users to VMs in recent years;

    - under your scheme, if the client is on a flight without 'net access,
    he can't run the program; if your site is down, the client software
    stops working; if your site is hijacked, you've just provided a vector
    into your client's network; if your company vanishes entirely, the
    already "sold" software dies with it.

    I did read most of your (highly OT for that matter) thread, and I do
    remember you said it's a vertical high value market. I am somewhat
    familiar with the context, and my comments still apply. Hope you
    have all of the above crystal-clearly spelled out in your contracts,
    otherwise you may find yourself in heaps of real trouble down the road.

    That said, I realize you are too far invested down this dead end to turn
    back now, and will shrug mine off as just another "unhelpful" reply.

    So I'll just echo the sentiment from earlier in the thread:

    >>> Could you let us know what programs/methods/systems
    >>> these are so we could best avoid them?


    Liviu

    P.S. << Also when the companies buy the software (which they will
    buy it because the benefits of using it are to good to ignore) then the
    users will not have a choice on what to use. >>

    "Famous last words" collection never ceases to grow and amaze ;-)
     
    Liviu, Aug 11, 2012
    #5
  6. On Aug 10, 7:24 pm, jeff <> wrote:
    > On 08/10/2012 12:56 AM, David Brown wrote:
    > > On 09/08/2012 20:59, jeff wrote:
    > >> On 08/08/2012 11:53 PM, David Brown wrote:
    > >>> On 09/08/2012 05:20, jeff wrote:
    > >>>> On 08/08/2012 07:54 PM, Nobody wrote:
    > >>>>> On Wed, 08 Aug 2012 13:10:32 -0700, jeff wrote:


    > >>>>>> I am trying to build a copy protection system where the user
    > >>>>>> authenticates
    > >>>>>> to my server and the server sends a decryption key. Then without
    > >>>>>> writing
    > >>>>>> the key to the hard drive I want to load an encrypted executable in
    > >>>>>> memory, decrypt it, leaving the decrypted form in memory and run the
    > >>>>>> executable from there.


    <snip>

    > > The implication from your posts is that your software is large,
    > > valuable, and will only have a few customers in a specialised market.
    > > Customer-hostile DRM is not the way to go. [...]


    > Guess what I am already doing almost everything you have suggested. I
    > have been planning on most of it from the beginning and if you look at
    > my other posts you would know that for starters I am looking for
    > something that will stop at least some users from copying the software,
    > or getting the IP. You will also note that I never mentioned anything
    > that is customer-hostile. If you believe that I did then please by all
    > means point it out and I will probably change it.


    it's a political thing. Some people believe *any* form of DRM is
    customer
    hostile. See Stallman.

    > In another post that I made I said that I do not think that a simple
    > login screen is too much to ask for when the user wants to access the
    > software. I am purposely doing everything that I can to make sure that a
    > legitimate user will see no more than that login screen. Once again I am
    > repeating myself because people apparently are not reading everything
    > that I am posting.
    >
    > Also you are not the one who has provided help.
    >
    > I would also like to point out that I have dealt with and I really hate
    > any Customer-hostile DRM and I believe that all companies take the wrong
    > approach to DRM and I am doing everything that I can to avoid that
    > because I know that it does not work and in the end it just pushes
    > people to cracking the DRM so they do not have to deal with it.


    if you have a small number of users, have you considered a dongle
    approach?
     
    Nick Keighley, Aug 11, 2012
    #6
  7. Nobody

    Nobody Guest

    On Thu, 16 Aug 2012 12:11:11 -0700, jeff wrote:

    > I am really confused about you saying that it adds nothing to security
    > when I know that is not true.


    The check for the dongle or server is still in software, and can be
    removed.

    If you want DRM which actually works, you need to leave some critical
    portion of your program on the dongle or server, so that any would-be
    cracker has to re-implement that code in spite of not knowing what it's
    supposed to do. For a dongle, this means that it has to include some form
    of processor.
     
    Nobody, Aug 16, 2012
    #7
  8. On Aug 16, 8:11 pm, jeff <> wrote:
    > On 08/11/2012 11:52 AM, Andy Champ wrote:
    >
    > > On 11/08/2012 13:07, Nick Keighley wrote:
    > >> if you have a small number of users, have you considered a dongle
    > >> approach?

    >
    > > That gets around the problems of the software not working when the
    > > customer has no network connection (etc).

    >
    > > It adds nothing to security.


    it appears to

    > Dongles can help as long as they are implemented correctly. As will all
    > security they are not perfect but it is an easy way to add some
    > security. I do not believe it is too much to ask to have the
    > workstations able to communicate with my server for authentication


    a network connection is not always available in my case

    > so I
    > am not worried about that. If the company is worried about that part I
    > can always setup a VPN connection that they connect through.
    >
    > I am really confused about you saying that it adds nothing to security
    > when I know that is not true. I have read a lot of information about it
    > and spoken with engineers at the companies that make the dongles and the
    > modern ones that are used have not been emulated yet that anyone knows
    > about. That does not mean that the checks for the dongles cannot be
    > disabled but that requires someone with a lot of technical expertise to
    > make those changes to the software. I am by no means saying that it
    > cannot be done, I am just saying that it makes it considerably more
    > difficult and therefore it adds to security.
     
    Nick Keighley, Aug 22, 2012
    #8
  9. Nobody

    Guest

    On Thursday, August 16, 2012 9:03:48 PM UTC+2, jeff wrote:
    > I am using a dongle. I am just looking for more, since the dongles are lacking in certain areas that I am trying to close without causing problems for the users.


    I was working in a place that was using a dongle (world-known provider of such solutions). Well, it turns out that there was a virtual driver that that would imitate the dongle on a given port. We knew about it, we knew whichcustomer was doing it, and we did strictly nothing. Why? It was a good customer. He was using our software and was bringing a lot of money in for us.We could have gone after him about it, but

    1. this would cause us work (e.g. legal)
    2. it could ("would" is a better word) have alienated the customer.

    This is the position you want to be in - you want your product to bring money by virtues other than being hard to crack. From this discusssion, it certainly looks like that is not the case.

    Goran.
     
    , Aug 22, 2012
    #9
  10. Nobody

    Dombo Guest

    Op 22-Aug-12 11:42, schreef:
    > On Thursday, August 16, 2012 9:03:48 PM UTC+2, jeff wrote:
    >> I am using a dongle. I am just looking for more, since the dongles are lacking in certain areas that I am trying to close without causing problems for the users.

    >
    > I was working in a place that was using a dongle (world-known provider of such solutions). Well, it turns out that there was a virtual driver that that would imitate the dongle on a given port. We knew about it, we knew which customer was doing it, and we did strictly nothing. Why? It was a good customer. He was using our software and was bringing a lot of money in for us. We could have gone after him about it, but
    >
    > 1. this would cause us work (e.g. legal)
    > 2. it could ("would" is a better word) have alienated the customer.


    3. The customer might have a valid reason to do so.

    I understand the (IMO justifyable) desire for DRM. The problem with DRM
    is that it tends to hurt paying customers much more (especially the
    aggressive ones) than the dishonest users. Some DRM mechanisms have such
    severe side effects that the only reasonable course of action is to use
    the hacked version, even if you have paid for the product.
     
    Dombo, Aug 22, 2012
    #10
  11. Nobody

    Guest

    On Thursday, August 23, 2012 12:48:08 AM UTC+2, jeff wrote:
    > On 08/22/2012 02:42 AM, wrote:
    >
    > > On Thursday, August 16, 2012 9:03:48 PM UTC+2, jeff wrote:

    >
    > >> I am using a dongle. I am just looking for more, since the dongles arelacking in certain areas that I am trying to close without causing problems for the users.

    >
    > >

    >
    > > I was working in a place that was using a dongle (world-known provider of such solutions). Well, it turns out that there was a virtual driver thatthat would imitate the dongle on a given port. We knew about it, we knew which customer was doing it, and we did strictly nothing. Why? It was a goodcustomer. He was using our software and was bringing a lot of money in forus. We could have gone after him about it, but

    >
    > >

    >
    > > 1. this would cause us work (e.g. legal)

    >
    > > 2. it could ("would" is a better word) have alienated the customer.

    >
    > >

    >
    > > This is the position you want to be in - you want your product to bringmoney by virtues other than being hard to crack. From this discusssion, itcertainly looks like that is not the case.

    >
    > >

    >
    > > Goran.

    >
    >
    >
    > First I have to say that would have to have been an old dongle because I


    That was in 2010. I don't work there anymore, so I don't know what the status is now. I don't know what you consider "old".

    Goran.
     
    , Aug 23, 2012
    #11
  12. Nobody

    Robert Miles Guest

    On 8/22/2012 5:37 PM, jeff wrote:
    > On 08/22/2012 01:56 AM, Nick Keighley wrote:
    >> On Aug 16, 8:11 pm, jeff<> wrote:
    >>> On 08/11/2012 11:52 AM, Andy Champ wrote:
    >>>
    >>>> On 11/08/2012 13:07, Nick Keighley wrote:

    [snip]
    >>> Dongles can help as long as they are implemented correctly. As will all
    >>> security they are not perfect but it is an easy way to add some
    >>> security. I do not believe it is too much to ask to have the
    >>> workstations able to communicate with my server for authentication

    >>
    >> a network connection is not always available in my case

    >
    > I can tell you that is not the norm especially when you consider that it
    > is not likely that users would even be allowed to use the software when
    > they are travelling.


    So you prefer to require all your customers to have a backup internet
    connection from a different ISP, and test the backup frequently, to
    cover times when their primary ISP does not provide a working internet
    connection?

    For this problem, traveling is not an issue.
     
    Robert Miles, Sep 15, 2012
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andrew Cooper
    Replies:
    7
    Views:
    495
    Robert Miles
    Sep 15, 2012
  2. Replies:
    0
    Views:
    401
  3. Lynn McGuire
    Replies:
    2
    Views:
    446
    Lynn McGuire
    Aug 21, 2012
  4. Replies:
    1
    Views:
    353
    Pavel
    Sep 18, 2012
  5. Öö Tiib
    Replies:
    1
    Views:
    351
    Öö Tiib
    Aug 23, 2012
Loading...

Share This Page