What can a developer REALLY do

[Jasper]

Use of the Unique ID, coupled with effective online tracking as users change hardware, should allow developers to prevent that particular copy of their software from being used on another device. Assuming the check code is cleverly and cunningly hidden.

All this assumes your EULA only allows for one device at a time, but this is reasonable I believe. After all how many different players can be playing the SAME (uncopied) music CD, at the same time.

[BurningSheep]

[BS[214]]

[BurningSheep]

[Jasper]

[BS[214]]

[Jasper]

[randall]

[Malmer]

[Hosed]

Malmer: About a private forum for this. VERY bad idea. If you wish to discuss the matter with someone and share ideas just do it PM with people you know and trust. A private forum would serve nothing more then to become a target for hackers so they can see what we're talking about.

Not only that, but the point Phantom and others are making is that the source for the checks isn't going to help anyone because they still have to edit the executable and remove the ludicrous number of them.

This all reminds me of the discussion from a year ago on Flipcode in response to an article by Phantom or Mignight (can't recall who now).

The best thing developers can do is openly share ideas about protection just like crackers openly share ideas about cracking that protection. Just don't name specifics about your particular app and talk about the ideas behind it. Yeah, it gives them an idea of where to start, but remember, any good cracker can identify your scheme in a matter of minutes just from experience anyways. We're combating people who do this for a profession. They'll always know more then we as individuals, but if we pool our ideas in threads like this we can atleast find out what didn't work and that's a definate advantage over how protection schemes have been developed in the past.

Anyone remember those retarded manual based protection schemes for disk games from the 80s and early 90s?

We'll never stop warez and that shouldn't be the goal. Our goal, as developers, is to slow it down so we can have the maximum reasonable sales cycle unhindered and the only way to do that is to not use one all-encompassing scheme.

[BS[214]]

Hosed comment about the crackers knowing what your protection is in a few momments reminded me of a major weakness the crackers usualy use.. String Searches.

All they have to do is open your registration dialog and write down what your prompt says. Then open a Decompiler and rin a string search for the exact same text (ie: 'Enter serial number' or whatever you ask)

This pops them strait into your registration routines, where they can get the variable for the stored serial and run searches from there.

The way around it, use a variable to store this string. A good cracker will realize they are still in the declerations portion of your program and search for a variable link, but it will throw off a large number of inexperanced crackers.

Also, Copy that exact phrase to several other locations in your program, perhaps assigning it to diferent variables to make backtracking the real variable even harder.

note, this is not the only text string they use. You will also need to do this with strings from any pop-up nag screens, if the title says [unregistered] or something like that, and if your help=>About screen displays the registration status.

[Malmer]

Or one could just use an image to display the text...

An other thing that should be avoided is registry checks in the wrong places.

[fzammetti]

What it seems that it comes down to, and this also jives with my experience from years ago, is that the best way to slow down a cracker (remembering that you probably can't stop them outright) is not to try and be so clever, but to instead make it so hard as to not be worth their time and effort.

Bits of varied check code all over your game, key values stored in numerous locations (registry, CE datastore, file system, etc.), obviously a file checksum for the entire file, keys that are of sufficient length and based on something unique to each user (First Name/Last Name, things that won't change too often or at all), no obvious strings to search for...

It's kind of like being a magician actually... most of the best illusions you see are based on very simple concepts, but there is so much misdirection going on that the audience doesn't have a clue.

It'll all get cracked, but if it takes a week to do, most will just give up, leaving only the top crackers, which you weren't going to stop in the first place.

At least that's my strategy going forward. I'm not going to do anything that takes me a great deal of time, but just enough that it takes THEM a great deal of time!

[Jasper]

[simonjacobs]