More copy protection...

[CurryPaste]

Vertion, thanks for the insider info. Now the interesting question becomes: how would you crack Urs idea described above?

[Vertion]

[Urs]

Well, from what I read above in this thread, he is trying to use a kind of steganography and encryption, at least in part.

I never bothered with encryption. I actually recommended the same kind of hashing like you proposed (a fixed number of key/hash pairs), as an extenion to per-customer unique elements (which may be reversible). This is to avoid keygens. As there haven't been many keygens these days...

As for the delays... we're talking about audio plug-in software. Audio is about a lot of processes that take time. There is no need to call system routines to measure time when we're dealing with bars, measures, events and samples being processed.

There's a simple way to make monitoring system calls really tedious, especially file access. Firstly, one need to randomize. A simple randomize without system access is

int randomIndex = (AnyPointer >> 4) & 0x3FFF; // let malloc be your random number generator

Then, while accessing all the files your stuff needs to work (e.g. hundreds of UI image files), decrement randomIndex. Once it's at 0, load the file you don't want the cracker to follow up upon:

myDispatcher->dispatch( k_LoadFile, "pathToImage", myPicLoader );
randomIndex--;
if( !randomIndex ) { myDispatcher->dispatch( k_LoadFile, HIDESTRING("pathToFile"), myCP_Handler ); }

This way the file won't be loaded every time, and never at the same position within the necessary file loads. If you choose 0x3FFF (whatever) to be, say, 1000 times larger than the number of files your plug-in loads, there's a good chance a cracker will never see this. A collector will never run into this. But a power user will.

- U

[joshb]

Hey Urs,

Maybe you missed my earlier question...

Do you any thoughts on using some form of a machineID in the serial?

I was thinking about doing something similar to what you suggested above with hashing the name of the user, and when he registers the plugin, get a machineID and make a new license code out of that and the hash of the user, and that's what get's saved to disk. The idea being that a user couldn't then just share the license file with others because the machineID wouldn't match.

Thoughts?

[Vertion]

[Urs]

Hehehe, you're giving me too much credit. I'm not working in isolation, I have a great team doing stuff.

You have a good point about statistical analysis. I'll mull over this for a bit.

Thing is however, plug-ins write a lot. There are preferences files, there are presets and - most importantly - plug-in states saved with host projects. So there area various document files and formats that can be used to store stuff. We also have a license file, which we don't hide.

My mantra for copy protection is to move things from the realm of logic to the realm of data. I'm sure that code wizzards with the right tools (IDA?) can easily find and understand portions of code. However, my protection stuff is never "one thing in one place". It's usually a set of simple mechanics that span different areas. The most important bit is to use sections of code that are generally necessary to run the plug-in. So the stuff called in one sequence does this or that for the plug-ins purpose, but when called in another sequence or with a different set of data it does copy protection.

[Urs]

Do you any thoughts on using some form of a machineID in the serial?

I have not done any form of challenge/response, so I don't know much about it... you need system calls though, which is an easy trace (because you won't need it for anything else)

[nonnaci]

Are there automatic ways to deeply entangle copy-protection schemes with the functionality of the code so that tampering with the former results in the failure of the latter at some pseudo-random date or set of conditions?

[Urs]

Are there automatic ways to deeply entangle copy-protection schemes with the functionality of the code so that tampering with the former results in the failure of the latter at some pseudo-random date or set of conditions?

That smells like trouble to me.

[Richard_Synapse]

Afaik everything that uses encryption/decryption will be cracked quickly. They usually just swap the public key for their own out of the binary and write a keygen for it.

Not sure about packing/encrypting, but (randomized) code obfuscation seems rather unbreakable to me. Unfortunately, those techniques are prone to produce false AV positives, precisely for that reason.

Richard

[Vertion]

[FabienTDR]

I seriously wonder how all this invested energy, time and complexity really improves profitability and popularity at the end of the day.

Especially in a scene typically offering regular updates and as experience shows, rather limited product life-spans ("version 2 next year").

Every developer, audience and business model certainly has its own optimal balance between anti piracy and profitability. But all this feels a bit like throwing nukes on pigeons. 15 years ago, with a much lower acceptance for digital products and online payments, the situation certainly was a different one, but is anti piracy really a wise investment in 2017?

[nonnaci]

I seriously wonder how all this invested energy, time and complexity really improves profitability and popularity at the end of the day.

Especially in a scene typically offering regular updates and as experience shows, rather limited product life-spans ("version 2 next year").

Every developer, audience and business model certainly has its own optimal balance between anti piracy and profitability. But all this feels a bit like throwing nukes on pigeons. 15 years ago, with a much lower acceptance for digital products and online payments, the situation certainly was a different one, but is anti piracy really a wise investment in 2017?

Probably will need statistics and analytics to back some of those decisions up. e.g. is the younger generation pirating the most? Sale distribution between amateurs vs professionals? Competing products more accessible / also piratable?

[Vertion]

I think piracy has tanked over the years because the latest generation is a different sort (cell phones, social media). I grew up in the early MSDOS days..first PC was actually a TI-99..then a Tandy 286xt.. back then ASM was hot on and off. Demo groups and cracker groups often went hand in hand. I remember when I was a kid and I played Lemmings on my uncle's PC, looked at the other executables in the directory and found a little animated musical ANSI demo that captivated me.. I had no idea at the time it was a cracker group demo. It turned me towards the 90s demoscene and ASM, and my uncle gave me his used college books.. the dragon book, nortons guide to asm, data compression book, encryption book, general algorithms, and renderman/graphics algorithms.. i was like 12 years old when it started.. i kept a large green notebook and tried to come up with novel algorithms every night as I laid in bed.. skip forwards about 26 years, and.... Hi!

I don't mean to sound old, but it's not like it used to be. BBSes were the thing until prodigy, then aol, then early internet, and the arrival of social networks and super-surveillance systems started (Echelon, Prism, etc).. some things are better now but the tech world lost all it's novelty and zing for me some time ago.

I'm pretty sure every one remembers the once famous search engine named after a phrase from the movie Terminator 2. At my age, I'm simply not interested in software subversion. I buy absolutely everything I use so I can feel righteous (smugly so) and pride in that ownership. For example, I want Hive, but until I have the money handy for it.. I will respect the demo.. end of story. Once I buy it, I will feel proud to own it, and it will sound that much sweeter.

The new generation seems like they haven't a clue into our world. Knowing what I know, that's why I suggest keeping the copy protection simple. I'm a guy that actually buys software (being a developer too), so please don't make a hassle for me to install and use because I'm actually giving you my hard-earned money for your work.

[Urs]

I seriously wonder how all this invested energy, time and complexity really improves profitability and popularity at the end of the day.

For me it's more of a psychological thing. Being cracked sucks - very depressing. But being cracked knowing that at some point someone will get "this demo has expired" written all over it when he was in the middle of a production - invaluable.

That said, we can track quite a few sales to anti-piracy measures. The time invested was well spent.