copy protection with hardware dongles

[mr2b]

Hi all, I know there are a few topics here about copy protection but I have one question about hardware dongles like iLok and eLicenser. I'm thinking of using a dongle for one of my future plug-ins and I'm interested if there is someone out there who uses a dongle already for his own project and can tell me a bit about his/her experience with it. I heard that even Cubase was cracked, but I'm not use if this is true.

Are dongle protected plug-ins uncracked for a longer time than plug-ins without (and are they cracked at all?)

Thanks.

[Xenakios]

Are dongle protected plug-ins uncracked for a longer time than plug-ins without (and are they cracked at all?)

Thanks.

If the product is interesting enough, it will be available cracked on Windows within a month of product release. Both iLok and Syncrosoft dongles have been cracked already, there's not much extra effort the crackers need to take for new products. You might try counting on the crackers being lazy and not providing cracks for updated versions of your product. Some pirate users might get frustrated enough having to use an old version of the product to buy it or cease using it. (The latter will be the very likely case anyway.)

The best course of action of course would be no dongle at all. You just cause more effort and expenses to yourself (licensing iLok/Synchrosoft etc is very expensive), that you must transfer in the cost of your product to your customers and high prices never make potential buyers happy.

[djanthonyw]

Instead of using a dongle why don't you just embed the registered user details in the purchased software. It's what Cytomic is doing with The Glue and Camel Audio is doing with Alchemy. It's way more cost effective and apparently works a hell of a lot better than dongles ever will. Don't burden your customers.

[ford442]

i will personally not buy any software with a dongle unless it is something vital like Cubase.. many people run out of USB space especially on laptops.. your other methods are basically just as effective - one very good tactic is to release plenty of updates and support restricted to the registered users..

[aciddose]

cubase was never officially cracked from what i can see, rather they just modified the protection driver renaming it an "emulator". it's probably similar to the BD+ "cracks" where they just took an already decoded key and fed it to their "emulator". the "crack" only works with a specific version of the protected code included in those torrents and doesn't work with anything else at all. if the protection was really cracked or if it was a true emulator, you could run any software using it as if it was a real dongle, and that isn't the case.

ultimately, like any protection, the only way to really protect something is not to reveal it. if you actually let the code run on the host cpu, eventually it can be manually decoded and made to run without the protection.

considering it was around for so long without any problems i'd say it's a pretty secure protection. like BD+, they can just change the format and render the old "cracking" methods obsolete. unlike BD+, they don't need to support the old format anymore meaning it will be literal hell for the crackers to attempt the same trick twice.

[otristan]

Instead of using a dongle why don't you just embed the registered user details in the purchased software. It's what Cytomic is doing with The Glue and Camel Audio is doing with Alchemy. It's way more cost effective and apparently works a hell of a lot better than dongles ever will. Don't burden your customers.

Yep. But either it's just some string in your code that you search replace and it's easy to crack or you need to recompile the whole software for each of your clients and it's a bit painful to implement. You'll need to ask Andy or Ben if I missed something.

As far as I know, latest version of both syncrosoft and iLok have not been cracked.(with non demo version)

No problem regarding implementation on our side.(iLok in our case)

HTH

[Ben [Camel Audio]]

Instead of using a dongle why don't you just embed the registered user details in the purchased software. It's what Cytomic is doing with The Glue and Camel Audio is doing with Alchemy. It's way more cost effective and apparently works a hell of a lot better than dongles ever will. Don't burden your customers.

Yep. But either it's just some string in your code that you search replace and it's easy to crack or you need to recompile the whole software for each of your clients and it's a bit painful to implement. You'll need to ask Andy or Ben if I missed something.

As far as I know, latest version of both syncrosoft and iLok have not been cracked.(with non demo version)

I don't want to go into too many details about exactly how we do things on a public forum, but ... we embed the information in many places and represent the information in different ways. For example, if you simply used 2 bytes and gave each user a unique number, and you put those two bytes in lots of place in the code, and performed different logical operations on those two bytes in different places - eg. xor... then clearly no one can search for that based on just having their licensed version of the program. Sure - they could hack out the information that was displayed visually, but that doesn't mean that if we got hold of the leaked version we couldn't figure out who leaked it, and lock their account, preventing them from getting all the benefits of being a registered user.

The great thing about this approach from a user perspective is that its just as little hassle as having no copy protection at all - they don't need a dongle, they don't need to perform challenge response... Its not copy protection in that I could take my copy and transfer it to as many machines as I like. In the last 10 months since we've been doing this, none of our updates have been released as warez versions (that we could find on the web/torrent trackers, anyway), so the only people who've been using all the new features, fixes and all the new soundbanks and additional free soundbank content have been legit users, which is good for them and good for us. Prior to that, our updates were cracked within less than a week. I'm under no illusions that this may change tomorrow, no system is uncrackable and of course someone may simply spread a licensed version.

Ben

[mr2b]

Hey, thanks for all your replies, very insteresting! I see there are other ways of protection beside dongles.

Just to see, if I understand: if I embed user information, I have to do an individual compile for each download or write the information in the compiled binary to certain places bevore the user downloads its personal copy, right? If I distribute updates via a user area, that can only be accessed by registered user, there are just copies with individual signatures around. Then If a hack comes up I can retrace it back to a single license (if the hacker didn't erase all embedded personal information). That's a cool thing.

But what if one hacks the latest demo version that is free to download? Or are the demos limited in funcionallity in this scenario (e.g. no "save preset" implemented) ?

[John-E34]

Thanks for the explanation Ben, it's why I'm a happy (paying) customer.

I just wish other companies would adopt your approach, and sell products, rather than protection schemes...

(I have the money for Blue AND Sub Boom Bass, but their e'crap prevents me from paying them... ).

[Ben [Camel Audio]]

Just to see, if I understand: if I embed user information, I have to do an individual compile for each download or write the information in the compiled binary to certain places bevore the user downloads its personal copy, right? If I distribute updates via a user area, that can only be accessed by registered user, there are just copies with individual signatures around. Then If a hack comes up I can retrace it back to a single license (if the hacker didn't erase all embedded personal information). That's a cool thing.

Yes - thats all correct. We do the embedding on the server and its entirely automated - not at compile time. This is quite a lot of hassle tho to get right - mainly from the perspective of the server code. A good general rule is to make sure you are using less than 1% of your development time on copy protection issues. So unless this is quite a big product which has had several man years, I'd probably just go with serial or keyfile.

But what if one hacks the latest demo version that is free to download? Or are the demos limited in funcionallity in this scenario (e.g. no "save preset" implemented) ?

Thats certainly a risk. You could remove the save preset functionality. But if you want fully functional time limited demo, the only thing you can do to mitigate this risk is to put in lots of different checks - but of course its crackable if someone is prepared to spend enough time. The demo could exclude some features of the full version - such as containing only a small amount of the preset and sample content, for a start (the amount of content with our Alchemy demo is a small fraction of whats included in the full version). The demo updates could also lag behind the latest full version release too.

Thanks for the explanation Ben, it's why I'm a happy (paying) customer.

Thanks for buying our stuff - I appreciate it

Ben

[DaveHoskins]

Hey Ben, embedding user data is a really great idea, I'm guessing you use a map file to find unused program areas to do this, and update the server offset data every time you make a new release?

I use Share-it for my shop, as I've got little PHP knowledge - too many 'hats' to wear as it is!

I feel like I want to buy your checkout code!

Cheers,
Dave.

[Ben [Camel Audio]]

Hey Ben, embedding user data is a really great idea, I'm guessing you use a map file to find unused program areas to do this, and update the server offset data every time you make a new release?

I use Share-it for my shop, as I've got little PHP knowledge - too many 'hats' to wear as it is!

I feel like I want to buy your checkout code!

Cheers,
Dave.

I can't take the credit for the embedded data idea - it was Arne from Wallander who helped me get going with this approach. Urs started an area where developers can discuss issues like this which they would rather not discuss on a public forum - I gave more details about this approach on there, so take a look there. If you're not a member of that, email Urs about it.

Ben

[GeorgeZ]

and lock their account, preventing them from getting all the benefits of being a registered user

...but then, lets say my PC gets hacked, unbeknownst to me... my account data is stuck in the file, and you close the account...HE'S the LEAKER BOYZ! Ye, job well done...?

It won't be done this simple will it?

I know, hacking a system remotely, and downloading a complete and working version is virtually impossible seeing as I have the right measures in place on my system.... but lets just say, if? What then.

-GeorgeZ

PS: Not giving you shit in any way, shape or form Ben I love my Alchemy, and
wouldn't want anyone to get their grimy mits on it... and not needing
any other bullshit dangly bits to make it work, makes it even doubly more
special to me

[ericj23]

Are dongle protected plug-ins uncracked for a longer time than plug-ins without (and are they cracked at all?)

Thanks.

If the product is interesting enough, it will be available cracked on Windows within a month of product release. Both iLok and Syncrosoft dongles have been cracked already, there's not much extra effort the crackers need to take for new products. You might try counting on the crackers being lazy and not providing cracks for updated versions of your product. Some pirate users might get frustrated enough having to use an old version of the product to buy it or cease using it. (The latter will be the very likely case anyway.)

The best course of action of course would be no dongle at all. You just cause more effort and expenses to yourself (licensing iLok/Synchrosoft etc is very expensive), that you must transfer in the cost of your product to your customers and high prices never make potential buyers happy.

Shame this is almost entirely untrue

Modern dongles are not cracked and that is the end of it - cubase 5.1 is cracked (although it was about a year after relase before it was cracked)but rob papen's verb is not - yet they both use syncrosoft

sound toys is cracked yet waves (neither 6 or version 7 have been cracked - this is roughly 2 years) is not - they both use ilok.

Dongles are defeatable and will continue to be so, but the idea is i takes so long that it buys the seller some time to make money before it is try before don't buy.

[ericj23]

Surely the problem with the camel audio protection is that the crackers need to get hold of two legit copies - compare them and note the differences (and thats pretty easy) and go from there in obfuscating who's copy they used

But like a dongle it may well buy enough time to ensure that sales are made