Which software protector for a commercial vst
-
- KVRAF
- 7896 posts since 12 Feb, 2006 from Helsinki, Finland
Sign (or encrypt, doesn't really matter) the keyfile with a private key (on the server), have plugin check it with a public key.
-
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
We do this, the public key goes inside the plugin and the private key on our server.
The user downloads an encrypted license file generated by our server (with name, email, etc...). This license file can only be decrypted by the public key inside the plugin. That's it.
Crackers will swap or inject their own public key, but they will never be able to have a keygen for your keys (use a 1024-bit o 2048-bit key and you should be fine for years).
Check this from JUCE: https://docs.juce.com/master/tutorial_o ... tatus.html
The important bit is to use the public key inside the plugin and keep the private key, well, private.
The user downloads an encrypted license file generated by our server (with name, email, etc...). This license file can only be decrypted by the public key inside the plugin. That's it.
Crackers will swap or inject their own public key, but they will never be able to have a keygen for your keys (use a 1024-bit o 2048-bit key and you should be fine for years).
Check this from JUCE: https://docs.juce.com/master/tutorial_o ... tatus.html
The important bit is to use the public key inside the plugin and keep the private key, well, private.
-
- KVRAF
- 1748 posts since 2 Jul, 2018
I can confirm this. If you do it properly they cannot create a keygen. There is no working keygen for our products since over a decade. This means that they need to crack every single update of your plug-ins.
As a result they will ' buy' a key with a stolen credit card and distribute it.
But those stolen keys are easy to detect and blacklist. In this case you can do an online check (I do not longer do this) . A technique that turned out to be also very efficient is to blacklist keys also among different products. But beware of the angry thieves that you will have to deal with on public forums. They will quickly accuse you of 'spyware', 'malware' are troll you anywhere.
What most likely also will happen is that crackers will inject parts of the stolen key your binary.
The most efficient way of protection was a company called 'linkbusters'. They remove the illegal stuff from Google and clickhosters. I can recommend this. If you do this properly your sales will go up for 30%.
If you want to protect sensitive parts of the binary check out code virtualizer. It's from the developers of themida
stay away from packers like pecompact or upx as they are also used by virus developers and virus scanners might report false positives on your binary. apart from this the crackers got automatic unpackers for this.
As a result they will ' buy' a key with a stolen credit card and distribute it.
But those stolen keys are easy to detect and blacklist. In this case you can do an online check (I do not longer do this) . A technique that turned out to be also very efficient is to blacklist keys also among different products. But beware of the angry thieves that you will have to deal with on public forums. They will quickly accuse you of 'spyware', 'malware' are troll you anywhere.
What most likely also will happen is that crackers will inject parts of the stolen key your binary.
The most efficient way of protection was a company called 'linkbusters'. They remove the illegal stuff from Google and clickhosters. I can recommend this. If you do this properly your sales will go up for 30%.
If you want to protect sensitive parts of the binary check out code virtualizer. It's from the developers of themida
stay away from packers like pecompact or upx as they are also used by virus developers and virus scanners might report false positives on your binary. apart from this the crackers got automatic unpackers for this.
-
- KVRAF
- 7896 posts since 12 Feb, 2006 from Helsinki, Finland
UPX (and specifically UPX) should be fairly safe as most virus scanners should be able to unpack it (similar to ZIP etc).. but it's only useful as a compression tool. To quote UPX license:
They even have a pinned issue on tracking Anti-Virus issues... but like ... yeah, useless as protection.- UPX is not a software protection tool; by requiring that you use
the unmodified UPX version for your proprietary programs we
make sure that any user can decompress your program. This protects
both you and your users as nobody can hide malicious code -
any program that cannot be decompressed is highly suspicious
by definition.
-
- KVRist
- Topic Starter
- 109 posts since 7 Jun, 2018
Thanks for your comments guys. Re: upx, yeah I am perfectly aware of all that now, so I looked to Themida after a brief investigation.
Re: private and public keys. Again I must apologize because that was really a field I didn't know yet. So I googled and brainstormed a bit. If D is your data, E is the encrypted data, and 'a' and 'b' are the asymmetric keys (no matter which one you consider public and which one private), the problem summarizes to finding a suitable function F and a suitable couple a,b (where a cannot be easily computed as a function of b but it still is) where
F(D,a)=E and F(E,b)=D
or possibly two distinct functions F,G
F(D,a)=E and G(E,b)=D
Or, even, more simply
F(D)=E and G(E)=D where discovering F by knowing G must be very difficult.
Despite being quite expert with maths I admit this is the first time I face and have to consider a similar problem.
In fact it turns out it is not an easy one, I mean, not something you can easily implement by yourself in a custom way. It turns out there are standard established methods to create the key pair and to encrypt asymmetrically, which are pretty all based on large prime numbers and modular arithmetic.
So one would pretty be forced to use standard libraries (like ssl or tls or such things ? No idea).
And I am one who gets easily discouraged by having to spend time and efforts learning to use APIs...
So... I don't know if it is worth the trouble for me... :-/
Re: private and public keys. Again I must apologize because that was really a field I didn't know yet. So I googled and brainstormed a bit. If D is your data, E is the encrypted data, and 'a' and 'b' are the asymmetric keys (no matter which one you consider public and which one private), the problem summarizes to finding a suitable function F and a suitable couple a,b (where a cannot be easily computed as a function of b but it still is) where
F(D,a)=E and F(E,b)=D
or possibly two distinct functions F,G
F(D,a)=E and G(E,b)=D
Or, even, more simply
F(D)=E and G(E)=D where discovering F by knowing G must be very difficult.
Despite being quite expert with maths I admit this is the first time I face and have to consider a similar problem.
In fact it turns out it is not an easy one, I mean, not something you can easily implement by yourself in a custom way. It turns out there are standard established methods to create the key pair and to encrypt asymmetrically, which are pretty all based on large prime numbers and modular arithmetic.
So one would pretty be forced to use standard libraries (like ssl or tls or such things ? No idea).
And I am one who gets easily discouraged by having to spend time and efforts learning to use APIs...
So... I don't know if it is worth the trouble for me... :-/
-
MirkoVanHauten MirkoVanHauten https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=376111
- KVRist
- 408 posts since 12 Mar, 2016
Probably a dumb question, but couldn't you just share your keyfile and it would be a plugin cracked with a "legit" method? Or do you require the plugin to connect to the server each time for a nonce? Or is it coupled to a system ID?
edit: nevermind, Markus has answered this already in part
edit: nevermind, Markus has answered this already in part
-
- KVRAF
- 7896 posts since 12 Feb, 2006 from Helsinki, Finland
Generally speaking ANY kind of custom encryption as good as useless. There is a reason why new ciphers go through a long process before they are adopted in general use; those are designed by the best cryptoanalysts in the world, yet many of them still turn out to be insecure, sometimes in subtle ways, other times in not so subtle ways.elena2 wrote: ↑Mon Jun 27, 2022 9:20 pm In fact it turns out it is not an easy one, I mean, not something you can easily implement by yourself in a custom way. It turns out there are standard established methods to create the key pair and to encrypt asymmetrically, which are pretty all based on large prime numbers and modular arithmetic.
So one would pretty be forced to use standard libraries (like ssl or tls or such things ? No idea).
And I am one who gets easily discouraged by having to spend time and efforts learning to use APIs...
So... I don't know if it is worth the trouble for me... :-/
As for public-key crypto, the RSA algorithm is something that you could implement yourself, though there are standard APIs for every OS (although if you call a crypto-API then that's an obvious place for someone to breakpoint). You pretty much just need some basic arbitrary precision arithmetics which is not difficult in general. In practice there are some details you'd really want to get right, like one should use proper padding (and get the random numbers from your OS secure random number generator as they need to be truly random) and I'd suggest spending a few days reading about various classic RSA vulnerabilities to get an idea of what you're dealing with, but overall it's not too bad if you accept the possibility that you won't get it right (which would probably not be catastrophic in this case).
On the other hand, when it comes to actual key generation, I would definitely just use some standard tool, because getting RSA key-generation right isn't exactly trivial. The primes need to be random enough, they need to be primes, they need to be fair enough from each other and I'm not sure if there are some primes that are just bad for various random reasons.. and you don't want to deal with any of that. OpenSSL command line tool can generate those easily at least, though using some OS crypto-API is another option.
-
- KVRist
- Topic Starter
- 109 posts since 7 Jun, 2018
I decided to require Internet connection only the first time when activating the plugin to generate the keyfile of course, connecting at every launch would make everything easier but I could never adopt such an invasive policy: those are really the things which motivate people to use pirated software instead of the original!MirkoVanHauten wrote: ↑Mon Jun 27, 2022 11:08 pm Probably a dumb question, but couldn't you just share your keyfile and it would be a plugin cracked with a "legit" method? Or do you require the plugin to connect to the server each time for a nonce? Or is it coupled to a system ID?
Yes the keyfile is bound to the machine ID, which is already an intrusive enough policy but I had to choose for a compromise.
