Re: Trying to build a copy protection system

 
 
Nobody
      08-09-2012
On Wed, 08 Aug 2012 13:10:32 -0700, jeff wrote:

> I am trying to build a copy protection system where the user authenticates
> to my server and the server sends a decryption key. Then without writing
> the key to the hard drive I want to load an encrypted executable in
> memory, decrypt it, leaving the decrypted form in memory and run the
> executable from there.


Any information which could possibly be of use to you is OS-specific, so
you'd be better off asking on a group dedicated to your target OS.

 
Sjouke Burry
      08-09-2012
jeff wrote:

> On 08/08/2012 07:54 PM, Nobody wrote:
>> On Wed, 08 Aug 2012 13:10:32 -0700, jeff wrote:
>>
>>> I am trying to build a copy protection system where the user
>>> authenticates to my server and the server sends a decryption key.
>>> Then without writing the key to the hard drive I want to load an
>>> encrypted executable in memory, decrypt it, leaving the decrypted
>>> form in memory and run the executable from there.

>>
>> Any information which could possibly be of use to you is OS-specific,
>> so you'd be better off asking on a group dedicated to your target OS.
>>

>
>
> Thanks, finally someone actually provides an answer instead of just
> saying that the effort is futile. Well last time I ever consider
> posting in this group since it seems no one is interested in providing
> answers, and instead just wants to criticize what I am trying to do.
>


Why should we assist to write shady software?
Why try to **** your customers? (with our assistance?)
 
Jorgen Grahn
      08-10-2012
On Thu, 2012-08-09, jeff wrote:
> There is
> still only one person who has responded with anything that is helpful.


By your criteria, I count at least two. I think it was Paavo who early
on sketched up the connection (or lack thereof) between what you
wanted to do and the C++ language.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
 
Lynn McGuire
      08-11-2012
On 8/10/2012 2:37 PM, jeff wrote:
> On 08/10/2012 12:15 PM, Scott Lurndal wrote:
>> jeff<(E-Mail Removed)> writes:
>>> On 08/10/2012 07:08 AM, Scott Lurndal wrote:
>>>> jeff<(E-Mail Removed)> writes:
>>>>> On 08/09/2012 02:42 PM, Scott Lurndal wrote:
>>>>>> jeff<(E-Mail Removed)> writes:
>>>>>>
>>>>>>> I would suggest that you do not continue to post on here talking about
>>>>>>> things you are completely ignorant of. Just because some companies have
>>>>>>> put in oppressive DRM and have caused problems for legitimate users
>>>>>>> (some of which I have run into and have dealt with the problems caused
>>>>>>> by it) does not mean that everyone who wants to protect the software is
>>>>>>> going to do that.
>>>>>>
>>>>>> Why don't you just use FlexLM (FlexNet Publisher) like everyone else that
>>>>>> licenses commercial software?
>>>>>>
>>>>>> scott
>>>>> Because everyone (Including me) knows how to crack or get around that.
>>>>
>>>> You have a pretty low opinion of your customer, it appears.
>>> I happen to be working with companies that are currently using software
>>> where they have cracked FlexLM. I also have talked to people who do not
>>> know anything about DRM and they were able to get around restrictions on
>>> FlexLM licenses. Using FlexLM is pretty much the same as using nothing
>>> therefore it is a waste of money.

>>
>> So ARMH, Cadence, Synopsys, Intel, AMD, et al. are wasting money by relying on
>> FlexLM for their licensed software?
>>
>> Having run licensed software for 30+ years, I've never seen a company
>> attempt to bypass or otherwise eliminate flexlm restrictions on the
>> software they run (even my startup, which had several hundred cadence
>> licenses, had no incentive to attempt to cheat cadence).
>>
>> That isn't meant to imply that no company will attempt to bypass licensing
>> restrictions, but I'd argue that the number of companies which do attempt
>> to bypass such license restrictions are a significant minority and not really
>> worth worrying about.
>>
>> If you suspect, or become aware of such poor behavior, feel free to get the
>> BSA involved (no, not the Boy Scouts of America) - they'll be happy to do
>> an audit and take a cut of the results.
>>

> The point is that to get around some restrictions in FlexLM in Linux takes no more than a single line change in a config file. Also
> there is apparently no verification on the date so simply changing the date in the BIOS on the computer appears to remove time
> restrictions. Minimal knowledge and no programming are required for that. There is obviously more to some of it than I mention here
> but that is the basic idea. Also if you think that those companies are not wasting their money then I would point out to you that
> many companies have invested in copy protection and DRM methods that never really worked but they continued to put millions of
> dollars into it, the only reason I can come up with for that is someone at the company mistakenly thought that it was worth the money
> and did not have enough knowledge of what went on under them to realize that it really did nothing.
>
> I also happen to know from talking to people who work at and have worked at Cadence for many years that the company knows that there
> are companies that are using their software without paying them and in many cases they will either ignore it because they could not
> get enough money from the company to justify legal expenses required to stop it, or they sent sales people there to give the company
> a good deal on getting the software legally. This has not prevented thousands of Cadence licenses that are being used without being
> paid for in places like China where they mostly ignore US patent and copyright.
>
> I would also say that in about 12 years in IT I have seen about 20+ instances of companies either violating or outright cracking
> licensing. In most cases it was either a single employee who brought it in and indicated that it was legal, or the company was
> completely unaware that what they did violated the licensing (usually because no one read the EULA that came with the software they
> are using). I have made it a point to read the licensing agreements and understand the legal aspects of it because I have seen so
> many cases of ignorance, but I have yet to see one case where there was any legal action. I have seen cases where the publisher or
> developer of the software was made aware and they ended up just having sales people contact the company and in some cases scare the
> company into paying for licenses where they were previously using licenses illegally.


Go google "Drink or Die". Or just go here:
http://en.wikipedia.org/wiki/DrinkOrDie
They were selling a cracked version of our software
on their server in San Francisco when the FBI took
them down. The FBI told me that they made quite
a bit of money from our software.

I have successfully sued companies here in the USA
for using our software without a license.

However, I have sold two licenses in China and we
appear to have several hundred users there.

Lynn

 
Liviu
      08-11-2012
"jeff" <(E-Mail Removed)> wrote...
> On 08/09/2012 01:29 PM, Sjouke Burry wrote:
>>
>> Why should we assist to write shady software?
>> Why try to **** your customers?

>
> How am I trying to **** my customers?
> What makes this software shady?


Let me count:

- you deliberately attempt to obfuscate your actual executable from
peeping eyes, on the paranoid assumption that any such is malevolent
towards you; just the opposite, your kind of subversive behavior will
raise any responsible anti-virus's and rootkit detector's reddest flags;

- you want to block memory snapshots, which (on the off chance you
succeed) would also deny legitimate crash dumps; not even insinuating
that you may someday write a bug but if that were to ever happen
and you are not able to duplicate it in house, or if the client has some
other unique misconfig which crashes _your_ software, and you deny
yourself the last line of defense, a full memory dump, you'll lose both
credibility and clients very soon;

- you wish to disallow running inside virtual machines; it's illusory
that you can even come close to foolproofing that wish, but again
on the off chance that you managed to, you'd aggravate many
corporate ITs who migrated their users to VMs in recent years;

- under your scheme, if the client is on a flight without 'net access,
he can't run the program; if your site is down, the client software
stops working; if your site is hijacked, you've just provided a vector
into your client's network; if your company vanishes entirely, the
already "sold" software dies with it.

I did read most of your (highly OT for that matter) thread, and I do
remember you said it's a vertical high value market. I am somewhat
familiar with the context, and my comments still apply. Hope you
have all of the above crystal-clearly spelled out in your contracts,
otherwise you may find yourself in heaps of real trouble down the road.

That said, I realize you are too far invested down this dead end to turn
back now, and will shrug mine off as just another "unhelpful" reply.

So I'll just echo the sentiment from earlier in the thread:

>>> Could you let us know what programs/methods/systems
>>> these are so we could best avoid them?


Liviu

P.S. << Also when the companies buy the software (which they will
buy it because the benefits of using it are too good to ignore) then the
users will not have a choice on what to use. >>

"Famous last words" collection never ceases to grow and amaze







 
Nick Keighley
      08-11-2012
On Aug 10, 7:24 pm, jeff <(E-Mail Removed)> wrote:
> On 08/10/2012 12:56 AM, David Brown wrote:
> > On 09/08/2012 20:59, jeff wrote:
> >> On 08/08/2012 11:53 PM, David Brown wrote:
> >>> On 09/08/2012 05:20, jeff wrote:
> >>>> On 08/08/2012 07:54 PM, Nobody wrote:
> >>>>> On Wed, 08 Aug 2012 13:10:32 -0700, jeff wrote:


> >>>>>> I am trying to build a copy protection system where the user
> >>>>>> authenticates
> >>>>>> to my server and the server sends a decryption key. Then without
> >>>>>> writing
> >>>>>> the key to the hard drive I want to load an encrypted executable in
> >>>>>> memory, decrypt it, leaving the decrypted form in memory and run the
> >>>>>> executable from there.


<snip>

> > The implication from your posts is that your software is large,
> > valuable, and will only have a few customers in a specialised market.
> > Customer-hostile DRM is not the way to go. [...]


> Guess what I am already doing almost everything you have suggested. I
> have been planning on most of it from the beginning and if you look at
> my other posts you would know that for starters I am looking for
> something that will stop at least some users from copying the software,
> or getting the IP. You will also note that I never mentioned anything
> that is customer-hostile. If you believe that I did then please by all
> means point it out and I will probably change it.


it's a political thing. Some people believe *any* form of DRM is
customer hostile. See Stallman.

> In another post that I made I said that I do not think that a simple
> login screen is too much to ask for when the user wants to access the
> software. I am purposely doing everything that I can to make sure that a
> legitimate user will see no more than that login screen. Once again I am
> repeating myself because people apparently are not reading everything
> that I am posting.
>
> Also you are not the one who has provided help.
>
> I would also like to point out that I have dealt with and I really hate
> any Customer-hostile DRM and I believe that all companies take the wrong
> approach to DRM and I am doing everything that I can to avoid that
> because I know that it does not work and in the end it just pushes
> people to cracking the DRM so they do not have to deal with it.


if you have a small number of users, have you considered a dongle
approach?


 
Nobody
      08-16-2012
On Thu, 16 Aug 2012 12:11:11 -0700, jeff wrote:

> I am really confused about you saying that it adds nothing to security
> when I know that is not true.


The check for the dongle or server is still in software, and can be
removed.

If you want DRM which actually works, you need to leave some critical
portion of your program on the dongle or server, so that any would-be
cracker has to re-implement that code in spite of not knowing what it's
supposed to do. For a dongle, this means that it has to include some form
of processor.

 
Nick Keighley
      08-22-2012
On Aug 16, 8:11 pm, jeff <(E-Mail Removed)> wrote:
> On 08/11/2012 11:52 AM, Andy Champ wrote:
>
> > On 11/08/2012 13:07, Nick Keighley wrote:
> >> if you have a small number of users, have you considered a dongle
> >> approach?

>
> > That gets around the problems of the software not working when the
> > customer has no network connection (etc).

>
> > It adds nothing to security.


it appears to

> Dongles can help as long as they are implemented correctly. As with all
> security they are not perfect but it is an easy way to add some
> security. I do not believe it is too much to ask to have the
> workstations able to communicate with my server for authentication


a network connection is not always available in my case

> so I
> am not worried about that. If the company is worried about that part I
> can always setup a VPN connection that they connect through.
>
> I am really confused about you saying that it adds nothing to security
> when I know that is not true. I have read a lot of information about it
> and spoken with engineers at the companies that make the dongles and the
> modern ones that are used have not been emulated yet that anyone knows
> about. That does not mean that the checks for the dongles cannot be
> disabled but that requires someone with a lot of technical expertise to
> make those changes to the software. I am by no means saying that it
> cannot be done, I am just saying that it makes it considerably more
> difficult and therefore it adds to security.


 
goran.pusic@gmail.com
      08-22-2012
On Thursday, August 16, 2012 9:03:48 PM UTC+2, jeff wrote:
> I am using a dongle. I am just looking for more, since the dongles are lacking in certain areas that I am trying to close without causing problems for the users.


I was working in a place that was using a dongle (world-known provider of such solutions). Well, it turns out that there was a virtual driver that would imitate the dongle on a given port. We knew about it, we knew which customer was doing it, and we did strictly nothing. Why? It was a good customer. He was using our software and was bringing a lot of money in for us. We could have gone after him about it, but

1. this would cause us work (e.g. legal)
2. it could ("would" is a better word) have alienated the customer.

This is the position you want to be in - you want your product to bring money by virtues other than being hard to crack. From this discussion, it certainly looks like that is not the case.

Goran.
 
Dombo
      08-22-2012
On 22-Aug-12 11:42, (E-Mail Removed) wrote:
> On Thursday, August 16, 2012 9:03:48 PM UTC+2, jeff wrote:
>> I am using a dongle. I am just looking for more, since the dongles are lacking in certain areas that I am trying to close without causing problems for the users.

>
> I was working in a place that was using a dongle (world-known provider of such solutions). Well, it turns out that there was a virtual driver that would imitate the dongle on a given port. We knew about it, we knew which customer was doing it, and we did strictly nothing. Why? It was a good customer. He was using our software and was bringing a lot of money in for us. We could have gone after him about it, but
>
> 1. this would cause us work (e.g. legal)
> 2. it could ("would" is a better word) have alienated the customer.


3. The customer might have a valid reason to do so.

I understand the (IMO justifiable) desire for DRM. The problem with DRM
is that it tends to hurt paying customers much more (especially the
aggressive ones) than the dishonest users. Some DRM mechanisms have such
severe side effects that the only reasonable course of action is to use
the hacked version, even if you have paid for the product.
 