Posting Etiquitte?

[Nak]

WOOPS! Wrong place, sorry I'll repost! I wonder where it went :-o

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Nak]

Hi there,

Sorry, I have misposted this, and reposted again. I mean't to start a
new thread, my appologies.

If such a thing were used in this country it would not be privacy invasion.
If however, this 'mechanism' 'published' information that it should not to
persons that it should not then it would be in breach of the Privacy Act.

I agree, I wasn't wanting to publish the information, the whole point is
that the developer can monitor piracy by locating "rogue" licenses available
on the internet. Then they could see where the license came from, and who
was responsible, it was just an idea, I'm not sure how valid that would be.

Holding information itself is not a breach. However, publishing such
information when one is constrained by legislation, regulation or promise is
a breach.
ACK.

From my point of view, aiming at 'as little code as possible' should not be
the prime concern. It should take as make code as it needs to make it
function effectively.

Well the reason I say this is at the moment it is not easy to protect
your .NET apps. and it can seem very daunting. I want this to enable people
to make 30 day trials etc with as little hastle as possible.

Again sorry for the mispost everyone :-(

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Mark Pearce]

Hi Nick,

The type of "private secret" scheme that you propose isn't even trivially
secure - it would take mere minutes to break. Why go to the effort when it's
so easy to crack? And who would want to use a scheme that's so easy to
crack?

If you want to do this properly, you could try writing your own version of
something like this - but be warned, it's not trivial.
http://www.desaware.com/DlsL2.htm

HTH,

Mark
--
Author of "Comprehensive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128


Hi people,

I'm having a bit of a brain storm at the minute and wouldn't mind some
personal opinions on some things.

To license my applications I have decided to make a license manager
service that holds application license files (RSA encrypted). When the
application launches the license manager is consulted as to whether the
application is *allowed* to run or not. The license file for that
particular application is held by the license manager which decrypts it and
responds as necessary.

Now what I wanted to do was make the license file simply an XML file
that contains some information, but it's what information it *should*
contain is what my main concern is, for example...

Obligatory information,

* Name
* Company

"Is this a 'Privacy invasion" information?"

* Contact details
* System information (To prevent the application from being used on more
than 1 system).

Hmmm, any ideas on this?

BTW, this is something that I may want to release for free, so some of
you may be interested in this, I'm certainly interested in making my
applications more secure with as little code as possible are you?

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Nak]

Hi Mark,

Thanks for the link, I shall check it out. I wasn't under the
impression that my method was insecure as I was wanting the license files to
be RSA encrypted and have data that would lock it to the system upon
purchase, RSA can't be cracked by someone on their nintendo game system, can
it?

I shall check out the information though anyway, I have been writing up
quite allot of ideas as this seems like a good idea to get this one out of
the way, and if it was done properly I would have more piece of mind when
releasing my software. I don't want to use some crappy username and serial
number scheme, because I know within a few weeks there will be a key
generator out.

I think RSA is definitely the key but at the end of the day to prevent a
license from being used any other way than intended; it would require
constants from the destination machine, and constants on a system are not
easy to come by. Hmmm..

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Mark Pearce]

Hi Nick,

The strength of the encryption isn't the issue here - as you say, RSA is
fine. The problem is how to keep secure the key that you're using to decrypt
the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Regards,

Mark
--
Author of "Comprehensive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128


Hi Mark,

Thanks for the link, I shall check it out. I wasn't under the
impression that my method was insecure as I was wanting the license files to
be RSA encrypted and have data that would lock it to the system upon
purchase, RSA can't be cracked by someone on their nintendo game system, can
it?

I shall check out the information though anyway, I have been writing up
quite allot of ideas as this seems like a good idea to get this one out of
the way, and if it was done properly I would have more piece of mind when
releasing my software. I don't want to use some crappy username and serial
number scheme, because I know within a few weeks there will be a key
generator out.

I think RSA is definitely the key but at the end of the day to prevent a
license from being used any other way than intended; it would require
constants from the destination machine, and constants on a system are not
easy to come by. Hmmm..

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Nak]

The strength of the encryption isn't the issue here - as you say, RSA is

fine. The problem is how to keep secure the key that you're using to decrypt
the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Aaah, that's were you haven't seen the whole point. It doesn't matter if
someone sees the decrypted data, the whole point is that none else will be
able to make a license file that can be decrypted with my public key. It
isn't possible to simply find the matching key if you have one of the is it?
Not that *I* am aware of anyway.

I had thought about that, but the idea is that when someone purchases
software, I would send them a license file encrypted with *my* private key,
only files encrypted with this key can be decrypted my the application. You
might be thinking that someone could simply crack the program to change the
key that is used to decrypt with, but that would cause my application to
fail as it is "strong named".

I know that *no* software is safe, even with a hardware dongle; software has
been cracked with ease/ But just by adding several layers it fends off the
less able crackers at least. One thing I'm not doing is buying a 3rd party
product, I wouldn't trust anyone else with the task, even if they are
"godlike" programmers.

The finny thing is that Microsoft PA is not a bad way of protecting
software, except for the fact that if you change your hardware configuration
beyond a certain threshold they will de-activate your software. This has
happened to myself before after changing and adding a few components, even
though I have an DELL OEM copy of XP that doesn't need activating my myself.
There are *some* protection software out there that employs similar methods
to PA and they use a points based method, if you change a major piece of
hardware more points are put towards the license being invoked, changing a
hard drive for example would add only a small number of points.

As one wise man once said, "It's all a load of bollocks!"

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Mark Pearce]

Nick,

Trying to reverse-engineer the private key is out of the question - no
hacker/cracker would be that stupid.

A much easier route is to use ildasm to disassemble your app, patch it in
the appropriate place and then ilasm it back into a normal (not
strong-named) assembly, which is then distributed. You can try to get around
this by creating a separate licensing assembly and then strong-naming both
of your assemblies and linking them together so that your licensing assembly
can be called only by your app. So then the cracker might need to
ildasm/ilasm both of your assemblies.

The assembly metadata that .NET provides makes reverse-engineering code a
relatively simple exercise. Even using a code obfuscator won't help you much
if all the cracker has to patch is the licensing part of your code.
least. <<

It only needs a single cracker to break your scheme and distribute a cracked
program for everyone else to use. Windows XP activation, for instance, was
cracked within hours of the RTM being available.
anyone else with the task, even if they are "godlike" programmers. <<

You are correct in not trusting some of the commercial copy protection
schemes, which are pure snake oil. But if you think that you can do better
than, say, a team of specialists who've studied this area for years, then
you're just peddling snake oil yourself.

Regards,

Mark
--
Author of "Comprehensive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128

The strength of the encryption isn't the issue here - as you say, RSA is
fine. The problem is how to keep secure the key that you're using to decrypt
the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Aaah, that's were you haven't seen the whole point. It doesn't matter if
someone sees the decrypted data, the whole point is that none else will be
able to make a license file that can be decrypted with my public key. It
isn't possible to simply find the matching key if you have one of the is it?
Not that *I* am aware of anyway.

I had thought about that, but the idea is that when someone purchases
software, I would send them a license file encrypted with *my* private key,
only files encrypted with this key can be decrypted my the application. You
might be thinking that someone could simply crack the program to change the
key that is used to decrypt with, but that would cause my application to
fail as it is "strong named".

I know that *no* software is safe, even with a hardware dongle; software has
been cracked with ease/ But just by adding several layers it fends off the
less able crackers at least. One thing I'm not doing is buying a 3rd party
product, I wouldn't trust anyone else with the task, even if they are
"godlike" programmers.

The finny thing is that Microsoft PA is not a bad way of protecting
software, except for the fact that if you change your hardware configuration
beyond a certain threshold they will de-activate your software. This has
happened to myself before after changing and adding a few components, even
though I have an DELL OEM copy of XP that doesn't need activating my myself.
There are *some* protection software out there that employs similar methods
to PA and they use a points based method, if you change a major piece of
hardware more points are put towards the license being invoked, changing a
hard drive for example would add only a small number of points.

As one wise man once said, "It's all a load of bollocks!"

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Fergus Cooney]

Hi Nick,

|| One thing I'm not doing is buying a 3rd party product,
|| I wouldn't trust anyone else with the task, even if they
|| are "godlike" programmers.

Not even one who eschews Option Strict On ?

|| You are correct in not trusting some of the commercial
|| copy protection schemes, which are pure snake oil.

I was going to offer to write you a protection scheme based on a
derivative of ASP but then I realised that that would probably just come out
as snake oil.

;-)

Regards,
Fergus

 

[Nak]

Hi Fergus,

Not even one who eschews Option Strict On ?

Then I *would* seriously consider it.

I was going to offer to write you a protection scheme based on a
derivative of ASP but then I realised that that would probably just come out
as snake oil.

Don't you just hate it when you program snake oil, the keyboard gets all
greasy, I'm going to start programming with big rubber gauntlets I think

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Nak]

Hi Mark,

A much easier route is to use ildasm to disassemble your app, patch it in
the appropriate place and then ilasm it back into a normal (not
strong-named) assembly, which is then distributed. You can try to get around
this by creating a separate licensing assembly and then strong-naming both
of your assemblies and linking them together so that your licensing assembly
can be called only by your app. So then the cracker might need to
ildasm/ilasm both of your assemblies.

Yup, I agree that no software is 100% safe unfortunately.

The assembly metadata that .NET provides makes reverse-engineering code a
relatively simple exercise. Even using a code obfuscator won't help you much
if all the cracker has to patch is the licensing part of your code.

Yeah, that's one reason I'm not bothering with code obfuscation. That and
the obfuscators I have tried do not allow Strong naming.

It only needs a single cracker to break your scheme and distribute a cracked
program for everyone else to use. Windows XP activation, for instance, was
cracked within hours of the RTM being available.

Yup, no software is safe, even the ones that employ hardware dongles.

You are correct in not trusting some of the commercial copy protection
schemes, which are pure snake oil. But if you think that you can do better
than, say, a team of specialists who've studied this area for years, then
you're just peddling snake oil yourself.

I personally don't believe that to be a problem, lack of experience doesn't
mean a product would be any less viable. Microsoft have thousands of
employees, billions pounds and years of experience but I would still rather
use competitive "freeware" alternatives against some of their "attempts" for
software. My opinion has always been that if you are able to do the
research correctly and analyse the pro's and con's too then you're always on
for a winner.

The problem with employing a web service is that I can't do that without a
"fanny on", I do not have a permanent IP address and I also have "Free" web
space, which means that I would have to write a locator file to my web site
every time my IP address changes just so the applications could find my web
service. As well as a web service lowering the security of my system, at
current I do not have anything like that running as I have had *enough*
problems with hackers in the past.

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Fergus Cooney]

Hi Mark,

|| I can't do that without a "fanny on",

Just for your information, this isn't an anatomical reference, as I first
thought, lol., nor a reference to a specialised server (same thing, really)
;-)

It means a lot of hassle.

Regards,
Fergus

 

[Fergus Cooney]

Hi Nick,

BIG LOL :-D

I usually put my keyboard into the washing machine at the end of every
week.

Regards,
Fergus

 

[Nak]

It means a lot of hassle.

LOL, as I said, it's a "fanny on"!

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Nak]

I usually put my keyboard into the washing machine at the end of every

week.

LOL

What washing power do you use? Does it have a built in fabric softener? does
it get your whites whiter than white?

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Mark Pearce]

Nick,
correctly and analyse the pro's and con's too then you're always on for a
winner. <<

Maybe in some areas, but not in cryptography or implementation of
cryptography protocols. Here's industry expert Bruce Schneier's scathing
attack on DIY crypto schemes:
http://www.counterpane.com/crypto-gram-9902.html#snakeoil

This is also slightly interesting, also from Bruce Schneier:
http://www.counterpane.com/crypto-gram-9811.html#copy

Regards,

Mark
--
Author of "Comprehensive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128


Hi Mark,

A much easier route is to use ildasm to disassemble your app, patch it in
the appropriate place and then ilasm it back into a normal (not
strong-named) assembly, which is then distributed. You can try to get around
this by creating a separate licensing assembly and then strong-naming both
of your assemblies and linking them together so that your licensing assembly
can be called only by your app. So then the cracker might need to
ildasm/ilasm both of your assemblies.

Yup, I agree that no software is 100% safe unfortunately.

The assembly metadata that .NET provides makes reverse-engineering code a
relatively simple exercise. Even using a code obfuscator won't help you much
if all the cracker has to patch is the licensing part of your code.

Yeah, that's one reason I'm not bothering with code obfuscation. That and
the obfuscators I have tried do not allow Strong naming.

It only needs a single cracker to break your scheme and distribute a cracked
program for everyone else to use. Windows XP activation, for instance, was
cracked within hours of the RTM being available.

Yup, no software is safe, even the ones that employ hardware dongles.

You are correct in not trusting some of the commercial copy protection
schemes, which are pure snake oil. But if you think that you can do better
than, say, a team of specialists who've studied this area for years, then
you're just peddling snake oil yourself.

I personally don't believe that to be a problem, lack of experience doesn't
mean a product would be any less viable. Microsoft have thousands of
employees, billions pounds and years of experience but I would still rather
use competitive "freeware" alternatives against some of their "attempts" for
software. My opinion has always been that if you are able to do the
research correctly and analyse the pro's and con's too then you're always on
for a winner.

The problem with employing a web service is that I can't do that without a
"fanny on", I do not have a permanent IP address and I also have "Free" web
space, which means that I would have to write a locator file to my web site
every time my IP address changes just so the applications could find my web
service. As well as a web service lowering the security of my system, at
current I do not have anything like that running as I have had *enough*
problems with hackers in the past.

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

[Fergus Cooney]

Hi Nick, Mark,

|| http://www.counterpane.com/crypto-gram-9902.html#snakeoil

#snakeoil - LOL.

Regards,
Fergus

 

[Fergus Cooney]

Hi Guys,

Here's one cracker's view - [name changed to reduce the infamy].

[ps. For anyone who disapproves of me posting this publicly - this
material and much more like it (and 'better') is readily available out there.]

<quote>
Hi All!
I'm Stoopid The Cracker and In This Tutorial I'll Explain you How To Crack
Any type of registration protection.
First of all.Use Softice cause i don't like Live Approch.
Ok
Run Your target program and go on the registration dialog,then put
in the dialog any name and any serial number but DON'T press OK
before press "control+d" to pops up softice and in softice sets some
Break points.......for approching with a registration routine we must
breakpoint on api(windows functions) used to read Your name and Your
Sn.
They are
Getwindowtext
GetwindowtextA
Getdlgitemtext
GetdlgitemtextA
Hmemcpy (that's not an api but it's the best)

Well the "A" after the api means 32 bit so if your program is 32 bit
put the A if not don't.Easy!
I always use only Hmemcpy cause it runs 99,9% of the times.
Well now exit from softice by pressing control+d and press ok,if you have set
a working bpx softice will pops up.

Now start the real cracking.....
Press F12 until you can read on the bottom line of SoftIce the name
of the file of the program you're cracking....
then if before your location there's a call ok,if not press again F12 until
you find it.
Then you must step into the code.....(by pressing F10),if in your stepping you
find some
condictional jumps have a look at them......btw step until you find a call
that prompt you
something like a messagebox or something else that prompt you the "You
entered a Wrong code",
well before that call you noticed a condictional jump that jumped on that call
or dindn't jump
over that call....if yes try to inverse the jump (change a jz into a jnz)
or (a better way) change the value of the eip in order to make that jump to
jump or not.
Doing this if you find the good jump the program must prompt you "Thank for
Registering this
****ed program",
now the crack is near to the end...
Often cracking this way you will only prompt the "You Are Regged" but the
program still continue
to be unregged so in order to crack it 100% and easly there are 2 ways

1) trace into the call BEFORE our important condictional jump and try to
understand the code,
in order to find the real compare instrucion that often is kept in this call
not out....if
you find out our real compare instruction,and change the below condictional
jump in order to
make it jump or not(it depends if it before jumped or not,do the reverse).
Ok now the program should be fully cracked!

2) this is a worse way than the first but it works!This way is easyer for
beginners
You must trace into the call before our important codictional jmp,and then put
a bpx in its first line,then press "x" and exit from softice and use the
program in all its functions,create new,open,about,save, and when softice pops
up press "f12" in order to get out that call and look for a near condictional
jump and try to inverse it and look if the program looks like regged, you must
sign up all these condictional jump and inverse it,and your program is
cracked!

Stoopid the Cracker

</quote>

The point is that it is very easy to bypass any security where there is
any easily identifiable and accessible central point. The two best types of
protection are methods that are impossible to crack through sheer
sophistication (whatever that might entail and whenwver someone designs one)
and those that are simply too much effort or too fuzzy.

I would favour a distributed approach where detection of illegality in the
registration or files, etc, leads to a delayed degradation of services, say a
random number of hours/days/keypresses/etc after detection - implemented by
changing encoded settings/menus, or whatever. This means that a hacker would
have to be very dedicated, methodical and patient - and he can never release
the cracked product without wondering if there is some two-week time-bomb
still waiting to disable the program.

The initial registration procedure would make it <very clear> that
tampered-with program <will> fail and include a well-worded disclaimer.

Such a scheme is a challenge to design and implement, probably hell to
test, too - but even more of a challenge to break. ;-)

Regards,
Fergus

 

[Cor]

Hi Fergus, mostly this is true,

Tell someone "You cannot and..........

Such a scheme is a challenge to design and implement, probably hell to
test, too - but even more of a challenge to break. ;-)

And not to forget the times your nice protection scheme goes wrong.
Activate a helpdesk for that.

I've heard many times that people had problems with Internet.
Often that was because the firewall did close everything.
But it has a benefit, you don't get spam
)
Cor