Secretly tracking number of uses

PB · Post by PB » Fri Dec 05, 2003 5:12 am

I want to release an app as trial that expires after 50 uses. However,
secretly storing the number of uses has me stumped. It's too hard to
find a way to do it. Using RegShot, I can spot any changes in the Registry
or hard drive files with no effort.

What's the best way to do it? I know a crack will appear for my app, but
I still believe that "some protection is better than none at all" -- and I also
know that anyone with RegShot will defeat my trial with no crack needed.

Sometimes I wonder if a career in programming is actually worth it...

PolyVector · Post by **PolyVector** » Fri Dec 05, 2003 10:39 am

I got a few tips... no perfect solution tho'

1) Make sure the file or registry entry that stores the number of uses is not the first one checked or the last one checked before the program decides the trial is up... That makes it easy to spot... read/write it at some random point durring the program...

2) If your program is simple and doesn't really store many settings, you may consider adding many fake settings to throw the cracker off... It's a dead giveaway if your program stores 2 numbers and one is how many uses

3) Disguise the number as something else... One way is to put it in a place where important settings are stored for the computer and the cracker might be afraid of changing them...

4) Never leave the number decrypted... it's easy to edit if it's stored as "3" or something obvious... at the very least perform some math equasion on it to make it seem more random....

5) Store the number in a secondary place/way for verification... If the cracker does figure out how to change the first number you'll know with a single conditional statement

6) Once the program determines that the maximum number of uses has been reached, It should create a file w/ random data in it... This file should be checked for BEFORE checking the number of uses each time the program starts... The cracker will have to delete this file before even attempting to crack the counter... and if it's in a system directory, the cracker will be afraid to delete it

That's all I can think of off the top of my head... I hope it helps you out a little...

storck · Post by **storck** » Fri Dec 05, 2003 12:33 pm

Your protection will never stop a cracker. What it can do is to make it hard for regular users to use after it has expired. Some people still don't know about cracking, keygens and such. Like my grandmother.

The most important thing, in my opinion, is to NEVER give any message when the program expires. Also, let the program fool around a while after it has decided to quit. If not, the cracker will just see what set the message or program termination message off. Some false checks may confuse a novice cracker.

In the long run I think you will just have to settle for stopping my grandmother.

Regards,

Storck

PB · Post by PB » Sat Dec 06, 2003 6:47 am

> Your protection will never stop a cracker.

I know.

> What it can do is to make it hard for regular users to use after it has
> expired. Some people still don't know about cracking, keygens and
> such.

That's who I want to stop, but if they use RegShot they can track which
Registry entries/files are being added/modified -- with no need for a
crack or keygen at all.

Thanks to both of you for your comments above. I've started by checking
for any windows containing "registry", "regshot", etc in the title and simply
ending my app immediately if found -- so newbies and non-crackers can't
start my app if those apps are already running. Naturally the text for these
keywords will be encrypted in my exe so they can't be changed with a hex
editor (but anyone smart can change the window titles in those apps instead).

It's going to be a challenge -- one I know that I'll lose, but I have hopes
that at least some honest users will register due to my app's timeout.

PolyVector · Post by **PolyVector** » Sat Dec 06, 2003 8:41 am

Also look for RegMon... Titlebar = "Registry Monitor - Sysinternals: www.sysinternals.com"
it's a popular one...
or how about looking for anything with "Registry" in the title?

J/K

PB · Post by PB » Sat Dec 06, 2003 8:45 am

> how about looking for anything with "Registry" in the title?

Yep: I've started by checking for any windows containing "registry"

> J/K

There's nothing to kid about -- it's a great idea, as it will definitely stop
script kiddies and dumbos from using RegMon, RegShot, etc, with my app.

storck · Post by **storck** » Sat Dec 06, 2003 9:11 am

How about checking for SoftIce and OllyDbg as well? I am not sure how, but they should be targeted if possible.

/Storck

PB · Post by PB » Sun Dec 07, 2003 4:09 am

> How about checking for SoftIce

I don't think that's possible... SoftICE runs "under" Windows and can
launch/step through your app, thus preventing it from knowing that
SoftICE is even there.

PolyVector · Post by **PolyVector** » Sun Dec 07, 2003 5:16 am

I've heard there are methods to detect it... although it could be bull... :/

Post by **Rings** » Sun Dec 07, 2003 10:45 am

PolyVector wrote:I've heard there are methods to detect it... although it could be bull... :/

under nt-based OS'es search for the softice devicedriver.....

MadMax · Post by **MadMax** » Sun Dec 07, 2003 12:48 pm

Dunno much about these kind of things, but how about hiding this data in one of the sprites, surely this would make it quite dificult for any cracker.

Num3 · Post by **Num3** » Sun Dec 07, 2003 2:06 pm

MadMax wrote:Dunno much about these kind of things, but how about hiding this data in one of the sprites, surely this would make it quite dificult for any cracker.

Yes, the less obvious way would be to read and write a pixel in an image, it would give more work to the hacker...

Also make a dll with some functions and one of them also makes checks the CRC of the exe (Getright does this)...

Launch the read/write function has a thread, hackers hate threads, cause they make their life a real pain

...

don't give explicit names to the check variables and procedures

Checkcrc() or CRC.b, or If numberoftimes=50 ...

ricardo · Post by **ricardo** » Sun Dec 07, 2003 5:22 pm

People in certain countries will buy your app if the like it, no matter if there are cracks.

I think that changin your app on weekly basis* (with a different algo every time) stop crackers, nobody has the patiente to build a new crack/keygen weekly.

At least it works with my applications and (Thanks God) i live from selling them.

*However you will need to release a new version weekly if you want to be on the top of the indexes on shareware sites

PB · Post by PB » Tue Dec 09, 2003 1:59 am

> changin your app on weekly basis* (with a different algo every time)
> stop crackers, nobody has the patiente to build a new crack/keygen
> weekly

Yeah, I remember you said this before, and I intended to do so.

It's a good way to do it, as any existing keygens become obsolete.
You just have to remember to keep changing/uploading your app.

I was also thinking today, what would happen if the rego check was
done with ANOTHER exe, that was embedded and extracted during
runtime of the main app? It could extract to the temp folder, do the
check, and delete itself again before the cracker knew it. Sounds
like an interesting approach to me, because the actual code to be
cracked is not available in the main exe to be examined.

storck · Post by **storck** » Tue Dec 09, 2003 12:25 pm

I was also thinking today, what would happen if the rego check was done with ANOTHER exe, that was embedded and extracted during
runtime of the main app?

First you would have to make sure that a program like filemon wasn't running or else it would be very obvious that a file was created.

Second, using a debugger like SoftIce or OllyDbg it would also be obvious that the code was running in another exe. It would be easy to break and copy the exe and examine it later using IDA or any other disassembler.

/ Storck