2005. december 7., szerda

Protect your software against piracy


Problem/Question/Abstract:

Here's my own experience on how to reduce the number of non-legal installations of software.

Answer:

Before I start, let me tell you that whatever protection system you use it's just a matter of time until someone's break it! So what you must have in mind is: "what is the best protection system for this special case ?"  You also must have in mind that the best you got is still breakable!

Once I needed to develop an application where preventing piracy was a must.

I did some investigation and found out what were the possible systems to prevent this. I also did some investigation on how to break those same protection systems.
Let me say that I got a bit disappointed...  I though that mass protection systems would be better then they are... Here's a summary of what I found among the most common:

Anti-Copy: prevents the disk copy, CD in this case.
Disk check: when application starts up check for the original disk, CD in this case.
Hardware check-up: you plug-in some hardware on your RS-232 port and check for it in your application from time to time.
Key activation: the software requires a key to be activated.

Here's what I found out about breaking thoes systems:

Anti-Copy: can be broken with a "clone copy" (bit-by-bit) of the disc...
Disk check: can be broken with a "clone copy" also...
Hardware check-up: read too much complains about it interfering with the system, and it also generates too much calls into your help-line...  Plus read somewhere that this can be fooled through software also...
Key activation: once the user registers, it can spread the key among friends and everybody can activate the application. If someone takes some time, one can break the code and create a patch to ignore activation or create a key generator.

Looking at this, you must agree that it didn't look too good...

After thinking a while on each of these systems I concluded that:

Anti-Copy: to easy to break!
Disk check: to easy to break!
Hardware check-up: causes to much troubles and can make customers to become un-satisfied.
Key activation: would be great if key proliferation could be stopped!

So I stick on the key activation idea and gave it a second though, exploiting the pros and cons of this system!  I simulated the regular use of this system to better understand it:

Get the product
Install the product
Request key
User requests the key
User gets the key
User activates the product

Here's another way to do it:

Get the product from friend
Install the product
Request key
User asks friend for friend's key
User uses the friend’s key

I concluded that if was definitely the best - having in mind what I needed to protect this specific product - if I could prevent the key from spreading!
Preventing key spreading became my next goal!

I knew I needed something that could give me guarantees that the application being activated was a legal copy and not a pirate one!  How could I guarantee this ?  How do you prove that what you own is legal ?  How do you prove that you bought something ?
The answer was easy: invoice!
Every product sold comes with an invoice, which has different data, like the invoice number, date and entity sold to!
My next step was using the invoice data on activation product.
But invoice data "per se" it was not enough, I mean, if someone gives a copy of the product can also give the invoice data to activate the product!
I simulated the piracy process again, using the invoice data:

Get the product from friend
Install the product
Request the invoice data
User requests the invoice data from friend
Request the key
User requests the key from friend

Now, that has a the same hole that usual key activation has...
I knew that I needed to force the key request for all installed products!
That became my next goal. How could I force the user to request a new key ?  
After some more neuron work, I came up with the answer: time!
On my simulations, both users, the legal an non-legal, did the same steps to activate the product, but they didn't do it at the same time...  Time is continuous and non-repeating, so time was the answer!

What did I do with time then ?  Basically, I generated a key using it!
To activate the product you must have a key, which is generated using the invoice data and the time you have installed the product in the system!
Here's how I made it work:

After product installed an encryption of the current time - year, month, day, hour, minute, second, millisecond - is saved somewhere in the system!  This is easy to do and there's a lot of ways to hide something is the system.
Invoice data request.
Generate a "request-key" using the time from 1. and the invoice data from 2..
Inform the user that it must request the activation key for the "request-key".
Key for product activation request.

I had found the solution!
To request the activation key, the user must specify what is the "request-key", which is guaranteed to be unique, since time is involved and the algorithm I used makes sure of that! ;)

Here's a simulation of the legal case:

Buy product and receive invoice
Install the product
Request invoice data
Inform user what the "request-key" is
User requests the activation key referring the "request-key" and the invoice data
User receives the key
User activates the product

It's quite simple, really, the only "visible" change from the original key activation system is the "request-key" that the user must specify when requesting the key!

But this is just half the solution, the other half is you controlling the number of installations!
But that is quite easy!  Every time a key is requested, you know who is requesting it, since the invoice data is specified, so if you got a customer that has 154 key requests in one month, there's something wrong... :)

I've also exploit the possible holes on the system:

A couple of non-legal installations may be done, the customer - or "customer friend" - may say that the system crashed and must reinstall...  That will just work for a couple of non-legal installations, since you may ask why that is the 98th key request done this week or the 3rd this day...
Disk clone can be done. There are tools on the market that clone hard-disks. But what the hack, you cannot prevent that!
Some one takes some time and patches the security or creates a key generator. Like said in the beginning, there's no way to prevent this...

This system does not work just as a piracy stopper, it also prevents it.
When the invoice data is requested, it's more unlike to someone to give it away, since you can track the customer that gave the invoice data to a friend, that gave it to a friend, that gave it to a friend... The original customer knows it can get troubles with the law by giving that information.
If you get some "customer" requesting its 10th activation key because "We got a new computer that is faster and want the application running on it.", you can say "Why have you bought 9 computers in the last 4 weeks ?"...
If you get some "customer" requesting its 50th activation key because "the system crashed and need to reinstall everything", you can say "Maybe there's something wrong, I'll send someone there to take a look at it! Please have your invoice in hand!"...
If you get some "customer" requesting its 154th activation key, you can say that unless proven to be the legal owner of the product you will not give the activation key...  The "customer" may say it is - it even can be -, but unless it has the invoice, it cannot prove it!...
And if you want to be a bit "nasty", you code a special key that will show the "Do you know that non-legal software may give you 3 years in jail ?" and uninstalls the application from the system...
The "customer" will get the point! ;)

1 megjegyzés: