.NET IP Protection only (not licensing or anti-cracking)
sellotape
10-02-2009, 02:15 PM
Hi. I have a .NET app. I've read a lot of threads here about protecting apps and concluded that my starting position should be that whatever I use to try and prevent it, the app will be copyable by determined people (like members here), and whatever licensing scheme I use, the app will be crackable by same. Fair summary?
So - having given up on those 2 from the start, I really only want to protect my IP; i.e. I want to prevent someone RE-ing the app, doing some of their own mods and selling a competing product containing all my hard work. It seems that all that is available for .NET towards this goal is obfuscation. 3 questions then:
* is that correct - obfuscation is the only real option?
* how effective is (good) obfuscation really? I would think someone determined could still spend a whole heap of time renaming entities to meaningful names but my hope is that with an app that costs in the £30/$40 area, no one will find that worthwhile.
* what reasonably priced (or free) good obfuscation options are there? I gather the top version of Dotfuscator does a reasonable job (?) but it's too pricey for me.
Thanks.
Think - what would harm you more financially: 95% of people using a cracked version of your app because your protection/licensing was insufficient OR some users using a competitor's app because the competitor was able to rip off your "intellectual property" and create a mod?
This is how I see it: if your app is better than the rip-off, why would anyone buy a rip-off? And if your app is worse, why not improve it?
You shouldn't worry about "determined" people, they will steal the app anyway. But you should worry about the ordinary user - if it is easier for him to download a cracked version, he'll do that. If a cracked version is hard to find or not working properly, he is more likely to buy the real thing (or steal a competitor's app).
As for other questions - name obfuscation is just a beginning, code flow/string obfuscation is the one to look for. Free cheese is only found in the mousetrap, I don't think there is any good free solution. From commercial ones - {Smartassembly} is supposed to be quite good.
Cheers,
kao.
comp1mp
10-03-2009, 05:23 PM
Think - what would harm you more financially: 95% of people using a cracked version of your app because your protection/licensing was insufficient OR some users using a competitor's app because the competitor was able to rip off your "intellectual property" and create a mod?
Kao,
You seem to be implying that with protection, one can control the percentage of users who have a cracked version of your software.
Please provide specific examples.
I have also been reading this forum's threads for the last week, and have to agree with the original poster's assessment. Your proposition that protection can make a difference doesn't seem to be supported.
If I am wrong, how expensive is it to gain meaningful protection?
Does it make sense for a single inexpensive product from a single person ISV?
Finally, your scenario for IP hijacking does not cover other legitimate possibilities.
For example, your product provides a valuable utility to a third party's closed and proprietary system. You spend a few years developing said product. Third party decides value added by this utility warrants native inclusion within their system. Think of the time that could be saved using your unobfuscated and decompiled system as a template...
@comp1mp: I don't have to prove anything to you. It's your software and your bank account, do whatever you like.
I never said that one should not obfuscate his code. But focusing solely on obfuscation is silly. Copy protection is equally, if not much more important than obfuscation.
If you want specific examples and numbers, search for an article about casual games piracy. It should be on gamasutra.com.
Let's assume you make a software protected with simple serial number. Corporate customer buys 1-user license and installs it on 200 PCs.. Congrats, you just lost your potential profit and you'll never even know that.
Or let's take your example about third party system.. It's easy to use System.Reflection functions to call any function from your tool, no matter how obfuscated it is. But if copy protection in your tool is good, it just won't work without a proper license key for every PC.
So, third party will not be able to easily steal your code and incorporate in their product. It still might be possible to decompile your work and use as a template, but at least it won't be copied as-is.
Cheers,
kao.
Disclaimer for nitpickers: all views expressed herein are solely mine. Every product and case might be different and require different approach.
comp1mp
10-04-2009, 10:15 PM
Kao,
Sorry for seeming to be a nitpicker. It was not my intent :) . Now that I re-read my post I can see how it came across that way. I apologize.
I am looking for the same information as the original poster.
I am a single person ISV with no cash to burn. I have a single program I want to sell for 30$. The program targets a specialized niche, I would be happy if the market numbered in the thousands.
I do have a simple internet activation system, using non-personal system information as a fingerprint to produce a license file. This would provide at least minimal copy protection.
Kao, and any other gurus on this forum - if you were in the same position what commercially available product(s) would you use? What combination of obfuscation/copy protection provide the biggest bang for the money?
Kurapica
10-05-2009, 01:41 AM
Just listen to what kao said, he's very knowledgeable about this topic, to make it pure and simple for you I will repeat what he said; BUY SMARTASSEMBLY !
but if your software is good someone will crack it.
comp1mp
10-05-2009, 04:16 AM
Hi Kurapica,
to make it pure and simple for you I will repeat what he said; BUY SMARTASSEMBLY !
He did say buy {smartassembly}. He also says this:
But focusing solely on obfuscation is silly. Copy protection is equally, if not much more important than obfuscation.
It is not clear that he thinks {smartassembly} offers this copy protection. It seemed to me he was saying that a separate copy protection system is necessary. Please correct me if I misunderstood this.
This also seems to be the exact opposite of LibX's position, who is also obviously knowledgeable:
For regular protection: Just use an obfuscator, sure it won't help against cracking but nothing will really ;) if u want it cracked u can do it at least they don't have ur source code then my favorite over all is smartassembly
LibX's position may have changed as the above quote was taken from an old thread. Nevertheless, that thread seemed to support the original poster's thoughts on copy protection.
but if your software is good someone will crack it.
Right, everyone agrees no protection exists that cannot be cracked. But Kao seems to be saying there is commercially available copy protection which will substantially decrease the use of cracked software. This is what I am trying to wrap my head around. How does copy protection make the use of cracked software less likely? By definition it is cracked!!!!
Using Kao's example:
Let's assume you make a software protected with simple serial number. Corporate customer buys 1-user license and installs it on 200 PCs.. Congrats, you just lost your potential profit and you'll never even know that.
I don't see how this is different than a sysadmin getting on BitTorrent and finding a cracked version of your software and installing it on the 200 PCs. Both are equally easy. I think Kao is making the point earlier that if you use copy protection, somehow a cracked version won't end up on a torrent. That is the argument that I am trying to understand.
This brings up the following questions:
1. Is each crack of an assembly protected by {smartassembly} 4.1 a unique, time intensive process?
OR another way to ask the question
2. After cracking the first assembly with maximum {smartassembly} 4.1 protection, is a toolkit available to the cracking community which basically automates (greatly simplifies) all future {smartassembly} 4.1 cracks?
3. How does the difficulty of the initial crack affect the availability of the crack and the opportunity for casual piracy?
Thanks,
comp1mp
Kurapica
10-05-2009, 06:06 AM
smartassembly is merely a protector, but you may need a licensing system like this : http://www.ssware.com/
good luck.
A legendary reverser once said:
"if it runs, it can be defeated" (c) +ORC
Let's take this as a starting point. You cannot stop pirates from stealing your software. But it does not mean you shouldn't try.
How does the difficulty of the initial crack affect the availability of the crack and the opportunity for casual piracy?
Check out this presentation, slides 8-15: http://archive.gdconf.com/gdc_2004/simon_erik.ppt It's all about time window between the release of your software and time it appears fully cracked on torrents. The longer the time window is, the more sales you should be able to generate.
LiBX and Kurapica can reverse virtually anything that runs .NET. But they are busy and not likely to care about an obscure niche product. What you should worry about is the "average cracker", who has some skills but is not really top-notch. Sure, he will eventually succeed, but good copy protection can slow him down considerably.
There are a number of ways to slow down the process even more. For example, make only a demo version available with some functionality missing and ship each registered customer his own full version. So, a cracker would need to get a copy of the full version somewhere first. If protection is done properly, you should even be able to track down which customer gave the full version to the cracker.
LibX's position may have changed as the above quote was taken from an old thread. Nevertheless, that thread seemed to support the original poster's thoughts on copy protection.
You took LiBX words out of context. Read the next part of his post where he talks about hardcore protection.
It always amazes me that people will spend years developing a product (=10000$+ investment in time and effort) but are not willing to spend $500 on copy protection. I don't know your market but will a good copy protection generate 17 new sales ($30 each) for you? If so, it already paid off. If not, you probably don't need it. :)
is a toolkit available to the cracking community which basically automates (greatly simplifies) all future {smartassembly} 4.1 cracks?
As far as I know - no such tool is available for general public. If it exists inside some cracking group, nobody will ever tell you that. LiBX released some of his tools on this board. The result - most protections were changed so his tools won't work anymore. It's a perpetual game of cat and mouse.
And finally - I never said "buy Smartassembly" or "Smartassembly certainly provides everything you will need". I said that it's quite good in what it does. And there's a difference. ;)
Kao.
p.s. Sorry for putting "obfuscation", "copy protection" and "licensing" in the same basket. Most of the tools provide some combination of these features, so it's really hard to draw a line somewhere.
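The activation scheme comp1mp describes (a license file bound to a machine fingerprint) and the traceability kao mentions (knowing which customer a leaked copy came from) can be sketched as a signed license check. This is an added example, not code from any poster or product in the thread; the `customer|fingerprint|signature` layout, the names, and the sample machine strings are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class LicenseDemo
{
    // Hash the raw machine attributes so the license never stores them in clear.
    static string Fingerprint(string machineInfo)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(machineInfo)));
    }
    // Activation server side: only the server holds the private key.
    // Assumption: customerId never contains '|' (Base64 text never does).
    static string Issue(RSA privateKey, string customerId, string fingerprint)
    {
        string payload = customerId + "|" + fingerprint;
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + "|" + Convert.ToBase64String(sig);
    }
    // Client side: the shipped application embeds the public key only.
    static bool Verify(RSA publicKey, string license, string localFingerprint, out string customerId)
    {
        customerId = null;
        string[] parts = license.Split('|');
        if (parts.Length != 3) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(parts[2]); } catch (FormatException) { return false; }
        byte[] payload = Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1]);
        if (!publicKey.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false;                                // edited or forged license
        if (parts[1] != localFingerprint) return false;  // genuine license, different machine
        customerId = parts[0];                           // signed id: a leaked file names its buyer
        return true;
    }
    static void Main()
    {
        using (RSA serverKey = RSA.Create(2048))  // constructed key pair for the demo
        using (RSA appKey = RSA.Create())
        {
            appKey.ImportParameters(serverKey.ExportParameters(false)); // public half only
            string pcA = Fingerprint("constructed-board-serial-1|constructed-cpu-id-1");
            string pcB = Fingerprint("constructed-board-serial-2|constructed-cpu-id-2");
            string lic = Issue(serverKey, "CUST-0001", pcA);
            // Licensed machine, then a copy on another machine, then an edited customer id.
            Console.WriteLine(Verify(appKey, lic, pcA, out string who) + " " + who);
            Console.WriteLine(Verify(appKey, lic, pcB, out who));
            Console.WriteLine(Verify(appKey, lic.Replace("CUST-0001", "CUST-9999"), pcA, out who));
        }
    }
}
```

The signature stops a license from being copied to another machine or edited, but the `Verify` call itself remains a single method in the assembly, which is why the thread pairs licensing with obfuscation.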
comp1mp
10-05-2009, 11:49 AM
Thanks Kao!
That powerpoint was very interesting.
I am still confused about one thing.
Generally speaking, is it true that once a specific copy protection has been defeated, all future software using that protection is easily a zero day release?
Do some systems require expensive effort for every assembly protected, regardless if other assemblies with the same protection have been defeated?
If anyone else has any thoughts to add - I am all ears :).
bball0002
10-05-2009, 03:32 PM
Thanks Kao!
That powerpoint was very interesting.
I am still confused about one thing.
Generally speaking, is it true that once a specific copy protection has been defeated, all future software using that protection is easily a zero day release?
Do some systems require expensive effort for every assembly protected, regardless if other assemblies with the same protection have been defeated?
If anyone else has any thoughts to add - I am all ears :).
Not necessarily. Any time a new protection is defeated, it is usually done so by a cracking team. Most if not all of the time, the cracking team will re-protect the software, to keep the developer's code safe and to not make the protection useless.
For example, a cracker named MegaX cracked {SmartAssembly} 4.0. When he released it, he re-protected it with {SmartAssembly} AND Xenocode. So in reality the cracked version of {SmartAssembly} is actually more protected than the real version.
For your last question, if a cracker knows how to defeat a protection, it is generally the same for each application. Once the cracker can do it once, he can create a program to greatly speed up the process, for example he/she may create a program to decrypt the strings in the app, then another program to unobfuscate the control flow, etc.
But, since the only release of the cracked {SmartAssembly 4.0} has come from one person (publicly), I think it is safe to say that your average reverser will have much trouble cracking your app if you use this protection.
FarJump
10-05-2009, 05:31 PM
In most cases, if you protect your soft with professional obfuscation and code flow/string obfuscation your intellectual property should be protected by ~85%. It is hard to reconstruct the original code flow and impossible to get original class/method names back. Of course this would not stop a hacker from cracking your software. But it can't be wrong to combine protection and licensing. There are also tools which directly combine strong protection+licensing. At least you would win time to sell your soft.
Generally speaking, is it true that once a specific copy protection has been defeated, all future software using that protection is easily a zero day release?
I would say it depends on the protection tool. There are tools which always produce different assemblies. Obfuscation+Flow obfuscation based on coincidence. Or random string encryption keys...