Prevent Reinstallation 6

Status
Not open for further replies.

AkutaSame

Programmer
Oct 5, 2002
I was just wondering if someone could share with me a method (other than putting a simple key into the registry, which can be deleted/removed) to prevent a demo software from being reinstalled.

Ex.
Someone downloads my demo software (hypothetical, the software isn't done) which has a time limit on it set to expire after 15 days. After the expiration, I want to make it so the person can't just uninstall the program and reinstall it for another 15 day trial. I know there are people out there who will even scour the registry for the product and remove all entries.

Is the only solution a hidden registry key with a name and value that have NOTHING to do with the program?
 
Hi,

Many many years ago in the land of DOS we developed a software program that managed to do what you want yours to do. It was coded in such a way that even if the user reformatted their Hard Disk it would still work! :)

How was it done? Start by generating a Serial Number in whatever way you deem fit. Cassie2002's ramblings are an excellent place to start. Once you have this number, write it to the disk. Ah! I hear you cry, easy to remove. Well, not when it's written in the very last sector +1 of the hard disk; there's no tool that will find it. Even with a sector editor, assuming it can be seen, it'll just look like buffer overrun! Which is why it survives a low-level format.

The look on people's faces during testing, it was great, all those heads with the ! marks above them.

Yes, it can be defeated, but it's an awful lot of work; plus hacking the encryption, it's more bother than it's worth.

Hope this helps.




William
Software Engineer
ICQ No. 56047340
 
Great idea,

Does it still work in the land of windows? Is there an API call to do this in VB6?

And I'm doing my test installs with various operating systems on VMWare, so I don't know if the virtual disks have a "Last Sector + 1".

And let's hope someone else doesn't use the same sector for his own security code.

Editor and Publisher of Crystal Clear
 
I have actually played with the notion of writing program data (expiration dates, installation keys, etc.) to physical hard disk sectors. Note that I played. Fortunately, I came to my senses when I realized that this approach to anti-piracy was two shades darker than unethical and somewhat impractical on modern systems. First, ignoring the ethical implications for a time, we have a problem convincing HAL that direct disk access to a hard drive is quite all right. A persistent programmer would probably get around this snag.

I did experiment with the distribution of a special floppy disk, intended to serve as an installation key. One more instance of a "good" idea that was really, really bad. The concept was simple: write a key value to the Total Sectors field in the floppy boot sector and then read the value from the VB app. The floppy couldn't be copied because 30mb wasn't a valid size for a floppy disk. (I actually tested this under Win9x and using the WinImage disk utility. I forgot to test the concept under NT, which ignores the value of the Total Sectors field.) At the time, I thought I had stumbled across a good idea so I posted my whimsy as a FAQ (not even a good tip) in faq204-53. One of these days I'll ask Tek-Tips management to delete it.

I took the "floppy key" idea a bit further by encoding license keys (one for each seat purchased) in the sizes of the files in the floppy root directory. This idea had some merit because NT refused to copy a 1.44mb floppy containing 2,300,000,000 bytes of data.

Alas, I abandoned this approach when a friend took me aside and gently pointed out the meaning of life:
1) You can't download a floppy over the Internet.
2) Floppies are prone to failure, especially when they are handled by multiple users.
3) I could have developed quite a few useful applications during the time I wasted trying to find a foolproof method of preventing users from redistributing an application that just wasn't worthy of the effort.

I assume that Chelseatech has already ironed out the various wrinkles that could prevent an "expiration date" scheme from working and (s)he is just looking for a fairly secure location to store the date. I'm going to go out on a limb here (Strongm, don't hit me too hard!) and suggest a relatively novel approach. Perform some sort of simple text transformation on the date (anything that makes it look like something other than a date). Then save that value to the program executable file.

You'll find a fairly bad example of this sort of thing in thread713-552002 (you'll find a way to hard-code a string variable after an app has been compiled and distributed).

This doesn't address the problem of re-installation. You should pass an authorization key to the user by email or phone.

This doesn't address the problem of folder permissions or user policies. If an application isn't allowed to write to "C:\Program Files" it certainly won't be allowed to modify itself. The program would have to be installed and initialized by somebody with full access. And, ahhhh, the question of permissions.... If the user doesn't have permission to write to the program folder, he probably doesn't have permission to install your software.

None of this addresses the problems posed by "Citrix/Terminal Server environment". That could be a tough biscuit to chew.
In the end, there is only one simple solution: Step back and take a look at the application you are trying to protect. Is it such a killer app that crackers will be lined up trying to find ways to pirate a free copy? Then scale your anti-piracy efforts according to the marketable value of your program.

All this might be easier than you thought.



Real men don't use Interrupt 21h.
 
Ah well chelseatech that's the 65535 dollar question! And to tell you the truth I don't know. The original was written using inline assembler, but Windows might take a dim view of it when you try to do absolute read/writes to the physical media.

I've no reason to doubt it wouldn't work. But there's only one way to find out! Now where did I put that old 486...

If anyone's interested in the result of this test please email me at wgu(_AT_)forensic-labs.co.uk and I'll send you feedback.





William
Software Engineer
ICQ No. 56047340
 
Just a word in defence of dongles (which is still fun to say for some reason). Not all computers have serial or parallel ports these days, but the dongles I'm currently using are also available in a USB version. No additional coding on my end. I just ship the appropriate driver with the appropriate dongle.

However, I understand that you may still be against them for any of a variety of reasons. I just wanted to clear up that one point.
 
korngeek...

are these dongles built in house or are they bought in???

how much?
where from (components etc)?
how reliable?
how replicable are they?

I'm currently trying to mash together alt255's demo steganography code mixed in with hashed data and a few other bits and pieces (MD5 etc. etc.)! (It's a nightmare, by the way.)

But I've opened my mind to any and all possibilities!!

look forward to your reply!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
A General Guide To Excel in VB FAQ222-3383
The Great Date Debate Thread222-368305
File Formats Galore @
 
Thanks for all your suggestions everybody, although I'm concerned about someone who thinks I write like a girl.

I think the hard disk sector approach might get my app viewed as a virus by any monitor or OS program, so won't waste any time on that one.

Don't want to send out a floppy disk for the same reason I don't want a dongle. I'm in New Zealand and it can take 10 days for an urgent parcel to get across the Pacific to the US. I'm already selling my App in 20 countries, so need an Internet ready solution.

If Dongles are the answer, then it was a silly question. I am aware of USB dongles, but an NT 4 machine doesn't recognise USB. I'm also doing testing using VMWare and am not aware of a VMDongle. On a Citrix/Terminal server solution (and many other environments), the installer may not have physical access to the machine to plug in a Dongle. And it doesn't scale. A dongle for your app might be fine, but if we all used one, then there isn't room under our desk for the machine and all the dongles you would need. Imagine MS taking a dongle approach and having one for each of their apps. They wouldn't want the Office Dongle to work with Project.

I've found an answer I'm happy with. You are correct in that the administrator must install the program the first time, so I'm going to use a combination of a file to write the first time, and a registry entry in Local_Machine. It appears Citrix doesn't clean that one down between users.



Editor and Publisher of Crystal Clear
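
An added example, not code from any poster in this thread: a sketch of the "file plus HKEY_LOCAL_MACHINE entry" combination described above, with the install date sealed by an HMAC so that an edited, deleted or rolled-back copy is noticed. The two stores are plain file paths standing in for the marker file and the registry value, and the key, names and dates are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date
from pathlib import Path

KEY = b"constructed-demo-key"   # assumption: embedded in the app, so recoverable
TRIAL_DAYS = 15                 # trial length from the original question

def seal(installed: date, last_seen: date) -> str:
    """Serialize the trial record and append an HMAC-SHA256 tag."""
    body = f"{installed.isoformat()}|{last_seen.isoformat()}"
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def unseal(text: str):
    """Return (installed, last_seen), or None if the record was altered."""
    try:
        inst, seen, tag = text.strip().split("|")
        good = hmac.new(KEY, f"{inst}|{seen}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, good):
            return None
        return date.fromisoformat(inst), date.fromisoformat(seen)
    except (ValueError, TypeError):
        return None

def check_trial(stores, today: date) -> str:
    """stores: two paths standing in for the marker file and the HKLM value."""
    raw = [Path(p).read_text() for p in stores if Path(p).exists()]
    found = [unseal(r) for r in raw]
    if not found:                          # neither copy exists: first run
        installed, last_seen = today, today
    elif None in found:                    # a copy exists but fails its MAC
        return "tampered"
    else:                                  # trust the oldest install date seen
        installed = min(f[0] for f in found)
        last_seen = max(f[1] for f in found)
    if today < last_seen:                  # system clock was set back
        return "tampered"
    for p in stores:                       # rewrite both, restoring a deleted copy
        Path(p).write_text(seal(installed, today))
    if (today - installed).days >= TRIAL_DAYS:
        return "expired"
    return "active"
```

Deleting both copies still resets the trial, and the embedded key can be extracted from the program, so this raises the effort required rather than preventing reinstallation outright.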
 
ADoozer,

We are using dongles from a company called Rainbow. A quick web search should turn up their site. I believe these to be very reliable. They have good support for getting your code working as well. I would recommend setting aside a week or so to give yourself plenty of time to think through your key scheme and practice it before implementation. We were able to order a developer kit with a single key from them. After we proved the concept, we began ordering more keys.

We also implemented a demo mode where you get full functionality, but are limited in how many records you can create. The presence of the key unlocks it into full mode.

The only downside I'm facing in using keys is that the cost per dongle dramatically increases the cost per unit to us. Instead of only paying for a CD, label, CD case, and documentation (all of which is very cheap), we also have the expense of the hardware key.

While this scheme won't work for everyone, it is relatively secure and easy to implement. That was the combination that we needed. Shipping time was less of an issue.
 
the software, firmware and datasets are currently available for download to any old hack that knows the password!!

currently all our customers are trusted (it's not a widely used software and believe it or not the customers are very secure for their own sake (mucho money involved)!!!) but we are looking into using a higher level of security than our current "if you know the password" approach (we have encountered a few snooping "folk" trying to access the goodies!!!), I still don't think dongles are practical (but like I said I'm getting more open minded)

will have a look at the rainbow site (if i find it) a little later today.

thanks for the input!!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
A General Guide To Excel in VB FAQ222-3383
The Great Date Debate Thread222-368305
File Formats Galore @
 
A long time ago in a galaxy far far away we used security on the cheap. All we did was, on startup, create two .ini entries, win.ini for us, but you could create any .ini file. This stored two values.
Code:
[product]
system status=
[Disposition]
registered=
company=

Here is what happened: at the first run of the program these .ini values were written. (Who uses .ini anymore? Though the win.ini is legacy in Windows systems even today :) ) Registered would be either YES or NO, company was "whatever company it was".

It had a time trial or certain number of runs (i.e. run=run+1 sort of logic). On startup the app would check the ini values against what it was expecting. If the trial end was found, the .ini value for SYSTEM STATUS=MOTHER. We had many laughs over this one, 'cause it made no sense, but if that was the protection, who would figure this one out?! HACKER: "If I could only find the right .ini, then set the systemstatus to MOTHER, I'm in!"

Just my funny story, but it worked. For someone that paid for the app it was easy to write a bat or small exe to change the value from mother to "".

LoL Concepts®
 