Selling software and preventing piracy
A client has a piece of software he wrote and wants to build a website to sell it. He has no idea about how to protect against piracy and I guess I'm new to it as well.
It seems that the most common solution is to basically let anyone download the program for free, but it won't work without a key, and you have to pay for the key. I guess that's a good model but I'm unsure about the details.
I suppose we would take people's information, specifically their email address, and get them to pay for the software via PayPal or similar. Once they pay, we will email them a link to download the program, and also provide a unique key to unlock the program.
The question is, how do we prevent 1 person from purchasing the program, and giving the program and the key to all of his friends? The only way I can think of is to force the person to be connected to the internet while entering the key, so the key gets sent to our database and recorded, and an 'ok' message (another key?) is sent back, which unlocks the program. The program has a key checker algorithm that checks whether the key is valid (there would be a whole class of keys that are considered valid).
Is it reasonable to require that the person is online for this? And if not, what other methods are there?
And how do I prevent a hacker from sending the 'ok' message without first going through the proper channels? For example if someone purchases a key and unlocks the program, and monitors the traffic between his computer and our servers, he can maybe detect exactly what the 'ok' message is, and write a crack that just sends the 'ok' message to any program without needing a key.
Also, what is a good way to check for keys within the actual program? I know that many programs are easily hacked by 13-year-olds who just open the binary up in a hex editor and look for the statement "if key is valid then...", and they just fudge the binary so that it's always true. How do you prevent this? Are you supposed to do the check in multiple places so that it's harder to find them all? Or is there a more clever solution?
And how can you stop someone from redistributing the already installed program? Once you purchase the key, and install the program and unlock it, what's to stop you from copying all the files to another computer, thus duplicating the program without requiring a second key?
I know this is a really hard problem, that's why there is so much pirated software out there. But I just want to protect ourselves as much as reasonably possible, by at least being as secure as most other software.
I tried googling this stuff but I got a lot of links to sketchy websites and couldn't find any decent info.
Can someone either explain some of this stuff to me, or point me to some good (free online) references?
Thanks!
I will assume that the market you are targeting consists of individuals, not companies. I am tempted to make a somewhat unusual suggestion.
- Do not include any copy-protection code in your software. Have the program work out of the box without being tied to a machine or requiring an activation code.
- Make the payment process as painless as possible: the user enters billing information and is redirected to the download page. Also create an account (asking for email + password) so that the user may re-download the software whenever they wish.
- Explain that you're trying to make a living, and that your price (which, obviously, should be reasonably low) is fair. Appeal to their ethics [smile]
These will ensure that users will never be annoyed by any kind of copy protection, and will therefore be more inclined to pay for it once they reach your website and talk about your program around them.
No invasive copy protection!
Despite the possibility of software piracy, we decided to distribute our software without any kind of protection to avoid any potential problem for legitimate users. In fact, you may use your account to download as many copies of the software as you wish!
Then, you should be making it hard for them to download the program illegally. This should be done by flooding the internet with incorrect or badly working programs—most people will be looking for your program online through torrent websites or through Google. If you distribute a few "cracked" versions that do not actually work through these channels and your price is low enough, you may convince people that buying is easier than downloading.
Of course, when making a cracked version that doesn't really work, you should make it obvious that it's not working because it's cracked. Ominous warnings from the cracker, stating that "Sorry, I couldn't get this to work correctly with the crack, the feature may work incorrectly :(" and then having the program die or corrupt its data in an obvious and annoying way, should work. Never silently die without an explanation, or people will think it's a bug in the program.
As a last barrier, you should make it seem like a bad idea for non-crackers to distribute the program online. The technical solution for that is actually quite simple: add a "Licensed to Foo Bar (foo.bar@domain.com)" message to the installer and the installed program in an obvious manner. For additional legal security, you may also want to add a version of that text signed with your private key to some data section in the software.
Of course, people need to be made aware of that without accusing them of piracy:
Your account information is confidential!
Revealing your account information, or distributing the software downloaded from that account, may grant other people access to your online control panel! This allows them to steal your account by changing the corresponding email and password.
ToohrVyk:
Idea sounds good, the technical problem though is making personalized installer for each customer. I was thinking along same lines for my game, including uploading the demo version of game to file-sharing networks (which, being demo, makes it clear it is just demo, but only when you run it) so that it is hard to find full version.
Frankly, you've got to hope that enough people are honest enough to buy the software. The key+paypal system you describe is an easy way to get some protection but it is easily cracked. I would also use such a key system (I wrote my own key algorithm which was fun to do) when I'd release a game, but I would not expect it to prevent piracy. It's easy for a cracker to change the code and 'skip' the key algorithm in the code.
A vid of my Pengo adv. remake in beta stage_____________
Likely one of the best models I've seen is just assume the software is going to be pirated and accept it. A basic "Key" may be used to prevent over easy pirating of the software, basically a check sum system that will keep anyone but a Comp.Sci. student from breaking your system, but don't worry about it if someone does break it.
Make money by offering the user use of your download servers, which they must log in (after having bought your product.) to get their files. Then try to release periodic updates that are useful and users want.
Yes, you'll likely get one legal copy for every two or three illegal copies, or maybe worse, but you won't piss off your user, and you won't pull your hair out worrying about people stealing your work.
Think of it as your program is free, easy access to support and updates is what you sell.
Old Username: Talroth
If your signature on a web forum takes up more space than your average post, then you are doing things wrong.
Quote: Original post by Dmytry
Idea sounds good, the technical problem though is making personalized installer for each customer.
That can be quite easy if you choose the format wisely: you're not looking for something that is hard to circumvent by actual crackers, so you can just have the web script overwrite the right data at the appropriate locations in the installer (this can get a tad harder with compression, but you can always manage to keep some part of the installer uncompressed, store the data there, and have the installer insert the data in the executable after it has been uncompressed).
EDIT: also, link.
Related question: if it's so "easy" to crack/patch programs, why do keygens exist? Is it because they're even easier?
Also, I agree that you should make a reasonable effort to protect your software for yourself (and potentially for legal reasons) but don't plan on it being 100% successful.
Quote: Original post by GameCreator
Related question: if it's so "easy" to crack/patch programs, why do keygens exist? Is it because they're even easier?
Well, a keygen means you don't have to worry about patches screwing up your crack.
If you aren't comfortable with the 'no copy protection' system, I'd go with a simple Name+Key system.
Someone registers and pays, they signed up with a username, and are issued a key. No need for the program to go online and check if the key is valid, etc. It will be cracked sooner or later no matter what.
The key just makes it so you can't casually download the software. You actually need to find a keygen or a torrent to get it.
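The signed "Licensed to ..." text suggested earlier in the thread and the offline Name+Key check described above can be served by one mechanism. The following is an added example, not code from any poster in the thread: the vendor's server signs the licensee text with Ed25519 and the program, which embeds only the public key, verifies it offline. The function names, the `text|signature` format and the fixed demo seed are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// IssueLicense runs on the vendor's server after payment: it signs the
// licensee text with the private key and returns "text|signature".
func IssueLicense(priv ed25519.PrivateKey, name, email string) string {
	text := fmt.Sprintf("Licensed to %s (%s)", name, email)
	sig := ed25519.Sign(priv, []byte(text))
	return text + "|" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyLicense runs inside the shipped program, which holds only the public
// key. It returns the licensee text to display, or ok=false if it was altered.
func VerifyLicense(pub ed25519.PublicKey, license string) (string, bool) {
	i := strings.LastIndex(license, "|") // the base64url signature never contains '|'
	if i < 0 {
		return "", false
	}
	sig, err := base64.RawURLEncoding.DecodeString(license[i+1:])
	if err != nil || !ed25519.Verify(pub, []byte(license[:i]), sig) {
		return "", false
	}
	return license[:i], true
}

// DemoKeys derives a constructed key pair from a fixed seed so the example is
// reproducible; a real vendor key comes from crypto/rand and never ships.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, "constructed demo seed")
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	lic := IssueLicense(priv, "Foo Bar", "foo.bar@domain.com")
	text, ok := VerifyLicense(pub, lic)
	fmt.Println(text, ok)
	_, ok = VerifyLicense(pub, strings.Replace(lic, "Foo Bar", "Someone Else", 1))
	fmt.Println("edited name accepted:", ok)
}
```

Because the program contains no signing secret, a valid license for a different name cannot be produced from the binary alone. The check itself can still be patched out, as the thread points out.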
Quote: Original post by Codeka
Quote: Original post by GameCreator
Related question: if it's so "easy" to crack/patch programs, why do keygens exist? Is it because they're even easier?
Well, a keygen means you don't have to worry about patches screwing up your crack.
Right. Some games actually tighten up the set of valid keys when patched though. I do find CD keys annoying actually. A university gaming club I belong to has a lab of computers that we use. It's 'ghosted' every week (it's just a normal computer lab most of the week) to the image with all the games and such. We have valid copies for each computer, but we can't 'customize' the CD-keys for each game (say.. like BF1942). So we have to have the person using the computer run a keygen before they start the game even though we have it legit! It's really annoying with Half-Life when they moved to Steam. We basically just said that people need to buy it themselves, since we didn't want to make a Steam account for every single computer.
Quote: Original post by ToohrVyk
Quote: Original post by Dmytry
Idea sounds good, the technical problem though is making personalized installer for each customer.
That can be quite easy if you choose the format wisely: you're not looking for something that is hard to circumvent by actual crackers, so you can just have the web script overwrite the right data at the appropriate locations in the installer (this can get a tad harder with compression, but you can always manage to keep some part of the installer uncompressed, store the data there, and have the installer insert the data in the executable after it has been uncompressed).
EDIT: also, link.
Well, I meant that the data should go into the binary; it is no good having something that could be circumvented by editing a text file and replacing the user name here. Just so that you won't have to deal with crack instructions on forums.
I'm thinking of at the very least adding online scores to my game, tied to purchase, so if you share the program, not only will your email show up on the loading screen, but also your high scores are not yours any more, plus it will complain about double logins. So that whoever shares the program, which he paid for, would lose something. I'm sure that would prevent piracy for quite a while; furthermore if there are a lot of demo version downloads on torrent, mislabelled as full version, a pirate would also need to put a lot of effort into making his pirated version found.
A cracker would want to fix up the executable somehow not to show his email address, at least, so it could be helpful if this is not very trivial to do. (Crackers are, by and large, newbies. I'm sure something very simple but unusual can stop 99% of wannabes.)
I think the most stupid idea ever is registration keys - you download full version and you need registration key to make it work w/o time limit. It makes software freely available for cracker experimentation; crackers don't have to purchase it; you're making sort of intellectual challenge out of the issue (I downloaded 30 day trial... now, how do I stop the timer?).
[Edited by - Dmytry on March 27, 2009 4:12:49 AM]