3

Suppose for an application which will never receive internet connection during its lifetime, how can you prevent the piracy of the software? There cannot be a single product key requirement during installation because, once installed legitimately anybody can copy the installation and re-distribute it. So every time the application runs it should check for something and crash if the check fails. Now what could it possibly check? Initially I thought keeping an encrypted binary file will do the job, but as answered here, that seems a negligible prevention. Any hacker can modify the executable so that instead of crashing when the check fails it should continue running. So no matter how difficult the check is, the cracked application will always run. Now I cannot see any possible solution to this problem.

PS: I am a single independent developer who is developing productivity software with very low charge. Seeing this question I believe I just have to let it go. Sigh....

EDIT: I would like to thank all the contributors in this discussion in letting me know the grim reality... What I understand now is that you are indirectly submitting the source code of your application in the form of the target executable. Its source code can be modified by anybody using a debugger, thus ANY method of preventing piracy through source code of your application is useless. The only possible solution to this problem is to keep your legitimate customers happy by providing them services (apart from the software) and keep your price below their expectations. I was thinking of solving this problem for the past 3 days and now all seems worthwhile but still learnt a lot in this process, which I wouldn't have otherwise... I ha

Community
Cool_Coder
  • 5
    You can't and you'd better not. Extensive copy protection usually turns out to be more hassle for legitimate users who will think twice before buying your product again. – Erbureth Nov 18 '13 at 15:15
  • The real solution here is to assert your rights under copyright law as needed. There is no foolproof copy protection, or even semi-foolproof. Particularly if your app can't even phone home to check the status of a product key (which itself can be bypassed, so eh). – cHao Nov 18 '13 at 15:16
  • 4
    Ship a mandatory USB dongle with each copy, while watching your customer base go elsewhere. – Joe Z Nov 18 '13 at 15:17
  • 1
    You could probably do something with DRM on OSes that support it. The DRM system would have to connect at least once at/after installation, to obtain a license. Fundamentally, if you want to control whether your code runs then you can't target open platforms. DRM is a way of making open platforms non-open, but even so whatever it is you DRM-protect that your program uses to work, somebody might figure out how to lift that data from a running process and supply it non-DRM-protected in a cracked copy of the app. – Steve Jessop Nov 18 '13 at 15:21
  • @cHao can you please explain the term "phone home"? – Cool_Coder Nov 18 '13 at 15:28
  • @Cool_Coder: "Phone home" here was tongue-in-cheek for "building up a network connection to one of your servers" – Sebastian Mach Nov 18 '13 at 15:44
  • So can this check be not removed by a hacker using a debugger, or worse check with their own server, which will always return true? – Cool_Coder Nov 18 '13 at 15:46
  • There is nothing like an uncrackable protection. In the end, the real question is how much time/effort you want to invest in a lost cause, and how patient your customers will be in presence of false negatives in your system. – Hulk Nov 18 '13 at 15:50
  • @Cool_Coder: Copy protection these days is hardly worth the trouble. If someone wants to pirate your software, they will do it -- and the best current measures to prevent it will annoy legitimate users. The best protection you have against piracy is twofold: (1) Sue infringers, and/or (2) provide something that can't be copied, like paid support plans or customization services. – cHao Nov 18 '13 at 15:58
  • @Cool_Coder: did you consider publishing your software as [free software](http://en.wikipedia.org/wiki/Free-software)? Redistribution of your software would be legal, and you might get feedback, and perhaps improvement, on the source code! – Basile Starynkevitch Dec 07 '13 at 17:20
  • @Basile Starynkevitch thanks for your advice! I am currently considering releasing the software under GNU GPL. But it is not complete yet. I will make it open source once I feel I can no more contribute to it. – Cool_Coder Dec 07 '13 at 17:30
  • I believe you are wrong: publishing an incomplete, buggy, free software is an occasion to get valuable feedback (bug reports, suggestions, bug fixes, patches, code review, .....) – Basile Starynkevitch Dec 07 '13 at 17:33

2 Answers

8

The only standalone thing I've seen that is semi-effective is hardware keys that come with the boxed software. They used to attach to a parallel port or a serial port and get checked when you started the program.

AutoCad and similar programs used to do this, but it is a BIG PAIN for your customers. Any time it doesn't read it, or a key goes bad, customer productivity suffers. It hurts your legitimate customers far more than those who end up pirating it anyway, and a sufficiently motivated pirate can make a VM that will overcome this. Modern versions of this use USB.

My recommendation is to trust people. Upon install, make them click a "I promise I paid for this" button and be done with it. If they click "I didn't pay for this" show them a small paragraph about how to help keep good software coming and prevent customer-harming DRM schemes by simply contributing to the success of good software authors.

kmort
  • can you please tell me what is the USB method? – Cool_Coder Nov 18 '13 at 15:30
  • @Cool_Coder It's the same thing as the serial or parallel key. Take a look at this link: http://en.wikipedia.org/wiki/Software_protection_dongle It really isn't a very good method, as it is easily defeated by those who will pirate, and a huge hindrance to those who will not. But it is one method of doing this. – kmort Nov 18 '13 at 15:35
  • I agree that this is also not a solution to our problem, but rather creates a lot of problems... – Cool_Coder Nov 18 '13 at 15:41
  • In a comment on the question somebody has mentioned the term "phone home", does this mean contacting a server and doing some checks? – Cool_Coder Nov 18 '13 at 15:42
  • 1
    @Cool_Coder: Basically. The software hands the server a serial number / product key / whatever, and the software checks to make sure it's valid and not already registered to another computer. As with any other verification, it can cause false positives (if a computer is replaced, for example), and it's often near-trivially defeatable by simply editing the binary to bypass the check. And the lack of internet access makes it infeasible anyway, short of saying "call this number and tell us your product key". – cHao Nov 18 '13 at 16:07
1

You could generate a unique copy for each user, create a database, and check it against copies you find online if you like playing the biggest game of whack-a-mole ever.

  • Can you not open the application in a debugger and remove the identity information? – Cool_Coder Nov 18 '13 at 15:32
  • True it is a big game of cat and mouse, though I suppose you could debug it. But if you add say the registered email address into your code, photos, copies of it in sound files (recorded voice) etc. someone is bound to be lazy and/or miss one. If it is the best program in the world you will get it pirated. – stephen barker Nov 18 '13 at 15:55
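The per-customer copy idea from this answer and its comments, as an added sketch that is not code from the original posts: each shipped build carries an HMAC tag of the registered email in several slots, and a copy found online is matched against the customer database even if only one slot survived. The secret, slot offsets, template bytes and email addresses are all constructed assumptions.

```python
import hashlib
import hmac

# Assumption: this key never leaves the vendor's build machine.
VENDOR_SECRET = b"constructed-demo-secret"
TAG_LEN = 16  # bytes of the HMAC kept in each slot


def customer_tag(customer_id: str) -> bytes:
    """Keyed tag for one customer; without the secret it reveals nothing."""
    mac = hmac.new(VENDOR_SECRET, customer_id.encode(), hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def stamp(template: bytes, slots: list, customer_id: str) -> bytes:
    """Write the customer's tag at every reserved offset of the build."""
    out = bytearray(template)
    tag = customer_tag(customer_id)
    for off in slots:
        out[off:off + TAG_LEN] = tag
    return bytes(out)


def identify(copy: bytes, slots: list, customers: list) -> dict:
    """Map customer id -> number of slots still carrying that customer's tag."""
    by_tag = {customer_tag(c): c for c in customers}
    hits = {}
    for off in slots:
        owner = by_tag.get(copy[off:off + TAG_LEN])
        if owner is not None:
            hits[owner] = hits.get(owner, 0) + 1
    return hits


if __name__ == "__main__":
    template = bytes(range(256))          # constructed stand-in for a build
    slots = [32, 120, 200]                # hypothetical reserved offsets
    customers = ["alice@example.com", "bob@example.com"]
    shipped = stamp(template, slots, "bob@example.com")
    # Simulate a redistributed copy where two of the three tags were wiped.
    leaked = bytearray(shipped)
    for off in (32, 200):
        leaked[off:off + TAG_LEN] = bytes(TAG_LEN)
    print(identify(bytes(leaked), slots, customers))
```

This identifies the source of a leaked copy after the fact; it does not stop the copy from running, which is the limitation the thread already describes.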