Preventing theft
blargmob

Howdy,

Just a quick question. What are some methods of preventing product software theft? Things such as registration/product keys/etc.

Here's the scenario:
- A user buys a product from a website through PayPal.
- A .zip file is downloaded to the user's computer after buying it.
- ??? (prevent user from copying and pasting .zip file to other computers)

How would one go about with step 3? Something...simple. That handles itself.

Thanks for any help.

bamccaig

Before you dive into proprietary software, restrictive license agreements, and DRM I think you should take a look at the open source philosophy. :)

SiegeLord
Quote:

Before you dive into proprietary software, restrictive license agreements, and DRM I think you should take a look at the open source philosophy. :)

I second that suggestion. The only reason I buy games now is for their pretty boxes/CD's/manuals/author signed special content - the tangible things for which step 3 is impossible.

ImLeftFooted

What's there to take a look at? "Open Source" just about sums it up.

Here is a strategy I've been thinking about for a while.

Have the user download a downloader + installer. The installer gets the CPU id, turns it into a checksum (use some salt for added security), and sends it to the server as part of the download request. Have the server place this checksum into the program at a convenient location (like say the very end of your main executable)*.

When your program starts up read the CPU id and turn it into a checksum (with the same salt used the first time) and compare it against the checksum in your main executable.

Here is some code to read the last 4 bytes.

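#include <cstdint>
#include <fstream>
#include <iostream>

int main(int argc, char *argv[])
{
    // Open our own executable in binary mode so no bytes are translated.
    std::ifstream exe(argv[0], std::ios::binary);

    // Position 4 bytes before the end of the file (the offset must be negative).
    exe.seekg(-4, std::ios::end);

    uint32_t storedChecksum = 0;

    // Assemble the trailing bytes least-significant first (little-endian).
    for(int i = 0; i < 4; i++)
        storedChecksum |= static_cast<uint32_t>(exe.get()) << (8 * i);
}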

Edited.

Here is some code to get the cpu id from allegro.

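#include <allegro.h>
#include <sstream>
#include <string>

// Build a string identifying the CPU from Allegro's cpu_* globals.
std::string cpuIdString()
{
    check_cpu();  // fills in cpu_vendor, cpu_family, cpu_model, cpu_capabilities

    std::ostringstream cpuID;

    cpuID << cpu_vendor;
    cpuID << cpu_family;
    cpuID << cpu_model;
    cpuID << cpu_capabilities;

    return cpuID.str();  // <- Turn this into a checksum
}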

* Be careful to write the checksum in an endian-safe manner if you still care about that
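
The scheme in this post carried through end to end, as an added example (not ImLeftFooted's code): the server appends a salted checksum of the machine id to the file as a little-endian 4-byte trailer, and the program re-derives and compares it at startup. FNV-1a as the checksum, the salt, the CPU id strings and the file name `demo_game.bin` are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iostream>
#include <string>

// Salted 32-bit FNV-1a over salt + machine id. FNV-1a is this example's choice
// of checksum; it is not a keyed MAC, and the salt ships inside the client, so
// this only discourages casual copying.
uint32_t salted_checksum(const std::string& salt, const std::string& machine_id) {
    uint32_t h = 2166136261u;                  // FNV offset basis
    for (unsigned char c : salt + machine_id) {
        h ^= c;
        h *= 16777619u;                        // FNV prime
    }
    return h;
}

// Server side: append the checksum as 4 bytes, least-significant first, so the
// layout does not depend on the byte order of the machine that writes it.
bool append_trailer(const std::string& path, uint32_t sum) {
    std::ofstream out(path, std::ios::binary | std::ios::app);
    if (!out) return false;
    for (int i = 0; i < 4; i++)
        out.put(static_cast<char>((sum >> (8 * i)) & 0xFF));
    out.flush();
    return out.good();
}

// Client side: read the last 4 bytes back in the same order.
bool read_trailer(const std::string& path, uint32_t& sum) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return false;
    in.seekg(0, std::ios::end);
    const std::streamoff size = in.tellg();
    if (size < 4) return false;                // too short to hold a trailer
    in.seekg(-4, std::ios::end);
    sum = 0;
    for (int i = 0; i < 4; i++) {
        const int b = in.get();
        if (b == std::char_traits<char>::eof()) return false;
        sum |= static_cast<uint32_t>(b) << (8 * i);
    }
    return true;
}

enum class Check { Ok, NoTrailer, Mismatch };

// Startup check: recompute from the local machine id and compare to the trailer.
Check verify_install(const std::string& path, const std::string& salt,
                     const std::string& machine_id) {
    uint32_t stored = 0;
    if (!read_trailer(path, stored)) return Check::NoTrailer;
    return stored == salted_checksum(salt, machine_id) ? Check::Ok : Check::Mismatch;
}

// Stand-in for the server's packaging step: write the payload, then the trailer.
bool build_download(const std::string& path, const std::string& payload,
                    const std::string& salt, const std::string& machine_id) {
    {
        std::ofstream out(path, std::ios::binary | std::ios::trunc);
        if (!out) return false;
        out << payload;
    }                                          // closed before the trailer is appended
    return append_trailer(path, salted_checksum(salt, machine_id));
}

int main() {
    // Constructed sample values; a real client would use its own CPU id string.
    const std::string salt = "example-salt";
    const std::string path = "demo_game.bin";  // stand-in for the executable
    build_download(path, "stand-in program bytes", salt, "GenuineIntel/6/15");
    const char* names[] = {"ok", "no trailer", "mismatch"};
    // Same machine id passes; a different one (copied file, changed CPU) fails.
    std::cout << "buyer's machine:  "
              << names[static_cast<int>(verify_install(path, salt, "GenuineIntel/6/15"))] << "\n";
    std::cout << "copied elsewhere: "
              << names[static_cast<int>(verify_install(path, salt, "GenuineIntel/6/17"))] << "\n";
    std::remove(path.c_str());
    return 0;
}
```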

BAF

You can't do it. If your program is popular enough, it will be cracked.

ImLeftFooted

The idea I'm after isn't to make it perfect. Mostly it's so Jane at home who finally learned to send emails doesn't become my favorite redistributor.

This gets the job done cleanly, efficiently and without disrupting the customer's experience (i.e. a CD key is highly annoying).

Matthew Leverton
Quote:

What are some methods of preventing product software theft?

Create something that nobody wants. Shouldn't be that hard.

bamccaig

;D

blargmob
Quote:

Create something that nobody wants. Shouldn't be that hard.

Everything I make is like that. ;D

SiegeLord

To expand on DDustin's idea, the key generation part could be randomized for every executable/installer pair via some preprocessor magic or otherwise. This will make a generalized crack much harder to create, since, if done correctly, this will require each executable to be cracked separately.

That would only work for a closed source program though... I am not too sure if it is possible to copy-prevent an OSS program. Personally, if I absolutely had to get money from my software, I'd keep it closed source for the first year or two, and then release it for free under GPL, like Id. (yay Id, my favourite company).

EDIT: A note however. If the user changes his CPU, DDustin's method will fail rather miserably, so it needs to be supplemented by something else, perhaps an installation key that identifies each purchase. It could be a 1000 digit code (sent via email) so that you would be unlikely to guess it, but at the same time it would serve as a good fall-back identifier.

Thomas Fjellstrom

Here's my thoughts,

Create something someone wants, for a price they are willing to pay, and the people you want to buy it, will buy it.

People will still pirate it, but they aren't the people you are selling to, so fsck em.

Kibiz0r

What Thomas said.

Paul whoknows

Hardware dongles are effective if used wisely. Even when cracked, the software usually won't work perfectly.

Onewing

Wow, a lot of people not actually answering the question.

Of course, completely preventing theft is unfortunately impossible, not attempting at all isn't really a good alternative. I say add what security you can, but don't waste too much time on the subject. The people who are good enough to hack it and/or take a hacked copy aren't really a part of the target audience. And, if people are willing to hack it and/or take a hacked copy, it means your product is worth their time. Then you have word-of-mouth advertising.

That being said, I'm nowhere qualified to offer any secure measures to helping prevent theft.

Timorg

Implement as much of the software on a server as possible, then make people own an account to use the software.

Along those lines have things like

+Online score table
+level editor that automatically uploads your levels onto your online account
+chat
+simultaneous gameplay, it doesn't need to be multiplayer, just allow people to see their friends' current score, or see ghosts of other players*
+forum where registered people get marked and have a quick turn around on questions and help and the like.
+keep the game updated with level packs

This is all aimed at casual games though. The people are buying a service more than just a game.

*this makes me think of super mario brothers, imagine seeing other ghost marios in the background of all the people in your friends list

Thomas Fjellstrom
Quote:

not attempting at all isn't really a good alternative.

And all of the current alternatives only make it harder or more inconvenient for paying customers. None of them challenge the pirates, it's largely a waste of time and effort for most software.

But Timorg does have a point, probably one of the most secure ways is to implement the important stuff server side, so to play say the multiplayer part, you need a valid account.

jhuuskon
Quote:

Hardware dongles are effective if used wisely. Even when cracked, the software usually won't work perfectly.

They are effective in making legitimate customers' lives difficult, and unfortunately the cracked versions (for example the H2O syncrosoft emulation driver that is packaged with pirated versions of Cubase) function so much better (stability and performance) than the hardware that even legitimate clients opt for the cracked product (or in this case, circumventing the dongle).

The most effective piracy countermeasure is matching the product's quality and price so that the legitimate customers won't feel tempted to opt for shady means of acquisition.

Godai2k

I just make the registration key from the user's name + valid email.
That way they can spread the software, but they'll know that I can extract the email from the key of a pirated program. No point in making it hard for people to use.
If you really want to, use something like MoleBox with a hardware key generated from the user's machine. But the user will have problems installing on a different machine.

At the end of the day, every scheme can be easily cracked with a good debugger. Even encrypted executables need to be unpacked in memory before being fed to the CPU and that way both the encryption scheme as well as the hardware key check can be found and worked around.

Alternative ideas from the past: Include huge book which you must look up for important game text (mostly for RPGs), include great physical content (maps, books etc) or as mentioned make a large part of the game online.

ixilom

Rewrite a Windows/Linux/OSX compatible OS that doesn't allow moving/copying zip archives.
Even then, it's not impossible, just tougher ;)

Thomas Harte

I'm not sure that modifying an executable file is a particularly sound way forwards. I'll wager that at least one of the realtime anti-virus programs will have something to say about it. And you need to do it before the executable reaches its destination, since a significant-enough-to-be-worth-mentioning number of people store those in read-only places and having a .exe modified while it is running is likely to trip even more antivirus programs.

I'd say that if you want basic copy protection then some sort of license key that incorporates some machine information and is stored in a proper preferences file (i.e. one stored wherever your OS says they should go, not DOS-style with the .exe - which doesn't even work on Vista) is probably all you can do. It'll mean that program files and license keys can't be redistributed. Someone will be able to crack it, but someone will be able to crack anything you do and this way isn't liable to trip antivirus software or do any of the really stupid Sony BMG-type things that have pretty much killed attempts at DRM on music CDs.

Bob Keane
Quote:

Create something that nobody wants. Shouldn't be that hard.

When is the next version of IE coming out?

gnolam
Quote:

Just a quick question. What are some methods of preventing product software theft?

A decent door, secured windows, a burglar alarm and possibly a safe. Copyright infringement != theft. :P

Neil Walker

lenslok is the future (http://en.wikipedia.org/wiki/Lenslok).

Paul whoknows
Quote:

...unfortunately the cracked versions (for example the H2O syncrosoft emulation driver that is packaged with pirated versions of Cubase) function so much better (stability and performance) than the hardware that even legitimate clients opt for the cracked product (or in this case, circumventing the dongle).

I know well that a friend of mine told me that H2O's cracks are far from being perfect, the cracked software usually doesn't work at 100% and you have to re-install it and re-crack it after every use.

In my opinion, hardware dongles are invasive but because of this they are perhaps the most effective anti-copy system.

SiegeLord

Hah, or you could release a demo of your game, and then post a monetary bounty to be fulfilled via donations before you release the full game/episode. (Wonder if that would actually work.)

Jonatan Hedborg

Probably not :P
I know I wouldn't pay a dime in such a system ;)

X-G

There is no such thing as software theft.

Kibiz0r

Give the basic game away for free and sell additional content. (Assuming it's a game.)

Seriously, holding the product hostage doesn't generate any good will, and the best way to combat piracy is to make them not want to pirate. More bees with honey and all that.

SiegeLord
Quote:

Give the basic game away for free and sell additional content. (Assuming it's a game.)

Exactly what I said phrased in a more pc manner, eh?

Thomas Harte
Quote:

There is no such thing as software theft.

But almost every DVD I own tells me that downloading pirated films is stealing, Merriam-Webster tells me that theft is the act of stealing, and DVDs can include little programs for their interactive menus.

Surely the movie industry hasn't been lying and/or grossly exaggerating to me?

EDIT: the UK definition of theft is actually one that most law students, including me, find surprisingly memorable so I can tell you that it is the dishonest appropriation of property belonging to another with intent to permanently deprive. Irrespective of the other limbs of the test, you obviously don't permanently deprive the original owner of the rights to a software of their rights if you download it, so downloading trivially isn't theft.

OnlineCop

I have a laptop and a Mac. I run Parallels on the Mac, which runs WinXP (or Win9x, or Vista, or Linux, or...).

If I buy software and stick it on my Mac (Parallels), there is no "hardware ID" because I can change it on the fly. "Parallels, I want you to see a dual-core system. Now I want you to see a quad-core system. Now I want you to have a MAC address of [...]. Now I want to have a bridged ethernet connection."

If I get a virus on WinXP on Parallels, I blow it away and want to reinstall the software. I can't, if those protective measures are in place.

On my laptop, I run most all of my downloaded software through Sandboxie. I may play a demo game, or browse the internet, or whatever, and if it gets infected with some virus, I blow away that particular sandbox, rootkits, malware, and all.

Now my 1-hour demo game can be played for 1 hour, then my progress saved. I run the 1-hour demo again through a second sandbox, but this time, copy the saved progress data to the new sandbox and continue from my last-saved location at "time=0". I play for another hour. And so on, and so forth.

I have some computers that have no internet access. If I want to install the game on that computer, I'd either have to download it from internet-connected Computer 1, then copy it over to internet-disconnected Computer 2 and try to run it. (Maybe it's behind a very tight firewall or something.) What then?

Kibiz0r
Quote:

Exactly what I said phrased in a more pc manner, eh?

Sorry, I took your post to mean more like "merchandise/memorabilia" whereas I was talking about additional characters, items, whatever. Basically, Nexon's model.

alethiophile

Trying to prevent people from pirating is not going to work. If it's popular enough to buy, it's popular enough to crack. I would (either) release it as OSS (yay!), or release it closed with a promise to OSS it later, or release a basic game and charge for extra content.

blargmob

But then people would just redistribute the extra content that they bought for free. :'(

bamccaig
blargmob said:

But then people would just redistribute the extra content that they bought for free. :'(

If you look at previous attempts at DRM it has generally been unsuccessful, even by billion dollar corporations. Without a deep background in computer engineering, you're unlikely to develop something that an experienced hacker with a deep background in computer engineering will have trouble deciphering. :P It's really not even worth your time or effort at this point, IMO.

I would recommend you discuss this with a lawyer if you're serious about it. IIRC, you're only ~15-16 (though that has little to do with it), but more so you're asking here so you probably don't know much about it. College really helped to open my eyes to the liabilities that can be placed upon you by selling software and by software development in general. Having a good lawyer is definitely worth your time and money. :)

You should definitely talk to a lawyer about what kind of liabilities you'll have selling software and, if you decide to go that route, to help you write a software license. You may not realize the repercussions of selling software licenses. You may also want to formulate some kind of agreement between you and your lawyer holding them accountable for errors or omissions in the license agreement. The thing is, it can get very messy this way for everyone involved.

Open source has a lot of advantages that you should consider. And open source doesn't necessarily mean you don't get paid at all. For example, you can opt to charge for the source/binary (I wouldn't really recommend this though for anything less than professional software with a strong enough engine to build off of; the Source engine is a good example of where this is a good model).

Better yet, you can give the source/binary away for free and accept donations from your users. Some of the users that like the game will likely contribute to the maintenance of this and development of new games. Also, this way you will get backed by open source developers that support your project. They may contribute and/or point out problems that need fixing.

An added bonus is that an "as is" license is much more acceptable when the user isn't paying for the use of software (you can probably get away with it for proprietary software as well, but it doesn't say good things about you). The users that don't like it won't be sore about being taken by you because they won't have paid anything yet.

Personally, if you're just developing games for fun or as a hobby you should probably just take what you can get from open sourcing them and getting feedback from users. I don't know much about this either, but I've been pulled towards the open source side of the fence and I like where I'm at.

Oh, and BTW, even if you plan to open source your software, I STILL recommend you discuss it with a lawyer. :P

BAF

Yeah, you can GPL it and as long as you're large enough and corrupt enough, actually get away with charging for it, breaking GPL. I mean, look at the x-chat losers who think it's so hard to build a Windows binary that they have to charge for it. Of course, they are GPL fanbois so they can get away with sharewareing it.

Kitty Cat
Quote:

charging for it, breaking GPL

There's nothing preventing you from charging for GPL software. You only need to provide sources for free/the cost of delivering, upon request, and grant all rights to the recipient (so they could turn around and sell copies too, or give it away for free, if they wanted; basically what pirates already do).

But my whole thinking on trying to prevent software copyright infringement is this. Software piracy has been around since the beginning of time, and all attempts at preventing/stopping it have been futile at best. Yet, we still have companies making thousands to millions of dollars from software sales...

Kibiz0r
Quote:

But then people would just redistribute the extra content that they bought for free. :'(

Impossible*, if it's an online game. Your server's database is the word of god to the client.

For an offline game, you're pretty well fucked regardless -- what're you asking for? It's just a fact. Without external validation, there is absolutely positively no way to make something that cannot be pirated.

* For extremely small values of impossible. (I've never tossed so many absolutes into a forum post, ever. Not once.)

bamccaig

There are other open source licenses. And nothing is stopping you from writing your own (read: paying a lawyer to write your own).

Matthew Leverton

TF already gave the final answer:

Quote:

Create something someone wants, for a price they are willing to pay, and the people you want to buy it, will buy it.

If your program requires Internet access, then good, you've got yourself some extra security. If your program requires special hardware to function, then good, you've got yourself some extra security.

But throwing those things, or any extra measures, into your program for the sole purpose of "piracy protection" does a disservice to the honest people who have no problems paying a fair price for your work.

The people that pirate your goods aren't the type of people who will ever pay for anything (most of them are probably too young to even get allowance money from their parents), so they don't actively hurt your sales. I'm not defending their actions, because they are wrong, but they won't be the reason why you have no sales.

Karadoc ~~

Onewing is right, a lot of people in this thread are not answering the question. The gist of the question is 'what can I do to make it more difficult to steal my software'. Most of the replies seem to be saying 'don't bother'.

I like Dustin's response.

From my point of view, if the goal is to minimise the gains of piracy, then what you want is to maximise this: (cost of using a pirated copy of the software) - (cost of using the software legitimately). If you intend to charge money for your software, then "cost of using the software legitimately" can be no less than the price. It is true that most software protection can be cracked easily, so it is almost never worth implementing software protection that makes life harder for legitimate users (i.e. software protection that raises the cost of using the software legitimately probably will not raise the cost of piracy enough to be worth it). Ideally, software protection should be invisible for the legitimate users, and a pain in the arse for the pirates. ... I just realised that I actually don't have a lot of constructive input to give. A lot of modern computer games have some very basic copy protection that gets cracked straight away, but must be recracked every time a patch is released. That's worth thinking about, I guess.

Thomas Fjellstrom

That's the entire point, many companies spend so much money and effort on people that aren't even buying the product, and usually make it harder to use legitimately. Why spend time and money on people you aren't selling to at all? Instead of catering to them, spend that extra time and effort on the product itself, make it better, make it worth buying.

To paraphrase an (older) pop culture reference, "if you build it they will come". Not quite that simple, but you should get the gist of it.

blargmob

hmmm... perhaps I will just trust the users to be responsible. Thank you all for your help.

Neil Walker
Quote:

But almost every DVD I own tells me that downloading pirated films is stealing

And this is the single reason why I 'backup' my films as there is nothing worse (Disney being the biggest culprit) than wanting to watch a film and having to go through first a set of piracy warnings and then a series of film previews before you get to the menu because they have disabled all buttons on the remote.

Matthew Leverton
Quote:

Most of the replies seem to be saying 'don't bother'.

Because that's the right response.

To kind of answer a question the OP posted in a different thread, about the only thing I have no problems with is a registration system. You download the full program for free, and upon entering a registration code, all of the features are unlocked.

If people share the executable, the end user must type in somebody's registration code. That alone is enough to raise alarm bells in an honest person's head, because he'll realize that the program isn't free. If he still enters information that isn't his, you know he isn't honest and not likely to buy it anyway.

Also, nobody can distribute the full, working program unless they hack it, which not many people can do. If your program is so good that somebody hacked it and distributed it, then you're probably making a lot of sales.

It all comes back to making sure there is an audience for your program. If your audience is 18 to 24 year old college students, you are probably out of luck (if you don't have a large marketing budget). No protection scheme is going to force them to buy your software. You need to make something that people want for the price you put on it.

X-G
Quote:

...you know he isn't honest and not likely to buy it anyway.

I would like to stress this point, because it's something people overlook and it causes a lot of unnecessary consternation. The simple fact is that the majority of the people who would pirate your program are people who would never buy it in the first place; they are not part of your target audience, and you can't force them to be. They do not represent lost sales, because there are no sales to lose in the first place.

You should focus on the people that are actually interested in buying it and making things as easy as possible for them.

Karadoc ~~

The honest vs. dishonest thing is not a binary quantity. I mean, there's a continuous spectrum of honesty. A person's decision to pirate/cheat/steal or whatever is based on a bunch of different things; including how "honest" the person is but also risk, difficulty, importance (for example, killing someone would be bad even if it were risk free and easy to do), obviousness (it may be easy to pirate the software, but if a person doesn't see how easy it is they may not try; or it might be really easy to rob your house, but as long as the potential criminals don't realise that then they are less likely to try), and so on.

For the kind of small time software piracy we are talking about, the risk and importance are always going to be pretty small. But it would probably be beneficial to put in whatever small tricks you can think of to increase the difficulty of cracking the software; and try not to make it obvious how to apply the crack on other computers. The basic scheme that Matthew just gave actually sounds pretty good to me; but if it is obvious that the same code can be used to unlock any number of copies, then people may find it easier to google for a code rather than pay for one. It would be better if the code were somehow dependent on who was activating it...

OnlineCop

So then all you need to do is create two versions of your software. The first version, you sell normally. The second is a "breaks down" version that looks and feels (and functions) just like the normal version, except that it's targeted specifically for pirates. After a few uses, it starts deleting some of its own needed files, getting "updates" from your "this software is pirated" website instead of the "real" software-update website, and otherwise becoming a flaming bag of poo.

You upload your "pirated" version to the internet; everything goes well for about a week (especially convincing if it has a low-grade and easily-hackable "registration code" process that they feel they've defeated all of your systems), then stuff dies. No one is the wiser; no one knows it's YOUR program that's making it malfunction like that: they'd expect it's a virus they pulled off of a shady bittorrent site.

Profit!

Neil Black

So you antagonize all the people who buy your game honestly?

Kitty Cat
Quote:

You upload your "pirated" version to the internet; everything goes well for about a week (especially convincing if it has a low-grade and easily-hackable "registration code" process that they feel they've defeated all of your systems), then stuff dies. No one is the wiser; no one knows it's YOUR program that's making it malfunction like that: they'd expect it's a virus they pulled off of a shady bittorrent site.

And alienate potential customers? Perhaps they downloaded it because they don't have the money yet, or they wanted to try it out before separating with their hard-earned, limited, money. They start enjoying it, then "bugs" start occurring, then they decide to not buy it because it looks buggy (or your program is labelled a "virus" and they avoid the creator in all future endeavors).

OnlineCop

Good points, but if they're going to download the program illegally in the first place, I'd put them in that bracket of "not your target market anyway". And if people buy your game honestly, then of COURSE you give them the link to the "real" website, and not the "this software is pirated" one.

Besides, it isn't really my first impression if I get software for a torrent that "oh look, it just started deleting its own files..." is always the file's fault. My first impression is, "oh, crap. Some jerk put a malicious file in with this. I'll need to download a different copy of it..."

After all, if I download the program online, I'm going to assume first that the program is the "real" copy and that it's not going to self-implode on me. If that's the case, I'd say others would share the same feelings.

HardTranceFan
Quote:

So then all you need to do is create two version of your software. The first version, you sell normally. The second is a "breaks down" version that looks and feels (and functions) just like the normal version, except that it's targeted specifically for pirates. After a few uses, it starts deleting some of its own needed files, getting "updates" from your "this software is pirated" website instead of the "real" software-update website, and otherwise becoming a flaming bag of poo.

This reminds me of an incident way back at school. A friend had bought a legitimate copy of a game, but someone at school managed to get hold of the floppy disk, copy it and distribute it to the other geeks at school. So my friend created a little 'fix' for the game, which, after it was used a number of times, created some bad sectors on the disk, rendering it useless. We distributed this 'fix', telling people that the game wouldn't work for very long due to a known bug. They bought it hook line and sinker, and within a few days all illegal copies of the game had gone.

OnlineCop's suggestion runs along a similar line to what the programmers of Spyro the Dragon did, when they developed a good copy protection, though this was eventually cracked after a few months.

OnlineCop

HardTranceFan, thanks for that link. It was actually a really cool article. I'm in favor of what they talked about: for commercial games, having a crack time of several months over a few hours/days/weeks definitely puts your game at the top of the cracker community buzz forums. While no game is totally uncrackable, the laziness of crackers often lets them play-test the game only partially before releasing an incomplete crack for the game.

I especially liked their picture:
http://www.allegro.cc/files/attachment/596222

;D

Timorg

C&C:Generals did something similar to Spyro, the copy protection would appear to work, but a random amount of time into a level, all your units would suddenly explode.

Thomas Fjellstrom

I really like that idea, but instead of totally breaking game play, make a different, more simple game out of it. If people want to play the real game, they have to buy it, but what they essentially get out of the illegal copy is a glorified demo :)

Thread #597502. Printed from Allegro.cc