Tips & Hints for
Shareware/Freeware Authors
Written by Matthias Kahlert, mkahlert@kagi.com
http://www.GeoCities.com/SiliconValley/Pines/8031/index.htm
General Information: Secure Registrations
Many good shareware applications are cracked or patched. But how can you protect your application against hackers and crackers? Here are some ideas...
Saving the Registration Key
If a user registers for a shareware application, he usually has to enter a registration code somewhere inside the application. But after the program has been registered, where is that key saved?
There are some possible ways:
- The most common way is to save the code in a settings file (like "PROGRAM.INI" in Windows or "Program Prefs" on the Mac). If you decide to save the code in a preferences file, this file should not reside in the same folder as the application. Why? If the user likes your application, he may decide to give a copy of it to his friends. Sometimes he just copies the installed version onto a diskette and gives it away, including the registration key!
So if you decide to use INI files, you should store them in the Windows directory or in the MacOS Preferences folder.
- Another way, limited to Windows PCs, is to store the code inside the Windows Registry. In order to prevent hackers from finding the code there, you could store the code in a key or section that has nothing to do with your application. Make it look like it belongs to Windows itself...
- A third possibility is to store the code directly inside the application. Just set a few bits inside the code or add a special resource. But this has the same disadvantage as the INI files: if the user copies the application onto a disk and gives it away, he spreads a registered version...
As you can see, all of these possibilities have advantages and disadvantages. Perhaps a good approach is to combine them... But that's your decision.
Think about how to handle updates, what happens if the user gives away a copy of the program, etc.
Or why should you save the complete code on the hard disk at all? In most cases it is enough to save a marker that shows that this is a registered version of the application.
If you give hackers a chance to find the complete code, it may be easier for them to work out how that code is generated.
Another tip:
Never show the registration code anywhere inside your application! After the user has entered the code, don't let it appear in the about box, the main window or somewhere else! Just show the name of the registered user, nothing more.
Why? Many shareware magazines show screenshots of reviewed shareware applications. If they use a registered copy of the application in their review, it may happen that they display the registration code...
Just browse through older issues of some magazines; they sometimes forgot to hide the code. (That also happened to some major applications like Photoshop or Illustrator.)
Hackers often try to crack shareware applications by finding out how the registration code is created. If that doesn't work, they try to patch your application by deleting the code that validates the registration code.
In most cases you can't prevent the hackers from doing this, but you can make it more difficult for them.
In order to prevent patches, you can run a checksum of your program code on startup. If it is not what you expected when you shipped the program, you can bring up a dialog informing the user that the program has been altered, and quit. Again, as was mentioned earlier, you should make the "if" statement(s) for this check obscure so they can't be hacked around either.
This checksum can also be used as a nice virus scanner, because viruses also alter the application code.
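A sketch of the startup checksum described above, as an added example (not code from the original page). It works on an in-memory buffer standing in for the program file; the function names, the choice of CRC-32 and the 4-byte slot layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* CRC-32 (reflected polynomial 0xEDB88320), computed bit by bit. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Checksum that skips the 4-byte slot holding the stored value itself. */
static uint32_t image_checksum(const uint8_t *img, size_t len, size_t slot)
{
    uint32_t crc = crc32_update(0xFFFFFFFFu, img, slot);
    crc = crc32_update(crc, img + slot + 4, len - slot - 4);
    return crc ^ 0xFFFFFFFFu;
}

/* Build step: store the checksum (little-endian) in the slot. */
int image_seal(uint8_t *img, size_t len, size_t slot)
{
    if (len < 4 || slot > len - 4) return -1;
    uint32_t c = image_checksum(img, len, slot);
    for (int i = 0; i < 4; i++) img[slot + i] = (uint8_t)(c >> (8 * i));
    return 0;
}

/* Startup check: 1 = unchanged, 0 = altered, -1 = slot out of range. */
int image_verify(const uint8_t *img, size_t len, size_t slot)
{
    if (len < 4 || slot > len - 4) return -1;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++) stored |= (uint32_t)img[slot + i] << (8 * i);
    return stored == image_checksum(img, len, slot);
}

int main(void)
{
    /* Constructed sample standing in for the program file read at startup. */
    uint8_t img[] = "HDR\0\0\0\0\0code: if (registered) run_full_version();";
    image_seal(img, sizeof img, 4);
    printf("as shipped: %d\n", image_verify(img, sizeof img, 4));
    img[20] ^= 0x01;   /* one altered bit, as a patch or virus would leave */
    printf("altered:    %d\n", image_verify(img, sizeof img, 4));
    return 0;
}
```

CRC-32 reliably catches accidental damage and careless changes, but it is not a keyed check, so it raises the effort needed rather than making alteration impossible.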
If you use any constant strings to show that the user is working with an unregistered version, do not put those strings directly into your code. Try to hide them or encrypt them.
If you have an application that lets the user print out data, you should put a text like "This has been printed with an unregistered version of XXX" onto the printout.
If the user likes your application but doesn't want to register for it, he may try to find that string using a hex editor and overwrite it with spaces. But if you encrypt that string, this is nearly impossible for the average user... (Think about how easy it is to use a hex editor or ResEdit.)
If you have any other ideas about how to protect shareware applications against cracking and patching, please let me know. Just send an e-mail to mkahlert@kagi.com.
Modified on 19. July 1997