sandeep Posted June 20, 2012

Hi Guys

I am the owner of Sinvise Systems Shutdown Timer.

I'm not bugged or anything since I knew the application wouldn't be so hard to crack, and I wasn't too fussed if it did get cracked as it was originally free.

One thing I was wondering is what process did the SnD Team manage to get through into the code.

Thanks

kao Posted June 20, 2012

I can't answer for SnD, but from a first look your "protection" seems to be trivial.

de4dot takes care of the .NET Reactor layer. After that, any .NET decompiler will produce readable and understandable license checking code. Rijndael is a symmetrical crypto algorithm, so all necessary encryption keys are inside your program.

The entire "cracking" process shouldn't take longer than 15 minutes. Even newbies could do that, since all necessary tools are publicly available.

The Dark Posted June 21, 2012

Well if I were doing this, and btw I suck at .net cracking, I'd use PEID to identify the protection you're using. Find the stripper for it (give her a buck lol) then use a .net disassembler to take a peek at it. From a professional standpoint I would then use IDA as well as the .net program then get her down.

sandeep (Author) Posted June 21, 2012

Thanks for the info guys.

I guess there is a huge thing to look into.

Does anyone know of any good practice to code a licensing system?

My first thoughts were to rethink the encryption, and also validate with my server to see if the details exist. But then I can still think someone can go into the code and block the check.

ghandi Posted June 21, 2012

Read and watch as many tutorials on different copy protection systems, learn how to reverse engineer for yourself and gain the knowledge/skills necessary to identify and remove/rectify weaknesses in your own, imho this is the best 'practice' or 'training'.

If you are already a successful software developer then you can incorporate these into your own coding to make it more difficult to defeat OR use the information you gain to choose a suitable third party solution, if you can.

See where others fail and try to learn from their mistakes/errors, you'll learn a multitude of necessary information simply by reverse engineering because that is exactly how protections are defeated in the wild: reverse engineering initially and *possibly* tools are built afterwards.

HR,
Ghandi

xsp!d3r Posted June 21, 2012

or give up to the fact that everything is crackable!

Kurapica Posted June 21, 2012

I used to be a developer and I don't recommend any one to follow this career path any more <-- just my opinion

small software vendors are usually the big losers from piracy, so if someone is really fetish for coding then I recommend that you join a big company where your efforts for months or even years won't be spread all over the web after a 15 min cracking job just like in small software vendors case, what kao said is very true, but even before the emergence of tools like de4dot, we were able to keygen obfuscated applications but I have to admit it took more time, the point here it was doable and still doable.

I think you should sell your algos or ideas to some big company if you think it's no longer safe to distribute it over the web.

thinking again, I think developers should get a real job, nothing personal guys but just what I think after all those years in this ugly business.

sandeep (Author) Posted June 21, 2012

Thanks for the honest advice guys.

As a note I do have a real job but this is just something on the side since I enjoy programming in .NET and trying out different things. I would love to share my ideas and thoughts but in the end I don't think my programming is that efficient to stick on something like codeproject.

I would actually like to learn how to disassemble code and also help build security up in applications even though it still may be crackable I just want to push new ideas and have something to stick on my CV/resume.

Ali.Dbg Posted June 22, 2012

Sinvise Systems Shutdown Timer
Compiler: .Net v2.x
Protector: DotNet Reactor v4.X -> Eziriz
Unpacker: De4dot
Patch: Reflexil and ...

Edited June 22, 2012 by Ali.Dbg

quosego Posted June 22, 2012

If you want to start reversing I suggest Lena's tutorials. These are not for .net but will teach you normal reverse engineering.

http://tuts4you.com/search.php?q=lena&r=0&s=Search&in=&ex=&ep=&be=&t=downloads&adv=0

For .net you could check out the following:

http://tuts4you.com/search.php?q=DotNet+&r=0&s=Search&in=&ex=&ep=&be=&t=downloads&adv=0

Soro Posted June 22, 2012

For .net try C0dr4cK tutorials:

nice tut to start in .net rev.

.NET Crack Tutorials by C0dr4cK http://uploadmirrors.com/download/1UGSSJ38/dotNETCracktutorial.rar

.NET Keygen Tutorials by C0dr4cK http://uploadmirrors.com/download/07YTNW6R/dotNETKeygentutorial.rar

sandeep (Author) Posted June 22, 2012

> For .net try C0dr4cK tutorials:
> nice tut to start in .net rev.
> .NET Crack Tutorials by C0dr4cK http://uploadmirrors.com/download/1UGSSJ38/dotNETCracktutorial.rar
> .NET Keygen Tutorials by C0dr4cK http://uploadmirrors.com/download/07YTNW6R/dotNETKeygentutorial.rar

Thanks for the links, do you know the password for these?

Soro Posted June 22, 2012

New Link without pwd:

http://www.mirrorcreator.com/files/1EV2OCOJ/.net_Tut.rar_links

Edited June 22, 2012 by Soro

mrexodia Posted June 22, 2012

@sandeep: Choosing stronger public key encryption systems might help you a little, but also consider looking at EazFuscator; tools like de4dot usually have problems with that (free) obfuscator...

Just my two cents,
Mr. eXoDia

Edited June 22, 2012 by Mr. eXoDia

sandeep (Author) Posted June 22, 2012

> New Link without pwd:
> http://www.mirrorcreator.com/files/1EV2OCOJ/.net_Tut.rar_links

The tutorials really clear things up. Thanks

> @sandeep: Choosing stronger public key encryption systems might help you a little, but also consider looking at EazFuscator; tools like de4dot usually have problems with that (free) obfuscator...
> Just my two cents,
> Mr. eXoDia

Thanks for that, I'm reading up on RSA etc and trying out different methods in a solution.

mrexodia Posted June 22, 2012

About server checks: only checking for a return code such as 'ok' or 'error' is lame and easy to patch. Returning some RSA keys that decrypt trivial program parts when a serial is valid should be harder to do. The user needs a key from your database, which shouldn't be obtainable without paying for the soft

Edited June 22, 2012 by Mr. eXoDia

sandeep (Author) Posted June 22, 2012

> About server checks: only checking for a return code such as 'ok' or 'error' is lame and easy to patch. Returning some RSA keys that decrypt trivial program parts when a serial is valid should be harder to do. The user needs a key from your database, which shouldn't be obtainable without paying for the soft

OK so basically the private key will be stored on the server and when the customer purchases it then they use that key to enter in my system. The Public key will obviously be bundled with the app right?

mrexodia Posted June 22, 2012

Why would you include the private key?

If you get a key from a user you can return anything you want, including public keys. You could also use a combination of symmetric and asymmetric encryptions. This article might be of interest to you: http://www.suse.de/~garloff/Writings/mutt_gpg/node3.html

Greetings

PS You could also consider bringing two versions of your program. One that you only provide to legit customers and a free one that simply does not have the full features. In this case a cracker needs to get a supply or he/she needs to buy it him/herself.

Kurapica Posted June 22, 2012

Just wanted to share this blog with you, it has tons of useful information about many topics that developers should know.

http://successfulsoftware.net/category/piracy/

mudlord Posted June 22, 2012

all I can say is: what ghandi said o_o.

no need to repeat anything.

No wait: What Kurapica said. It's always nice to have a stable job when coding, even when it's not coding related. that way there is job security when a project fails because of piracy.

though personally, I rather keep doing what I do now and just release code for free, OR get a chance where a developer sublicenses some code of mine for profit (it did happen).

Edited June 22, 2012 by mudlord

sandeep (Author) Posted June 22, 2012

Thanks a lot for the help guys, now I just need to find some .NET apps to crack

@mudlord I do have a stable job, so everything's alright in that area, this was just a hobby for me to keep my programming skills at the same level and learn as I go.

cynent Posted June 23, 2012

The best you can do is to use public key crypto and store the public key in your program differently every time, this would basically force someone to patch and a keygen wouldn't be possible as they'd need to replace the public key with a patch. Meaning every time you do a release a new patch is needed. It can still be broken, but it's really the best one can hope for.

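The public-key licensing idea raised above by kao, mrexodia and cynent, as an added example that is not code from any poster in this thread or from the Shutdown Timer application: the vendor signs each license with an RSA private key that stays on the server, and the application carries only the public key. The `name|expiry|signature` license format, the class and method names, and the key pair generated in `Main` are assumptions for illustration; the code targets current .NET.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    const string DateFormat = "yyyy-MM-dd";
    // Vendor server only: signs "name|expiry" with the private key.
    static string Issue(RSA vendorKey, string name, DateTime expiryUtc)
    {
        if (name.Contains("|")) throw new ArgumentException("'|' is the field separator");
        string payload = name + "|" + expiryUtc.ToString(DateFormat, CultureInfo.InvariantCulture);
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(payload),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        return payload + "|" + Convert.ToBase64String(sig);
    }
    // Shipped in the app: has the public key only, so it can check licenses but not create them.
    static bool Verify(RSAParameters publicKey, string license, DateTime nowUtc)
    {
        string[] parts = license.Split('|');
        if (parts.Length != 3) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            byte[] payload = Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1]);
            if (!rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
                return false;
        }
        DateTime expiry;
        return DateTime.TryParseExact(parts[1], DateFormat, CultureInfo.InvariantCulture,
                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out expiry)
               && nowUtc <= expiry;
    }
    static void Main()
    {
        using (RSA vendorKey = RSA.Create(2048)) // constructed demo key pair
        {
            RSAParameters pub = vendorKey.ExportParameters(false); // public half only
            DateTime now = new DateTime(2012, 6, 22, 0, 0, 0, DateTimeKind.Utc);
            string lic = Issue(vendorKey, "Constructed User", now.AddYears(1));
            Console.WriteLine(Verify(pub, lic, now));                         // genuine license
            Console.WriteLine(Verify(pub, lic.Replace("2013", "2099"), now)); // expiry edited after signing
            Console.WriteLine(Verify(pub, lic, now.AddYears(2)));             // checked after expiry
        }
    }
}
```

Only the first check succeeds; the edited and the expired license are rejected. The verifier itself still ships with the application, which is the limit cynent describes.
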
ghandi Posted June 24, 2012

Bearing in mind that only some applications are suitable, if yours is you could always consider offering a GUI frontend (client) that runs on the user's PC. This will have to log in to your server each time they use the application and some of the actual work can be done on your server before the result is returned to the client, tying it to your server for functionality. Still use their PC for the heavy work so your own facilities aren't run at full capacity all the time but sell a service instead of just a software license...

The client software can be distributed freely as long as your backend is secure, they have to subscribe/purchase before getting access and you can monitor and blacklist abusers or stolen keys. The login details would be tied to the individual licensee which would provide deterrent for anybody using their real details, log IPs and access attempts and take a zero tolerance policy on carding.

HR,
Ghandi