
Locking shareware functions

By va_dev, 18 Sep 2003
 

Introduction

If you're a shareware programmer, you may need to lock some functions of your product against unauthorized access. The problem is that hackers can unlock these functions without your permission. :-) In this article I'll show how to lock shareware functions and reduce the risk of a hacker cracking your product.

Background

The basic idea is that we call hidden shareware functions by their address, which we pass to the user in a key file. In this case, a hacker can't crack the program because he cannot determine the necessary address of a protected function. In the provided demo project, the address of the function is stored in plain form (the pass.txt file), but nothing prevents you from encrypting this address with the user's hard disk serial number, for example.

The required Steps

  1. Let's find out the address of the function:
    // somewhere in program body our shareware function lives
    void HiddenPaintFunc(DWORD pv, DWORD pp)
    {
        //...
    }

    BOOL CSharewareDialog::OnInitDialog()
    {
        // let's find out its address. It can be done with a debugger,
        // or simply like this:
        CString strAddress;
        strAddress.Format("0x%X", (DWORD)HiddenPaintFunc);
        AfxMessageBox(strAddress); // comment this line out
                                   // after obtaining the address
        // ...
        return TRUE;
    }
    
  2. Create a key file in a hex editor and write the address to it (don't forget the reversed byte order, for example: 00401602 -> 02164000).
  3. Finally, instead of the customary function call, we write the following:
    void CSharewareDialog::INeedCallLockedFunction(CDC* pDC)
    {
        DWORD dwHidden = 0;
        FILE* pFile = fopen("C:\\pass.txt", "rb"); // open key file in binary mode
        if (pFile) {
            // read exactly one DWORD (4 bytes); treat a short read as "no key"
            if (fread(&dwHidden, sizeof(dwHidden), 1, pFile) != 1)
                dwHidden = 0;
            fclose(pFile);
        }
        if (!dwHidden) {
            AfxMessageBox("You must register this program.");
            return;
        }
        try {
            DWORD dwParam = (DWORD)pDC;
            DWORD dwParam2 = (DWORD)this;

            __asm {
                mov ebx, dwParam   // pass some parameters
                push ebx
                mov ebx, dwParam2
                push ebx
                call dwHidden      // address of function we've got from key file
                                   // if key file is wrong - jump to anywhere
                add esp, 8         // HiddenPaintFunc is __cdecl: caller removes both arguments
            }
        }
        catch (...) {
            // catch(...) sees an access violation only when structured
            // exceptions are caught as C++ exceptions (e.g. /EHa)
            AfxMessageBox("You must register this program.");
        }
    }
    
  4. That's all.

Notes

It is necessary to keep track of the address of the shareware function, as it may change from build to build.
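
The key-file handling from steps 2 and 3, as an added example in portable C (not the article's or the demo project's code). It stores the function's offset from the image base instead of an absolute address, so that load-time relocation, raised in the discussion below, does not invalidate the key, and it rejects a damaged key instead of calling it. The names key_encode, key_load and key_resolve and the code-section bounds passed to key_resolve are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Step 2: lay a 32-bit value out as an x86 DWORD sits in the key file
   (little-endian, e.g. 0x00401602 -> 02 16 40 00). */
void key_encode(uint32_t value, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Read side of step 3: binary mode, exactly one 4-byte value, nothing more.
   Returns 0 on success, -1 on a missing, short or oversized key file. */
int key_load(const char *path, uint32_t *value)
{
    unsigned char b[5];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(b, 1, sizeof b, f);   /* ask for 5 bytes to detect extra data */
    fclose(f);
    if (n != 4)
        return -1;
    *value = (uint32_t)b[0] | (uint32_t)b[1] << 8 |
             (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Turn the stored offset into a call target for the current load address.
   image_base is where the module is loaded now (on Windows, the value
   GetModuleHandle(NULL) returns); text_rva/text_size describe the code
   section and are assumed to be known to the caller. An offset outside the
   code section is rejected. Returns 0 on success, -1 on rejection. */
int key_resolve(uint32_t rva, uintptr_t image_base,
                uint32_t text_rva, uint32_t text_size, uintptr_t *target)
{
    if (rva < text_rva || rva - text_rva >= text_size)
        return -1;
    *target = image_base + rva;
    return 0;
}
```

With a preferred image base of 0x00400000, the article's sample address 0x00401602 corresponds to the stored offset 0x1602.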

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

va_dev
Software Developer
Russian Federation
Professional Windows/Java Mobile/Web-applications developer since 2000.


Comments and Discussions

 
General | Improving | member winx | 26 Jan '06 - 21:30
You can use getFunctionPointer-getDelegateForFunctionPointer to obtain the function address. Also, you can encrypt your memory address files with DES, for example, and then a customer who paid can receive the private key.

 
winx
General | :-) nice | member MREBI | 24 Sep '03 - 4:49
Nice try, but I don't think it is very safe. :laugh:
 
EBI
General | good try, but too easy to crack | member TekCat | 23 Sep '03 - 21:20
As a "retired" h@cker, I'd say that distributing a map of hidden functions is an interesting way of making your program hard to debug for lamers.
Usually disassembling software and cross referencing function entries is enough to find out functions that never get called without a licence file or that get called dynamically at run time. there!

Another thing, the base reallocation of your code segment might backfire on certain operating systems, so even with a licence file your program would miserably crash!

Though, I should say: good try.... keep posting

Question | what ? | suss Anonymous | 20 Sep '03 - 1:39
Since when did programs run at absolute addresses on PC? How would this ever work without creating the key every time you run the program, which defeats the whole object of it.
Answer | Re: what ? | member John M. Drescher | 20 Sep '03 - 5:35
Every program runs in its own clean address space so it is possible that an exe can be loaded in the same address. The thing that worries me is dlls and different versions of windows. With these there is a possibility of the code not being where you would expect.
 
John
General | Re: what ? | member Colin Angus Mackay | 3 Dec '03 - 14:39
John M. Drescher wrote:
there is a possibility of the code not being where you would expect
 
I'm sure there is a compiler option that allows the developer to set the base address of the application. So would this be much of an issue?
 
--Colin Mackay--

"In the confrontation between the stream and the rock, the stream always wins - not through strength but perseverance." (H. Jackson Brown)


General | Re: what ? | member John M. Drescher | 3 Dec '03 - 15:00
Yes, but there is a possibility that the operating system will ignore the value that you set as a base and load it where it wants. I know it happens with DLLs but not sure if it will do that with applications.
 
John
General | Not sure if this such a good idea | member Brian Shifrin | 20 Sep '03 - 1:25

If your key file gets corrupted -> GPF land.

If we are talking about a difference between shareware & release in maybe one function like "save", a hacker can still make a pretty good guess....

Besides, shareware is pretty much dead... When was the last time you downloaded a shareware program?
 
Brian
General | Re: Not sure if this such a good idea | member CyberSky | 20 Sep '03 - 9:56
Brian Shifrin wrote:
Besides, shareware is pretty much dead...
 
That's news to me...and to all my customers!

General | Re: Not sure if this such a good idea | member Anatoly Ivasyuk | 20 Sep '03 - 10:02
Brian Shifrin wrote:
Besides, shareware is pretty much dead... When was the last time you downloaded a shareware program?
 
When is the last time you downloaded a free trial version of any software before you bought it? Guess what, that's the classic definition of shareware!
 
-Anatoly

 
Anatoly Ivasyuk is co-founder of DTLink Software, a company specializing in Internet software and technologies. He is the author of DTLink's Windows products: NeoPhoto, AnswerTool, FAQTool, and Personal Stock Monitor
General | Avoid AfxMessageBox... | member Stephane Rodriguez. | 18 Sep '03 - 23:22
otherwise a cracker just needs to halt the execution when the message pops up and change the branching being done there.

 

 
-- modified at 9:16 Saturday 8th October, 2005
Question | Open file in text mode?? | suss Anonymous | 18 Sep '03 - 23:20
pFile=fopen("C:\\pass.txt","r")
If you afterwards read something out that could contain any bytes (addresses _can_ contain any bytes), you should open the file in binary mode.
 
Fix:
pFile=fopen("C:\\pass.txt","rb")
[Rose]
General | Buffer overflow | suss Anonymous | 18 Sep '03 - 23:16
DWORD dwHidden=0;
fread((void*)&dwHidden,4,4,pFile);
So you load 4*4 = 16 bytes from the file and pack it into a buffer which is only 4 bytes long...
 
[Rose]

General | Turns out to be the same as every cracking problem | suss Anonymous | 18 Sep '03 - 23:12
Basic idea is that we call hidden shareware functions by its address, which we pass to user in key file. In this case, hacker can't crack the program because he cannot determine the necessary address of a protected function.
 
So, the address is stored in the pass.txt. If the pass.txt isn't encrypted, the hacker can just read that file out and get the addresses. Not that hard...
 
If the file is encrypted, the hacker has the same problem as always: he has to find out how it is encrypted. This is equivalent to the problem finding a matching serial number...
 
So nothing really new here...
 
Or have I missed something?

General | Crashes in debug mode. | member WREY | 18 Sep '03 - 20:50
Works in Release mode.

:suss:
 
William
 
Fortes in fide et opere!
General | A good try, but not foolproof. | member WREY | 18 Sep '03 - 20:20
The one thing a hacker has, is "patience". If he/she wants something badly, it is amazing the amount of time he/she will spend (using sheer brute force, cunning, and some luck) to break a code, or obtain an address.

I once tried to see if I could determine the address of every variable and function inside an object (be they public, protected, or private), and the toughest thing for me to obtain was the base address of the object itself (which wasn't too hard). Once I had that information, it was simply a matter of using word boundaries to determine the (possible) offset of the next class member.
 
OK, so it took me a little while to successfully locate the first three member addresses, but it wasn't that difficult. It simply took persistency (lots of it), some smart guesses and a little mathematics.
 
After successfully obtaining the third member address, I felt I had sufficiently succeeded with what I wanted to prove "was achievable", and called it "quits".
 
It also helps if you know how an object is constructed.
 
No, I'm not a hacker. But I'd like to think I know sufficiently about their methods to catch them at their own game.
 
;)
 
William
 
Fortes in fide et opere!

Last Updated 19 Sep 2003
Article Copyright 2003 by va_dev