* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.


Software cracked! Now what?

I was checking my weblogs today and saw some unusually high download activity for my software "Taskbar Manager". I knew something was wrong. Then I found out that a crack for the software was posted on a cracks website. That site was the referrer to most of these visits to my product's web page. This has happened earlier also.

What are my options now? I know I can't stop them but what is the best I can do? Should I change the trial logic and release a minor update?

What will you do in this situation?

Thursday, March 02, 2006
Yes, if it's an .exe crack move around the code check function and recompile. If it's a bogus reg code, change the algorithm and remake your codes.
Thursday, March 02, 2006
Why not redirect the traffic from that url to a page full of ads or some other trash?
Arik
Thursday, March 02, 2006
Watching with bated breath on this one.  I had the exact same problem with a little freeware database query tool.

I eventually pulled the tool from the web site.

I plan to re-release it but I am not sure how to combat this problem -- everyone seems to have this problem.

I guess all we can do is damage control.  This amounts to changing the logic.

Another idea I have is making each copy a registered copy and hope that the pirates goof and let the secret embedded user-id slip by.  This way I would at least know who leaked their copy.

Dunno -- advise?
Eric (another ISV guy with his company)
Thursday, March 02, 2006
Do a server-side redirect to your download.com page. At least have the downloads boost your visibility there.

You could also try looking into one of the file hosting services. Many actively maintain IP blocking lists.
Nick Hebb
Thursday, March 02, 2006
What is the software worth to you?

Or as the saying goes, "Free publicity is free publicity."

It is an entirely different thing when you're selling the software for $20,000 a copy, and making a living off of it, in which case you should start including anti-piracy research and tactics into your budget.

If you're selling it for $10 a copy or giving it away for free, my experience has led me to believe it's just not worth fighting them. Eventually, all the pirates coming from that site will get a copy (figure three weeks), and your traffic volumes will go back to normal.

(Philosophically speaking, I don't advocate piracy. I'm just not rich enough to throw away thousands of dollars just to make a point.)
Thursday, March 02, 2006
For all the users coming from that referrer the download buttons just lead them through the site. Put some ads on those specific pages, and see the visitors redirected to competitors bidding on AdWords while filling your pocket.
Alex Moskalyuk
Thursday, March 02, 2006
I had the very same issue with my product in December. My first reaction was to panic. Second reaction was to feel really pissed off. The next day I decided - who cares?

The downloads from warez sites seem to work like a wave - starting in the far east. For the first few days referrer sites were all in Mandarin, then the Russian ones popped up, and lastly the English language sites.

I've had three new releases since the first crack, and each one was cracked again two or three days after the release. Looking at it from every angle, I couldn't see a downside. It's a $25 product, and the guys downloading the cracked version would never have bought the licensed product anyway.

It's worth taking a look at this article, before deciding what to do: http://www.codeproject.com/gen/design/UnconventialWisdom.asp

The only downside I've experienced is that it tends to distort the download figures. You're never a hundred per cent sure if someone downloading your product is a genuine prospect, or just plans to install the crack on top.
Reckless Me
Thursday, March 02, 2006
Don't listen to these losers telling you not to bother and just give away your software for free. Cracks are easy to fix. They rely on running patches to modify precise offsets in your executable to bypass registration checking logic. Simply add bogus code or move functions around to change the offsets, and make a new build monthly. They don't store the programs on crack sites, just the crack, so people still have to get it at your site. And once a crack is made they don't go back and check to make sure it's still working, nor does anyone have the patience to spend 40 hours with a debugger every month to re-crack your app.

I used to do it monthly but am now down to a new build once every six months. All of the cracks that I can find are for long-ago builds and none of them work with the current one.

The only thing it doesn't help are the people who burn new CD's with your cracked app and sell them all over Asia and other markets.
Thursday, March 02, 2006
Just add a simple integrity check.

My company develops code for this kind of protection, but we haven't released it on the market yet.
Rodrigo Madera
Thursday, March 02, 2006
Guys, I understand why you are all so angry at those guys - they're stealing from you, but why don't you think of that as a thing that needs to be considered normal - some people will always steal - the question is can you convert them to buying customers?

Why don't you treat those users as beta testers or trial users who just got full version instead of crippled one?

It'll be great to hear if someone can come up with a suggestion how to do the conversion - not to just let them know that you're aware of the crack and that's why you put ads or redirect them to download.com

People in some countries steal software and use cracks because they're poor or because they don't have a way to pay you - no credit cards or bank accounts in general (I understand how strange it can sound for progressive countries but it's a reality). I know that from my experience in Russia but I am almost sure that other countries have the same reasoning behind using cracks/warez sites.

Even if you can't get money from them the regular way - maybe you can get something else from them that is easier for them than paying you by credit card. Electronic money systems are a straightforward example (webmoney.ru in Russia is very popular). Another extreme way is to make them blog about you or advertise your software in some way in exchange for a license.

Alexander Roshal (author of FAR Manager and RAR Archiver - http://www.rarlab.com/) made a special license for users from the ex-USSR with a very simple way of registering - just enter the current day of the week in Russian.

I'm not saying - just give it away to poor, I'm just asking you to think about converting stealing users to lawful users for your profit - some of them will become paid users.

Sorry for messy posting...
Sergey Chernyshev
Thursday, March 02, 2006
If Mr. Roshal did this, I am very pissed off. Why should I pay while Russians get it for free?

Digby Speed
Thursday, March 02, 2006
SERVES YOU RIGHT...this is what happens when you don't obfuscate your software or protect it using the latest technologies.....

...you asked what I would do? I would IMMEDIATELY take it offline and completely rethink how to protect it from that experience again....otherwise, ya might as well promote it as freeware because that is what it will become.
Brice Richard
Thursday, March 02, 2006
I've had the exact same problem. The last crack was incomplete, which just wasted the time of all the people downloading. I've tightened the code further and would be surprised to see a "complete" crack again any time soon.

See my earlier post about this: http://discuss.joelonsoftware.com/default.asp?biz.5.272897.12
Neville Franks
Thursday, March 02, 2006
+1 for "Who cares?" and "Move on."

There's no reason to believe that the number of people who actually *use* the cracked version of your software (versus the number that download it) exceeds the typical conversion rate you get from more conventional users. In fact, since the people downloading the cracked version are a much more general sample of humanity than your typical target market, the actual percentage is probably much lower.

If you (generic "you"; no one in particular in mind) just stop and think about it for a few minutes you'll stop imagining the MILLION$ you *must* be losing and realize that the problem you're facing just isn't that big.

David Michael
Thursday, March 02, 2006
Digby Speed:
Hm. Probably because he realized that most of the cracks are made in Russia simply because they can't pay for it and one way to fight it is to let those people who use cracks or write cracks get it for free so they don't make cracks.

Another reason why he did it is just that the cost of his end-user oriented software that every person in the US can pay for easily is comparable to a monthly salary for many people in Russia (especially back when this license was created).

One more reason is that he just likes the country he was born in.

I don't know that for sure.

But my point was different - try to USE the knowledge that people do want your software to the level of putting themselves against the law IN YOUR INTEREST - don't be too straightforward about it. Hitting it with the hammer is not always the best solution because your goal is to get more money from what you're doing and as a result you might have a goal of somehow avoiding cracks being created or distributed or you might have a goal of making cracks inoperable because you update your software too often and cracked versions are not available for download or you might have a goal of making people afraid of using cracks.

It's almost impossible to fight people who create cracks - most of the time they're very smart hackers and impossible to get by law enforcement so they hack it one way or another - instead, put your energy into trying to get your users to pay for your software instead of using a cracked version. These are two different things.

Disclaimer - I'm not trying to defend crackers in any way. Please don't be confused with my "alternative approach".
Sergey Chernyshev
Thursday, March 02, 2006
BTW, did you see too many people getting your software and cracking it comparing to sales?

Maybe your target audience can't afford your software and you can win by lowering the price? Did you do research in this direction?
Sergey Chernyshev
Thursday, March 02, 2006
Watch Jay and Silent Bob Strike Back.  Implement their solution to Internet attacks.  Make sure that your "resolution" of the problem becomes public knowledge, but also make sure you don't leave any evidence and you've got a rock-solid alibi.

You will probably experience a much lower rate of cracks after that one very public resolution.
Clay Dowling
Thursday, March 02, 2006
Sergey, those are good points, but the solution is not to give it for free but to lower the price only for the poorer countries. In economics you always want to charge the "most you can sell it for," so I think if there were reliable Russian distributors (to use Russia as an example), many shareware authors might sell through them for just $2 but still $20 to other countries. Then Russians can afford it and the developer makes more money. Everybody is happy. But to make that happen we cannot continue to "just let people crack it because they're too poor to buy it" like the terrible advice from some people above. Only when crack sites are no longer reliable because publishers fight back, will somebody in Russia and elsewhere think to start a company to distribute Western software for much lower costs.
Thursday, March 02, 2006
"you asked what I would do? I would IMMEDIATELY take it offline and completely rethink how to protect it from that experience again"

Of course, the minor detail that this would mean that all paying customers would be unable to give him any money at all would, apparently, not matter to you.

Really, there's two options here:
1) A bunch of piracy and some revenue
2) A bunch of pirates sharing their copies on bittorrent and not as much as a mouldy bean in revenue

It may just be me being insane, but at least with option 1 there's the option of buying some beans and letting them go mouldy, and that's more than he'll get with the "IMMEDIATELY take it offline" approach.

The most effective anti-piracy technique is "don't write software in the first place", but this is counter-productive for the revenue stream.

Thursday, March 02, 2006
Oh and some anecdotal statistics for an old $15 shareware app of mine that I didn't recompile frequently to fight cracks: In 2002 I gathered all the download statistics over the previous three years. I had two versions, the free limited demo version, and a 20MB full version which was a separate download. On the download page for the full version it gave steps, the first was BUY A REGISTRATION CODE HERE in big letters. It gave a link to the free version if the person was looking for the free demo version. It said this registered version will not work unless you have a registration code. So there was no reason somebody would download it thinking it was the free demo version. I found that 92% of the downloaders did not buy a registration code (comparing number of downloads and number of sales). That level was pretty consistent, varying from 85-95% each month. There is no explanation except they were thieves using a crack. (Unfortunately I didn't have stats on countries of origin, though).
Thursday, March 02, 2006
Kind of a wild thought, but you mentioned that most of the traffic is coming from a site that's linked to you...

What about taking the users that come from the referrer and redirect them to a download that has a 'donate' option within it?

Maybe a few of them donate (devil's advocate: most probably won't) but if a few do it would at least make a few dollars.

Or, if you just want to fight it, block referrals from the given domain.
Mark Lubischer
Thursday, March 02, 2006
The people who say do not worry about it make me wonder.  If someone took your car would you call the police?  They may buy it someday so it's just a test drive. What's the issue?

What about the MS callback approach?  Install the program, put in the key and then it needs to verify the key.  It's very clear it needs to do this so it is not deceptive and yes I do need a connection, but I just downloaded it. (and it did give me 30 days).  You could even say nothing but the key is being transmitted - because you really don't care about the person.

I suppose it could be very direct if the key is known to be a cracked one "This key was reported stolen.  Your IP has been logged and your picture recorded.  Enter your credit card now to cancel the call to the police."
Thursday, March 02, 2006
Same problem here. In my case it's worse since they actually stored the 2.5 MB installation with the crack in a rar file on the crack site. So people who download the crack also get the accompanying software installation.

My product is priced $199 which is much cheaper than its competition, I was wondering if lowering the price could help but then again, they also steal $10 software..

In the next release in a few weeks I will be taking the following precautions:

1. Requesting users to fill-out a form with e-mail where the download link will be sent. It will not eliminate crackers but at least I can keep some control of valid e-mail addresses.

2. I will create a small executable that will download and validate the actual installation so that I can update without the software algorithms regularly and no-one will be in possession of the actual install file.

3. I am looking at a product called EXEcrypt, it adds protection and prevents your program from starting when it detects debuggers like OllyDebug, Softice etc. They must run your program inside their debuggers to crack it, so this may just help.

4. Compile new releases as often as possible.

I suppose there will be no bullet-proof prevention for your software to be cracked, but these and a few other simple steps could make it more difficult for them.

Erhard Smit
Thursday, March 02, 2006
Or how about any referred from that one crack site get a bogus version of the app that destroys their hard drive... after a couple months... so they don't know where it came from.
Thursday, March 02, 2006
Thanks for your responses.

I have rebuilt the main binary again and uploaded new installer to the download link on my site. Let me see when the tide comes back. :)

Personally I have never used cracks for other softwares and don't like it when I see my own software's crack available publicly.

The problem with cracks is that it's not just poor people who use them. Even many well-off people first look for cracks. If they don't find it, then they think about purchasing them. Those are the people I am concerned about. They could have been my easy customers!

I have personally talked to people in the west who accepted that they have used cracked software. So I think it's not just poverty but basic human tendencies responsible for this menace.

Thursday, March 02, 2006
John wrote:

Or how about any referred from that one crack site get a bogus version of the app that destroys their hard drive... after a couple months... so they don't know where it came from.

Whooaaa!! That's jail time!!
Rodrigo Madera
Thursday, March 02, 2006
It's possible to make software very hard to crack.  I have two products: one checks the license in one place, and the other checks it in many places.  The first one has been cracked, the second one hasn't (and the second is much more valuable and popular).  The second is also harder because the license checking code is compiled in-line (C++ code) so they can't just disable a single sub-routine, plus it checks the license from many different DLLs.  Still possible, but a major pain in the butt.  And I have code that detects if it has been cracked, and if so disables some core functionality while giving an error message--that way I hope they'll contact me and I can blame the crackers for breaking the app :)

Thursday, March 02, 2006
Well, have your sales gone down?
Voice of Reason
Friday, March 03, 2006
I am an experienced anti-crack warrior. :)

From my experience, the harm done by a crack depends on how widely available it is.

If the crack is just available on a few obscure Chinese sites with low traffic, then your sales will NOT decrease.

However, once a crack or stolen serial is available, people start spreading it, and it starts appearing on:

- pirated software forums
- blogs
- cracked software FTP sites
- file sharing sites such as rapidshare.de
- file sharing programs such as Shareaza, eDonkey, DC++
- other web pages

If your app is popular, the crack WILL spread to many such sites. Then your income will go down by 20%-30%.

If you don't react to make the stolen serial and crack invalid, then your income from the application will go down by up to around 50%.

The idea that people who pirate won't pay for your app anyway is simply FALSE. Yes, many of the people who pirate your app will never pay for it even if a crack is not available.

But a significant percentage of people who pirate your software WILL buy it if no crack or stolen serial is available.

Now.. you've just been cracked, or a serial number has been stolen.

Here is what you SHOULD NOT do:

- you should NOT stop your development effort for 1 month just in order to build the ultimate protection.

- Unless you know how to program in assembly language and have cracked some software yourself, you should NOT write your own software protection or key generation scheme. Such protections written by people who have not cracked software themselves are EASY to crack.

- You should NOT inconvenience your customers with things such as hardware-based activation.

- You should NOT become obsessed by stopping them. You won't be able to stop all the pirates, or all the crackers.

Here is what you SHOULD do:

- Buy and use a good software protection solution for your app, such as:

ASProtect from http://www.aspack.com
Armadillo from http://siliconrealms.com

Software Passport is a version of Armadillo which is available from Digital River for free.

These solutions will not prevent your app from being cracked, but they will be cracked a lot later. It will take 2 months from your release to the crack instead of 2 days, for example.

- If an update appears for your chosen protection program such as ASProtect, you should use the new updated version.

- You should release new updates for your software often. For some of these updates, you should NOT change the version number.

This stops many existing cracks from working.

Just adding a bit of bogus code such as:

int i=7;

and recompiling the app will often stop a crack from working, because most cracks patch certain bytes at certain offsets.

So.. make sure you release a new version every 2 months or so, and that sometimes you change the version number, but sometimes you don't change it.

- Plan to spend about 2-3 hours per month searching for stolen serials and cracks for your application.

You can search using sites such as:


You should also check your web site referer logs using a good log analysis program such as 123LogAnalyzer.

Also, you should install Shareaza or eDonkey and search for your software and download the available pirated serials and cracks.

- NEVER run the cracks you download from the Internet on your development machine. Some cracks are full of viruses or of adware.

Instead, run them inside VMWare or on a separate testing machine.

Most of the cracks are clean and don't harm your machine. But if you are not an experienced crack user, you won't know which is which.

- Once you find a stolen serial or crack, you should IMMEDIATELY make sure it doesn't work on your current release.

This way you limit the "spread" of a working crack or stolen serial. This is VERY IMPORTANT because this is what makes your income go down because of piracy.

How to make sure it doesn't work on your release?

If it's a serial, blacklist it. If it's a crack, recompile the program and try to see if the crack works.

After you have modified your program so the crack doesn't work, make sure to update the online version of the program: upload it on your web site, to CNET download.com (which also hosts your files), etc.

- When you have a bit of time, add a few custom checks to your EXE. Yes, your EXE should be protected by ASProtect (for example). This is your main protection.

But adding a few more checks will make it even harder to crack.

For example, your installer should put a checksum in the registry, and your .EXE should check itself against the checksum.

When the program detects that it has been modified, you should write the current date in the registry, and proceed as usual, as if nothing wrong happened.

After 30 days or so (based on the date stored in the registry), the application should show a cryptic error message and a message that the user should reinstall the application, and then exit or maybe even crash to look more convincing.

What will happen when a cracker cracks your program?

Once he bypasses Software Passport or whatever protection you use, the cracker will think that the program is cracked, and that everything is OK, and will distribute the crack. The users will also think the crack is working, and will not tell the cracker that the crack has a problem.

After 30 days - BAM! The program doesn't work anymore.

The users will e-mail you and tell you about the error.. and you can convert some of them, perhaps.

Make sure that you test this a lot, on all possible configurations. You don't want this mechanism to trigger by mistake and affect an honest user.
Jericho
Friday, March 03, 2006
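
Added example, not part of Jericho's post or of the thread: one way to run the referer-log check mentioned above and in the original question. It counts distinct clients per day that fetched the installer with an external Referer and flags hosts that suddenly appear; the log lines, host names and the /download/ path are constructed for illustration.

```python
"""Flag external referrers that suddenly send many installer downloads."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/NCSA Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

OWN_HOSTS = {"example-isv.test", "www.example-isv.test"}  # assumed vendor hosts
DOWNLOAD_PREFIXES = ("/download/",)                        # assumed installer path


def referer_host(referer):
    """Lower-cased host of a Referer value, or None if absent or unparsable."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def external_download_clients(lines):
    """Map day -> referrer host -> set of client IPs that fetched the installer."""
    per_day = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue  # unparsable line or failed request
        if not m["path"].startswith(DOWNLOAD_PREFIXES):
            continue
        host = referer_host(m["referer"])
        if host is None or host in OWN_HOSTS:
            continue  # direct visit or a link from the vendor's own pages
        try:
            day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        except ValueError:
            continue
        # A set of IPs, so a download manager's repeated requests count once.
        per_day[day][host].add(m["ip"])
    return per_day


def flag_spikes(per_day, min_clients=3, factor=3):
    """Return (day, host, clients, baseline) for hosts whose distinct-client
    count reaches min_clients and factor times their best earlier day."""
    alerts, seen_max = [], {}
    for day in sorted(per_day):
        for host, clients in sorted(per_day[day].items()):
            n, baseline = len(clients), seen_max.get(host, 0)
            if n >= min_clients and n >= factor * max(baseline, 1):
                alerts.append((day.isoformat(), host, n, baseline))
            seen_max[host] = max(baseline, n)
    return alerts


def _line(ip, ts, status, referer, path="/download/setup.exe"):
    return (f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 1024 '
            f'"{referer}" "Mozilla/4.0"')


# Constructed sample log (documentation IP ranges, .test host names).
_CRACK = "http://cracks-listing.test/t/taskbar.html"
SAMPLE_LOG = [
    _line("192.0.2.10", "01/Mar/2006:09:12:01", 200, "http://www.example-isv.test/product.html"),
    _line("192.0.2.11", "01/Mar/2006:10:40:13", 200, "http://downloads-directory.test/utilities/"),
    _line("192.0.2.12", "01/Mar/2006:11:02:45", 200, "-"),
    _line("198.51.100.1", "02/Mar/2006:03:15:10", 200, _CRACK),
    _line("198.51.100.2", "02/Mar/2006:03:16:44", 200, _CRACK),
    _line("198.51.100.2", "02/Mar/2006:03:16:50", 206, _CRACK),  # same client again
    _line("198.51.100.3", "02/Mar/2006:03:20:02", 200, _CRACK),
    _line("198.51.100.4", "02/Mar/2006:03:31:27", 404, _CRACK),  # failed request
    _line("192.0.2.13", "02/Mar/2006:08:00:00", 200, "http://downloads-directory.test/utilities/"),
    "truncated line that does not parse",
]

if __name__ == "__main__":
    for alert in flag_spikes(external_download_clients(SAMPLE_LOG)):
        print("new or spiking referrer:", alert)
```
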
Almost *ALL* software I have purchased is a version N+1 to N+5 of pirated software version N from when I was a teenager.
The difference was the money I had.
So my recommendation is to put effort into getting out the next full version number with lots of OTHER IMPROVEMENTS BESIDES ANTIPIRACY CONTROL.
Another option would be an endless war against piracy that you don't really have the resources for. You could have a pre-planned antipiracy strategy for your next version. The best thing would be automated changes with 10+ in the pipeline.
So potentially, you have a situation where:
a) Pirates "market" your product by giving away version N.
b) You make version N+1, which has lots of tangible user benefits.
c) Version N+1 is such that they probably crack it in 5 days, then you notice it on the 6th day and press a button. Then they pirate it again on the 10th day, and you respond again... Continue that for a month or two and you have got all the converts you probably could from users of version N.
They probably figure out in not too distant time that they need to host the binaries themselves instead of just cracks.
After that the game is lost for that version. And after that you have some trickling effect of some pirates converting to registered users, and some who would otherwise register would pirate. Now the key is here. Pirates practically market you to some people, most of whom you shouldn't care about, but every now and then when a new version comes some of them will convert to paying customers.
Some may be in a position to recommend that others purchase what they themselves used as a pirated version, etc...

As for the software I'm making, piracy isn't such an issue but competition is. Target market = companies.
It's quite defined; I can ask them an order of magnitude more than I could from homeusers, and companies would buy more copies even if homeusers would get it at a 10th of the price more copies than homeusers. So basically if someone pirates it I probably won't lose a sale; therefore the amount of work for antipiracy efforts is mainly for keeping honest companies honest, not spending a huge amount of time trying to keep pirates off from pirating the product.
Friday, March 03, 2006
I'm in the "stop complaining" camp.  For starters, if people are that desperate to get your app then a) it must be good (which should cheer you up) and b) no matter what you do to stop it happening, if it's popular enough it'll be cracked again in no time.

Recompiling with junk code added is no use -- for one thing a compiler may well optimise it out, and these days most cracking/patching tools are far more advanced than "patch specific offsets".  Online activation is a hiding to nothing; you'll almost certainly need to provide an alternative method (such as by phone) which opens the door to keygens (c.f. XP, PhotoShop, AutoCAD, etc. -- they all require activation keys based on a hash of your serial and machine ID, and they all have keygens that will calculate the activation key for you; if multi-million-dollar corporations can't protect their expensive bits of software, what makes you think that you, as a small developer, can do any better?)

And to the clown who compared it to stealing a car, it's in NO way comparable.  I steal your car, you have no car; I download your software and crack it, you still have your software.  Repeat after me: piracy is NOT theft, despite what the RIAA/MPAA/&c. try to tell you.

And finally, some companies (Adobe for one) unofficially *embrace* piracy[1].  They're not dumb enough to believe that everyone who uses a cracked copy of PhotoShop would have paid for it, and they also realise that some kid who uses a cracked copy serves as some sort of advertising and could be converted to a future sale -- the kid gets some skills with the app, and may eventually get a job using it, which equates to money in the bank.

[1] I spent a drunken evening in a bar with someone in authority at Adobe, and he probably said more than he should. :)
Anonymous this time around, for obvious reasons
Friday, March 03, 2006
> They probably figure out in not too distant time
> that they need to host the binaries themselves
> instead of just cracks.

Yes, this DOES happen, but what matters is the "spread" of the crack, stolen serial, or full binary.

How many people have access to it?

If it's the 1000 members of an obscure website in China, then it doesn't matter.

If it's on 10 high traffic warez sites of 100000 members each, it starts to matter.

If a user can easily find the crack using Google Groups, Technorati or Google, then you're screwed, the income from that app drops by over 50%!

When pirates distribute the full binary of a certain version AND a stolen serial or crack, then this limits the "spread" automatically.

This happens because bandwidth is expensive, and sites willing to host large downloads are few.

Our company's software has been pirated this way (it's between 5 and 30 MB depending on the program) and most of the time it was available on some site for 1 month or so, and then the site took it down because it was a drain for their bandwidth.

What steps can you take if the software has been distributed as a binary and a stolen serial, in the same archive?

- You can write to the site hosting it. Sometimes this has an effect. For example, write to abuse[AT]rapidshare[DOT]de and RapidShare (which is a major binary sharing site) will take down the file.

- The strategy I outlined above (using delayed action if you detect that the software has been cracked) can work very well with this, because the pirates think that the software is cracked when in fact it isn't (and will stop working in 30 days).

- If the archive contains a stolen serial, blacklist it immediately so the pirates can't update to your latest version.

- Release improved new versions often, like every 2-3 months.

- Online activation can work, however, I'm against it because it inconveniences online users.

> Recompiling with junk code added is no use --
> for one thing a compiler may well optimise it
> out, and these days most cracking/patching
> tools are far more advanced than "patch
> specific offsets". 

Are you sure you know what you are talking about?!

From my experience, 95% of the cracks will stop working if you simply add a few lines of bogus code in the program and then recompile.

The rest of the 5% of cracks will need a bit more work, such as adding another checking routine, or adding the bogus lines at strategic places inside your registration algorithm, adding a few variables, changing the meaning of some registration variables, etc, so the automated patching tool can't find the pattern of bytes it is looking for.

In 99% of the cases you will be able to defeat a crack by modifying the code in 5-10 minutes and recompiling.

For stolen serial numbers, serious protections such as Armadillo and ASProtect offer a way to blacklist them. If your protection doesn't offer this, you can simply check the key against an (encrypted) list of keys - it's simple.

> Online activation is a hiding to nothing; you'll
> almost certainly need to provide an alternative

As I explained 2 times above already, you should not aim for completely defeating the crackers and pirates. This is impossible.

However, it is VERY IMPORTANT to focus on limiting the "SPREAD" of a crack or stolen serial.

This can work wonders for your income from a certain app.

> if multi-million-dollar corporations can't
> protect their expensive bits of software,
> what makes you think that you, as a small
> developer, can do any better?)

Small developers can't afford to have their software pirated widely. Big developers can afford this.

Adobe doesn't care if students pirate Photoshop because they know that Photoshop is used by a lot of corporations, who WILL pay for the software in order to avoid getting fined when they get audited.

A small developer, writing software for consumers and not corporations, should do everything he can to fight piracy, because piracy dramatically lowers his income.
Jericho
Friday, March 03, 2006
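Added example (not part of the thread and not any poster's code): one way to do the serial blacklist check mentioned in the post above. It stores salted SHA-256 digests rather than an encrypted list, so the shipped build never contains the leaked serials themselves; the salt, the sample serials and the `sixteen_alnum` format check are assumptions made up for the illustration.

```python
import hashlib

# Assumption: per-product salt compiled into the build (constructed value).
PRODUCT_SALT = b"example-product-salt"


def normalize(serial: str) -> str:
    """Canonical form so 'abcd-1234' and 'ABCD 1234' compare equal."""
    return "".join(ch for ch in serial.upper() if ch.isascii() and ch.isalnum())


def fingerprint(serial: str) -> str:
    """Salted SHA-256 of the canonical serial, as a hex string."""
    data = PRODUCT_SALT + normalize(serial).encode("ascii")
    return hashlib.sha256(data).hexdigest()


def build_blacklist(leaked_serials):
    """Build step: run on the vendor's machine, ship only the digests."""
    return frozenset(fingerprint(s) for s in leaked_serials)


def license_status(serial, blacklist, is_well_formed):
    """Return 'malformed', 'revoked' or 'ok' for a serial entered by the user.

    is_well_formed is the product's own key check (hypothetical here).
    """
    if not is_well_formed(normalize(serial)):
        return "malformed"
    if fingerprint(serial) in blacklist:
        return "revoked"
    return "ok"


# Constructed sample data: two serials found in a leaked archive.
LEAKED = ["ABCD-1234-EFGH-5678", "QWER-0000-TYUI-9999"]
BLACKLIST = build_blacklist(LEAKED)


def sixteen_alnum(canonical: str) -> bool:
    """Stand-in format check (assumption): 16 letters/digits."""
    return len(canonical) == 16


if __name__ == "__main__":
    for entered in ["abcd 1234 efgh 5678", "AAAA-BBBB-CCCC-DDDD", "short"]:
        print(entered, "->", license_status(entered, BLACKLIST, sixteen_alnum))
```

Normalizing before hashing matters: without it, a revoked serial retyped in lower case or with different separators would hash differently and pass the check.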
"Are you sure you know what you are talking about?"

Yes.  A lot of the bigger names in the warez scene have developed their own generic patching systems that use a combination of scanning a binary for the protection code rather than assuming it's always in the same place (so adding some pointless code makes no difference), and heuristics that will pick up specific vendor's routines, even if they've been modified slightly (much like AV products detect "virus-like" behaviours).

The biggest target for these is games -- systems like SecuROM, SafeDisk, etc., are now "trivial" to defeat using a variety of generic tools such as AntiBlaxx or FixROM -- but I've run across a number of version-agnostic cracks for "serious" apps -- even if you're running vX.2 instead of vX.1, the crack will still work.

Against a dedicated hacker adding things like checksums to your code is pointless -- they just disable that too.  Putting multiple checks doesn't help much either; as a matter of pride most groups will fix their crack if it turns out to have missed something, and even systems like FADE turned out to be useless.

Blacklisting serial numbers is also more effort than it's worth; once your validation code has been reverse engineered it's usually straightforward to generate new valid keys.

"A small developer, writing software for consumers and not corporations, should do everything he can to fight piracy, because piracy dramatically lowers his income."

But he will *always* lose -- if someone wants to pirate it they will, so making attempts to try and stop it is a waste of time.  As to dramatically lowering income, this is a specious argument based on the misapprehension that pirated versions would have been purchased had a crack not been available; in reality, more often than not if an individual can't find a crack for your app then he's not going to buy it, he'll just download something else that *has* been cracked.

While I don't condone piracy, I also don't consider it as a major problem, and I firmly believe that even a pirated copy of a $5 app is unlikely to be a genuine lost sale...

(In a former life I was a member of NAPO -- anyone with a C64 or Atari 8-bit would probably have been familiar with our work in the 80s, and although anti-piracy measures have improved since then the techniques used by hackers have improved in step, and it's a battle that you're never going to win.)
Still anonymous.
Friday, March 03, 2006
> But he will *always* lose -- if someone wants
> to pirate it they will, so making attempts to
> try and stop it is a waste of time.

The goal is NOT to stop ALL piracy. The goal is to limit the SPREAD of cracks, stolen serials, pirated versions, etc.

It's an achievable crack.

> As to dramatically lowering income, this is
> a specious argument based on the
> misapprehension that pirated versions would
> have been purchased had a crack not been
> available;

No, it's NOT based on that argument. It's based on my experience as a shareware author.

It's also based on the experience of other shareware authors in the ASP.

It's NOT a theoretical thing. It's something that happened in reality to me and to other "try before you buy" software publishers!

Do you actually READ my messages before answering?

Also, about special tools that crack anything, search for byte patterns, etc: these tools may be used for software such as games.

In practice, 99% of the cracks are NOT that advanced.

Adding multiple checksum checks has in my experience been VERY useful for delaying crackers.

It's ROUGHLY something like this:

home-grown protection = the app gets cracked 2-5 DAYS after the release

ASProtect or Armadillo = the app gets cracked 1-2 MONTHS after the release

ASProtect or Armadillo AND multiple custom checks = the app gets cracked 5-6 months after the release

These are rough averages. The time in which your software gets cracked depends on many other factors beside protection.. how popular the app is, luck, etc.
Jericho
Friday, March 03, 2006
"Do you actually READ my messages before answering?"

Yes.  I've written my fair share of shareware (try saying that after a few beers), and at a rough guess maybe 2% of people who downloaded any of it paid to upgrade to the full version (hard to be specific -- it found itself on the WU FTP site, so I can only speculate as to how many people actually downloaded it), and maybe another 50% turned them into the full versions through some other means (again, only speculation), but I'm not arrogant enough to assume that any more than maybe 1% of that 50% would have ever paid for the thing.  If someone's too cheap/poor/whatever to fork out $10 then if I'd made it more difficult for them to get it for free they'd have just gone elsewhere (and I'd have wasted a lot of time), and the higher the price, the lower the conversion rate would get.

(When I was more involved in the warez arena I had an *awful* lot of software I didn't pay for; had there not been cracked versions, though, I can guarantee that I'd have bought at most 1% of it -- the rest of it I would have not bothered with.)
Still anonymous.
Friday, March 03, 2006
Stop cracks appearing by banning traffic from China to your website.
Friday, March 03, 2006
Then, Mr. "Still anonymous", how do you explain that when cracks appear and spread a lot, the income from that software application DROPS?

It's simple: some people, who otherwise would have bought, use the crack instead of buying!

Is it worth spending 5 hours of work per month for taking the anti-crack measures that I described in a post above in order to prevent the income from dropping by 30-50%?

For me - yes, it is completely, absolutely worth it.

But of course it depends on the app. If nobody buys an app, then 30% of 0 is still zero. So.. no need to protect that app.

It surprises me that some people with NO EXPERIENCE whatsoever in writing successful shareware and getting cracked write a lot of advice about this, and have strong and firm opinions.
Friday, March 03, 2006
Agree with Jericho, and another benefit to simple shuffling and recompiling is that while pirates may also crack the new build, they end up with dozens of different cracks still propagating through the net. All those filthy cracker sites literally copy from each other and there's no "recalling" a bad crack. When somebody searches google they'll find a bunch of cracks that likely won't work and they'll say forget it. If they had any inclination at all to buy that's when they'd do it. If they weren't going to buy anyway, that's when they'd ponder whether they should actually get a job and work for a living.
Friday, March 03, 2006
"And to the clown who compared it to stealing a car, it's in NO way comparable.  I steal your car, you have no car; I download your software and crack it, you still have your software.  Repeat after me: piracy is NOT theft, despite what the RIAA/MPAA/&c. try to tell you."

You are correct.  It's not exactly like stealing a car, but it devalues your software over time.  I look at it more like counterfeiting money than stealing a car.  When you counterfeit money, you aren't "stealing" a physical dollar from someone, but if this is done enough times, the value of the dollar will go down, because people will no longer see it as having any value.

Software is similar, because it's intellectual property.  If enough people get their hands on the crack, it will become very difficult to sell. 
Most businesses will actually purchase licenses for your app, but let's face it.  No matter how cheap your application is, a regular everyday user will not pay for it if they do not have to. We are just lucky that crack sites are just out of reach for the average joe user.  This is why Napster was so dangerous for the RIAA.  It brought free, copyrighted music into the hands of the everyday user.

"And finally, some companies (Adobe for one) unofficially *embrace* piracy[1].  They're not dumb enough to believe that everyone who uses a cracked copy of PhotoShop would have paid for it, and they also realise that some kid who uses a cracked copy serves as some sort of advertising and could be converted to a future sale -- the kid gets some skills with the app, and may eventually get a job using it, which equates to money in the bank."

They aren't as dumb as you say.  Take a look at the following link: http://www.bsa.org/usa/about/BSA-Members.cfm

You will see the Adobe logo at the top of the list.

Would a company that's "unofficially embracing piracy" be a part of the most aggressive anti-piracy company around?

My advice is to protect your software.  It is equivalent  to putting cameras in your store.  As long as it doesn't become a huge nuisance to your customers, it will save you a loss of revenue in the future.
Friday, March 03, 2006
"I steal your car, you have no car; I download your software and crack it, you still have your software.  Repeat after me: piracy is NOT theft..."

So why don't movie theaters just let people come in for free? I mean, if the movie's playing anyway and seats are empty, it doesn't cost them anything to let more people sit in them, right? And why don't CD stores just let people come in and copy whatever they want onto their iPods? I mean, the CDs are just sitting there and it doesn't cost the music store anything, right?
Faulty Logic
Saturday, March 04, 2006

I think your advice is right on target. ASProtect and Armadillo are great choices for Windows software.

Do you know of similar choices for Mac software? The ones I have found so far are either much weaker protection than ASProtect/Armadillo, or are both more complex and royalty-based, or only work for executables, not shared libraries (we do both). Mac is a big part of our market so it would be great to get protection with similar price/performance tradeoffs to Windows.

Any advice you or others may have on this would be most appreciated!
Cross-platform developer
Sunday, March 05, 2006
Nobody said copying software illegally was right or anything. But it is still NOT theft.

Same for movie theaters or loading up your ipod examples. It wouldn't be theft either. Nobody would be deprived of the original copy or anything. Again, nobody said that it would be moral, right, legal or anything, even though it's not theft.
Faulty Logic Indeed
Sunday, March 05, 2006
There is no free lunch. Compared to older industries, producing and distributing a copy of a software product costs nearly nothing. It stands to economic reason that a 30% chunk of your users will pay just that---if you're great, they will tell their friends.
Philipp Schumann
Monday, March 06, 2006

This topic is archived. No further replies will be accepted.
