MirnesC2 Posted December 12, 2012 (edited)

Hey guys,

I have been working on this project for some time now and have made a really useful tool for people to use. I want to sell my software (1 month, 3 month, lifetime licenses, etc). I have two worries.

1. Someone will reverse engineer my program and take the source code which I worked hard on.
2. People find a way to bypass my user authentication system.

So my question here, for those more experienced in the subject, is...

1. What is the best and most sure way to protect my code? (I don't want hackers unwinding it)
2. What is the best and most sure way to set this user authentication system up?

I ask about the protecting source code part because with previous programs I have made and shared for free, I have had other people decompile my "protected/encrypted" .exe file and send me the code...

For the user authentication part, I was thinking of making an online database, MySQL or something along those lines. But the problem with that is that I will probably have to input the database details into the source code... which again brings me back to worry #1. If the source code can be unraveled, then my entire database becomes a security hazard.

Any ideas and/or suggestions will be GREATLY appreciated!

Aktonius Posted December 12, 2012 (edited)

You should make a special logic in your code where things fall apart if they don't follow license check routines. By adding variables in weird places and just being creative with it. Have those people sent you AutoIt decompiled? Did you use obfuscator?

If they can pass this then you are pretty much out of luck.

Also you don't need to access database through client code, you can access it through server calls and they can't access that even if they get your source.

Bert Posted December 12, 2012

Search is your friend! Please search the forum for what you are asking for. This question has been asked many times and answered many times.

Mat Posted December 12, 2012 (edited)

Lots of people ask this question, mostly because it has never been answered satisfactorily. Not because no-one has bothered to post the answer but because there isn't one.

Do as much of the logic as possible on the server. That's something people often overlook (Aktonius touched on it in his post). If your program was just a web browser with a license key then it would be incredibly secure (they would have to get to the files on the server to get your program code).

MirnesC2 (Author) Posted December 12, 2012 (edited)

> You should make a special logic in your code where things fall apart if they don't follow license check routines. By adding variables in weird places and just being creative with it. Have those people sent you AutoIt decompiled? Did you use obfuscator?
>
> If they can pass this then you are pretty much out of luck.
>
> Also you don't need to access database through client code, you can access it through server calls and they can't access that even if they get your source.

Thanks for the reply!

Is it okay if I make a separate function called _AuthCheck() and then call it from random points in the code, or would it be better to embed it with random points of code?

And yes, I used obfuscator. There is nothing else to use besides that?

As for the server calls you mentioned. Any specific AutoIt functions I should be looking at? Or is there even an example of it laying around somewhere o.O

JohnOne Posted December 12, 2012

Having logic on your server is as secure as it gets, but this raises the problem of server downtime. I don't think paying customers would appreciate their paid application failing because your server is having issues/being maintained/whatever. How many different hosts are enough when failure occurs on one?

The end of this question is always the same. You have to weigh up the pros and cons of your particular circumstances and act accordingly.

If your application is going to make enough money for instance, you might consider getting two or maybe three hosts to apply your logic server side <- example

Believe it or not, there are still people in their hundreds of thousands who are honest paying customers for a good product with support and updates. Not everybody knows how to attack/crack a script, or where to find a cracked script, or even where to look, and wouldn't even get it if they did.

My advice is always this: (which I probably read on here)

Make some basic authentication checks and focus on the quality of the product rather than its security.

Ask Bill Gates how he protects Windows.

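The server-side approach that Aktonius and Mat describe, sketched as an added example (it is not code from any poster in this thread). It assumes a Python server; the function names, the in-memory licence table standing in for the database, and the HMAC-signed session token are all assumptions made for illustration. The client would send only its licence key and later the token, and would contain no database details.

```python
import base64
import hashlib
import hmac
import json

# Everything here runs on the server. The client ships with no database
# credentials and no signing key, only the address of the server.
SERVER_SECRET = b"constructed-demo-secret"  # placeholder; keep in server config
TOKEN_LIFETIME = 3600                       # seconds a session token is valid

# Constructed stand-in for the licence table a real server would query.
LICENSES = {
    "AAAA-1111": {"expires": 1_800_000_000},  # active licence
    "BBBB-2222": {"expires": 1_300_000_000},  # lapsed licence
}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(license_key: str, now: int):
    """Login call: check the licence server-side, return a signed token."""
    record = LICENSES.get(license_key)
    if record is None or record["expires"] <= now:
        return None
    exp = min(now + TOKEN_LIFETIME, record["expires"])
    payload = json.dumps({"exp": exp, "key": license_key}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_token(token: str, now: int) -> bool:
    """Run before every protected call; rejects forged or expired tokens."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, AttributeError):
        return False
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    claims = json.loads(payload)
    return claims["exp"] > now and claims["key"] in LICENSES

def protected_feature(token: str, now: int, value: int):
    """The valuable logic lives here, so a decompiled client never holds it."""
    if not verify_token(token, now):
        return None
    return value * 2  # placeholder for the real computation
```

Because the token is verified only on the server, the downtime trade-off JohnOne raises still applies: when the server is unreachable, the protected feature is unavailable.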