Monday, April 11, 2011

Fighting the Pirate

Six years ago I took the decision of investing my efforts into the creation of a software application. It was a complex project that potentially required thousands of hours of work. I had to make it financially viable. No sponsor was in sight, so the only solution was to make a commercial program and sell it. I was extremely lucky, because the facilities to sell it were readily available and convenient too.
The difference between a normal application and a commercial one is that the latter must be copy-protected in some way.
I had complete freedom about how which technology to choose to protect the program. It was clear to me, and still it is, that no money had to be spent for the protection. First, I was not sure that the product could sell enough to invest part of the money into its protection. Second, it's a non-sense to spend money to protect software by piracy. I think that those who steal a copy of a program are inherently thieves. They can't be convinced to buy a regular copy. Stopping the theft does not increase the volume of sales, therefore it is not the case of investing money for the protection.
On the other hand, I had discovered since a long time that:
- writing a program is easy;
- selling it is hard;
- convincing people to use it, after buying, is even harder.
Have you read all the books you have bought? Are you still using all the programs you have bought? We are subsidizing the software industry with this kind of unhappy purchases. I want my share of this cash flow and copy-protection is the way of keeping this little share intact.
I invented my own home-made protection, which was based on a simple but effective encryption. I don't know, however, who were the pirates and how they worked. I believed that a pirate was somebody interested into directly using the program. Nothing was farther from truth. After a couple of years I found the first pirated copy of my program. It had been cracked by someone who only wanted to demonstrate how smart he was (or how dumb I was), but had no idea about whose was the program and what it was for. There was no intent of stealing my money or saving their money. It merely was a kind of illegal hobby. The pirate thinks he is a gentleman, because he never cracks the latest version of a commercial program, but the version of yesteryear. Unfortunately, not all the customers need or asks for the latest version, so piracy is still a danger.
When I discovered the first successful crack, I was not terribly worried. First of all, beige worried could not have helped in any case. Second reason: the particular version they had cracked was probably the buggiest version I had ever released. Third reason: the program was still relatively unknown, up to the point that having illegal copies around was a cheap publicity.
Fast forward another two years and I was seriously worried. This time they had cracked one of the finest version I remembered having made, virtually flawless. Multiple copies of the cracked version had already been uploaded on Rapidshare and were relatively easy to find with Google. I realized had to fight and I fought. On the prevention side I studied how the crack had been executed. Then I implemented a different protection mechanism. All my future versions became more difficult to crack. But what about the copies around? I simply wrote a single email to Rapidshare. I explained that they were violating a copyright, but I didn't threaten anything. With my great surprise, all the files were removed within 24 hours. I accomplished two great results: all the copies had disappeared from the web and a lot of broken links had remained around. Anybody who was going to search for the crack, he was going for a frustrating experience.
Today things are quite different, because there are a lot of parasite sites that promise you, in change of a registration, to disclose the links for the download. No link is published, but probably no link exists in reality. I can't believe that somebody can risk a virus infection, a robbery of their bank account or simply a ton of porn spam, only for getting a dubious link to a cracked program, and not the most recent version of it. The parasite sites are the worst enemies of the pirates.
I had discovered the main weakness of my protection mechanism: the bottleneck design. This is an important and wise design in normal programming. Instead of disseminating the code with duplications, I concentrate the important instructions into a single routine, that is called several times by the rest of the program. If I want to change the mechanism, it is enough to change the internal code of the bottleneck routine, I don't need to care for the rest of the program. Alas, it was too easy for the pirate to find the bottleneck and modify it. Instead of verifying the key code, the cracked routine simply returned "yes" every time, even if no key was present at all.
At the same time, I had discovered the weakness of the pirate. He was not using the program, he had no time to verify if the program was functional (he doesn't even know what the program is about). He has too many applications to unprotect, because he is in competition with other pirates. It's not important, for them, to demonstrate they can unprotect a single program. Their goal is to unprotect as many programs as possible. Quantity does not mean quality and accuracy, this is a piece of information I can exploit.
I have found two solutions that can be combined together. First, I have duplicated the code that verifies the key. The pirate will find the first occurrence, he will bypass it and the program will be apparently unprotected. Five minutes later the second version of the code will be called. By that time, the pirate has already quit the program, so he will never know there is another verification. The second solution that I have found is to put some important action into my bottleneck. Apart from returning "yes", the routine must do something necessary for the rest of the program. If the pirates bypasses the routine, a hole will remain into the memory. Soon or later, the program will fall into it and crash.
Last month a friend of mine, who lives into another continent, discovered a new cracked copy of my program into a lab nearby his. My friend sent me the cracked copy. I launched it and waited. After five minutes, without doing anything, the program crashed by himself! At least in this last battle I have been the winner. The war will go on forever.