SecureIt v2.0

By Jeffrey Habets

Introduction
Until now, I have donated the programs I have written to the public domain because I figured that if I asked any money for them, I would not get paid anyway. I think a lot of us programmers think this way. You could of course build-in some kind of protection by crippling your software and only unlocking certain features when the user registers the software with a password provided by you. But it will be only a matter of time until someone cracks your software so people can use the registered features for free, unless the protection is really good. Then there are alternatives like having two versions of your program. A publicly available demo version and a registered version which you send to paying customers. Well, there will always be someone who doesn't mind 'lending' his copy to someone else for whatever (illegal) reason.

So, program really secure protection into your application, you say. Apart from the fact that not everyone has the skills to build a really sophisticated protection into a program, it is an awful lot of work. Basically you would be building an application into an application. Happily enough, the author of SecureIt (Allan Mertner) saw this problem and wrote that very sophisticated software protection system for us.

Overview
SecureIt offers several levels of protection for your software. Which level you choose all depends on how much effort you want to put into implementing it. To give you an idea, here's a summary of the key features of the package:
 * Serial number support, with possibility to lockout or date-restrict a certain serial number.
 * RSA (max. 786 bit) encrypt user name, password, serial number and any user defined data.
 * Calculate 32 bit CRC checksums of a datablock or (part of) a file.
 * Patch in memory program code or data during execution to prevent certain parts of your code from executing.
 * Let the SecureIt DLL make callbacks into your program to call certain protection related functions.
 * Anti-debugger tricks. A pirate will first have to try and get your program loaded into a debugger before he can start the 'real work'.

You have a total of 30 APIs at your disposal to implement a maximum of security.

A program protected using SecureIt needs to interact with the SecureIt DLL through the SecureIt APIs. SecureIt comes with an interface to VisualAge C++, Borland C++, EMX GCC, Virtual Pascal and Rexx. I tested the package with Watcom C/C++ 10.6 and the VisualAge header and library, this worked as expected without any problems.

Apart from the DLL (16k, which also has to be distributed with your program) SecureIt consists of a program to generate the RSA key-pair and encrypt sensitive data to be included in your program, a program (either textmode or PM) to generate passwords and an on demand generated PM password generator, that will work for your program only, to send to your distributors/registration sites.

All of this comes with very comprehensive documentation (in HTML) describing the essence of software protection. If you want to build good software protection, the documentation really is a must. It explains what you should and should not do and what are the best ways for implementing SecureIt protection in your programs.

A Test Drive
Installing SecureIt was as easy as extracting the archive to an empty directory, making sure the DLLs are somewhere in your libpath and your compiler/linker can find the SecureIt .h and .lib files.

According to the author, basic (read: good and hard to crack) security can be build into an existing program in about 1 or 2 hours. I tested this by implementing SecureIt protection for a small PM program I'm working on, and I must say that it indeed didn't take me more than two hours. I added basic protection using the serial number date restriction and locking features with some user strings that will only be loaded if the program is registered. All this data was encrypted using a 128 bit RSA key-pair. The generated datablob is output by the gendata.exe program in the format of your choice (in my case as a C-array of bytes).

I then generated a MakeKey Client. This is the program customized to only be able to generate valid keys for your specific configuration. It's one executable that can't be tampered with at all. You use it to send to your distributors to generate keys to unlock registered features in your programs. It keeps a log with username and keys so you can be kept up to date on who registered your program with your distributor.



A screenshot of the MakeKey Client. Simply fill in the name, and a key is generated and the serial number automatically incremented. You tell your distributor to send you the generated registration log on a regular basis so you can keep track of your registered users.

As a final test, I also tried the callback feature. Basically, the idea is to have a function in your program that if called, activates some or all of the registered features. However, you won't reference that function at all in your program, thus making it impossible for a pirate to trace the code that enables the registered features. The function is called through a call to one of the SecureIt APIs.

In the password you generate for your user is room for four 32-bit user values. You can use them for whatever data you want. I used the first to hold the 32-bit offset (taken from the .map file after compiling and linking) of the callback function I defined. So, the only way to call this function is if the user enters a valid password, because that is the only way to find out the address for the function call. This is done by calling the KeyDispatch API function with as a parameter the number (1-4) of the 32-bit value holding the offset of the function you want to call. The SecureIt DLL then takes the address from the supplied password and does a callback to the function in your program.

Summary
I have been in the SecureIt beta program for a couple of weeks now and I'm still wondering why it took such a long time for someone to see that there is a market for such a tool. If you seriously want to sell your software, SecureIt is a must. It allows you to keep full focus on implementing actual functionality in your software without having to worry about not getting paid for your efforts.

I only discussed some of the basics of using SecureIt here. SecureIt has a lot more features to implement even more sophisticated protection for your programs. The package contains a couple of example programs using SecureIt which demonstrate all of SecureIt's possibilities. From the SecureIt website you can download a demo program protected with SecureIt. (Try to crack it if you like. ;-) Full source for this program is available in the SecureIt package.

The price for SecureIt (US$149) may seem a bit high at first, but if you consider the amount of work you save by not having to write your own protection code and the number of extra registrations it could mean, it is well worth the price. (BTW, there's mention of an offer on the SecureIt site which could save you US$50.)

If you still would like to test the complete SecureIt 2.0 package before you would consider buying it, Mr Mertner will gladly make a date limited version of the package available to you. Just write him an e-mail.

And, just in case you are considering porting your applications to Win32 (or maybe you have already), around July/August the first SecureIt beta for Win32 is expected. This will be for Delphi. After that, interfaces for the major Win32 C/C++ compilers will also be added.

Information
SecureIt can be ordered through BMT Micro.

SecureIt v2.0

Price: $149 US (private) or $499 US (business)