
Looking for replacement for Software Passport / Armadillo


#1

Now that Digital River has announced they are discontinuing Software
Passport / Armadillo as of 1 July, I’m looking for a replacement - just a
“remind honest people they’re honest” solution for some new Delphi
Windows desktop apps I’m starting. Anybody care to share what you’re
using?

Thanks,

Jack


#2

Greetings,

I’m not sure if it fulfills all the functions you need from Software Passport but I have been using LimeLM (http://wyday.com/limelm/) for my product and it has worked out pretty well. It is basically a licensing solution; if you need obfuscation then you would need to look elsewhere or additional. They have, in my opinion, bootstrapper friendly pricing compared to some of the other solutions I examined.

Hope this helps,

erik


#3

Thanks, Erik - I’ll check it out!

- Jack

#4

This must be an old question, but in my company we are using PELock software licensing solution for our Delphi based projects, it provides excellent SDK for Delphi, it’s even available at GitHub

and the protection system is available at:

We have migrated long ago from Armadillo / SoftwarePassport to PELock and since then, our software has never been compromised, now they have released v2.0 and it’s the best protection for Windows apps I’m aware of.


#5

Full disclosure: I’m founder and CEO of wyDay, a company that makes LimeLM – a software licensing product for Windows, Mac, Linux, etc.

Well, Marc, nothing is uncrackable. My opinion of companies that claim they have uncrackable software or uncrackable protection is very, very low. They either (a) don’t actually understand how cracking is done or (b) they’re deliberately misleading customers in order to get their business at any cost. Either case is worrisome (which is worse: incompetence or malice?)

A simple google search and I was able to find a cracked version of PELock. So much for uncrackable. To say nothing of apps using PELock.

The long-and-short of it is this: every piece of software is crackable. And, frankly, software is not that hard to crack, no matter how many “in-memory encryption” and “obfuscation” tricks are used. Sure, script-kiddies will moan about “uncrackable software” on forums, but for crackers with knowledge of debuggers it’s a walk in the park.

So a company that claims “Software copy protection against reverse engineering with anti-cracking & anti-debugging techniques.” is selling snake oil. I’ve written an article about snake oil in the software licensing industry here (it also talks about LimeLM, but it was written in a way to make potential customers more knowledgeable about the software protection in general, whether they ultimately chose us or not): https://wyday.com/limelm/features/why/

There are a lot of legitimate software licensing companies out there. I would not put this company among us.


#6

One of the things that pissed a lot of customers of my last ISV company was the change in license system which required a change of their license keys. Don’t do this. Split the process into two tasks, the license stuff (usually an asymmetric key with high encryption bitrate to prevent key generators) and the protection. I’m not a believer in spending too much money on protection. I dumped Armadillo (because it was incredibly slow on network computers doing a blocking broadcast message in the network segment - Facepalm) in 2007 after 1 year of usage and saw no effect at all.

If you attract people who can crack your typical home made protection you have a good program already. And with the current virus and malware epidemic the people who pay for software (and they are the only ones you should care about, not some students without money) are not using cracks anymore. And I still want people to use pirated versions of my software more than if they use the software of my competitor.

The only serious problem are stolen keys that work with executables that can be downloaded from your website. So use blacklists for license keys.


#7

Hi there,

we are using LimeLM by Wyatt as well and we are quite happy (or very happy). Since we pay him (and not the other way around) I think we are off the hook with the recommendation. After a couple of years of experience dealing with customers cracks etc, here is maybe some bottom line:

  1. No software is uncrackable. Ideally use static linking (e.g. LimeLM DLLs) and at least verify the libraries if you use dynamic linking.
  2. LimeLM (and other similar solutions) can ONLY protect you from “people using a VALID license on more machines than intended by you”. It does not protect you from cracks.
  3. EVERY software can be cracked - and you should go after the crackers. We use services such as Muso (medium happy) and copyrighthero.com (very happy) also sometimes “track that crack”. You HAVE to clean up the crack mess. Otherwise people will crack your software like hell. I do not agree with the notion “yeah, people don’t crack your software anymore”. We had legit business owners sending us support requests for cracked software. People are dishonest.
  4. Don’t make your software protection overly complicated / complex (e.g. those solutions embedding your software in a wrapper and unwrapping it etc.). There is so much mess happening with “software protection, different operating system, user permissions, firewalls, antiviruses etc.” particularly on Windows. It’s a nightmare…
  5. I don’t think torrents are a big issue these days compared to filesharing sites (e.g. rapidgator) in developed countries. People are actually scared that they get caught using torrents (and they do…) - whereas they are rather safe with filesharers…
  6. People will crack and distribute whatever software you have. Even if it “sucks”. Don’t take it lightly.
  7. I think having a proper software protection like LimeLM will increase revenue by 40-60% compared to “enter a valid key on an unlimited number of computers” and going after cracks should help you another 10-20%.

Plus: I think Wyatt and his team are fine. They are competent and help you out as well. Most competent customer support I’ve ever encountered.
Cheers


#8

You can implement your own in about 2 weeks time.

The advantages of implementing your own:

  • Much more freedom in tailoring it for your needs.
  • Save $$
  • The thrill of learning new things. I enjoy learning techy stuff.

Broadly, the idea is the following:

Compute some kind of signature (aka “machine ID”, “machine fingerprint”) for the computer. Use things like MAC Address, CPU, disk etc.

When your software is first run, check whether “cached license” (stored somewhere on the user’s machine) is present. (More on that below). If not, go into first-time activation.

  • First time activation: Get the registration key from the user. Send the registration key and machine signature to your server. At the server, check whether the software with
    that key has already been installed on stipulated number of machines. If so, send “rejection”. Else, allow activation and send back encrypted form of the machine signature back.
  • The encrypted machine signature is received at the client. Store it somewhere on the user’s machine. This is what I referred to as the “cached license”.

Each time the software runs, read the “cached license” which in essence is the
encrypted machine signature. Decrypt the cached license. Compare the decrypted machine signature with the actual signature. If they are “nearly same” (i.e., “Fuzzy Match”), accept the validity of installation.

The reason for checking that they are “nearly same” instead of “exactly same” is that you don’t want to reject the cached license when the user does small changes to the hardware. How much change you want to tolerate is up to you.

To further clarify the idea, the server side program does the following:

  • Listens to activation requests from the software running on user’s
    machine. As I mentioned, the activation request payload is essentially
    "Registration key & machine signature".
  • Maintains a simple database/file that keeps a map of “registration key” to “Signatures of machines on which it has already been installed”.
  • Check whether the machine signature “matches”(fuzzy match) one of the machines
    software with that key has already been installed. If so, it is a case
    of user trying to re-install on a machine he had previously installed.
    So, send back “Accepted payload”.
  • Otherwise, check whether allowing to be installed on the new machine is within the limits of the license. If so, send back “Accepted payload”. Else, send back “Rejected
    payload”.
  • The “Accepted payload” is in its essence the encrypted
    version of the machine signature that came in as part of activation
    request.
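
The activation flow from post #8, combined with the key blacklist suggested in post #6, as an added Python example; it is not code from any poster or from a licensing product. The names, seat limit and match threshold are assumptions, and the “accepted payload” is authenticated with a standard-library HMAC as a stand-in for the asymmetric signature a shipped client would verify with an embedded public key.

```python
import hashlib
import hmac
import json

# Assumptions for this sketch: HMAC with a server-held key stands in for the
# asymmetric signature a shipped client would verify with an embedded public key.
SERVER_KEY = b"constructed-demo-key"
MAX_SEATS = 2      # machines allowed per registration key (assumed policy)
MIN_MATCHING = 2   # components (out of 3 here) that must agree for a fuzzy match


def fingerprint(components):
    """Hash each hardware component on its own so they can be compared one by one."""
    return {name: hashlib.sha256(value.encode()).hexdigest()[:16]
            for name, value in components.items()}


def fuzzy_match(stored, current, min_matching=MIN_MATCHING):
    """True when enough components agree, e.g. after a single disk swap."""
    same = sum(1 for name in stored if current.get(name) == stored[name])
    return same >= min_matching


def _tag(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


class ActivationServer:
    def __init__(self, valid_keys, revoked=()):
        self.valid_keys = set(valid_keys)
        self.revoked = set(revoked)   # blacklist of stolen or leaked keys
        self.seats = {}               # registration key -> activated fingerprints

    def activate(self, reg_key, fp):
        if reg_key not in self.valid_keys or reg_key in self.revoked:
            return {"status": "rejected"}
        machines = self.seats.setdefault(reg_key, [])
        # Re-install on a machine already seen: accept without using a seat.
        if not any(fuzzy_match(m, fp) for m in machines):
            if len(machines) >= MAX_SEATS:
                return {"status": "rejected"}
            machines.append(fp)
        body = json.dumps({"key": reg_key, "fp": fp}, sort_keys=True)
        return {"status": "accepted", "license": body, "tag": _tag(body.encode())}


def check_cached_license(cached, current_fp):
    """Client start-up check: authenticate the cached license, then fuzzy-compare."""
    body = cached["license"]
    if not hmac.compare_digest(_tag(body.encode()), cached["tag"]):
        return False   # cached license was edited after the server issued it
    return fuzzy_match(json.loads(body)["fp"], current_fp)


if __name__ == "__main__":
    # Constructed sample machine, not real hardware identifiers.
    pc = {"mac": "00:11:22:33:44:55", "cpu": "cpu-model-x", "disk": "disk-serial-1"}
    server = ActivationServer(valid_keys={"KEY-1"})
    lic = server.activate("KEY-1", fingerprint(pc))
    print(check_cached_license(lic, fingerprint(dict(pc, disk="disk-serial-9"))))
```
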

#9

2 weeks time work is not “save $$” in my books. Even at a minimal wage it is some $800.

Having said that, I did implement my own – but a much simpler one.


#10

@rfctr: Yes, if it was a reasonable, fixed, one-time cost, paying the amount in exchange for 2 weeks time can be a good trade-off. What bothered me when I looked into it about 2 years ago was that some of the good solutions had very high fixed cost (More than 2 weeks typical salary of an engineer) or wanted a cut as percentage of sales. Hopefully, the situation has improved now and there are more attractive alternatives.


#11

Hi guys,

don’t get me wrong - but badly copying the principle from Wyatt’s page and then seriously suggesting that 800 USD equals 2 weeks of salary and would be enough to implement even a rudimentary solution is just beyond my comprehension. Either you have no valuable product or you have no idea what you are talking about. Why don’t you make it even simpler by allowing any valid key that is matching some checksum.
I mean, you cannot be serious and mean what you are talking about… Testing happens like how many days? Zero? Customer does it for you?

Just for starters, the following things could happen: firewalls blocking activations, hackers hammering your verification servers, customers being unable to verify the license because they are offline for a few days, customers changing a couple of components, customers wanting to try out your software and maybe get an extension, customers installing the software on 32, 64 bit Windows, Mac, Linux, customers running VMs, customers changing to Win 10 with Hyper VM enabled, etc. Even if you get a hold of all those items and implement it just like Wyatt explains it on his homepage - good luck running your activation and verification server 24/7, good luck not having some script sh*** itself, good luck not having people bomb your servers or whatever random thing could possibly happen. Sure, you only have 5 sales a month those things don’t bother you. But then just do a checksum - or even simply accept anything a customer enters. That is still better than a badly implemented software protection mechanism. And you forgot to include the cost in support for dealing with your “homebuilt” licensing system.

With all due respect, but license management (including trials) based on server-verification with fuzzy hardware matching that does not annoy consumers and works reliably is probably one of the most complex endeavours in software development. Even if you believe that you outsmart everybody on the planet by thinking about this problem for 2 weeks max - at least give the credit to the people who thought about those things in detail and made them publicly available when explaining “how you came up with everything”.

But ok, everyone has different standards. However, I cannot possibly understand how these responses have any valuable information a reasonable developer can take seriously. You want to know how to do it? Here is a nice technical explanation of the process. It’s more detailed than what you offer and it’s more reflected, also pointing out a number of possible issues…
https://wyday.com/limelm/features/why/

I am a paying customer. For the 10 sales per month products, for which the suggestions above are obviously intended, the single plan is probably good enough and just costs 11 USD/month. Implementation can be done in a couple of days and I’d say supporting issues related to the software protection maybe happens 1 / 1000 installs. Probably less. Resetting activation slots, customers entering invalid keys etc. excluded.

Best,
Jan


#12

What’s your product, Jan?


#13

I’m using LimeLM too and it’s working fine. The support is good. If you want a non-saas solution then http://www.infralution.com/products/licensing_system.html is a good option, also with good support forums. You will need to build and host your own activation server if you want one where LimeLM provide one as a service.

I looked into this extensively and these seemed to be the two best options I found. CryptoLicensing is another option but I prefer Infralution.


#14

Strongly worded but all this is a great example of why it’s hard to sell to developers. “Pah! I can do better than that, couple of days max!”


#15

True.

Having said that, many of the complexities argued above are around the “call home” functionality, which to me seem not necessary (nice to have but not necessary). And if you remove the call home (along with firewall bypass, proxies, servers to receive those requests, DB to store them and an UI to review them) the basic license implementation is pretty simple – decrypt the license file with a public key and off you go.

So yes, 2 days of work.

P.S. It may not work for all applications, but for mine – which requires a unique server IP – it works fine. The IP is in license key, and the application only binds to the provided IP. Of course there is still a way to work around that for a dedicated sysadmin, but why bother?


#16

In case anybody wants to try implementing their own, the following reference may help in getting started.


#17

Well, that’s a naïve article. If it was written by someone in the software licensing industry I’d call it outright bad, but looking at the guy’s “About me” it looks as though he doesn’t have experience in this field, so it’s understandable he gets just about everything wrong.

There are a lot of problems there (with every platform). I’ll just focus on Windows.

  • getMachineName() and getVolumeHash() are worse than useless: https://wyday.com/limelm/features/why/#wrong-id
  • getCpuHash() will not return a unique value.
  • You’re left with a single “unique” identifier (the MAC address of 2 adapters) but even that code is disastrously incorrect.

My advice if you’re building this yourself: Get yourself access to about 100 or so real computers, make sure they all have different hardware configurations (laptops, desktops, devices of all shapes and sizes), make sure they’re in different parts of the world, and then test your algorithm. That will be a good start (but if I’m being honest, it’s just the start).

My secondary advice: you’re not going to find a good fingerprinting algorithm by a google search. It’s simply a case of you don’t know what you don’t know. If you haven’t been developing software licensing for a decade then you don’t know what works and what doesn’t. I immediately recognized that article as simplistic and wrong, but if you don’t have that experience then it looks like you hit the mother lode.

Last piece of advice: keep at it, don’t be discouraged, but also be realistic. If your goal is to learn more about computers and to learn more about developing resilient algorithms, then I’d recommend you give developing your own licensing a shot. If your goal is to make your product and sell it to more than a handful of people, then you’re making a pretty big mistake developing your licensing yourself. But it’s a catch 22: you won’t realize you’re making a mistake until you have enough experience (or enough customers) for it to become obvious.

I’ll just end by saying some of our most loyal customers are those who made licensing themselves, realized what a hard (and ongoing!) problem it is to solve, and were able to recognize our licensing for being very high-quality. Without that real-world insight about what it takes to make good licensing it’s hard (sometimes impossible) to tell garbage licensing products from good ones.


#18

You are right, there were cracked PELock copies, from 10 years ago :joy: and I don’t see any claims on their website it’s uncrackable…

I’ve heard about LimeLM, my friend in Sweden tried LimeLM and his software was cracked in the next day his software was released (audio processing, very popular). Not a very good memory.

LimeLM looks like a snake oil to me, especially when its founder tries to undermine his more technologically advanced competition.

Licensing != Protection

If you don’t know the difference between those two technologies I guess you’re already in big trouble.

Basically cracking LimeLM is as simple as patching any other licensing code.

On the other hand, PELock protects application against modifications, provides selected code encryption (LimeLM can’t do that) and has extended licensing API all working together. We’ve been using those features for years and it’s proven to be working fine against cracking, we have thousands of users and millions of downloads.

Hell, even people on this forum claim LimeLM won’t protect you against cracks.

“LimeLM (and other similar solutions) can ONLY protect you from “people using a VALID license on more machines than intended by you”. It does not protect you from cracks.”

Why would anyone use LimeLM if it doesn’t protect against cracking?

Get your facts straight, read about application file protection (exe protection) and licensing. Real world application needs both of those, not just some licensing library that gets cracked in no time like LimeLM.


#19

Why do you even use it, when you say LimeLM can be cracked :), where’s the logic in that :fearful: ? You choose it just because it has nice interface?


#20

Well, this is explained in the 2nd and 3rd paragraphs in the article I linked to, under the headline “What is software licensing?”:

Software licensing allows you to get paid for each copy of your software. The types of software licensing come in a few general forms which I’ll be covering in the next section. With few exceptions the “hardware-locked” licensing is best for businesses because it allows you to have absolute control over where your software is installed.

The point of licensing isn’t to stop crackers from cracking your software. The point of licensing is to increase your revenue by preventing casual piracy (using serials over and over again). There is real money to be made by stopping casual piracy.

Nowhere on our site do we claim to stop cracking. If customers ask about it we explicitly tell them our product does not stop cracking. No product can stop cracking. Trust me, if it were possible to stop cracking we would make a product and sell it in a heartbeat. It’s not possible.

Because nothing protects against cracking. Because that’s not the point of licensing. You will occasionally get companies claiming to stop cracking (e.g. PELock, and a handful of others), but it’s not actually possible.

OK, we’ll just have to agree to disagree on the “more technologically advanced competition” point.

Regarding me trying to “undermine [our] competition”, I would disagree with that characterization. A company that you recommend is selling a lie (either through ignorance or malice), and I have more than a decade in the software licensing field. So I was trying to bring reality to the discussion. If that company had not claimed an impossible thing (i.e. being uncrackable) I wouldn’t have commented on them one way or another.

I do make a point of shaming companies that lie; specifically licensing companies because that’s where my area of expertise is. Whether that’s a good business decision or not (to even risk looking like I’m “lashing out” at companies just because they compete with us, even despite that not being true) is another discussion.

Brief aside: commenting on competition

I know some business owners take the position that you should never mention your competition, and never publicly talk about them one way or another. And I take that view for our legitimate competition (i.e. the many software licensing companies that do not claim they provide an uncrackable solution: i.e. our competition that does not lie to customers).

But since I started my business more than a decade ago now, I have always called out the lies of our competition whether they were a bigger company or a smaller company. My ultimate goal is to bring reality to the software licensing market.

I know some of our customers like it, some of our customers are indifferent, and some of our customers are decidedly turned off by me doing this.

Back to the topic at hand…

Well, this is the headline on their homepage:

Software copy protection against reverse engineering with anti-cracking & anti-debugging techniques.

I, and I think any reasonable person, would take that to mean they stop reverse engineering (i.e. cracking). But I guess you do have to click their “PELock” product to get the “money quote”:

PELock is a software security solution designed for protection of any 32 bit Windows applications against cracking, tampering and reverse engineering analysis.

They can’t both claim that they can “protect against cracking” and that they’re not claiming they’re uncrackable. Those two ideas are inherently at odds with each other. You’re either “uncrackable” or you’re not. “Protection […] against cracking” is useless if it can be cracked (and it can be): it’s an inherently binary thing.

Long story short: cracking is both a reality (for any product, including PELock) and for popular products cracking is inevitable.

I get that you’re a fan of PELock, and I’m sorry if anything I said insulted you, that wasn’t my intention. My goal was to inform you of the reality of software, cracking, and licensing in general. And, I guess, my only hope is if you take this away from the discussion:

  1. Nothing can stop cracking.
  2. Legitimate software licensing companies do not infer or “wink” in any way to customers that their product can stop cracking.
  3. The point of software licensing isn’t to stop cracking.