Is it worth adding identification to trials/demos? [closed]

In the world of pirates stealing software, one common technique is to download a trial or demo, patch it and upload this as the stolen version of a piece of software or game. This makes me think: if I sell software one day, it would be possible to set up a custom server, that builds a specific package, personalised to the user, when he downloads a trial. For example, the binary would contain identification numbers and checksums (like a signature using my private key), etc.

This way, if somebody cracks a trial of some software of mine, and uploads that, I could download that, and extract the identification of it. Would that be of some juridical significance to sue the cracker? Compare it to somebody that would buy music on iTunes, and be stupid enough to upload it with his name still in the files. The only difference is that I would try to hide this information, so it’s not that easy to spot.

Such information is most likely to remain in the binary, since this has nothing to do with the trial vs full version code in the binary. Or in the least significant bit of the red channel of a PNG image included in the software, for example. A cracker would most likely never notice this, unless he downloads the software multiple times, and bindiffs the packages. If he does that, he could try to throw out the information (and optionally a check procedure in the binary that verifies if the data is still there and valid). Then the cracker would have successfully removed the identification information.

I feel like this is an interesting thing to work on and be developing such a thing, but if this isn’t going to help me in any way to protect my software, or sue the crackers, then it’s probably not worth all the effort.

1

Will it help you identify the culprit in a way that holds up in court?

It will depend on jurisdiction, but there are a few complications.

The culprit is not likely to have used his own name in the registration, so what you have to go by is an IP-address and perhaps an email-address. Often that will only get you which local mall the culprit used the wifi to download at.

You might even have the MAC address of the network card in the laptop used for download. But you are not going to get a court order to search all residences in a 5-mile radius of the mall.

You might be able to help the police build a case by giving them the information, but I doubt it will matter unless you and the culprit are in the same country.

It depends how much effort you think someone is likely to put into cracking; no system is hacker proof.

A simple check relying on a function that returns success or failure is easy to patch.

If two downloads will only vary in predictable ways then it’s relatively simple to mask the original fingerprint.

You need to balance the loss due to piracy against the cost of making it harder.

UPDATE

Depending on the application and connectivity requirements, you may be able to offload a critical and not readily reproducible piece of code to a server that includes license checks.
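The fingerprinting idea from the question, as an added example that is not part of the original posts: a per-download ID plus an authentication tag written into the least significant bit of the red channel, with a helper showing what a diff of two downloads exposes. Assumptions: the image is an already-decoded raw RGBA pixel buffer rather than a PNG file, the ID is 32 bits, and a truncated HMAC-SHA256 tag stands in for the private-key signature the question mentions; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the posts): 32-bit download ID, HMAC instead of a signature.
TAG_LEN = 8  # truncated HMAC-SHA256 tag, in bytes
PAYLOAD_BITS = (4 + TAG_LEN) * 8


def _payload(download_id: int, key: bytes) -> bytes:
    body = struct.pack(">I", download_id)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def embed(rgba: bytes, download_id: int, key: bytes) -> bytearray:
    """Write ID+tag into the red-byte LSB of successive RGBA pixels."""
    if len(rgba) // 4 < PAYLOAD_BITS:
        raise ValueError("image too small for fingerprint")
    out = bytearray(rgba)
    data = _payload(download_id, key)
    for i in range(PAYLOAD_BITS):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        out[i * 4] = (out[i * 4] & 0xFE) | bit  # red is byte 0 of each pixel
    return out


def extract(rgba: bytes, key: bytes):
    """Return the download ID, or None if the tag does not verify."""
    if len(rgba) // 4 < PAYLOAD_BITS:
        return None
    data = bytearray(PAYLOAD_BITS // 8)
    for i in range(PAYLOAD_BITS):
        data[i // 8] |= (rgba[i * 4] & 1) << (7 - i % 8)
    body, tag = bytes(data[:4]), bytes(data[4:])
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # fingerprint absent, stripped or altered
    return struct.unpack(">I", body)[0]


def differing_pixels(a: bytes, b: bytes) -> list:
    """Pixel indexes where two downloads differ, i.e. what a bindiff shows."""
    return [i // 4 for i in range(0, len(a), 4) if a[i:i + 4] != b[i:i + 4]]
```

Because the payload sits at fixed positions, `differing_pixels` on two downloads points straight at the fingerprint region, which is the weakness both the question and the second answer describe.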
