Protecting software with Themida

piracy1Remember my post about fighting software piracy? A quick summary:

Don’t bother protecting your software against piracy. Your software will get cracked anyway.

If your software is protected, it will only take slightly longer before the cracker publishes his crack. Making the cracker’s life harder has no effect whatsoever on the number of users that get access to a cracked copy of your software.

In any case, don’t let piracy irritate you, drain your energy, waste your time or take away your focus from the important stuff: Improving and selling your software.

Well… I changed my mind…

Armadillo

I must say that my frustration with software protection was based on using Armadillo (now called SoftwarePassport). We have used it on and off for a couple of years. And each time we tried using it again, we immediately got complaints from users that the new build was suddenly slower or that it just crashed very often. Others even reported that the new build just refused to start on their machine.
Customer support was a nightmare: for every weird bug that was reported, we found ourselves wondering: Is this really a bug in *our* code, or is it caused by Armadillo again.

Also, our software got cracked anyway. For most new versions it took about a week before a crack was released, whereas unprotected builds got cracked within a day.

So we stopped using Armadillo and just released unprotected executables.

Themida

Anyway, after posting the above article, I received a lot of reactions.
Some of them proving my point, as they showed some developers can *really* get worked up about their software being pirated 🙂
But others suggested that I should take a look at WinLicense / Themida.

WinLicense is a full software license control and software protection system. Themida is just the software protection system. We have our own license key system that is fully integrated into our customer database and ordering system, so WinLicense doesn’t apply to our situation. Themida sounded great though, so I decided to buy a copy and test it.

Software Protection Requirements

First, here’s my set of requirements for a good software protection solution, in order of importance:

  1. Must be quick to implement and hassle-free
  2. Doesn’t cause weird crashes or other bugs
  3. Doesn’t cause conflicts with other software (virus scanners, firewalls, etc..).
  4. Doesn’t impact performance
  5. Makes it hard or impossible to crack the software

I still want to spend as little time as possible on piracy protection and I don’t want any negative side-effects.

Testing Themida

In the first week of October, we released Themida-protected builds of both Music Collector and Book Collector. After these releases, we started closely monitoring support tickets and our forum for reports of strange behaviour, crashes, conflicts, etc… And of course, I kept an eye on new cracks being published (I use Google Alerts for that).

After a week, we had not heard of any problems from our users. Which is a good sign, because usually, if there’s something wrong with a new build we know within a day (having a lot of existing customers has many advantages).
And I could not find any cracks of the new versions either.

A couple of weeks after these releases, there was a forum post from a developer (and Book Collector user), who found that Book Collector refused to start while Sysinternals Process Monitor was running (“A monitor program has been found running in your system”). One other Book Collector user confirmed he had the same issue.

A week later one other developer (and Music Collector user) reported a similar issue with Sysinternals Process Explorer. He was quite angry though:

My current version of Music Collector (Version 8.7 build 1) refuses to
start due to this Themida technology, which I assume is newly included
in it. For the first time ever, I’m getting this error on program
launch: “A monitor program has been found running in your system
Please, unload it from memory and restart your program”.

Why doesn’t Themida identify the app that it thinks is a monitor
program??

I’m pretty sure from web research that it has a problem with
Sysinternal Process Explorer–is that true? If so, let me tell you
that that is COMPLETELY UNACCEPTABLE! I’ve been using PE forever, and
I have it set to replace the Windows Task Manager, and I also have it
launch during Windows logon so that it’s pretty much always running.
Disabling it and rebooting every time I want to run Music Collector is
ridiculous.

I’m a developer and need PE. Furthermore, Windows is often unstable
and I use PE to resolve problems; I’m sure I’m not alone in this. If
this is the app that Themida is complaining about, then you’re forcing
me to stop using one or the other, PE or Music Collector. Why??

I need an answer before I reluctantly uninstall Music Collector
forever.

And that was it. No other conflicts with virus scanners, firewalls or anything. No weird Access Violations or other strange crashes. No reports of our software taking a long time to start, or performing slower than before.

And still no cracks.

Final test: protecting Movie Collector

After the successful test with Music Collector and Book Collector, it was time to go for the big one: Movie Collector.
Movie Collector is our most popular program, with the largest installed base. Plus it has always been very popular in the pirate scene (probably for cataloging their pirated movies). In the past, we’ve seen new Movie Collector versions being cracked within a day.

So on November 23, we released our first Themida-protected version of Movie Collector, version 6.5.

And to date, we have received no problem reports about it whatsoever (not even from developers). And what’s even more surprising, I still can’t find any version 6.5 cracks.

My revised view on piracy protection

Themida proved that it is possible to protect software against crackers (or at least make it very hard or time-consuming to crack), without causing conflicts or other software problems.
And more importantly, without spending a lot of time.

So if you want to protect your software against piracy, please don’t spend days or weeks building your own system (and constantly tweaking it for years to come). Just buy a copy of Themida (it’s ridiculously cheap) and spend a couple of minutes adding it to your build process. Then forget about piracy and spend your time improving your software and selling more of it.

Anyway, I think this post on a crack site sums it all up:

I would be very happy if someone had the crack for movie collector 6.5.1, I think I have seached the whole net for it now. It dont look like the crack excist, but that must be a first time ever if its true. Will be very thankfull if someone finds that crack or serial

28 thoughts on “Protecting software with Themida

  1. >Doesn’t cause conflicts with other software (virus scanners, firewalls, etc..).

    Only time will tell on this one. I have recently had a couple of software packages either refuse to install or crash intermittently due (according to the vendor) to conflicts between their licence protection and my anti-virus (ESet). IIRC they were using WinLicense in both cases.

  2. Thanks for sharing the experience! Have you tested your executables with different anti-virus applications? Last time I checked (about 6 months ago) both Armadillo and Themida were blocked by some (though Themida rating was better). Also, did you run tests on 64bit Vista systems with DEP enabled? It crashed on our test systems, both with Themida and Armadillo… True, there are much less errors and speed issues with Themida, but still I’m not (absolutely) sure whether we should just drop the Armadillo protection or replace it with Themida…

  3. By now, over 50 thousand existing customers have downloaded and installed the new Themida protected builds, on over 50 thousand different Windows systems and software configurations.

    From that group, we have received *three* complains, all 3 reporting the same conflict with the Sysinternals software (Which IMO isn’t even a conflict, I mean this is what Themida is supposed to do: detect debuggers and monitors).

    If there were serious problems with virus scanners, we would have heard by now.
    But I agree, only time will tell. Maybe more users will report issues, but still, after 10 weeks, I am quite confident there won’t be many.

  4. I’m trying to evaluate Movie Collector. I installed it and got an error from Themida saying I had a monitor program running. I did not. Based on what I read here:
    http://www.collectorz.com/phpbb2/viewtopic.php?f=5&t=15136

    The issue is almost certainly that at some point within the last few weeks since Windows Update rebooted my machine, I was using ProcMon to troubleshoot misbehaving software. I’m not running ProcMon now, but Movie Collector still won’t start. Soon I’ll be rebooting to see if that fixes the problem (likely).

    This is a defect. It says I’m running a monitor program, but I am not. Please confirm that this issue will be fixed in an upcoming release of Movie Collector. i.e. raise the issue with the Themida folks / stop using Themida / work around the problem in some other way — I don’t really care how it’s fixed, so long as it is.

    I do appreciate that you want to protect your software — I’m a developer myself. The only time I’ve seen the word “Themida” was earlier today, when an annoying popup incorrectly described the state of my system and raised my blood pressure. I don’t ever want to see the word “Themida” again. Please take the needs of power users and developers seriously. You may have 50,000 other people that never see this issue, but you won’t have 50,001 unless you commit to fixing this.

    Besides, Procmon is not an important part of the cracker toolchain. As a software developer myself I wouldn’t be worried about people using it to crack my software. Procmon is a developer and power user tool distributed by Microsoft themselves. We’re not talking about ShadyReverseEngineeringProgram by Saltine the cracker, we’re talking about Procmon by Microsoft….and to reiterate, it’s not even running.

    Please commit to a fix.

    • Hi Mike,

      Rebooting will fix the problem.

      Themida is working very well for us. It prevents cracks and we’ve
      heard of only a couple of problems. The advantages far outweigh the
      disadvantages here.
      So I am afraid we’ll keep using it.

      Sorry for the inconvenience.

  5. Sorry, but messing with (potential) users is NOT a good business strategy. In fact, it can be quite shady.

    I understand that, you as the coder of commercial software, piracy prevention/protection is a MUST – people want everything for free those days, and honestity is not on their values. And software developers need to eat and such other essential needs.

    TryingToEval has a good point – one user with problems among 50000 is not the big deal… but what about if that user loves the program and wants to recommend it to other people (their relatives and friends), and what about those people telling others about the program… You are not losing just ONE sale, but probably quite a few dozens, perharps even to hundreds… hundred of users that won’t be purchasing at all. Hundreds, maybe thousands of dollars that you’re saying “NO, DON’T WANT”. That’s not a smart way to making business…

    And NO, I WON’T RESTART MY COMPUTER. What if i’m doing some critical stuff that can’t be aborted? (like uploading a important file, encoding a lengthy video, or God forbid, burning a DVD/BD…). Oreans Software (and all other commercial software developers) seriously should stop considering users as potential thieves (in some seriously screwed places, your company could even been sued!). If you don’t want people to pirate your app, simply DON’T SELL IT AT ALL – zero piracy rate, and zero problems with users… and zero money for you. The user experience and satisfaction should be your #1 goal (besides earning money :), not only the “thou shall not pirate my program with Sysinternals”).

    • Hi GenericMan,

      Thanks for your feedback on our usage of Themida and the ProcMon issue.
      For your information, I have contacted Oreans support today, with the following email. Will keep you posted about their response.

      We have been using Themida to protect our Collectorz.com software
      since October 2009 and with great success.
      (the long story on my blog here:
      http://www.alwinhoogerdijk.com/2009/12/24/protecting-software-with-themida/ )

      However, we have received reports from 3 users, that Themida-protected
      programs refuse to start when ProcMon, “Process Monitor” from
      SysInternals, is running. Now 3 users out of hundreds of thousands is
      not a lot, but these users are quite upset (and maybe rightly so),
      because ProcMon is just an advanced Task Manager utility (not a pirate
      tool). Some of em indicate that this is a tool by someone at
      Microsoft, so it must be safe and written well ( I don’t know about
      that myself, but hey, that what my users are saying 🙂 ).

      Some user reports are here:
      http://www.collectorz.com/phpbb2/viewtopic.php?f=5&t=15136
      and there’s one in the comments on my blog post.

      So I was wondering, is there any way this can be fixed? Maybe by
      introducing an exception rule for ProcMon or even a setting in
      Themida?
      Or maybe there already is such a setting that I don’t know of.

      Another issue is is that our software keeps refusing to start *after*
      ProcMon has been shut down. A reboot is required to make it work
      again.
      Why is that? Can this be fixed?

      Thanks for looking into this. I am looking forward to your response.

      • Response from Themida support:

        Dear Alwin,

        Thanks for the information.

        Please, refer to the following KB article:
        http://www.oreans.com/kb/?View=entry&EntryID=177

        It seems that you have protected with the option “Monitor Blockers” enabled
        (in Protection Options panel). If you want to allow execution of ProcMon by
        your customers, you just need to protect unchecking those options.

        If you have any questions, let us know please.

        Thanks,
        Rafael

        I am not sure I like the “solution” of switching off the “Monitor Blockers” option. I mean, isn’t that going to decrease the strength of the protection?
        Will ask them about that.

        BTW: A quote from their knowledge base article explains the “reboot issue”:

        If you enable Registry/File Monitors, Themida/WinLicense will detect common registry/file monitor tools loaded in memory. The problem with Regmon, FileMon and Process Monitor is that the driver is loaded all the time in memory even if you close the User Interface for Regmon, Filemon, etc. So, the File system and Registry are still hooked by the monitor driver until you restart the computer. Looks that the developers of those monitor tools are not unloading the driver to avoid system crashes in case that a packet request is in the middle of processing while unloading the driver. Summing up, you customer needs to restart the PC if they have launched Regmon, Filemon, etc before launching your protected application (with Monitors detection enabled)

        • Wow, the Themida guys responded to my question within 5 minutes, on a Saturday! Their response:

          The module which detects those monitor tools will not be present. Just that protection is taken out, that should not affect the global security of your application.

          Sounds like a good solution to the ProcMon issue then.
          I will ask Ronald to switch off that setting for the next builds of all our programs.

  6. Hmmm… If I had to choose between “three users must close PE” or “millions of pirated copies”, I think I know what I would decide. It’s nice that you contacted Oreans, as they might be able to easily fix it, but I wouldn’t go much beyond that.

    Alwin, thanks for this post. I’m happy with what I use now, but it hasn’t been updated for a while and I’m aware that I’ll need to find another solution, sooner or later. Themida seems to fit quite nicely.

  7. I can certainly confirm the total lack of support for Armadillo (Software Passport or however the call themselves right now) since they were acquired by DR. It used to be a good product and had very good support, but it’s definitely not an option anymore.

    I’ll also be moving to Winlicense in the next month.

  8. I’ve seen today’s GAOTD where you’re giving a license for the Medical version, and after reading comments there, many complaining about Themida (of which I’ve heard about for the first time), someone linked to this blog post here. It seems to be quite an interesting tool, and I see you’re quite pleased with the way it is managing to prevent hacks. But I have a question whose answer would be quite useful to those thinking about using this tool, and I hope you can shine some light on it. So, basically: did you see an increase in sales after implementing it?

    I mean, from what I understand there are basically four groups of people out there when it comes people who want to use a specific non-free software:

    a) Those who’ll pay for it no matter what, even if a cracked version is easily available;

    b) Those who want it bad enough they’ll pay for it *if* they cannot get a cracked version;

    c) Those who, similar to ‘b’, want it badly enough they would pay for it, but who don’t have the money anyway, so they just won’t use it if they cannot get a cracked version;

    d) Those who like it enough to use it if a cracked version is available, but who wouldn’t care not being able to use it at all if only the paid-for version is available.

    Since ‘a’ are always-paying customers, and ‘c’ and ‘d’ are always-non-paying non-customers, it’s quite evident then that the only group that makes a financial impact is ‘b’, as they are the only ones that would switch from non-paying to paying.

    Hence, my question would be more precisely stated thus: if you take the effective sales of softwares for the months April to July, then subtracts from this the originally projected sales for the period, then subtracts from the result the cost of Themida itself, is the end result noticeable enough to make it worth implementing?

    • I am not sure what you are referring to with “Medical version”? I think you are confusing us with some other company.

      To answer your question: no, sales didn’t go up while using Themida.
      In the meantime, more incompatibility problems have appeared, so we have stopped using Themida for most of our products.

      BTW: the cost of Themida is of course negligible… that was never an issue.

    • IMO, the concern is ridiculous. Themida is a legitimate software protection tool.
      The user who posted the 2nd comment there obviously has no clue what he is talking about. I feel sorry for the developers of this Smart Diary Suite program, they are probably loosing a lot of sales because of this one comment. Sad…

  9. @Alwin, the userbase at giveawayoftheday are a few serious people among throngs of clowns so I agree that many developers get hurt by silly comments. Unfortunately, when people attack the developer, the comments don’t get moderated, but then when someone rises up to defend the developer and try to squash ridiculous unsubstantiated comments, they get moderated… I have notoriety so I get moderated super quick now, it’s rather ridiculous, all I want is fair commenting, but it should go BOTH ways!

    @Alexander, the question is interesting as anthropological studies have shown this phenomenon to exist, however, if you could protect an investment from theft (yes, piracy is absolutely and totally theft, there is no other definition for it), especially a product that garners the interest of *millions* of users, wouldn’t you?? Closed source, proprietary software is not a common resource like public parks or public lakes, and it is an atrocity that it is treated as such…

  10. @Alwin

    Care to explain a little about ‘more incompatibility problems have appeared’ and having stopped using Themida?

    You’ve kind of killed the entire post/thread with that remark.

    The Internet is a big place… but it almost seems like a business opportunity for someone to create a ‘crack sweeper’ service on the ‘net… that developers might subscribe to for a nominal fee… if one could somehow ‘sweep away’ (terminate) the (availability of) specific cracks.

  11. Hi Alwin,

    after year and half I’m wondering if you’re still using Themida or how did this story end?

    Waiting for final conclusion….
    Thank you!

    • In the end, we stopped using Themida.
      It often generated false positives with virus scanners and other security software. Which generated unnecessary support load.

  12. Hi there,

    I never tried, nor do I want to, but from what I heard there are game files, which have been decrypted and which did use Themida. While I personally don’t have anything against having your files protected, I do think that making the game/program better or cheaper (or both) is the better way to go if you want to win more customers.

    In theory at least it could be possible to mask an analysis application or – even worse – run the game/program inside a VM and have a full view at its memory print. I agree that this protection is difficult and due to its realtime decryption somewhat more secure. I however am not sure that the way of thinking (= thinking of how to use DRM to make people buy your software) is the right sales strategy. But then again it’s something everyone has to decide for him-/herself.

    Thanks for the post though – it was interesting to read it.
    Cheers.

  13. @Igor:
    > I do think that making the game/program better or cheaper (or both) is the better way to go if you want to win more customers.

    Interesting statement, in many ways…

    First, you make it sound like one has to choose between the two, either protect your software OR make it cheaper/better.
    I think (or at least hope) that *every* software developer is always trying to make his/her software better, everyday. But that of course doesn’t mean you can’t also try to protect your software against piracy. One doesn’t exclude the other.
    Of course, I fully agree that protecting your software should never be you main focus, taking time away from your regular development work. And that is exactly why a tool like Themida can come in handy, because it is so easy and quick to implement (and thus ensures that the developer can focus on what he should focus on: improving his software).

    Then, about making software cheaper: IMO that never is a good strategy. Choose a good price for your software, that represents its value for people who use it, and then users *will* buy it. And you will earn some money that allows you to spend more time on that software to improve it. Everybody wins.

    Finally, you say “win more customers”. If that is your goal as a developer, that is fine. And yes, making your software cheaper will certainly help to win more customers.
    BUT: will it actually help your company? For my company the goal is to make more money. If more customers is the way to do that, fine. But in many cases, it isn’t. Again, it may be better to make your software more expensive, so that you attract the kind of customers you want.
    Entirely depends on the type of software of course. Only way to know for sure is to test different price levels. Which we did of course and for us lowering prices certainly didn’t work.

    > I however am not sure that the way of thinking (= thinking of how to use DRM to make people buy your software) is the right sales strategy.

    Of course DRM isn’t a way to “make people buy your software” and it certainly isn’t a sales strategy. I think for most developers it just is a way to make sure people don’t steal their software and use it for free. Whether it actually generates more sales or not 🙂

    FYI: we stopped using Themida years ago. Wasn’t worth the trouble of false positives, incompatibility problems, etc…
    So you may be happy to hear that we now fully focus on making our software better (which we always did anyway).

  14. Thanks for taking the time to maintain this post. We are evaluating our copy protection/license software now. Themida is on the short list, but the AV issues are front and center.

    Have you switched to a new protection product? If yes, would you be willing to share the name?

Leave a Reply

Your email address will not be published. Required fields are marked *