A specific sequence of superfluous prefixes and/or using different encodings for the same operation may not be that conspicuous.
Yep, that is pretty easy and difficult to find if you bury it deep enough. It is mostly a question of how much time a cracker wants to invest in debugging the exe...
If I had valuable software (I don't, and it strikes me that the question of obfuscating and securing pops up so frequently here - does anybody here have anything that is worth the effort???), then I would do the following:
- check if the fingerprint is OK (not the same as watermarking)
- if not, put somewhere a comparison between the install date and system time (or some other magic difference)
- set a flag if the difference is too high
- pop up later in an unrelated place and tell the user "you forgot to register"
Now the fingerprint is the tricky part:
- user downloaded a legal copy and left his email address, so that his downloaded exe could be individually configured
- user has to contact you via email or website to get a magic dword
- in his exe, in the code or data section, there is an individually crafted 512-byte section with random data
- one of the dwords, at a location determined by another (fixed position) dword, contains the xor'ed register dword
- if that dword doesn't match, it triggers some nasty behaviour
- and of course, the check takes place deeply buried in the edit control's subclass procedure, and only if the user types "Microsoft".
But again, that only makes sense if you have to offer something as valuable as PaintShop Pro ;)
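
The 512-byte fingerprint block described in the post above, sketched in C as an added example that is not part of the original post. The selector position, the XOR mask, the modulo mapping and the sample values are assumptions; the post does not specify them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define BLOCK_DWORDS   128u         /* 512 bytes of per-customer data */
#define SELECTOR_INDEX 7u           /* assumed fixed position of the selector dword */
#define XOR_MASK       0xA5C3F00Du  /* assumed build constant, not from the post */

/* Small xorshift PRNG so the example is reproducible; a real build
   would fill the block from a CSPRNG. */
static uint32_t xorshift32(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Map the selector dword to a slot in 0..127 that is never the selector itself. */
size_t slot_index(const uint32_t *block) {
    size_t idx = block[SELECTOR_INDEX] % (BLOCK_DWORDS - 1u);
    return idx >= SELECTOR_INDEX ? idx + 1u : idx;
}

/* Vendor side: random block, then plant the masked magic dword. */
void build_block(uint32_t *block, uint32_t seed, uint32_t magic) {
    for (size_t i = 0; i < BLOCK_DWORDS; i++)
        block[i] = xorshift32(&seed);
    block[slot_index(block)] = magic ^ XOR_MASK;
}

/* Client side: 1 if the dword the user entered matches this copy's block. */
int check_fingerprint(const uint32_t *block, uint32_t entered) {
    return block[slot_index(block)] == (entered ^ XOR_MASK);
}

int main(void) {
    uint32_t block[BLOCK_DWORDS];
    const uint32_t magic = 0xDEADBEEFu;      /* constructed sample value */
    build_block(block, 0x12345678u, magic);  /* constructed seed */
    printf("slot %zu, good=%d, bad=%d\n", slot_index(block),
           check_fingerprint(block, magic), check_fingerprint(block, magic ^ 1u));
    return 0;
}
```

The mask and the selector position ship inside the executable, so this raises the debugging cost for whoever traces the check; it is not a cryptographic verification.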