I am currently implementing a simple copy protection scheme using the OnlineUnlockStatus class, and I am by no means an expert in this field (I just followed common sense and the documentation of this class).
Basically, you implement all the virtual functions of OnlineUnlockStatus with your project-specific data and then scatter the isUnlocked() checks randomly through your non-realtime code to make cracking an annoying process.
But I think the weakest point of this class is the getPublicKey() method. Because it's a virtual function, it can't be inlined (unlike the actual isUnlocked() check).
If you find this method (which is called exactly once, at the point where you load the key file), you can simply exchange the public key with one matching another private key and use that in a keygen to create perfectly valid licence files.
Now basically there are two strategies:
1. Try to harden this copy protection scheme (e.g. by adding a hash of your public key somewhere in the binary and checking that it stays correct. This check should be called as frequently as the isUnlocked() check).
2. Stop further efforts, because if a cracker can find the public key, he is good enough to solve every other puzzle you throw at him within minutes.
What would you recommend (and what is your experience in this field)? I certainly don't need a bulletproof solution (because there is none), but I want to apply as much effort as needed to prevent little idiots with reverse debuggers from creating a keygen within the first few days.
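As an added illustration of strategy 1 (not code from the original post, from JUCE, or from the OnlineUnlockStatus class): a digest of the public key is fixed at compile time as a constant, and a small check hashes the key bytes the program is actually using and compares them with that constant. The key string below is a constructed placeholder, not a real key, and FNV-1a is used only as a cheap non-cryptographic checksum for tamper detection; how the key is obtained at runtime (getPublicKey() in JUCE) is assumed, not shown.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed placeholder standing in for the real public key string.
// Assumption: in a JUCE project this would be the value getPublicKey() returns.
constexpr char kPublicKey[] = "PLACEHOLDER-PUBLIC-KEY-NOT-A-REAL-KEY";

// 64-bit FNV-1a. constexpr so the expected digest is baked into the binary
// as a constant instead of being derived from the key at start-up.
constexpr uint64_t fnv1a64(const char* data, std::size_t len)
{
    uint64_t h = 1469598103934665603ULL;      // FNV offset basis
    for (std::size_t i = 0; i < len; ++i) {
        h ^= static_cast<unsigned char>(data[i]);
        h *= 1099511628211ULL;                // FNV prime
    }
    return h;
}

// Digest of the genuine key, computed at compile time.
constexpr uint64_t kExpectedKeyDigest = fnv1a64(kPublicKey, sizeof(kPublicKey) - 1);

// Runtime integrity check: hash whatever key bytes are in use and compare with
// the baked-in digest. A key that has been swapped for another one no longer
// matches, so the check fails even though the swapped key is itself valid.
inline bool publicKeyIsIntact(const std::string& keyInUse)
{
    return fnv1a64(keyInUse.data(), keyInUse.size()) == kExpectedKeyDigest;
}

// Example gate to sit next to an isUnlocked() check: the feature is only
// enabled when the licence check passed AND the key has not been replaced.
inline bool featureAllowed(bool unlockedByLicence, const std::string& keyInUse)
{
    return unlockedByLicence && publicKeyIsIntact(keyInUse);
}
```

Because the digest constant and the check are both in the binary, this only raises the bar: someone who can patch the key can also patch the constant. The value comes from the check being inlined and repeated at many call sites, as the post already does with isUnlocked(), so there is no single non-inlined function (the problem raised about the virtual getPublicKey()) whose one patch disables the whole scheme.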