Sunday, February 21, 2010

Review: AVLockGold. Should component writers stop giving sources?

Once upon a time, there was a security protection called AVLockGold (sold with sources) which has never been hacked or cracked. It also reads like the story of Goldilocks and the three bears. For those who do not know the story, see: Goldilocks and the Three Bears



Code review

Your reviewer was surprised to see that much of the code comes from elsewhere:
- Ararat Synapse (Copyright (c) 1999-2008, Lukas Gebauer),
- Rijndael API (http://rcolonel.tripod.com),
- parts of the RX Library and parts of TurboPower SysTools.

Let me explain. In the /component/ folder:
AVLockS4.pas - from AVLock (with parts from the RX Library and from SysTools)
blcksock.pas - from Ararat Synapse
boxes-ref.dat.pas - from Rijndael API
NewIn32.txt.pas - from AVLock
rc_rndcrypts4.pas - from Rijndael API
rijndael_alg_refs4.pas - from Rijndael API
rijndael_api_refs4.pas - from Rijndael API
Simple4_TLB.pas - type-library import for simple WMI instrumentation
sntpsend.pas - from Ararat Synapse
sswin32.pas - from Ararat Synapse
synacode.pas - from Ararat Synapse
synafpc.pas - from Ararat Synapse
synaip.pas - from Ararat Synapse
synautil.pas - from Ararat Synapse
synsock.pas - from Ararat Synapse
userstats4.pas - from AVLock
(16 files in total: 8 from Ararat Synapse, 4 from Rijndael API, 1 COM wrapper, 3 from AVLock itself.)

Even though it is mostly open source, your reviewer thinks this is still better than IceLicense. In IceLicense the authors copied almost 99% of the code, including the TurboPower LockBox encryption flaws, the TurboPower OnGuard errors, the TurboPower SysTools errors and the TurboPower Essentials errors. In AVLockGold, the author at least repaired some errors in the Synapse, Rijndael and other routines so that they are compatible with Delphi 2009/2010.

At least AVLockGold uses Synapse for TCP/IP. (IceLicense binds to Indy v7, so it causes link errors if you use Indy v8 or v9, but few people know this, since the author removed his website's forum so nobody could complain.)

Flaws
There are several flaws in AVLockGold:
  1. Where is the blocked-serials list? Oops, you have to build it manually. The OLM (on-line license manager) also has no way to enter blocked serials.
  2. The key material used with RC4 (the product calls it a public/private key pair, although RC4 is a symmetric cipher and has no such thing) is stored in the DFM in plain text, so your program can be broken easily. Whatever sits in a DFM is linked into the executable as a resource and can be read straight back out of the shipped binary.

     That is, anyone else who licensed AVLockGold can enter the same values you entered into AVLockGold and generate keys for your program.
     
  3. No network metering capability.
  4. The On-line License Manager talks to the web server without encryption, and the POST results coming back from the web server can be emulated.
  5. The trial can easily be reset by deleting the files AVLock generates.
  6. The cryptographic buffers are not cleared, so the RC4 key material and results stay in memory after use.
  7. While AVLockGold calls certain time servers to check the real time, it has no list of alternate time servers as a backup. If you call a time server at all, the copy-protection system should keep a list of them, so that when one server fails repeatedly (firewall, packet filtering, time-outs) it can switch to another.
  8. The checks can be patched out, or the copy-protection mechanisms bypassed, in the compiled binary.
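Flaw 2 is worth making concrete, because the DFM is not hidden anywhere: Delphi links each form's DFM into the executable as an RCDATA resource, so a key stored as a component property can be pulled straight out of the shipped binary. The following Python is an example added by the editor, not code from AVLockGold or from any of the libraries named above. It walks the binary DFM format (the 'TPF0' stream written by Delphi's TWriter) and lists every string-valued property, which is all an attacker needs once the resource has been dumped with any PE resource extractor. The sample stream, the class names TDemoForm and TLicenseStub, the property names and the key values are all constructed for this example.

```python
import struct

# TValueType ordinals from Delphi's Classes unit (binary DFM stream format).
(vaNull, vaList, vaInt8, vaInt16, vaInt32, vaExtended, vaString, vaIdent,
 vaFalse, vaTrue, vaBinary, vaSet, vaLString, vaNil, vaCollection,
 vaSingle, vaCurrency, vaDate, vaWString, vaInt64, vaUTF8String, vaDouble) = range(22)
_FIXED = {vaInt8: "<b", vaInt16: "<h", vaInt32: "<i", vaInt64: "<q",  # fixed-width numbers
          vaSingle: "<f", vaDouble: "<d", vaDate: "<d", vaCurrency: "<q"}
_TEXT = {vaLString: "latin-1", vaUTF8String: "utf-8", vaWString: "utf-16-le"}


class DfmReader:
    """Walks a binary DFM ('TPF0' stream) and records every string-valued property."""
    def __init__(self, data):
        if data[:4] != b"TPF0":
            raise ValueError("not a binary DFM stream")
        self.data, self.pos = data, 4
        self.strings = []  # (object path, property name, value)
    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated DFM stream")
        self.pos += n
        return chunk
    def _short_string(self):  # Delphi ShortString: length byte + bytes
        return self._take(self._take(1)[0]).decode("latin-1")
    def _value(self):
        t = self._take(1)[0]
        if t in (vaNull, vaNil, vaFalse, vaTrue):
            return {vaTrue: True, vaFalse: False}.get(t)
        if t in _FIXED:
            return struct.unpack(_FIXED[t], self._take(struct.calcsize(_FIXED[t])))[0]
        if t in (vaString, vaIdent):
            return self._short_string()
        if t in _TEXT or t == vaBinary:  # int32 length, then the payload
            n = struct.unpack("<i", self._take(4))[0]
            raw = self._take(2 * n if t == vaWString else n)
            return raw if t == vaBinary else raw.decode(_TEXT[t])
        if t == vaSet:  # identifiers terminated by an empty string
            items = []
            while (name := self._short_string()):
                items.append(name)
            return items
        if t == vaList:  # values terminated by vaNull
            items = []
            while self.data[self.pos] != vaNull:
                items.append(self._value())
            self._take(1)
            return items
        if t == vaCollection:  # each item: [index] vaList props... 0; then a final 0
            items = []
            while self.data[self.pos] != vaNull:
                if self.data[self.pos] in (vaInt8, vaInt16, vaInt32):
                    self._value()  # optional item index, ignored
                self._take(1)  # vaList opening the item
                items.append(self._properties("<item>"))  # eats the item's closing 0
            self._take(1)
            return items
        raise ValueError(f"unsupported value type {t}")
    def _properties(self, path):  # name/value pairs up to the empty name (a 0 byte)
        props = {}
        while (name := self._short_string()):
            props[name] = value = self._value()
            if isinstance(value, str):
                self.strings.append((path, name, value))
        return props
    def _object(self, parent):
        if self.data[self.pos] & 0xF0 == 0xF0:  # filer-flags prefix byte
            if self._take(1)[0] & 0x02:  # ffChildPos: an integer value follows
                self._value()
        cls, name = self._short_string(), self._short_string()
        path = f"{parent}.{name or cls}".lstrip(".")
        self._properties(path)
        while self.data[self.pos] != vaNull:  # child components end with a 0 byte
            self._object(path)
        self._take(1)
    def run(self):
        self._object("")
        return self.strings


def find_keys(dfm, needle="key"):
    """String properties whose name mentions `needle` (PrivateKey, PublicKey, ...)."""
    return [hit for hit in DfmReader(dfm).run() if needle.lower() in hit[1].lower()]


def _s(text):  # ShortString encoder, only used to build the sample below
    return bytes([len(text)]) + text.encode("latin-1")


# Constructed sample standing in for a form resource dumped from an EXE; the class
# names, property names and key values are invented for this example.
SAMPLE_DFM = (
    b"TPF0" + _s("TDemoForm") + _s("LicForm")
    + _s("Caption") + bytes([vaString]) + _s("Licensing demo")
    + _s("PrivateKey") + bytes([vaLString]) + struct.pack("<i", 32)
    + b"0123456789abcdef0123456789abcdef"
    + _s("TrialDays") + bytes([vaInt8]) + struct.pack("<b", 30)
    + _s("Visible") + bytes([vaTrue]) + b"\x00"  # end of LicForm's properties
    + _s("TLicenseStub") + _s("Lic1")  # child component
    + _s("PublicKey") + bytes([vaWString]) + struct.pack("<i", 8)
    + "SECRET01".encode("utf-16-le")
    + _s("TimeServer") + bytes([vaString]) + _s("pool.ntp.org")
    + b"\x00\x00"  # end of Lic1's properties, then of Lic1's children
    + b"\x00"  # end of LicForm's children
)
```

Run `find_keys(SAMPLE_DFM)` and both "keys" come back with the object they belong to; on a real form resource the same call lists whatever the component was configured with at design time. The lesson is not specific to AVLockGold: anything a licensing component asks you to type into the Object Inspector ships in the clear, so the only secrets a DFM may hold are ones the program can afford to publish.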
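Flaw 7 asks for a list of time servers with failover. Below is an added example of the minimal SNTP client and failover loop the review is asking for; it is the editor's code, not AVLockGold's and not Synapse's sntpsend.pas. The server names ntp-a/b/c.example and their replies are constructed so that the example runs offline; pass a real server list with the default udp_query transport to use it on the network. It also checks the reply's mode, leap indicator, stratum and a minimum plausible time, because a server that answers with garbage should be skipped exactly like one that times out.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
NTP_PACKET_LEN = 48
NTP_PORT = 123


def build_sntp_request():
    # First byte: LI=0, VN=4, Mode=3 (client); every other field zero.
    return bytes([0x23]) + bytes(NTP_PACKET_LEN - 1)


def parse_sntp_reply(pkt):
    """Return the server's Transmit Timestamp as Unix time; raise ValueError on junk."""
    if len(pkt) < NTP_PACKET_LEN:
        raise ValueError("short SNTP packet")
    if pkt[0] & 0x07 != 4:  # Mode 4 = server reply
        raise ValueError("not a server reply")
    if pkt[0] >> 6 == 3:  # LI=3: clock not synchronised
        raise ValueError("server clock unsynchronised")
    if not 1 <= pkt[1] <= 15:  # stratum 0 is a kiss-o'-death, >15 is unsynchronised
        raise ValueError(f"bad stratum {pkt[1]}")
    secs, frac = struct.unpack("!II", pkt[40:48])  # Transmit Timestamp, 64-bit fixed point
    if secs == 0:
        raise ValueError("zero transmit timestamp")
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def udp_query(server, timeout=2.0):
    """Default transport: one UDP round trip to `server` (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sntp_request(), (server, NTP_PORT))
        return s.recv(512)


def fetch_time(servers, query=udp_query, retries=2, min_time=0.0):
    """Ask each server up to `retries` times and return (server, unix_time) from the
    first usable reply. Replies earlier than `min_time` (for instance the build date
    of the protected program) count as failures. Raise RuntimeError only when every
    server on the list has failed, carrying the per-attempt reasons."""
    errors = []
    for server in servers:
        for attempt in range(1, retries + 1):
            try:
                t = parse_sntp_reply(query(server))
                if t < min_time:
                    raise ValueError(f"reply {t:.0f} is before min_time {min_time:.0f}")
                return server, t
            except (OSError, ValueError) as exc:  # timeout, refused, malformed, implausible
                errors.append(f"{server} try {attempt}: {exc}")
    raise RuntimeError("all time servers failed: " + "; ".join(errors))


def make_reply(unix_secs, frac=0, stratum=2, first_byte=0x24):
    """Build a server reply packet (used to construct the offline sample below)."""
    pkt = bytearray(NTP_PACKET_LEN)
    pkt[0], pkt[1] = first_byte, stratum
    struct.pack_into("!II", pkt, 40, unix_secs + NTP_EPOCH_OFFSET, frac)
    return bytes(pkt)


# Constructed stand-ins for three servers: the first times out, the second answers
# with a malformed packet, the third answers correctly (2010-02-21 00:00:00.5 UTC).
FAKE_NET = {
    "ntp-a.example": OSError("timed out"),
    "ntp-b.example": make_reply(1266710400, first_byte=0x23),  # mode 3: not a reply
    "ntp-c.example": make_reply(1266710400, frac=0x80000000),
}


def fake_query(server):
    reply = FAKE_NET[server]
    if isinstance(reply, Exception):
        raise reply
    return reply


if __name__ == "__main__":
    print(fetch_time(list(FAKE_NET), query=fake_query))  # ('ntp-c.example', 1266710400.5)
```

The failover is deliberately dumb: first usable answer wins. A checker that also wants to resist a poisoned or redirected server should query two servers from different operators and refuse to proceed if they disagree by more than a few seconds, which the same loop can do by collecting results instead of returning on the first one.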

Price
AVLock comes in 4 editions: free (who would want to copy-protect non-commercial software?), Basic at US$49.95 (without sources), Professional at US$76.95 (without sources) and Developer at US$149.95 (with sources).

Your reviewer thinks few people will want to license something that is roughly 70% open-source or freeware code. Your reviewer hopes that at least the author of AVLockGold donates some money to Sergey Kirichenko.



Thoughts on Leaks and Piracy
Your reviewer was thinking about the losses from software piracy and wondered whether the author of AVLockGold (and other Delphi vendors as well) would consider this suggestion:

Here is an interesting suggestion. Since there is chronic and persistent piracy (because Delphi users are cheats, liars and honorable thieves), why not stop giving away source code? Right now, as this article is written, the author of AVLockGold, Mr. Alcides Valega, is busy constantly deleting RapidShare, MediaOnline and other file-sharing links from which Delphi developers can download the full sources of AVLockGold. [Password: exclusive@(site), replace (site) with some worthless site.] The funny thing is, once one link is removed, 3 or 4 more file-sharing links are put up to replace it. The moderators of that site and others know about it too, and keep on making trouble.

Suppose other authors get fed up with this nonsense, such as TMS (whose authors must be busy deleting links to their software posted by honorable thieves), and consider releasing non-source versions of their software instead, with only partial sources (similar to IntraWeb and ReportBuilder). That is starting to look like a good idea.

Many years ago, Pirapati Reporter (now called ReportBuilder) had this same problem with piracy until they made their Enterprise version a non-source edition. That decision to switch from source to non-source made them very, very rich. The same goes for IntraWeb.

Your reviewer suggests, as an example, to the TMS Software guys:
TMS Software:
- US$299 (partial sources or some sources protected in DCU format)
- US$2999 (full sources)

TMS Scripter Pro
- US$199 (partial sources or some sources protected in DCU format)
- US$999 (full sources)

TMS GUI Motions
- US$199 (partial sources or some sources protected in DCU format)
- US$999 (full sources)

If they consider this kind of pricing, the TMS authors can become very rich. The price difference is meant as a deterrent against 'leaks' like this.

There should be a discussion: should component writers stop "giving away" sources, or keep selling components with source code?

Your reviewer thinks component writers like TMS, LMD and DevExpress should consider no longer giving full sources and go back to partial sources. That way they can get rich and profit from their work.

2 comments:

fabricioaraujo_rj said...

I know it's an old post, but let's go...

If Delphi binaries were like .NET assemblies (whose format doesn't change between release x and x+1 of Visual Studio) or even ActiveX, using partial sources or no sources would be ok.

But it's not the case. So partial or no binaries are not acceptable AT ALL.

Delphi VCL components without source have NO VALUE. It's for evaluation only.

IMHO, of course

Best regards
Fabricio

Chris said...

I think it would make no difference to stopping piracy because they will just crack the .dcu files.

I have been a TMS Software customer for years and would recommend them, but I would not buy the source code at the prices you suggest and would move away to other components that do give the source at a better price.

Thankfully they have not taken this decision and I am still with them.

Unfortunately, piracy will never be stopped and this would do nothing other than hurt the developers that actually do buy things and "are" honest and possibly themselves also. In essence, I do not agree with you ;)