Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am in the process of exploring the software protection schemes for my company. Sure enough, there are so many alternatives and almost all of them give a facility to limit:
Number of usage (executions)
Number of days
Now if I think about it, there must be some place in computer where "number of times the application has been used" or "number of days it has been used for" is stored. Here I assume that an application protected using one of these mechanism would NOT require it to run with Administrative privileges. And I understand that an application with normal user rights cannot modify a place which affects other users. Which would mean that if an application is expired for user A, it will still run for user B (which looks foolish enough). I wonder what place these schemes can possibly hide their information in to make it work?
They just hide it somewhere where it is hard to find, for example in a data file of the application or somewhere deep in the registry. So for timed limits (runs until April, 4th), you can use the date of a file or write the installation date somewhere in the registry (not the usual places; they write it below an odd key in the drivers section where you have lots of random 64 character keys). These keys can then additionally protected (removing write access for anyone).
The "number of times" limits needs to write the key, though, so the "limited access" scheme doesn't work (or works against the protection). These places have no protection but the fact that no one knows where the information is stored. A good place is somewhere in the middle of a huge data file: That makes it hard for the cracker to find even when they figure out the counter must be somewhere in that file.
That said, most good software sells because it's good, not because it's protected.
I believe the only way do do this kind of stuff reliably is some kind of client-server scheme. E.g. your company has a license server, and the client's software queries the server every time it runs. Of course this requires a working internet connection, which is not always available...
Sure you can write something to registry, but nothing prevents the user modifying it.
I know some protection mechanisms that require to be run with administrative privileges at least once (e.g. during installation). I assume they set up a place in a non-user-specific location (e.g. under HKEY_LOCAL_MACHINE or ProgramFiles or even WinDir) and also set write permissions for (authenticated) users to that location.
"And I understand that an application with normal user rights cannot modify a place which affects other users" - this sentence is where you are misunderstanding.
The application can store this sort of information in a file, in the registry (under windows) or possibly even in its own code or data files.
For example, a user can save a text file so another user may or may read it. Permissions can keep things private to only one user, but code is usually free to make a file readable by any user on almost any operating system.
I wonder what place these schemes can
possibly hide their information in to
make it work?
At least under Windows, the registry would be the common data store accessible to all users.
Software protections store time trial info either into the registry or into a file. You can use programs such as registry and file monitor in order to have a quick idea about the attempts of reading this data from the registry or from a file.
Another way is through reverse engineering. With the use of a debugger you can place breakpoints on the well known win APis that are used for this scope such as RegOpenKeyEx/RegQueryValueEx for reading data from the registry and CreateFile/ReadFile/GetFileSize etc in order to read info from a file.
You should consider reading the documentation of those API onto the MSDN.
Related
I am trying to get input from the user that the program will remember every time it runs. I want to do this in C. Based on my limited knowledge of computers, this will be stored in the storage/hard drive/ssd instead of the RAM/memory. I know I could use a database, or write to a text file, but I don't want to use an external file or a database, since I think that a database is a bit overkill for this and an external file can be messed with by the user. How can I do this (get the user to enter the input once and for the program to remember it forever)? Thanks! (If anyone needs me to clarify my question, I'd be happy to do so and when I get an answer, I will clarify this question for future users.)
People have done this all kinds of ways. In order from best to worst (in my opinion):
Use a registry or equivalent. That's what it's there for.
Use an environment variable. IMO this is error prone and may not really be what you want.
Store a file on your user's computer. Easy to do and simple.
Store a file on a server and read/write to the server via the network. Annoying that you have to use the network, but OK.
Modify your own binary on disk. This is fun as a learning experience, but generally inadvisable in production code. Still it can be done sometimes especially using an installer.
Spawn a background process that "never" dies. This is strictly worse than using a file.
You won't be able to prevent the user from modifying a file if they really want to. What you could do is create a file with a name or extension that makes it obvious that it should not be modified, or make it hidden to the user.
There isn't really any common way that you could write to a file and at the same time prevent the user from accessing it. You would need OS/platform level support to have some kind of protected storage.
The only real alternative commonly available is to store the information online on a server that you control and fetch it from there over the network. You could cache a cryptographically signed local copy with an expiration date to avoid having to connect every time the program is run. Of course if you are doing this as some kind of DRM or similar measure (e.g., time-limited demo), you will also need to protect your software from modification.
(Note that modifying the program itself, which you mentioned in a comment, is not really any different from modifying other files. In particular, the user can restore an earlier version of the program from backup or by re-downloading it, which is something even a casual user might try. Also, any signature on the software would become invalid by your modifications, and antivirus software may be triggered.)
If you simply wish to hide your file somewhere to protect against casual users (only), give it an obscure name and set the file hidden using both filesystem attributes and naming (in *nix systems with a . as the first character of file name). (How hidden you can make it may be thwarted by permissions and/or sandboxing, depending on the OS.)
Also note that if your goal is to hide the information from the user, you should encrypt it somehow. This includes any pieces of the data that are part of the program that writes it.
edit: In case I guessed incorrectly and the reason for wanting to do this is simply to keep things "clean", then just store it in the platform's usual "user settings" area. For example, AppData or registry on Windows, user defaults or ~/Library/Application Support on macOS, a "dotfile" on generic *nix systems, etc. Do not modify the application itself for this reason.
If you want to persist data, the typical way to that is to store it to a file. Just use FILE* and go about your business.
Using a database for this may be an overkill, it depends on how you want to later access the data once it is stored.
If you just load the data from the file and search through it, then there is no need for a database, if you have loads of data and want to make complex searches, then a database is the way to go. If you need redundancy, user handling, security then choose a database, since the developers of each one already spent a lot of time fixing this.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am at the first experience of releasing my windows application and I don't have a cue how I should move on. Here my question:
I have my own website running on hosting. I would like to implement a customer
portal so after receiving an order I will provide a username and password via email
where users can download the activation code. I know that this is a big question...How to protect my application against duplication? Do you know what is the "best" solution to apply license system to my software?
How I can force the application to be excuted just on specific pc? Is it complex to achive?
In this scenario should I create a new build for each user so the activation key will
unblock just the right build?
If so I understand that each profile will have its own build file along with activation code and a sort of service agreement information (i.e. 1 year of free updateds).
Again I see it to complex to manage, for every changes in the application I need to compile, build and upload new version...? Ok... my application right now is a simple exe file with some folders and xml configuration files but what in future...?
Is it possible just to share among all user a single application file which can be activated by using the user activation code (in this scenario user will have his own profile just for activation key and SA information). what about security? if someone share the activation code I guess the application can be unblocked anywhere.
Should I implement the customer portal on a dedicated server (i.e) ? I don't have possibility to install my own server. What do you think about virtual server on ISP?
What about invoicing and ordering process? You think that an ecommerce commercial solution is a good choice? For istance I was thinking to get order via email or fax and then process the license (still don't know how) and send invoice whith information for payment (i.e wire tranfer). What do you think?
If the software it would cost (still don't know the price) let's say less then 30 dollars does it make sense to use as payment method a wire tranfer? What about share-it.com? Is it safe? Do they also handle customer portal?
Thanks a lot.
The usual way to prevent users from just replicating your application on many machines is 'node-locking' - at runtime the application checks that certain machine parameters match the values recorded in an encrypted license key or activation record. The Ethernet MAC address is a popular locking parameter, but this is not a good choice as on some systems the MAC address can be set or spoofed. A combination of parameters such as Windows ID, machine name, perhaps user log-in name etc. is more secure.
To issue a license you either request these details from the user or have them run a small utility that writes them to a file they send to you. You can then encrypt them in the license key, which can also contain other information such as a trial or subscription time limit, feature configuration info etc.
Alternatively, all this can be done automatically using [product activation][2]. When your application first runs it connects to a hosted license server, checks it is a valid license, and automatically reads the names of the locking parameters on its host, so it can then encrypt them and persist them in a local file it then reads each time it runs after that (so the app does not need to connect to the server again after the initial validation). If you go the activation route it is much more convenient for you and your users.
Whatever route you go, you need to think about:
- Integration with your chosen ecommerce provider/payment processor?
- How to handle users who don't have an Internet connection?
- How to support users who want to relocate their license, perhaps because they bought a new system? Can you ensure they have only one copy active at any one time? (and you may also want to limit how often they can relocate their license).
- If you lock to several machine parameters, can your locking system accommodate the user upgrading part of their system, so potentially causing one of the node-locking parameters to change?
- If the user's system crashes, how can they get their license running again on another machine?
- How do you issue trial licenses?
- How do you protect against people who try to hack your license protection?
- Might you in future want to configure features in your product e.g. offer different price points, or different combinations of features to different types of users. Can your licensing system handle this?
All these issues and more have of course already been considered and resolved by competent commercial licensing systems.
i would go with similar system to what i have seen used by Nod32 ( which is why i don't use it anymore, but still suggest to buy for everyone else ).
Application has two states: demo and full.
You can use the demo version for time period of 30 month.
And each application has a product key, which is daily verified against remote server. If verification fails, application slips back into demo mode.
If the verification server is unreachable, you show user a message that "verification server unreachable, check your connection or verify manually". Then try again in an hour. If for .. lets say .. 3 days application hasn't been verified. It does into demo mode.
If user, which has connection issues clicks on notification bubble, he sees a view containing information about how to verify manual or button for "try again".
For manual verification you have a generated code (based on his hardware data), which he can enter in your website together with his product key. And get a number for manual verification.
my 2 cents.
How I can force the application to be excuted just on specific pc? Is
it complex to achive?
You can store his computer ID/Key pair in your database.
In this scenario should I create a new build for each user so the
activation key will unblock just the right build?
No. Definitely you do not want to create 1000 builds for 1000users.
If so I understand that each profile will have its own build file
along with activation code and a sort of service agreement information
(i.e. 1 year of free updated).
It is easy to manage it with a right tool. You can ‘bind’ each key to a specific version range of your product (say v1.0.00 – v2.0.00) or specify the validity period of the key ( SaaS scheme)
Is it possible just to share among all user a single application file
which can be activated by using the user activation code ..?
Yes. It’s called floating or network licenses.LAN license server allows to run some limited number of product’s instances in corporate network. This approach is widely used by corporate customers.
Should I implement the customer portal on a dedicated server (i.e) ? I
don't have possibility to install my own server. What do you think
about virtual server on ISP?
It depends on what you mean under ‘own server’. You can’t run separate daemon/process on shared hosting, you need VPS or dedicated server. But you can use the solutions that are present on the market already.
Why do you need to implement activation system yourself? And run servers yourself? It may appear a far more complicated and costly as it seems.
ActivationCloud https://activation-cloud.com provides a good set of features that can fit needs of ISVs that is selling software to home and corporate user. Consider to use it.
Read my question "A licensing system for my (WinForms) application. Would this be secure enough? (Within reason)"
I listed a few possibilities.
Mainly, I noticed that you wanted the program to be only runnable on a specific PC, for which I used a function which returns a unique code for each PC, and required it to be the last 5 characters of the Product Key.
Hope this helped. :)
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I'm developing some software that I'm going to eventually sell. I've been thinking about different copy protection mechanisms, both custom and 3rd party. I know that no copy protection is 100% full-proof, but I need to at least try. So I'm looking for some opinions to my approach I'm thinking about:
One method I'm thinking about is just having my software connect to a remote server when it starts up, in order to verify the license based off the MAC address of the ethernet port.
I'm not sure if the server would be running a MySQL database that retrieves the license information, or what... Is there a more simple way? Maybe some type of encrypted file that is read?
I would make the software still work if it can't connect to the server. I don't want to lock someone out just because they don't have internet access at that moment in time. In case you are wondering, the software I'm developing is extremely internet/network dependant. So its actually quite unlikely that the user wouldn't have internet access when using it. Actually, its pretty useless without internet/network access.
Anyone know what I would do about computers that have multiple MAC addresses? A lot of motherboards these days have 2 ethernet ports. And most laptops have 1 ethernet, 1 wifi and Bluetooth MAC addresses. I suppose I could just pick a MAC port and run with it. Not sure if it really matters
A smarty and tricky user could determine the server that the software is connecting to and perhaps add it to their host file so that it always trys to connect to localhost. How likely do you think this is? And do you think its possible for the software to check if this is being done? I guess parsing of the host file could always work. Look for your server address in there and see if its connecting to localhost or something.
I've considered dongles, but I'm trying to avoid them just because I know they are a pain to work with. Keeping them updated and possibly requiring the customer to run their own license server is a bit too much for me. I've experienced that and it's a bit of a pain that I wouldn't want to put my customers through. Also I'm trying to avoid that extra overhead cost of using 3rd party dongles.
Also, I'm leaning toward connecting to a remote server to verify authentication as opposed to just sending the user some sort of license file because what happens when the user buys a new computer? I have to send them a replacement license file that will work with their new computer, but they will still be able to use it on their old computer as well. There is no way for me to 'de-authorize' their old computer without asking them to run some program on it or something.
Also, one important note, with the software I would make it very clear to the user in the EULA that the software connects to a remote server to verify licensing and that no personal information is sent. I know I don't care much for software that does that kinda stuff without me knowing.
Anyways, just looking for some opinions for people who have maybe gone down this kinda road.
It seems like remote-server-dependent-software would be one of the most effective copy-protection mechanisms, not just because of difficulty of circumventing, but also could be pretty easy to manage the licenses on the developers end.
Remember, if someone wants to pirate your software, they will. Generally, they don't even bother with emulating the license server, they just insert a jmp around all license check code. You can make this more difficult (self modifying code, checks everywhere, code which is not delivered until the license check succeeds, etc), but it becomes a full time job doing license enforcement.
You are trying to stop casual pirates, which is fine. Doing a simple HTTP request to a license server, with the license code and MAC ID in a hash is a legitimate method. Have an easy way to "unregister" computers (its reasonable to move the license amongst machines or to install it on someone's laptop IMO), and don't do a hard lockout once something changes. Decent models are iTunes DRM (5 computers, deauthorization, and a global reset) and Windows (fuzz factor based on how different the computers are).
If the software is not internet accessible or the organization dislikes it, the general practice is to have a license server on customer network which manages the authorization portion. There is established middleware for this already (FlexLM amongst others). Maintaining a license server is a PITA most IT departments balk at, so if you can piggy back on existing infrastructure, the more acceptable your solution becomes.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
By best I mean more time tested, easier to implement and easier for the users to work with. I do not want my licensing crap to interfere with their work.
I was thinking of launching a WCF service that check with my license DB if it's a valid license and if it is, send a True.
If the returned response is False, then shut down the program after telling them to fix their license.
Do you think this is a good way to handle it?
You will need to develop or find an algorithm that creates sufficiently complex strings for your license keys.
Generate the license key based on some bit of information unique to a user, like their E-Mail address.
Your program would then require the user to enter their E-Mail address and license key. It would then ensure the license key is correct by running the same algorithm you did to generate it in the first place.
The approach i have used in the past is a simple one but effective. I generate about a 1000 keys to my software and run them through a hashing algorithm. I then include them within my program (maybe as an array which takes up little space)
I then give out one unique key of the 1000 generated to each customer and when they enter that into my software it is hashed with the same hashing algorithm and compared against the included hashes. If it compares true you are registered so save it in your config file.
Every so often i update the program by another build number and recreate the keys and hashes included in that build. You just have to keep track of what keys go with what build, but you can control this with a nice database, etc.
Never had any trouble with this system as it can all be fully automated.
You could try generating license keys strings using the user's name + dob + user-selected-password.
OR
Use the user's h/w serial numbers and give them a license key online post install. I am assuming at this point only one computer per license is allowed.
Pinging the web service will not work if a net connection is not available. You should use a combination of pinging and a grace period. If a customer cannot validate/activate the license within 'X' number of days, THEN you declare it as unlicensed.
Try CryptoLicensing which supports this scenario.
I suggest you take a look at OffByZero Cobalt (obligatory disclaimer: it's produced by the company I co-founded). You're better off buying an existing proven solution than rolling your own.
As we point out in Developing for Software Protection and Licensing:
We believe that most companies would
be better served by buying a
high-quality third-party licensing
system. This approach will free your
developers to work on core
functionality, and will alleviate
maintenance and support costs. It also
allows you to take advantage of the
domain expertise offered by licensing
specialists, and avoid releasing
software that is easy to crack.
I'm about to get finished developing a windows application which I want to release as shareware. It was developed in C# and will be running on .Net 3.5+ machines.
To use it the user will have to be online.
My intent is to let the user try it for 30 days and then limit its functionality until a registration is purchased.
The installer will be made available via an msi file.
Could anyone give the general steps on how to implement this?
Here are some more specific questions:
Since I am trying to avoid having to invest a lot upfront in order to establish an e-commerce site, I was thinking of a way to just let the user pay somehow, while supplying his email in which he then receives the unlock key.
I found some solutions out there like listed here:
Registration services
I am still not sure, if they are the way to go.
One of my main concerns is to prevent the reuse if a given serial, e.g. if two users run the program with the same serial at the same time, this serial should disabled or some other measure be taken.
Another point is, that my software could potentially be just copied from one computer to the other without using an installer, so to just protect the installer itself will not be sufficient.
Maybe someone who already went though this process can give me some pointers, like the general steps involved (like 1. Get domain, 2. Get certain kind of webhost ....) and address some of the issues I mentioned above.
I'm thankful for any help people can give me.
I don't have a useful answer for you, but I did have a couple observations I wanted to share that were too large to fit in a comment. Hopefully someone else with more technical expertise can fill in the details.
One of my main concerns is to prevent the reuse if a given serial, e.g. if two users run the program with the same serial at the same time, this serial should disabled or some other measure be taken.
To ensure that two people aren't using the same serial number, your program will have to "phone home." A lot of software does this at installation time, by transmitting the serial number back to you during the installation process. If you want to do it in real time, your application will have to periodically connect to your server and say "this serial number is in use."
This is not terribly user friendly. Any time that the serial number check is performed, the user must be connected to the Internet, and must have their firewall configured to allow it. It also means that you must commit to maintaining the server side of things (domain name, server architecture) unchanged forever. If your server goes down, or you lose the domain, your software will become inoperative.
Of course, if a connection to your service specifically (rather than the Internet in general) is essential to the product's operation, then it becomes a lot easier and more user friendly.
Another point is, that my software could potentially be just copied from one computer to the other without using an installer, so to just protect the installer itself will not be sufficient.
There are two vectors of attack here. One is hiding a piece of information somewhere on the user's system. This is not terribly robust. The other is to check and encode the user's hardware configuration and encode that data somewhere. If the user changes their hardware, force the product to reactivate itself (this is what Windows and SecuROM do).
As you implement this, please remember that it is literally impossible to prevent illegal copying of software. As a (presumably) small software developer, you need to balance the difficulty to crack your software against the negative effects your DRM imposes on your users. I personally would be extremely hesitant to use software with the checks that you've described in place. Some people are more forgiving than I am. Some people are less so.
The energy and effort to prevent hacks from breaking your code is very time consuming. You'd be better served by focusing on distribution and sales.
My first entry into shareware was 1990. Back then the phrase was S=R which stood for Shareware equals Registered. A lot has changed since then. The web is full of static and you have to figure out how to get heard above the static.
Here's somethings I've learned
Don't fall in love with your software. Someone will always think it should work differently. Don't try and convert them to your way of thinking instead listen and build a list of enhancements for the next release.
Learn how to sell or pay someone to help you sell your stuff
Digital River owns most of the registration companies out there
Create free loss leaders that direct traffic back to you
Find a niche that is has gone unmet and fill it
Prevent copying: base the key on the customer's NIC MAC. Most users will not go to the trouble of modifying their NIC MAC. Your app will have a dialog to create and send the key request, including their MAC.
The open issue is that many apps get cracked and posted to warez sites. Make this less likely by hiding the key validation code in multiple places in your app. Take care to treat honest users with respect, and be sure your key validation does not annoy them in any way.
Make it clear that the key they are buying is node locked.
And worry about market penetration. Get a larger installed base by providing a base product that has no strings attached.
cheers -- Rick