About code protection.
-
Hi all, I am trying to protect software that I have written from being pirated (Vb for Compact Framework). Code is designed for Mobile Devices. One thing that I thought about doing was when a user purchases software they must reigster it first, before it will run. To register they will receive a number which they punch into the program the program will then write an entry to the windows registry to advise the program this software is licenced. Every time the program starts up it will check the windows registry to see if it is registered or not before allowing full functionality. Is windows registry safe from hacking? Is there a better way to achieve a similar result? How to generate the key-number? Are there other ways to implement a protection? Thanks for help and/or suggestions
modified on Monday, September 14, 2009 5:28 PM
-
Hi all, I am trying to protect software that I have written from being pirated (Vb for Compact Framework). Code is designed for Mobile Devices. One thing that I thought about doing was when a user purchases software they must reigster it first, before it will run. To register they will receive a number which they punch into the program the program will then write an entry to the windows registry to advise the program this software is licenced. Every time the program starts up it will check the windows registry to see if it is registered or not before allowing full functionality. Is windows registry safe from hacking? Is there a better way to achieve a similar result? How to generate the key-number? Are there other ways to implement a protection? Thanks for help and/or suggestions
modified on Monday, September 14, 2009 5:28 PM
Well man depends upon the software Licensing that your software licensing policy is PC wise or on Per users their are several ways to achieve this but depends upon the policy , anyways you can encrypt your registry values as well as if its pc wise then can get the serial number of board or hard drive and can use digital signing as well as
Best Of Regards, SOFTDEV If you have knowledge, let others light their candles at it
-
Well man depends upon the software Licensing that your software licensing policy is PC wise or on Per users their are several ways to achieve this but depends upon the policy , anyways you can encrypt your registry values as well as if its pc wise then can get the serial number of board or hard drive and can use digital signing as well as
Best Of Regards, SOFTDEV If you have knowledge, let others light their candles at it
Hi, Thanks for reply The program is designed to be installed on mobile devices (windows Mobile). Licensing will be per user, but I have not clear ideas about. Mobile devices have an unique ID identificator, but I don't undestood how to exploit it, and first of all, how to relate it to a key-number. I read the Unique Device-ID of my device, but I noted that using different sample-routine, the result is a different (or differentely formatted)ID. I not found on the web exaustive documentation or articles about. Ignazio
modified on Tuesday, September 15, 2009 4:13 AM
-
Hi, Thanks for reply The program is designed to be installed on mobile devices (windows Mobile). Licensing will be per user, but I have not clear ideas about. Mobile devices have an unique ID identificator, but I don't undestood how to exploit it, and first of all, how to relate it to a key-number. I read the Unique Device-ID of my device, but I noted that using different sample-routine, the result is a different (or differentely formatted)ID. I not found on the web exaustive documentation or articles about. Ignazio
modified on Tuesday, September 15, 2009 4:13 AM
If you can get an id, and your device is always online, you can tie a license key to a device id, and check it when the app starts.
Christian Graus Driven to the arms of OSX by Vista. Read my blog to find out how I've worked around bugs in Microsoft tools and frameworks.
-
If you can get an id, and your device is always online, you can tie a license key to a device id, and check it when the app starts.
Christian Graus Driven to the arms of OSX by Vista. Read my blog to find out how I've worked around bugs in Microsoft tools and frameworks.
Hi, Application is a normal stand-alone static appl, not an online appl. I think that the device-ID is the equivalent of the board-serial number of a PC, and then can be applied same way to protect code on a PC. Ignazio
modified on Tuesday, September 15, 2009 4:28 AM
-
Hi all, I am trying to protect software that I have written from being pirated (Vb for Compact Framework). Code is designed for Mobile Devices. One thing that I thought about doing was when a user purchases software they must reigster it first, before it will run. To register they will receive a number which they punch into the program the program will then write an entry to the windows registry to advise the program this software is licenced. Every time the program starts up it will check the windows registry to see if it is registered or not before allowing full functionality. Is windows registry safe from hacking? Is there a better way to achieve a similar result? How to generate the key-number? Are there other ways to implement a protection? Thanks for help and/or suggestions
modified on Monday, September 14, 2009 5:28 PM
There other ways to implement such security but this depends alot on what your software does, hows its installed, does it access the web (permanently/once), architecture, are there corporate licenses you will sell etc. i would suggest you base your security on serials unique to a particular mobile device (hardware) for instance on cell phones IMEI or a devices blue tooth MAC address. relying on windows registry means an environment can be replicated where someone can try their level best to crash your software protection because windows is readily available plus your software must conform to certain rules to run on the system. Free Idea: user installs app, software gets hardware device ID, software sends ID to your server, your server runs algorithm on ID and processes payment, server emails software license code plus thank you for support... sweet nothings, user enters code and presto! access granted. Remember that in effect what you are protecting are the license codes because technically thats what your selling right? So if a code is entered in any other mobile device it won't work because the algorithm run to decrypt the code and the device ID do not match. For single user licenses this is tried and tested on many android apps I've deployed but Obviously this technique must be thought out if you intend to have corporate licenses for thousands of devices on one bulk purchase :) My 2 cents
-
There other ways to implement such security but this depends alot on what your software does, hows its installed, does it access the web (permanently/once), architecture, are there corporate licenses you will sell etc. i would suggest you base your security on serials unique to a particular mobile device (hardware) for instance on cell phones IMEI or a devices blue tooth MAC address. relying on windows registry means an environment can be replicated where someone can try their level best to crash your software protection because windows is readily available plus your software must conform to certain rules to run on the system. Free Idea: user installs app, software gets hardware device ID, software sends ID to your server, your server runs algorithm on ID and processes payment, server emails software license code plus thank you for support... sweet nothings, user enters code and presto! access granted. Remember that in effect what you are protecting are the license codes because technically thats what your selling right? So if a code is entered in any other mobile device it won't work because the algorithm run to decrypt the code and the device ID do not match. For single user licenses this is tried and tested on many android apps I've deployed but Obviously this technique must be thought out if you intend to have corporate licenses for thousands of devices on one bulk purchase :) My 2 cents
Hi, Thanks for reply and your several suggestion. I want give some more details about my specific case and what I want obtain: 1)- My application not need installation, because it consists in a simple EXE file (running in Compact framework provided devices) to be simply copied on device. 2)- My application is not provided of internet access. 3)- I am interested only to sell single user licences, not corporate licences. Actually I installed on my PDA, a software (not mine)that to make it fully working, I buyed a registration-key and I received it via E-mail. To be fully working the software, I must entered in it only my full Name + a registration-key. And then apparentely it is not read and/or to used the hardware Device-ID. How works this kind of protection? Ignazio
-
Hi, Thanks for reply and your several suggestion. I want give some more details about my specific case and what I want obtain: 1)- My application not need installation, because it consists in a simple EXE file (running in Compact framework provided devices) to be simply copied on device. 2)- My application is not provided of internet access. 3)- I am interested only to sell single user licences, not corporate licences. Actually I installed on my PDA, a software (not mine)that to make it fully working, I buyed a registration-key and I received it via E-mail. To be fully working the software, I must entered in it only my full Name + a registration-key. And then apparentely it is not read and/or to used the hardware Device-ID. How works this kind of protection? Ignazio
Er okay Ignazio, First thing, the example you gave is a poor attempt at security. Why? nothing stops someone from simply using the same full Name + a registration no A.K.A key on another device! because your application is designed to accept any valid key, so if my friend bought a key i could just borrow it and use his name and I could just take the same app and replicate it on several devices, or worse if i crack the algo on it i could make my own keys to sell because the keys and en/decryption technique are stored locally on the device, not a good idea. However if this is sufficient "protection" for your app then hey who am i to talk... as for how it works? there way too many books that could best educate you on that :) If all else fails u can also try 1. a query for a unique ID of the mobile device through lineGetGeneralInfo or such similar API i.e.TAPI functions. check out msdn for more info here http://msdn.microsoft.com/en-us/library/aa458219.aspx[^] or make another small app just to extract that serial. 2. once your application extracts the serial/IMEI number of the device and displays it to the user, they can then enter it on say your website where they have a registered account. in other words they pay for the license and can then login onto your website where your server side encryption algorithm is running. 3. They can now enter the serial as displayed on the mobile device and receive an instant key unique to there device. 4. When the user fires up the application on their device, it will check the serial against the stored key before starting. This way you keep your key encryption technique away from prying curiosity of would be crackers. you will need to make changes to your application to incorporate security i.e. decrypting the key against the serial of the device. there are several readily available techniques to do this. in fact i think there's an entire .net class that can help you do this check out on msdn. Anyway hope i helped a little, All the best
-
Er okay Ignazio, First thing, the example you gave is a poor attempt at security. Why? nothing stops someone from simply using the same full Name + a registration no A.K.A key on another device! because your application is designed to accept any valid key, so if my friend bought a key i could just borrow it and use his name and I could just take the same app and replicate it on several devices, or worse if i crack the algo on it i could make my own keys to sell because the keys and en/decryption technique are stored locally on the device, not a good idea. However if this is sufficient "protection" for your app then hey who am i to talk... as for how it works? there way too many books that could best educate you on that :) If all else fails u can also try 1. a query for a unique ID of the mobile device through lineGetGeneralInfo or such similar API i.e.TAPI functions. check out msdn for more info here http://msdn.microsoft.com/en-us/library/aa458219.aspx[^] or make another small app just to extract that serial. 2. once your application extracts the serial/IMEI number of the device and displays it to the user, they can then enter it on say your website where they have a registered account. in other words they pay for the license and can then login onto your website where your server side encryption algorithm is running. 3. They can now enter the serial as displayed on the mobile device and receive an instant key unique to there device. 4. When the user fires up the application on their device, it will check the serial against the stored key before starting. This way you keep your key encryption technique away from prying curiosity of would be crackers. you will need to make changes to your application to incorporate security i.e. decrypting the key against the serial of the device. there are several readily available techniques to do this. in fact i think there's an entire .net class that can help you do this check out on msdn. Anyway hope i helped a little, All the best
Hi Samuraiii, You helped me very much. Then you suggest me to apply something like this : A simple software key useful to protect software components[^] Is it correct? Thanks Ignazio
-
Hi Samuraiii, You helped me very much. Then you suggest me to apply something like this : A simple software key useful to protect software components[^] Is it correct? Thanks Ignazio
Yes something along those lines would be a much better license protection system. Not perfect but much better.