I am currently using WMI to query various details about the underlying hardware in order to uniquely identify a machine. To this end, I came across a field called "Signature" under "Win32_DiskDrive". Is this signature unique across machines (globally)? Can this be used reliably to identify the machine?
Thanks,
Ananth
In my experience, it is not always, but may be often enough for your purposes.
My company makes software that, among other things, generates VMs from physical machines. One of the problems we had to solve when doing this was how to preserve the disk signature, since the signature is used by Windows to identify the disk. It is possible to create another disk with the same signature if you know where the signature is stored in the master boot record.
So the answer is it depends. If you assume the signature uniquely identifies the machine, and you run into a situation where someone has cloned a disk or otherwise obtained a duplicate signature, how will your app respond? How serious a problem would that be? If the answer is 'not that serious' maybe it's good enough for your purposes.
You might also consider the MAC address on the machine's Ethernet card. This is (more or less) guaranteed to be unique, and if it's not they have other problems (like ARP resolution issues).
Related
Im building a small winforms app using: ayende rhino licensing. The licensing is working fine, I can create licences and distribute them as I choose.
The problem is, How do I make each license work on just one machine? I know there is a class in ayende's project called LicensingService which I believe does something like what I'm trying to do, but I just cant figure it out. I've done quite a bit of searching and couldnt really find any tutorials except this one.
Maybe someone has implemented this, or has some tips on how I could accomplish this? I do have access to a webserver, if that helps.
Any help is much appreciated, as always.
Depends how annoying you want to make it for your users to be honest. You could implement a HWID (see How to fast get Hardware-ID in C#? on how to generate them) which will be unique from system to system, then have your program check if the HWID matches the ID found to the place you store them on-line (usually by using a database).
Needless to say, this will make your application require internet connection in order to run which might be a bit frustrating for your users.
Or you can merge the HWID with the serial and have your application do the same to verify if they match, but that would be easily cracked by the average cracker.
In the end of the day, .net isn't the best as far as security goes since you can easily get the source code and modify the assemblies as needed to patch certain protections. Keep that in mind when deciding what route you want to take to protect your software.
I do not know what exactly is a rhino licensing. To tackle your need generally there are two approaches.
Either give some randomly generated password to the client machine, and maintain a pool of passwords in your server. Each time a password is entered to register the application in a local machine, check if it was already registered elsewhere by connecting to your server via internet.
Or, what we do is, generate a code unique to that machine (perhaps a hash of some unique machine id, say mac id) and get the client sent it to you. You would then rehash the code and send it back using some logic. Now when the client enters this code to his machine do the same thing: fetch the very machine id, do the same rehashing using the same some logicand check if it matches.
I cant think of anything else
For simple copy-protection purposes, I would like to generate a small string or int value to (somewhat) uniquely identify the current computer. Ideally this value won't change after simple hardware peripheral changes, or even hopefully after a complete re-installation of Windows.
Most of the answers found here and elsewhere are unsatisfactory for three main reasons:
The code presented isn't easily portable to C#.
The hardware values suggested are often unusable/empty (e.g. the processor ID or even the hard drive serial number) or unstable (e.g. the MAC address).
The code involved requires elevated admin privileges.
I have searched through several posts and found a helpful article (How To Get Hardware Information), but since #3 is an important consideration in my case, I'm not sure what hardware info I can retrieve with just normal user privileges.
Regarding #2, I imagine the best solution is to simply append a few different values together, but which ones? Any help is greatly appreciated, especially if it includes or points to C# code. :D
I think you're going to have a hard time meeting this criteria because uniquely identifying the machine may be a functionality that is only intended for administrators. If this isn't the case now I'd imagine it will be as time goes on due to rising privacy concerns.
I need some ideas how to create a activation algorithm. For example i have demo certificate. Providing that the application runs in demo mode. When full version certificate is provided then application runs in full mode.
Is it even possible and how would be a good way creating this system?
One simple was i was thinking would be just have a 2 encrypted strings, now when the decryption is succsessful with the demo public key certificate then the application will run in demo mode and etc..
You could do something like:
Generate public/private key pair
As owner of private key, you can sign those "activation certificates" (called AC from now on)
In your app, with public key, you can check if the sign is correct
As Overbose mentioned -- you can't prevent reverse engineering. In general someone could take functionality and put it in his/hers own app and thus eliminate any possible activation algorithm. So you can only assume (or make) this is hard enough not to be worth the effort (this is the same as for cryptography -- when you make the cost of breaking the message greater then the profit of gaining it you can say it is well secured).
So you could:
Make executable self-verifying (signed by you, self-checking based on hard-coded public key (one thing: you must skip this value when self-checking)).
Do some tricks with pointers (point to the activation function, go to 7th bit and change value of it for something based on value of another pointer; in some weird places change hard-coded values to those based on occurrence of some bits in other places of the code; generally -- make it more difficult to break than by simply changing bits in executable with hex editor)
Try to make some protocol that your server would use to ask questions about the app ("gimme the value of 293 byte of yourself") and check answers.
Use imagination and think of some weird self-checking method nobody used before :)
As mentioned -- none of this is secure from cutting the authentication part off. But nothing is and this could make it harder for crackers.
Background: I've deployed an activation based system built on top of a third-party license system, i.e. server, database, e-commerce integrations. I've also separately written a C# activation system using RSA keys, but never deployed it.
Product Activation commonly means that the software must be activated on a given machine. I assume that's what you mean. If all you want to do is have two strings that mean "demo" and "purchased", then they will be decrypted and distributed within hours (assuming your product is valuable). There is just no point.
So. assuming you want "activation", then when the user purchases your software, the following process needs to happen:
Order-fulfillment software tells Server to generate "Purchase Key" and send to user
User enters "Purchase Key" into software
Software sends Purchase Key and unique Machine ID to server.
Server combines Purchase Key and Machine ID into a string and signs it with its certificate and returns it to user.
Software checks that signature is valid using Servers public key.
Software could check in lots of places: loading the sig in lots of places, checking it in others.
When generating Purchase Keys, the server can store not only what produce was purchased, but what level of product. You can also have "free" products that are time limited, so the user can try the full version of the software for 30 days.
You are using C#, so make sure you obfuscate the binaries, using dotfuscator or equivalent. However, even with that there is nothing you can do against a determined hacker. Your goal, I assume, is to force non-paying users to either be hackers themselves, or to have to risk using a cracked version: kids wont care, corporations might. YMMV.
The code that does the checking needs to be in every assembly that needs protecting, otherwise an attacker can trivially remove protection by replacing the assembly that does the checking. Cut and paste the code if you have to.
Or just buy something.
Another option is to have the server pre-generate "Purchase Keys" and give them to the Order fulfillment service, but then you dont get to link the key to the customers details (at least not until they register). Better to have the ecommerce server hit your server when a purchase has been made, and have your server send it out.
The hard part isn't so much the generation of activation keys as it is the creation of the server, database, and the integration with e-commerce software, and most of all, human issues: do you allow unlimited installs per Purchase Key? Only 1? If only 1 then you have to have customer-support and a way to allow a user to install it on a new machine. That's just one issue. All sorts of fun.
This guy wrote a blog post about a similar idea, explaining what he did with their own commercial software. Also wrote a list of recommendations about the most obvious cracking techniques. Hope it helps.
One simple was i was thinking would be just have a 2 encrypted
strings, now when the decryption is succsessful with the demo public
key certificate then the application will run in demo mode and etc..
Could be a simple solution. But this way you won't prevent someone to reverse engineer your binaries and make the execution jump to the correct line. Everyone has your program, has a complete version of it, so it's only a matter of find how to break this simple mechanism.
Maybe a better solution is encrypt a part of the binaries needed to use the full application version, instead of a simple string. This way to execute the application complete version someone need to decrypt those binaries in order to execute them.
Please take in consideration that even that solution isn't enough. There are other problems with that:
Does all the version of your tool will share the same encryption key? Breaking one of them for breaking all..
Even if you use a different key for each binary application released, does the encrypted binary are identical? Once cracked one, you can reuse the unencrypted binaries for all distributed applications.
How to solve these problems? There's no simple solution. Most of the more important commercial software with even sophisticated protection systems are broken just few hours or days after they have been released.
Product activation is not a problem that asymmetric cryptography can solve. Asymmetric cryptography is about keeping secrets from your adversary. The problem is that you can't keep a secret that is stored on you're adversaries machine, that would be security though obscurity.
The correct way to do product activation. Is to generate a Cryptographic Nonce that is stored in a database on your server. You give this Nonce to the customer when they buy the product, and then they activate it online. This activation process could download new material, which would make it more difficult for the attacker to modify the copy they have to "unlock" new features.
But even with DRM systems that require you to be online while using the product. Like the ones found in new games like "From Dust" are still broken within hours of their release.
One of the benefits of public key encryption is that you can verify the origin of a given piece of data. So if you store the public key in your assembly, then sign a given piece of data (say an authorization code or serial number) your assembly can verifiably determine that you were the one that created that data - and not a hacker. The actual data itself isn't all that important - it can be a simple pass/fail value.
This is actually pretty easy to do with .NET. You can use an x509 certificates or like we use in DeployLX Licensing the RSACryptoServiceProvider.
I would highly recommend buying a commercial product (doesn't really matter which one, though DeployLX is excellent) and not doing this yourself for 2 reasons
Even if you're a great developer, you'll probably get it wrong the first time. And any savings you might have enjoyed by rolling your own will be lost to recovering from that mistake.
You'll spend far more time working on your own system - time that you should spend making your product great.
The second phase in protecting the software is to make sure that it runs the way you created it - and hasn't been modified by a hacker. It really doesn't matter what encryption you use if hackers can check if( licensed ) to if( true ).
You can use AsProtect to solve this problem. This is good staring point.
I'm about to release my application which is built in C# VS2008 to my customer, and I want to prevent copy abuse post deployment, since it's easy to copy installation files to another machine and use the application. I want to limit usage to only one computer per installation.
See this question for some products that will help you do this...
https://stackoverflow.com/questions/118031/best-activation-key-software-for-net-application
My favorite for now is IntelliLock. Decent price, supports ASP.Net, and has been around for a while.
Locking to a machine ID is not a trivial thing to do manually. So I would us a license software package. Even if you're just trying to deter casual copying, you have to consider machine components change, and people get new computers.
But if you really want to do this manually see CPU serial number and http://www.vcskicks.com/hardware_id.php. But note even the CPU Serial is not a fool proof method as it quite often is disabled.
Use hashing to generate an unlock key. The idea is to gather some data which is fixed on the target machine but also unique. Examples are the name of the machine, id of network card, ... Generate a hash from these values and let the user send this data to you. Generated a new hash from this value and a secret key (only known by you) and send it back to the user. Now the user has to enter this key to unlock your software.
Use an "activation" scheme, like Microsoft does with Windows. Each installation must authenticate itself against a server somewhere using a key. If a key is used more than once, prompt the user to call and talk to a real person.
Just make a pre-screen to enter login\pwd
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Improve this question
Where do programs save their secret license or install related information? I notice that often times when you uninstall a program, clear out appdata references, check registries to make sure there is no residue of any relevant information.
If you reinstall the trial program again, it seems to know it was installed before. I'm not looking to find a way to crack trial programs but actually need to implement something similar and can't find any good information on how to do this.
Registry
online
file in folder Windows with system like name
I even seen apps that hacked unused OS variables to store custom data in registry.
But the simplest method is to register a handler for a custom unused file type like .sof (if that is there, it was installed before) Edit 1 You have to register the handle to open a known executable on the system, not to your app. Because cleaners will detect if points to a no longer existing app location. As for storing additional params like date of trial expiry you can include them in the path as a param, like: cmd.exe -o 2010-02-09
I have handled this in two ways. First, in windows apps, I put in an encrypted Registry entry which is not in a standard location so that it is not easily found. This is a good solution if you don't mind people who either a) reformat often which removes all registry entries or b) use your software on a virtual machine which can be quickly reverted to a pre-trial state (and thus your trail can be used again quickly).
The better alternative is to have an online registry component which catches the MAC address of the machine which the trial is loaded on. Whenever the trial is reloaded, the software checks against a web service to see if the MAC address has been seen before. The only way around this is again using a Virtual Machine with the ability to change the MAC address. However, if you have a user that goes to this extreme, they'll use your trial regardless.
Probably the most foolproof way of licensing (when done right) is through something the user physically has - some kind of hardware dongle.
very hard to copy/duplicate
not dependent on network access
tamper-resistant (compared to software)
user-friendly (when working correctly)
licence count enforcement (can't easily plug 1 dongle into 10 machines at once)
Of course, it has also numerous disadvantages:
expensive to produce
hard to repair/replace
actually requires you to communicate with the dongle in a cryptographically secure way - any kind of if(dongle_ok()) { do_stuff() } is an invitation for crackers to patch that over to if (1) { do_stuff() }...
...which will require special drivers...
...maybe even a special interface (I still have a LPT dongle, but no LPT ports; USB<->LPT sucks)
don't even think of hooking it up to a virtual machine (although peripheral support is better in VMs nowadays)
support hell (is it connected? is it not broken? is the driver not broken? are the signatures/keys right and unexpired?)
fragile, esp. if it sticks out of the computer and/or has destructive anti-tamper mechanisms
may break communication with other peripherals (esp. those "pass-through" things were notorious for this)
For most programs, the disadvantages far outweigh the advantages; however, if you're making expensive, complex software (think "production plant control"), your clients are rather cavalier about licensing (in other words, "would buy a single copy (crack it if necessary) and run it on 50 machines if they could get away with it"), and lawsuits are impractical (take too long, you don't have much evidence, uncertain outcome), this may be useful. (I didn't say simple, did I?)
They save it wherever they can, secret files, secret registry keys. There are commercial products that offer this kind of protection, like asprotect, armadillo, etc.
Some products will utilize ADS (Alternate Data Streams) and hide the data in various places.
Others will leave behind "rootkits" cough SONY.
Also some will create special registry entries that cannot be delete easily, such as entries with NULLs in the name.
It sometimes depends on how scrupulous the developer is.
Could also try making the file or folder hidden - most users don't know to reveal hidden files and folders. Then you can put it anywhere really. C:/WINDOWS is sometimes a good choice because of that silly window that shows up when you click it for the first time that says "DANGER! DO NOT EDIT ANYTHING IN THIS FOLDER OR YOUR OS WILL MESS UP!" This will hide most anything from the lay man, but let's face the facts, you're not hiding anything from anyone that is active on stack overflow. :)