Re: Securing Software with License
- From: john smith <john@xxxxxxxxx>
- Date: Thu, 26 Jan 2006 14:07:15 -0400
Frans Bouma [C# MVP] wrote:
> I'd go for signed xml files. You can create them at your own server and add any info you want, like the name of the customer. Signed xml is easily read with .NET code and checked (it's built in).
That by itself is hardly what I'd call protection. Even if it's obfuscated, it's still far too easy to find the SignedXml::CheckSignature call(s) in the IL and NOP the following brfalse (or even NOP the entire check altogether, licenses wouldn't even need to be signed anymore vs no need for a valid signature). It would probably take all of 5 minutes to crack that app... If your app is known at all or useful, it'll be on crack sites within minutes. I would call this more like an annoyance to crackers more than protection really.
> Another approach is a key-code but that's less personal to the customer and you run the risk of having your serial codes end up on some crack site.
Indeed. That alone is enough either, and that is bound to happen too (possibly keygens or hand-made "unlimited" licenses too)
> You can also purchase a commercial licensing library, like Xheo licensing. These typically implement a few different ways of doing licensing, like signed xml files or serial numbers.
Some of those suck, some are great... One has to pick the right one (and preferably at the right price too). I haven't looked at those extensively, can't really make recommendations. Chances are you'll find universal "unlockers" for apps protected with specific protections.
> Either way, you have to protect your own code from disassembling and removal of the protection code. So obfuscate the code, sign your assemblies, check at random places that the public token on the assemblies is still yours and if not set a random variable to null so the app crashes somewhere else.
Obfuscation is obviously a must, but it's not enough in itself (it can only obfuscate so much; the thing still has to run; and not all obfuscators are created equal obviously).
Signatures can be removed too (same for checks), it's not that hard... Useful as an "extra step" to make crackers' lives miserable, but far from enough either. Encryption can't hurt either (but key management can be a pain, DPAPI is always an option).
But the "hidden checks" option is a VERY good one indeed (whether it checks dates/timestamps or such, parts of the serial that aren't normally checked (more "in depth" checks on parts of the serial), anything goes). Hide them as well as you can, in places no one would look: called at the middle of some functions your program does or on some special events, perhaps only start to use some of the checks X days after install so the crackers think it works, release it, the crack-addicts download and install it, only to find out in a couple days it's not working right, etc. You can also make some of these hidden checks run only sometimes (5% chance or such), which again will make it harder to find them, but will cripple the badly-cracked programs. Make the checks work off non-obvious indirect copies of the licensing data or such kept in RAM (hard to keep track of a couple dozen memory locations with variants of the registration info and such). The more hidden checks, and the better they're hidden, the better. Those are the most likely parts to be missed/troublesome/time-wasting/frustrating to crackers, and the people using your soft illegally will tire of it, and hopefully see a value in purchasing your useful program. Make them tired of buggy cracks, and they may want a stable version enough to pay for it... You can offer some "perks" to paying members too to make it even more attractive (newer builds and bugfixes sooner, member advantages like forums or extra downloads, access to betas of the next versions, discounted upgrades, whatever you want). Of course this is by far the most complicated and time consuming option to protect your programs, but it's perhaps one of the most "secure" things you can do (almost impossible to find all hidden checks) and that annoys those using illegal versions the most.
> That said, also read: http://software.ericsink.com/bos/Transparency.html
> about how far you should go in protecting your own software, as the more you do to protect your software, the more you likely will annoy your (potential) customers. :)
> FB
The tougher the better, but eventually it can become rather complex and time consuming (one would rather spend their time adding new neat features to their apps to make people want to purchase it instead and such). And it's sad to see a protection that you've spent so much time on be broken when it happens... The never ending battle :)
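
The signed-XML license check discussed in this message, as an added example that is not part of the original post or either poster's code: the client verifies against a public key pinned in the application and accepts only a signature that covers the whole document. The `License`/`Customer` element names, the helper names and the demo key pair are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class LicenseDemo
{
    // Vendor side (hypothetical helper): enveloped signature over the whole document.
    static string Sign(string xml, RSA privateKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "" };   // "" = the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Client side (hypothetical helper): customer name, or null if the license is rejected.
    static string Verify(string licenseXml, RSA pinnedPublicKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(licenseXml);
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return null;
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        // Verify against the key shipped with the application, never a key
        // taken from the license file's own KeyInfo element.
        if (!signedXml.CheckSignature(pinnedPublicKey)) return null;
        // Accept only one reference that covers the whole document, so unsigned
        // elements cannot ride along with a validly signed fragment.
        if (signedXml.SignedInfo.References.Count != 1) return null;
        if (((Reference)signedXml.SignedInfo.References[0]).Uri != "") return null;
        XmlNode customer = doc.DocumentElement.SelectSingleNode("Customer");
        return customer == null ? null : customer.InnerText;
    }

    static void Main()
    {
        using (RSA key = RSA.Create())   // demo key pair; a real client holds only the public half
        {
            // Constructed sample license, then a copy altered after signing.
            string signed = Sign("<License><Customer>Alice Example</Customer></License>", key);
            Console.WriteLine(Verify(signed, key) ?? "(rejected)");
            Console.WriteLine(Verify(signed.Replace("Alice", "Mallory"), key) ?? "(rejected)");
        }
    }
}
```

This establishes only that the license file is authentic; as the reply above points out, it does nothing against the check itself being patched out of the IL.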