Re: Securing my app with serial number
- From: "james" <james@xxxxxxx>
- Date: Sat, 30 Sep 2006 14:02:34 +0100
<teslar91@xxxxxxxxxxx> wrote in message
news:1159303803.092855.192550@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Andrew,
Here's (approximately) how I do it, with some pseudo-code.
The app has two passwords hard-coded into it, we'll call them A and B.
When the program is installed, it generates a string:
Right(CDriveSerialNo() & "|" & Rnd(1) & "12345678901234567890", 20)
It then encrypts that string with password A, converts it to a hex
string, and stores it in the registry as a challenge code. When the
user wants to register, the software displays that code, which has to
be sent to me.
I then de-hex and decrypt the string, re-encrypt with password B and
re-hex, and send that string as an unlock code to the user. The
program stores that string in the registry as well. At any time, it
can de-hex and decrypt the strings with the appropriate passwords and
compare; if the strings match, the program is registered.
I can also insert some extra data into the beginning of unlock code
prior to re-encrypting it, which the program can use as flags on what
features to unlock:
If DecryptedChallenge = Right(DecryptedUnlock, 20) Then
Registered = True
UnlockFlags = Left(DecryptedUnlock, Len(DecryptedUnlock) - 20)
End If
If the user later contacts me saying they need to reinstall the
software, they have to tell me why. I keep their last keycode on file
so I can determine the drive serial number, which gives me at least a
little information to verify their story and determine whether this is
a legitimate reinstallation or not.
This isn't the most secure method in the world, but it works for me. I
have a small userbase of technically-challenged people, and little
demand for this application outside a tiny niche.
One obvious step in improving the security of this is to obfuscate the
hard-coded passwords A and B, so they do not appear in plain-text in
your program when viewed in a hex editor.
Beyond that, there are many methods to foil a cracker, and many methods
crackers have to foil you. Google is your friend for techniques, as
well as commercial protection packages that implement these techniques
for you. I'm afraid I don't have links/names handy, or experience with
any of these packages.
Hope this helps!
What's to stop the registered user copying both registry entries and
importing them onto another PC though? The app will presumably still check
these quite happily and say it's registered. Or does it re-generate the key
each time it runs by checking the disk serial number again?
James
.
- Follow-Ups:
- Re: Securing my app with serial number
- From: teslar91
- Re: Securing my app with serial number
- Prev by Date: Re: Think BEFORE you post.
- Next by Date: Re: how to get both old and new value for a changed text box
- Previous by thread: (newbie - VB2005) writing to file
- Next by thread: Re: Securing my app with serial number
- Index(es):
Relevant Pages
|
