How to retrieve serial number of OS or CPU for copy protection?


Klaus Bonadt

In order to protect software from being copied without licence, I would like
to use something like a key, which fits only to the current system. The
serial number of the CPU or the current operating system would be
appropriate. However, I do not know how to retrieve the information.

Could you help?
Klaus
 
The number one problem of a copy protection algorithm is identifying
machines. Is there a number that uniquely identifies a computer? Let’s call
this number the "Serial Number" (SN).

What are the requirements for a Serial Number? There are two:

1. A Serial Number must be different on different computers.
2. A Serial Number must be the same on the same computer.

Today’s PCs do not contain a hardware ID that meets these requirements.
Because of this, we should loosen these hard requirements. I’ve modified the
second requirement this way:

2. The Serial Number must be the same on the same computer, but if somebody
successfully changes the serial number on a computer, it involves serious
consequences.

I think there is such a "Number" in Windows XP; it’s the following value in
the registry:

HKEY_LOCAL_MACHINE\SYSTEM\WPA\SigningHash-*...*\SigningHashData

It’s a byte array and it contains the Windows Product Activation signature.
It’s hard to overwrite (the kernel protects it), but it isn’t worth
overwriting, because the attacker can’t reactivate his copy of Windows again.

You can read that value in C# in the following way:



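    using System;
    using Microsoft.Win32;

    public static class HardwareId
    {
        // Returns the Windows Product Activation signature bytes (Windows XP).
        public static byte[] GetHardwareIdBytes()
        {
            using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(@"SYSTEM\WPA", false))
            {
                // OpenSubKey returns null when the key does not exist.
                if (rk != null)
                {
                    foreach (string subkey in rk.GetSubKeyNames())
                    {
                        // Ordinal prefix match; registry key names are not culture-sensitive.
                        if (subkey.StartsWith("SigningHash", StringComparison.Ordinal))
                        {
                            using (RegistryKey rk1 = rk.OpenSubKey(subkey))
                            {
                                // "as" yields null if the value is missing or not a byte array.
                                byte[] data = rk1 == null ? null : rk1.GetValue("SigningHashData") as byte[];
                                if (data != null) return data;
                            }
                        }
                    }
                }
            }
            // It should never happen:
            throw new Exception("There is no hardware id on this computer!");
        }
    }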

This solution has two disadvantages:
1. It works only on Windows XP (or later).
2. The SN changes when the user reinstalls the operating system.


Kazi
 
Thanks Kazi,

This is very interesting and indeed, at least for Windows XP, this approach
seems to be more appropriate than scanning for MAC addresses.
One additional general question:
Are there legal consequences when binding software to hardware? Under which
legal constraints this could be a way for selling software in different
countries?

Best regards,
Klaus
 
One additional general question:
Are there legal consequences when binding software to hardware? Under which
legal constraints this could be a way for selling software in different
countries?

Even in America I this is against the spirit of the copyright law,
although not illegal.

The copyright law applied to software was explained at some point
by some specialists this way "the software should be like a book".
Meaning can be used on one machine at a time, if I move it on a new one,
I cannot use it on the previous one.

So, in theory, I can install it on my desktop at home, my laptop,
my desktop at office. If I don't use them simultaneously, I am legal.
The only way I know to enforce this is with a dongle.

Now, the software manufacturers don't give a dime about user's rights.
Tying the software to a certain computer violates the spirit of the law.
But who cares? Put it in a disclaimer in EULA and you are free to do
what you want!

But if I have a choice between your "protected" software and a
non-protected one, guess what am I going to choose?
No, I am no pirate, I pay for my software, but I expect it not to take
away some of the freedoms that are in the law.
Same with the music. I want to listen to it in the car, at home,
on my desktop in the office, and keep the original CD in a safe place.
Can I be in 3 places at once? No. Then I am ok!
 
Klaus Bonadt said:
Thanks Kazi,

This is very interesting and indeed, at least for Windows XP, this approach
seems to be more appropriate than scanning for MAC addresses.

One comment about MAC addresses:
You can't read the MAC address of a network card, if the driver of that card
is disabled, and it is not a rare case, especially in a notebook computer.
One additional general question:
Are there legal consequences when binding software to hardware? Under which
legal constraints this could be a way for selling software in different
countries?

I don't know the laws relating to this question.

I'm a shareware developer, and I use the following method in my software: if
a user wants to install my software on a new computer, the user must ask for a
new license for installing the already paid software on the new machine. And
the users accept this method. The problem is in the case, when a user
reinstalls the operating system. The users understand this issue.

The .Net 2.0 library now contains managed interfaces for the crypto API. I'm
developing a new shareware software protection system based on the crypto
API, which means it will be as strong a method as it can be.

There are two methods for cracking software:
1. A cracker reverse engineers the license checking algorithm, and he
creates a license key generator (keygen).
2. A cracker removes the license checking algorithm from your software.

I'm developing a license checker algorithm that uses the public key
infrastructure (PKI), which means the cracker can't create a license
generator (keygen) utility, because he doesn't know the private key. It's
impossible to create a keygen program without the private key.

The .Net library contains a possibility to avoid code modification: strong
name assemblies, which are based on digital signatures. There is a possibility
to create libraries that can't be modified.
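
The signed-license idea from the post above, as an added example that is not Kazi's code or part of the original thread: the vendor signs the licensee name together with the machine id using an RSA private key, and the application verifies it with the public key only. The class and method names and the sample machine ids are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SignedLicenseDemo
{
    // Canonical bytes that get signed: length-prefixed licensee name followed by
    // the length-prefixed machine id, so bytes cannot be shifted between fields.
    private static byte[] BuildPayload(string licensee, byte[] machineId)
    {
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))
        {
            byte[] name = Encoding.UTF8.GetBytes(licensee);
            w.Write(name.Length);
            w.Write(name);
            w.Write(machineId.Length);
            w.Write(machineId);
            w.Flush();
            return ms.ToArray();
        }
    }

    // Vendor side only: needs the private key, which never ships with the product.
    public static byte[] IssueLicense(RSA vendorKey, string licensee, byte[] machineId)
    {
        return vendorKey.SignData(BuildPayload(licensee, machineId),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Client side: only the public key is embedded in the application.
    public static bool VerifyLicense(RSAParameters publicKey, string licensee,
        byte[] machineId, byte[] license)
    {
        if (licensee == null || machineId == null || license == null) return false;
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(BuildPayload(licensee, machineId), license,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        // Constructed sample ids standing in for the bytes GetHardwareIdBytes() returns.
        byte[] machineA = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE };
        byte[] machineB = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFF };

        using (RSA vendor = RSA.Create())
        {
            vendor.KeySize = 2048;
            RSAParameters publicKey = vendor.ExportParameters(false);
            byte[] license = IssueLicense(vendor, "Example User", machineA);

            // Same licensee and machine: the license verifies.
            Console.WriteLine(VerifyLicense(publicKey, "Example User", machineA, license));
            // Different machine id or different licensee: verification fails.
            Console.WriteLine(VerifyLicense(publicKey, "Example User", machineB, license));
            Console.WriteLine(VerifyLicense(publicKey, "Other User", machineA, license));
        }
    }
}
```

This addresses only the first cracking method listed in the post (a keygen); it does nothing against the second, where the check itself is removed from the program.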
 
The theory is good, but the code is not correct a bit.
It’s not impossible to deceive it.
 
I have also been working on a PKI solution as well for licensing. I
must warn you against using MAC Addresses. I have tried this in the
past with software for some servers, but found that some MAC addresses
are not permanent. This burned me with one client in that all of
their MAC addresses changed one evening when their network staff made
changes to the network.
 
Mihai N. said:
Even in America I this is against the spirit of the copyright law,
although not illegal.

"Against the spirit of the copyright law?" Where did you get this?
Copyright law gives the author of a creative work supreme and total control
over the software. If they want to restrict you to running it on one
computer, running it no more than 5 times, and never on Sundays, they are
perfectly within their legal rights to do so. Such a license restriction
would be silly, of course, but that doesn't make it "against the spirit of
the law".
The copyright law applied to software was explained at some point
by some specialists this way "the software should be like a book".
Meaning can be used on one machine at a time, if I move it on a new one,
I cannot use it on the previous one.

This happens to be Borland's approach to software copyright. In fact, that
phrase comes directly from Borland's license agreements. Although it is
comforting and reasonable, it is not a legal authority by any means. Many
software makers hold that you are entitled to run their software on one
machine, and one machine only, forever and ever.
Now, the software manufacturers don't give a dime about user's rights.
Tying the software to a certain computer violates the spirit of the law.

No, it doesn't. It violates the spirit of common sense, but the law has
very little to do with common sense.
 
"Against the spirit of the copyright law?" Where did you get this?
Copyright law gives the author of a creative work supreme and total control
over the software. If they want to restrict you to running it on one
computer, running it no more than 5 times, and never on Sundays, they are
perfectly within their legal rights to do so. Such a license restriction
would be silly, of course, but that doesn't make it "against the spirit of
the law". ....
No, it doesn't. It violates the spirit of common sense, but the law has
very little to do with common sense.

I did not say it is illegal, just that it is against the spirit of the law.
The original intent of the law was to stimulate creation, not to be used
to kill it. This is why "fair use" and other mechanisms like this were put
in place. See http://arstechnica.com/reviews/004/software/law/i-tunes.html
to see "how contracts are being used to restrict the normal freedom given to
users by copyright law in general."

I know companies complain about piracy. And they are right (I wonder?
http://arstechnica.com/news/posts/20040903-4156.html)

But the numbers are not as high as they claim. Even under the American
law (the most pro-corporate), a company accusing someone of piracy
should show they lost money. And this does not mean I have an illegal
copy. It means I would have bought it if a stolen copy was not available.
Can a company show that the Russian student using an illegal copy of
X software package ($1000) would have bought it, when the monthly salary
there is around $100?

I do not say starting to steal software or music is the solution.
But I do hope that more and more people will start doing what I do.
I did buy hundreds of CDs. Since the first RIAA lawsuit against one
of their customers (several months ago), I did buy none.
Same with software. I do buy it, but when it does cross the line
(in my case the activation), I just say "bye" and buy something else.
Maybe someone will get the message.

If you don't trust me and treat me like a thief, then I don't do
business with you. If police would stop every car and body search
the occupants, because "there are criminals out there", it would be
a public outrage. If software/movie/music industry does it, it's ok.

So, my message is: before you start adding such "features" to your product,
put in balance what you gain and what you lose.
 
Can a company show that the Russian student using an illegal copy of
X software package ($1000) would have bought it, when the monthly salary
there is around $100? ....
If you don't trust me and treat me like a thief, then I don't do
business with you. ....
So, my message is: before you start adding such "features" to your product,
put in balance what you gain and what you lose.

These are remarkable aspects, which make me thoughtful.
However, there are hundreds of illegal copies of cheap software,
Zip-utilities for example.
Some developers started to work for voluntary donations. They also published
the number of distributed, registered copies and the amount of donations. It
is frustrating...

What do you think about a "shareware" utility for 10$ or EUR fixed engaged
to hardware configuration or the operating system?
Do you believe, people, who need it, would think "10 bucks are not so much,
I would afford it a second or third time when I change the configuration!";
or do you rather believe "They treat me like a thief, I don't do business
with them, even if the software would be good for me and I could afford to
buy it!"?

Thanks for your ideas...

Best regards,
Klaus
 
Mihai N. said:
But the numbers are not as high as they claim. Even under the American
law (the most pro-corporate), a company accusing someone of piracy
should show they lost money. And this does not mean I have an illegal
copy. It means I would have bought it if a stolen copy was not available.
Can a company show that the Russian student using an illegal copy of
X software package ($1000) would have bought it, when the monthly salary
there is around $100?

Your reasoning is faulty. If a Russian student is using an illegal copy of
X software package ($1000), then the manufacturer of X has lost $1000.
It's just that simple. If the student could not have bought the package,
then he should not be using it. If I were to steal a television set, the
fact that I would not have bought the television set anyway does not change
the illegality of the act, nor the loss to the manufacturer.
 
Your reasoning is faulty. If a Russian student is using an illegal copy of
X software package ($1000), then the manufacturer of X has lost $1000.
It's just that simple. If the student could not have bought the package,
then he should not be using it. If I were to steal a television set, the
fact that I would not have bought the television set anyway does not change
the illegality of the act, nor the loss to the manufacturer.

You are worse than most American corporations! Check the American law.
A company should prove you would have bought it if it was not available to
steal. This is the law, not my faulty reasoning.

Are you working for RIAA? Same faulty comparison with stealing objects.
A stolen object is gone. A copied software is still there.

Again, I don't say it is right to just copy software.
But let me tell you why your reasoning is faulty and a loss is not
always a loss:

Option one:
- student does not have money to play with 1000$ program
- draconian anti-piracy measures prevent him from getting a stolen copy
- student searches and finds open source alternative
- student graduates, recommends to his company to use open source software
- overzealous pirate-killer company loses a company

Option two:
- student does not have money to play with 1000$ program
- he manages to get a stolen copy and becomes proficient with it
- student graduates, recommends to his company to use same software
(this is what he knows, right?)
- software company gains one more company as client

This is something many American companies know.
- Borland offered amnesties in Eastern Europe.
- Microsoft and Apple donate software to schools and universities
to "hook" students
- SCO (the old one) offered the SCO Unix for $25

I am coming from Eastern Europe. For many years I did use pkzip
(shareware) without giving any money. How could I? 25$ was about
a quarter of a salary. And during the communists we were not allowed
to have $ or to have relations with foreign companies.
One of the first things I did when I came to America and started making
some money was to send them the 25$.

Anyway, maybe I was a bit rough in my posts.
But I tried to show another side.

Think twice before implementing tough protections.
Real pirates will have a crack in a few weeks after release.
The final ones to suffer are your customers.
If you have 90% of the market (Windows, Photoshop), you can afford
something like the activation, otherwise you are just adding to the
development costs and push your clients to competing companies.
It is all about balance.

And maybe you are just implementing what your managers ask.
Nothing personal against you, really.
 
These are remarkable aspects, which make me thoughtful.
....
Zip-utilities for example. ....
What do you think about a "shareware" utility for 10$ or EUR fixed engaged ...
Thanks for your ideas...

Best regards,
Klaus

Please see my other post on zip-like tools and software.
If I did make you think twice, I am glad.

Thank you, and forgive me if I was a bit rough.
 
Mihai,

you're arguing that intangible product has no value. If you steal something
like a program the owner still has it but it doesn't mean you didn't steal
it (and yes, it's not stealing, it's using it without a permission, but that
makes little difference determining the legality of the fact). Somebody has
put resources into creating it and unless they chose to give it out for free
(by releasing it into the public domain, or under a free license) you do not
have any right to use it. The fact that you can't afford it (for whatever
reason) is not an excuse. If there are free alternatives (and you're arguing
that there are) use those. I am really sick of people who say they would use
an open source (as in free, in terms of cost) alternative if they had to pay
for something they stole - why don't they then? Same thing about people who
say they would never buy it and use something else - put your money where
your mouth is and do use something else.

And your argument about a student forcing his future employer to buy SW ;)
You have obviously never worked for a decent company, new hires are not in a
position to make a whole company switch to an expensive piece of SW. You'll
end up using whatever they use now or stealing what you've been using till
then, except now you'll have to change your excuse.

Jerry
 
Tim Roberts wrote:

Hello Tim,
Your reasoning is faulty. If a Russian student is using an illegal copy of
X software package ($1000), then the manufacturer of X has lost $1000.
It's just that simple. If the student could not have bought the package,
then he should not be using it. If I were to steal a television set, the
fact that I would not have bought the television set anyway does not change
the illegality of the act, nor the loss to the manufacturer.

Sorry, but I do not agree.

1a) You make it sound as if the money is stolen, which isn't the case
1b) You make it sound as if the product is stolen, which isn't the case

(You even explicitly compare the actual *removal* of goods to the *copying*
of software, which *isn't the same*, not even in American law :-) )

2) As Mihai already tried to point out, there is *no way* that a person with
a monthly income of around $100 will, for personal use, buy a package of
around 10 times that amount. Meaning that if the package would, outside
of buying, not be available, (s)he just *would not buy it*. (I even think
that but a few people will buy software that is worth over a quarter of
their monthly wages, without being able to inspect it first)

Conclusion : no matter which way (the package is copied, the package is not
bought) the company does not get that money.

In my eyes that means that any company that claims that they lost that money
is just trying to make us believe a lie (trying to swing someone's
(Lawmaker's ?) opinion in their favour)....

But yes, if you do not acquire something available legally, you should not be
using it.

Regards,
Rudy Wieser
 
... If you steal something
like a program the owner still has it but it doesn't mean you didn't steal
it (and yes, it's not stealing, it's using it without a permission, but that
makes little difference determining the legality of the fact).

Right. And I guess, Mihai does not have another opinion.
And your argument about a student forcing his future employer to buy SW ;)
You have obviously never worked for a decent company, new hires are not in a
position to make a whole company switch to an expensive piece of SW.

Do not take this too literally. I understand this that way: Look at Microsoft.
Why they achieve that amount of success? From my point of view, it's because
of their market position, not because of their products. There are powerful
graphical operating systems before MS Windows. However, the people continue
buying MS-DOS until MS provides MS Windows. Look at IE, Netscape was better;
MS knew this and distributed IE free of charge. They wouldn't if they had
the market position. Just my opinion.
I bought Office 2003 although I still do my work in Star Office 5.2. Why I
bought MS Office additionally? Because the most companies interchange
documents in MS Word format.
A company which can afford to seed a market with products (free of charge)
or products being copied illegally could benefit in the long run from illegal
copies, but I fear this cannot be transferred easily to the situation of
small companies.

This is the problem.
Self-employed developers would like to get paid for their ideas and work.
From what they want to live, if they distribute their work without any fees?

Klaus
 
Sorry, but I do not agree.

1a) You make it sound as if the money is stolen, which isn't the case
1b) You make it sound as if the product is stolen, which isn't the case

Exactly how is the product 'not stolen'? This is exactly the thinking that's
killing small software companies. The argument that every pirated piece of
software is not a sale lost is complete rubbish - some people may pirate it
because they genuinely can't afford it, others pirate because they don't want
to afford it.
(You even explicitly compare the actual *removal* of goods to the *copying*
of software, which *isn't the same*, not even in American law :-) )
[....]
Conclusion : no matter which way (the package is copied, the package is not
bought) the company does not get that money.

In my eyes that means that any company that claims that they lost that money
is just trying to make us believe a lie (trying to swing someone's
(Lawmaker's ?) opinion in their favour)....

No, they want to continue to develop products and pay their employees. The
law does absolutely nothing to stop software piracy, which is a real shame -
it means that the only companies that can continue to make software will be
massive corporations that can soak up the losses or those that provide some
kind of additional service to paying customers. Open source is fantastic,
but it doesn't employ people - given the choice between working at a fast
food restaurant and writing OS software, or being paid to write software, I
know which I'd take.
But yes, if you do not acquire something available legally, you should not be
using it.

.... which is the ONLY thing that counts.

Steve
 
Mihai N. said:
Are you working for RIAA? Same faulty comparison with stealing objects.
A stolen object is gone. A copied software is still there.

But the revenue which comes from the pirated software is no less gone.

Regards,
Will
 
But the revenue which comes from the pirated software is no less gone.
Please read the whole answer, don't just quote a sentence out of context.
I did explain why there was no money to go. Because the very low income
person would have never bought the product.
This is no argument for piracy, it is more about learning to detect
false claims of "trillions of USD lost to piracy."
 