OT - Software license key generator

  • Thread starter Thread starter Joe
  • Start date Start date
J

Joe

Sorry this is OT...

I'm looking for recommendations for generating license keys (machine
specific) for our application. I was looking at Quick Licenses Manager which
looks pretty good.

Is there any favorites?

-Joe
 
Joe,
Machine-specific license keys need to be generated using some combination of
unique numbers (or strings) that can be obtained from a PC such as the CPU
ID, the Hard Drive serial number (manufacturers number, not the "Volume
Number"), then Network Card MAC Address( which can be changed by the way!)
Typically what software vendors do is have their program gather this
information and make a call to a WebService which uses it to generate a
machine specific licence key which the software basically
"reverse-engineers" and checks against the same machine - specific items
mentioned above in order to validate the key.

None of this is rocket science.

If you have a vendor whose solution you like, and the price is affordable,
go with it. Otherwise, with the above-summarized information, any developer
possessing an above-room-temperature IQ could write their own.

Best of luck,
Peter
 
If you have a vendor whose solution you like, and the price is
affordable, go with it. Otherwise, with the above-summarized
information, any developer possessing an above-room-temperature IQ
could write their own.

Best of luck,
Peter
Click to expand...

Sorry to say this but...that was a rude and incorrect thing to say!

Licensing is not a "do it yourself" project in my book unless you are
selling shareware programs as a hobby. Sure, you could make some half-
arsed encrypting system that sent a web request to a server and then
processed/saved the reply yourself easily - but that is only part of the
solution.

You need a way to include other things in a license "component" in order
for it to work correctly:

- Different Key Types (demo/trial/perm)
- Fixed/Specific Product Versions
- Concurrent Usages (maybe 1 key for several computers)
- Shared License Keys (multiple computers but only 1 at a time)
- Other Product Specific Settings (Max. # of something, specific server
ti can connect to, specific features that were purchased, etc.)

This all needs to be designed so that it cannot be changed by the user,
but can still be decoded (which means no HASH algo) by the program so it
can use the information. You will want to get access to the username,
product version, etc. in your application.

Here is an example of what I mean by this.

Example License Format:
-------------------------------------
[Application Name]
[Version]
[Application Specific Features or Information]
[LicenseType (perm/demo)]
[exp. date if demo]
[encrypted license key of HD+MAC address]
[encrypted CRC value of entire license key]
-------------------------------------

Example License Key:
-------------------------------------
SomeApp
1.2.0.0
EditorFeature|DesignerFeature|QueryFeature|ServerFeature=215.128.56.12
PERM
00/00/0000
ab86af7e890da8ab78c98ea9bd8ffa7e
1e67a01f3bc1
-------------------------------------

The above sample would be the actual license key that the user receives.
It has human readable information but it cannot be changed because of the
CRC of the entire key on the end. The encrypted key (HD+MAC) is used to
verify it is valid as well.

Also, you need to have more then a simple method call like bool
CheckLicenseKey() in your code otherwise it will be easy to hack it and
perform a simple JMP around the check - or even worse find out how to
generate your own keys! Once it is "known" to one user how to
break/hack/generate a key it is known to everyone thanks to the WWW. An
ideal solution would somehow encrypt the binary code of the application
so it would be hard to determine where the license checks are made (and I
mean CHECKS and not check since you should perform multiple checks of a
license key in different key areas.) Also, it should not set some global
variable like bKeyValid because that is a VERY simple thing to hack.

There are a lot of companies out there that make licensing software and
most software developers who need a decent solution use them for a reason
- because it takes more then an "above-room-temperature IQ" to get it
done correctly.

If you want half-arse: do it yourself.
If you want it done right: purchase something.

Of all the things you could skimp on during development the licensing is
not one of them because once it is hacked it becomes freeware!

I do not develop/selllicensing software so I am not trying to suggest any
particular product that is out there.
 
Hey Chuck,

I'm glad you understand all the issues I've already considered which is what
led me to looking at commercial software for this.

Thanks,
Joe

Chuck C said:
If you have a vendor whose solution you like, and the price is
affordable, go with it. Otherwise, with the above-summarized
information, any developer possessing an above-room-temperature IQ
could write their own.

Best of luck,
Peter
Click to expand...

Sorry to say this but...that was a rude and incorrect thing to say!

Licensing is not a "do it yourself" project in my book unless you are
selling shareware programs as a hobby. Sure, you could make some half-
arsed encrypting system that sent a web request to a server and then
processed/saved the reply yourself easily - but that is only part of the
solution.

You need a way to include other things in a license "component" in order
for it to work correctly:

- Different Key Types (demo/trial/perm)
- Fixed/Specific Product Versions
- Concurrent Usages (maybe 1 key for several computers)
- Shared License Keys (multiple computers but only 1 at a time)
- Other Product Specific Settings (Max. # of something, specific server
ti can connect to, specific features that were purchased, etc.)

This all needs to be designed so that it cannot be changed by the user,
but can still be decoded (which means no HASH algo) by the program so it
can use the information. You will want to get access to the username,
product version, etc. in your application.

Here is an example of what I mean by this.

Example License Format:
-------------------------------------
[Application Name]
[Version]
[Application Specific Features or Information]
[LicenseType (perm/demo)]
[exp. date if demo]
[encrypted license key of HD+MAC address]
[encrypted CRC value of entire license key]
-------------------------------------

Example License Key:
-------------------------------------
SomeApp
1.2.0.0
EditorFeature|DesignerFeature|QueryFeature|ServerFeature=215.128.56.12
PERM
00/00/0000
ab86af7e890da8ab78c98ea9bd8ffa7e
1e67a01f3bc1
-------------------------------------

The above sample would be the actual license key that the user receives.
It has human readable information but it cannot be changed because of the
CRC of the entire key on the end. The encrypted key (HD+MAC) is used to
verify it is valid as well.

Also, you need to have more then a simple method call like bool
CheckLicenseKey() in your code otherwise it will be easy to hack it and
perform a simple JMP around the check - or even worse find out how to
generate your own keys! Once it is "known" to one user how to
break/hack/generate a key it is known to everyone thanks to the WWW. An
ideal solution would somehow encrypt the binary code of the application
so it would be hard to determine where the license checks are made (and I
mean CHECKS and not check since you should perform multiple checks of a
license key in different key areas.) Also, it should not set some global
variable like bKeyValid because that is a VERY simple thing to hack.

There are a lot of companies out there that make licensing software and
most software developers who need a decent solution use them for a reason
- because it takes more then an "above-room-temperature IQ" to get it
done correctly.

If you want half-arse: do it yourself.
If you want it done right: purchase something.

Of all the things you could skimp on during development the licensing is
not one of them because once it is hacked it becomes freeware!

I do not develop/selllicensing software so I am not trying to suggest any
particular product that is out there.
Click to expand...
 
I agree. I would only add that even if you check IsValid in 100 places, that
would only slow them down a bit. They recompile or patch, and a hacked
version is on WWW in a day. One would still need to obfuscate so a simple
decompile can not be done. Even then, a good cracker can still jump around
and modify the IL and the app is again on the web in maybe 2 days. So you
can keep the honest out, not the thieves.

But that begs another question. The honest will pay anyway, the theives
will not. So all you are really doing is making it harder for the honest to
use and install your app and adding a bunch of license infrastructure
(generators, db storage, hosting, etc) to protect your app against a few
script kiddies that can't afford it anyway. Makes one wonder if it is even
worth the effort?
 
I agree. I would only add that even if you check IsValid in 100
places, that would only slow them down a bit. They recompile or
patch, and a hacked version is on WWW in a day. One would still need
to obfuscate so a simple decompile can not be done. Even then, a good
cracker can still jump around and modify the IL and the app is again
on the web in maybe 2 days. So you can keep the honest out, not the
thieves.

But that begs another question. The honest will pay anyway, the
theives will not. So all you are really doing is making it harder for
the honest to use and install your app and adding a bunch of license
infrastructure (generators, db storage, hosting, etc) to protect your
app against a few script kiddies that can't afford it anyway. Makes
one wonder if it is even worth the effort?
Click to expand...

Yep.. Make it hard enough so the average user would be better off
purchasing a license then spending hours hacking it. The hackers are gonna
hack you just dont want to give them a golden opportunity.

Another thing to keep in mind is multiple products that you may
develop/distribute. If this is the case then it may be better to spend a
bit more for a licensing system that can "polymorph" itself a little bit
for each application - instead of the same exact strucuture/encryption/etc.
for every product. That way they have to hack all your products
individually instead of just one of them.

Good luck!
 
Chuck C said:
Yep.. Make it hard enough so the average user would be better off
purchasing a license then spending hours hacking it. The hackers are gonna
hack you just dont want to give them a golden opportunity.
Click to expand...

Your typical warez user won't hack it themselves, isntead they'll goto thier
favorite sites and look for a crack someone else made. If your app is at all
popular, they'll be able to find it in a few minutes. This is the nuisance
bar your protection needs to stay below. IF you go too far above it, even
users who normally would buy a legit copy will get fed up and look into a
cracked one.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

What software do you use to convert between audio files? 6
.NET Licensing Framework 2
Generate license numbers for shareware - How ??? 10
License Key Generators 1
SharpDevelop and General question about LPGL licence when integrateopensource in a commercial applic 3
Licensing and Key Validation 2
Which PHP IDE do you use? 4
Help with creating license code 2

Back
Top