Protection via activation / product registration keys

[Paul Aspinall]

Hi
Can anyone offer any hints / tips for creating registration keys /
application activation, as software copy protection measures for a Winform
app developed in C#?

Thanks

 

[Mack]

Hi
Can anyone offer any hints / tips for creating registration keys /
application activation, as software copy protection measures for a Winform
app developed in C#?

Thanks

This topic comes up repeatedly in sci.crypt. Google for it.
The general consensus is that it is a waste of time.
A determined hacker will compromise any copy protection
system and once the system is compromised an infinite
number of copies can be made. That is a single compromise
is fatal to the system.

Microsoft has spent a ton of time and money on the issue and the best
they can do is produce updates that "break" compromised copies that
download them. Unless you are planning on spending more time and
money than microsoft, make it easy on legitimate users and hope your
software is worth pirating.

Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail

 

[Matt Berther]

Hello Paul,

Im a firm believer of buy vs build in this area. Take a look at xheo licensing:
http://www.dotnetlicensing.com. This is (IMO) the best licensing component
out there right now.

 

[Herfried K. Wagner [MVP]]

Paul,

Can anyone offer any hints / tips for creating registration keys /
application activation, as software copy protection measures for a Winform
app developed in C#?

..NET's licensing mechanisms:

..NET Framework Developer's Guide -- Licensing Components and Controls
<URL:http://msdn.microsoft.com/library/en-us/cpguide/html/cpconlicensingcomponentscontrols.asp>

..NET Licensing
<URL:http://windowsforms.net/articles/Licensing.aspx>

Commercial components:

XHEO|Licensing
<URL:http://www.xheo.com/products/enterprise/licensing/>

 

[Bob Powell [MVP]]

I regularly use a license key method that I've found to be very safe. It
involves the construction of a long string of data such as the computer
name, user name and other metrics that are unique to the machine the product
is to be installed. This long string is used to generate a hash key that is
unique for every installation. In most instances I use a web-service to do
the key generation so that is under the control of my server.

I created a licensing component that uses this hash key to grant or deny
licenses based upon runtime / design time use and I also do horrible stuff
like check for the presence of different sorts of debugger running on the
machine. This licensing component is heavily obfuscated with an obfuscator
that crashes the IL disassemblers and it's guts are also encrypted wherever
possible.

I feel that I can explain this because the heart of the system depends upon
so many factors that go together to create a string of information which
averages about 1000 characters. Hash key cracking systems such as lookup
tables are unreliable past 15 or 20 characters so my strings with all the
weird information I collect are, I think, quite safe.

IMO If anyone has the energy to crack such a variable system as one that is
different for each and every installation, even if it's installed twice on
the same machine, then they are the very low percentage of people who will
be deterred by nothing. I know that a single crack would take an
inordinately long time and the key is so simple to change that a trivial
update on my part will make the hackers have to go through the whole reverse
engineering process again.

--
Bob Powell [MVP]
Visual C#, System.Drawing

Find great Windows Forms articles in Windows Forms Tips and Tricks
http://www.bobpowell.net/tipstricks.htm

Answer those GDI+ questions with the GDI+ FAQ
http://www.bobpowell.net/faqmain.htm

All new articles provide code in C# and VB.NET.
Subscribe to the RSS feeds provided and never miss a new article.

 

[Mack]

I regularly use a license key method that I've found to be very safe. It
involves the construction of a long string of data such as the computer
name, user name and other metrics that are unique to the machine the product
is to be installed. This long string is used to generate a hash key that is
unique for every installation. In most instances I use a web-service to do
the key generation so that is under the control of my server.

This is a store the key on the users computer system and match the key
to the user system.

I created a licensing component that uses this hash key to grant or deny
licenses based upon runtime / design time use and I also do horrible stuff
like check for the presence of different sorts of debugger running on the
machine. This licensing component is heavily obfuscated with an obfuscator
that crashes the IL disassemblers and it's guts are also encrypted wherever
possible.

Hackers can defeat such programs using a variety of methods.
First and simplest is to use a ICE. Another method that is slower but
more cost effective is to use a computer emulator. The third method
is to use an offline disassembler. The first step would be to remove
any run time checks for debuggers. Patching an executable is
a simple thing.

Encrypting the guts of your program requires the key to be available
to run the program. A hacker can obtain a legitimate key and then
decrypt the code. However unless each program is individially
encrypted at distribution time all of them will use the same key for
the encryption portion.

I feel that I can explain this because the heart of the system depends upon
so many factors that go together to create a string of information which
averages about 1000 characters. Hash key cracking systems such as lookup
tables are unreliable past 15 or 20 characters so my strings with all the
weird information I collect are, I think, quite safe.

A hacker would simply bypass whatever checks were put in place.
Patching such code is trivial.

IMO If anyone has the energy to crack such a variable system as one that is
different for each and every installation, even if it's installed twice on
the same machine, then they are the very low percentage of people who will
be deterred by nothing. I know that a single crack would take an
inordinately long time and the key is so simple to change that a trivial
update on my part will make the hackers have to go through the whole reverse
engineering process again.

Do you compile a custom version for each user? If not then each
installation is still the same.

If hackers think your software is worth the trouble to pirate, nothing
will stop them. A single crack would probably take a week.
This crack allows the hacker to make an infinite number of copies.
They don't need to reverse engineer the whole thing for each copy.
They simply remove all the obfuscation and run time checks.

Copy protection only works when the adversary does not have access
to the machine the program is running on. Offloading critical
computation to a PCI/USB hardware device greatly increases the
difficulty of defeating copy protection. Of course this is an
expensive solution since it requires custom hardware be designed
and only works for computation dependent software. I have not
yet seen such devices. If someone can point me to a dongle
which does computational work for the program I would be most
interested.

Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail

 

[Grant Frisken]

Infralution offers a reasonable priced encrypted licensing solution.
You can download an evaluation version at:

www.infralution.com/licensing.html

As several posters have noted, nothing that you can do will stop a
really determined hacker from cracking your software in one way or
another. However, a licensing system offers protection similar to
locking the doors of your house - it won't stop the determined thief -
but it will stop the casual passer by. The level of protection you put
in place depends on the value of what you are protecting and the
likliehood of people wanting to steal it.

Regards
Grant Frisken
Infralution

 

[Mack]

Infralution offers a reasonable priced encrypted licensing solution.
You can download an evaluation version at:

www.infralution.com/licensing.html

As several posters have noted, nothing that you can do will stop a
really determined hacker from cracking your software in one way or
another. However, a licensing system offers protection similar to
locking the doors of your house - it won't stop the determined thief -
but it will stop the casual passer by. The level of protection you put
in place depends on the value of what you are protecting and the
likliehood of people wanting to steal it.

Regards
Grant Frisken
Infralution

I looked at your web site before launching into my usual tirade
against anti-piracy schemes. Yours is reasonably priced and
doesn't make exagerated claims of security. You also provide
source to your customers which gives the added bonus of
being able to fix bugs. Your scheme is practically as secure
as systems costing a hundred times more. Which as you noted
won't stop a determined hacker but will prevent someone from
casually creating a license key generator.

I would also like to say I agree with your comments on
product activation (see the web site). The point you missed
in your comments is that every office of substantial size should
have at least one computer that doesn't have internet access*.
Most product activation schemes require internet access. Larger
companies have phone activation but it is a pain. Product activation
is unlikely to go away but does provide modest income for consultants
who do phone activation so their clients don't have to sit on hold.

* Anyone who needs a primer on why one computer
needs to be isolated as a backup, consult a security expert.

Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail

 

[Grant Frisken]

Thanks for your comments. We developed the licensing system when were
unable to find a reasonably priced product to license our own products.
I am hoping that by being honest about the level of security offered
and the pros/cons of product activation we will find a market amongst
those developers who can see through some of the hype surrounding some
of the more expensive solutions. I have had experience of product
activation schemes as both a customer and developer - and didn't enjoy
either end!

Regards
Grant Frisken
Infralution

 

[TC]

Grant Frisken wrote:
(snip)

You can download an evaluation version at:
www.infralution.com/licensing.html

As soon as you provide a website that has readable text, I'll take a
look at it!

It is really not a smart marketing move, to make the text so small that
many people won't be able to read it. And to do so in such a way that
it can't be resized from IE (View : Text Size) :-(

TC

 

[Grant Frisken]

Point taken. I'll endeavour to get something done about it.

Grant Frisken
Infralution

 

[Grant Frisken]

The website has now been updated so that the default text size is now
somewhat more readable and it will respond to resizing the text from IE
or any other browser.

Thanks for your feedback.

Grant
www.infralution.com

 

[TC]

Way better - well done.

TC

 

[LogicNP]

Use server based activation system

Your best bet is a server based activation system. Use a cryptographic algorithm for creating secure licenses. Check out CryptoLicensing which does this.