OT - Software license key generator

Joe,
Machine-specific license keys need to be generated using some combination of
unique numbers (or strings) that can be obtained from a PC such as the CPU
ID, the Hard Drive serial number (manufacturers number, not the "Volume
Number"), then Network Card MAC Address( which can be changed by the way!)
Typically what software vendors do is have their program gather this
information and make a call to a WebService which uses it to generate a
machine specific licence key which the software basically
"reverse-engineers" and checks against the same machine - specific items
mentioned above in order to validate the key.

None of this is rocket science.

If you have a vendor whose solution you like, and the price is affordable,
go with it. Otherwise, with the above-summarized information, any developer
possessing an above-room-temperature IQ could write their own.

Best of luck,
Peter

--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com


"Joe" wrote:

Sorry this is OT...

I'm looking for recommendations for generating license keys (machine
specific) for our application. I was looking at Quick Licenses Manager which
looks pretty good.

Is there any favorites?

-Joe

> If you have a vendor whose solution you like, and the price is

affordable, go with it. Otherwise, with the above-summarized
information, any developer possessing an above-room-temperature IQ
could write their own.

Best of luck,
Peter

Sorry to say this but...that was a rude and incorrect thing to say!

Licensing is not a "do it yourself" project in my book unless you are
selling shareware programs as a hobby. Sure, you could make some half-
arsed encrypting system that sent a web request to a server and then
processed/saved the reply yourself easily - but that is only part of the
solution.

You need a way to include other things in a license "component" in order
for it to work correctly:

- Different Key Types (demo/trial/perm)
- Fixed/Specific Product Versions
- Concurrent Usages (maybe 1 key for several computers)
- Shared License Keys (multiple computers but only 1 at a time)
- Other Product Specific Settings (Max. # of something, specific server
ti can connect to, specific features that were purchased, etc.)

This all needs to be designed so that it cannot be changed by the user,
but can still be decoded (which means no HASH algo) by the program so it
can use the information. You will want to get access to the username,
product version, etc. in your application.

Here is an example of what I mean by this.

Example License Format:
-------------------------------------
[Application Name]
[Version]
[Application Specific Features or Information]
[LicenseType (perm/demo)]
[exp. date if demo]
[encrypted license key of HD+MAC address]
[encrypted CRC value of entire license key]
-------------------------------------

Example License Key:
-------------------------------------
SomeApp
1.2.0.0
EditorFeature|DesignerFeature|QueryFeature|ServerF eature=215.128.56.12
PERM
00/00/0000
ab86af7e890da8ab78c98ea9bd8ffa7e
1e67a01f3bc1
-------------------------------------

The above sample would be the actual license key that the user receives.
It has human readable information but it cannot be changed because of the
CRC of the entire key on the end. The encrypted key (HD+MAC) is used to
verify it is valid as well.

Also, you need to have more then a simple method call like bool
CheckLicenseKey() in your code otherwise it will be easy to hack it and
perform a simple JMP around the check - or even worse find out how to
generate your own keys! Once it is "known" to one user how to
break/hack/generate a key it is known to everyone thanks to the WWW. An
ideal solution would somehow encrypt the binary code of the application
so it would be hard to determine where the license checks are made (and I
mean CHECKS and not check since you should perform multiple checks of a
license key in different key areas.) Also, it should not set some global
variable like bKeyValid because that is a VERY simple thing to hack.

There are a lot of companies out there that make licensing software and
most software developers who need a decent solution use them for a reason
- because it takes more then an "above-room-temperature IQ" to get it
done correctly.

If you want half-arse: do it yourself.
If you want it done right: purchase something.

Of all the things you could skimp on during development the licensing is
not one of them because once it is hacked it becomes freeware!

I do not develop/selllicensing software so I am not trying to suggest any
particular product that is out there.

--
Chuck C
ElSeeker.at.hotmail.com
Software Developer

Hey Chuck,

I'm glad you understand all the issues I've already considered which is what
led me to looking at commercial software for this.

Thanks,
Joe

"Chuck C" <ElSeeker.at.hotmail.com> wrote in message
news:-t********************@comcast.com...

If you have a vendor whose solution you like, and the price is
affordable, go with it. Otherwise, with the above-summarized
information, any developer possessing an above-room-temperature IQ
could write their own.

Best of luck,
Peter

Sorry to say this but...that was a rude and incorrect thing to say!

Licensing is not a "do it yourself" project in my book unless you are
selling shareware programs as a hobby. Sure, you could make some half-
arsed encrypting system that sent a web request to a server and then
processed/saved the reply yourself easily - but that is only part of the
solution.

You need a way to include other things in a license "component" in order
for it to work correctly:

- Different Key Types (demo/trial/perm)
- Fixed/Specific Product Versions
- Concurrent Usages (maybe 1 key for several computers)
- Shared License Keys (multiple computers but only 1 at a time)
- Other Product Specific Settings (Max. # of something, specific server
ti can connect to, specific features that were purchased, etc.)

This all needs to be designed so that it cannot be changed by the user,
but can still be decoded (which means no HASH algo) by the program so it
can use the information. You will want to get access to the username,
product version, etc. in your application.

Here is an example of what I mean by this.

Example License Format:
-------------------------------------
[Application Name]
[Version]
[Application Specific Features or Information]
[LicenseType (perm/demo)]
[exp. date if demo]
[encrypted license key of HD+MAC address]
[encrypted CRC value of entire license key]
-------------------------------------

Example License Key:
-------------------------------------
SomeApp
1.2.0.0
EditorFeature|DesignerFeature|QueryFeature|ServerF eature=215.128.56.12
PERM
00/00/0000
ab86af7e890da8ab78c98ea9bd8ffa7e
1e67a01f3bc1
-------------------------------------

The above sample would be the actual license key that the user receives.
It has human readable information but it cannot be changed because of the
CRC of the entire key on the end. The encrypted key (HD+MAC) is used to
verify it is valid as well.

Also, you need to have more then a simple method call like bool
CheckLicenseKey() in your code otherwise it will be easy to hack it and
perform a simple JMP around the check - or even worse find out how to
generate your own keys! Once it is "known" to one user how to
break/hack/generate a key it is known to everyone thanks to the WWW. An
ideal solution would somehow encrypt the binary code of the application
so it would be hard to determine where the license checks are made (and I
mean CHECKS and not check since you should perform multiple checks of a
license key in different key areas.) Also, it should not set some global
variable like bKeyValid because that is a VERY simple thing to hack.

There are a lot of companies out there that make licensing software and
most software developers who need a decent solution use them for a reason
- because it takes more then an "above-room-temperature IQ" to get it
done correctly.

If you want half-arse: do it yourself.
If you want it done right: purchase something.

Of all the things you could skimp on during development the licensing is
not one of them because once it is hacked it becomes freeware!

I do not develop/selllicensing software so I am not trying to suggest any
particular product that is out there.

--
Chuck C
ElSeeker.at.hotmail.com
Software Developer

I agree. I would only add that even if you check IsValid in 100 places, that
would only slow them down a bit. They recompile or patch, and a hacked
version is on WWW in a day. One would still need to obfuscate so a simple
decompile can not be done. Even then, a good cracker can still jump around
and modify the IL and the app is again on the web in maybe 2 days. So you
can keep the honest out, not the thieves.

But that begs another question. The honest will pay anyway, the theives
will not. So all you are really doing is making it harder for the honest to
use and install your app and adding a bunch of license infrastructure
(generators, db storage, hosting, etc) to protect your app against a few
script kiddies that can't afford it anyway. Makes one wonder if it is even
worth the effort?

--
William Stacey [MVP]

"William Stacey [MVP]" <wi************@gmail.com> wrote in
news:#$**************@TK2MSFTNGP10.phx.gbl:

I agree. I would only add that even if you check IsValid in 100
places, that would only slow them down a bit. They recompile or
patch, and a hacked version is on WWW in a day. One would still need
to obfuscate so a simple decompile can not be done. Even then, a good
cracker can still jump around and modify the IL and the app is again
on the web in maybe 2 days. So you can keep the honest out, not the
thieves.

But that begs another question. The honest will pay anyway, the
theives will not. So all you are really doing is making it harder for
the honest to use and install your app and adding a bunch of license
infrastructure (generators, db storage, hosting, etc) to protect your
app against a few script kiddies that can't afford it anyway. Makes
one wonder if it is even worth the effort?

Yep.. Make it hard enough so the average user would be better off
purchasing a license then spending hours hacking it. The hackers are gonna
hack you just dont want to give them a golden opportunity.

Another thing to keep in mind is multiple products that you may
develop/distribute. If this is the case then it may be better to spend a
bit more for a licensing system that can "polymorph" itself a little bit
for each application - instead of the same exact strucuture/encryption/etc.
for every product. That way they have to hack all your products
individually instead of just one of them.

Good luck!

--
Chuck C
ElSeeker.at.hotmail.com
Software Developer

"Chuck C" wrote:

Yep.. Make it hard enough so the average user would be better off
purchasing a license then spending hours hacking it. The hackers are gonna
hack you just dont want to give them a golden opportunity.

Your typical warez user won't hack it themselves, isntead they'll goto thier
favorite sites and look for a crack someone else made. If your app is at all
popular, they'll be able to find it in a few minutes. This is the nuisance
bar your protection needs to stay below. IF you go too far above it, even
users who normally would buy a legit copy will get fed up and look into a
cracked one.