473,749 Members | 2,402 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Securing Software with License

I need advice on how to best to protect software with licenses.

We are developing a windows application that people can purchase and
download off the net, but the software needs to be protected by licensing.

The software is being written in vb.net v1.1.

If anyone knows any beeter places to post this message, please let me know.

Many thanks

Rob
Jan 25 '06 #1
4 2738
P1ayboy wrote:
I need advice on how to best to protect software with licenses.

We are developing a windows application that people can purchase and
download off the net, but the software needs to be protected by
licensing.

The software is being written in vb.net v1.1.

If anyone knows any beeter places to post this message, please let me
know.


I'd go for signed xml files. You can create them at your own server
and add any info you want, like the name of the customer. Signed xml is
easily read with .NET code and checked (it's build in).

Another approach is a key-code but that's less personal to the
customer and you run the risk of having your serial codes end up on
some crack site.

You can also purchase a commercial licensing library, like Xheo
licensing. These typically implement a few different ways of doing
licensing, like signed xml files or serial numbers.

Either way, you have to protect your own code from disassembling and
removal of the protection code. So obfuscate the code, sign your
assemblies, check at random places that the public token on the
assemblies is still yours and if not set a random variable to null so
the app crashes somewhere else.

That said, also read:
http://software.ericsink.com/bos/Transparency.html

about how far you should go in protecting your own software, as the
more you do to protect your software, the more you likely will annoy
your (potential) customers. :)

FB

--
------------------------------------------------------------------------
Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
My .NET blog: http://weblogs.asp.net/fbouma
Microsoft MVP (C#)
------------------------------------------------------------------------
Jan 26 '06 #2
Frans Bouma [C# MVP] wrote:

I'd go for signed xml files. You can create them at your own server
and add any info you want, like the name of the customer. Signed xml is
easily read with .NET code and checked (it's build in).
That by itself is hardly what I'd call protection. Even if it's
obfuscated, it's still far too easy to find the
SignedXml::Chec kSignature call(s) in the IL and NOP the following
brfalse (or even NOP the entire check altogether, licenses wouldn't even
need to be signed anymore vs no need for a valid signature). It would
probably take all of 5 minutes to crack that app... If your app is known
at all or useful, it'll be on crack sites within minutes. I would call
this more like an annoyance to crackers more than protection really.
Another approach is a key-code but that's less personal to the
customer and you run the risk of having your serial codes end up on
some crack site.

Indeed. That alone is enough either, and that is bound to happen too
(possibly keygens or hand-made "unlimited" licenses too)
You can also purchase a commercial licensing library, like Xheo
licensing. These typically implement a few different ways of doing
licensing, like signed xml files or serial numbers.
Some of those suck, some are great... One has to pick the right one (and
preferably at the right price too). I haven't looked at those
extensively, can't really make recommendations . Chances are you'll find
universal "unlockers" for apps protected with specific protections.

Either way, you have to protect your own code from disassembling and
removal of the protection code. So obfuscate the code, sign your
assemblies, check at random places that the public token on the
assemblies is still yours and if not set a random variable to null so
the app crashes somewhere else.
Obfuscation is obviously a must, but it's not enough in itself (it can
only obfuscate so much; the thing still has to run; and not all
obfuscators are created equal obviously).

Signatures can be removed too (same for checks), it's not that hard...
Useful as an "extra step" to make cracker's lives miserable, but far
from enough either. Encryption can't hurt either (but key management can
be a pain, DPAPI is always an option).

But the "hidden checks" option is a VERY good one indeed (whether it
checks dates/timestamps or such, parts of the serial that isn't normally
checked (more "in depth" checks on parts of the serial), anything goes).
Hide them as well as you can, in places no one would look: called at the
middle of some functions your program does or on some special events,
perhaps only start to use some of the checks X days after install so the
crackers think it works, release it, the crack-addicts download and
install it, only to find out in a couple days it's not working right,
etc. You can also make some of these hidden checks run only sometimes
(5% chance or such), which again will make it harder to find them, but
will cripple the badly-cracked programs. Make the checks work off
non-obvious indirect copies of the licensing data or such kept in RAM
(hard to keep track of a couple dozen memory locations with variants of
the registration info and such) The more hidden checks, and the better
they're hidden the better. Those are the most likely parts to be
missed/troublesome/time-wasting/frustrating to crackers, and the people
using your soft illegally will tire of it, and hopefully see a value in
purchasing your useful program. Make them tired of buggy cracks, and
they may want a stable version enough to pay for it... You can offer
some "perks" to paying members too to make it even more attractive
(newer builds and bugfixes sooner, member advantages like forums or
extra downloads, access to betas of the next versions, dicsounted
upgrades, whatever you want). Of course this is by far the most
complicated and time consuming option to protect your programs, but it's
perhaps one of the most "secure" things you can do (almost impossible to
find all hidden checks) and that annoys those using illegal versions the
most.

That said, also read:
http://software.ericsink.com/bos/Transparency.html

about how far you should go in protecting your own software, as the
more you do to protect your software, the more you likely will annoy
your (potential) customers. :)

FB


The tougher the better, but eventually it can become rather complex and
time consuming (one would rather spend their time add new neat features
to their apps to make people want to purchase it instead and such). And
it's sad to see a protection that you've spent so much time onto be
broken when it happens... The never ending battle :)
Jan 26 '06 #3
I agree with pretty much everything John said above. There are really
two aspects to consider. The first is generating customer unique
license keys that can't be reverse engineered by inspecting your code.
For this you really need a system that uses some form of public key
encryption. Our company, Infralution, offers a low cost licensing
solution that does this (www.infralution.com/licensing.html).

The second aspect is preventing crackers simply bypassing your license
checks by nulling out statements or simply recompiling your whole
application. Unfortunately there is bullet proof way to do this. If
you visit some of the crack sites you will see that just about all of
the protection/obfuscation products have themselves been cracked - so
your best insurance is the sort of approach that John recommended where
at least the cracker will have to put some effort in understanding your
particular code.

There is also really good article on Code Project
(http://www.codeproject.com/gen/desig...tialWisdom.asp) about
the balance between protecting your code and making life difficult for
your legitimate customers.

Grant Frisken
Infralution
www.infralution.com

Jan 26 '06 #4
john smith wrote:
Frans Bouma [C# MVP] wrote:

I'd go for signed xml files. You can create them at your own server
and add any info you want, like the name of the customer. Signed
xml is easily read with .NET code and checked (it's build in).
That by itself is hardly what I'd call protection. Even if it's
obfuscated, it's still far too easy to find the
SignedXml::Chec kSignature call(s) in the IL and NOP the following
brfalse (or even NOP the entire check altogether, licenses wouldn't
even need to be signed anymore vs no need for a valid signature). It
would probably take all of 5 minutes to crack that app... If your app
is known at all or useful, it'll be on crack sites within minutes. I
would call this more like an annoyance to crackers more than
protection really.


No it's not :)
I agree the license check is found in 5 minutes, though that's not the
point. The point is that to remove it, you have to remove the signature
as well, as the code is signed.

To do that is a little harder. Ildasm -> file, remove signature ->
ilasm
And if the app consists of multiple assemblies, you have to do that
with all assemblies.

And now comes the fun part, by removing the signature, you have to
remove the public token of the original signer. And _THAT_ can be
checked in 1 line of code with obscure byte checking code you
definitely won't find easily, even in non-obfuscated code.

Because that check is so simple yet very effective, you can add it to
a lot of routines. There a failed check simply sets a reference to null
or clears some collection or whatever. A crash will follow later on.
It's a tactic used by many applications and works very well, because
it's very hard to track down where the test actually was, because it
doesn't display a popup with "LICENSE VIOLATED", but sets up a bomb
which goes off later.

Furthermore, you can't win from professional crackers who spend days
if not weeks to find the protection. You simply cant. So that's a
given. What it does however is protecting you from the large group of
wannabe crackers in a random office, you know the guy in the corner who
likes to give it a try over lunch. It gets a drag and they lose
interest if it takes them hours to find all the public token checks, if
they even find one.

The signed license file with a name of the customer has another
purpose: it stops your customer for spreading their license file to
others, because their name is in the file. A serial number is
anonymous, the signed license file isn't. So if that ends up on a
cracksite, the vendor knows immediately who spread the license.
You can also purchase a commercial licensing library, like Xheo
licensing. These typically implement a few different ways of doing
licensing, like signed xml files or serial numbers.


Some of those suck, some are great... One has to pick the right one
(and preferably at the right price too). I haven't looked at those
extensively, can't really make recommendations . Chances are you'll
find universal "unlockers" for apps protected with specific
protections.


The older xheo licenser wasn't that good as it was easy to find the
trial installation date holder (the object (file/regkey whatever) which
holds the installation date to check how long a trial is running). Now
they're pretty good, as in: it will take the random office 'I'll give
it a try'-cracker too much time to break it. (IMHO)
Either way, you have to protect your own code from disassembling
and removal of the protection code. So obfuscate the code, sign your
assemblies, check at random places that the public token on the
assemblies is still yours and if not set a random variable to null
so the app crashes somewhere else.


Obfuscation is obviously a must, but it's not enough in itself (it
can only obfuscate so much; the thing still has to run; and not all
obfuscators are created equal obviously).


- make all types, properties and methods in the .exe at least internal
and if possible private.
- don't use popups in the check routine but create a long trail of
calls/routines which in the end lead to the result if the license is
valid or not.

Especially the first step is essential. Because of that, a LOT is
obfuscated, much more than you'd get with public
types/methods/properties.
Signatures can be removed too (same for checks), it's not that
hard... Useful as an "extra step" to make cracker's lives miserable,
but far from enough either. Encryption can't hurt either (but key
management can be a pain, DPAPI is always an option).
But the "hidden checks" option is a VERY good one indeed (whether it
checks dates/timestamps or such, parts of the serial that isn't
normally checked (more "in depth" checks on parts of the serial),
anything goes). Hide them as well as you can, in places no one would
look: called at the middle of some functions your program does or on
some special events, perhaps only start to use some of the checks X
days after install so the crackers think it works, release it, the
crack-addicts download and install it, only to find out in a couple
days it's not working right, etc. You can also make some of these
hidden checks run only sometimes (5% chance or such), which again
will make it harder to find them, but will cripple the badly-cracked
programs. Make the checks work off non-obvious indirect copies of the
licensing data or such kept in RAM (hard to keep track of a couple
dozen memory locations with variants of the registration info and
such) The more hidden checks, and the better they're hidden the
better. Those are the most likely parts to be
missed/troublesome/time-wasting/frustrating to crackers, and the
people using your soft illegally will tire of it, and hopefully see a
value in purchasing your useful program. Make them tired of buggy
cracks, and they may want a stable version enough to pay for it...
You can offer some "perks" to paying members too to make it even more
attractive (newer builds and bugfixes sooner, member advantages like
forums or extra downloads, access to betas of the next versions,
dicsounted upgrades, whatever you want). Of course this is by far the
most complicated and time consuming option to protect your programs,
but it's perhaps one of the most "secure" things you can do (almost
impossible to find all hidden checks) and that annoys those using
illegal versions the most.


It's time consuming indeed, but well worth it. I once read on the blog
of the author of Feeddeamon rss reader that he got complaints from
people that the software crashed in several parts, though that was on
purpose, because they used a cracked copy :).

Though as I said in my previous post: keep in mind for whom you're
protecting your software. Don't try to outsmart the professionals,
these have too much time on their hands. Try to outsmart the random
office hacker. That won't take too much time, and in general you'll be
fine.

In general, if your protection is quite good, you'll see another
phenomenon: people using illegally obtained creditcard numbers to
purchase your software, with that get a license and be done with it. No
protection helps you avoid those attempts, except one:
sell a temp license to the customer, which is then used after 60 days
to obtain a real license on the website. In that period, the legal
owner of the creditcards often spotted odd payments and blocked the
card and you can then block the license.

Though this is an annoyance to users, and it's therefore perhaps not
worth the effort, but it's an idea to keep in mind. :)
That said, also read:
http://software.ericsink.com/bos/Transparency.html

about how far you should go in protecting your own software, as the
more you do to protect your software, the more you likely will annoy
your (potential) customers. :)

FB


The tougher the better, but eventually it can become rather complex
and time consuming (one would rather spend their time add new neat
features to their apps to make people want to purchase it instead and
such). And it's sad to see a protection that you've spent so much
time onto be broken when it happens... The never ending battle :)


yeah :). I still remember the feeling I had when someone broke my
'unbreakable' protection in 5 minutes back in 2003. I was shocked. It
turned out I made a dozen mistakes in a row and luckily the guy was
quite friendly and helped me with a lot of hints to look into. One was
for example to make the main form sealed and internal, as you can
rename a .exe to .dll and reference it from another .exe assembly and
instantiate code from there. THe sealed part was necessary so you
couldn't create a subclass and do license voodoo with reflection.

Often it can be pretty simple to avoid these kind of mistakes, so it's
not that hard to close those holes. Though to protect you from every
cracker is simply too time consuming, and IMHO not worth the effort:
they will crack it anyway, IF they're interested. I mean, if you can
crack the modern cdrom protection schemes, you aren't a small guy as
these protection schemes are very tough (even in the old days when I
did 68000 assembler coding on an amiga and knew the disk IO hardware
inside/out I sometimes couldn't follow the schemes some people were
able to cook up to protect their code, but there was always a guy who
was able to crack it): illegal instructions, selfmodifying code etc.
etc.

FB

--
------------------------------------------------------------------------
Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
My .NET blog: http://weblogs.asp.net/fbouma
Microsoft MVP (C#)
------------------------------------------------------------------------
Jan 27 '06 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

31
2750
by: poisondart | last post by:
Hi, I'm not sure if this is the right group to post this. If not, then I would appreciate if somebody could point me to the correct group. This is my first time releasing software to the public and I'm wanting to release a Python program I wrote for review (and critique) and testing on other platforms, but also I would like to explore the different software licenses that are available (there seems to be many). Since the specification...
39
4219
by: Kaarel | last post by:
I don't feel very confident when it comes to software licenses. But there are some cases I would like to make myself clear. What I am particulary interested in is when does GPL license become restrictive? For example say a company has a proprietary software product that only works with MySQL and no other database system. Are the following cases legal? 1) This company sells his product under proprietary license and leaves it up to the...
74
8038
by: John Wells | last post by:
Yes, I know you've seen the above subject before, so please be gentle with the flamethrowers. I'm preparing to enter a discussion with management at my company regarding going forward as either a MySql shop or a Postgresql shop. It's my opinion that we should be using PG, because of the full ACID support, and the license involved. A consultant my company hired before bringing me in is pushing hard for MySql, citing speed and community...
2
1607
by: James | last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it with every function call from my windows client. Any alternatives?
9
1916
by: John | last post by:
Hi, I would like to protect my software from copying. What are best tools for it (hardware protection is not an option), do you have some reccomendation for protection or third party software that works? Thanks very much John
19
2209
by: John | last post by:
I would like to use some third party software for copy protection, software that prevents from copy paste program to another computer (not obfuscator). I am looking for some good solution (hardware lock is not an option). Can you reccomend me software based on your experiences?
6
19544
by: Joe | last post by:
Sorry this is OT... I'm looking for recommendations for generating license keys (machine specific) for our application. I was looking at Quick Licenses Manager which looks pretty good. Is there any favorites? -Joe
4
1509
by: LW | last post by:
Who among this group believes that Microsoft (or any other creator of intellectual property) does NOT have both a RIGHT and a DUTY to protect the product of their minds? =========================================================== Microsoft denies WGA kill switch in Windows XP Eric Lai June 30, 2006 (Computerworld) Microsoft Corp. today denied speculation that it plans to cripple copies of Windows XP for users
26
10166
by: T | last post by:
We all know that there are many softwares that require some license key or registration key to enable them. How does one implement something like this in python?
0
8996
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
9566
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9254
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
8256
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
6800
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
6078
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4879
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
3319
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2791
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.