C#: How to Make it Harder for Hacker/Cracker to Get Around or Bypass the Licensing Check?

Question

First of all, I understand that almost all applications can be cracked (especially written in C#). My question here is to make it a little bit harder to crack.

Suppose that the user has saved the License file under the Application.StartupPath, where all users can read.

And then, every time when the application starts, it will check if it can find and verify the license file.

If the application can find and verify, we let the user to continue with full functionalities.

If not, we prompt a MessageBox showing "Unlicensed, continue to use with trial version, functionalities limited."

My question is, if I'm a hacker/cracker, I would try to get around or bypass the licensing check instead of cracking the license file, because, if we use RSA signature, it's very difficult to crack a license file.

So where should we put the license check?

P.S.: and also, is it safe if I put a global variable IsLicensed (true / false) to limit the functionalities? Is it easy for a hacker to change IsLicensed = true?

related: http://stackoverflow.com/q/506282/103167 – Ben Voigt Apr 02 '12 at 21:51 — Ben Voigt, Apr 02 '12 at 21:51

score 51 · Accepted Answer · answered Dec 26 '10 at 02:57

51

The #1 law of software licensing: You don't control your software once you allow it to be installed on a computer you don't control.

If you want to keep control over your code, you need to make it a web service and give the end user just a thin client that interfaces to that web service.

In many scenarios, this is unacceptable, because users want to be able to use their software even when they don't have an internet connection.

In almost all cases, you should focus on making the user experience better, and all forms of copy protection make it worse instead. Once you get to the point where the experience of downloading from a warez site and running it through several virus scans is better than doing the license setup for the legit version, you've lost.

answered Dec 26 '10 at 02:57

Ben Voigt

277,958
43
419
720

+1 couldn't have said it better myself – AndersK Dec 26 '10 at 03:01
5

This. It's not good to pour time developing copy protection, since that time could have been used for the actual application development. – Gustavo Puma Dec 26 '10 at 03:07
1

@Ben Voigt and vash47: I understand what you mean. but here what I want to do is just to make it a little bit harder to cracker. There should be some trivial cracking thoughts in our minds. – Peter Lee Dec 26 '10 at 03:16
1

@Peter Lee: If all you want is to make it a "little" harder to crack, then use a good obfuscator (note: dotfuscator is not a very good obfuscator). – Jeff Hubbard Dec 26 '10 at 03:26
4

@Peter: That's a waste of time. If you're not an expert, you will spend hours to slow crackers down a few minutes. The most cost-effective target is "keep honest people honest, and don't worry about crackers", but even that degrades the user experience a little. – Ben Voigt Dec 26 '10 at 03:29
4

In addition to this: If you actually have something worth protecting with a vigilant license/copy protection, you're probably working on something worth thousands of dollars, which would more or less imply you're not flying solo. Even then, I'd almost suggest outsourcing the licensing part to a company specialized in just that. But a +1 for not worrying to much, and certainly a +1 for making sure your copy protection doesn't spoil the user experience of your program! – Erik van Brakel Dec 26 '10 at 03:30
@Erik: I agree. I think some 3rd party professional software should work better than what I have :-) – Peter Lee Dec 26 '10 at 03:36

score 1 · Answer 2 · answered Dec 26 '10 at 02:51

1

You can obfuscate the code (make it harder to decompile/use the reflector on it), but with enough energy and knowledge, it will get broken, after that it's quite easy to change the bytecode of the assembly, thus circumventing the license check. Also, you could invest the money to make it possible for you to sign your assemblies, which would make it harder to change the assembly itself, but with enough energy (more than just breaking the obfuscation) this can also be circumvented.

Your goal shouldn't be to make the license process unbreakable, but to make your software itself worth to buy. This is a much better protection. Crackers (and only them, hackers are something completely different, see this article for more) won't be hindered by that, but with the software being worth it, much more people would buy it.

answered Dec 26 '10 at 02:51

Femaref

60,705
7
138
176

@Fermaref: yes, I think obfuscating the code will make it harder to crack. – Peter Lee Dec 26 '10 at 03:19
1

Code signing really only makes it more difficult to fool the user into thinking the files are authentic. But in this case the user is intending to use a cracked version, so code signing does precisely nothing. – Ben Voigt Dec 26 '10 at 03:33
That's not correct Ben. Code signing means the assembly is strongly named, meaning it provides a way for the framework to check it's authentency, so the IL code in it can't be changed unless you get rid of the strong name as well (which, quite frankly, is possible). It is just another slowdown (as all references in all assemblies have to be changed as well), but with enough time, will be broken as well. – Femaref Dec 26 '10 at 13:59
1

No; all you need to do is `sn -Vr` to bypass verification. – SLaks Dec 26 '10 at 19:45
Does this also account for strong name references in assemblies? – Femaref Dec 26 '10 at 19:55
@Femaref: I wouldn't say it *also* does that. Skipping strong name checking is the primary purpose of the `-Vr` option. Not a side effect, not an afterthought. Ignoring strong names in assembly references is what it does. – Ben Voigt Jul 16 '13 at 15:10

score 1 · Answer 3 · answered Dec 26 '10 at 02:55

1

I think that check should be done in several different places in the source code; it is much harder to catch all of them than only one. Also, if wants to protect program written in C# (or any other .NET language), one should consider to use some obfuscator. In counterpart a cracker or even lamer will be able to crack a program using some software like .NET Reflector

answered Dec 26 '10 at 02:55

Vladimir

1,781
13
12

I will try obfuscating the code :-) thanks. – Peter Lee Dec 26 '10 at 03:20

score 0 · Answer 4 · answered Dec 26 '10 at 03:04

As mentioned previously, one can simply use .NET reflector to get the entire source code of your software (in fact, it can even get it in VB.NET or other languages even if you're written it in C#!). You must obfuscate your assembly if you hope to have even a chance at slowing a cracker's progress.

What is to stop people from directly copying licenses? If you have a license which is signed, it will then just be signed in two places -- what have you put in place to stop this? Never mind whether a global variable would further weaken your protection without taking into account trivial "cracks."

There really is no good answer to this as Ben Voigt pointed out. If you need something that is uncopyable, make it a closed-source web application. Astalavista will show you that most things have been cracked. Adobe products which cost thousands of dollars have been cracked and I'm sure their employees are quite well versed in copy protection techniques.

obfuscating the code is a good idea, but I think at the same time, put the licensing check somewhere should also make it harder to break, which is my real question. — Peter Lee, Dec 26 '10 at 03:21

C#: How to Make it Harder for Hacker/Cracker to Get Around or Bypass the Licensing Check?

4 Answers4

Linked

Related