10

How do I best obfuscate my C#.net app Product Key verification code?

Is it enough to place it in a "INTERNAL SEALED CLASS CLASSNAME { };" or do I need to do more?

Thanks!

mmcdole
  • 91,488
  • 60
  • 186
  • 222
J3r3myK
  • 1,427
  • 2
  • 13
  • 21

3 Answers3

17

Access modifiers like internal and sealed don't have anything to do with obfuscation or code security, they just tell other classes how to interact (or not interact) with them.

At the end of the day, there's nothing you can do to prevent piracy. Anything created by one human can be broken by another. There are loads of questions on SO that deal with product keys, keeping software secure, etc. which you can find if you use the search mechanism in the upper-right. All the answers cover a few basic ideas that anyone with a little sense will tell you:

  1. Only put enough effort into your anti-piracy measures to make cracking the software a little less convenient than breaking out the credit card. If that's really hard to do, you are charging way too much for your customer base.
  2. If you focus on building positive relationships with your customers instead of assuming they are criminals, they will be more willing to give you money.
  3. Most customers - individuals and especially companies - don't have any interest in cracking open your assemblies and trying to figure out how to get away with not paying you. For individuals, they wouldn't pay for it anyway so you're not losing a sale; and companies wouldn't risk mountains of cash in legal problems for the cost of some software licenses.

Research public/private and elliptic key cryptography and you'll find ways to secure your key algorithm, but it will only prevent cracking the key, not bypassing it.

Rex M
  • 142,167
  • 33
  • 283
  • 313
  • What Rex M says is true. Use a public/private key encryption scheme to generate your keys. Obfuscate your code with something like Dotfuscator. But ultimately, people can still crack it if they want to by modifying some conditional jumps in the executable. – mmcdole Feb 02 '09 at 01:47
  • 2
    I agree to your 3rd point, but what about one individual/company buying only one license and using it on multiple machines, for this some protection is necessary right? – Akash Kava Jul 05 '10 at 07:35
2

I agree with Rex M, you should consider using an asymmetric encryption algorithm such as elliptic curves cryptography to avoid keygens. And if you are interested in a commercial solution then try Ellipter - it uses elliptic curves and has some useful features like product info and expiration data embedding into generated serial keys.

Roland
  • 71
  • 1
  • 2
  • Or any PGP system, really. Put the public key in the application, and let the application developer (or company) hold the private key. – Arafangion Jul 05 '10 at 07:57
0

Rex is correct, internal sealed class won't hide anything. Use a one-way encryption hash (e.g. MD5CryptoServiceProvider) to protect passwords and keys.

Community
  • 1
  • 1
Bob Nadler
  • 2,755
  • 24
  • 20