2

We have a custom license check method, which is very simple: we just check a registry key (a string, set by another process based on different parameters) and grant or reject the license.

I came to know that anybody can simply crack this once they get to know which regkey we are looking for, or by searching for the cmp instruction in the assembly code. I just wanted to know a better solution for this license check problem. I may not need a very complex procedure or any such, but it should be a little better than the current one.

I use C++\VC++ with Windows 7.

Thanks & Rgds, calvin

rplusg
  • possible duplicate of [Preventing copy protection circumvention](http://stackoverflow.com/questions/203229/preventing-copy-protection-circumvention) – tenfour Feb 17 '11 at 12:38
  • Thanks, your suggestion gives insights about part of my question. My question is more towards better ways and good practices. – rplusg Feb 17 '11 at 12:50

5 Answers

3

The only way to totally prevent cracking is to use a pay-as-you-go hosted application accessed by users remotely. That way someone without a valid paid account cannot use the application, and anyone handing his account credentials to others will pay for their use as well as his own.

No code (except possibly a stub to allow logging in) is ever sent to the client, let alone stored there, so the client can't ever operate without connecting to your server (which will hopefully not get compromised, but that's a sysop problem, not a coding problem).

Any other system you may adopt will essentially have to rely on the legal clout behind your license to deter people from cracking it.

jwenting
1

You could calculate a hash from a hardware-specific value and check for that value in the registry. This way it wouldn't be enough to find which value you are looking for, but also the algorithm.

A mathematically sound way of doing this would be to turn the computer-specific value (e.g. MAC address) into a prime number, multiply it with your own magic prime number and store the product.

Edit: Note, though, that it usually is not worth bothering with any protection scheme except very simple ones. Even large corporations are struggling with this problem.

Tim
  • ...But beware of people changing network cards; this can happen, for example, if the machine's motherboard is swapped under warranty. – Joel Mansford Feb 17 '11 at 12:22
  • @Joel: I agree. Most of these schemes cause more problems than they solve. – Tim Feb 17 '11 at 14:48
1

You need to somehow protect your code against reverse engineering; there are many so-called executable file protectors and I will not name them here. Regardless of what you calculate, just two NOP instructions will push the flow of the protection check in an undesired direction.

Of course, it really matters what kind of code you are protecting; for interpreted languages it is almost impossible to protect yourself.

Ah, sorry, I can name one, non-commercial: infamous Yoda's PE Protector.

globalheap
  • Sounds strange and interesting. Does anyone use this way? And if I'm using a high-level language like C++ or C#, how do I achieve this (using NOPs)? BTW, I liked this approach and gave an upvote. – rplusg Feb 17 '11 at 13:09
  • C# is interpreted, native unmanaged C++ is compiled - meaning C++ compiled projects always have a better chance to be protected. However, I've seen some commercial executable protectors that actually compile *a part* of the C# code (instead of obfuscating it, like Obfuscator .NET does). Of course people are using such protections; for example, all SecuROM games nowadays are protected with the proprietary code protection. Thanks for the upvote! :) – globalheap Feb 17 '11 at 13:37
  • One such protector is found here http://www.sofpro.com/ – globalheap Feb 17 '11 at 13:39
0

Any logic running locally will always be prone to circumvention. With regard to the actual storage of a license, depending on your application, I would write a web service and run your own server. Get the app to check with your service each time it starts that the license is still valid.

This also gives you much more flexibility; for example, you could revoke a licence if payment doesn't clear.

Joel Mansford
0

You can accomplish this using public/private key encryption. Have a local signed file, instead of the registry, that contains information about the license, and have a web server check that the license is valid once in a while. This should give you enough protection.

This can be done with LicenseSpot. On the site there's sample code, although only in C#.

Jose
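
The signed license file described in the last answer, as an added example (not code from any poster or from LicenseSpot): the vendor signs a JSON payload with a private key, and the client verifies it with only the public key, using RSA PKCS#1 v1.5 with SHA-256. Python is used so the block runs stand-alone; the demo key built from two Mersenne primes, the payload field names and both function names are assumptions made for this illustration.

```python
import hashlib, json
from datetime import date

# CONSTRUCTED DEMO KEY, insecure on purpose: two well-known Mersenne primes keep
# the block self-contained. A real vendor key is generated randomly, and only
# the public part (N, E) is ever compiled into the client.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays on the vendor's server
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue_license(fields: dict) -> dict:
    """Vendor side (hypothetical helper): sign the canonical JSON payload."""
    payload = json.dumps(fields, sort_keys=True).encode()
    sig = pow(int.from_bytes(_encode(payload), "big"), D, N)
    return {"payload": payload.decode(), "sig": format(sig, "x")}

def check_license(lic: dict, machine_id: str, today: date) -> bool:
    """Client side: needs only the public key (N, E)."""
    try:
        payload = lic["payload"].encode()
        sig = int(lic["sig"], 16)
        if not 0 <= sig < N:
            return False
        recovered = pow(sig, E, N).to_bytes(K, "big")
        # Compare the whole encoded block instead of parsing the padding.
        if recovered != _encode(payload):
            return False
        fields = json.loads(payload)   # parsed only after the signature checks out
        return (fields["machine"] == machine_id
                and date.fromisoformat(fields["expires"]) >= today)
    except (AttributeError, KeyError, TypeError, ValueError):
        return False

if __name__ == "__main__":
    # Constructed sample license, not real data.
    lic = issue_license({"licensee": "Example Ltd", "machine": "HW-1234",
                         "expires": "2030-01-01"})
    print(check_license(lic, "HW-1234", date(2025, 1, 1)))
```

The signature only stops a license file from being forged or edited; as the other answers note, a patched binary can still skip the call to the check.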