0

Wondering if anyone could point me in the write direction for how to generate a hwid securely in java. I need to lock my software to only certain hwids hard coded in an array.

The methods I’ve seen so far involve System.getEnv which can be easily overrided to provide the values of someone who’s hwid has been whitelisted.

Thanks

mastercooker
  • 43
  • 8
  • 2
    A) see https://stackoverflow.com/questions/1986732/how-to-get-a-unique-computer-identifier-in-java-like-disk-id-or-motherboard-id B) you understand that when you distribute your bytecode, someone might just change the content of that array? So, just to prevent that, you have end to end security in place, including hashing and verifying your binary deliveries? – GhostCat Jul 25 '19 at 12:19
  • C) The user's hardware is under their control, so you would *expect* a technically savy user to be able to override HWIDs. D) Just about every component in a PC is user replaceable. If you tie your software to the ids of various system components, you will have a lot of angry users complaining about your software breaking when they (say) replace a faulty hard drive, motherboard, etc. – Stephen C Jul 25 '19 at 14:13
  • Thanks @GhostCat , I hadn’t thought of MAC addresses, that’s a really good idea. And yes I had considered changing the memory or something similar, so the hwids are hashed securely and they’re identity isn’t obvious. – mastercooker Jul 25 '19 at 14:19
  • @StephenC , that was why I was asking. Luckily most NICs don’t allow MAC spoofing so I think that that would be a reliable enough hwid. And it is made very clear to customers that they are purchasing the software per hwid. – mastercooker Jul 25 '19 at 14:22
  • Interesting, anyway. But just for the record: consider to think up a better way than "putting bytes into some array in code". You could for example provide encrypted licence keys (that contain such a hwid). In other words: your approach will force you to compile your product specifically for each customer. That is a huge no-go for scaling and maintenance. Instead: have ONE application that only works when a local licence is in place that matches the expected hardware setup for example. – GhostCat Jul 25 '19 at 14:27
  • "Luckily most NICs don’t allow MAC spoofing". Really? I thought that most did allow it. – Stephen C Jul 25 '19 at 14:41
  • @StephenC a few do, however they are not mainstream. Most NICs you would find being mass sold are from companies like Realtek which don’t allow it. – mastercooker Jul 25 '19 at 16:11
  • 1
    @GhostCat interesting idea, thanks. I was thinking I could create a script to the backend of the payment site to automate changing the hwid and building on each purchase, but I guess that it would be better to go down your solution, I’m guessing involving some sort of hashing function to turn the hwid into a license key and then comparison on the client. – mastercooker Jul 25 '19 at 16:16

0 Answers0