I have written a software which I would like to bind to mac. Is there any specific algorithm to bind mac address with my software? Thank you for help !
Edit:
I want to provide serial number according to user's mac address.
The comment above is right - the MAC address is widely used for node-locking, but it is a poor choice as it is easily changed in OS.
A more secure approach is to use a combination of hardware and software system parameters, such as hard disk ID, system name, user OS login name, CPU ID etc.. The selection available will depend on the specific OS and programming language you use.
However, to avoid problems down the road, I'd suggest you think about the following:
How do you obtain the system parameters? If you ask the user to provide them there is opportunity for human error, such as entering a '1' for an 'l' or a '0' for an 'O'. Then the license won't work and the user will be inconvenienced.
What if the parameter you lock to changes, say if the user upgrades their system by changing a piece of hardware? Will it break your system and need the user to request a new license from you?
What if the user wants to move their license to another system, or to a new machine? Can your licensing system allow this without making it easy for the user to run one license on both the old and new systems?
These are the kinds of issues that cause home-built licensing systems to annoy legitimate users, and not be very secure against would-be hackers.
Commercial licensing systems should of course have dealt with these and other issues already.
Write MAC Adress into a kind of license file.
On startup read the MAC-Adress and compare it with configured.
If not equal --> stop with error.
To create a unique serial number out of a mac address you have to apply an algorithm to macaddress. There are some comercial tools for that for you professionally.
Some thoughts to licensing can be found here and here
I take it you're looking to achieve some sort of node-locking of your app to a specific device. If so, you might be disappointed to learn that the MAC address is not always a persistent value on a device. In fact, some devices have multiple MAC addresses, so it's not a particularly reliable value to use when looking to find a persistent hardware ID to bind to.
Our solution for Node-Locking Licenses to a device at LicenseSpring (we specialize in this sort of stuff) is that we generate a device fingerprint by hashing the serial numbers of some of the hardware we read on the device (such as the CPUID + BaseboardID + SystemDiskID). When the end user retrieves the license key, they use that hash along with the license key to perform a license check, which is computed on the fly. The license key is set to only be usable on a finite number of devices, so if another device tries to use the license key, they will compute a different hardwareID and be blocked.
So long as you're hashing those serial numbers in the same way, you won't run into any trouble...
You CAN store information in the key itself, such as product info / device info etc.
but I would also advise against that. Mainly because there's only so much info that can fit into a key, and then it makes it quite easy to reverse engineer.
Instead, I'd suggest you use the server response from the online license check to send back license entitlements as well as signing the server response, and use that to control the state of your application.
Related
I am currently working on an application which will audit computers, and one of the things that it is mandatory for this app to achieve is to get the license key from the install of OEM windows and Retail Office, in order to retain this information for future purposes, such as re-installation and move from one machine to another (this part is more for office).
The requirement here is specifically NOT to use any apps that already find keys, this is a BIG no no for the project.
The goal is to have a comprehensive audit of the user's PC:
hardware info, software installed, user account name, pc name, domain currently used, workgroup, antivirus used, running processes, startup processes, and LICENSE KEYS. And it has to be custom tailored for this specific purpose, so retail apps are instantly out of the question.
Now I am very confident I can do everything myself. Frankly, I already did 50% of this. Where I am stuck is finding where the license keys are stored within windows.. It has been eluding me for a week now.. Internet searching only refers me to sites that offer the easy and lazy option of using a pre-made key finder.
Initially I thought that these would be somehow squirreled away in the registry, but a plaintext search of my own personal Office key returned a great big nothing. Which leaves me to wonder if these keys are stored in the registry, are they perhaps in there as HEX? Or encrypted?
Or if not, where could they be stored?
The literally used keys are not stored on the computer.
However the registry contains a value which is based on the original key. There is software (which you stated is "a big no no") which you can use to calculate the original key based on these values.
If you want to do this yourself then you might want to take a look at bytes 34 through 42 from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\DigitalProductId (for windows). Office uses something similar.
I have an application I want to protect by requiring my users to register.
I also want to ensure that they can't install on more than two machines.
To do this I need to know where to find a unique hardware ID number, and utilize that in the registration code.
All I need to know is how to get that number using code.
As others have pointed out, there is really no such thing as a unique hardware ID. Others who have come before you have tried to use various things (e.g. motherboard serial number, CPU serial number, HDD serial number, MAC address) or combinations of those things, but they are all problematic in their own way. Serial numbers are not always returned by all drivers and even if they do, they can easily change if the hardware is upgraded or replaced. Also, the serial numbers can technically be repeated by different vendors and especially on virtual machines. MAC addresses are problematic because there are often multiple and they change often, especially with VPN's. Also, MAC addresses are often duplicated by multiple machines using the same VPN software. You could use the Windows Installation serial number, but this can also be duplicated and changes with OS upgrades. The simple answer is, when possible, don't. If you must do something like this, it would be better to have a way to programmatically mark each computer that your software is installed on by writing an encrypted GUID to someplace on the harddrive and provide an easy mechanism for your support staff to retag any computer at will.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
We plan to sell a Windows portable application. By 'portable' I mean that it can be run from any Windows computer without installing it. For example from an USB stick etc. However the application while (theoretically) it can work anywhere, is targeted to LAN environments.
What solutions do you see that while keeping this advantage (in a more or a lesser degree) to still make money from it?
PS: The application is/will be written in Delphi.
If you are offering your product for sale and not for free, then you will most likely make money from it. If what you are asking is how to maximize the income and prevent piracy, then that is a more specific question.
The key to making money with software is to make the purchase route less painful then the piracy route. Usually the biggest hurdle to purchasing software is the price tag (but not always, some people just will never buy software and always pirate, but you can't do anything about that). And the biggest hurdle to piracy is some sort of DRM scheme, which is actually the second largest hurdle to purchasing software. Often times DRM only annoys the legitimate purchases, while the pirated version has all the DRM removed with less effort then you spend to put it in. Thanks to the wonder of electronic duplication, once the DRM is removed, then everyone can have a DRM free copy.
So you want a solution that only annoys illegitimate usage, but not legitimate purchases. This is much harder to do then expected.
Depending on the price tag for your software you might consider deploying it on a keyed USB drive (i.e. Dongle or USB stick with some special key). Then it is portable, but only on the hardware you provide. The user never has to worry about a secondary authentication scheme, and the DRM only becomes an issue when the hardware (which is harder to duplicate) is changed.
You say that it is only for a LAN environment, which doesn't necessarily mean that the computers will have internet access (and if they do, they probably have a proxy requirement) which means "phoning home" will be problematic. If you want the product to only be used on a specific LAN then you might require a license server to be installed on the LAN. Then the software could always check with the license server to make sure it is authorized. That won't work if you want it to run on multiple LAN's though.
Conversely if your price is low enough then most companies and people would rather buy the correct licenses and not risk the piracy. In actuality, depending on your clientele, most people will prefer legitimate licenses when they can, and DRM can actually discourage them from buying licenses.
Some alternatives:
Use a dongle, where the user of the software must plug in the dongle before your application can work.
At startup read a configuration file and if this is invalid or missing, halt the application or reduce its functionality. The configuration file should contain information about the user or company that licensed your software, and also a checksum to prevent users from changing the file. With such a file, serious companies are less likely to distribute this configuration files to others. Of course, you should then create one such configuration file per user that licenses your software.
Optionally, include specific computer information (type, memory, bios date, system guid, ...) that prevents the application from being run on other computers.
Make sure you make money from the service you can deliver, not only from the software you are selling. This service can include: providing upgrades, taking suggestions for improvements, assisting with problems, helping with domain-specific knowledge, ...
You can use some sort of license file and a "phone home" option that makes sure the same license is not used at more than one place concurrently.
If you have a large ordfer, you could try to get a memory stick with a special serial number and/or value in it that you can read out in the software (eg the exe must reside on a special memory stick)
Please note that a lot of users get quite annoyed by these things (we've used the first option)
Also please note that if commercially interesting, your app will be hacked. Make sure the effort someone has to take outweighs the profit the could make
One approach that also helps some is by custom branding. Each copy you sell would have compiled into it the name of the company it was sold too, which can be displayed as part of the splash screen as well as the about screen (along with a button to view the license terms). Most often this branding is done by using an external file which contains the information encrypted that when placed in the same directory as the executable is used to unlock the application as well as possibly provide additional functionality.
Unfortunately with todays software firewalls, most of the simple solutions to disallow running multiple copies on a network are not practical while still maintaining true portability, or requiring internet access to a server that you fully control.
Yes, piracy is a problem, but if you continue to offer great support and there is an additional "visible" benefit to purchasing, you can help offset this in your favor.
If you need trial protection, you can count uses/days if you have any sort of database where the user will have invested time and data, and won't want to lose it. Just encrypt the counter and place in the database somwhere. The user can then only reset the trial by wiping out the database. Depending on the type of app, this may be effective, or not.
Another approach is to not have a portable trial at all, but offer it as an incentive for purchase. i.e. conduct the trial on the desktop, and when they purchase a license, they get a license key that allows it to run on portable devices.
I recommend the PortableApps.Com framework for launching your app. It's free. You need to make your "launcher" open-source, but not your app itself. You can still run on a bare drive, if you follow their pattern.
I'm developing a commercial project on an ARM based embedded board with a custom Linux kernel on it, using Ruby. Target workspace of the project and the device is a closed-environment, no ethernet, inernet, I/O devices etc... I want to protect my code/program so that; it'll only work on the specific machines I let (so; people cant just copy and paste my code/program on to their embedded boards and run it w/o permission). This can probably done with the machine's MAC address tho; I don't have any experience on the subject. I guess, just a simple if(device.MACAddr == "XX:XX....XX") wouldn't be depandable (not to mention people can just easily delete the check from my code). I can't use some ruby obfuscators, which I found thru google, beacuse; the device doesnt run ruby-external-C-libraries or such stuff, only pure ruby code.
So; what are your suggestions, what type of approach should I take?
you can't really protect it, its hard enough protecting native code! and even then that basically fails if someone really wants to copy the software.
basically do very little if anything to secure it, its mostly wasted time and effort
This is isomorphic to the problem of DRM. You're giving a person both a lock and the key to that lock, and trying to stop that person from using the key in a way you don't like.
Therefore, I suggest using the same methods that other DRM users do: put your terms in the license, and sue them if they violate it. You need to use the law to enforce the other terms of the license, anyway.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am thinking of implementing a good licensing mechanism that has a good resistance against piracy. The required mechanism should not use an internet connection at each and every time the software is used. I am thinking of a mechanism based on hardware IDs etc. Do you guys have any better suggestions? What are the parameters/algorithms/characteristics that I need to concern to make a hack proof license mechanism?
Ideally you need something that is OS independent.
I would recommend that you embed the license protection within your code or wrap your application within it in such a way that it cannot be run without the copy protection code having run first.
It would be best if your application needs a license key file in order to operate and that this isn't generated locally.
One way of doing this is that your application generates some form of image code based upon the hardware on it's initial run. This is supplied to you and in return you supply the license key which will allow the code to run. Best to base the hardware image around CPU and motherboard as these will change the least often.
Your app. should check against hardware image and license key whenever it is run.
If you want your app. license time limited then it should also keep track of how long it has run and embed it within the license key file.
Don't forget to encrypt the license file.
Also don't forget to make it more difficult to reverse compile your executable by use of a dotfuscator or similar.
Check this question: What copy protection technique do you use?
It also links to other related questions.
First of all, nothing is hackproof, so i wouldn't spend too much time on protecting your software.
The downside of a mechanism based on hardware IDs is when a user buys a new computer or upgrades most of his computer he needs to update the key too.
HWHash is a pretty good HardwareID implementation, but i guess there are more (free) solutions.
At work we use Hardlock and Hasp keys, but these are usbkey solutions which are not very efficient for small applications.
I am thinking of implementing a good licensing mechanism that has a good resistance against piracy. The required mechanism should not use an internet connection at each and every time the software is used.
Then how about a periodic online check of the licence?
When the user logs in the first time, the user verifies the install against his account and a licence file is stored on the users PC. This licence file is encrypted and contains all the data needed to uniquely identify the license. This is all stored on your server.
The licence file expires in set number of days or even months. Logging in after the file expires checks against the account and verifies its legitimacy. You might even consider generating a new licence file at this time.
There should be some smarts that give some leeway in the case that the users internet is down and the licence cannot be registered. Perhaps 7 days.
If the software is reinstalled on a new computer the user has to repeat the verification process.
As the others have stated there is no way to beat a determined pirate, since such a person will hack the code, but this should prevent or slow down casual piracy.
You can check out Microsoft's SLP - I haven't used it, but it definitely looks interesting (yknow, IF you're into MS stuff...)
One important point to note - no licensing mechanism will protect you from piracy, or even substantially reduce it. By definition, the licensing mechanism will be client-side - which is inherently breakable. Take a look at all what happened with DRM...
Your guideline should therefore be usability - the intent should be to use it as a general policy, the good guys will be comfortably limited to what they're supposed to be allowed to do, and the bad guys - well, the bad guys will get around your intent anyway, your best hope is to make it more work.
I'd be very wary of published software protection mechanisms, as they are much more likely to have published hacks. You are probably better off using some of the techniques to get a unique persistent ID and use this to roll your own protection mechanism. I also think that it is a poor idea to simple check the license whenever you run the program, as this leads the hacker to the location of your proection mechanism. IMO, your are better checking the license in a more random fashion, and more than once per session.
FWIW, I use hardware locks (hasp) for my high end desktop software, and device ID based licensing on mobile solutions. If you are selling small quantities of high cost software in a vertical market, IMHO, a good license protection mechanism makes sense, and hardware dongles work well. My experience has been that people will use more licenses than they purchase if this is not in place. For high volume, low cost software, I'd tend to live with the piracy based on increasing the size of the user base and product visibility.