|
|
Comments and Discussions
|
|
 |
|
If someone update machine/server date to prolong/validate the license date. So, the license will never expire. what do I do ?
Thanks
|
|
|
|
|
HI,
you can use a NTP server (or a list with few entry) to control date/time every x minutes.
You can combine with i.e.
- save somewhere the value (date/time, encrypted) after each connection to your NTP server. Next time, if you are not connected to internet, check the current machine date/time and compare with your saved value, it should not have a "older" value.
- If you don t have an internet connection for x days/week, you request it to continue to use the programm
|
|
|
|
|
|
A very nice artikel Simon, thanx !
I tried to translate it to vb but i constantly get the message "..License Terms Expired on:1-1-0001. Anyone tried this before?
Kind regards.
|
|
|
|
|
After some research this weekend everything works now in vb.net. Thanks again Simon !
|
|
|
|
|
Nice article 
RSA License protection + obfuscation = good protection
To go further, It is also possible to add hardware check and time ckeck.
|
|
|
|
|
|
Dear Sir ,
Thanks so much for the code . I really works like magic. I still wonder if I can make license check at the formLoad event. I tried it but without success. I got errors.
Also, regarding the publicKey. what is the best place to include into the application . I mean into application header as a constant variable or a normal variable.
Thanks,
|
|
|
|
|
Did it finally , Thanks.
But one question , what do you recommend me to protect the public key. do you recommend me to :
1- supply it into resource file
2- hard code it as a Constant string into my application.
3- hard code it as several sections , then combine them by code.
4- any other idea ? .
Also , are there any risk if the user knew the the public key ?
Thanks,
|
|
|
|
|
G'day,
The biggest vulnerability is if someone manages to replace the public key with their own. so:
1) DO NOT use a resource file for the public key. It is way too easy to find and change. DO however put a bunch of fake ones in as resources (so anyone hacking your system can waste hours replacing these to no avail)
2,3,4:
The best method I have found is to use simple steganography to embed the public key into an image file that is a resource in the project. Have a read of steganography techniques on the web.
A simple system where you take each byte of the image and code a single bit (of the public key) into it by making it odd(true) or even(false) works a treat, because you only have to change the value of the byte by a maximum of one, and this makes an invisible change to the image (to the human eye at least).
With this method, the image file has to have 8 times as many bytes as there are bytes in the public key.
Of course I just gave this all away on a public message board...so hopefully no one reading this will be trying to break the security 
There is no risk if the public key is read by anyone - that's the point of having a public key... the risk is if the public key can be changed by the hacker to use their own (to which they know the private key)
Cheers,
Simon.
|
|
|
|
|
Would it be possible or even simpler to upload a file to a server with the user's IP, then when the app boots compare current IP (should be the same) and compare it to the IP in the file we uploaded. if the two IPs don't match then disallow use of the software?
Does this make any sort of sense?
|
|
|
|
|
Also the user wouldn't have access to my server...unless of course when im uploading the file(which will require me to add my server info in code). But I could also use an ancryption algo. to help with that.
|
|
|
|
|
Yes but it still requires that the user have access to the internet, which defeats the purpose of the article.
|
|
|
|
|
|
Not many people have static IP addresses, so I wouldnt think it that practical. Also, when using a common internet connection, hundreds of users may share the same outbound ip address. Also, which ip do you use? Potentially dozens just from one machine.
|
|
|
|
|
This is a good point, so have you been able to come up with a REAL solution to avoi internet, keygens and anything else you can think of?
|
|
|
|
|
This solution is real enough for its stated purpose. I have had a few collegues attempt to break it without much success, although I strongly suggest against putting the real public key in a resource file, - too easy to see and change. Stick a fake one in the resource file though. You can also mess with the file headers to prevent it being decompiled by reflector. Download a program called Eve pilot (it is a bot for an MMO) to see an example of a C# program that cant be decompiled.
|
|
|
|
|
It is possible copy the public key in a comment and read the comment as a string in c#?
|
|
|
|
|
No, comments aren't included in the meta-data of the assembly.
I suppose you could add an [attribute] decorator to a method or property (one with a string parameter in the constructor, and a string property for the key), and load the public key into that. I think it would still be possible to change, but it would be harder.
|
|
|
|
|
Simon,
Do you have the unencoded test license file? I understand what methods I have to use, but I first want to author my own unencoded license file and keys to try and license my application. Could you help me with this.
Regards,
Luis
EDIT: I see that I can generate a key pair with sn.exe. Is that how you're getting your keys? I'm just missing the how to on the unencoded license format.
|
|
|
|
|
The license file is never encrypted. It is simply a binary serialization of an instance of the licence class. it is written to disk as a text file by expressing the binary data (byte array) as a base 64 string (using methods in the static Convert class)
|
|
|
|
|
To all,
I do mention in the article, that the way to defeat this system (as with any other system using public/private or secret keys) would be to replace the public key with one of your own making.
You do not need to keep posting this over and over again! 
The idea was to put forward a way to protect a small application, that is probably sold for under $30 a copy, without unduly harassing the user with licensing requirements.
If there are programmers out there that are prepared to spend the time and effort decompiling the code and altering the private key without breaking the other signatures,rather than spending a couple of dollars having legitimate software, then they are more than welcome to it. They wouldn't pay for software anyway, so you haven't lost a sale.
The best way to secure your software is to make it easier to buy than to pirate, and for anyone who is not an experienced developer, this is more than enough.
|
|
|
|
|
How about strip the public key, and resign it using your own key and sign the license using the same key. Sorry, but this article is too naive and doesn't contain anything for practical use.
|
|
|
|
|
Sure that's a recipe on a how to work your way around the protection scheme presented by Simon. But that doesn't mean you shouldn't use a protection scheme like Simon's for software priced reasonably low. And the basic idea of using PPK to protect your software is really a very good idea - it's just a matter of how much effort you put into it and how you implement it. Personally I would focus on how to keep people from generating fake licenses and forget about trying to safeguard 100% against decompiling, stripping, recompile etc. It's just not worth the effort.
Jacob / KodeLabs.com
|
|
|
|
|
Hi Priyank,
Maybe your should read the entire article before you condemn it as naive?
Note that I headed the article with the words: "reasonably quick and effective",
I also discussed this method of defeating the system exactly in the article, as the main weakness I also suggested methods to deal with it...
here, I will quote to save you the effort:
"The danger lies in pirates being able to replace or intercept the public key with one of their own making. This would require them to get into the .exe and alter the sequence of bytes that defines the public-key (whether it is a string-literal or a resource within the EXE).
This is beyond the scope I have given myself for this article, but just a quick mention:
signing the executable itself is one potential way of trying to stop this: modification of the executable will generate a different signature, and the application can be instructed not to open. (This is how the click-once manifests work, in fact, using click-once to deploy your application makes it (almost) impossible to modify that application without regenerating the click-once manifest file.)"
Just because you can't be bothered to read and understand something, doesn't mean it is wrong.
I am happy to accept constructive criticism, in fact I always hope when I see there are new messages, that there will be something that I can address and improve, but just making derogatory comments for the sake of it is petty and juvenile, especially when they are ill informed and not thought through.
|
|
|
|
|
I don't know you and I don't have time for "derogatory comments for the sake of it is petty and juvenile". I have written what I felt, as the article needs to be more matured in dealing with the issue. The 10 LOC concept is nothing new, more than a decade old. I too use it in my software for last 4 years. I don't want to go into details and unnecessary fight. If you want to take my comments in negative sense, feel free to do so.
AFAIK, there is no need to manually "get into the .exe and alter the sequence of bytes that defines the public-key". There are already tools which can remove public key in seconds and you can again sign it using another certificate in few more seconds. There is nothing wrong with the approach, just it needs to be more strengthened and safeguards against such extremely simple hacks.
The article is just a concept article and I felt it needed more detailed work. A better design would be to fetch the customer machine specific license from web using customer credentials or some key or machine ID. Now again writing the web part in ASP is a kids job and no marks for that. The web license generator should be written in PHP or Perl, Python, etc. using standard web languages (no offense against ASP programmers, but Linux servers are cheap and fast), that should be interoperable with the standard C# RSA encryption. Now the program needs to made tamper proof using some hashing and encrytions (details omitted purposely). The next thing is make program safe from reverse engineer, for which http://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering is a good reference point, that I used years ago.
|
|
|
|
|
Thank you for offering something constructive
However, I believe you have missed the point of the article a bit. You seem to think I haven't thought of any of this. I wasn't suggesting a perfect solution or even a particularly strong one.
The point was (and I thought I had got this across but maybe not) to offer a simple way to secure a low-value application, that would not unduly harass the user with annoying things like having to enter a 50 digit serial number, or having to ensure their computer is always online before being able to use the software. A once off selection of a license file is not very intrusive, and that was the reason to develop this system.
If you bought a $30 application, would you be happy with not being able to use it offline due to a license check? If you were selling a $30 app, would you really want to maintain the license server forever? what happens when the license server is down for maintenance? or you lose your domain name?
I did mention the method of using a web-service to authenticate users in the article, as this is the most secure method, and possibly the only method that cannot be defeated without actually removing the license check code from the software.
However, if you have an online license check, and lots of customers that aren't always online, they are going to jump at a hacked version that doesn't require an internet connection. Thus you improve the incentive for a pirate to patch and distribute your software (because they have a strange sense of justice in the hacker leagues, and overly securing a bit of software is like a red flag to a bull) -> the regular ethos of "harder to hack than buy" becomes mute as people see it as their 'duty' as hackers to patch it.
Also, and this is being made more and more abundantly clear as I have discussions about this topic, - we are never going to get past the fact that anyone with half a brain can use .NET reflector to debug your software and extract the key values or remove the license check code. Even obfuscated code still has to be semantically identical to the original code, (ie it still must work), and can be debugged. Encrypting/Signing the application is one way, - but it still must have the code and keys in it to access and run the main assembly.
I have been discussing some methods to create code that cannot be debugged - use of native frames in the call-stack etc. Bill had an interesting idea to store the application logic in an encrypted zip file, and use a custom boot-strapper to load the application domain from the zip instead of all the actual code in the exe (which presumably would look like the application code, but would not actually work)
Sorry if I have been a bit long winded...
modified on Thursday, June 9, 2011 11:52 PM
|
|
|
|
|
Simon Bridge wrote: A once off selection of a license file is not very intrusive, and that was the reason to develop this system.
Was always in favor of such system, the only concern I had was, the article approach is too simple to break in seconds.
Simon Bridge wrote: If you were selling a $30 app, would you really want to maintain the license server forever?
If you remember in my previous message, I talked about PHP as a backend, and not ASP. A domain + site can be hosted on LAMP for less than 30$/yr. The benefits are you have a product website, your own license server. Plus for my products, I have option to report crash report with stack trace, using my own server (not very hard to write your own). Also you just need to have internet once to do license verification, and the product allows 30 days trial without internet. So, I completely disagree with argument of not using web based verification. Android relies heavily on that only for even 50 cents apps.
Simon Bridge wrote: if you have an online license check, and lots of customers that aren't always online, they are going to jump at a hacked version that doesn't require an internet connection
I would say this is all theoretical and provides no guarantee that a non web based won't be pirated easily. I would say a non web based licensing would be pirated easily as their is no communication to your server, and also piracy would be much harder to detect. The only thing that stops users from pirated version is frequent feature updates and nothing more, no matter you get the best experts to write anti-piracy features.
Simon Bridge wrote: we are never going to get past the fact that anyone with half a brain can use .NET reflector to debug your software and extract the key values or remove the license check code
My original concern was that you don't need .NET reflector also to break this licensing scheme. Even on code project, I guess there are tools that can strip license and change another one.
Simon Bridge wrote: and use a custom boot-strapper to load the application domain from the zip instead of all the actual code in the exe
There are so many ways, but that's a new topic all together.
|
|
|
|
|
I think too you are missing the point of the article. The article is not about obfuscation and de-obfuscation. If you expect a full production ready licensing system, look elsewhere.
Wout
|
|
|
|
|
Priyank,
I love how you've quoted points from Simons response and then made non-sequitur comments.
Also, just a small tip, calling the content of an article naive is not a positive way to start a constructive discussion.
You truly don't understand the original article article at all, do you?
|
|
|
|
|
Your approach (and that of Rhino) only encrypts the license file. This might make it a little more daunting for a naive end user.
The challenge .NET presents is that it's really easy to decompile and so not at all daunting for a developer with any familiarity with .NET. If someone wants to skip your licensing it's just too easy to open it in Reflector, decompile it, find the code handling the licensing conditions, remove it (or equivalent) and recompile. By equivalent, I mean something like replacing your public key with their own and then provide a file encrypted with their own private key. I know, I've been creating more and more sophisticated protection methods for years but all are ultimately easily crackable because the code can be decompiled.
To me an approach like this could leave the author of an application with a false sense of security.
|
|
|
|
|
Fully agree with you. Many "license-protection" methods just give a false sense of protection while cracking the "protected" software remains easy. Modification of the IL is very easy, even when the code is obfuscated (not all "obfuscators" are the same and some provide code much stronger than others).
Chris
www.aulofee.com - Infrastructure and Security Supervision, Event Correlation
|
|
|
|
|
I tend to agree bill. A good protection scheme consists of several countermeasures but Simon's remarks about the pitfalls of his protection scheme does give the reader an indication of his protection scheme' shortcomings. The bottom line is that readers should not consider the protection scheme presented as being a turnkey solution. Instead use it as a source of inspiration 
Btw good work simon.
Jacob/KodeLabs.com
|
|
|
|
|
Have you never heard of obfuscation?
|
|
|
|
|
I hope you are not suggesting that an obfuscator is a reasonable way to protect your IP from prying eyes and people who want to undo any licensing restrictions implemented in code?
If you are, are you writing software you want to protect? Got anything you think is valuable?
|
|
|
|
|
Seriously, have you ever tried to reverse engineer obfuscated code? or even read it?
If you can do that, you are a super-human freak and you should immediately apply to Mensa for your million dollar genius grant.
I also have a heap of decompiled code that isn't even obfuscated, that I have an entire dev team trying to work through to solve a problem in an application we don't have the original source for, and the simple lack of proper variable names and comments has made the entire job very difficult. I will post you the 12 million lines of uncommented code and you can tell me what it does and how to fix it.
|
|
|
|
|
Hi,
Just as a less knee jerk reaction: Yes that is a good point, - how can you ever secure software if it can just be decompiled and changed?
Obfuscation does make it extremely hard to read and reverse-engineer, but of course you can't change the name of the DSACryptoServiceProvider class using obfuscation, so they would know you were using that. And also, obfuscated code still has to be semantically identical to the original code.
A serious approach to solving this I think is to use double blinds to hide the critical data. For example, placing several resources in the executable that contain a public key, but not using any of them. Using steganography to hide key data across several of the applications internal bitmap resources is another idea.. no one thinks to look in a bitmap, and even if they did, they would have to know how to extract the data from the noise.
Also, you write your code to be deliberately confusing: have a method to access an internal resource that you know will fail, and access the real data in a catch block that is attached to an un-handled thread-exception. C# has some great ways of attaching code in a less than obvious fashion.
I'm open to any other ideas or suggestions.
|
|
|
|
|
Yes, that's exactly the issue we face. Obfuscation is great if you want to make a bit more difficult to understand some key algorithms. But not so good for hiding the encryption functions. And once you have these, you can trace the code using VS and follow it until you see the encryption keys.
It's fairly common for the licensing information to be accessed early in a process so the chances are if you start debugging at a Main() method you will find the information you need pretty quickly. The .NET Framework is great but not so good if you want to hide code. And, anyway, de-compilers and de-obfuscators are pretty good these days.
We've even looked at tinkering with the PE header to 'hide' the real code but these tricks tend to set off the virus alarms.
|
|
|
|
|
There is another idea that I have been playing around with.
It can only work for small parts of an application (not the whole thing) and you are limited to .NET 2.0 compliant code (no LINQ, no abstract get/set properties etc)
Obviously it is (possibly) sensitive to debugging via reflector, but what isn't?
The idea is this: the System.CodeDom namespace is capable of generating and instancing a type at run-time, from source code in any .NET language. I initially discovered this when needing to implement ORM against a database system that I would not know the structure of at design time.
The CodeDomProvider class has a method GenerateAssemblyFromSource that will, if you set the correct options, generate an assembly entirely in memory.
The point being, you would write the code for the license handler, encrypt it, hide it, otherwise make it not seem like code, then, at the correct point in the application, decrypt the source-code directly into the parameter of the GenerateAssemblyFromSource method, use the Assembly.GetType method and Activator to instance the class, and use it to handle the license logic.
I've probably ruined the main point of this idea by posting it, (mainly I figured it would work because no one would consider it)
It has to be possible to write code that won't run in a debugger.... e.g. VS won't display a native frame at the top of the call-stack in the debugger, so making calls to certain windows native methods can add a lot of pain to the debugging process, - I have accidently made software impossible to debug in the past, there must be a way to do it deliberately.
|
|
|
|
|
There used to be a book you could get - I think by Jeffrey Richter - which was all about configuring the CLR. In 1.0 there was little you could do but to make it possible for, say, the SQL Server team embed .NET they needed better control over the initalization and teardown of the app domain and even the ability to replace (share in the case of SQL server) the garbage collector. These abilities were added in 1.1 and the book was about using these features.
One of the code examples in the book was loading assemblies from a zip file. In the article he showed a how you can encrypt the assemblies for an app domain, store them in a zip file and use it as the 'file system' for the assembly resolve method. That is, the CLR is initialized to look first at the zip file as the source of it's assemblies and only look to the GAC if the required assembly is not found.
Messing with the CLR like that can only be done in C++ but we've tried a similar technique but in C#. In the scenario we investigated the app was given a 'bootstrap' exe which intercepted the app domain's assembly resolve event. This method would unzip the file, access the correct assembly file, decrypt it to a byte array and load the assembly from the byte array using the Assembly.Load() method. It works fine but the bootstrap exe is the weak point. Even when implemented in C++ it took no one much time to figure out how to defeat the bootstrap.
|
|
|
|
|
That is really interesting approach, but that it didn't take too long to defeat, I think this brings us neatly back to:
Just make it harder to hack than buy.
Or even, just pick your customers;
I work with some very expensive EAM software (purchase price is in the millions, and that doesn't include the consultant(s)- @$180 per hour,in 8 hour blocks - you need to install it).
It does not implement any serious license protection. You can download the entire thing on the internet if you want, (and if you can figure out how to get it to work) the protection scheme is just being big and complex and expensive... there isn't any use for the software outside a very large organization that would never consider running anything illegal.
|
|
|
|
|
Simon you are absolutely spot on : "Just make it harder to hack than buy". I'm only just starting up my business but I have some friends who's been i the business for years selling their homebrew software. So what have they learned? Well first of all don't put to much effort into various protection mechanisms. Any good hacker will take just about one hour to hack everything you throw in their face.
Instead they've successfully done the following:
- Make it hard or impossible to generate fake licenses.
- Obfuscate
- Release updates very often. In each update move around the licensecheck/securitycheck code, rename it, spread it across different assemblies, makes copies throughtout your code and call it and even fill in dummy license check methods to make sure code get's re-arranged thoroughly when compiled thus making your assemblies larger/smaller etc.
- Sign your assemblies
- Don't require customers to be online to use your software.
- Send back license usage information to your backend server when possible (user occasionally being online). Use it for blacklisting licenses.
The above is not a bulletproof protection package but it does offer some protection to your IP and at a relatively low cost.
Btw i still believe the protection scheme presented in your article is a good starting point. It's really a quick'n'dirty solution for anyone looking to protect their IP.
|
|
|
|
|
Bill,
Do you know if anyone has broken the click-once manifest file security? As far as I can tell, it digitally signs the executable, and won't allow it to run if the signatures don't match.
I know Microsoft isn't famed for it's security, but they have a lot of resources and presumably put a lot of effort into making it secure.
|
|
|
|
|
ClickOnce employs Microsoft's DRM technology though so far as I can tell it only 'protects' the install package. The installed object code is not 'protected' so far as I can tell. We have a free add-in for Excel which is installed using ClickOnce. The installed files are not protected which make.
Under Microsoft's DRM scheme, which applies to a range of their technologies including Office, a file is encrypted using a certificate which is part of a chain. There's a whole Xml schema dedicated to describing and containing signatures so an application can authenticate a certificate back to it's root (in this case Microsoft).
Active Directory Right Management System (ADRMS) uses the same idea. If you have ADRMS installed on a domain you can encrypt Office documents without the need for a password and even assign specific access rights to users. One might have read-only access, one is unable to print or use the copy-to-clipboard feature. Office 2007 and later files are really zip files. However when you encrypt them the OLEStorage file format is used to hold both an encrypted copy of the file, the certificate used for signing and an Xml file describing the certificate chain. There is also some other stuff which is there so the file conforms to the DRM spec and is required so 'decrypting' applications are able to learn which hash and symmetric encryption algorithms were used to encrypt the file.
This DRM stuff which applies to ADRS, ClickOnce, Media Player, Office, etc. is tough to break but it's all controlled through a single dll so if you had a mind...
|
|
|
|
|
Have you seen Rhino Licensing[^]? It's also based on asymmetric encryption and license files.
|
|
|
|
|
I had not seen it... it is almost the same system! Could have saved myself a few hours hard work... but then I wouldn't have learned anything.
I do think that placing all that detail (including the type of hash algorithm and the un-encrypted message-digest) as plain text in the license file is a bit short sighted.. the Rhino xml license file contains almost the information you need, in plain sight to regenerate your own signature.
="1.0" ="utf-8"
<license id="ae4c05b5-c188-47f8-852f-b4e5375621f7"
expiration="2011-01-01T00:00:00.0000000" type="Standard">
<name>Bilbo</name>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>sKDT7gzgedzmh1AMxxLbfcF1Hsw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
SfkvCGv1+EdLTvaROv27ymDumS0y02fPANTVhr0Yxd/
AxxVH0q0BQ6w8Ou5L7gyLYLvnSckgjhrGnGpiifdvbg==
</SignatureValue>
</Signature>
</license>
modified on Wednesday, June 8, 2011 11:46 PM
|
|
|
|
|
If you include your public key in the executable file then validation of the license file should fail unless you change the public key as well.
|
|
|
|
|
Very nice. I am working on something similar right now, and this just saved me typing out a justification for a license file to my boss :-p
|
|
|
|
|
Thanks for sharing. How far is it to be a commercilized level product?
usability & truth
|
|
|
|
|
Southmountain wrote: Thanks for sharing. How far is it to be a commercilized level product?
You wouldn't want to inflict this version of the code on the general public (there is no proper handling of an invalid license file, you would probably want some sort of demo period handling (i.e. dynamic end date based on first use of the software) and there isn't much in the way of proper error handling & reporting.
However, I am planning to use pretty much this system (with a couple of extra gotchas that i'd rather not publish) to secure a little $5 application I am working on.
|
|
|
|
|
|
|
 General  News  Suggestion  Question  Bug  Answer  Joke  Rant  Admin
|
Implementing License Protection using RSA
| Type | Article |
| Licence | CPOL |
| First Posted | 30 May 2011 |
| Views | 30,166 |
| Downloads | 4,390 |
| Bookmarked | 130 times |
|
|
Submit an article or tip
Post your Blog
