0

I want to license my product. The question is about validation and making sure that the public key is not changed, and neither is the certificate (man-in-the-middle attack).

What I have planned so far is:

  1. I give my EXE with a license key and a signed certificate (signed with my private key) to the customer.
  2. When the customer enters the license key, my EXE will validate it using the public key (generating a hash code, then decrypting the certificate to get the other hash code, and comparing the two).

Now the problem is: if someone reverse engineers the EXE, replaces the public key with his own public key and gets a new certificate generated with his own private key, then the EXE will always validate the certificate and my EXE is hacked.

Is this possible? If yes, what could be the solution to be sure my public key is not changed?

NOTE: There is no internet connection involved.

nommyravian
  • Well, they could just edit the EXE and make it skip the bit where it does the validation (pretend it always returns success). – M.M Oct 09 '14 at 02:58

1 Answer

1

To ensure the integrity of something (an executable, for example), sign it (or critical parts of it) with the private key and check that the signature is valid every time you start the application.

Someone with enough time could of course figure out how the signature is done and replace that as well. They could bypass the check altogether. The only cure for that is encryption. But someone with enough time could work out the decryption algorithm...

The common way to protect your license is to bind the software to some hardware, such as a USB dongle, TPM or HDD serial number. This still does not guarantee that a determined hacker will not bypass your licensing.

There is no 100% protection against hackers. All you have to do is make it uneconomical for your users to hack it. Make the effort to hack a good deal more expensive than you are charging for the product. Make licensing terms very explicit and warn about the risk of prosecution in case of breach. Build in a reporting mechanism for suspected breaches so you can go after them.

ArunasR
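As an added example (not code from the question or the answer), the scheme from the question's steps 1 and 2 and the start-up integrity check from the answer, modelled in Go with the standard library's crypto/ed25519 instead of the RSA-style "decrypt the certificate and compare hashes" the question describes. The executable is stood in for by a byte slice with a marker in front of the embedded public key; the marker, the license key, the code bytes and all function names are my own constructions. It shows that the attack the question asks about is possible, and why the answer's self-signature does not stop it: once the embedded key is swapped, a license signed by the attacker validates, and a signature over the whole image passes too after the attacker re-signs it, because the check fetches its root of trust from the very image it is checking.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyMarker precedes the embedded public key in the simulated EXE image
// (constructed layout; in a real binary the key sits in a data section that a
// reverse engineer locates with a disassembler instead).
const keyMarker = "VENDORPUBKEY"

// buildImage assembles the stand-in executable: marker, 32-byte Ed25519 public key, code.
func buildImage(pub ed25519.PublicKey, code []byte) []byte {
	img := []byte(keyMarker)
	img = append(img, pub...)
	return append(img, code...)
}

// embeddedKey returns the public key the image trusts, or nil if the marker is missing.
func embeddedKey(img []byte) ed25519.PublicKey {
	i := bytes.Index(img, []byte(keyMarker))
	if i < 0 || len(img) < i+len(keyMarker)+ed25519.PublicKeySize {
		return nil
	}
	start := i + len(keyMarker)
	return ed25519.PublicKey(img[start : start+ed25519.PublicKeySize])
}

// hashOf is the "hash code" of the question: SHA-256 over the data being signed.
func hashOf(data []byte) []byte {
	h := sha256.Sum256(data)
	return h[:]
}

// issueLicense is the vendor side of step 1: sign the hash of the license key.
func issueLicense(priv ed25519.PrivateKey, licenseKey string) []byte {
	return ed25519.Sign(priv, hashOf([]byte(licenseKey)))
}

// validateLicense is step 2 inside the EXE: verify with the key found in its own image.
func validateLicense(img []byte, licenseKey string, sig []byte) bool {
	pub := embeddedKey(img)
	if pub == nil {
		return false
	}
	return ed25519.Verify(pub, hashOf([]byte(licenseKey)), sig)
}

// selfCheck is the answer's start-up integrity check: a detached signature over
// the whole image, verified with the key embedded in that same image.
func selfCheck(img, imgSig []byte) bool {
	pub := embeddedKey(img)
	if pub == nil {
		return false
	}
	return ed25519.Verify(pub, hashOf(img), imgSig)
}

// patchKey is the reverse engineer's edit: overwrite the embedded key in a copy of the image.
func patchKey(img []byte, newPub ed25519.PublicKey) []byte {
	out := append([]byte(nil), img...)
	i := bytes.Index(out, []byte(keyMarker))
	copy(out[i+len(keyMarker):], newPub)
	return out
}

// Outcome records what each check returns in each situation.
type Outcome struct {
	GenuineLicense     bool // vendor EXE + vendor license
	GenuineSelfCheck   bool // vendor EXE + vendor's image signature
	PatchedVendorLic   bool // patched EXE + vendor license (the real license no longer validates)
	PatchedAttackerLic bool // patched EXE + license signed by the attacker
	PatchedOldImageSig bool // patched EXE + vendor's image signature
	PatchedNewImageSig bool // patched EXE + image re-signed by the attacker
}

// Demo runs the scenario end to end with freshly generated vendor and attacker keys.
func Demo() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const licenseKey = "ABCD-1234-EFGH-5678"                // constructed sample key
	code := []byte("stand-in for the program's code bytes") // constructed
	img := buildImage(vendorPub, code)
	imgSig := ed25519.Sign(vendorPriv, hashOf(img))
	lic := issueLicense(vendorPriv, licenseKey)

	patched := patchKey(img, attackerPub)
	return Outcome{
		GenuineLicense:     validateLicense(img, licenseKey, lic),
		GenuineSelfCheck:   selfCheck(img, imgSig),
		PatchedVendorLic:   validateLicense(patched, licenseKey, lic),
		PatchedAttackerLic: validateLicense(patched, licenseKey, issueLicense(attackerPriv, licenseKey)),
		PatchedOldImageSig: selfCheck(patched, imgSig),
		PatchedNewImageSig: selfCheck(patched, ed25519.Sign(attackerPriv, hashOf(patched))),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints true for the two genuine checks and for both attacker-signed cases, and false only when the patched image is paired with the vendor's old signatures. That is the whole point: a verifier whose trusted key lives inside the artifact it verifies has no anchor, which is why the answer falls back to a root of trust the customer cannot edit (dongle, TPM), and even then the comparison itself can be patched to return success, as M.M's comment notes.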