-2

I would like to start selling some software I have developed in C++. The first line of protection will be the fact that C++ produces an executable. Within that, I will also apply algorithmic and manual obfuscation techniques to make it very hard to understand even once cracked.

With regards to licensing, my plan is to create an API you can send a request to. The data will include your license key and your device fingerprint. Upon receiving this data, the API will check for the license key in the database, and ensure the device fingerprint matches the fingerprint stored. If it does, it will reply with some sort of cryptographic response that must match a certain pattern. The client will then check if that response matches the pre-determined pattern, and if it does the software will be allowed to be used. If it does not, the user will be locked out. And this response will be empty if the API check failed, so that will also cause the user to be locked out.

I am aware that this is not unbreakable, but I would like to make it as difficult to break as possible without investing a ridiculous amount of time. The reason I wanted to add some cryptographic response is so the user can't just spoof the response from my server. Although I will also be using HTTPS on top of that. If this is a good idea, what sort of cryptographic check would you recommend?

The idea of the fingerprint is to prevent users from using the software on multiple computers at a time. I'm not quite sure what to use for this, but I was thinking of hashing a combination of the MAC address, computer name and something else. Any suggestions?

Is there anything else I should be doing to protect my software?

Thanks.

F J
  • @drescherjm Thanks but I'd like to develop it myself. Any suggestions with regards to my questions? – F J Jan 05 '20 at 23:12
  • Your ideas sound reasonable for software protection. – drescherjm Jan 05 '20 at 23:14
  • @drescherjm Thanks but I'd really appreciate some help with the specifics I've mentioned. – F J Jan 05 '20 at 23:15
  • I think what you've outlined is a very good start, and a considerable amount of work. Once that is implemented, along the way you'll probably have more ideas. Keep track of those ideas but don't let them derail the 1.0 protection, or you'll never ship product. – Eljay Jan 06 '20 at 00:04
  • @Eljay The main problem I'm having at the moment is the cryptographic check I mentioned. I'm not sure how to implement it. I thought of using public/private keys but then would I just always send the message and check if the private key decrypted the public key encrypted message to result in that message? Doesn't seem like such a good idea. – F J Jan 06 '20 at 00:10
  • "_The client will then check if that response matches the pre-determined pattern_" 1) What if a cracked version of the executable just bypassed (jumped over) said (function call that performed the) check, and just made such a function return `true` (for example)? 2) If the check hard-fails the launch of the application, the workflow loop of: attempt-to-crack; check-if-it-launches; attempt-to-crack-if-launch-failed - becomes pretty fast. For example: if it launches correctly, but makes subtle errors in calculations, in multiple places - it becomes much harder to weed everything out. – Algirdas Preidžius Jan 06 '20 at 02:28
  • Footnote on (1) of my previous comment, to make it easier to visualize: Let's say you have this in your piece of code: `bool isLicenseValid (/* ... */) { /* Do some checks, to make sure client has the license, and return true, if it does. */ }`, then the patched version could contain a variant of `bool isLicenseValid (/* ... */) { goto end; /* Do some checks, to make sure client has the license, and return true, if it does. */ end: return true; }`. To crack a program, you don't need to crack every bit of it - only the weakest point. – Algirdas Preidžius Jan 06 '20 at 02:39
  • @AlgirdasPreidžius a program that gave subtly incorrect results if it weren't licensed properly would scare away all of the legitimate customers. – Joseph Sible-Reinstate Monica Jan 06 '20 at 17:42
  • @JosephSible-ReinstateMonica That is true. I was just merely giving an example of the cases where it's easy to detect if a cracking attempt was successful, and where it's hard(er). Note: The majority of my (theoretical) knowledge regarding this topic comes from hearing how license checks in some of the video games (which can be thought of as a subset of "software") were performed, and cracked, back in the day. So, the stakes of producing a subtly wrong outcome in case of a failed check, there, weren't that high. – Algirdas Preidžius Jan 06 '20 at 18:19

2 Answers

3

I'm working professionally on creating a software licensing system. I can tell you, it's not easy to make a software protection system that will be safe enough to discourage people before they break it.

Yes, all systems are crackable. It's only a matter of time before someone finds a way to bypass security. Our job is to make it as hard as possible, giving them as few clues as possible.

> I will also apply algorithmic and manual obfuscation techniques to make it very hard to understand even once cracked.

The goal is not to understand the application, but to run it without a valid license.

> With regards to licensing, my plan is to create an API you can send a request to. The data will include your license key and your device fingerprint. Upon receiving this data, the API will check for the license key in the database, and ensure the device fingerprint matches the fingerprint stored.

What you're describing is called a License Server. It holds licenses and makes sure that the system users do not exceed their number.

> and ensure the device fingerprint matches the fingerprint stored

Those fingerprints are called hostids and there are many types of them: BIOS ID, hard drive serial number, MAC address, dongle (USB stick with license on it), username running the application, etc. Most of them are pretty easy to forge. But as I said, the goal is to slow them down as much as possible.

> I am aware that this is not unbreakable.

That's very wise of you.

> but I would like to make it as difficult to break as possible without investing a ridiculous amount of time

You've cat to be kitten me.

Unless the license server is in the same network as your software, it won't be able to run without an internet connection. It might not be an issue for you, but it is for many companies.

I'm not saying it's a bad idea. Writing such a system is a great exercise and I highly recommend it to every programmer, but that's not an easy piece of bread.

chwala
  • Thanks for your reply. It's not an issue that it requires a connection because the software needs that anyway. – F J Jan 06 '20 at 00:24
  • My main problem is the cryptographic response from the server. Do you know how I could achieve that? I was thinking of generating a public/private key pair for each user. The user stores the private key on their machine and the public key is in my database. With the response I send a message encrypted with the public key e.g. "hello", then the client decrypts it with their private key and it is accepted if it equals "hello". – F J Jan 06 '20 at 00:25
  • I'm not sure about this approach for two reasons. Firstly what if the user loses their private key? Secondly, I would have to hardcode the message and thus send it every time, which doesn't seem secure. Any suggestions? – F J Jan 06 '20 at 00:25
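
Added example, not written by any poster on this page: one way to build the "cryptographic response" asked about in the question and in the comments above, sketched in Go so that both sides run with the standard library alone. The server signs the license key, fingerprint and a per-request nonce with one Ed25519 private key, and the client verifies with the public key embedded in the program, so there is no per-user private key to lose and no fixed message to replay. The names `Request`, `Response`, `Issue` and `Verify`, the 5-minute validity window and the sample key and fingerprint are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Request is what the client sends; Nonce is fresh random bytes for every check.
type Request struct {
	Key, Fingerprint string
	Nonce            []byte
}

// Response carries a nil Sig when the server refuses (the "empty response").
type Response struct {
	Expires int64
	Sig     []byte
}

// message is the exact byte string that gets signed; length prefixes keep fields apart.
func message(r Request, expires int64) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%x|%d",
		len(r.Key), r.Key, len(r.Fingerprint), r.Fingerprint, r.Nonce, expires))
}

// Issue is the server side: sign only when the key is bound to this fingerprint.
func Issue(priv ed25519.PrivateKey, db map[string]string, r Request, now time.Time) Response {
	if fp, ok := db[r.Key]; !ok || fp != r.Fingerprint {
		return Response{}
	}
	exp := now.Add(5 * time.Minute).Unix() // assumed validity window
	return Response{Expires: exp, Sig: ed25519.Sign(priv, message(r, exp))}
}

// Verify is the client side; it needs only the public key shipped in the binary.
func Verify(pub ed25519.PublicKey, r Request, resp Response, now time.Time) bool {
	return now.Unix() < resp.Expires && ed25519.Verify(pub, message(r, resp.Expires), resp.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	db := map[string]string{"KEY-1234": "fp-aaaa"} // constructed sample license row
	req := Request{Key: "KEY-1234", Fingerprint: "fp-aaaa", Nonce: make([]byte, 16)}
	rand.Read(req.Nonce)
	resp := Issue(priv, db, req, time.Now())
	fmt.Println("fresh response accepted:", Verify(pub, req, resp, time.Now()))
}
```

This only authenticates the server's answer: a recorded response fails the next check because the nonce differs, and a spoofed server cannot sign. It does nothing against a patched client that skips the check itself, which is the weakness raised in the comments on the question.
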
2

Don't waste your time. It's impossible to stop everyone, and even if you stop 99.999% of the people from cracking it, it only takes a single person to crack it and upload it to all the pirate sites. And the harder you make it, the more it will annoy legitimate users.