1

I'm making a Flash program to be downloadable and unlockable on one computer on receipt of payment. To do this, I was looking to create a UUID for a computer which could be checked to make sure that the program has not been moved to another computer but I don't know of any way to access enough information about the computer to make it uniquely identifiable (or even close).

I have also considered having a separate program written in a different language which would have access to this information but I don't know if I can even run it from Flash.

Any ideas or alternative solutions to the original problem would be greatly appreciated.

mmdeas
  • 183
  • 3
  • 10
  • Is AIR an option or does it have to be pure Flash? – RIAstar Aug 05 '11 at 12:04
  • I've already written most of it with Flex which I notice has an AIR compiler. Any idea how much of that would need to change to use AIR instead? – mmdeas Aug 05 '11 at 14:21
  • 1
    Hardly anything. Probably just a few lines in your main Application. And then the part about identifying the PC which I need to give some thought. Through AIR you can access native applications, so there could be a solution down that road, but perhaps there's an easier solution just using AIR. – RIAstar Aug 05 '11 at 14:49
  • I've tried it out and I can't see it being a problem to use AIR. I'll have to check with others to make sure that's ok for the end users but for now I'm going to assume that's the way forward. – mmdeas Aug 05 '11 at 15:55
  • Posted a solution for you. Let me know if you have any questions. –  Aug 05 '11 at 18:46

1 Answers1

4

You can make a small external EXE (In AIR) that will run a native command and retrieve specific info about the persons computer. See my answer here for source code:

How can i on button press execute a command in the command prompt and get back the output in ActionScript?

So for example, on windows you can write an exe in C++ (use eclipse and mingw not microsoft C++ unless you wanna have to redistribute .net with your exe). Just use the System command:

#include <iostream>
#include <stdio.h>
#include <stdlib.h>

using namespace std;

int main() {
    std::cout << system("wmic csproduct") << std::endl;
    return 0;
}

That outputs this:

Caption                  Description              IdentifyingNumber  Name  SKUNumber  UUID                                  Vendor  Version  

Computer System Product  Computer System Product  OEM                OEM              00000000-0000-0000-0807-XXXXXXXXXX(Hidden cause it's mine :D)  OEM     OEM                   0

According to microsoft this command returns a S/N unique to the local machine. If that's not satisfactory, you can always get one of the computers partition serial number, you'll just have to google around for that.

Anyway regardless of what you use, just make it so that when the user first registers it takes this info, processes it into a digest using a the AS3CoreLib crypto package (maybe use the SHA256 class to convert to hash) and then send that data to the server along with their registration info. Whenever they launch the app just get the app to connect to the server and re-run this command, comparing the new hash (at launch) against the saved one on the server and if they don't match you know they've moved it onto another computer or given it away to be pirated.

Sources:

http://support.microsoft.com/kb/558124

http://www.cplusplus.com/reference/clibrary/cstdlib/system/

https://github.com/mikechambers/as3corelib/tree/master/src/com/adobe/crypto

Community
  • 1
  • 1
  • Good idea but this solution might have some privacy issues – The_asMan Aug 05 '11 at 21:56
  • Possibly, good point. I'm thinking that since you're ONLY saving the digest of their personal serial number etc it might not be a problem but it's kind of a grey area. You'll just have to have an end users license agreement and state that some hardware specific information is saved for verification and just issue a privacy policy with it. In your privacy policy just write that all information collected is never shared with any third party and strictly used for license verification. Doesn't have to be fancy writing. Good point tho asMan. –  Aug 05 '11 at 22:02
  • Thanks for all the information. If I were to use SHA with a salt so that it couldn't be easily be created by anyone else, would there be any problem with storing it locally and checking it from there once the server has checked the registration code the first time or are there advantages to checking against the server each time? – mmdeas Aug 06 '11 at 12:19
  • 1
    You would have store the data server side, anything the data could be lost and license invalid. And then you would have no way to verify the computer. – The_asMan Aug 08 '11 at 15:53