ŁukaszDe

License key system

Hi,

 

What do you use to protect the application?
I mainly mean licensing system and time limiting applications.
Will you recommend something?


https://avlock.av-soft.com/products.php

 

I used the older version in a project, where I could control the license by my own PHP server.

Not checked the newer versions, and also not checked the safety level.

But for my old app that was working well and good enough to protect against too-easy stealing of the software.

 

If you need a very highly trusted licensing system, I'm not sure there is any; you should always be aware that things can be hacked.

Edited by Rollo62


I trust my customers...and it only works with a piece of hardware (not a dongle, a signal processor). 😉

4 minutes ago, Sherlock said:

I trust my customers...and it only works with a piece of hardware (not a dongle, a signal processor). 😉

I doubt even that, see CadSoft trying to protect their Eagle CAD layout software in the early days.

They had a dongle, but were hacked all the time.

But you're right, if the dongle does some necessary calculation, which is absolutely needed in the app,

then this might work.

Edited by Rollo62


It does, I connect to medical devices, whose output the users want to see on my client software. They may install as many copies as they like, but have to pay for each signal processor :classic_biggrin:. Which is why I actually make money with a Python project...not with Delphi :classic_ninja:

  • Like 1

Just now, Sherlock said:

It does, I connect to medical devices, whose output the users want to see on my client software. They may install as many copies as they like, but have to pay for each signal processor :classic_biggrin:. Which is why I actually make money with a Python project...not with Delphi :classic_ninja:

Interesting,

and how do you use this hardware?

Is it a kind of data encryption, which is absolutely needed to decode the data from the machine?

 

In the example of CadSoft, they finally put some hidden watermarks in the created files when they detected that they had been hacked.

This is a very effective and nasty solution, as it appears to be functional, but your created files will uncover that you did it illegally.

From that time I liked such idea very much.


It is hard, almost impossible, to protect your desktop software against cracking/using without licence etc..

 

That said I recommend to build your own licencing system for 2$/month ( only paying hosting for backend )

2 hours ago, ŁukaszDe said:

I mainly mean licensing system and time limiting applications.

This can be done over your backend rest api and it is not really hard to do if you have little knowledge with php,nodejs,databases or similar...

 

You could easily have 300+ users at the same time performing DB requests on the cheapest Digital Ocean droplet for 5$ a month .. Also you could have a lot more users if you do a websocket/redis validation instead of performing a DB query every X seconds ( I will not recommend this second method since it is not commonly used and it is harder ) .. There are also cheaper solutions ( cheaper droplets ) .. So if you have 3-4 days you can build your own backend licencing system fast, cheap and easy

 

I will be making my licencing system for my desktop app in around 20 days, I will host it on the same Digital Ocean droplet that I already own, saving money ..

 

If you need some help with designing such a system just ask, I will try to answer as best I can..

 

 

Quote

Is it a kind of data encryption, which is absolutely needed to decode the data from the machine ?

He could just send the device name with motherboard id + processor id + gpu id + hdd id and compare that value with the value that was stored when the user installed the app or something like that

Edited by Tntman


@Tntman How does this perform in high security client networks, that usually block the internet?

37 minutes ago, Tntman said:

That said I recommend to build your own licencing system for 2$/month ( only paying hosting for backend )

This can be done over your backend rest api and it is not really hard to do if you have little knowledge with php,nodejs,databases or similar...

Yes, I did that, and the link above was quite a good solution, helping to set up my own licensing server quickly and cost-effectively.

 

But since EU GDPR I switched off that licensing server, and decided to open up free registration via other ways.
I didn't want to step into that legal trap, but of course enhancing the PHP system regarding the GDPR is feasible,
but will take a lot more effort around the pure PHP coding.

 

I think this should also be considered when moving to a licensing system: whether they support such legal aspects too.

 

Edited by Rollo62

1 hour ago, Sherlock said:

@Tntman How does this perform in high security client networks, that usually block the internet?

I actually don't know.. Let's use a "Bank" example.. Let's say that computers in a bank do not have access to the internet ( world wide web ) but they will need to have some sort of inside network with their own servers ( to exchange data etc ) that are accessible only from inside the bank and their computers

 

So probably that server inside a "bank" will have similar software to monitor other computers, data exchange, collecting logs etc.. Some sort of client-server app I guess ..

1 hour ago, Rollo62 said:

EU GDPR

I'm actually a hobbyist and I actually never thought about this stuff, I will have to google it, I never heard about it .. I got an awesome idea for an app that I wanted to sell ( rent over licence keys - paying monthly ), I think I will have to research more about legal aspects ..

 

1 hour ago, Rollo62 said:

but will take a lot more effort around the pure PHP coding.

Don't need to do it with PURE - raw php.. You could do that with raw php if you already have existing projects and some template that you can work on and just modify/upgrade it .. But you could always use prebuilt stuff like active record, jwt, even a whole framework ( it's slow but fast development - Laravel, or for just an API use Lumen ) .. Even though those frameworks are slow they can handle a lot of users on 5$ without problem

Edited by Tntman


As network traffic is really easy to be misdirected, I am strongly against network-based authentication. As @Sherlock pointed out, they will simply fail to launch (or fall back to demo mode) in most of the real-world customer scenarios, where networks are controlled as they should be.

Local license authentication is the way to go in my opinion, but there is no fool-proof way. Everything can be (and if it's worth it, will be) hacked no matter what. You can only make the job of the pirate harder with obfuscation, fake no-op assembly blocks, custom multi-level encryption, on-the-fly method assignments and so on. One thing for sure, delay checking the license and NEVER use something like If Not TMyLicense.IsValid Then Halt, as on assembly level that's a modification of one JMP to bypass everything.

 

I started to learn the proper use of pointers and if my license is not valid, I'm simply corrupting memory on purpose. It might (that's the beauty in it, it's not guaranteed) start to crash or malform data at the most random places / times. If you hide it well enough, even the hacker might think that it's a piece of junk and is not worth the effort...
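Added example, not part of any post in this thread: a signed, time-limited license bound to a hardware fingerprint, which the application verifies locally with an embedded public key, so it also works on networks without internet access. It is written in Node.js with Ed25519; the function names, payload fields and hardware IDs are constructed for illustration. The signature blocks crafted license keys; it does not stop the check itself from being patched out of the binary, as discussed above.

```javascript
const crypto = require('node:crypto');

// Vendor side, done once: the private key stays with the vendor and only the
// public key is embedded in the shipped application.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Hypothetical machine fingerprint built from hardware IDs (constructed values).
function fingerprint(ids) {
  return crypto.createHash('sha256').update(ids.join('|')).digest('hex');
}

// Vendor side: license = base64url(JSON payload) + '.' + base64url(signature).
function issueLicense(privKey, customer, machine, expires) {
  const payload = Buffer.from(JSON.stringify({ customer, machine, expires }));
  const sig = crypto.sign(null, payload, privKey); // null digest: Ed25519 hashes internally
  return payload.toString('base64url') + '.' + sig.toString('base64url');
}

// Client side: verify the signature before trusting any field, then check
// the machine binding and the expiry date. No network access is needed.
function checkLicense(pubKey, license, machine, now) {
  const parts = String(license).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let valid = false;
  try { valid = crypto.verify(null, payload, pubKey, sig); } catch { valid = false; }
  if (!valid) return { ok: false, reason: 'bad-signature' };
  let data;
  try { data = JSON.parse(payload.toString('utf8')); } catch { return { ok: false, reason: 'malformed' }; }
  if (data.machine !== machine) return { ok: false, reason: 'wrong-machine' };
  // Fail closed: a missing or unparsable date counts as expired.
  if (!(Date.parse(data.expires) > now.getTime())) return { ok: false, reason: 'expired' };
  return { ok: true, customer: data.customer, expires: data.expires };
}

// Constructed sample run.
const machine = fingerprint(['MB-0001', 'CPU-0002', 'HDD-0003']);
const license = issueLicense(privateKey, 'Example Clinic', machine, '2030-01-01T00:00:00Z');
console.log(checkLicense(publicKey, license, machine, new Date('2025-06-01T00:00:00Z')));
```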
1 hour ago, aehimself said:

I started to learn the proper use of pointers and if my license is not valid, I'm simply corrupting memory on purpose

If you were in my employ I'd fire you for doing something like that.

What happens when a bug in your code causes your license check to fail and you execute corrupted code that wipes the customer's disk?

  • Like 5
  • Thanks 1

15 minutes ago, Anders Melander said:

If you were in my employ I'd fire you for doing something like that.

Seconded. 

17 hours ago, aehimself said:

I started to learn the proper use of pointers and if my license is not valid, I'm simply corrupting memory on purpose. It might (that's the beauty in it, it's not guaranteed) start to crash or malform data at the most random places / times. If you hide it well enough, even the hacker might think that it's a piece of junk and is not worth the effort...

This is interesting... If my software doesn't find correct license info (for whatever reason), I just revert to limited (evaluation) mode. Did you try something like that and realize it is not good enough? I'm just trying to figure out if my solution is actually not good enough and I just don't know it...

16 hours ago, Anders Melander said:

What happens when a bug in your code causes your license check to fail and you execute corrupted code that wipes the customer's disk?

Well, it's a bit overdramatized, this would also mean that any bug could wipe a disk, or eject the DVD with a speed which cuts off the customer's head.

Doesn't matter if on purpose or not.

But you are right, it's a very bad solution.

I would rather be afraid that if any result caused by a bug on purpose results in any health/material/monetary loss, one could be held accountable for the damages.

Irrespective of the fact if a software was licensed or not.

 

Edited by Attila Kovacs

22 minutes ago, Attila Kovacs said:

Doesn't matter if on purpose or not.

Tell that to the lawyers. Of course it matters. 

19 hours ago, aehimself said:

I started to learn the proper use of pointers and if my license is not valid, I'm simply corrupting memory on purpose. It might (that's the beauty in it, it's not guaranteed) start to crash or malform data at the most random places / times. If you hide it well enough, even the hacker might think that it's a piece of junk and is not worth the effort...

Interesting idea but too harsh a solution IMHO. I'd rather consider spoiling some app output if it's the main app's goal.

Or the behavior of xplorer2 could be examined. It's not only the app with the strongest protection I've ever seen (made by a single author, uses an offline license key and still couldn't be cracked reliably!), it fails on an invalid key harmlessly and randomly. At some random moment it just closes and removes all its settings from the registry. For file explorer software it really hurts.


I am strictly talking about security. By not a valid license I don't mean an expired; a crafted one which is known to be not from the author.

As for code execution, it's not that easy. Of course if you are corrupting with (or you did not initialize your buffer, and it contains) the exact binary representation of a call to DeleteFile - it will work.

 

procedure TForm1.Button1Click(Sender: TObject);
Type
 TProcedure = Procedure;
 PProcedure = ^TProcedure;
Var
 p: PProcedure;
 buf: Pointer;
begin
 GetMem(buf, 1024);
 Try
  p := buf;
  p^;
 Finally
  FreeMem(buf);
 End;
end;

Project Project1.exe raised exception class $C0000005 with message 'access violation at 0x00000000: read of address 0x00000000'. Execution denied.

 

Same, if you try to execute a differently allocated memory area:

procedure TForm1.Button2Click(Sender: TObject);
Type
 TProcedure = Procedure;
 PProcedure = ^TProcedure;
Var
 p: PProcedure;
 x: TObject;
begin
 p := Addr(x);
 p^;
end;

Project Project1.exe raised exception class $C0000005 with message 'access violation at 0x02f788b0: write of address 0x060904ec'. No luck.

 

Out-of-bounds?

procedure TForm1.Button3Click(Sender: TObject);
Type
 TProcedure = Procedure;
 PProcedure = ^TProcedure;
Var
 p: PProcedure;
begin
 p := Pointer($ABABABAB);
 p^;
end;

Project Project1.exe raised exception class $C0000005 with message 'access violation at 0x005fd31b: read of address 0xabababab'.

 

The OS is attempting to take measures against this, and if it's possible (somewhat how iPhone / PS4 jailbreaks used to work until they patched their browsers) - you found an exploit.

 

With non-invasive memory corruption you'll turn some output Chinese, or crash the application at some point. Do it carelessly, and you can face charges.

  • Like 1

28 minutes ago, Attila Kovacs said:

@David Heffernan I'm telling the same. The phrase you quoted was referring to the action "wiping a disk", if a "bug" could cause that, that bug doesn't have to be on purpose.

There's a huge difference between making an unintended mistake after having done your best not to, and intentionally harming. It's surely not difficult to see. 


@David Heffernan 

Actually I do. Actually I was the first who did. No clue why you are chanting the same.

2 hours ago, Attila Kovacs said:

I would rather be afraid that if any result caused by a bug on purpose results in any health/material/monetary loss, one could be held accountable for the damages.

Irrespective of the fact if a software was licensed or not.

 

1 hour ago, aehimself said:

'access violation at 0x02f788b0: write of address 0x060904ec'.

I believe that my first projects accounted for 10% of world-wide AVs 🙂 Though, none of them corrupted any systems, disks, crashes... and no lawyers involved. I would not choose your security measures, but it is an interesting approach.

10 minutes ago, Mike Torrettinni said:

I believe that my first projects accounted for 10% of world-wide AVs 🙂 Though, none of them corrupted any systems, disks, crashes... and no lawyers involved. I would not choose your security measures, but it is an interesting approach.

It is not interesting. 

 

Also, no guarantee that an invalid pointer leads to an access violation. Corrupted data is perfectly possible.
