pr2501
asked on
Testing how to make licence for app.
https://www.experts-exchange.com/questions/26513510/How-to-make-license-for-app.html
This post is a continuation of the post above. The attached picture shows the output of the code from the resolution answer.
So from what I have learnt from your posts (or from what I have decided to do from your posts), I'm planning to protect my code in the following way. As you may see in the attached picture, I have dates from my PC. So I will use a special app to retrieve this data. And then I will type it into my app as a string variable, and then my "working" app will itch on form create event check if the data is equal by simple comparing of characters. What do you think? Should I practice it?
There is another thing that I have noticed (code below). I do not see a *.exe file for it, once the app is compiled, in the directory where my project is saved. Why?
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Memo1: TMemo;
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.FormCreate(Sender: TObject);
const
  Subkey: string = 'Hardware\description\system';
var
  hkSB: HKEY;
  rType: LongInt;
  ValueSize, OrigSize: Longint;
  ValueBuf: array[0..1000] of char;

  { Walks a REG_MULTI_SZ buffer (strings separated by #0, ended by an
    empty string) and appends one memo line per string. }
  procedure ParseValueBuf(const VersionType: string);
  var
    I, Line: Cardinal;
    S: string;
  begin
    i := 0;
    Line := 0;
    while ValueBuf[i] <> #0 do
    begin
      S := StrPas(@ValueBuf[i]);
      Inc(Line);
      Memo1.Lines.Append(Format('%s Line %d = %s',
        [VersionType, Line, S]));
      inc(i, Length(S) + 1);
    end
  end;

begin
  { Read the BIOS strings from HKLM\Hardware\description\system. }
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(Subkey), 0,
    KEY_READ, hkSB) = ERROR_SUCCESS then
  try
    OrigSize := sizeof(ValueBuf);
    { ValueSize is overwritten by each query, so reset it before every call. }
    ValueSize := OrigSize;
    rType := REG_MULTI_SZ;
    if RegQueryValueEx(hkSB, 'SystemBiosVersion', nil, @rType,
      @ValueBuf, @ValueSize) = ERROR_SUCCESS then
      ParseValueBuf('System BIOS Version');
    ValueSize := OrigSize;
    rType := REG_SZ;
    if RegQueryValueEx(hkSB, 'SystemBIOSDate', nil, @rType,
      @ValueBuf, @ValueSize) = ERROR_SUCCESS then
      Memo1.Lines.Append('System BIOS Date ' + ValueBuf);
    ValueSize := OrigSize;
    rType := REG_MULTI_SZ;
    if RegQueryValueEx(hkSB, 'VideoBiosVersion', nil, @rType,
      @ValueBuf, @ValueSize) = ERROR_SUCCESS then
      ParseValueBuf('Video BIOS Version');
    ValueSize := OrigSize;
    rType := REG_SZ;
    if RegQueryValueEx(hkSB, 'VideoBIOSDate', nil, @rType,
      @ValueBuf, @ValueSize) = ERROR_SUCCESS then
      Memo1.Lines.Append('Video BIOS Date ' + ValueBuf);
  finally
    RegCloseKey(hkSB);
  end;
end;

end.
165.JPG
The first comment on reading your idea: almost no protection .....
Security takes effort and skills - in the end you need to spend resources (time, money, man) --- if you are asking just for 3 lines of reading this memo field for you --
this is no security
The best way for maximizing your protection, in terms of HW details, is to use WMI (Windows Management Instrumentation), do not rely on Registry very much, that will be the first place to be manipulated by curious guys:
http://files.codes-sources.com/fichier.aspx?id=37706&f=Main.pas
Link provided by epasquier
But what will be the gain if I store ASCII data inside my app and an ini file, take a HEX editor and read out these values?
ASKER
Ok, let's make some things clear.
1. Is it possible to "decode" an app compiled to a *.exe file?
So you can get the source code?
If it is, how much does this service cost and how many people are able to perform it?
I believe everything in computers is possible, but the question is how hard/easy it is and how directly/indirectly it can be done.
Decoding an exe from machine language (human-unreadable instructions, 0s & 1s) to source code (human-readable code) is a lot of work, with many phases of conversion; it requires very high knowledge of computer languages (first of all assembly language) and sophisticated helper tools for converting the low-level machine language to a high-level language. It's almost impossible for an ordinary programmer if it is to be done in simple steps.
Here are a few lines to clarify the levels of translating the source code so it can run on the machine.
http://www.cset.sp.utoledo.edu/sample/engt1050/engt1050_languages.html
go to the part "Programming Language Levels"
The question is not if it is possible in general; the question should be "will somebody do it with my app?"
E.g. will somebody get rich and famous hacking your app ?????
If not very rich and no chance for glory, select a medium / reasonable set of security features
eg: http://en.wikipedia.org/wiki/MD5
ASKER
I am not a programmer, just an automation engineer, who does not have the right sense about this concept. But anyway I can not get very far without professional instruction. And seriously, I am not sure that my life will go in a direction where I will ever need some professional resolutions about security.
MD5. What is it? I can't understand anything from the wiki. BdLm, can you write a couple of sentences about it?
Yes, what can I say. Maybe my app will be a million dollar thing. But now I can believe that some programmer specialist will be paid to decode my app.
So finally until now i believe that option described in my post question will be the best for my case.
Or, i do not know.
ASKER
I have at least one month of time to study "my" protection.
But now I should give a customer some testing version which will work just on one PC and for one month. And this version has one function excluded (for now). So even if it gets on the web as it is, it's not important.
I still do not understand one thing: what is the need to encrypt HW data if:
1. I use the code above to read HW data on the customer PC and store it to a text file
2. and then use it as a string variable, to build and compile it into the working app, to compare it with the HW data read from the PC.
It is almost impossible for a usual programmer to decode the *.exe file to get my source code and then to exclude the part where I am comparing the string variable with the HW. In this case the license is not important?
Thank you
And please understand I need some time to relax, because I am going mad.
ASKER
Two app:
1. get HW as string
2. work
Work:
if (string=readHW) and (actualDate < limitDate) then OK else exit;
OK, if you do as proposed in the last post:
your app is protected until the attacker starts to analyse the *.exe; from there the rest depends on the skills of the hacker
I prefer the external file (Encrypted ID File) to hold the data which your application is going to compare against the current computer data. First of all because you don't have to compile your application with every different data to match every customer's machine that you are going to give your application to.
Also, whenever a customer's HW is changed you generate that ID File and send it to the customer (you can prepare a HW reader that you send to the customer which gets you the data you look for, then an encrypter to encrypt that data; then the ID file is ready to be provided to the customer). As an extra measure you should implement key-based encryption, where you include the key in your exe and every customer is assigned a unique key (you keep records of those keys so in future you will still be able to generate an updated ID File for any customer who might require a new ID file after changing HW).
Only to confirm this: risk is always there either by using the ID File or store the data in the exe.
@jimyx: yes sure, in the end you need something like what Embarcadero/Borland Delphi does to protect against undesired copies: give a key to the user (serial nr), run the setup .... get some HW data ... evaluate a HW string .... and request the user to send some information back (e.g. the MD5 hash value of the HW string); based on that you provide the final licence.
A good system, but with much effort
@pr2501: do some simple encryption (rot13 or ....) and be aware this is not high security but a bit of protection
ASKER
What is the need to encrypt HW data?
simple algo : rot13, caesar, .... -> see my links: http://forum.delphi-treff.de/showthread.php?24859-Algorithmen-Rot13
better also: DES , .... -> see link by jimyx http://www.cityinthesky.co.uk/cryptography.html
very good Algo: AES
ASKER
Two app:
1. get HW as "A", encrypt "A" as "B".
2. decrypt "B" to "A", if (A=readHW) and (actualDate < limitDate) then OK else exit;
Correct?
What is wrong if A is public and I work just with A?
Please explain this?
A being public means I may start to trim my other hardware to make the correct response,
or trim your exe to also accept another response
ASKER
Ok, thank you
You might consider using an ID file which contains encrypted data of the hardware details that you obtain from the customer; your application will decrypt that file and match it against the currently available hardware details, so instead of compiling the application every time the hardware is changed, you can just update the encrypted ID file. So you give out your application with one extra file holding encrypted details that will be checked against the available details: if they match, show the application normally; if not, inform the user to contact you for more details.
As for not finding the .exe when you compile/run, make sure the Output directory is not set to a different directory than the current folder of your application source:
Delphi 7:
Project -> Options -> Directories/Conditionals tab -> Clear the "Output directory"
Delphi 2009:
Project -> Options -> Delphi Compiler -> Clear the "Output directory"
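
The ID-file scheme described in the posts above (hardware details plus a per-customer key, checked together with the date limit), sketched as an added example that is not code from any poster. It uses an HMAC tag instead of encryption, and the key, BIOS strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample values; a real key would be generated per customer.
KEY = b"constructed-per-customer-key"
BIOS = ["CONSTRUCTED BIOS - 1234", "01/02/10"]

def hw_fingerprint(bios_values):
    """Hash the strings read from the machine into one hardware ID."""
    joined = "\n".join(v.strip() for v in bios_values)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def _tag(key, hw_id, expires):
    # The tag covers BOTH fields, so neither can be edited on its own.
    msg = f"{hw_id}|{expires}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_id_file(key, bios_values, expires):
    """Vendor side: build the ID file text for one customer machine."""
    hw_id = hw_fingerprint(bios_values)
    exp = expires.isoformat()
    return json.dumps({"hw": hw_id, "expires": exp,
                       "tag": _tag(key, hw_id, exp)})

def check_id_file(key, id_file_text, bios_values, today):
    """App side: return (ok, reason); anything unparsable fails closed."""
    try:
        lic = json.loads(id_file_text)
        hw_id, expires, tag = lic["hw"], lic["expires"], lic["tag"]
        limit = date.fromisoformat(expires)
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    expected = _tag(key, hw_id, expires)
    # Constant-time comparison of the stored tag with the recomputed one.
    if not isinstance(tag, str) or not hmac.compare_digest(
            tag.encode("utf-8"), expected.encode("utf-8")):
        return False, "tampered"
    if hw_id != hw_fingerprint(bios_values):
        return False, "wrong machine"
    if today >= limit:  # same rule as the thread: actualDate < limitDate
        return False, "expired"
    return True, "ok"
```

The key still ships inside the exe, so as the thread says the risk remains once someone analyses the binary; the tag only stops edits to the ID file itself.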