• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311
  • Last Modified:

How to protect my portable software against copying

Hello,

I have a software written by me and it uses a portable database.
The portable database is password protected.

My problem is that  the whole software can be copied to another computer and it will work. I don't want to use another database, because it's a small software, and neither a hardware key, however I want to prevent copying.

Because the database is protected I can store any data in it that can't be read, or modified.

What can you recommend? I thought of storing the hard drive serial number in the database (by the way I don't know how to get it) and at software start I would check the actual hard drive number and the database stored one.

Is it a better method? What about if the customer buys it for 4 computers? What can I do then?

Thank you

0
starhu
Asked:
starhu
2 Solutions
 
ggeekCommented:
It's possible to generate unique key (e.g. based on hard drive serial number).

The activation process will be:

The user install the software and provide you his unique key
You generate encrypted key (e.g. MD5 of unique key)
Store the encrypted key in the database

The validation is:

The software get unique key and stored encrypted key
check if MD5 of unique key = stored encrypted key



How to get hard drive serial number

GetVolumeInformation
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364993(v=vs.85).aspx
can be used from other languages e.g. C#:
http://www.eggheadcafe.com/articles/20021019.asp

How to calculate MD5:

 
public string CalculateMD5Hash(string input)
{
    // step 1, calculate MD5 hash from input
    MD5 md5 = System.Security.Cryptography.MD5.Create();
    byte[] inputBytes = System.Text.Encoding.ASCII.GetBytes(input);
    byte[] hash = md5.ComputeHash(inputBytes);
 
    // step 2, convert byte array to hex string
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < hash.Length; i++)
    {
        sb.Append(hash[i].ToString("X2"));
    }
    return sb.ToString();
}

Open in new window

0
 
epasquierCommented:
there are tools that allow the setting of the volume ID, so this is not the most secured information to use for such protection. It would be easy to set the volume ID on other computers to match the one where the software was registered.
I would recommend the use of the motherboard information, through WMI :
http://stackoverflow.com/questions/2497253/how-to-get-motherboard-id-or-serial-number-delphi

But yes, the principle is always the same. For multiple workstation licence you will need to add a licence Key in the mix.
The licence Key is a single value, or row, in your database. this key should contain those informations :
LICENCE_KEY , CLIENT_ID (for your own customer management application), MAX_WORKSTATION, VALID_UNTIL_DATE
Those data will be put in the DB by you, manually, with a tool. Then all workstation will need to register

* Step 1 : At startup, your application get the workstation specific key
- get some hardware related data
- generate a workstation key from that data (let's say 12 to 16 hexa digits) (*algo 1*)

* Step 1.5 : check if there is an activation key in the DB corresponding to this workstation key (detailed later). If there is, then allow the application to start. Otherwise, launch the registration process.

* Step 2 : the user send this key to you, AND the DB licence key, and you return an activation code
- maybe your software sends you an email, or you have a webservice that will do it fully automated
- from the key given to you, and the licence key, you generate an activation code.
the activation code generation usually carry less information than the workstation key combined with licence key. so maybe 12 hexa digits is enough (* algo2*)
- you send that code back to the user by email, or directly to the application if you used a webservice

* Step 3 : Check the activation and store in DB
- the software checks the activation code returned, buy calculating it with the same "algo 2".
- if both match, then register the activation code with the workstation code in another DB table, and allow the software to run.

Now, how to implement all those algo (1 & 2) ? well, that is the part you have to decide yourself, as your system will be as secured as these algo will be secret and complex. There are plenty cryptographic algos you can use, combine, do little tricks here and there of your own with constants that only you and your softwares know...
0
 
starhuAuthor Commented:
Hello,

Thank you for the advice both.

The motherboard examples don't work:

Option 1) I haven't got WMIScripting in my system
Option 2) It always gives me an empty string for the motherboard
0
 
thehagmanCommented:
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now