I've been looking for a simple key/license system for our users. It's partly to stop piracy (prevent users from sharing the application around) and the other half to track the number of 'licensed users' we have. I have already read a few good suggestions on SO but I'm curious as to how people have implemented the 30 day evaluation criteria.

Do you generate a key that stores the date somewhere and do a comparison each time or is it a little more complicated - deleting the file/removing the registry shouldn't deactivate.

Are there any example implementations out there that can give me a head start? The irony is that our PM doesn't want to license a third-party system to do it for us.

This is for a Windows Forms application.

A: 

I am not sure you can actually protect a .NET - there may be commercial solutions that do the trick. The reason is that .NET code can be seen through Red Gate's Reflector (it was formerly by Lutz Roeder; thanks jasonh for the heads up). The best way to deal with it is to look for code obfuscation, which makes reflecting trickier. I can point you to one place I know of that does this for free - Phoenix - NtCore.Com.

The more esoteric solution would be to create a .NET hosting environment in C++, load the binary image (which could be encrypted) and have the hosting environment then decrypt it in memory - I have heard of that theory but am not sure how that would be done in practice. Please do not use your own protection scheme as there could be a weakness.

Someone once said - "Security through obscurity"....

Hope this helps, Best regards, Tom.

tommieb75
On the other hand, the custom solution has a benefit, because a potential cracker has no experience with the same kind of protection from other software. And if he makes the protection smart, the protection can look successfully cracked, but then the application can exhibit some unwanted behaviour in some special/common cases of the application's domain functionality.
TcKs
@TcKs: Very much agree there but personally wouldn't want to risk developing my own solution as I would unwittingly put in a weakness into the scheme. Take a look at sites that offer serial key generators for a huge mass of software, then it would put things into perspective - once a cracker finds a way to determine what is the key, then that will be posted no doubt!
tommieb75
It's actually Red Gate's Reflector now. :)
jasonh
@jasonh: Whoops! Yes that is 100% correct...I'll edit this accordingly.
tommieb75
+1  A: 

Have you checked out the Rhino-Licensing project by Ayende Rahien? You can also see his blog post about licensing a commercial product which led him to develop this solution.

paracycle
Ayende seems to have a solution to everything!
RichardOD
A: 

There are two separate challenges: i. How do you prevent a copied app from running. ii. How to prevent users from ripping out/bypassing your prevention scheme. The first one is usually done by taking a hard to copy signature of the user's system (e.g. Hard Drive ID + Processor ID + RAM, etc) and using it as the seed/key AND activating it on-line by calling "home".

The second issue is harder to do in .Net since the source code can in some way be extracted and recompiled to exclude your protection system. The key here is to make it cheaper to buy the license than to remove the protection at the user's end. You may find that for most products, the suggestion to use a customized engine to encrypt your product libraries that also contain your copy-protect and decrypt it at initial run-time, might be enough.

MandoMando
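
One way to implement the machine-bound, server-activated license described in the answer above (an added C# example, not code from this thread): the activation server signs the machine fingerprint together with an expiry date, and the client verifies the result with an embedded public key. The class and method names, the `fingerprint;expiry;signature` format, the sample IDs and the key pair generated inside `Main` are all assumptions made for the illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
static class LicenseDemo
{
    // Hypothetical fingerprint: hash of whatever stable machine IDs the app collects.
    static string Fingerprint(params string[] ids)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(string.Join("|", ids))));
    }
    // Activation server: signs "fingerprint;expiry". The private key never leaves the server.
    static string Issue(RSA privateKey, string fingerprint, DateTime expiryUtc)
    {
        string payload = fingerprint + ";" + expiryUtc.ToString("o", CultureInfo.InvariantCulture);
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + ";" + Convert.ToBase64String(sig);
    }
    // Client: ships only the public key, so it can verify licenses but not mint them.
    static bool IsValid(RSAParameters publicKey, string license, string localFingerprint, DateTime nowUtc)
    {
        string[] p = license.Split(';');
        if (p.Length != 3) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(p[2]); } catch (FormatException) { return false; }
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            if (!rsa.VerifyData(Encoding.UTF8.GetBytes(p[0] + ";" + p[1]), sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)) return false;
        }
        return DateTime.TryParse(p[1], CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out DateTime expiry)
            && p[0] == localFingerprint && nowUtc <= expiry;
    }
    static void Main()
    {
        using (RSA vendor = RSA.Create(2048)) // demo key pair, generated here only for the example
        {
            string fp = Fingerprint("DISK-1234", "CPU-ABCD"); // constructed sample IDs
            string lic = Issue(vendor, fp, new DateTime(2030, 1, 1, 0, 0, 0, DateTimeKind.Utc));
            RSAParameters pub = vendor.ExportParameters(false);
            DateTime now = new DateTime(2029, 12, 15, 0, 0, 0, DateTimeKind.Utc);
            Console.WriteLine(IsValid(pub, lic, fp, now));                                     // licensed machine
            Console.WriteLine(IsValid(pub, lic, Fingerprint("DISK-9999", "CPU-ABCD"), now));   // copied to another PC
            Console.WriteLine(IsValid(pub, lic.Replace("2030-01-01", "2040-01-01"), fp, now)); // expiry edited
            Console.WriteLine(IsValid(pub, lic, fp, now.AddDays(30)));                         // evaluation over
        }
    }
}
```

Because the server chooses the expiry and can record the first activation per fingerprint, deleting the local license file only forces a re-activation that returns the same date. The check still trusts the local clock and can be patched out of the assembly, which is the second challenge the answer describes.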
A: 

I worked on a project that handled this by putting some critical functionality (for example data storage, reporting, or payments) on an external server we ran, and requiring the user to log in to this server to get the functionality.

Customers can make backups, share, or run the application locally, but to access this critical function they have to type a password in to our application and connect to our server. Customers knew the password allowed changing their data, so they would not want to share the password with other people.

This was handy because we do not care how many copies of the application are out in the wild, we only track server connections. We included machine-identifying data like MAC address in the connection data, so we can track which machines are connecting.

Dour High Arch
A: 

I'm not just saying this because my company sells the OffByZero Cobalt software licensing solution for .NET: your PM should know that software licensing is very hard to get right, and if you roll your own, you'll be supporting it for the foreseeable future.

Take a look at the article Developing for Software Protection and Licensing; it explains how to choose a solution, why you should obfuscate your application and gives a number of tips for structuring your code to be harder to crack.

In particular it makes the point that the vast majority of companies should outsource their software licensing, as it makes no sense to spend developer time on building and maintaining a complex system that isn't your core business.

What is more important to your company: adding an important new feature to your product, or tracking down a peculiar permission behaviour on an ancient version of Windows that's clobbering your licensing system?

Duncan Bayne
A: 

Why would you want to spend time on non-core development like implementing a licensing system? I would instead focus on core development and use a ready-made licensing system.

If you ever decide to use a 3rd party system, take a look at CryptoLicensing.

logicnp