My client has a Flash projector EXE and he wants to set up an on-line serial number control system so he can sell it on-line.

The key problem in this project, as far as I see, is that the exe is required to run on only one computer.

My current plan is below:

  • Request the serial number from the user before the installation and check whether it is okay.
  • If it is okay, generate a hash from a number of unique hardware constants. Match it with the server and see if the application was installed on this machine before.
  • If not, or it is the same machine as before, allow the installer to continue.
  • After installation, put the hardware hash into the registry.
  • Create a loader EXE, place the Flash EXE into it as a resource.
  • In the loader EXE, check if the registry has the hardware hash and it is the correct hardware we're running on.
  • If the hardware hash is correct, extract the resource (Flash EXE) to a hidden path and execute it with CreateProcess.

Now, I'm aware that there is a serious security flaw in this workflow. When I extract the resource exe and execute it, it would be visible to any user looking at the Task Manager. So he/she could reach out his hand and grab it!

How can I improve my approach? At least to an acceptable point?

Thanks.

P.S. This application has similar functionality: http://www.increditools.com/flash_exe_builder/index.php in terms of protection and serial-number.
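The workflow listed in the question, sketched end to end as an added example (not code from the poster or from any product mentioned here). The hardware constants, the serial and the dictionary standing in for the Windows registry are constructed for illustration.

```python
import hashlib
import hmac


def hardware_hash(constants):
    """Hash hardware constants in a fixed key order so the result is stable."""
    canon = "\n".join(f"{k}={constants[k]}" for k in sorted(constants))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ActivationServer:
    """Remembers which machine each serial number was first installed on."""

    def __init__(self, valid_serials):
        self.bound = {serial: None for serial in valid_serials}

    def activate(self, serial, hw_hash):
        """True if the installer may continue for this serial on this machine."""
        if serial not in self.bound:
            return False  # serial was never issued
        previous = self.bound[serial]
        if previous is not None and not hmac.compare_digest(previous, hw_hash):
            return False  # serial already used on a different machine
        self.bound[serial] = hw_hash  # first install, or reinstall on same machine
        return True


def install(server, registry, serial, constants):
    """Installer side: ask the server, then record the hash locally."""
    hw = hardware_hash(constants)
    if not server.activate(serial, hw):
        return False
    registry["HardwareHash"] = hw  # dict entry stands in for the registry value
    return True


def loader_may_run(registry, constants):
    """Loader side: the stored hash must match the hardware we are running on."""
    stored = registry.get("HardwareHash")
    return stored is not None and hmac.compare_digest(stored, hardware_hash(constants))


# Constructed sample machines and serial, for illustration only.
PC_A = {"disk_serial": "WD-0001", "mac": "00:11:22:33:44:55", "cpu": "demo-cpu-1"}
PC_B = {"disk_serial": "ST-0002", "mac": "66:77:88:99:aa:bb", "cpu": "demo-cpu-2"}
DEMO_SERIAL = "DEMO-1234-5678"
```

Changing any one constant (a replaced network card, for instance) changes the hash, so `loader_may_run` refuses on the customer's own upgraded machine until the installer is run again.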

+2  A: 

How can I improve my approach? At least to an acceptable point?

Depends on what you mean by "acceptable". This problem is unsolvable - there are commercial companies which exist solely to provide DRM protection to multi-million-dollar software, and that "protection" is routinely broken within days.

The exact amount of protection you want to bother with depends largely on what you're distributing - without having an idea of that, it's really not possible to give a good recommendation as to what you want to do.

Your proposed system might be sufficient. Heck, the honor system of you trusting your customers might be good enough for your client's purposes.

Anon.
The problem with my approach is that once the user entered his valid serial and installed the software, he/she can very easily copy the Flash exe and send it to others (which I don't have any problem with! :)). I would like to make it a bit more difficult to get the Flash exe. I know it will never be impossible, but at least I don't want it to be that easy. This is "acceptable" for me.
frbry
The question you want to ask yourself is *Why*. If you tie the user to a specific hardware configuration (and require them to reinstall if they upgrade their computer), they're more likely to pirate your app instead of buying it. If you only let the user install it on a limited number of computers, they're more likely to pirate instead of buying. If you require the installer to "phone home", your users are more likely to pirate instead of buying. The DRM you are suggesting *will not stop a determined pirate*, but *will inconvenience your customers and make them more likely to pirate your app.*
Anon.
Again, I'm not admitting the methods described in the original post. I'm just trying to solve the problem. But my solution is not removing the copy-protection system, for now at least.
frbry
The best copy-protection is stuff that doesn't give your customers an incentive to bypass it. So just cut out the hardware hash and phoning home, and just store the serial key. You could even get your installer to *embed the key in the extracted app*, so that if you do find a pirated copy floating around, you know whodunnit.
Anon.
Embedding the key in the extracted Flash exe. Could you direct me to some resources on that bit or maybe some keywords? Thank you very much.
frbry
You can just append the key (maybe using BASE64, just to confuse the newbies :P) to the end of the EXE without corrupting it.
MeDiCS
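The key-embedding idea from the comments above, as an added example that is not part of the thread: the installer appends the Base64 serial to the EXE, and the vendor can later read it back from a copy found in the wild. It goes one step beyond the comments by adding a vendor HMAC so an edited stamp is rejected; the marker, key and sample bytes are constructed, and it assumes the EXE is stamped before any code signing and does not read data from the end of its own file.

```python
import base64
import hashlib
import hmac
import struct

MAGIC = b"SERIAL01"                     # hypothetical trailer marker
VENDOR_KEY = b"constructed-vendor-key"  # assumption: kept on the vendor's server only


def _tag(serial_b64):
    """HMAC over the encoded serial, as ASCII hex."""
    return hmac.new(VENDOR_KEY, serial_b64, hashlib.sha256).hexdigest().encode("ascii")


def stamp(exe_bytes, serial):
    """Append base64(serial), a vendor HMAC, a length field and a marker."""
    serial_b64 = base64.b64encode(serial.encode("utf-8"))
    record = serial_b64 + b"." + _tag(serial_b64)
    return exe_bytes + record + struct.pack("<I", len(record)) + MAGIC


def read_stamp(data):
    """Return (serial, original_bytes); serial is None if there is no valid stamp."""
    tail = 4 + len(MAGIC)
    if len(data) < tail or not data.endswith(MAGIC):
        return None, data
    (length,) = struct.unpack("<I", data[-tail:-len(MAGIC)])
    start = len(data) - tail - length
    if start < 0:
        return None, data  # length field points before the start of the file
    serial_b64, sep, tag = data[start:start + length].partition(b".")
    if not sep or not hmac.compare_digest(tag, _tag(serial_b64)):
        return None, data  # stamp was edited or was not issued by the vendor
    return base64.b64decode(serial_b64).decode("utf-8"), data[:start]


# Constructed stand-in for the projector EXE contents.
DEMO_EXE = b"MZ" + bytes(range(256)) * 4
```

A stamp in a fixed trailer is easy to cut off, so it identifies the source of casually shared copies only.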
+1  A: 

If his app isn't popular (and won't be), phoning home is overkill.

If his app is popular (or will be), give up. Even industry-grade (whatever that means) software security protections are inherently flawed; even the controversial Sony's SecuROM and Valve's 'DRM to end all DRMs' CEG have already been broken.

MeDiCS
I'm sharing the same thought with you on this. But a customer is a customer and he is complaining about how people are sharing his program all over the internet! I don't know if it is true or not.
frbry
Just add serials, extract the EXE to the temp dir (locked) or directly to memory if you have the 'skillz' and be done with it. Anything else is just extra noise.
MeDiCS
+1 for the relieving suggestion :)
frbry
A: 

You cannot stop everyone from cracking your security but in this case stopping 90% (or so) of the users from doing it is all you can ask for. And just making it difficult to use an illegal copy will accomplish the task.

Look at Adobe and how many cracked license keys for Photoshop and Flash CS3 exist. The point is that doing something is worthwhile to stop the average user - but that's as far as protective measures will go. If someone wants to steal software and is willing to put in the time and effort to do so they will be able to get it - no matter how good it is.

Todd Moses