C# - PC fingerprint (for program piracy protection)

[ricka0]

All I can say is bloody brillant . I googed a few of security terms (looking for code like this) - and google brought me right here. Copy/paste in VS.Net - compile errors, then add System.Management.dll ref - compiles and WORKS!

Good explaination of software protection trade off's Brian.
I used a CAD program that required a dongle, the dongle died and I couldn't work. Took it apart, left a note saying F* U in it - I hate dongles.

You can easily lock down much of the registry and WMI in Win03 - which would return those errors. You can get most of these values in native Win32 but then you'd have to step outside of .Net (but it would solve the protection problem).

I have code getting most of these ( Win32/C++/ATL )
The require connection to the network before your app can run is unacceptable to most people. I do my best programming on an airplane.

The SHA hash is the way to go - you get it for free and it makes the code unbreakable. Compressing all the data into an 8 bit hash has the flaw that if some of the data is predicitable(which I'm sure it is), you end up with more like a 4 bit hash. That's how 128 bit encryption was cracked (time has was predictable).

[ricka0]

adding a modicum to pixoluts excellent post, here is the C# version

VB Code:

using System.Security.Cryptography;    // SHA.ComputeHash
using System.Web;                     // HttpUtility.UrlEncode
 
// add ref to System.Web.dll
 
string rSHA(string str){
 
        ASCIIEncoding AE = new ASCIIEncoding();
        SHA1 shaM  = new SHA1Managed();
        string sTmp = Convert.ToBase64String(shaM.ComputeHash(AE.GetBytes(str)));
        return HttpUtility.UrlEncode(sTmp);
        
    }

Note I change'd it to pass in whatever strings you want. I'll probably use CPU_ID and MAC Addr

I could write a web site that would let you register GUIDS (to enable cust code) - custs could connect to my site and get hash. I could charge say 5 cents for each customer I serviced. Not everybody wants to set up a web site to issue codes.

[BrianHawley]

Cool stuff. Glad it worked.

[Kasracer]

The idea of having unique log-ons to a server is interesting, but what happens if the server is down? What about non-Internet apps or people with dial-up? What happens when you sell a hundred billion copies and overload your server?

Redundancy. Dial-up doesn't matter since you're only sending a few bytes (not entire applications).

I also doubt selling a crapload of copies will overload the server unless the server admin doesn't know what he's doing and/or the programmer create a huge amount of overhead.

Like I said, you'd only be transfering a few bytes verifying that someone's login.

[BrianHawley]

Redundancy. Dial-up doesn't matter since you're only sending a few bytes (not entire applications).

I also doubt selling a crapload of copies will overload the server unless the server admin doesn't know what he's doing and/or the programmer create a huge amount of overhead.

Like I said, you'd only be transfering a few bytes verifying that someone's login.

Hmm...

Well if I had bought, for instance, a word processor and it had to establish a dial-up connection and swap even a few bytes each time I wanted to use it, I think I would not be a happy customer. Particularly if I was using my lap-top on an airplane. But it's a free world. We can all protect our apps (or not) as we think best.

[pixolut]

Veeery good point Brian. Customers have very set expectations when it comes to app protection. High-end and specialist apps are EXPECTED to have a dongle or 'call to base' and be hard to install. A lot of customers actually LIKE this with their high end software as it validates for them the high cost of the software - good examples are high end 3D software packages like Houdini or management software like ShortCuts. Brian's point is valid - because a low end software package is not expected to have high-end security features to protect it. Its all relative and very much built in to the psychology of software consumers.

In the software we built using the authentication scheme above we were using it to enable web based services which were 'pay per use' so customers were very happy to have software which 'chatted' on the internet to validate it was authorized.

Note - they don't like getting feedback about the chats. We found that some of the errors which were raised that were network related were best ignored. We started out showing them to customers (like 'could not connect to server') but found later that since the software was not being used, the error was useless. Customers get the transport errors when they try to use the software - even if they have been going on all day before hand - thats the first they find out about it. Its all in the psychology...

-Joe

[BrianHawley]

Well put.

Use the appropriate tool for the job.

Don't use your Ferrari to transport 20 bags of cement and don't race your 18-wheeler (although there are some people who will do both!)

[nemaroller]

I move that we go back to putting programs on cassette tapes - or better yet, punch cards - yes punch cards - that would stop piracy.

[BrianHawley]

I've got an old Commodore PET (1970s PC) with programs on tape. Still works! A whole 8 Kilobytes of RAM.

[Tobiasgar]

I have developed checking computer finger print program in c#. Now what logic i should apply to check finger print before installing setup of application.

Pls help.

[shakir1311]

well guys the code work well but there is a bit of problem. The code can not
enumerate devices that are disabled by the device manager.

e.g run the program and generate your serial number ( unique to your system).
save the number and then disable your network card( or enable it if it is already disabled). run the program again and u will get a different number.

[andyd273]

First off, I've been looking for something like this, and it is awesome.
And props for the VB.net translation.

Second, just in case someone else runs into the problem I did, you have to add in the System.Management.dll as a reference, because this part threw me for a couple minutes (I'm a bit of a newbie with .Net)

Once again, awesome job.

Oh, one more thing... the program I am working on has to connect to an online database on one of our servers to get the data (we don't want to give the users the data, since that is what they will be paying us for). so since they will be accessing a sql server anyway, I plan on just storing their registration key and fingerprint in the database, and make it so they have to match or no data for them.
That way we can charge a subscription fee, and if they cancel their subscription, we can invalidate their key and cut them off. They will still have the program, but it won't do them any good.

Just my thoughts

[andyd273]

well guys the code work well but there is a bit of problem. The code can not
enumerate devices that are disabled by the device manager.

e.g run the program and generate your serial number ( unique to your system).
save the number and then disable your network card( or enable it if it is already disabled). run the program again and u will get a different number.

Just remove the + macId() from the value function.
The other stuff can't/shouldn't be disabled.
cpu, bios and base aren't disableable (I don't think),
and if you disable the disk or the video then other bad things happen (like not being able to run your computer). Not impossible, just unlikely.

Then as a last safeguard, I liked the one idea of letting them update their system id 3 times over 2 months. That way if they do have to disable something, it won't bother them. but if they are sharing a key, it'll lock them out pretty quick.

[rickbear]

Hey...

I am not sure if this thread is still allive, but I found it on a google search and found it interesting.

I have a question though:

You can make your application to start only once on each machine to prevent multiple instances of your application running if you lets say had an application which had a license allowing you to have 1000 database entries of some kind.
If more instances of the application were allowed, then all this hardware checking would make no sense because hardware information would be the same for each instance.

But:
What if one's application is installed on a virtual machine - you then clone the virtual machine and run two instances of the virtual machine on the same physical machine - each now allowing 1000 database entries = 2000 entries. Is there some way to distinguish the two virtual machines? I've tried to look at some of the wmi calls and the info looks similar on both virtual machines. But perhaps I haven't looked deep enough?

When I run clones of one virtual machine on two different physical machines there are differences though. But it is the instance above I am worried about.

- rick -