>> fingerprint of your computer

[kedaman]

Anyone had tried to crack that game "Stars!" or in other ways know that it's hard to do. Well i tried but i run into this problem, that Stars! will take a fingerprint of your computer, probably something in registry and you can't have any copies on other computers without retyping the serialcode. Actually i made an app that tried millions values and i have a list of 100 serial numbers which works but all of them seems rejected later Saying: "Your spaceship refuses to move because he suspect you're a ursuper" or something like that.

Actually, i was talking to myselft again, ok back to the topic: How do i get a fingerprint of a computer? From registry or whatever? It seems to be a really good way of preventing illegal copying and cracking a game - So do anyone have any idéas or is this too hard to answer?

There is something called the MAC code which is used to identify a particular machine on a network (esp. when DHCP is being used). I'm pretty sure it's hardware-derived when the OS is installed. Try someting like

\HKEY_CURRENT_USER\IDENTITIES

The Macromedia Flash demo does a similar thing.

-John

[Edited by RoyceWindsor1 on 05-16-2000 at 11:07 AM]

[Edited by RoyceWindsor1 on 05-16-2000 at 11:07 AM]

[kedaman]

Sorry, I don't have that key

[kmchong]

I am also looking for any fingerprint of a computer. But it seems there isn't any.

MAC, as I know, it is the network adapter number (hardware), which compose of a string of hexadecimal characters. And according to something I read before, it is pre-assigned by adapter manufacturer and unique on the whole planet.

[MrShickadance]

Why are you guys talking about MAC addresses? MAC, or Medium Access Controller Addresses cannot be a valid fingerprint cuz it assumes you have an Ethernet card installed in your computer. kmchong is correct by saying that MAC addresses are assigned by the mfg's and they are "most likely" unique. You need to have a unique address for every card on your LAN. Outside the LAN, MAC addresses can be the same as one you have on your LAN. Anyways, MAC's can't be fingerprints.

[Paul282]

That's right. Only a system with a LAN card has a MAC address and a system with Multiple LAN cards have multiple MAC and IP addresses

Why not use the Hard disk Serial number?

or an encrypted version of it.

Thats an idea....but by since hdds these days are smaller, and easier to move around. So if the program was to stop people pirating software, all the pirates need to do is to have one hdd that they share around. And encrypting....that wouldn't really do anything if they were actually move the real hdd around.


Sunny

[Paul282]

But if they move the HDD around then they are not in violation of the license as only on copy is being used at a time.

If they can't recreate the encrypted SN for a HDD then they can't copy the software.

Let's say you use trippleDES (free standard on the net - do it yourself) 168bit encrypted with a password you only know.

if the crackers can't find the password(s) then they can't put a valid key in the registry for their HDD. which means it can't be cut to CD rom or emailed to anyone (well, it can but it won't run).

[kedaman]

Ok, let's get back to the topic. How do i get that HDD serial number?

[Iain17]

I have no idea on how to get the Hard-Disk serial number, but i have a suggestion.

I have no idea if this is possibe, but you might be able to use the Bios serial number. Surely every computers Bios must have a different serial number, or something similar. The program would then only run on a computer that had that Bios.

No one on this board seems to like the FileSystemObject, but I assure you it can be handy. Once you start using it in an app, you'll use it enough to justify the 140K Microsoft Scripting dll. (scrrun.dll)

Code:

Dim fso as new filesystemobject
Dim d as drive
Dim serialNo as string

Set d = fso.getdrive(fso.drives(1))

serialNo = d.serialNumber

John

[Edited by RoyceWindsor1 on 05-17-2000 at 12:51 PM]

[r0ach]

ActiveLock uses a similar 'fingerprint' thingy. It generates a code from the current system time, etc. Which it encrypts and stores somewhere (prolly in the registry). This fingerprint is then used (sometimes with a username) to generate the serial number for the program. If the program is installed on a different computer, the system time, etc. is different from the previous installation, hence, a new serial number is needed. When you uninstall the program, the stored fingerprint is NOT removed, so that you do not need to re-register when you re-install, but If it's a trial version, the previous installation's install-date (which is also stored at the first installation) will be used to eveluate the trial period. It's a rather involved process, but can be quite effective.

[Paul282]

I aggree with RoyceWindsor1 comment about the scripting being under used. But for large files, byte arrays are better (faster) even for test.

Sorry for getting off the topic

[kmchong]

Back to Kedaman, there is a API in this forum, I forget the thread, you may search for 'serial', 'drive serial' ... etc. I am using it right now and seems it working fine. Except the it can only read serial for IDE drive, no SCSI drive

[DrkMatter]

I believe you're missing something here...
How can writing a serial number in the registry prevent piracy ? I mean, if I take any program CD and have my friend burn it, neither my comp or the CD-ROM will have the serial in memory, so I'll still be able to use the software.
And if you'Re trying to prevent peoplefrom posting pirated games on the I-Net, they just have to give the whole installation CD , theefore your program will never have the chance of creating that Serial...

[Paul282]

I wasn't talking about distributing a license key with the software, I was talking about registration of software after trial.

The software generates an email (with details of name, credit card etc) encrypted for privacy and one of the bits of info sent (encrypted) is the HDD serial no.

The vendor (us) genrates the license key from the HDD serial no. you pass the license key back to the client who can then use the software on that HDD with all the functionality.

I'm not saying it's how I'd do it I was just replying to the origional question about computer fingerprints

[kmchong]

To Paul282,
The registration mechanism that you mentioned, is exactly what I am going to do. Do you have any reference information or sample for the process. Such as how to send information from the registration program to my IIS, and what I need to be in my IIS for returning the key and how the online registration program retrieve the key information.


Thanks

(It seems we are never alone on this planet)

[DiGiTaIErRoR]

No one mentioned the Windows OEM key.

[Paul282]

Originally posted by DiGiTaIErRoR
No one mentioned the Windows OEM key.

and for good reason considering how often windows has been pirated.

--------------------------------------

to kmchong,

If you're using you're own server then use ASP and forget mail altogether. Stick an Inet control on the reg software and have it talk to ASP files with an SQL server backend. You'll have to come up with an encryption algorithm for send and receiving data but as you control both ends that's not a big deal. get it working without encryption first (eg, send delimited strings like name#@#company#@#HDD-SN#@#

then use the split function to read the data. write the contents to the sql server, do a credit card algorithm check (better than nothing if you don't have access to an online bank), then generate and send a key. If you're worried about fraud have the client reg soft send the IP (the local IP rather than the IP visible to the server as that may just be a firewall IP) and other details (host name, windows reg key, contents of the outlook addressbook :-) .

You're only concern then will be if NT is hacked. (have the credit card numbers copied to another system then deleted from the database, otherwise your customers might decide to introduce you to the ins and outs of the legal system.)

I'm sure you think of more things you can do.

[Edited by Paul282 on 05-18-2000 at 01:15 AM]

[kmchong]

To Paul282,

Do you have any sample on the codes for the Inet processing?

KMChong
Taipei

[Paul282]

not really,

just use the openURL method from the client with the string and the ASP address and tha data goes into the string.

Then it's just string processing

Make a class first for encription and pass the data through that, then later when you want to impliment encryption you can just change the class code and every thing else is fine

[kedaman]

Thanks guys! I liked that one with the harddisk serialnumber so i did this:

Code:

'Kedamans Application & Registry & HDD Fingerprint 8 digit Serial Number V 1.0
'Requires Kerareg.bas, scrrun.dll, converters.bas
Sub main()
Dim fso As New filesystemobject, serialNo&, x&, RegSN&, AppSN&, HDDSN&, CompleteSN&
    AppSN& = Val(Left("" & Str2num(Left(App.Title, 4)), 8))
    If Len(KedaReg.RegVal("HKEY_LOCAL_MACHINE\Software\Kedasoft\Apps\Fingerprint\Serial")) Then
    Else
        Randomize Timer
        KedaReg.RegVal("HKEY_LOCAL_MACHINE\Software\Kedasoft\Apps\Fingerprint\Serial") = Int(Rnd * 100000000)
    End If
    RegSN = KedaReg.RegVal("HKEY_LOCAL_MACHINE\Software\Kedasoft\Apps\Fingerprint\Serial")
    Rnd -1
    Randomize fso.GetDrive(Left(App.Path, 1)).SerialNumber
    HDDSN = Int(Rnd * 100000000)
    CompleteSN = RegSN Xor 12345678 Xor HDDSN
    Do
        Select Case InputBox("Enter 8 digit serail number")
            Case "": End
            Case CompleteSN: Exit Do
        End Select
    Loop
    frmmain.Show
    Do While Forms.Count
        DoEvents
    Loop
End Sub

[Paul282]

Where do you find all this free time Kedaman???

PS: I went to your web sits and there is only one link there "Available" and it's broken! I was expecting reams of code

[kedaman]

Well I was uploading kl 4:30AM yesterday when I noticed it didn't work, i got and kicked my computer out of the window and went to sleep. So there's where from i got the time.

Go look at my website today again, i'll fix that

[Paul282]

The link is still broken

[kedaman]

Ok, it's ready now, but there's still some annoying script errors at line 199, what possibly could that be?

[Paul282]

EH? Moshikashite Kedaman ha Nihon-Jin?

[kedaman]

Ore wa Finland ni sunderu kedo nihongo hanshiteru.

[mwildam]

When I started to generate demo versions and serial numbers for my applications, I also thought about the HDD serial number but then I decided not to do that because of the following reasons:

1. To prevent from reinstall on another machine by saving for example the HDD serial number the serial number must be written to the installation disk to have something to compare with during the next install. On a CD this is impossible so it only would work if I ship my product on disks and tell the user an error if he or she write protected the disks. => :-(

2. If someone want to use a pirate copy of my application he or she will take the installation CD (or a copy of the disks) and not copy the already installed set of files. I guess nearly nobody use the installed set of files who works in windows environment. Further one usually write protect original disks to prevent unwanted overwriting and as the setup than produces an error one will make a second copy where the write protection will be disabled. So my copy protection lost in 95 % of cases. => :-(

3. Storing the HDD serial number on the local machine (for example within the installed exe file) where the application is installed on doesn't make much sense but if I would do so I would get more unwanted troubles: Some of our customers use my applications on many workstations and I often copy exe files around during updates. I would not be able to do so when storing the serial numbers in the exe file. Further I have to spent much time on hiding the serial number => :-(

4. I found out that every application having a demo feature for 30 days or whatever can be pirated by examining the computer before and after the installation or by watching the actions of the setup during installation and first call. Every application doing so must store some information about expiring the first time during setup up or startup. And this information can be found and killed after uninstall. => :-(

5. To make a separate demo exe is very unhandy and is additional work I don't like to have. => :-(

6. IMHO the only acceptible way is to have a serial number which has an expiration date encrypted inside for demo versions and for full registered versions to take the users full name together with a serial number (where the serial number is calculated from the name). Then display the registered user name on your startup screen and if there are copies around you can see the name of the first one who gave the copy + serial number away. The user's name on the splash screen should be a little motivation not to give away the code to friends. But a good cracker will either find that position in the exe file where the code is queried and checked and will be able to patch the exe file. => :-(

==> SO IMHO THERE IS NO WAY TO REALLY PREVENT FROM PIRATING!
I do 6. to "prevent" the "standard" and some of the "advanced" users from pirating my applications.

[philbell]

I had exactly the same problem to solve for some software I am writing for a major train company in the UK. I solved it the folowing way:-

After installing the system onto a P.C and is run for the first time the system checks the registry for an unlock key. If the unlock key is not found it then generates an installation key by retrieving the HD serial number and encrypting it. As the installation key uses the HD serial number and encryps it, it is unique to that particular machine. The installation key is then displayed to the user who then has to contact my company quoting the installation key who will then be given an unlock key which is unique to the installation key. This unlock key is then entered into the system an saved to the registry.

The next time the system runs it again checks for an unlock key in the system registry. If it finds one it again retrieves the HD serial number, encrypts it and checks that the unlock key matches it. If it does then the software runs.

The users can make as many copies as they like but the system will ask for an unlock key for every P.C it is installed on. This works for me !!

Phil.

[syn_bOy]

Good News for those of you who don't want their Software Copied.

OK! If I tell you this you will send me a freeware version
of your software, right? nah..just kiddin'

TO THE SUBJECT: Checking HardDrive Serial Number is a good
idea but what if the whole installation files are copied?

IF YOU DON'T KNOW HOW TO DO IT. DON'T ASK ME!
Solutions: Before Dristributing your program..Wait a couple of days and Check the
exact date your application was created and last-accessed,
modified. Make your installation program check to see if
the installation files are last-accessed, modified..created. on the day your application was created.
If it's not then the one using your installation files at the moment is using a copied version. DONE.

[da_silvy]

i don't think people would be swapping their hard drive aorund. So what you could do, is encrypt their hard drive serial number then tell them that it is their serial number, (after they register)

i.e. their encrypted hdd serial no is their serial number...

therefore there will be no matching serials.

so if my hard disk crashes, and I have to re-install everything on a new disk - will the software work?

I'll tell you what will happen though - nobody will by your software cos it will be too much of a pain in the arse to transfer between HDD's

You basically have two choices - a basic serial nunmber approach that will work for any machine, and live in hope that your software doens't get pirated too badly

or

THE DONGLE OF DEATH.

Dongles are a major annoyance, but they are good copy protection, they are portable, and most importantly, it's not too difficult for a dumb user to set it up. It stop the s/w being used on more than one machine at a time.

There basically is no real security - a good hacker can beat all the methods listed above.

Buts for gods sake, don't use the registry. At least be a little created and embed the S/N in the exe file somewhere.

- gaffa

[HeSaidJoe]

No matter what you do, someone can undo: there is always better. Look on the bright side...if you can write something that people think good enough to pirate, hey, you're star is rising!

[kedaman]

Hey! Whoo the comeback of another old thread!

Hehe, hesaidjoe, can you recover a harddisk that was smashed into pieces and burned into ashes, can you rise ppl from death`? Can you really undo what is done? Well sure you can because everything is possible and nothing is impossible

[buzz]

Well, heres what I'm doing and it's fairly secure and minimal 'pain in the arse' for users. The only downside is that it may not work for you since my app is an online app which requires the user to be connected to the internet. My software is normally freeware w/banner and if the user registers, the banners and nagscreens are removed.

What i do is, i have an access db server with an asp script. When running in freeware mode, nothing is done. However when the user wishes to register, he can fill out a form online w/credit card info. Once i process the cc info and verify it works, I have my asp script generate a unique key (not related to anything). The key is then sent via email to the user. He/she will then enter that key using my software. The registration software first checks the key against the asp script which validates that it is indeed in the active keys' db table. The asp script will set a flag which will mark that the key can no longer be used to register a new copy of the program. The program then gets a confirmation that the key is valid and disables the banners, etc. The program then encrypts a string which is based on the hdd serial, the reg key itself, and the windows product id (which seems to be unique even if ppl install off same cdkey). This new encrypted string is buried in 3 places in the registry.

The next time the program is run, it checks against asp script if key is still valid. If it is, it does the encryption again and see if it matches the value of all the keys.

If the user passes the encrypted string to a buddy, it will fail to match since product id and hdd serial will both not match. If the user's buddy tries to register using the users' key, it will again not work since it's been marked off as already used.

Now you may be wondering, what if the original user formats or his hd crashes. Well, I also have another asp script which you can generate a new key provided that you have your old one. So the user can just enter his email address and his old key and a new one will be generated and email to his email address. The asp script marks the old key as invalid and the new key as 'not yet used'. The user is now able to reregister using the new key.

[VIKT0RY]

You can try to use the API GetVolumeInformation [Public Declare Function GetVolumeInformation Lib "kernel32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, ByVal nFileSystemNameSize As Long) As Long] and only use the lpRootPathName parameter, which it's the root name (such as c:\) and the lpVolumeSerialNumber parameter, which gives you the serial number of the hard disk.After that you can make an algorithm whith this number to make a serial for your program.

[da_silvy]

how do hackers actually change things in programs?

[mwildam]

Originally posted by philbell
... As the installation key uses the HD serial number and encryps it, it is unique to that particular machine. ...

Have you ever thought about that the harddisk could get defect and has to be changed? - Imagine you are two weeks on holiday while an Administrator at the customer is restoring a backup to a new harddisk and your program does not work. He would need a new key immediately...

[syn_bOy]

Whatever you do, there's always ways for a hacker to break
in and trust me I've been a hacker myself.

When compiling your code VB translate in to Assembly
and hackers simply unassemble the assembly code and
do reserve engineer. So whatever you so, whatever the
security there's always ways for a hacker to use your
software without paying.