Question

I'm developing a program in C#. It connects to the internet to see if this copy is valid.

Currently I'm just sending the licence key and getting a response (0 or 1) if the key is valid.

The problem is that some users just fake the data with some packet capturing tool and replay it. So the application is very easy to crack. How can I prevent this?

Here is what I essentially want to prevent:

  • Network replay attacks
  • Authentication "emulators"

It should be impossible to find out what data is sent. Maybe I should add the current time and then encrypt the packet? So it's always different?

Attention: Please don't warn me that it's easy to crack the application itself by modifying it. I know that. This question is only about the network part.


Solution

If you use SSL or HTTPS then you don't have to worry about users cracking the data packets. This is easy because the libraries already exist and are easy to implement. With C# and IIS, for example, it is just a matter of installing the certs and changing a few configuration items (maybe a recompile with some slight code changes).

OTHER TIPS

Assuming you actually want to prevent license abuse there are far better ways to do this. The "phone home" approach is easy to roll yourself, but as you've noticed it's full of holes.

Disclaimer: I work for a company that makes commercial tools to solve these license management and copy-protection issues. There are other similar products available from a variety of vendors.

This isn't that different from thinking about how to do setup for your application. Choices are roll your own or buy an existing 3rd party toolset. Rolling your own at first blush may seem cheaper, but that's perhaps only because you haven't really discovered all the true requirements to create something robust and reliable. The 3rd party tool vendor needs to charge for their products, but they've spent years discovering all the issues with this particular problem set and have solved the problems. So that eliminates work for you and leaves you free to focus on where your application can add value.

The difference is if you get setup wrong your users will be irritated; if you get copy protection wrong your product will be pirated.

In any event, reducing license validation checking to a binary "either/or" condition is extremely easy to crack--doing that check over the net makes it 10 times easier (record playback attack). Modern approaches encrypt the executable and the license is contained in the key to decrypt it (this is an oversimplification since the actual methodology includes a lot more complexity to make it virtually impossible to get around). Only by having a valid license can the executable be decrypted on program load and run.

If you want to do it the way you've described, consider this: Have the app use a predictable, changing value (such as a lookup from a table of random numbers coupled with some external value like time) to create some kind of hash. Have the server implement the same code. The server sends the hash to the app, which compares it to its own hash. If they match, the app is allowed to run. If they don't, it errors out. Since the hash is different on every startup attempt, recording it over the network won't allow the user to get it to run the next time it tries to start.
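
A sketch of the "different on every start-up" check described in the answer above, as an added example that is not part of the original answer. It goes beyond the shared hash: the client sends a fresh random nonce and the server signs its verdict with ECDSA, so the client holds only a public key and a recorded reply fails on the next run. The class and method names, the sample licence key, and .NET 6 or later are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class LicenceCheckDemo
{
    // Signed bytes: nonce || licence key || verdict byte.
    // The nonce is always 16 bytes and the verdict is the last byte, so the layout is unambiguous.
    static byte[] Transcript(byte[] nonce, string licenceKey, bool valid) =>
        nonce.Concat(Encoding.UTF8.GetBytes(licenceKey)).Append(valid ? (byte)1 : (byte)0).ToArray();

    // Server side (hypothetical): decide, then sign the verdict bound to this request's nonce.
    static (bool Valid, byte[] Signature) ServerRespond(ECDsa privateKey, byte[] nonce, string licenceKey)
    {
        bool valid = licenceKey == "DEMO-1234-ABCD"; // constructed stand-in for a database lookup
        return (valid, privateKey.SignData(Transcript(nonce, licenceKey, valid), HashAlgorithmName.SHA256));
    }

    // Client side: accept only a positive verdict signed over the nonce it generated for this run.
    static bool ClientAccepts(ECDsa publicKey, byte[] nonce, string licenceKey, (bool Valid, byte[] Signature) reply) =>
        reply.Valid && publicKey.VerifyData(Transcript(nonce, licenceKey, true), reply.Signature, HashAlgorithmName.SHA256);

    static void Main()
    {
        using ECDsa serverKey = ECDsa.Create(ECCurve.NamedCurves.nistP256); // private key stays on the server
        using ECDsa clientKey = ECDsa.Create();                             // client ships with the public half only
        clientKey.ImportSubjectPublicKeyInfo(serverKey.ExportSubjectPublicKeyInfo(), out _);

        const string key = "DEMO-1234-ABCD"; // constructed sample licence key
        byte[] nonce1 = RandomNumberGenerator.GetBytes(16);
        var reply1 = ServerRespond(serverKey, nonce1, key);
        Console.WriteLine("fresh reply accepted:    " + ClientAccepts(clientKey, nonce1, key, reply1));

        // Next start-up: the client picks a new nonce, so the reply recorded above no longer verifies.
        byte[] nonce2 = RandomNumberGenerator.GetBytes(16);
        Console.WriteLine("replayed reply accepted: " + ClientAccepts(clientKey, nonce2, key, reply1));

        // A genuine "invalid" reply with its verdict flipped: the signature covers the verdict, so it fails.
        var denied = ServerRespond(serverKey, nonce2, "BAD-KEY");
        Console.WriteLine("altered verdict accepted: " + ClientAccepts(clientKey, nonce2, "BAD-KEY", (true, denied.Signature)));
    }
}
```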

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow