Binary comparison to prove that a client is using our C++/CLI library

Question

We have being building a C++ library that we are planning on offering as a commercial library + source code with a one-time license fee. Unfortunately the library is built to function fully offline and therefore cannot connect to our servers to validate the license.

Considering we know the client and are able to access their application binaries that possibly contain our library, what tools/process can we use to prove that client X is using our library within application X? What technique can be used to check binary segments to match against binary segments in a built EXE/DLL? I'm looking for something somewhat robust because we are supplying source code which can be further refactored/renamed/obfuscated. Obviously they can't change everything, so some classes and functions should match, allowing us to find it in their EXE/DLL.

Answer 1

If the code you supply has been sufficiently derived away from the original source, then you may not be able to do that. On the other hand, if someone takes this:

int longname = 42;
int othername = 3;
double largenumber = 0.5;
for(int i = 0; i < x; i++)
{
    largeNumber *= longname + othername;
}

and rewrites it as:

int l = 42;
int o = 3;
double n = 0.5;
for(int i = 0; i < x; i++)
{
    n = n * l + o;
}

it will generate exactly the same binary code (obviously, only if you use the same version of the same compiler with the same settings)

So, if you have some fairly complex and unique code in your software package, I'm pretty certain that it's difficult to disguise that without a fair amount of effort - it would probably be easier to rewrite the code completely, just using your general ideas (which of course they could have done in the first place).

Is there at tool that can trivially tell you that "this binary contains this bit of code, as produced by gcc 4.7.3"? Possibly one could be constructed if you do some really specific types of calculations using a set of constants.

If there is enough money in it, you could certainly have an expert reverse engineer look into it, and produce a legal witness statement (probably in the form of a document and then examination by other experts, etc) in court saying that "It is my belief that this code can only have come about by using the source code from Company X".

Now, can you make that stand up in court? That's for a judge and jury to decide. I don't think it's at all easy to do this. But it's not impossible either.

Is there a completely foolproof way to assure this? No, absolutely not. But that applies to just about everything. If you have a contract with someone that says you should do this, mustn't do that, does that mean they aren't physically able to do that? No, it's a legal contract, you take them to court if they break it. Same applies to software. You then have to prove in court that they did what they shouldn't do (or didn't do what they should do), and if your evidence is good enough, you win. If the other guy can defend himself well enough, you lose. Typically, these cases end up being "the one with the most money wins", because there's ways to say "I want this tried in the next level court", and then you end up spending more money on just proving the same thing again (but with more expensive lawyers this time).

Answer 2

There are extremely powerful tools out there that can scan your code to look for 3rd party using source code fingerprints from open source projects. What you do is configure the tool so your code is also broken up into source code fingerprints and then scan the code of the person you believe is infringing on you. Now this is probably only possible if you are in court because how else would you get access to their code. Also using these tools and getting them customized is not cheap. Google open source due diligence and look at some of the top providers Black Duck, EscrowTech and Palamida.