Spoofing online activation protection [closed]
Ok I want to use online activation to protect my software. The users will need an internet connection and need to verify that they have an active account/license to continue using the software. So my software will send out some credentials to my website, where I will verify and send back SOMETHING to allow the program to run or not.
Here's the problem. How do I prevent someone from spoofing the simple SOMETHING that I send back, bypassing my verification altogether?
Two examples:
I remember seeing a program somewhere that allows you to monitor internet traffic and modify it before the traffic returns to the software. I cannot remember the name. In effect, its a man-in-the-middle between what goes out and comes into your computer, before the application sees it. For example, your browser sends a开发者_运维知识库n HTTP request, this program can intercept it and modify the out packet, or vice verse, some HTTP webpage is returned to the browser, and this program can intercept and change the incoming packet and then pass it along to the browser.
The HOSTS file can be changed to redirect traffic to any address. So if someone knows that my verification will return the text "ok_to_use" or "not_ok_to_use", and they know the url that I use to verify, then they can just use the HOSTS file to bypass dns lookup of my website, redirect it to their own site, and always return the string "ok_to_use"
The second example illustrates the problem. I think I need to somehow return something other than a static string. Obviously I can encrypt the string, but it won't take long to figure out that "ok_to_use" equals "7hgx3a" if that is the same encrypted string that always gets sent back. So I would need to send something back that changes all the time.
EDIT/
To the comments/responses saying that there will always just be a final if/then check in the app that flags whether the license is valid or not: Yes thats true. I was hinting towards something like this in the last paragraph of the original post. Perhaps having the web php send back some critical functionality, so that even if the if/then is skipped, if the web check wasn't performed, then the algorithm for some function won't get downloaded, and the app won't work correctly. Anyone have ideas in this vain?
Although I basically agree with Gavin, but this is not the reason to leave your software prone to be hacked by the most stupid and noob hackers ever!
Well, you have many options to prune a large portion of the script kiddies and probably customer employees from the population that threaten your software's licensing mechanism.
I list some of them in the order they cross my mind:
You can use two-way SSL for your client-server connections, it has a little coding overhead but you can make sure that you have sold that version of software that is contacting your licensing server already. You can identify it by the public key that decrypts the sent licensing query correctly.
You can send more complicated tokens than OK_TO_USE, perhaps a value of a mathematical function that returns a number randomly every time it is asked about. Then the client software can be written so that identifies if the number is produced by that specific function.(this can be a more complicated thing than a single integer!)
At least use encryption! or register a certificate so that your client can verify that it has contacted the correct server.
Update your software in a timely manner and change the licensing mechanism every now and then!
Finally, no bullet-proof vest for a software license! you'll get cracked soon or late, but try to sell more and get hacked later. :D
I personally wouldnt bother - there are plenty of different copy protection systems used by professional software products, and every single one of them have been cracked.
No matter how complicated your copy protection system is, at some point in the binary you will have a check to see if the license is valid, all that is needed is to modify this part of the binary to always return true.
Just add a very simple activation system to deter people from passing it to friends, and then spend your time adding new features in order to sell more copies, rather than wasting time trying to prevent professional hackers from copying your software.
If they want to - they will!
You can use public/private key protection when sending messages from the server to the client. These messages cannot be altered and you rest assure the response came from the server.
You can check LicenseSpot that already provides what you're looking for. It has:
- Free Licensing Component
- Private/public key encryption
- API to integrate your app and online store
- Serial number generation
- Revoke licenses
加载中,请稍侯......
精彩评论