Experts opinion wanted


EarthMonkey
04-29-2010, 11:57 AM
Hello guys,
I'd like a simple opinion about a licensing scheme. It's not supposed to be "the perfect license system" nor to be uncrackable, but to keep the non-professional from doing something illegal or unwanted.

I'd like to hear your opinion about the crackability of this concept.

How does it work?
Licenses are simple text files containing lines with comments and lines with key/value pairs. Values can be plain text or encrypted (Rijndael) and B64 encoded. Values are neither case sensitive nor whitespace dependent.

The file itself contains a signature which is made up of an MD5 hash (SHA1 doesn't seem to bring any advantage in this situation) which is then encrypted (Rijndael-256) and stored as a B64 encoded value. Basically the signature is calculated over all lines, excluding comment lines, whitespaces and newlines, and then appended to the file as a key/value pair. This is just to be able to send licenses as plain text by email, etc.

The "code" to read, decrypt and verify is in an assembly which is merged into the main assemblies and then protected using SmartAssembly. Different keys are used for values and signatures, the keys are themselves encrypted into the app before final protection.

Do you see any general flaw (besides "there is no real protection", etc.)?
What's the estimated effort to crack the system? Can a license generator be created with moderate effort?
And most importantly: would it keep the Sunday hacker out?

Thanks for your thoughts

kao
04-29-2010, 03:50 PM
What you describe is reasonably good. Using SmartAssembly should stop the "Sunday hacker" or, at least, slow him down considerably.

General flaw No.1 - licensing should not use symmetric algorithms like Rijndael and MD5/SHA1 hash. Rijndael keys can be extracted from your application and MD5/SHA1 can be calculated at any time. Properly implemented RSA, however, is close to being unkeygenable. .NET provides all the necessary functionality, so there is no reason not to use it.

General flaw No.2 - you did not describe how the licence will be verified. If your licensing scheme only sets a boolean variable IsRegisteredVersion or has a function like checkIfRegistered(), it's trivial to patch and therefore useless.
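The asymmetric alternative kao describes, as an added example that is not code from the thread or from any poster's product: the vendor signs the canonical license text with an RSA private key and the shipped application holds only the public key, so extracting it does not let anyone issue licenses. It assumes a current .NET runtime (`RSA.Create(2048)`), `#` comment lines and a `signature=` key, none of which the thread specifies, and it keeps a newline between lines so that line boundaries are covered by the signature.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Strip every whitespace character (also removes '\r' from CRLF files).
    static string Squeeze(string l) => new string(l.Where(c => !char.IsWhiteSpace(c)).ToArray());

    // Bytes that get signed: whitespace-free, lower-cased key/value lines,
    // without comment lines ('#', assumed) and without the signature line itself.
    static byte[] Canonical(string text) =>
        Encoding.UTF8.GetBytes(string.Join("\n", text.Split('\n')
            .Select(l => Squeeze(l).ToLowerInvariant())
            .Where(l => l.Length > 0 && !l.StartsWith("#", StringComparison.Ordinal)
                        && !l.StartsWith("signature=", StringComparison.Ordinal))));

    // Vendor side only: needs the private key, which never ships with the application.
    static string Sign(string body, RSA privateKey)
    {
        byte[] sig = privateKey.SignData(Canonical(body), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return body.TrimEnd() + "\nsignature=" + Convert.ToBase64String(sig) + "\n";
    }

    // Application side: the public key can verify a license but cannot create one.
    static bool Verify(string license, RSA publicKey)
    {
        string sigLine = license.Split('\n').Select(l => Squeeze(l))
            .LastOrDefault(l => l.StartsWith("signature=", StringComparison.OrdinalIgnoreCase));
        if (sigLine == null) return false;
        try
        {
            byte[] sig = Convert.FromBase64String(sigLine.Substring("signature=".Length));
            return publicKey.VerifyData(Canonical(license), sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (FormatException) { return false; }   // signature value is not valid Base64
    }

    static void Main()
    {
        using (RSA vendor = RSA.Create(2048))
        using (RSA app = RSA.Create())
        {
            app.ImportParameters(vendor.ExportParameters(false));   // public half only
            string lic = Sign("# constructed sample license\nUsers = 5\nDomain = example.com", vendor);
            Console.WriteLine(Verify(lic, app));                                       // as issued
            Console.WriteLine(Verify(lic.Replace("Users = 5", "USERS=5"), app));       // case/whitespace changed
            Console.WriteLine(Verify(lic.Replace("Users = 5", "Users = 500"), app));   // value edited after signing
        }
    }
}
```

This addresses only flaw No.1; a patched `Verify` still returns whatever the patcher wants, which is flaw No.2.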

gus
04-29-2010, 03:52 PM
If your software is free, your software will never suffer the attack of crackers ;)

All protections are at risk of being unprotected by someone, be it in a long or short time.
But the surest protection is the hardware needed to run; if the hardware is manufactured in-house, it is more difficult to find and make the checkout.

I'm sorry for not being able to help.

EarthMonkey
04-29-2010, 04:52 PM
Kao, thanks for the reply. Your idea of using RSA was considered for the design but for simplicity reasons (both technical and administrative) we chose Rijndael (which is also provided by the .NET Framework as you may know). But we may fall back when problems arise.
The "verification" of the license is not based on yes/no (besides the fact that a license exists or not), but on the key value pairs in the license, like number of users, domain names, emails, etc., so the values are mostly operational data.
Of course this can also be patched similar to a bool, yet it requires patching for a determined location.

I wouldn't use this scheme for a desktop, end-user application, where it mostly doesn't matter which username is used or how many users are licensed as long as it's at least one.

Again, thanks for the input.

[Please do not reply to yourself. Use the Edit button to add to the first post]

Gus, I really wouldn't mind to make it free, if I had other means of living ;) Unfortunately I don't, thus I must try to "keep the honest people honest".

Agreed on the hardware, it's a lot harder but depending on the gain it can also be solved (reminds me of homebuilt dongles for the VC20 and C64, centuries ago).

gus
04-29-2010, 05:22 PM
.......
Gus, I really wouldn't mind to make it free, if I had other means of living ;) Unfortunately I don't, thus I must try to "keep the honest people honest".

Of course, you're right ;)

bball0002
05-01-2010, 12:44 AM
I see two small problems with this.

1.) You are relying on a commercial obfuscator (SmartAssembly) that has been cracked in almost every version to protect your licensing system. I suggest you check out better protection, such as DnGuard.

2.) While a keygen would be difficult because it would take time to reverse all of your crypto functions, you are not taking into consideration that your entire license system could be bypassed by editing the IL code in your app. I would recommend hiding many checks to the license in various parts of your code, that will crash the application if it detects anything out of order. This will keep most crackers away from your application, unless they are really determined. And if they're determined to crack your app, then you're doing a good job :).