When you’re done writing your application and everything is ready for launch, the final step is licensing your application. Licensing is the process of avoiding casual piracy in your software product and there are multiple ways to this in .NET.
The first thing you should know is that applying licensing to your app doesn’t mean that it won’t be pirated. There are two kinds of piracy in the software market: casual piracy and actual piracy. The actual piracy is when someone or a company is decided on using an unlicensed product and will do whatever is necessary to get it. This includes getting fake serial numbers or cracking the application. You can’t stop this kind of piracy from happening. There’s nothing you can do in your application that wouldn’t allow a person to deobfuscate your code and inject their own to prevent licensing from working.
But casual piracy is different. You can find this one generally inside companies when they have purchased a license of a product for five users. Then all of sudden they need an extra one a, sixth user, and they just proceed to install it and use it. This is the one we want to prevent. Their intent isn’t to pirate or crack the application, they’re just doing it because they can or it’s just temporary.
The most well-known way of protecting .NET software is using the public/private key mechanism or digital signatures. With this system, a private key is used to sign a document and a public key is used to verify that the document was signed using the private key. After the document has been originally signed, it cannot be altered. Changing its contents, will break validation using the public key.
Encrypting the data isn’t useful because you’ll need the encryption key to be present in the program to decrypt the document. The pirate could simply take a look at your IL code using any disassembler, take the key and unencrypt the file, change it and encrypt it again.
For your product, you can for example create an XML file that contains information about the user, company, serial number, what features the license allows and trial information. Then you can sign the XML using a private key and distribute this file as the license. Nobody will be able to modify the file because they don’t have the private key. This one is stored (safely somewhere) in your computer and never distributed. For creating the license file and delivering it to the user you can use online activation. This is the method used by Windows and Office and are the ones users are more familiar with so you don’t need to do any training or let them go through a manual process for copy the license file.
The only downside to using digital signatures is that a hacker can create its own private/public key pair and inject this into your program. You can prevent this from happening by using signing your code using the strong name utility (SN.exe) that comes with Visual Studio and tell it to sign your assembly. By doing this, the runtime will always check the assembly hasn’t been altered before loading the application.
Obfuscation can also help, making it difficult for the person trying to crack your product. The person won’t be able to easily understand the code and adds an extra layer of complexity to the hacking process. But we need to keep mind, that users decided to crack the program, will find ways to deobfuscate it.
Also, you can spread the method for validating your app all over the place. This will make it more difficult for the cracker to inject its code in the product.
In conclusion, follow all these practices and you’ll get a better chance at protecting your application. Using obfuscation, strong name signing and digital signatures for the license file are effective at protecting your property.
Below you can find demo code for signing a document using a private key:
public XmlDocument SignXmlDocument(string licenseContent, string privateKey)
{
RSA key = RSA.Create();
key.FromXmlString(privateKey);
XmlDocument doc = new XmlDocument();
doc.LoadXml(licenseContent);
SignedXml sxml = new SignedXml(doc);
sxml.SigningKey = key;
sxml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigCanonicalizationUrl;
// Add reference to XML data
Reference r = new Reference("");
r.AddTransform(new XmlDsigEnvelopedSignatureTransform(false));
sxml.AddReference(r);
// Build signature
sxml.ComputeSignature();
// Attach signature to XML Document
XmlElement sig = sxml.GetXml();
doc.DocumentElement.AppendChild(sig);
return doc;
}
This code snippet will validate the document using a public key:
public bool VerifyXmlDocument(string publicKey, string licenseContent)
{
RSA key = RSA.Create();
key.FromXmlString(publicKey);
XmlDocument doc = new XmlDocument();
doc.LoadXml(licenseContent);
SignedXml sxml = new SignedXml(doc);
try
{
// Find signature node
XmlNode sig = doc.GetElementsByTagName("Signature")[0];
sxml.LoadXml((XmlElement)sig);
}
catch (Exception ex)
{
// Not signed!
return false;
}
return sxml.CheckSignature(key);
}
