I made a Windows application in C# with a SQL database, and I want to sell this application, so I protected my application by the following steps:
- Create the serial number of the application based on the fingerprint of the client PC.
- Put this serial number in the database to check it against the fingerprint whenever the program is started.
What is the expected hacking on this application, and how do I protect my application against it?
Updated 27-Feb-11 5:14am

If you simply validate the serial number from the DB against the input, it is not secure. The if (input serial == db serial) is just a simple jump instruction in the disassembly. Changing the jump the other way is just changing a byte value in a hex editor.

What you can do is have the serial digested with a salt; the serial and the resulting hash after digestion have to be custom encrypted and stored in global memory. Your decryption function should be strong enough that it is not possible to reverse engineer. Check the validity of this salt-digested hash against the serial in many places of your application. Then it is not a simple jump, and the hacker cannot escape from providing a valid serial or completely reverse engineering your app.

Apart from that, keep the serial in the database encrypted.

Hope this helps.

I am adding more points here as per your question.

A lightweight comparing function based on two global variables will not be a significant issue in performance, so it can be called in many places.

Keeping fake function names only helps to prevent newbie hackers.

The detailed workflow of what I suggested here is...

1) When the user swipes, digest the input serial in some way and store it in the app memory, not encrypted the same way as you did for the original serial, because if you did it the same way this input is supposed to result in the same hash you stored in the database. As you are going to get the real hash also in the app, a hacker can swap the real hash for the input hash, and then the comparison of both turns out fruitful. So this input has to be hashed in a different way than you did for the original hash, and it results in a different hash.
2) Get the encrypted serial from the database and store it in memory.

3) Now the input hash you stored in step 1 and the real hash from the database in step 2 have to be subjected to mathematical operations. For example, if the user inputs/swipes incorrectly, the mathematical operations may result in zero. Dividing another number by this zero will result in an exception. So if an incorrect serial is provided it will result in an exception. On the exiting event you can show the message of an unauthorized user.

The basic idea is not to use an if condition, but a complex mathematical operation which results in an exception if the correct serial is not provided.

Checking this function in different major functions of your app doesn't significantly affect the performance, as it is simply a few math operations on two variables in memory which cost a few CPU cycles, not a big issue on present-day computers. However, the little performance issue (though insignificant) will be a tradeoff when security is given importance.
Comments
firas_hamzeh 28-Feb-11 2:45am
Mr. AlbinAbel, thanks for your answer.
I used the salt-digested hash as follows:
after getting the fingerprint of the PC, which is a combination of some hardware serial numbers, I insert some pad data and finally apply a hash function like MD5 to get the final serial. This serial is stored in the database.
You recommend that I check the serial in different places of my application; do you mean that I start a thread to do this in order not to affect my application performance? You know, getting the hardware serial number takes considerable time.
I have other questions:
When writing the functions for the security issue, is it useful to give these functions and variables fake names, to make understanding the code after reverse engineering harder for the hacker?
If I distribute these functions in different places in my application, does this make the hacking harder when trying to reverse engineer?

Thanks for being helpful.
Albin Abel 28-Feb-11 3:57am    
I improved the answer as per your questions
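The following block is an added example, not code from either poster: it shows the answer's idea of a salted digest of the machine fingerprint that is verified in several places rather than by a bare equality, and it uses HMAC-SHA256 in place of the MD5-over-padded-data serial described in the comment above. The product secret, the fingerprint format and the sample values are assumptions made up for the example.

```csharp
// Added example (not from the original posts): a keyed digest of the machine
// fingerprint checked in several places, instead of a single
// `if (input == dbSerial)` that compiles to one conditional jump.
using System;
using System.Security.Cryptography;
using System.Text;

public static class LicenseCheck
{
    // Assumed: a per-product secret compiled into the application. Anyone
    // who has the binary can recover it, so this raises the cost of tampering
    // but cannot make a client-side check tamper-proof.
    private static readonly byte[] ProductSecret =
        Encoding.UTF8.GetBytes("example-product-secret-change-me");

    // Derive the serial from the hardware fingerprint with HMAC-SHA256 rather
    // than MD5 over padded data: the key acts as the salt, and SHA-256 has no
    // known practical collisions, unlike MD5.
    public static string SerialFor(string fingerprint)
    {
        using (var hmac = new HMACSHA256(ProductSecret))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(fingerprint));
            return Convert.ToBase64String(mac);
        }
    }

    // Compare in constant time so the check does not leak where the serial
    // first differs (on .NET Core 2.1+ CryptographicOperations.FixedTimeEquals
    // does the same). Returns false instead of throwing so each caller decides
    // how to react; the answer suggests calling this from several major
    // functions, not only at startup.
    public static bool Verify(string fingerprint, string storedSerial)
    {
        byte[] expected = Convert.FromBase64String(SerialFor(fingerprint));
        byte[] supplied;
        try { supplied = Convert.FromBase64String(storedSerial); }
        catch (FormatException) { return false; }

        int diff = expected.Length ^ supplied.Length;
        for (int i = 0; i < expected.Length && i < supplied.Length; i++)
            diff |= expected[i] ^ supplied[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample fingerprints; a real one would be built from the
        // hardware identifiers mentioned in the comment above.
        string thisMachine  = "CPU:0000|HDD:0000|MAC:000000";
        string otherMachine = "CPU:1111|HDD:1111|MAC:111111";

        // What the installer would write to the database for this machine.
        string serialInDb = LicenseCheck.SerialFor(thisMachine);

        Console.WriteLine(LicenseCheck.Verify(thisMachine, serialInDb));
        Console.WriteLine(LicenseCheck.Verify(otherMachine, serialInDb));
    }
}
```

Because reading hardware identifiers is slow, compute the fingerprint once at startup and re-verify the cached value at the points the answer suggests; each re-check is then only an HMAC over a short string.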
It's very hard to say what the security issues in an application are without doing an extensive study of it. If it is a Windows application then you should check for common security vulnerabilities in Windows client applications. If it is going to connect and communicate on a network at some point, then you have a different story. It depends on how your application was built and what it's going to do. If it's got a database, you should start with the preliminaries: SQL injection attacks, password hash attacks, etc.
Comments
firas_hamzeh 28-Feb-11 2:58am
Mr. markFaction, thanks for your answer.
My application doesn't work on a network; the database and the application are on the same PC, which means that the SQL Server is on the same PC.
I'll store the serial number in the database to check it whenever the application is started. Then how do I protect my SQL database?
If your app and DB are on the same machine (physically), you could for starters obfuscate your code to make it harder to reverse engineer your files:
blogs.msdn.com/b/ericgu/archive/2004/02/24/79236.aspx

You could also secure the DB connection string by encryption:
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
Comments
firas_hamzeh 1-Mar-11 2:23am
Mr. markFaction, thanks for your answer.
The solutions you recommended were suggested in 2004, and now these solutions are too weak and broken.
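As an added example (not code from any of the posts above) covering the two database points raised in this thread for a DB on the same machine, the block below keeps the connection string DPAPI-protected on disk, as the linked MSDN article does for configuration files, and reads the stored serial with a parameterised query instead of concatenated SQL. The table name License, the login license_reader, the blob file name, the entropy value and the placeholder password are assumptions.

```csharp
// Added example (not from the original posts): DPAPI-protected connection
// string plus a parameterised serial lookup for a local SQL Server database.
// Assumes Windows (DPAPI via ProtectedData), a table License(Serial NVARCHAR(64)),
// and that the application runs under the same account that protected the
// string (DataProtectionScope.CurrentUser).
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class DbAccess
{
    // Extra entropy mixed into the DPAPI key; constructed value for the example.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-entropy");

    // One-time step (installer or first run): encrypt the connection string
    // for this Windows user and write the opaque blob beside the application.
    public static void ProtectConnectionString(string plain, string path)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
    }

    // At runtime: decrypt only in memory; nothing readable stays on disk.
    public static string LoadConnectionString(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    // Vulnerable pattern (the "SQL injection" point above): a value the user
    // or a local attacker can influence is pasted straight into SQL text,
    // so it can change the meaning of the statement.
    public static string UnsafeLookupSql(string serial)
    {
        return "SELECT COUNT(*) FROM License WHERE Serial = '" + serial + "'";
    }

    // Hardened pattern: the serial travels as a typed parameter and is never
    // parsed as SQL, whatever characters it contains. Grant the login used
    // here SELECT on License only, so a compromised client cannot rewrite
    // the licence table.
    public static bool SerialExists(string connectionString, string serial)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
                   "SELECT COUNT(*) FROM License WHERE Serial = @serial", conn))
        {
            cmd.Parameters.Add("@serial", SqlDbType.NVarChar, 64).Value = serial;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    public static void Main()
    {
        const string blobPath = "conn.bin";
        // Constructed connection string for a local instance; the password is
        // a placeholder (a Windows-authenticated login needs none).
        ProtectConnectionString(
            "Server=.;Database=LicenseDb;User Id=license_reader;Password=<placeholder>;",
            blobPath);

        string cs = LoadConnectionString(blobPath);
        Console.WriteLine(SerialExists(cs, "serial-from-fingerprint"));
    }
}
```

DPAPI ties the blob to the Windows account (or machine, with DataProtectionScope.LocalMachine), so an attacker who copies the file elsewhere gets nothing usable; the parameterised query removes the injection class regardless of what ends up in the serial.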

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)