implementing copy protection

hi,

i know this is a topic that has some prejudices, however some projects just need a protection to remind the user that the way he is using the product isn't what he paid for.

so i am looking for hints how to implement an online and telephonic authentication that allows an installation to run for a specific time.

i already have some ideas, however they lack some parts.

the client does:

  • using the uuid.getnode() i can identify the computer
  • using a serial number i can identify an available license
  • possibly the time of the computer should be included as well to prevent time manipulations
  • those must be combined and transmitted (max 16 ascii-characters) (i’m lacking a method here how to compact this information)
    -> is sent to the server

the serial number:

  • must contain a checksum (prevent entering it wrong) (md5 or what should be used for that?)

upon receiving the message by the server:

  • the server extracts the hostId, serialId and hostTime
  • if the hostTime is valid (± 3d)
  • if the serialId is not associated with any host except the hostId
  • generate an authentication-return-code

this authentication-return-code should contain:

  • how long the license is valid (license-end-date)
  • contain the hostId (maybe encrypted using it?)
  • be a maximum of 16 ascii-characters
  • contain a function code, decryption code or anything similar that the client needs for running the application
    -> is sent to the client

the client extracts the information (either just entered or from a stored file):

  • decrypt the message by using the hostId (if the host is changed, the return code can't be extracted)
  • check the computer time against the license validity time
  • extract the function, decryption or similar code and use it to run the application

some questions on this topic which i haven't tried yet:

  • can i manipulate a local Multifile (store something within it)

  • what if it’s run from a website, is the file cached (and manipulatable)

  • in case this isn't possible, what would be a platform independent path that could be used for storing such information?

  • anybody knows if this method is patented? (i haven't found such a patent yet, but it’s so obvious somebody must have had this idea already :wink:)

  • any additional things i’m missing?

thanks

another thing,

i’d like to add individual encryption. this would allow me to share the code and use it among multiple projects. however this seems to be quite complicated to implement in a way that does not only add more complexity to the implementation, but also yields some additional security.
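One way to fit the request and the return code described above into 16 ASCII characters each, as an added example that is not part of the original thread: 10 bytes encode to exactly 16 base32 characters. The field widths, the truncated SHA-256 check byte, and the HMAC key shared by server and client are assumptions; a shared key is used because 80 bits cannot hold a public-key signature such as Ed25519 (64 bytes).

```python
import base64, hashlib, hmac, uuid

# Days are counted since 1970-01-01 (16 bits last until 2149).
# Assumed layout, 10 bytes = 16 base32 characters:
#   request: host(4) + serial(3) + client day(2) + check(1)
#   license: expiry day(2) + truncated HMAC-SHA256(8)

def host_id(node=None):
    """32-bit host id: truncated SHA-256 of the 48-bit uuid.getnode() value."""
    node = uuid.getnode() if node is None else node
    return hashlib.sha256(node.to_bytes(6, "big")).digest()[:4]

def make_request(serial, day, node=None):
    """Client: build the 16-character code that is sent or read over the phone."""
    body = host_id(node) + serial.to_bytes(3, "big") + day.to_bytes(2, "big")
    check = hashlib.sha256(body).digest()[:1]   # catches typos only, not forgery
    return base64.b32encode(body + check).decode("ascii")

def parse_request(code):
    """Server: return (host, serial, day) or raise ValueError on a bad code."""
    raw = base64.b32decode(code.upper())        # raises ValueError on bad input
    if len(raw) != 10 or hashlib.sha256(raw[:9]).digest()[:1] != raw[9:]:
        raise ValueError("mistyped request code")
    return raw[:4], int.from_bytes(raw[4:7], "big"), int.from_bytes(raw[7:9], "big")

def issue_license(code, key, today, valid_days, max_skew=3):
    """Server: check clock skew, then bind expiry to host and serial."""
    host, serial, day = parse_request(code)
    if abs(day - today) > max_skew:
        raise ValueError("client clock outside the allowed window")
    # The lookup "serial not already bound to another host" would go here.
    expiry = (today + valid_days).to_bytes(2, "big")
    msg = host + serial.to_bytes(3, "big") + expiry
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return base64.b32encode(expiry + tag).decode("ascii")

def check_license(lic, serial, today, key, node=None):
    """Client: recompute the tag from the local host id, then check expiry."""
    raw = base64.b32decode(lic.upper())
    msg = host_id(node) + serial.to_bytes(3, "big") + raw[:2]
    good = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(raw[2:], good) and today <= int.from_bytes(raw[:2], "big")
```

The expiry travels in the clear and is authenticated rather than encrypted, so the client can display it. The key embedded in the client can be extracted by anyone who decompiles it.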

Here there is an example where you use a multifile for writing, is that what you’re searching for?

it’s more of a: when a p3d file, which is a multifile, is run. is it mounted read-write? and if it’s run within a browser, is it cached locally, so a manipulation would be stored locally and not overwritten every time i run it? or do i need an alternative way to store local information?

Running your application from within a virtual machine will make it easy to render your copy protection ineffective. So maybe disallow users to run your code from a VM.

I like the words you have chosen. It’s true, copy protection is not meant to prevent copying, but to remind users that they are not allowed to do so.

I don’t know if a 100% safe method is real.

If the code returned by the server is based on the data sent by the client then using a statistical method one can make a key generator.

Once you get a copy of the program authorised, then you have a valid return code for that date. You can set the system time to that date, make a hoax proxy that returns that code and you have a lifetime license.

Shipping the application encrypted only works if it won’t ever be decrypted.

And whatever you do, a program can be decompiled if someone has the time, and all protections skipped.

If that fails there are memory hacks and fake system calls.

You can’t win this war, you can only make it hard for the enemy and hope they won’t bother.

I don’t know if there is a way to operate “inside” the p3d: actually I work outside the p3d, storing the files I need in the start folder which is created when you run a p3d file (locally or from browser).

i don't wanna go down all the way with the discussion that copy protection is breakable and if it’s good or bad.
it’s about making clear that i want some compensation for the time i invested. sometimes one just copies or installs the product on another computer and forgets that they didn't pay for it. (it’s not a home-user product, it’s installed in exhibitions)

The p3d files are not meant to be writable. It’s probably best to do something as yaio suggests: store any local information needed in the start folder (or in a sub-folder of your own name).

David