0

Imagine I wrote some software on .NET which will run on a client machine. Is it possible to detect that someone copied my software to a different computer? (Assuming my software can connect to a remote server, which it could use to aid in copy detection.) If yes, how?

Without using a hardware approach.

Indeed, I am concerned about the case where an attacker copies the software and executes it.

  • Is the software only targeted to run on one machine? – Neil Smithline Dec 14 '15 at 17:41
  • @NeilSmithline What do you mean? No different machines can have this software installed. –  Dec 14 '15 at 17:42
  • Have you looked at license management & DRM? (We're ignoring permissions here.) The software could try to phone home on install, the software could work only in the presence of a license file which is keyed to the hardware, the software could phone home if there is no license file. Check into your legal/copyright protections (varies with area). Recognize, however, that you'll cut into your user base; I won't install that software on my computer, I'll choose software from a competitor who treats me like a human being. – MCW Dec 14 '15 at 17:44
  • 1
    I'm not sure that I like that as a duplicate @Xander. I believe the OP used the word _copy_ but meant _copy then execute_. Preventing execution on a different machine seems a bit different than just copying the files. That said, I think this question is also off-topic. – Neil Smithline Dec 14 '15 at 20:12
  • @NeilSmithline Agreed, but the question I marked it as a duplicate of is quite similar, despite the "copying files" question title. – Xander Dec 14 '15 at 20:20
  • You're correct @Xander. I didn't read the question closely enough. – Neil Smithline Dec 14 '15 at 20:22
  • 1
    What do you mean without hardware? Not having to use a hardware dongle of sorts, or not being able to use the computer's hardware to identify the system? One common method some software developers use is to take details from the hardware, like the serial of the hard drive or some other unique identifying information they could get from hardware. Keep in mind it isn't bulletproof. For example, there is plenty of software out there to spoof this information. So while it might deter most, it won't prevent someone from bypassing this if they discover how this is done. – Bacon Brad Dec 14 '15 at 21:35
  • @BradMetcalf: I meant dongle. Yes computer fingerprinting is one approach I am thinking of –  Dec 14 '15 at 21:42
  • @NeilSmithline Yes I mean copy and execute –  Dec 14 '15 at 21:43
  • @MarkC.Wallace Can you please elaborate on your approaches? Honestly, I didn't get how any of those work –  Dec 14 '15 at 21:54

1 Answer

6

There is a lot of information you can acquire about the hardware of the computer your program is running on, including serial numbers of individual pieces of hardware (consult Stack Overflow for code examples). This gives you a pretty accurate fingerprint of the system.

If you have your software "phone home" by contacting your server at startup, it can send you that fingerprint to tell you which machine it is executed on. If you receive far more such fingerprints than you sold licenses, then something is wrong.

However, this won't tell you from whom the pirate obtained their copy. You could find that out by only distributing personalized copies of your software: Include a serial number in each copy you sell. Send the serial to the server together with the hardware fingerprint. When your server receives the same serial number with a different hardware fingerprint, you know which of your customers pirated it and you can take legal action.

But there are, of course, countermeasures the pirates could take:

  • Find the serial-number in your software and change it to hide the source
  • Use a personal firewall to block the phoning-home feature
  • When the software won't run without phoning home, crack the software to suppress the phoning-home feature
  • Crack the phoning-home feature to send false hardware fingerprints

Unfortunately there is not much you can do about this. Once your software is on hardware you don't control, it's no longer your software.

The software industry has been trying to develop software-based copy protection since the invention of the floppy disk. So far they haven't succeeded in creating a solution which withstood serious cracking attempts from the piracy community, despite investing millions of dollars and using some ethically questionable methods (like modifying the user's operating system).


I am also a software developer and I have come to the realization that there are really only two ways to make money with consumer software:

Method 1: Tie your software closely to a subscription-based online service. Consider the service your actual product and the client software a free tool to use it.

Method 2: Simply accept that only those people who really want to pay for your software will pay for it and the rest of the world will pirate it.

Philipp
  • I think the answer would be stronger if you clarified that by _copy_ you mean _copy and execute_. While I assume that is what the OP meant, I think mentioning it may help others. – Neil Smithline Dec 14 '15 at 20:09
  • @NeilSmithline: Indeed I meant copy and execute. –  Dec 14 '15 at 21:42
  • @Philipp: can you explain what you mean with phone call? –  Dec 14 '15 at 21:44
  • I think it means that the software is connecting to a server, likely a licensing server, to determine if the app can or cannot run. – Neil Smithline Dec 14 '15 at 21:44
  • @NeilSmithline I meant that to Philip. Still I don't get how phone call protects from copy and execute –  Dec 14 '15 at 21:44
  • @user200312 When we say an application "phones home" it means it "contacts a server owned by the developers". – Philipp Dec 14 '15 at 22:12
  • @Philipp: Aha, so you mean when the application is first run on a computer it sends the serial and hardware fingerprint to the server. The server stores it. Then on each launch the app will resend this information, and if the server sees that the serial and hardware fingerprint don't match (because it has them in its database), the server will raise an alarm? –  Dec 14 '15 at 22:22
  • @user200312 Yes, that's how it works. As Philipp said already, there are ways around this too, but if you did it right, these ways require quite an effort, to the point that no one will even try. [Btw., if two clients with the same HW ID and serial are active at the same time, that's an alarm reason too] – deviantfan Dec 14 '15 at 22:35
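
The server side of the scheme discussed in the answer and its comments, as an added example that is not part of the original thread: a serial is bound to the first fingerprint it reports, a later check-in with a different fingerprint is flagged, and two live sessions for the same serial and fingerprint are flagged as well. The class and function names, the session-ID and heartbeat-window mechanism, the keyed hashing of the fingerprint and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
HEARTBEAT_WINDOW = 300                # assumption: seconds a session counts as live


def fingerprint_digest(hardware_ids):
    """Keyed hash of the reported hardware IDs, so raw serials are not stored."""
    canonical = "|".join(sorted(hardware_ids)).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


class LicenseServer:
    def __init__(self, sold_serials):
        self.sold = set(sold_serials)
        self.bound = {}      # serial -> fingerprint digest stored at first run
        self.sessions = {}   # serial -> {session_id: time of last check-in}

    def check_in(self, serial, hardware_ids, session_id, now):
        if serial not in self.sold:
            return "unknown_serial"
        digest = fingerprint_digest(hardware_ids)
        first = self.bound.setdefault(serial, digest)
        if not hmac.compare_digest(first, digest):
            return "fingerprint_mismatch"   # same serial, different machine
        live = self.sessions.setdefault(serial, {})
        for sid in [s for s, seen in live.items() if now - seen > HEARTBEAT_WINDOW]:
            del live[sid]                   # forget sessions that stopped reporting
        live[session_id] = now
        return "concurrent_use" if len(live) > 1 else "ok"


def demo():
    # Constructed sample data: one sold serial, two machines.
    server = LicenseServer({"SN-0001"})
    pc_a = ["disk:CONSTRUCTED-A1", "board:CONSTRUCTED-B1"]
    pc_b = ["disk:CONSTRUCTED-A2", "board:CONSTRUCTED-B2"]
    return [
        server.check_in("SN-0001", pc_a, "s1", now=0),     # first run binds pc_a
        server.check_in("SN-0001", pc_b, "s2", now=10),    # copy on another machine
        server.check_in("SN-0001", pc_a, "s3", now=20),    # second live session
        server.check_in("SN-0001", pc_a, "s4", now=1000),  # earlier sessions expired
        server.check_in("SN-9999", pc_a, "s5", now=1000),  # serial never sold
    ]


if __name__ == "__main__":
    print(demo())
```

The verdicts are only as trustworthy as the values the client reports, which is the limitation the answer's list of countermeasures describes.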