PC-Identification techniques
Bob
application that is being executed on an un-authorized machine.
.
techniques we've discussed here in the past have included looking that the
size of the hard disk, volume names, NIC addresses, BIOS serial numbers,
etc. of course, some of these variables, like disk size, are subject to
change, and may lead to a number of nuisance calls for support when disks
get upgraded, etc.
.
while working on this a few questions have popped-up:
1. how does one access BIOS serial numbers?
2. can anyone offer ideas on other methods that would be useful?
3. are there handy ways to read configuration information from the myriad
of system files that are present on a Win98/95 system? which information
would be most useful?
.
regards,
.
Bob Predaina
Indiana, USA
to reply, delete "nospam." from my email address
Wong
1. Sector two on harddisk not use by OS, read master boot record at
sector one then write it to sector two and your EXE, compare what in
your EXE with sector two when program start.
2. CMOS have some unuse area, do a checksum on CMOS data, write it to
that area and your EXE.
3. Create a key disk using Laser Hole technique by simply use a niddle
to punch a hole on that diskette. Format that sector when program
start, if success, that is not a key disk.
Somehow I need to say, no copy protection can withstand DEBUG.EXE.
Regards,
Wong
Wong
> Have you punched before?
Yes, I do, at year 1988 to 1989.
> What is the relation of laser hole and a niddle?
Laser hole are a hole burn/created using laser jet beam, a needle is a
poor man tool for creating the hole, and niddle are poor English for
needle invented by Wong. <g>
Cheers,
Wong
> Hello Wong, :)
> You are really cute when describing the below
>
> > 3. Create a key disk using Laser Hole technique by simply use a niddle
> > to punch a hole on that diskette. Format that sector when program
> > start, if success, that is not a key disk.
>
> Have you punched before?
> What is the relation of laser hole and a niddle?
>
> T.S.LIM
> My new company is named "Highclass Software Design", visitors are welcome!
Wong
I have no habit to run an unknown program at our development machine,
so I use debug.exe to have a look.
C:\WINDOWS\DESKTOP\EMAILS>debug 123456.exe
-u
1B47:0000 BA1000 MOV DX,0010
1B47:0003 0E PUSH CS
1B47:0004 1F POP DS
1B47:0005 B409 MOV AH,09
1B47:0007 CD21 INT 21
1B47:0009 B8014C MOV AX,4C01
1B47:000C CD21 INT 21
1B47:000E 90 NOP
1B47:000F 90 NOP
1B47:0010 54 PUSH SP
1B47:0011 68 DB 68
1B47:0012 69 DB 69
1B47:0013 7320 JNB 0035
1B47:0015 7072 JO 0089
1B47:0017 6F DB 6F
1B47:0018 67 DB 67
1B47:0019 7261 JB 007C
1B47:001B 6D DB 6D
1B47:001C 206D75 AND [DI+75],CH
1B47:001F 7374 JNB 0095
-
Normal program will not have NOP(No Operation) instruction at the
program startup, the NOP usually are the place holder replace by some
programs that do direct modification to executable, this included
virus, copy protection utilities...
When I go down further, I found this:
Borland C++ - Copyright 1995 Borland Intl. CodeGuard cannot be run
with multiple processes CodeGuard Message PKWARE Data
Compression Library (R) for Windows. Copyright 1989-1995 by PKWARE
Inc. All Rights Reserved. Patent No. 5,051,745 PKWARE Data Compression
Library Reg. U.S. Pat. and Tm. Off.
What do you want me to do? Change a byte of the program to bypass
password key checking, or trace until this program unzip it self and
save the memory image to a file, then rebuild this file to a EXE?
Anyway, break password/copy protection, kill virus, data recovery...
All these thing I will not do it just for fun only. :-)
Sorry, I not even try to run the program. :-p
Cheers,
Wong
Lutz Gentkow
first, you can create your own environment variable like SET CLIPPER=...
e.g. SET MACHINE=...,
second, you can create your own INI files and read the information from
there.
Both techniques are not really secure, but perhaps secure enough for
people who don´t know the existence of these settings.
Kind regards from Germany
Lutz
Bob
> e.g. SET MACHINE=...,
> second, you can create your own INI files and read the information from
> there.
regarding the idea of reading the windows' *.INI files - there is some
information in them that is easy enough to grab using a text reading
funciton. but this information is often subject to change as the user
modifies his system configuration. are there any windows system files that
are well preserved over the life of the operating system?
.
beyond reading the *.INI files, how do you read the system registry? is is
possible to use the registry to obtain a user's e-mail address to assure
that your program is running on the right fellow's machine?
.
thanks for your help.
.
bob
Lutz Gentkow
> information in them that is easy enough to grab using a text reading
> funciton. but this information is often subject to change as the user
> modifies his system configuration. are there any windows system files that
> are well preserved over the life of the operating system?
> .
> beyond reading the *.INI files, how do you read the system registry? is is
> possible to use the registry to obtain a user's e-mail address to assure
> that your program is running on the right fellow's machine?
Hi Bob,
do you want to distribute your programs and to copy protect them ?
Then install additionally to your program a text file with special
informations and give them the extension DLL, for example. Only few
people will look in such a file. Add a checksum so you are sure that the
file is not modified. When starting your program control the existence
of this file and the correct checksum.
I have no idea whether it愀 possible or not to read informations from
the registry from a dos program. But Netscape for example doesn愒 store
the e-mail address in the registry but in a text file called prefs.js.
Kind regards
Lutz
Ross McKenzie
<cli...@custombasses.8m.nospam.com> wrote:
>is it
>possible to use the registry to obtain a user's e-mail address to assure
>that your program is running on the right fellow's machine?
Bob,
I am now onto my 3rd email address. What makes you think the "right
fellow" will not change his?
I have been down this path Bob and always come back to using a $35
dongle as the best solution to life's needs to upgrade PC, hard disks,
email addresses, etc. You have probably spent more in time already
trying to avoid spending it.
Regards,
Ross
Bob
> fellow" will not change his?
i am aware of the benefits and the limitations of the dongle technique. my
objective isn't solely to copy-protect software. as others have noted, copy
protection is simple enough to break with debug.exe.
.
i am also working on an automated upgrade system. it would be handy to be
able to have your software automatically "phone home" with an occasional
e-mail/attachment, allowing automated updates of key files, for example.
.
other commerical applications like oil-change perform this sort of task on
much a larger scale.
.
if you could read the email address and smtp server information from windows
system files, you could automate the process, and relieve the user of having
to jump through hoops on a periodic basis.
.
bob
Phil Barnett
<cli...@custombasses.8m.nospam.com> wrote:
>> I am now onto my 3rd email address. What makes you think the "right
>> fellow" will not change his?
>
>i am aware of the benefits and the limitations of the dongle technique. my
>objective isn't solely to copy-protect software. as others have noted, copy
>protection is simple enough to break with debug.exe.
Or softice, which will tell you exactly how to jump over copy
protection.
>i am also working on an automated upgrade system. it would be handy to be
>able to have your software automatically "phone home" with an occasional
>e-mail/attachment, allowing automated updates of key files, for example.
Well, unless you are inside a proxy/firewall.
>other commerical applications like oil-change perform this sort of task on
>much a larger scale.
If you have permission to evade the firewall or proxy.
>if you could read the email address and smtp server information from windows
>system files, you could automate the process, and relieve the user of having
>to jump through hoops on a periodic basis.
And, when we find software that is protected in this manner, we simply
don't buy it.
--
Phil Barnett mailto:midnight @ the-oasis.net
Oasis WWW http://www.the-oasis.net
FTP Site ftp://ftp.iag.net/pub/clipper
Clipper FAQ http://www.the-oasis.net/clipper.html
Harbour Project http://www.Harbour-Project.org
Reality is the leading cause of stress
among those who are in touch with it.
Ed Ratcliffe
It would seem that if I were so fortunate to own a laptop or want to
use your software both at home and at the office your proposed scheme
would force me to purchase a copy for each machine that I was going to
use it on. If this is the case then do not expect a cheque from us.
____________
Ed
Robert Haley
I've always preferred the method of placing a ".key" file in the same
directory as the production .exe, containing (among other things) the
Max. # of Users and (current) fully-qualified installed path.
The ".key" file is encrypted via byte-shifting or XOR'ing the data,
along w/ a prerequisite Byte checksum in the file (can be CRC or other
Byte addition method), this to prevent "casual" user-editing.
-----------------------
To allow in-place upgrades, etc. there are several methods available,
although most follow similiar logic. Here's one:
Display the Checksum on the "Upgrade Screen" along w/ the current
Date.
When the user calls in for upgrade, e.g.: Add user licenses,
You have a companion program that performs ("x") calculation using the
provided file Checksum & System Date of the Remote machine to generate
an "Unlock code" (could be called a "Hash Key", etc.).
You also generate a (new) Checksum code @ your site using the (new) #
of Users, etc. the system is authorized to have (what the user is
requesting).
The user enters the "Unlock" code on the system.
The user then enters the upgrade information. Note: They only get to
this point if they enter a valid "Unlock" code.
The user enters the (new) checksum you provide to them.
The system validates the (new) info. they entered against the (new)
checksum you provided. If it matches, save the ".key" file update.
( Hint: Only generate a partial checksum using the data entered to
validate. Generate a full ".key" file checksum when saving the file. )
If setup properly this process should take about (1) minute max.,
describing the process takes much longer than doing it.
> Unauthorized user
If the application is installed in a multi-user environment, tracking
state of current users against the ".key" file would allow enforcement
of max. users.
I would quickly add that rather than "locking out" the user, it may be
preferrable (and more profitable to you) to ALLOW the user to utilize
the system, with (only a few) stragetically placed "delays" in the
application to "encourage" the (unauthorized) user to register/upgrade.
> BIOS identification, etc. <
You can always go that route, although does "the end justify the means"
in what you're trying to accomplish, namely have a "reasonable" amount
of security in the app. while at the same time trying to "encourage"
users to buy your application and/or upgrade ?
In summary, I prefer using the above method because it does not require
"exceptional efforts" to enforce "reasonable" security, & is not "tied"
to a given (workstation) OS platform (DOS/Win9x/WinNT).
I hope the above helps.
Regards,
Bob
In article <391c3...@news1.prserv.net>,
Sent via Deja.com http://www.deja.com/
Before you buy.
Bob
> And, when we find software that is protected in this manner, we simply
> don't buy it.
Thanks for your feedback, Phil.
.
i agree, all of your suggestions are very reasonable. i understand your
position on this sort copy-protection, which is both reasonable and logical
for someone who is trying to sell software. but i am not selling software,
nor am i looking for customers. rather, i am considering leasing seats on a
custom-built system, which is an entirely different situation.
.
in my case, the client (a large anesthesiology group in another state) has
been through a number of software vendors and billing services over the
years and learned the hard way that none of the commerically available
physician practice management options work very well.
.
they are asking to license my software that is the basis for a successful
anesthesiology billing service. they are in a situation where they want a
unique product that i have, that cannot be obtained anywhere else. they are
also unwilling to spend the prohibitive amount of time and money that would
be involved in the development of an equivalent system. they brought up the
idea of leasing the software, paying a fee for its use each time that a
billing record is generated.
.
i have considered the options of 1) telling the customer that they're
dreaming, and turning them away, or 2) trying to help them on my terms.
.
i am in a position where i do not need the money (i quit working a few years
ago), and i do not need or want their business. if i choose to help them it
will be on my terms.
.
Bob
Wong
For us, we prefer to spend our effort on improving our product,
instead wasting time on copy protection.
We do not mind a bit of piracy of our product, but we will really
worry no body want to use our product due to the trouble cause by copy
protection.
Just personal opinion. :-)
Regards,
Wong
On Mon, 15 May 2000 15:05:21 -0500, "Bob"
<cli...@custombasses.8m.nospam.com> wrote:
>i am aware of the benefits and the limitations of the dongle technique. my
>objective isn't solely to copy-protect software. as others have noted, copy
>protection is simple enough to break with debug.exe.
>.
>i am also working on an automated upgrade system. it would be handy to be
>able to have your software automatically "phone home" with an occasional
>e-mail/attachment, allowing automated updates of key files, for example.
>.
>other commerical applications like oil-change perform this sort of task on
>much a larger scale.
>.
>if you could read the email address and smtp server information from windows
>system files, you could automate the process, and relieve the user of having
>to jump through hoops on a periodic basis.
>.
>bob
Wong
Sorry for my previous message, I had misunderstand you want to do some
copy-protection, that is what I always feel not worth to do.
If what you want are to identify a PC/user, these Win32 API function
may help.
WNetGetUser(), The WNetGetUser function retrieves the current default
user name or the user name used to establish a network connection.
GetUserName(), The GetUserName function retrieves the user name of the
current thread. This is the name of the user currently logged onto the
system.
GetComputerName(), The GetComputerName function retrieves the computer
name of the current system. This name is established at system
startup, when it is initialized from the registry.
GetHostName(), The Windows Sockets gethostname function returns the
standard host name for the local machine.
But you will need to write a small external Windows version C program
to retrieve the information, and write it to a ASCII text file to pass
the result back to your CLIPPER program.
Sorry I can't do this for you, because we do not have any C compiler
on our development machine. But if you don't mind about the files
size(about one MB included DLL), I can link a VO EXE for you. If you
need it, just let me know.
Regards,
Wong
Ed Ratcliffe
Based on that info, I at one time used a software package that was
tied to a transaction and annual license fee structure. If I remember
properly the license had to be renewed annually and at that time the
transaction history was read and uploaded to the vendor who would then
invoice the company. Just one more option.
____________
Ed
Bob
> Based on that info, I at one time used a software package that was
> tied to a transaction and annual license fee structure.
thanks for your feedback, Ed.
.
bob
Wong
I think someone here may want to know how to use external executable
to help in CLIPPER programming, so posted here also.
If anyone interested, please download from:
http://members.xoom.com/n_s_wong/getcomna.zip
http://www.angelfire.com/ns/nswong/getcomna.zip
Regards,
Wong
Hi Bob,
I have attach a getcomna.zip(209KB) for you, please have a try and let
me know it's in the way you want.
Since the EXE are smaller than what I expected(36KB), I think you may
not need C compiler anymore.
Cavort20.dll are VO runtime, this DLL are needed by all VO generated
EXE files.
getcomna.txt are copy from Win32sdk.hlp.
The whole source are contain in the getcomna.prg, I have included File
Version Information Structure and Icon in the program.
The Icon is what you see on the Windows, you can switch between
View->Large Icons and View->Small Icons to see the effect.
Right click on the EXE, chose Properties->Version and you will see
information about File Version Information Structure.
This just to show Windows development are not really as tough as some
people think. :-)
Regards,
Wong
----------
> From: Bob Predaina <custom...@yahoo.com>
> To: nsw...@maxis.net.my
> Subject: PC-Identification Techniques
> Date: 17, May, 2000 4:39 AM
>
> Wong,
> .
> Thanks for your help on this topic. I do not have a C compiler on my
> development machine, so I'm unable to create a C program to access the Win32
> API.
> .
> If you could please send me the equivalent VO EXE file, that would give me a
> chance to test a system that uses the PC/User information. The size of the
> VO files would not be a problem. If the system works, I'll just have to
> find a way to create a C program.
> .
> Thanks for your help.
> .
> Regards,
Gary Stark
> be involved in the development of an equivalent system. they brought up the
> idea of leasing the software, paying a fee for its use each time that a
> billing record is generated.
And to me, it seems that this will be your answer. All you need to do is look at
how many billing records have been generated, and calculate your license fee
from that.
--
g.
Gary Stark
gst...@RedbacksWeb.com
http://RedbacksWeb.com
Wong
Phil Barnett
<cli...@custombasses.8m.nospam.com> wrote:
>
>> And, when we find software that is protected in this manner, we simply
>> don't buy it.
>
>Thanks for your feedback, Phil.
>.
>i agree, all of your suggestions are very reasonable. i understand your
>position on this sort copy-protection, which is both reasonable and logical
>for someone who is trying to sell software. but i am not selling software,
>nor am i looking for customers. rather, i am considering leasing seats on a
>custom-built system, which is an entirely different situation.
>.
>in my case, the client (a large anesthesiology group in another state) has
>been through a number of software vendors and billing services over the
>years and learned the hard way that none of the commerically available
>physician practice management options work very well.
>.
>they are asking to license my software that is the basis for a successful
>anesthesiology billing service. they are in a situation where they want a
>unique product that i have, that cannot be obtained anywhere else. they are
>also unwilling to spend the prohibitive amount of time and money that would
>be involved in the development of an equivalent system. they brought up the
>idea of leasing the software, paying a fee for its use each time that a
>billing record is generated.
>.
>i have considered the options of 1) telling the customer that they're
>dreaming, and turning them away, or 2) trying to help them on my terms.
>.
>i am in a position where i do not need the money (i quit working a few years
>ago), and i do not need or want their business. if i choose to help them it
>will be on my terms.
So, they won't have any problem paying for the dongle.
Wong
If your client need to charge by cost center, may be you can use
sub-net mask of the IP address to determine the cost center to be
charge for.
Regards,
Wong
>.
>Bob
Bob
Hi Phil.
.
am i missing something here? is the dongle the end-all solution, and
nothing else works?
.
at the risk of wasting bandwith with redundant statements, i understand the
advantages and disadvantages of the dongle method, both of which are
significant. i am looking for other methods that i may use with or without
a dongle.
.
while i really do appreciate the help and advice of everyone in this forum,
i'm really at a loss to understand why the dongle idea keeps coming up. its
been recommended once, and recommending it over and over again seems a bit
purposeless.
.
i don't mean to sound ungrateful for the help that everyone's offered, but i
am beginning to feel like a horse that's been led to water, and everyone is
watching to see if he drinks or not. i guess that the best way to get my
questions answered is to change the topic of this thread to something like
"how can you perform low-level hardware identification functions with a high
level
language."
.
thanks again for all of your help.
.
Bob
Alain Boucher
It seems to me that what you are looking for is not so much to
identify the equipment but the *user*.
I use the following method on my POS software: (no dongle ;-))
One encrypted fie that holds identification and serial number of every
user in the organisation.
- The identification actualy prints on every invoice / receipt /
reports / list / etc...
- The serial numbers are cross-referenced in all major operations.
One other encrypted file that holds "leasing data" if this copy is
leased and not purchased.
- Leasing data includes dates of the validity period.
Just my 2 cents... Hope it can help.
Alain Boucher
abou...@acti-soft.com
--
=========================================================
ACTI-$OFT(r)
Division de/of 2329 6684 QUEBEC INC.
1363, Des Peupliers Mont St-Hilaire,Qc Canada J3G 4S6
http://www.acti-soft.com
Montréal 514.944.4949
Canada 1.877.944.4949
Fax 450.464.5726
=========================================================
Lee Clinkscales
Matters of licensing are of interest me and many others, I'm sure. So
let me lead you down a different path to another source of water to see
if you'll drink there, or tell us why you don't like the idea (or why it
won't work for you). Bear with me.
"Bob" <cli...@custombasses.8m.nospam.com> wrote in message
news:39217...@news1.prserv.net...
> in my case, the client (a large anesthesiology group in another state)
has
> been through a number of software vendors and billing services over
the
> years and learned the hard way that none of the commerically available
> physician practice management options work very well.
> .
> they are asking to license my software that is the basis for a
successful
> anesthesiology billing service. they are in a situation where they
want a
> unique product that i have, that cannot be obtained anywhere else.
they are
> also unwilling to spend the prohibitive amount of time and money that
would
> be involved in the development of an equivalent system. they brought
up the
> idea of leasing the software, paying a fee for its use each time that
a
> billing record is generated.
I use a POS system that ties my store name and phone number to an
authorization code. The store name and phone number print on the
receipts. The authorization code is issued by the programmer and
differentiates between stand-alone, networked (multi-user), and multiple
locations. The authorization code can be verbally transmitted and
entered by the user. This solution only prevents pirate copies. It does
not attempt to limit simultaneous users.
I find limiting simultaneous users relatively easy. My approach requires
an encrypted database file (btrieve) that has one record for every
potential user. When a user starts the program, a lock is placed on the
next available record and held until the user terminates the program. Do
not write data to the file as crashed PCs will create a mess. Locks are
automatically released when a crashed PC reboots.
If you wish to license specific users, you could add a field to the
above file that would identify the user the first time that user ever
ran your app and then always seek that record when that user started
again. This could be something like the network name, but the NIC ID
seems like a better solution. I don't know how to read the NIC, but
obviously others in this ng do.
Finally, comes the issue of what to do about expired users.
Suppose the NIC must be replaced. This obvious solution is for the user
to send you the actual authorization file and have you remove the
record. Another way would be to have all current users log in and then
use a built-in utility to release previous users.
Now, all of this may be stating the incredibly obvious. [I'm obviously
not concerned with band width. <g> ] The main issue for me in a
situation like the one you have described would be that the user be made
aware that specific hardware is being licensed, and what would be
required to add users and to recycle users (replace the NIC). Also,
consider how much time you want to devote to supporting the system you
choose to implement. Since it seems that you are retired, you won't want
to feel tied down by your system, nor do you want the user
inconvenienced terribly by your taking a month-long vacation.
So far as leasing based on usage, be sure that you want to administer
this. Much easier is a per-user license that must be renewed
periodically. Since it seems that you may have already recovered the
bulk of your development costs, per-use charging may work. The danger is
that the user will find something else and abandon you before you
recover your costs of customizing the app for them.
I hope this helps. Please let us know how you intend to proceed.
Lee
Randal Ferguson
I missed part of this thread so I don't understand exactly what you are
trying to do but you may want to take a look at Protection Plus
Professional. I've used this tool for years. It does have a method of
detecting the motherboard serial number I believe and you can control
where your app runs, i.e. is it a licensed computer. I use it for
customers that purchase our software and take advantage of our
financing, also to control the number of licensed users on networks.
Works well, perhaps it will meet your needs.
Regards,
Randal Ferguson
Bob
>
> take a look at Protection Plus Professional. It does have a method of
> detecting the motherboard serial number I believe and you can control
> where your app runs, i.e. is it a licensed computer.
Randal,
.
thanks for the tip. i was hoping that somebody could tell me how to
directly access exactly this sort of information in a low-level language.
even though i was looking for a low-level solution to this problem, this is
the closest response i've received. thanks.
.
bob
Randal Ferguson
Your welcome. I don't know if this is what you're looking for but you
can get some info
at www.softwarekey.com. You can use the product in a lot of different
ways so see if you
can get some info about all the functions available.