2

My client has a Flash projector EXE and he wants to set up an on-line serial number control system so he can sell it on-line.

The key problem in this project, as far as I see, is that the EXE is required to run on only one computer.

My current plan is below:

  • Request the serial number from the user before installation and check whether it is okay.
  • If it is okay, generate a hash from a number of unique hardware constants. Match it with the server and see if the application was installed on this machine before.
  • If not, or it is the same machine as before, allow the installer to continue.
  • After installation, put the hardware hash into the registry.
  • Create a loader EXE, place the Flash EXE into it as a resource.
  • In the loader EXE, check if the registry has the hardware hash and it is the correct hardware we're running on.
  • If the hardware hash is correct, extract the resource (Flash EXE) to a hidden path and execute it with CreateProcess.

Now, I'm aware that there is a serious security flaw in this workflow. When I extract the resource EXE and execute it, it would be visible to any user looking at the Task Manager. So he/she could reach in and grab it!

How can I improve my approach? At least to an acceptable point?

Thanks.

P.S. This application has similar functionality: http://www.increditools.com/flash_exe_builder/index.php in terms of protection and serial-number.
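As an added example (not code from the question or any of the answers), here is the server-side half of steps 1 to 3 in Python: a serial whose last field is an HMAC check value only the server can compute, a hardware hash that is stable regardless of the order the client collects its inputs, and the activation record that enforces "one serial, one machine". The serial format, the secret, and the hardware field names are assumptions; the loader-side registry check (steps 4 to 7) is deliberately not modelled, because it runs on a machine the user controls.

```python
import hashlib
import hmac

# Constructed for this example; a real deployment keeps this only on the server.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def _check_field(body: str, secret: bytes) -> str:
    """Four hex characters derived from an HMAC over the serial body."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:4].upper()


def make_serial(body: str, secret: bytes = SERVER_SECRET) -> str:
    """Issue a serial such as 'ABCD-1234-EF56-<check>' (format is an assumption)."""
    return f"{body}-{_check_field(body, secret)}"


def serial_is_valid(serial: str, secret: bytes = SERVER_SECRET) -> bool:
    """Step 1: verify the check field without a database lookup."""
    body, sep, tag = serial.rpartition("-")
    if not sep or not body:
        return False
    return hmac.compare_digest(_check_field(body, secret), tag.upper())


def hardware_hash(constants: dict) -> str:
    """Step 2: hash a set of hardware identifiers. Keys are sorted so the
    result does not depend on the order in which the client gathered them."""
    canonical = "\n".join(f"{k}={constants[k]}" for k in sorted(constants))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ActivationServer:
    """Step 3: remember which machine each serial was first activated on."""

    def __init__(self, secret: bytes = SERVER_SECRET):
        self.secret = secret
        self.bindings = {}  # serial -> hardware hash of the first activation

    def activate(self, serial: str, hw_hash: str):
        """Return (allowed, reason) for an activation request."""
        if not serial_is_valid(serial, self.secret):
            return False, "invalid serial"
        bound = self.bindings.get(serial)
        if bound is None:
            self.bindings[serial] = hw_hash
            return True, "first activation"
        if hmac.compare_digest(bound, hw_hash):
            return True, "same machine as before"
        return False, "serial already bound to another machine"


if __name__ == "__main__":
    # Constructed sample hardware constants, not real identifiers.
    machine_a = {"volume_serial": "1A2B-3C4D", "cpu_id": "BFEBFBFF000306A9"}
    machine_b = {"volume_serial": "9F8E-7D6C", "cpu_id": "BFEBFBFF000306A9"}
    serial = make_serial("ABCD-1234-EF56")
    server = ActivationServer()
    print(serial, server.activate(serial, hardware_hash(machine_a)))
    print(serial, server.activate(serial, hardware_hash(machine_a)))
    print(serial, server.activate(serial, hardware_hash(machine_b)))
```

The server is the only place where the "one machine" rule can actually be enforced, because it is the only part of the system the customer cannot edit; whatever the loader later reads back from the registry is, as the answers below note, only a speed bump.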


3 Answers

2

How can I improve my approach? At least to an acceptable point?

Depends on what you mean by "acceptable". This problem is unsolvable - there are commercial companies which exist solely to provide DRM protection to multi-million-dollar software, and that "protection" is routinely broken within days.

The exact amount of protection you want to bother with depends largely on what you're distributing - without having an idea of that, it's really not possible to give a good recommendation as to what you want to do.

Your proposed system might be sufficient. Heck, the honor system of you trusting your customers might be good enough for your client's purposes.

answered 2010-02-18T23:20:32.000
1

If his app isn't popular (and won't be), phoning home is overkill.

If his app is popular (or will be), give up. Even industry grade (whatever that means) software security protections are inherently flawed, including Sony's controversial SecuROM and Valve's 'DRM to end all DRMs' CEG, which have already been broken.

answered 2010-02-18T23:21:30.897
0

You can't stop everyone from cracking your security, but in this case, stopping 90% (or so) of users from doing so is all you can ask for. Simply making it difficult to use an illegal copy gets the job done.

Look at Adobe and how many cracked Photoshop and Flash CS3 license keys exist. The point is that doing something to stop the average user is worthwhile - but that is as far as protection goes. If someone wants to steal the software and is willing to invest the time and effort to do so, they will be able to get it - no matter how good the protection is.

answered 2010-02-19T04:38:07.373