Java: Serial Code gen/use & Protection againts reverse-engineering / decompiling

cgarvey

2 questions..

1. What are people using to generate and use Serial Codes for Java apps. Is there a framework that people recommend that handles this (like handago's basic one for mobile apps)? I'd love one that ties to a machine hardware ID of some sort, or a good mix of hardware & network configs. Or do people generally role their own? PKI?

2. What do people use to protect web apps agains decompilation? Just obsfucation?

Ta.

fragile

The GPL

Capt'n Midnight

fragile wrote:

The GPL

LOL

you could bind it to the MAC address
but everyone on windows dial up uses a similar fake address ppp MAC
IMHO as a good rule of thumb there is an inverse correlation between the quality of software and difficulty of registration

Dizz

/me OT...
<I'd love one that ties to a machine hardware ID of some sort, or a good mix of hardware & network configs.>
Go ask MS about that one! DRM and it's ilk will never really work... i don't think I've ever seen a protection scheme of any sorts work, except for honesty.
As to inverse rules... The more desirable the software (irregardless of DRM) the quicker it's cracked

fragile

The ATA standard specification is what you are looking for to uniquely identify a harddrive, namely the identify drive command. The assembly language for the command can be found here.

I don't know if this is much use to you if you are developing in Java, perhaps you can find higher level C++ code that does the same thing and use that through JNI.

Of course I would still encourage you to abandon all proprietary nonsense and use the GPL but thats just the socialist side of me coming out

cgarvey

Thanks for the replies guys.

GPL (or any open source licensing) is not an option here I'm afraid.

Binding to MAC address sounds like it'd be enough, but are there any quick ways to do that in Java? The target machines are a mix of Linux and Win32.

ATA IDs sound way too low level for me, but is an option we may consider in the future.

I hear you on the desirable software being cracked anyway point.

Ta
.cg

Capt'n Midnight

cgarvey wrote:

Binding to MAC address sounds like it'd be enough, but are there any quick ways to do that in Java? The target machines are a mix of Linux..

ifconfig eth0 hw ether de:ad:00:00:be:ef

cgarvey

Capt'n Midnight wrote:

ifconfig eth0 hw ether de:ad:00:00:be:ef

Indeed, point taken, ta.

jmcc

Just on the idea of binding to the MAC address:
With Linux boxes, chopping and changing parts will probably be a lot more common than on Windows boxes. W2K has a hissy fit everytime you change something critical like a video card but Linux handles things transparently.

If you have professionals (rather than the warez dudes) after your software then the chances are that whatever system you use will be compromised.

What you could do is generate some data based on the boot information from syslog or messages and have this hashed with a unique identifier for the customer. It is replicating the current schemes used by some developers but software is just not protectable despite what DRM gobsh1tes say. The best you can do is to deter or slow down attackers. At one extreme, you can go for online authentication (or a challenge response system based on those old calculator like devices that BOI used to use) or at another just use GPL as has been suggested.

Try looking at the problem of DRM with the following in mind:

Cost of development.
Cost of software.
One off or Per Seat Payment model.
Niche or Mass Market.
Ease of use for enduser.

Regards...jmcc