How would you hide a Text String?

peroja

New member
Joined
Jul 5, 2014
Messages
4
Programming Experience
1-3
Hey Guys,

I have a Splash Screen that generates a 16 Digit String mixed with Letters and Digits (like: IUH64KJF743FGKG) etc...
I'm using Streamwriter to generate a file and write this unike key into it and read from it as well. The same string is also inserted into a remote mySQL DB and later compared.
However, i dont want the User of my Program find this file as he could manipulate or even DELETE it (which would make him able to override a 30 day trial)
I'm not going into specifics but is there another way to write this key and read it other than place it into a file? Yes, i know, writing into the registry but i already have this as well...
My initial idea was to create a file.dll which is in fact a text file but to camouflage it as .DLL and place it inside the System32 Folder. :cool: (because a hacker knows a DLL is compiled and not readable) but the file is only 1kb in size.... that again would be suspicious.
How would you "hide" this 16bit key other then tarnish it as DLL inside the system folder (no access, so forget it) i need to create the file, read and write to and from it.
Any Ideas?

Thank you
Randy

For those who are interested:

Generate Random Key and Write into File:
  const string src = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
            int length = 16;
            var sb = new StringBuilder();
            Random RNG = new Random();
            for (var i = 0; i < length; i++)
            {
                var c = src[RNG.Next(0, src.Length)];
                sb.Append(c);

            }

            



            // create a file and write the software key into it. we need this later to call the correct data from a external db

            if (File.Exists("fsds.dll"))
            {
                string[] a_content = File.ReadAllLines(@"fsds.dll");
                if (a_content[0] == null)
                {
                    // do nothing
                }
                else
                {
                    // do nothing

                }
            }
            else
            {

        ....bla bla
        }



 
                using (StreamWriter writetext = new StreamWriter("fsds.dll"))
                    
                {
                  
                    writetext.WriteLine(sb.ToString());
                }
 
No. Do not put files into System32 directory. Microsoft has gone through great lengths to restrict write access there to prevent the DLL Hell that was in earlier versions of Windows because everyone and their brother was placing files in System and System32.

The correct thing to do is to encrypt the contents of the file and store the file along with your other configuration files. This usually dissuades the casual user, and most hackers will just move on unless your app is truly a high value target.
 
As a quick aside, that is not a 16 bit key. That is a 16 character key. And that key is useless as a 30 day trial since you don't encode an expiration date in it.
 
As a quick aside, that is not a 16 bit key. That is a 16 character key. And that key is useless as a 30 day trial since you don't encode an expiration date in it.

I understand your Statement but i feel i have to explain what my Programm does. I'm sure you will reconsider your statement

At the very First Start a Splash Screen will Pop Up. Following will be created:
  1. a 16 character key (random)
  2. the current date
  3. the current date but 30 days ahead (expire date)
  4. 4 (four) 4character keys (random)
  5. a local file called fsds.dll and writes the 16 character key into it (NOT a real DLL but just to confuse a wannabe hacker)
Then ALL of this will be stored inside a remote mysql table ( 1- 4 ). TOGETHER with 'active' and a '0' for two rows called: active and purchsed.
The Splash Screen of course checks if the fsds.dll exists and does only create all the keys and db entries if it does not exist.
Then a timer then will close the splash screen and opens the main form.

The Main Form then will call the mysql db and uses the 16character key as ID. which he first grabs from the fsds.dll!! (at this point it is very important that the user does NOT know that if he DELEDTES the fsds.dll the whole trial will start again because the splash screen would not find it and would generate a new one and generates new entries at the DB)

The Mainform then will take the expiration date which is 30 days after the first start and compares it with the current date. This way i can see if the trial period is expired and then i can take measures to either block the software completely in its intire function or just parts of it.

There is a 3rd. Form (info) as well. With a Button that opens a website with a form to register. That webpage updates the db. Name and Email will be inserted and the row 'purchased' will be updated with a '1'. So, as soon as the user starts the software, the Main Form will work again AND in the Info Form the 4character key which is in the registry btw.... (happens as well at the first time splash screen) will appear together with the Users name. I will show some Pictures for you to have an idea what i am doing.

mainform.jpg


inforegistered.jpg


infounregistered.jpg


So, now you guys understand my dilemma? I want to "hide" the 16 character key and also NOT want to be deleted the fsds.dll because this would enable the user to uninstall and delete the Programm and just reinstall it for another trial period. I could hide the 16 character code inside the registry but a advanced user will find this too.

YES the Softwarw will be valuable like 99 US$ (software for private and commercial pilots)

Thank you
Randy
 
So the 16 character key is just a unique identifier for the user's machine. Why not just use the serial number of the users C: drive or some hash of the user's of MAC number(s), or some other hardware that the will not commonly change on a user's machine.
 
So the 16 character key is just a unique identifier for the user's machine. Why not just use the serial number of the users C: drive or some hash of the user's of MAC number(s), or some other hardware that the will not commonly change on a user's machine.

Actually a nice Idea but i dont really want to store the users harddisk serial # on a remote server. I dont even know if that is legal without telling the customer or even "force" him to sign a agreement about this. I can not see into the brain of a customer who might think this is dodgy, and i might be able to "hack" his computer if i knew his serial number. WE both know better, but put yourself into the situation of a non IT guy....a just user
 
The serial number of the hard drive is readily available, just like the MAC address of the network card. You are not doing any hacking. Or just get a hash of the serial number instead of using the number outright.
 
The serial number of the hard drive is readily available, just like the MAC address of the network card. You are not doing any hacking. Or just get a hash of the serial number instead of using the number outright.

I know that. But the 16 character Key is not really my concern. Im more worried the user find out that the trial will be start again if he uninstalls the software (with the fsds.dll)
Im considering to put the key into the registry disguise its real identity and then read from there. like in: Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Proton
 
If you use something that is tied to the hardware of the user, the only way he'll be able to get new trial would be to swap hardware.

First, how will you manage to write into the System32 directory without admin rights? If you tell the user that they need admin rights to be able to use pilot software, they will already be suspicious that something isn't right. Microsoft went to great lengths to not require admin rights for most of the software on Windows. It's like a phone app that requests access to your camera even though the app doesn't do anything with photos. Something is already suspicious.

Next, if you really think that your app is that high value, invest in a real licensing library instead of trying to half-ass your own licensing scheme.

If you think that at $99 a pop, and a licensing library won't pay for itself within the first half year, then either your app is really not that high demand, or high value.

If you don't like the C: drive serial number, consider getting the machine GUID:
 
If your app hs a connected aspect, do it in the server side; the key is granted by sales, the user enters it, if they change it then the server stops responding and the app becomes relatively useless

If you're trying to protect a local app whose entire code is placed on the hard drive of the user, and it can function without any connection to something you retain ownership of, then you're largely fighting an uphill, losing battle I'm afraid
 

Latest posts

Back
Top Bottom