RE: Using C++ MD5 hash for software verification & licence files

Hi
The last few days I've been searching the net for ideas about building in some sort of software protection/security schema within a development for educational but perhaps more importantly to understand good & bad security coding/practises do's & don’t s when it comes to software development.

There is quite a bit of documentation out there & opinions & recommendations do vary considerably on what’s the best practises in C++, so can quiet easily render confusion.

In brief I've been thinking on the lines of

1. End user registers via website, the system then creates an encrypted licence file containing information specific to that user, to which the user places within a licence folder/dir.
2. Within this encrypted licence file it contains a MD5 hash or check sum of the original software to which the software compares its own MD5 hash against the original when it first loads.

The program can then decide whether to challenge the user to the authenticity of the software [or has it been tampered with].
Using such a encrypted licence file, only the software would know how to open the licence file using a built-in algorithm. Also it ensures the software consults the file to obtain other pieces of data in order to function properly.

Does any of you have any views/thoughts on the above method?. Any help would be greatly appreciated.

Ziggyspaceman.

For one, MD5 shouldn't be used any more.

And it's going to be fairly trivial to bypass this. A reverser can just put a breakpoint on when your program attempts to open a file.. this is going to be somewhere at the beginning of the 'check license file' function. He then checks where it was called from and modifies the binary to skip the check.

only the software would know how to open the licence file using a built-in algorithm

Sure, until someone gets motivated enough to reverse the algorithm.

Of course there is always going to be a way around software protection, so you can only make it as hard as possible... but your described way wouldn't take too long for someone who's motivated

Sure point taken about the MD5, but the purpose was not to encrypt anything with it just to use it as a ref or checksum value to compare original value with current value[quick check].

any other suggestions?

But many thanks for your reply.

And that's exactly where it shouldn't be used any more ;)

Details are out on Google.

As for other suggestions, you need to ask yourself some questions:
- How skilled is my attacker?
- How motivated is my attacker?
- How important is what I'm protecting.

When some very big, cold country is your attacker... you're in trouble, if your program has 20 users then your solution above is going to be fine.

Also a big thing to keep in mind is how does the protection affect your users? There is nothing more annoying than an elaborate scheme to protect your software but is a nuisance to users.

For example, some game company tried to protect their game by requiring a constant internet connection even in single player... so genuine users who bought the game could not play if their connection failed, but players with a cracked copy had no trouble at all.

Thanks for the advice, I'll certainly do a bit more research.

It not so much protecting the software as such, because when completed it will available free of charge, it's more of the software using the right user data from the licence file than anything else.

Because the user will be updating [non sensitive] data via the software to an online web account to be able to use extended services.

Best Regards

This article has been dead for over six months. Start a new discussion instead.