Software-protection with IMEI in sourcecode

[schimanski]

Hello together!

My software is only for a small category of personens, so I protect my application while I check the IMEIs or the Windows-ID in the source-code. I think, it is a very safe copyprotecion. The disadvantage is, that I have to compile the code and use the setup-builder every time, when I contain a new IMEI. Is there anyone who knows, if there is an easier way to contain the IMEIs? I thought about a encrypt database, but I think it is not save as the souce-code variety.

Thanks for help....

[agraham]

Quote:

Originally Posted by schimanski

I think it is not save as the souce-code variety.

If you are optimised compiling then I don't think compiling it into the source is safe unless you are also using an obfuscator that can obfuscate literal strings and numbers as well as code. It is relatively easy to run an exe through ILDASM to get IL code or Reflector to get C# code (I've done both!), modify the strings and then reassemble or recompile to get a new app. With the source available you may as well just hack out the IMEI checking anyway so it would run anywhere.

I would think that having a small file containing the IMEI encrypted is just as secure (or insecure) as what you are now doing. In one case the IMEI itself is compiled into the source, in the other it is the encryption key compiled into the source.

[schimanski]

Thanks for the infos! I doesn't know, how easy it is to hack the strings in a compiled code. I think, I set the IMEIs in a separat database, which is 128bit-encrypt....It's easier to handle..

[agraham]

You still have the problem of securing the encryption key if you want to decrypt in your code. If you don't need to re-encrypt in your application and only decrypt once when you start the application then asymmetric encryption using CryptoEX library can be secure.

You could make up a string including the IMEI number and sign it with a private key then verify the signing in your application with the public key. With only you knowing the private key the string can be in clear text because if anyone tries to alter the IMEI number the signing check will fail. However someone with the technical capability could still reverse engineer your application and change your checking logic to always succeed.

[schimanski]

Thanks, agraham!

I dont' know, what happens with the code after compiling, but is it not possible to set the encryption key as buffer of bytes in my code?

And in this context, what about the comments? I hope, they will disappear after compiling.

Thanks.....and greetings from germany

schimanski

[agraham]

Compiled .NET programs can be decompiled, just as any computer program can but it's a bit easier in .NET than in X86 Assembler. For example the next version of my Debug library will be able to debug programs in the IDE as well as optimised compiled. This is primarily for use on the device where there is no real debugger available. Erel will add the necessary "hooks" into the next version of Basic4ppc but for testing I decompiled the device version of Basic4ppc with a Reflector plug-in, added the necessary hooks and recompiled it so I now have complete source code for a customised version of Basic4ppc for the device that I have used to develop the IDE capable version of my Debug library . Erel does of course know this and has had a copy of it.

Taking your optimised compiled program apart would be similarly easy to see what you have done with the key . There are programs called "obfuscators" that attempt to scramble the code after compiling by making names meaningless and doing other tricks to change the code, but the fact remains that if a processor CPU has to execute the code it can always, perhaps with a lot of effort, be dismantled to see what it does.