Question about product activation schemes

Posted 2024-08-13 23:27:12 | 203 words | 2 views | 0 comments

The typical product activation scheme is as follows:

  1. A unique serial no. is assigned to user
  2. A unique hardware id is generated for the user's machine.

On giving this info to the vendor, the vendor issues an activation code.

I would like to know how the activation code is generated and what are its contents.
Also, what is the general scheme once the activation code is entered in the application on the user's PC, like how it is decoded, stored, checked next time?

Thanks

Comments (3)

满地尘埃落定 2024-08-20 23:27:12

A really simple way of doing this is compiling a list of the PC's relevant hardware into a string and then running an MD5 hash over it. So your string would for e.g. contain

"Pentium 4 Dual Core 3.8 GHz, HDD1: 320GB"

etc
There are many free implementations of MD5 hashing in almost every language, you can do a Google search for it.

You don't say what platform you are targeting, but if you are using Windows, you can obtain the PC's hardware config by querying WMI or using Windows API calls. For example the physical memory class to look at in WMI is Win32_PhysicalMemory.

When the software is first installed, this hash is compiled, and then sent to the activation server, which sends back some corresponding code that will only match to that hash. A really simple / useless example - let's say the hardware hash is 123, and the check algorithm is that all the digits should be 9 after the hardware hash and activation code are added, the activation server would return 876. The program would add the 2 codes together and get 999, then unlock it for use.

Periodically the program will re-create the hardware hash, add it to the activation code (in my super simple example only), and make sure they still add up. If they don't, the product might lock itself and insist on re-activation.

However: I highly recommend you don't use this method of copy protection. Why not?

  • Any time the user upgrades their hardware, re-installs their PC, etc, you will probably incur support costs assisting them to re-activate the software, and inconvenience the user.
  • If you ever discontinue your activation servers, the product, or close your company, you effectively shut down access for the people who paid to use the product.
  • This is pretty much turning the user's PC into a hardware dongle - which sounds like a good idea on the surface, but discourages users from buying the software.

Rather I would suggest you use a hash of the registering party's name or company name, and embed that in the program in such a way that it is obvious that the program is registered to them. Yes, this technically allows them to copy the software more easily.

Bottom line is - if your software is really valuable to many people, someone will bypass your copy protection scheme, no matter how convoluted it is. Using product activation based on the hardware configuration will only aggravate the one group of people you really want to do business with - those who are basically honest and want to use your product legally. The folks who don't give a stuff about legal software will use the version where your activation scheme has been cracked.

I personally despise buying any product where there is no guarantee that I will be able to use it if I change my PC or the company shuts down. It's kind of like the recent case where people bought George Orwell's 1984 for their Kindles, and then when there was a copyright dispute, Amazon remotely deleted all the copies of this book that people had bought.

Just my 2c.

够运 2024-08-20 23:27:12

Like Michael (Todd) commented, the methods or schemes vary with different vendors. If it's really standard, it's probably easier to 'hack', yea?

I assume your ultimate aim is to protect your software from unauthorized use?

Here are a couple of related SO posts:
How do you protect your software from illegal distribution?
Methods to stop Software Piracy ?

UPDATE:
To answer more directly to the OP's question:

I would like to know how the activation code is generated and what are its contents?
@: Can be a proprietary hashing/encryption of serial no. mashed up with user/product/date information or virtually anything else.

Also what is the general scheme once the activation code is entered in the application on the user's PC, like how it is decoded, stored, checked next time?
@: The software probably has some algorithm inside that can make sense of this code to at least check for validity. Can be stored as a file, in the registry or even embedded within an existing file, etc.

送君千里 2024-08-20 23:27:12

I'm assuming you asked the question, because you want to implement something similar yourself.

Here I will outline a scheme that can be used to help protect the legitimacy of purchased software. This helps to protect the company from piracy and helps to keep the clients' valuable purchases legitimate and relatively easy to register.

This scheme works by tracking three separate data elements: one auto-generated, one entered by the user, and one calculated from those two. When the product is not activated it could either run with a reduced set of features or simply not run at all.

The procedure involves communication with a website, but when the website is unavailable, there are alternative mechanisms so that the user can still use the software without getting frustrated over licensing issues.

Methodology

The software utilizes three basic data elements:

  • [IC] Installation code: An auto-generated code; this could be anything that is generated by the particular installation and is unique to the installation. It will change when the software is reinstalled and does not depend on who is installing it. In the past some vendors have used a hardware hash, but it could just as well be a randomly generated code that is stored for retrieval at each instantiation. Deleting the code from storage is essentially the same as uninstalling the software.
  • [UI] User ID: A unique identifier for the registered; you could refer to this as an unlock code or a client or company code, or a serial number. It will uniquely identify who has purchased this particular installation.
  • [HASH] The hash: A calculated value; this final piece of the authentication is what tells the software that it is legitimately registered and good to go. It should be derivable from the other two parts and stored somewhere, either in the file system or in the Windows registry or elsewhere.

Logic flow

In pseudo code, the software runs through the following procedure:

begin:
  load IC
  if not IC: IC = generateIC
  load UI
  if not UI: UI = promptUser
testHash:
  load HASH
  if HASH=hash(IC,UI): goto valid
  HASH = activateLicense()
  if not HASH=hash(IC,UI): goto invalid    
valid:
  REV = revokeLicense()
  if REV: goto invalid
  done : run software
invalid:
  done : do not run software

generateIC:
  IC = some unique identifier
  store IC
  return IC
promptUser:
  UI = get id from user input
  store UI
  return UI
activateLicense:
  HASH = wwwResponse('activationRequest')
  store HASH
  return HASH
revokeLicense:
  REV = wwwResponse('checkIfRevoked')
  if REV: erase HASH
  return REV

The pseudo code also involves an optional fourth element:

  • [REV] An indication of a revoked license: the software company could track the number of software activations and revoke access to abusive users. This does not need to be stored and will only be retrievable if there is an available connection to the www.

Failure to connect to the website would only mean that the state of the license will not change. If the software cannot directly connect to the website, then an alternative procedure could be available from a web-enabled point where the user enters their IC and UI into a browser and the browser emails them a HASH which they can manually enter into the software. This is only slightly more involved, but still lets the user do this by themselves with an important factor being that they must enter a valid email if they wish to receive the hash code that will be emailed to them.

It's not hack-proof or undefeatable, but it does serve to protect both parties, in a reasonable way that does not lead to frustration. The actual mechanisms involved should be closely guarded company secrets.

Note:

It doesn't really matter in this scheme whether IC is a hash on the computer's hardware or if it is just some randomly generated key. All that will happen when it changes is that the software will re-register itself, which might not be a problem if the machine it is on is connected to the internet, or might be a slight inconvenience if user interaction is once again required, but as stated above, this part can still be implemented as a self-service feature on the site. It's up to the software company if they want to count number of activations or track other info.
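
The start-up check from the last answer's pseudocode, as an added Python example (not code from the original post). HMAC-SHA256 stands in for the unspecified `hash(IC,UI)`, and `PRODUCT_KEY`, `VendorSite`, `start` and the dict-based `store` are hypothetical names; an unreachable site leaves the licence state unchanged, as the answer describes.

```python
import hashlib
import hmac
import secrets

# Assumption: constructed demo key shared by the vendor site and the client check.
# Anything embedded in the client can be extracted, so treat this as a deterrent.
PRODUCT_KEY = b"constructed-demo-key"


def compute_hash(ic: str, ui: str) -> str:
    """hash(IC, UI): HMAC-SHA256 over length-prefixed fields (no IC/UI ambiguity)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in (ic.encode(), ui.encode()))
    return hmac.new(PRODUCT_KEY, msg, hashlib.sha256).hexdigest()


class VendorSite:
    """Hypothetical stand-in for the vendor website; online=False simulates no connection."""
    def __init__(self, known_users, online=True):
        self.known_users, self.online, self.revoked = set(known_users), online, set()

    def activation_request(self, ic, ui):
        if not self.online or ui not in self.known_users or ui in self.revoked:
            return None
        return compute_hash(ic, ui)

    def check_if_revoked(self, ui):
        # None = site unreachable: the licence state must not change.
        return (ui in self.revoked) if self.online else None


def start(store: dict, site: VendorSite, prompt_user) -> bool:
    """Return True if the software may run; `store` holds the persisted IC/UI/HASH."""
    ic = store.setdefault("IC", secrets.token_hex(8))       # generateIC
    ui = store.get("UI")
    if not ui:
        ui = store["UI"] = prompt_user()                     # promptUser
    expected = compute_hash(ic, ui).encode()
    if not hmac.compare_digest(store.get("HASH", "").encode(), expected):
        fresh = site.activation_request(ic, ui)              # activateLicense
        if fresh is None or not hmac.compare_digest(fresh.encode(), expected):
            return False                                     # invalid: nothing is stored
        store["HASH"] = fresh
    if site.check_if_revoked(ui):                            # revokeLicense
        store.pop("HASH", None)
        return False
    return True
```

Because HASH is bound to IC, a stored HASH copied to a second installation fails the comparison there and forces a new activation request, which is where the vendor can count activations.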
