哪里是存储序列号等的好地方?

发布于 11-19 10:10 字数 1431 浏览 5 评论 0原文

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

酷炫老祖宗2024-11-26 10:10:33

我会为您省去麻烦,并告诉您,无论您在用户计算机中存储或修改什么内容,有经验的用户能够逆转 - 是的,这将允许用户访问您的试用版再次软件。最坏的情况是,他们可以在安装试用版之前使用虚拟机并拍摄虚拟机的快照。

我会更进一步指出,相当多的用户会对显示类似 Rootkit 行为的程序感到非常恼火(这里有索尼粉丝吗?),并试图隐藏在每个角落和他们的操作系统的一角。让您的软件电话回家或在您的服务器上存储个人信息(例如操作系统序列号)至少是不好的形式 - 如果您在没有通知用户的情况下这样做,也可能是非法的。

底线:不要试图寻找营销问题的技术解决方案。让您的完整版本足够吸引用户购买。相信您的用户是通情达理的,而不是不加区别地将他们视为潜在的小偷。而且,看在插入最喜欢的神份上,不要不要弄乱他们的计算机...

如果您提供非常昂贵的软件,您可能需要考虑硬件密钥 - 只要您以某种方式确保它们在 10 年内继续工作,即使您的企业不再支持。一方面,我讨厌惩罚软件合法用户的反盗版措施。

I'll save you the trouble and tell you that whatever you store or modify in a user's computer, an experienced user will be able to reverse - and, yes, that will allow the user access to your trial software again. Worst case, they could use a virtual machine and take snapshots of the VM before installing your trial version.

I'll go a step further and mention that a significant number of users would be very annoyed with a program that displays rootkit-like behaviour (any Sony fans here?) and tries to hide in every nook and corner of their OS. Having your software phone home or storing personal information (e.g. OS serials) on your server is at least bad form - if you do it without notifying your users it could also be illegal.

Bottom line: don't try to find a technical solution for a marketing problem. Make your full version appealing enough for a user to buy. Trust your users to be reasonable, rather than consider them indiscrimately potential thieves. And, for insert-favorite-deity's sake, do not mess up their computers...

If you offer a very expensive piece of software, you might want to consider hardware keys - as long as you somehow make sure that they will keep working in 10 years even if your business drops support. I, for one, hate anti-piracy measures that punish the legal users of the software.

倾城花音2024-11-26 10:10:33

理论上来说,没有办法阻止用户强行延长免费试用期。事实上,用户可以扰乱系统时钟,甚至使用具有快照功能的虚拟机。

您的问题的简短答案概括为“默默无闻的安全”。您必须在创造性的地方编写看起来无辜或奇怪的文件或注册表项,并且必须对这些位置保密。您还应该对要存储的信息(例如名称、序列号)进行打乱,以便用户无法执行全文搜索来查找其存储位置。

如果您想要额外的创意,您可以以某种方式填充一些系统文件(可能像 notepad.exe)并将您的秘密负载存储在那里。

此外,您还可以通过互联网使用该软件打电话回家;您可以检查时钟攻击;您可以尝试将数据存储在磁盘分区的可用空间中。

In theory, there is no way to stop a user from forcibly extending the free trial. Indeed, the user can mess with the system clock, or even use a virtual machine with snapshot capability.

The short answer to your question is summed up as "security by obscurity". You will have to write innocent-looking or weird-looking files or registry entries in creative places, and you must keep these locations a secret. You should also scramble the information that you want to store (e.g. name, serial) so that the user cannot perform a full-text search to find where it's stored.

If you want to be extra creative, you can somehow pad some system files (maybe like notepad.exe) and store your secret payload there.

Additionally, you can have the software phone home over the Internet; you can check against clock attacks; you can try to store data in the free space of a disk partition.

ゃ懵逼小萝莉2024-11-26 10:10:33

我建议您将其存储在一些专门加密的文件中,或者自行修改某些资源或应用程序文件本身。

为了获得良好的保护,应用程序产品(可执行文件)正在使用特定算法进行压缩,这些算法在运行时提取到内存等中。例如,使用 UPX 及其变体。

大公司开发了自己的保护措施,但实际上,当逆向工程师开始他/他们的工作时,通过给定的逆向方法压倒任何防御是正常的(预期)。

重点是尝试隐藏有效序列匹配的算法,以及序列加密、文件或注册表等。

例如,您可能将序列存储在文件中,其中根据文件创建日期时间对序列进行哈希处理。
但是,当有人反汇编您的可执行文件时,当他看到整个图片时,根据您的场景重现注册机并不是什么大问题。 :)

正如 thkala 所说,你必须集中精力赢得客户,因为你可能没有像大公司这样的资源来投资安全。

I suggest you to store it in some specifically encrypted file, or to self-modify some resource or the application file itself.

For good protection, the application product (executable) is being compressed with specific algorithms which are extracted at run-time in memory, etc. UPX with its variants is used for example.

Large companies develop their own protections, but actually when a reverse engineer(s) starts his/their work it is normal (expected) to overwhelm any defense by a given reverse approach.

The point is to try to hide your algorithms for valid serial matching as for the encryption of your serial, to file or registry etc.

For example, you may has your serial in file, where it is hashed against the file creation datetime.
But when somebody disassemble you executable it won't be a big deal reproduce a keygen based on your scenario, when he see the whole picture. :)

As thkala said, you have to focus to earn customers, because probably you have no such resource as the large companies to invest in security.

我经常看到的另一种编写试用软件的有效方法是要求用户在线注册并接收该软件的临时注册码。一般来说,尝试在没有某种外部组件的情况下实施试用期的可靠性会低得多。

Another effective approach to writing trial software I've often seen used has been to require the user to register online and receive a temporary registration code for the software. Trying to implement a trial period without some sort of external component is going to be much less reliable in general.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文