Add a registration code to the software

This article aims to propose a method to add a registration code to the software. The effectiveness of the proposed method and the ability to withstand cracking by some reverse experts must be verified. I just put forward my personal opinion.

1. goals.
The goal is to register the personal information of the software as needed to generate a registration code. And the software must be able to verify whether the registration code is valid. In addition, it can prevent others from reverse calculation of verification algorithms to generate registration machines. It can prevent others from using brute force cracking methods, directly modifying the software Execution Code, and bypassing registration.

Ii. Methods
To achieve the above objectives, there are two important aspects. First, the choice of algorithm generated by the registration code; second, the software should have its own verification mechanism to prevent the executable program from tampering. The following two points are discussed respectively.

1. Select an algorithm for generating registration codes
Nowadays, many software providers have registration machines. The major reason is that the algorithm generated by the software registration code is too simple. Hackers can easily extract registration algorithms from the disassembly code and easily restore them to C code. These attacks cannot be regarded as masters, but they can also be regarded as cool people. I have also learned the relevant knowledge. It is not difficult to understand the disassembly code. What is difficult is to find the call relationship between each other in a large number of Assembly codes and to write the corresponding code in reverse order; of course, some lazy people directly extract the compilation code, so they can achieve the goal of cracking without understanding the detailed execution process.
To put it bluntly, no matter how Nb someone else is, he should at least disassemble the Code, at least look at the assembly code. If our algorithms are powerful enough, they will be done. Today's standard encryption algorithms are nothing more than symmetric encryption and asymmetric encryption. We also don't need to create algorithms. Don't do anything thankless. Our own algorithms are far less secure than common algorithms. First, I would like to briefly list common algorithms and explain why we should select the algorithms we want.
A.Symmetric encryption algorithms are now popular in des and AES. Des algorithms are widely used in the banking industry. AES has appeared late, but its security is better than DES. Symmetric encryption is called symmetric encryption. encryption and decryption use the same password. If we use it to generate a registration code, we must keep this key in our software. No matter where the key is, it always exists in one place, and we cannot guarantee the security of the key. The reason is simple. The attacker only needs to follow the code to know where to read the key.
B.Asymmetric encryption includes RSA and elliptic curves. The most popular one is RSA. Although the efficiency and security of the elliptic curve are better than that of RSA, it is complicated and I have not yet understood the principle. The so-called asymmetric mechanism is because it has two keys, one known as the public key and the other known as the private key. The public key can be released externally, while the private key is saved by itself. Encryption with the public key must be decrypted with the private key. Otherwise, encryption with the private key must be decrypted with the public key. Therefore, we know that we can save the public key content in the software, which can be made public (of course, it is necessary to hide it inside the software, in short, we can try all the things that can cause the difficulty of cracking ). Then, we can keep the private key. If someone else cannot obtain the private key, the Registration Code cannot be calculated.

2. Now we know that we can use the RSA algorithm and ensure software security. At least the registration machine cannot be generated because others do not have the private key. However, we can follow the process below for details.

A. Registration Code Generation Process:
Registration Information (including user name and other information) ---> RSA private key encryption ---> registration code.

B. Software verification registration code process:
Registration Code ---> RSA Public Key decryption ---> registration information.

3. Solved the first goal. It is still difficult for us to prevent others from directly tampering with binary executable files, thus bypassing the verification of the registration code. However, there are always methods. To solve this problem, I came up with a method: software self-verification. The specific method is as follows:
A.We generate verification values for our software. Here we use the Digest algorithm. The most commonly used Digest algorithm is MD5. I believe you have heard of it, so we will not detail it here. We only need to read executable programs during software execution (in windows, your execution file is readable, but if you want to rewrite yourself, you cannot) and calculate the check value.
B.Next, we can determine whether the verification value is correct. If it is incorrect, our software can directly commit suicide.

But there is a problem here. How can we store the correct verification value in the software? It cannot be stored in a file or registry, so that you will be known later. Others can directly modify the verification value to make it the same as the error verification value, thus deceiving the software verification. Here is a method: Return to the method described in (and. How to return? Let's continue.

4. Save the software verification value: Integrate the verification value with the registration code. The process for modifying () is as follows:

A. Registration Code Generation Process:
Registration Information (including user name and other information) + software verification value ---> RSA private key encryption ---> registration code.

B. Software verification registration code process:
Registration Code ---> RSA Public Key decryption ---> Registration Information + software verification value.

In this way, we can determine whether the software has been successfully registered. First, calculate the registration information and software verification value according to the above steps, and then compare the two with the current user information and the calculated verification value. If both match, the software has been successfully registered.

5. Try to crack.
If you know the detailed process, how can you crack the software? First of all, we know that the registration machine cannot be written. The only solution is profiteering cracking, but profiteering cracking adds self-verification to the software. However, there are always a few hundred secrets, which can still be achieved by profiteering cracking. Let's first review if we have added the verification code according to the above method. So our code is almost written like this:

Int rsa_check (char * Sn ){
The verification value of the function compute software decrypts the verification value and user information based on the registration code Sn, and then compares whether the verification is successful.
}
....
When the software is started, we call the above functions.
If (rsa_check (SN) {<-------------------------- ①
Here, if the verification fails, exit (0 ~
}

However, the critical weakness lies in the ① position above. Because the location assembly is similar to this:
Je XXXXX
....
....

It's just a jump statement, so the attacker directly changes it to JNE or another JMP command, and our efforts are all done. In this case, our Code cannot be written like this, or our method should not be so simple. At least, we can do this:
1. Do not write the validation algorithm as a unified interface.
2. Do not make judgments only in one place. This is actually very simple and effective. If you want to, you can add a few more judgments in areas with low efficiency requirements in the software, which is quite painful for the hackers, at least he cannot find all key locations at the same time. As long as a change fails, our self-verification takes effect, and we have the right to perform subsequent actions. For example, directly Delete the program itself (of course, you must close yourself and then call another process to delete the software.
3. An additional process is initiated to monitor and verify each other with the main process. If an exception occurs in the registration of the other party, kill the other party and kill the executable program of the other party. It sounds cheap, but it's not useful, and I don't know.
4. If you want to prevent a registration code from being used everywhere (Chinese people help each other), you can add the information of the target machine to the registration information.
4. There will be a lot of such methods, and everyone can do it freely.

Iii. Summary
After the above discussion, I think there is no absolute security. Sometimes, if your software doesn't want to be cracked, you can only curse those immoral people. But we can make them even more painful. At least cainiao won't be able to do anything at will. In China, if you write a software program, it will be open-source and free. Don't count on it to support your family.

Iv. Attachment
RSA encryption/Decryption Implementation Code