我正在开发一个Windows应用程序。这就要求用户在注册使用它... 现在，我在我的存储在应用程序数据文件的许可信息。但是，删除该文件重置试用版的日期。所以，我现在打算将它保存在注册表中。 但是，大多数用户不会有管理权限（受限用户）在Windows中访问注册表。 我能做什么 ？我在哪里可以救我的序列号和日期？

I am developing a Windows Application. That requires users to register to use it... Now, I am storing my license info as a file in APpData. But deleting that file resets the trial version date. So, I am now planning to save it in registry. But, Most of the Users will not have administrative privileges (Limited Users) in Windows to Access the registry. What can I do ? Where can I save my serial number and date ?

推荐答案

在我看来，关键是你必须改变如何您管理您的许可证。

In my opinion the point is you have to change how you manage your license.

如果他们删除许可证数据文件，然后重新启动审判？不要启动应用程序，如果文件不存在，并与它的安装了安装操作第一次创建它。

If they delete license data file then trial restarts? Do not start application if file doesn't exist and create it with an install action first time it's installed.

现在你面临的第二个问题：如果他们卸载并重新安装应用程序？第二步是到本文件移动到应用程序数据文件夹（例如的 Environment.SpecialFolder.CommonApplicationData ）。这是更安全的只是一点，它仍然可以为他们手工查找和删除（因为应用程序数据不会被卸载时删除），但。如果应用程序将通过低权限的用户可以安装没有什么可以做，（你不能尝试的隐藏的某处注册证）。

Now you face a second problem: what if they uninstall and reinstall application? Second step is to move this file to application data folder (for example Environment.SpecialFolder.CommonApplicationData). This is just little bit more safe (because application data won't be deleted when uninstall) but it's still possible for them to manually find and delete it. If application will be installed by low privileges users there isn't much you can do (you can't try to hide license somewhere in Registry).

现在是你的饼干的之间的博弈。他们会取胜，始终。你只会使合法用户的生活更辛苦，所以看的暨花岗SALIS 的。在这里您可以存储许可证数据：

Now it's a game between you and crackers. They'll win, always. You'll only make life of legitimate users more hard so read cum grano salis. Where you may store license data:

注册。优点：容易做到。缺点：容易开裂和低权限的用户是只适用于每一次一个用户。注册表键（每用户群）可以以某种方式的隐藏的，如果它有 0 在其名称。看看到this好贴。 文件。优点：容易做到和海事组织一点比登记更安全。缺点：容易破解（但可以将其隐藏更多，见后） 应用程序本身（数据附加到你的可执行文件，一些有关的字this帖子）。优点：很难检测到。缺点：防病毒可能会认为这是...病毒和应用程序更新可能会删除许可证太（当然，如果你不处理这种情况正常），所以它会让你的code和部署更为复杂 Registry. Pro: easy to do. Cons: easy to crack and for low privileges user it's valid only for one user per time. A registry key (in a per-user base) can be somehow hidden if it has in its name. Take a look to this nice post. File. Pro: easy to do and IMO little bit more safe than Registry. Cons: easy to crack (but you can hide it more, see later). Application itself (appending data to your executable, few words about that on this post). Pro: harder to detect. Cons: an antivirus may see this as...a virus and an application update may delete license too (of course if you don't handle this situation properly) so it'll make your code and deployment more complicated.

如何隐藏在一个文件许可？ 如果你想用一个文件（也不要紧它位于哪里），你可以考虑做饼干的生活（点点）更难。两种解决方案来我的心现在：

How to hide license in a file? If you're going with a file (it doesn't matter where it's located) you may consider to make crackers life (little bit) harder. Two solutions come to my mind now:

备用数据流。文件附加到另一个文件，他们将看不到它，只需在Windows资源管理器的搜索。当然也有工具来管理他们，但至少他们必须显式搜索。

Alternate Data Streams. File is attached to another file and they won't see it with just a search in Windows Explorer. Of course there are utilities to manage them but at least they have to explictly search for it.

隐藏其内的应用程序数据（位图，例如，使用隐秘） 。他们只是不知道它的许可证数据，更重要的是安全的？问题是，他们可以很容易反编译你的C＃程序，看看你做什么（查看关于 $ C C混淆 $段）。

Hide it inside application data (a bitmap, for example, using steganography). They just don't know it's license data, what's more safe? Problem is they can easy decompile your C# program to see what you do (see paragraph about Code Obfuscation).

可能很多人（幻想这里是我们的主人），但不要忘了......饼干会发现它（如果他们真的想），所以你必须平衡你的努力。

Probably many others (fantasy here is our master) but don't forget...crackers will find it (if they really want) so you have to balance your effort.

保持你的许可模式现在死的路径。你必须要决定的是，如果风险他们使用的试验时间超过允许的风险比他们停止使用，因为无聊的保护您的应用程序提供更高。

Keeping your license schema you're now on a dead path. Decision you have to take is if the risk they use trial longer than allowed is higher than risk they stop to use your application because of boring protection.

验证 如果你可以假设他们有一个网络连接，那么你可以使用一些的确认上线（仅适用于第一次运行你的应用程序）牌照的唯一ID 的（即使它是关于Windows 8，你可以看看到这个职位上的SO ）。服务器端验证可以是pretty的麻烦（如果你想这样做以正确的方式），在this帖子解释程序流程的一个例子来管理，在一个适当的方式。

Validation If you can assume they have a network connection then you may validate license on-line (only first time they run your application) using some unique ID (even if it's about Windows 8 you may take a look to this post here on SO). Server side validation can be pretty tricky (if you want to do it in the right way), in this post is explained an example of program flow to manage that in a proper way.

数据模糊处理/加密 您的许可文件/数据存储在一个安全的地方。几乎饼干会发现它。现在，你需要另一个步骤：混淆。如果您的许可证数据为明文，一旦他们发现你的文件时，它太容易去改变它。

Data Obfuscation/Encryption Your license file/data is now in a safe place. Hardly crackers will find it. Now you need another step: obfuscation. If your license data is in plain text once they found your file it's too easy to change it. You have some options (ordered by increased security and complexity):

模糊处理的文件。如果他们无法理解什么是用一个简单的文本编辑器（甚至是一个十六进制编辑器），在文件中，那么他们将需要更多的时间和精力去破解它。例如，您可能COM preSS他们：看到这个帖子关于XML文件混淆与COM pression 。请注意，也有简单的base64编码会混淆你的文本文件。 加密他们机智对称算法。即使是一个非常简单的将工作做好，在这里你只是想隐藏的数据。请参见这个职位一个例子。我没有看到一个原因preFER此方法简单混淆。 加密他们的非对称算法。 这种加密是在复杂性和安全性的一大步，它会是（非常）有用只有当许可令牌是由一个服务器/外部实体提供。在这种情况下，它会混淆其私钥签名的授权。客户端应用程序将验证签名与公钥即使饼干会发现这个文件（和反编译你的code读取公钥），他们仍然无法改变它，因为他们没有私钥。 Obfuscate your files. If they can't understand what's inside a file with a simple text editor (or even a hex editor) then they'll need more time and effort to crack it. For example you may compress them: see this post about XML file obfuscation with compression. Note that also a simple base64 encoding will obfuscate your text files. Encrypt them wit a symmetric algorithm. Even a very simple one will work well, here you're just trying to hide data. See this post for an example. I don't see a reason to prefer this method to a simpler obfuscation. Encrypt them with an asymmetric algorithm. This kind of encryption is a big step in complexity and security and it'll be (very) useful only if license token is provided by a server/external entity. In this case it'll obfuscate license signed with its private key. Client application will validate signature with its public key and even if cracker will find this file (and decompile your code to read public key) they still won't be able to change it because they don't have private key.

请注意，数据混淆/加密可以配合使用上述隐写（例如隐藏图像内加密许可证文件）。

Please note that data obfuscation/encryption can be used in conjunction with above mentioned steganography (for example to hide encrypted license file inside an image).

ç混淆 $ C $ 如果你不使用许可证签名与非对称加密那么最后一步是混淆你的code。不管你会做，他们就可以看到你的code，检查你的算法和解决办法吧。那么伤心，你部署说明书！与混淆器混淆，如果你想，但我强烈建议是将您的许可证检查在一个不太明显的地方。

Code Obfuscation If you're not using license signing with asymmetric encryption then last step is to obfuscate your code. Whatever you will do they'll be able to see your code, check your algorithm and workaround it. So sad, you're deploying instructions manual! Obfuscate with an Obfuscator if you want but what I strongly suggest is to move your license check in a less obvious place.

把你所有的许可证相关的code在一个单独的DLL。签字。 在你的可执行文件的资源包它（有没有这么明显的名字），不要部署DLL。 在处理事件 AppDomain中。 AssemblyResolve ，当你的DLL将需要在运行时，你会解压在内存中，并返回字节的流。查看更多有关这项技术的这个杰弗里里希特的帖子。 Put all your license related code in a separate DLL. Sign it. Pack it inside your executable resources (with a not so obvious name) and do not deploy DLL. Handle event AppDomain.AssemblyResolve, when your DLL will be needed at run-time you'll unpack in memory and return its stream of bytes. See more about this technique in this Jeffrey Richter's post.

我喜欢这种方法，因为他们会看到有一个许可证检查，但......他们会找不到许可证code。当然，任何良好的裂解装置将解决这个问题，在10分钟内，但你会（多一点），从安全的任意的那些。

I like this method because they'll see there is a license check but...they won't find license code. Of course any good cracker will solve this issue in 10 minutes but you'll be (little bit more) safe from random ones.

要总结一点点，这是什么，你的列表可以的也提供了更强的许可证检查（你可以跳过，当然一个或多个步骤，但这样会降低安全）：

To summarize a little bit this is a list of what you may do to provide a stronger license check (you can skip one or more steps, of course, but this will reduce safety):

在分裂您的许可检查code的两个组件（一个执行检查和管理许可证，并另提供一个公共接口的引擎）。 在强征的所有程序集。 您嵌入的许可发动机总成的在你的许可界面的部件（请参阅 $ C C混淆的部分$）。 创建，将管理许可证的许可证服务器。要小心，使其安全，有安全的连接和安全的身份验证（见的验证的部分）。 保存许可证本地文件中的安全的位置（见的其中，的部分）和加密与非对称加密算法（见的数据混淆的部分） 有时候验证执照，许可证服务器（见的验证的部分）。 Split your license check code in two assemblies (one to perform the check and manage license and the other to provide a public interface to that engine). Strong sign all your assemblies. Embed your License Engine assembly inside your License Interface assembly (see Code Obfuscation section). Create a License server that will manage your licenses. Be careful to make it secure, to have secure connection and secure authentication (see Validation section). Save license file locally in a safe location (see Where section) and encrypted with an asymmetric encryption algorithm (see Data Obfuscation section). Sometimes validate license with your License Server (see Validation section).

附录：软件保护加密狗 有关硬件按键小编（软件保护加密狗的）。他们是一个宝贵的工具，以保护您的软件，但是你必须更仔细地设计你的保护。你可以假设硬件本身是非常安全的，但不足之处是它的计算机和软件的通信连接。

Addendum: Software Protection Dongles A small addendum about hardware keys (Software protection dongles). They're an invaluable tool to protect your software but you have to design your protection even more carefully. You can assume hardware itself is highly secure but weak points are its connection with computer and communication with your software.

想象一下，只需您的许可证存入键，黑客可以使用外置USB（假设你的SPD是USB）分享与多台计算机相同的密钥。还应该存储一些硬件唯一ID密钥内，但在这种情况下，薄弱点是连接（硬件可以是模拟的由软件驱动程序）。这是一个pretty的容易开裂，这种虚假的安全感（我使用软件保护加密狗，我的软件是那么安全的）将让您的应用程序更加容易（因为你的风险，以忘了的其他基本的保护，以简化许可证管理）。

Imagine to simply store your license into the key, a cracker may use an external USB (assuming your SPD is USB) to share same key with multiple computers. You should also store some hardware unique ID within the key but in this case weak point is connection (hardware can be emulated by a software driver). It's a pretty easy crack and this false sense of security ("I'm using Software Protection Dongle, my software is then safe") will make your application even more vulnerable (because you risk to forget other basic protections to simplify license management).

VS成本使用SPD应该让你考虑使用普通U盘一个贫穷的设计保护的好处。它花费1 $，而不是15 / $ 20（或更多）的SPD，你必须防范的休闲的饼干相同的水平。当然，它不会停止的严重的裂解装置也是一个可怜的设计SPD也不会停止。

Cost vs benefits for a poor designed protection using SPD should make you consider to use a normal USB pen drive. It costs 1 $ instead of 15/20$ (or much more) for a SPD and you have same level of protection against casual crackers. Of course it won't stop a serious cracker but also a poor designed SPD won't stop it.

一个的真正的保护（假设你不是一个的DRM功能的设备上运行）是加密狗也可以执行你的code 。如果可以的移动的一些基本算法（至少是至关重要的解密 - 动 - 支持文件）​​插入钥匙，然后要破解软件，他们将需要破解的硬件。对于半像样的加密狗，这是一个非常非常非常艰巨的任务。更仔细地你设计这个多code，你进入了关键的多，你就安全了。

A true protection (assuming you're not running on a DRM enabled device) is a dongle which can also execute your code. If you can move some basic algorithms (at least to decrypt vital - and dynamic - support files) into the key then to crack your software they will need to crack hardware. For a half-decent dongle this is a very very very hard task. More carefully you design this and more code you move into the key and more you'll be safe.

在任何情况下，你要怀疑的营销活动：软件保护，加密狗不容易。它的可以的（多）更安全，但它并不像厂商说的那样简单。在我看来的插件正播放的相比，它的（收益=多少会让饼干的生活困难）保护成本太高。

In any case you should doubt about marketing campaigns: software protection with a dongle isn't easier. It can be (much) more safe but it isn't as easy as vendors say. In my opinion plug-n-play protection cost is too high compared to its benefits (benefits = how much it'll make crackers' life harder).