  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 403

Software Registration Process

Hi Experts,

I have a software application that the user must activate with a serial number that we will give him.
This serial number will be valid for X Days. For example 1 x year (365 days) etc.

Following are the steps of our registration process:
1. User downloads the software.
2. We email the user a software registration number based on whether he bought a 1/2/3 year license.
3. User enters this serial number in the software.
4. The software will determine if it's valid by checking with our online MySQL database that this serial number has not been registered previously and then allow the further use of the software according to the license period.
5. After the serial number "online checking" has completed, the software needs to send this serial number to our online MySQL database with a request to flag it as being "USED" or "RESERVED" or whatever......  :)

OK, I know this sounds quite hectic, but I have laid out the process in a bit of detail just in case someone else has got a better idea than this which does not involve too much work.

My solution to this:
For checking and flagging a serial number I have thought to send the variables via a URL and then have a PHP script doing the work for me on the other side.
***But the problem is how can I determine the result from the script on the Delphi side***

For example:
To flag a serial number it should be quite easy:
I can use ShellExecute() with a URL, for example "http://www.signgenius.com/phpscript.php?serial=1234456343", as parameter, and on the PHP side I simply GET the variables from the URL and insert them into the MySQL database.

***BUT***

To check whether a serial number has been used prior to flagging it, I need to receive a response from the script.
I was thinking maybe to fake a page not found (404) error when the serial has been used, else a page found (200) if the serial number is OK.

------------Questions------------
1) So how can I from the PHP scripts side fake a page not found (404) or found (200) and
2) then in Delphi how can I receive these responses?
3) What would be a good implementation of a serial number which has an expiry date encoded? Any examples welcome.
4) And please feel free if you have any better suggestions.

0
Asked by: Marius0188
3 Solutions
 
DragonSlayerCommented:
1. At the server end, the PHP script can return a result (not necessarily a response code, it can be plain text), which would be encrypted. You can specify the responses that your app reacts to, e.g. if the PHP script returns code 100, it can mean that everything is OK. (Of course, again, the code will be *encrypted*).

2. I would recommend that you use an HTTP component such as Indy's TIdHttp. That way, when you issue a GET, you can just check the resulting response that you got.

e.g.

var
  Reply: string;

Reply := DecryptCode(IdHttp1.Get('http://www.signgenius.com/phpscript.php?serial=1234456343'));
// assume that DecryptCode is a function which decrypts the reply into something that your programme will understand

I would also suggest that instead of sending the serial in plain sight, it will be a good idea to encrypt it as well, because anyone with a proxy tool will be able to sniff out the GET.
0
 
JDSkinnerCommented:
Questions:
1.  Have you handled re-installation of the software on the same PC by the user?
2.  Have you handled re-installation of the software on another PC when the first PC became obsolete?

Have a look at the link below; it has some useful tips.
http://www.inner-smile.com/nocrack.phtml
0
 
sakuya_suCommented:
There is also another flaw in that security design: anyone with a custom-made proxy can also fake whatever your server sends as an OK serial number. So the proxy will return an OK code to the program and your server will never actually see the request.
0
jpedefCommented:
One solution is to use the TDownloadUrl action (in the ExtActns unit) and make your PHP script return some kind of ini file so you can easily have additional information, which you can show to your user. The actual response should be encrypted in some way.

  fDownload := TDownLoadURL.Create(self);
  try
    fDownload.Filename := 'C:\Temp\Result.ini';
    fDownload.URL := 'http://myserver.com/myscript.php?code=1234567890';
    fDownload.ExecuteTarget(nil);
    ParseResultIni('C:\Temp\Result.ini');
  finally
    FreeAndNil(fDownload);
  end;

Your software is time limited; hopefully you have considered what happens if the user turns the computer clock back?
0
 
JDSkinnerCommented:
Have a look at the last comment block in the thread indicated below, it may give you some ideas on serial number implementation.

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_21733559.html
0
 
Marius0188Author Commented:
>>Questions:
>>1.  Have you handled re-installation of the software on the same PC by the user?
>>2.  Have you handled re-installation of the software on another PC when the first PC became obsolete?

In regards to this comment, we have thought about it but we have decided not to REALLY block the user.
We would though just like to be able to identify serial numbers that have been misused.
For example:
If we see in the MySQL database (online) that a certain key has been used 5000 times in a single month, then it's quite likely been posted on some serial crack website. So we can now 1) identify this serial number, 2) disable it and 3) issue the original user a new serial should we think he is innocent.
0
 
Marius0188Author Commented:
May I ask all,

In general our goal is not to try and fight piracy 100% which will result in a very lengthy process.

We are aiming for the following:
1) Implement a simple, hassle-free (for the end user) security system just to stop the rookies from copying our software.
2) Track the use (qty) of serial numbers.
3) Yes, and then we would like to make it secure on the simplest level. As long as the user is not able to just make a raw copy and distribute it to all his friends, we are happy. Because he needs to distribute his serial number as well, and then we will be able to identify these misuses of serial numbers and we can track down the user.

Do you believe that the process I have explained in the very first comment will provide the best solution to this?
Does anyone else have a better solution?
0
 
Marius0188Author Commented:
And sorry, I forgot to add.

I would like more specifics on the creation of a time-limited serial.
I have read through the article listed on http://www.inner-smile.com/nocrack.phtml
and it was really helpful.

But some ideas of creating a serial number with expiry date embedded would also be appreciated.


Thanks in advance!
0
 
mwbowmanCommented:

Another option would be to use a 3rd party registration service such as Software DNA.  They provide the necessary SDK for connecting to their site and manage the registration issues for you.

Have a look at https://www.softworkz.com for more info...
0
 
JDSkinnerCommented:
Ok

First you need a serial number encryption system that allows you to encode not only the user's serial number but also the fact that it is time limited.

Have a database table with customers name, serial number, date allocated, current time limit and encrypted registration string (If issued).

You could issue software with a temporary activation key as standard.

The software when run for the first time checks the registry for a valid registration, as none has yet been entered, a registration key is requested. A default Registration key with 30 day timer is entered.

Once the user has entered this, then the encrypted data can be stored in several points within the registry, along with the encrypted installation or issue date. The format of the encrypted activation key should be modified prior to storage in case the user tries to find it with a registry search using the activation key you supplied.
Example:
Date encrypted as StrDate
procedure TfrmRegistration.InsertDateInstalled(strDate: string);
var Reg: TRegistry;
begin
    Reg:= TRegistry.Create;
    try
        Reg.RootKey:= HKEY_CURRENT_USER;
        if Reg.Openkey('<AnyFolderName>', true) then
            Reg.WriteString('<dateIssued>', strDate);
    finally
        Reg.CloseKey;
        Reg.Free;
    end;
end;

Thereafter, when the software is run, a number of different routines from various points within your software should extract the data from the registry and decrypt it. (Only the decryption routine should be in your supplied software.)
Then run a calculation against the current date to see if the software authorisation has expired. If the software is out of time, then set a number of booleans to flag the fact and take some sort of action. Set another registry value to record that the software has expired. This registry reading should be checked every time the software is run and acted upon.

To help prevent the user from resetting the date, encrypt within the registry the number of times that the software has been run; this should also be encrypted and stored in the registry. If the number of runs is checked and it exceeds a preset number, then action can again be taken.

Increment the number of times the software has been run after each check and re encrypt the result.

The activation code needs to look different for every new serial number that you issue, so that certain characteristics such as the time limit or lack of time limit are not identifiable, otherwise this may allow the user to change part of their serial number to affect the time limit.

Having embedded a time limit, you can either prefix it with an encrypted marker to indicate its start point or place it at a fixed point, although the latter is not advisable.

i.e. Variable length dummy prefix + Serial no xxx + Time Limit or No Limit + dummy suffix to pad string out

Below are two simple examples with a key code run up for this example only.

Dummy prefix variable Length + Serial Number 1234567890 + Time Limit 30+ Dummy suffix
NERK94wV9|5/Djd1X8KnALOJ-ejpEBelza0uXYz@tyoXKX8GbGUg0I2AQcG.YSGkLN:npMC/QrhcMSUE41@4W

Then the same serial and time limit with a slightly different prefix to give an entirely different activation key string:

Another prefix of variable Length + Serial Number 1234567890 + Time Limit  30+ different suffix
:0Dwn:F5g4IEaETZ9uYmxtHECBsQYqQ.21bzgNLdTQbsboSliCz1hWbWvhSO:TG3LNLTBavcquipjtU4P1@lHX2oNpXPa|0

The two encrypted strings contain the same base information but look entirely different.

When the user runs the software, the registry details should be looked up from a number of different points within your application and action taken according to the results returned.

Good luck


0
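
A sketch of the time-limited serial asked about in question 3 and discussed in the answer above, added here as an example and not code from any poster. Instead of padding with dummy prefixes and suffixes, it binds the serial number and expiry date with an HMAC computed and checked on the server, so the expiry is readable but cannot be altered without the server's key. `SERVER_KEY`, `issue_serial`, `check_serial` and the 6-byte layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import date

# Constructed demo secret. Assumption: the real key is random and lives only on
# the licensing server, never inside the shipped application.
SERVER_KEY = b"constructed-demo-key"
EPOCH = date(2000, 1, 1).toordinal()   # expiry is stored as days since this date
TAG_LEN = 9                            # 72-bit truncated HMAC-SHA256 tag

def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

def issue_serial(serial_id: int, expires: date, key: bytes = SERVER_KEY) -> str:
    """Return a 24-character key: 4-byte id + 2-byte expiry + 9-byte MAC, Base32."""
    payload = struct.pack(">IH", serial_id, expires.toordinal() - EPOCH)
    text = base64.b32encode(payload + _tag(payload, key)).decode("ascii")
    return "-".join(text[i:i + 6] for i in range(0, len(text), 6))

def check_serial(text: str, today: date, key: bytes = SERVER_KEY):
    """Server-side check. Returns (status, serial_id, expires)."""
    try:
        raw = base64.b32decode(text.replace("-", "").strip().upper())
    except ValueError:                 # binascii.Error is a ValueError subclass
        return ("malformed", None, None)
    if len(raw) != 6 + TAG_LEN:
        return ("malformed", None, None)
    payload, tag = raw[:6], raw[6:]
    # Constant-time comparison; any edit to the id or the expiry changes the tag.
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return ("forged", None, None)
    serial_id, days = struct.unpack(">IH", payload)
    expires = date.fromordinal(EPOCH + days)
    if today > expires:
        return ("expired", serial_id, expires)
    # Still to do by the caller: look serial_id up in the database to see whether
    # it is already flagged as used or has been disabled.
    return ("ok", serial_id, expires)

if __name__ == "__main__":
    demo = issue_serial(1234567890, date(2026, 6, 30))   # constructed sample values
    print(demo, check_serial(demo, date(2026, 1, 1)))
```

The check uses the server's date, so turning back the clock on the user's PC does not affect the online result.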
 
JDSkinnerCommented:
Another 3rd party piece of software can be downloaded from the link below.
This is supplied as Freeware and is quite comprehensive.

http://www.wakproductions.com/regware/
0
