Product distribution questions

kjc1111
Hi all,

I have a product that was developed in VC++ and consists of an EXE file and several DLLs.  I would like to distribute a stripped-down version of the product for free and sell additional features on a feature-by-feature basis (each feature being independent of the others).  For example, if there are 10 features user A might purchase features 1, 2 and 6, user B might purchase features 3, 4 and 6, and user C might purchase all 10 features in a bundle.  Can anyone recommend a product that can do this?

I'd also like to protect the code from reverse engineering after it is published.  Can anyone recommend a product to do this?  Ideally, this would be the same product as the one for my first question, but this is not strictly necessary.

Thanks,
Kevin
Author

Commented:
Just to clarify - I need something that will do more than just package the product in trial and full releases of the software.   That is, I need a way to detect in the code whether a given feature has been paid for, so I can determine which menu items etc. to activate or hide/disable.

Thanks,
Kevin
I am using the Unikey dongle ( http://www.esecutech.com/ ). It's a hardware dongle that can be programmed to enable / disable software functions under various protection schemes. They can also be updated remotely by providing a digitally firmed file. And they also provide a wrapper that encrypts the exe to prevent reverse engineering.
But before choosing a protection scheme you must identify the risk and the cost you can support. If your application is cheap and has large distribution, maybe protecting it is not worth the cost - remember that no software can be completely protected, there will always be someone who is able to defeat your protection, the battle is between your cost and their cost.
I am happy with the esecutech.com Unikey dongle, they do not cost too much for the product I am selling (a single dongle costs about 30$) and the company gives great support, I had various problems with their library under macosx and they supported me very quickly and with great kindness.

Hope that helps.

Commented:
Hi Kevin,

Your question has not made it clear whether or not you are a programmer, so I am going to give this answer assuming that you are.

You don't need to buy a product to do this.  You need a webservice that your app can communicate with.  Assuming the add ons are not to be downloaded individually (that might be an easier option - more on that later) - that is, all features are already in the product you ship to everyone, it is just that they are not "enabled", as it were - the webservice tells the app which products have been purchased (say via a nice separate website).  The app then receives this information and writes away a registry key, perhaps an unsigned integer that uses "bit flags" for each feature.  This unsigned integer can be encrypted with some hardware unique value (say, the user's hard drive serial number) which gets unencrypted at runtime; if successful the features are unlocked.  This is to prevent one user giving their registry to another, thereby sharing the features.

Of course, this is easier said than done, but again, I assume you are a programmer or have access to people who could code this for you.

Now, regarding shipping each feature in a DLL: if you have 10 features, strip each one into a separate DLL, and change the app so that it looks for these DLLs, and loads whichever it finds.  You can then distribute "features" via DLL downloads or similar.

Anyway, that is what I would consider before going for a paid alternative...

HTH
Author

Commented:
HappyCactus - Thanks for the reply.  The product is designed for low cost / high volume and will not cost enough to justify a dongle.

mrwad99 - I'm a programmer but have little experience with web programming, which is partly why I was looking into 3rd-party software.  

I am planning to ship all features in one app and enable them on purchase, rather than have separate DLL downloads.  In theory I could probably change the code organization to use separate DLLs for each feature, but it currently isn't practical.  So unless I hear of a better solution I might have to use the registry as you are suggesting.  

In the meantime, can you point me to examples of how to implement the webservice (on the website and in the code)?  Would the website code be something I would have to develop from scratch, or are there tools out there I could drop into my website to do it?  I was just planning to put up a few pages using Google sites, would the process you are suggesting be possible?

Do you think it is worthwhile using a product like ASProtect to protect the code from reverse engineering?  Assuming that the product is successful it seems like a fairly small price to pay.  Have you heard positive or negative reviews about that product or similar products?

Thanks,
Kevin
There are many answers to your problem. You must balance the requirements with the cost for you and usability for your customers. For example, some protection schemes require an "always on" connection. It is not practical for all users. Keep in mind that what a customer buys is the functionality, not the protection scheme!

Author

Commented:
Hi again,
Is the following a reasonable way to distribute and sell the product?
Thanks,
Kevin
 
Distribution

1. build product using VC++

2. protect code and set up trial version of software using ASProtect

3. set up install file (I'm currently using CreateInstall)

4. upload install file to various download sites (e.g. mywebsite.com, download.com, etc)

5. customer downloads trial version

6. application disables advanced features when trial version expires if those features have not been purchased in the interim (stripped-down version of the code will continue to run)

Sales

1. "buy now" menu item in application will direct customer to appropriate page on mywebsite.com

2. customer chooses features from mywebsite.com

3. customer is directed to payment processing website to handle payment

4. payment processing website notifies mywebsite.com when purchase is complete

5. a registration key is created by the payment website or mywebsite.com and is mapped to a set of features on mywebsite.com

6. email is sent to customer by the payment website or mywebsite.com with the registration key and customer is directed to a "register" menu item in the application where the key can be entered

7. application sends the key to the mywebsite.com webservice and the webservice notifies the application which features have been purchased

8. the application creates an encrypted value using the unique hardware id and feature id for each purchased feature and stores that info in the registry

9. a given feature is unlocked if the unencrypted hardware id matches the hardware id for the computer on which the application is currently running

Customer Support

If/when the user tries to re-register the application on a different computer is it reasonable to ask them to do so by email? Or should the registration be automatic if some reasonable amount of time has elapsed (say six months) or some other conditions apply?



Author

Commented:
Just to clarify something - If each registered version of the application is hardware-locked to a specific computer, then would that eliminate the need to use an elaborate key generator?  

For example, say I assign the first customer the key 00001.  If/when the customer enters that key into the application, and the application sends that key and a hardware id to my webservice for verification about which features to activate, then I'll immediately know if the key is valid (e.g. it is entered in my customer database as registration pending), invalid (e.g. it is not entered in my customer database at all) or if someone is trying to use a copied version of the product (e.g. it is already registered in my database with a different hardware id).  Or am I missing something?

Thanks,
Kevin
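
The key-plus-hardware-id check Kevin describes, written out as an added example (not code from any poster in this thread). The class and method names are hypothetical, the database is an in-memory dict, and keys are drawn at random rather than sequentially because a pending key that can be guessed can be claimed by someone other than the buyer; `allow_extra_machine` stands in for the e-mail re-registration step raised under Customer Support.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ACTIVATED = "activated"            # pending key, now bound to this machine
    ALREADY_ACTIVE = "already_active"  # same key, same machine (e.g. a reinstall)
    UNKNOWN_KEY = "unknown_key"        # key is not in the customer database
    OTHER_MACHINE = "other_machine"    # key already bound to a different hardware id


@dataclass
class License:
    features: int                      # bit flags: bit 0 = feature 1, bit 9 = feature 10
    hw_ids: set = field(default_factory=set)
    max_machines: int = 1              # first hardware id is enabled automatically


class ActivationService:
    """Hypothetical server-side store mapping registration keys to licenses."""

    def __init__(self):
        self._db = {}

    def sell(self, features: int) -> str:
        key = secrets.token_hex(8)     # unguessable key, stored as "registration pending"
        self._db[key] = License(features)
        return key

    def allow_extra_machine(self, key: str) -> None:
        # Support decision made after the customer asks to add a machine.
        self._db[key].max_machines += 1

    def activate(self, key: str, hw_id: str):
        lic = self._db.get(key)
        if lic is None:
            return Outcome.UNKNOWN_KEY, 0
        if hw_id in lic.hw_ids:
            return Outcome.ALREADY_ACTIVE, lic.features
        if len(lic.hw_ids) >= lic.max_machines:
            return Outcome.OTHER_MACHINE, 0   # possible copied key: unlock nothing
        lic.hw_ids.add(hw_id)
        return Outcome.ACTIVATED, lic.features
```
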
If you are using any of the Digital River services (such as I described in my other question), then their preferred protection service is Armadillo by Silicon Realms. Digital River owns Silicon Realms.

You can do trialware with a default certificate and use different certificates to support the Silver/Gold/Platinum strategy I described in the other question. They provide a license server to prevent users from reinstalling too many times.

Armadillo will support your concept of multiple features through "secure sections" combined with license strings and a 32-bit value that's part of the license. However, Digital River's license server won't know how to manage merging multiple purchases into a single license code, so you would end up rolling your own license server. This is potentially several weeks of work (or possibly months, depending on the sophistication.) The opportunity cost alone dictates that it would be cheaper and easier to use a strategy that fits cleanly into the existing structure.

Author

Commented:
Hi Jim,

Thanks for the pointer to Armadillo, it seems to have a lot of nice features.  I've downloaded the trial version and will check it out.

Regards,
Kevin
Kevin,

the workflow seems reasonable, except for the "locking to the hardware" feature. I like hardware dongles because they permit using the software as a "floating" license, i.e. moving the software from pc to pc. I understand that the dongle expense is too high for the price of the software.
But remember that the protection scheme must not be too intrusive in the user experience, otherwise the customer will not use it. If I have to spend, say, 25$ to have a software, and I cannot use it for 6 months when my pc crashes, then, I'll not spend it.
Also, I usually have many virtual machines running windows in my mac, I exchange the machine for each project or customer, so I have many paid copies of my software installed, running one at a time, completely working. They have different machine ids, so your software will not work this way.
If it was for me, I would not buy your software.
This is to say, do not try to defeat piracy, just cohabit with it.

Except for this point, all the workflow seems reasonable.
Commented:
Kevin,

Building a webservice for a task like this is not trivial.  

You need to think about how essential it is that the users will not be able to gain access to the features which you deem to be "locked".  Whatever method you choose, it will not be fool-proof.  Given, the webservice option is very secure, but again not foolproof.

How about the following, from a purely programmatic point of view.

All the security is registry based.  You have an unsigned integer whose individual bits you use for each feature, i.e. bit 0 = feature 1, bit 9 = feature 10 etc.  Your software displays a dialog that lets users choose which features they want unlocking.  This dialog launches a web page with a simple query string that you can interpret, e.g.

www.YourWebSite.com/AuthorizeFeatures.aspx?Features=35&HWKey=983953

"HWKey" could be the unique hard drive serial of the user's machine, or some other machine-specific value.  "Features" is a set of bit flags, with bits 0,1 and 5 set (100011) in this example, i.e. features 1, 2 and 6.

This webpage has some sort of payment functionality.  When the user's payment has cleared, you display a unique number (also E-mail it to them) that contains

a) 35 (so your program can know that features 1, 2 and 6 have been unlocked)
b) 983953 (the HW key)

mangled together using some sort of encryption method, that 1) I am not going to tell you since it would be a huge security risk for your company 2) must be tough enough to be quite difficult to reverse-engineer.

Back in your app, the user then enters this number.  The SW unencrypts it, checks that the HW key part matches that of the local hard drive, then proceeds to unlock the features.  It also writes away the number to the registry, so the features remain unlocked between runs.  There is no risk of registry-sharing, since the unique number is tied to the machine with the hard drive serial specified.

No need for a web service.  There is even no need for a webpage; you could write a standalone app that does the number mangling, and have your customers telephone you.  Although this is not too friendly.

HTH
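
An added sketch of the offline unlock code described in this answer (not code from the thread). The post leaves the "mangling" unspecified; this substitutes an HMAC-SHA256 tag over the feature flags and hardware key, which authenticates them rather than hiding them, and the function names, field widths and secret are constructed for illustration. Because the secret has to ship inside the application, extracting it allows codes to be issued; a public-key signature checked in the app avoids embedding any issuing secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret. In this scheme the same value has to ship inside the
# application, so anyone who extracts it from the binary can issue codes.
SECRET = b"constructed-demo-secret"
TAG_LEN = 10        # truncated HMAC-SHA256 tag (assumption, keeps the code short)
PAYLOAD_LEN = 6     # 16-bit feature flags + 32-bit hardware key


def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]


def issue_code(features: int, hw_key: int) -> str:
    """Vendor side: bind the purchased feature flags to one machine."""
    payload = struct.pack(">HI", features, hw_key)
    return base64.b32encode(payload + _tag(payload)).decode().rstrip("=")


def unlocked_features(code: str, local_hw_key: int) -> list:
    """App side: 1-based feature numbers, or [] if forged or for another machine."""
    try:
        text = code.strip().upper()
        raw = base64.b32decode(text + "=" * (-len(text) % 8))
    except ValueError:                 # not valid base32 at all
        return []
    if len(raw) != PAYLOAD_LEN + TAG_LEN:
        return []
    payload, tag = raw[:PAYLOAD_LEN], raw[PAYLOAD_LEN:]
    if not hmac.compare_digest(tag, _tag(payload)):
        return []                      # flags or hardware key were altered
    features, hw_key = struct.unpack(">HI", payload)
    if hw_key != local_hw_key:
        return []                      # code copied from another machine
    return [bit + 1 for bit in range(16) if features >> bit & 1]
```
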

Author

Commented:
mrwad99 - I like the process you've suggested and think it will support what I want to do.  Thanks!

HappyCactus - Good point about the hardware locking.  However, I think I can support a situation like the one you describe with a virtual machine by auto-enabling the features for the first hardware id, and asking the user to send an email to add additional hardware ids.  Not ideal, but I think it will work for now.

All - Thanks again to everyone who answered my questions.  I'll close the thread and try to distribute the points equitably.

Regards,
Kevin

Commented:
Glad to help :)
