ttobin333

Software Subscription Verification

Dear Experts,

I am designing a method of verifying valid software subscription status. On startup, the software contacts the server and receives the number of days remaining in the subscription. I would like to allow a maximum of 3 uses at a time without connecting to the internet, but require connection on at least every 4th use to verify the subscription.

What's the best way to encrypt and store the number of uses that have occurred without connection to the web?

Thanks!
mrwad99

I have done exactly this at my last company, and the way to go is without a doubt to write it in the Windows registry.

Now, I worked purely in C++, but you can access the registry via VB even more easily.  Incidentally, the article http://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs talks about hiding registry keys altogether so they can only be manipulated via code; this prevents a fiddling user deleting the keys from regedit automatically!

When you uninstall your application, make sure you don't delete the key that you write to, otherwise a clean install would reset the count!
ttobin333

ASKER

Thank you! My software also runs on a mobile drive without installation onto a host computer. Would some sort of encrypted ini file that also contains the license key validation be an option? Any suggestions on how to perform this?
You are welcome :)  

Regarding an ini file; well, yes it is possible to do that but it would be very easy to circumvent.  Consider if you encrypt the file, the user looking at it does not know what it means, but figures that because it is encrypted, it must have some important purpose.  Then, after N runs, the app requires verification.  The user will know that some logic must have determined that it was time for this to happen, so the first thing they would think is that it must be written to the ini file, since that is the only thing that is encrypted.  Furthermore, you would need to update the ini file each time a "run" is used; a file that is updated on each run is a big giveaway to its purpose.

So, all the user would have to do is replace the ini file with the one originally installed, assuming they kept a copy.  If not, they could just get it from the installation files or off another user.  Or, if this is not possible, they could just replace the ini file with one from an earlier run, that contains information stating less than N runs have been carried out, again preventing verification.

I still think writing to the registry is the way to go.  Lots of "portable" software does this, so don't think that portable means "leaves no trace on the machine it is executed on".

In fact, late last night I remembered at my old company we also used a second method for validating our software; I can't think what it was right now but tomorrow I will have access to it so please keep this question open until then as I might have a better answer for you!

Thanks, will wait for your update.

It was a third party plugin that, thinking back about it now I have recalled what it is, did an incredibly good job of protecting the software (to the point of having to reinstall Windows to get around the protection) but was a) expensive and b) difficult to use.

Go with the registry option.  If you use the hidden keys method, it would take someone with intimate Windows programming knowledge to get around it :)

Can you give a VB6 example of how to set a registry key in native API using Unicode, as the article describes?

ASKER CERTIFIED SOLUTION
mrwad99
This solution is only available to members.
Thanks for your help!
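
The ini-file replacement problem raised in the thread, as an added example that is not part of any participant's post: a locally stored counter protected with an HMAC detects hand edits, but an older copy of the same file still verifies. It is written in Python for illustration rather than VB6, and the key, the file layout and all function names are assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shipped inside the app (constructed)
MAX_OFFLINE = 3                # from the question: 3 offline uses, connect on the 4th


def seal(offline_uses):
    """Serialize the counter and append an HMAC-SHA256 tag over it."""
    body = json.dumps({"offline_uses": offline_uses}).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def unseal(blob):
    """Return the counter; raise ValueError if the contents were modified."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state file failed integrity check")
    return json.loads(body)["offline_uses"]


def start_offline(blob):
    """One offline launch: returns (allowed, new state file contents)."""
    uses = unseal(blob)
    if uses >= MAX_OFFLINE:
        return False, blob  # 4th consecutive offline use: verification required
    return True, seal(uses + 1)


def demo():
    state = original = seal(0)  # the file as first written
    for _ in range(MAX_OFFLINE):
        _, state = start_offline(state)
    result = {"fourth_use_allowed": start_offline(state)[0]}
    try:
        unseal(state.replace(b"3", b"0", 1))  # hand-edited counter
        result["edit_detected"] = False
    except ValueError:
        result["edit_detected"] = True
    # Authentic is not the same as latest: the original copy still verifies.
    result["old_copy_accepted"] = start_offline(original)[0]
    return result


if __name__ == "__main__":
    print(demo())
```

The same limit applies to any state kept only on the client, whatever the container: a cryptographic check shows the data came from the application, not that it is the most recent version.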