Solved

Software Subscription Verification

Posted on 2013-10-29
9
403 Views
Last Modified: 2013-11-02
Dear Experts,

I am designing a method of verifying valid software subscription status. On startup, the software contacts the server and receives the number of days remaining in the subscription. I would like to allow a maximum of 3 uses at a time without connecting to the internet, but require connection on at least every 4th use to verify the subscription.

What's the best way to encrypt and store the number of uses that have occurred without connection to the web?

Thanks!
0
Comment
Question by:ttobin333
  • 5
  • 4
9 Comments
 
LVL 19

Expert Comment

by:mrwad99
ID: 39611137
I have done exactly this at my last company, and the way to go is without a doubt to wirte it in the windows registry.

Now, I worked purely in C++, but you can access the registry via VB even more easily.  Incidentally, the article http://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs talks about hiding registry keys altogether so they can only be manipulated via code; this prevents a fiddling user deleting the keys from regedit automatically!

When you uninstall your application, make sure you don't delete the key that you write to, otherwise a clean install would reset the count!
0
 

Author Comment

by:ttobin333
ID: 39611413
Thank you! My software also runs on a mobile drive without installation onto a host computer. Would some sort of encrypted ini file that also contains the license key validation be an option? Any suggestions on how to perform this?
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39611433
You are welcome :)  

Regarding an ini file; well, yes it is possible to do that but it would be very easy to circumvent.  Consider if you encrypt the file, the user looking at it does not know what it means, but figures that because it is encrypted, it must have some important purpose.  Then, then, after N runs. the app requires verification.  The user will know that some logic must have determined that it was time for this to happen, so the first thing they would think is that it must be written to the ini file, since that is the only thing that is encrypted.  Furthermore, you would need to update the ini file each time a "run" is used; a file that is updated on each run is a big giveaway to its purpose.

So, all the user would have to do is replace the ini file with the one originally installed, assuming they kept a copy.  If not, they could just get it from the installation files or off another user.  Or, if this is not possible, they could just replace the ini file with one from an earlier run, that contains information stating less than N runs have been carried out, again preventing verification.

I still think writing to the registry is the way to go.  Lots of "portable" software does this, so don't think that portable means "leaves no trace on the machine it is executed on".
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 19

Expert Comment

by:mrwad99
ID: 39613627
In fact, late last night I remembered at my old company we also used a second method for validating our software; I can't think what it was right now but tomorrow I will have access to it so please keep this question open until then as I might have a better answer for you!
0
 

Author Comment

by:ttobin333
ID: 39615801
Thanks, will wait for your update.
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39617734
It was a third party plugin that, thinking back about it now I have recalled what it is, did an incredibly good job of protecting the software (to the point of having to reinstall windows to get around the protection) but was a) expensive and b) difficult to use.

Go with the registry option.  If you use the hidden keys method, it would take someone with intimate windows programming knowledge to get around it :)
0
 

Author Comment

by:ttobin333
ID: 39618339
Can you give a VB6 example of how to set a registry key in native API using Unicode, as the article describes?
0
 
LVL 19

Accepted Solution

by:
mrwad99 earned 500 total points
ID: 39619072
I am sorry but I do not know Visual Basic.  I don't even have it installed.

If you choose to follow my suggestion, you need to follow a tutorial on registry access with VB: one such good one is at http://www.vbforums.com/showthread.php?563162-Working-with-Windows-Registry-using-Visual-Basic-6-A-complete-Tutorial.

Now, I have looked into how the linked CodeProject article does its magic, and referred to my own personal notes, and it relies on functionality being present in ntdll.dll.  Here is a sample from the example code off a SysInternals example (http://read.pudn.com/downloads111/sourcecode/windows/system/460388/REGHIDE.C__.htm), which the CodeProject article is based on:

	if( !(NtCreateKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtCreateKey" )) ) {

		printf("Could not find NtCreateKey entry point in NTDLL.DLL\n");
		exit(1);
	}
	if( !(NtDeleteKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtDeleteKey" )) ) {

		printf("Could not find NtDeleteKey entry point in NTDLL.DLL\n");
		exit(1);
	}
	if( !(NtSetValueKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtSetValueKey" )) ) {

		printf("Could not find NtSetValueKey entry point in NTDLL.DLL\n");
		exit(1);
	}

Open in new window


All this is doing is setting up function pointers to functions that are not exposed through header files, which are then used to achieve key hiding.

So, you have three options:

1) Replicate what RegHide.c does in your VB6 code.
2) Turn RegHide.c into a DLL, and call into it from your VB code.  You could get help with that here, but it is out of the scope of this question.
3) Adopt a less secure approach and write a normal registry key somewhere none-obvious, eg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, that keeps a count of the number of runs.  It is not uninstalled by your uninstaller (if there is one) and gets written on the first run of your app.  The tutorial on using the registry I gave at the top of this post should give you more than enough info on how to achieve this.

HTH
0
 

Author Closing Comment

by:ttobin333
ID: 39619215
Thanks for your help!
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was working on a PowerPoint add-in the other day and a client asked me "can you implement a feature which processes a chart when it's pasted into a slide from another deck?". It got me wondering how to hook into built-in ribbon events in Office.
This article describes some techniques which will make your VBA or Visual Basic Classic code easier to understand and maintain, whether by you, your replacement, or another Experts-Exchange expert.
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question