Solved

Software Subscription Verification

Posted on 2013-10-29
Last Modified: 2013-11-02
Dear Experts,

I am designing a method of verifying valid software subscription status. On startup, the software contacts the server and receives the number of days remaining in the subscription. I would like to allow a maximum of 3 uses at a time without connecting to the internet, but require connection on at least every 4th use to verify the subscription.

What's the best way to encrypt and store the number of uses that have occurred without connection to the web?

Thanks!
0
Question by:ttobin333
9 Comments
 
LVL 19

Expert Comment

by:mrwad99
ID: 39611137
I have done exactly this at my last company, and the way to go is without a doubt to write it in the windows registry.

Now, I worked purely in C++, but you can access the registry via VB even more easily.  Incidentally, the article http://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs talks about hiding registry keys altogether so they can only be manipulated via code; this prevents a fiddling user deleting the keys from regedit automatically!

When you uninstall your application, make sure you don't delete the key that you write to, otherwise a clean install would reset the count!
0
 

Author Comment

by:ttobin333
ID: 39611413
Thank you! My software also runs on a mobile drive without installation onto a host computer. Would some sort of encrypted ini file that also contains the license key validation be an option? Any suggestions on how to perform this?
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39611433
You are welcome :)  

Regarding an ini file; well, yes it is possible to do that but it would be very easy to circumvent.  Consider if you encrypt the file, the user looking at it does not know what it means, but figures that because it is encrypted, it must have some important purpose.  Then, after N runs, the app requires verification.  The user will know that some logic must have determined that it was time for this to happen, so the first thing they would think is that it must be written to the ini file, since that is the only thing that is encrypted.  Furthermore, you would need to update the ini file each time a "run" is used; a file that is updated on each run is a big giveaway to its purpose.

So, all the user would have to do is replace the ini file with the one originally installed, assuming they kept a copy.  If not, they could just get it from the installation files or off another user.  Or, if this is not possible, they could just replace the ini file with one from an earlier run, that contains information stating less than N runs have been carried out, again preventing verification.

I still think writing to the registry is the way to go.  Lots of "portable" software does this, so don't think that portable means "leaves no trace on the machine it is executed on".
0
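
Added example (not part of the original thread), illustrating the point made in the comment above: a keyed MAC over the counter file detects edits, but an older copy of the file still verifies, so freshness has to come from a value kept outside the file. The key, the field names and `anchor_seq` are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real client the key ships inside the program,
# so the MAC only raises the bar against casual edits.
KEY = b"demo-key-not-a-real-secret"


class TamperedState(Exception):
    """The blob's MAC does not match its payload."""


class StaleState(Exception):
    """The blob is authentic but older than the anchor (a restored copy)."""


def seal(offline_uses: int, seq: int, key: bytes = KEY) -> bytes:
    """Serialize the counter and append an HMAC-SHA256 tag (hex)."""
    payload = json.dumps({"offline_uses": offline_uses, "seq": seq},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def unseal(blob: bytes, key: bytes = KEY) -> dict:
    """Verify the tag in constant time, then return the stored state."""
    payload, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise TamperedState("MAC mismatch")
    return json.loads(payload)


def unseal_fresh(blob: bytes, anchor_seq: int, key: bytes = KEY) -> dict:
    """Accept the blob only if it is at least as new as the anchor.

    anchor_seq is a hypothetical value kept outside the file (for example
    in the registry, or issued by the server at the last online check).
    """
    state = unseal(blob, key)
    if state["seq"] < anchor_seq:
        raise StaleState(f"seq {state['seq']} < anchor {anchor_seq}")
    return state
```

With blobs sealed at run 1 and run 3, `unseal` rejects an edited run-3 blob but accepts the restored run-1 blob; only `unseal_fresh` with an anchor of 3 rejects the restored copy.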
 
LVL 19

Expert Comment

by:mrwad99
ID: 39613627
In fact, late last night I remembered at my old company we also used a second method for validating our software; I can't think what it was right now but tomorrow I will have access to it so please keep this question open until then as I might have a better answer for you!
0
 

Author Comment

by:ttobin333
ID: 39615801
Thanks, will wait for your update.
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39617734
It was a third party plugin that, thinking back about it now I have recalled what it is, did an incredibly good job of protecting the software (to the point of having to reinstall windows to get around the protection) but was a) expensive and b) difficult to use.

Go with the registry option.  If you use the hidden keys method, it would take someone with intimate windows programming knowledge to get around it :)
0
 

Author Comment

by:ttobin333
ID: 39618339
Can you give a VB6 example of how to set a registry key in native API using Unicode, as the article describes?
0
 
LVL 19

Accepted Solution

by:
mrwad99 earned 500 total points
ID: 39619072
I am sorry but I do not know Visual Basic.  I don't even have it installed.

If you choose to follow my suggestion, you need to follow a tutorial on registry access with VB: one such good one is at http://www.vbforums.com/showthread.php?563162-Working-with-Windows-Registry-using-Visual-Basic-6-A-complete-Tutorial.

Now, I have looked into how the linked CodeProject article does its magic, and referred to my own personal notes, and it relies on functionality being present in ntdll.dll.  Here is a sample from the example code off a SysInternals example (http://read.pudn.com/downloads111/sourcecode/windows/system/460388/REGHIDE.C__.htm), which the CodeProject article is based on:

	if( !(NtCreateKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtCreateKey" )) ) {

		printf("Could not find NtCreateKey entry point in NTDLL.DLL\n");
		exit(1);
	}
	if( !(NtDeleteKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtDeleteKey" )) ) {

		printf("Could not find NtDeleteKey entry point in NTDLL.DLL\n");
		exit(1);
	}
	if( !(NtSetValueKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtSetValueKey" )) ) {

		printf("Could not find NtSetValueKey entry point in NTDLL.DLL\n");
		exit(1);
	}


All this is doing is setting up function pointers to functions that are not exposed through header files, which are then used to achieve key hiding.

So, you have three options:

1) Replicate what RegHide.c does in your VB6 code.
2) Turn RegHide.c into a DLL, and call into it from your VB code.  You could get help with that here, but it is out of the scope of this question.
3) Adopt a less secure approach and write a normal registry key somewhere non-obvious, e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, that keeps a count of the number of runs.  It is not uninstalled by your uninstaller (if there is one) and gets written on the first run of your app.  The tutorial on using the registry I gave at the top of this post should give you more than enough info on how to achieve this.

HTH
0
 

Author Closing Comment

by:ttobin333
ID: 39619215
Thanks for your help!
0
