Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Software Subscription Verification

Posted on 2013-10-29
9
Medium Priority
?
414 Views
Last Modified: 2013-11-02
Dear Experts,

I am designing a method of verifying valid software subscription status. On startup, the software contacts the server and receives the number of days remaining in the subscription. I would like to allow a maximum of 3 uses at a time without connecting to the internet, but require connection on at least every 4th use to verify the subscription.

What's the best way to encrypt and store the number of uses that have occurred without connection to the web?

Thanks!
0
Comment
Question by:ttobin333
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 19

Expert Comment

by:mrwad99
ID: 39611137
I have done exactly this at my last company, and the way to go is without a doubt to wirte it in the windows registry.

Now, I worked purely in C++, but you can access the registry via VB even more easily.  Incidentally, the article http://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs talks about hiding registry keys altogether so they can only be manipulated via code; this prevents a fiddling user deleting the keys from regedit automatically!

When you uninstall your application, make sure you don't delete the key that you write to, otherwise a clean install would reset the count!
0
 

Author Comment

by:ttobin333
ID: 39611413
Thank you! My software also runs on a mobile drive without installation onto a host computer. Would some sort of encrypted ini file that also contains the license key validation be an option? Any suggestions on how to perform this?
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39611433
You are welcome :)  

Regarding an ini file; well, yes it is possible to do that but it would be very easy to circumvent.  Consider if you encrypt the file, the user looking at it does not know what it means, but figures that because it is encrypted, it must have some important purpose.  Then, then, after N runs. the app requires verification.  The user will know that some logic must have determined that it was time for this to happen, so the first thing they would think is that it must be written to the ini file, since that is the only thing that is encrypted.  Furthermore, you would need to update the ini file each time a "run" is used; a file that is updated on each run is a big giveaway to its purpose.

So, all the user would have to do is replace the ini file with the one originally installed, assuming they kept a copy.  If not, they could just get it from the installation files or off another user.  Or, if this is not possible, they could just replace the ini file with one from an earlier run, that contains information stating less than N runs have been carried out, again preventing verification.

I still think writing to the registry is the way to go.  Lots of "portable" software does this, so don't think that portable means "leaves no trace on the machine it is executed on".
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 
LVL 19

Expert Comment

by:mrwad99
ID: 39613627
In fact, late last night I remembered at my old company we also used a second method for validating our software; I can't think what it was right now but tomorrow I will have access to it so please keep this question open until then as I might have a better answer for you!
0
 

Author Comment

by:ttobin333
ID: 39615801
Thanks, will wait for your update.
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39617734
It was a third party plugin that, thinking back about it now I have recalled what it is, did an incredibly good job of protecting the software (to the point of having to reinstall windows to get around the protection) but was a) expensive and b) difficult to use.

Go with the registry option.  If you use the hidden keys method, it would take someone with intimate windows programming knowledge to get around it :)
0
 

Author Comment

by:ttobin333
ID: 39618339
Can you give a VB6 example of how to set a registry key in native API using Unicode, as the article describes?
0
 
LVL 19

Accepted Solution

by:
mrwad99 earned 2000 total points
ID: 39619072
I am sorry but I do not know Visual Basic.  I don't even have it installed.

If you choose to follow my suggestion, you need to follow a tutorial on registry access with VB: one such good one is at http://www.vbforums.com/showthread.php?563162-Working-with-Windows-Registry-using-Visual-Basic-6-A-complete-Tutorial.

Now, I have looked into how the linked CodeProject article does its magic, and referred to my own personal notes, and it relies on functionality being present in ntdll.dll.  Here is a sample from the example code off a SysInternals example (http://read.pudn.com/downloads111/sourcecode/windows/system/460388/REGHIDE.C__.htm), which the CodeProject article is based on:

	if( !(NtCreateKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtCreateKey" )) ) {

		printf("Could not find NtCreateKey entry point in NTDLL.DLL\n");
		exit(1);
	}
	if( !(NtDeleteKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtDeleteKey" )) ) {

		printf("Could not find NtDeleteKey entry point in NTDLL.DLL\n");
		exit(1);
	}
	if( !(NtSetValueKey = (void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
			"NtSetValueKey" )) ) {

		printf("Could not find NtSetValueKey entry point in NTDLL.DLL\n");
		exit(1);
	}

Open in new window


All this is doing is setting up function pointers to functions that are not exposed through header files, which are then used to achieve key hiding.

So, you have three options:

1) Replicate what RegHide.c does in your VB6 code.
2) Turn RegHide.c into a DLL, and call into it from your VB code.  You could get help with that here, but it is out of the scope of this question.
3) Adopt a less secure approach and write a normal registry key somewhere none-obvious, eg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, that keeps a count of the number of runs.  It is not uninstalled by your uninstaller (if there is one) and gets written on the first run of your app.  The tutorial on using the registry I gave at the top of this post should give you more than enough info on how to achieve this.

HTH
0
 

Author Closing Comment

by:ttobin333
ID: 39619215
Thanks for your help!
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When there is a disconnect between the intentions of their creator and the recipient, when algorithms go awry, they can have disastrous consequences.
Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question