WD15: Best end user licensing strategy & code?
Started by guest, 01 Nov. 2010 12:37 - 43 replies
Posted on 01 November 2010 - 12:37
I am a newbie developing a business app to be used either standalone or on a network accessing an HFCS database and I am trying to figure out the best strategy for managing licensing. It seems that conventional license add-on tools don't work with Windev, so therefore I have to roll-my-own. I am seeking a licensing method that will fulfill the following requirements:
1. Be simple to implement. I REALLY want to avoid having to do extensive custom coding of an installer so I'd like to use the built in Windev installation & update mechanism if at all possible.
2. Be simple for users to install & manage.
3. Be reasonably secure (the app will sell for US$250-US$750 per seat)
4. Require minimum maintenance when users move computers etc
5. To enforce the license, I want to have all documents print out the licensee company name etc.
There seem to be 2 licensing options:
PER CLIENT:
Pros:
Maximizes license revenue because each seat is licensed.
Probably more compatible with the Windev built-in installer/updater.
More conventional.

Cons:
A license is required for every client.
Likely more opportunity for problems during client installation.
Maintenance problems when a license must be moved to a new client computer.

PER CONCURRENT USER:
Pros:
Only one license is required for each server.
The client software could be freely installed on any number of computers.
Moving the app to different clients doesn't require license changes.
Cons:
Possibly fewer licenses are needed, so revenue is lower (or concurrent user price must be higher).
Not sure this can be done using the built-in installer.
Also, suppose I wanted to have a "Standard" & "Enterprise" version of my app. Which licensing method would be more compatible?
Licensing methodology must be a standard problem for most Windev developers but I see very little information or dialogue about how to handle this, or examples of code. To get me started I have Fabrice's "WDProtected" project & the Windev "WD Evaluation Period" project. But I'm still scratching my head trying to figure out where to start.
What has been your experience in doing this, and what would you recommend?
Are there any other resources or code out there for helping with this?
Many thanks,
Michael
Posted on 01 November 2010 - 12:37
Michael,
Have you considered the use of a hardware lock to control "per concurrent user" licensing?
This allows a user to have the software installed on multiple machines but only able to be used on any machine if it has the hardware lock attached.
If you are interested let me know and I will give you some ideas as you can use a simple $10 USB mass storage device as your hardware lock - this has been covered in previous threads but is probably worth going over again.
Milton
Posted on 01 November 2010 - 12:38
Hi Milton, thanks for that. Very useful.
I recall seeing some articles and code about this. It is certainly attractive from an implementation point of view. I would guess that coding this would be quick, and perhaps I should go this route. But the disadvantage is the cost and admin involved in Fedexing out the dongles.
Perhaps it's worth it, but I was hoping for a simple code-only solution.
Michael
Posted on 01 November 2010 - 12:39
> Hi Milton, thanks for that. Very useful.
> I recall seeing some articles and code about this. It is certainly attractive from an implementation point of view. I would guess that coding this would be quick, and perhaps I should go this route. But the disadvantage is the cost and admin involved in Fedexing out the dongles.
> Perhaps it's worth it, but I was hoping for a simple code-only solution.
> Michael

Hi Mike,
28 years ago, when we started out to make programs for bakeries, I ran over quite a number of programs of competing software makers which were either stolen or misused. 'Misused' in the sense of 'not used as licensed to'. At that time, licensing mechanisms were in their infancy, about half of the competition's programs had no licensing scheme at all!
Nowadays, we estimate that 10% of our own installed base is either stolen or misused. In the PR China, they say, about 90% of the software in use is stolen! In Eastern Europe it's about 50%. Thinking about an effective way of licensing while fighting the thieves is definitely worth your efforts!
First, there is no such thing as an unbreakable and un-misusable code-only licensing solution! If you let the customer input a license name, a serial number and a license key and hard-code that together with a set of options into an encrypted licensing file, your dear customer will be able to use the program on several unconnected computers and he/they will be able to kind of sub-distribute your software (together with the license file) to those who aren't willing to pay a dime! Showing name & address of the licensed customer on all windows and important printouts will definitely deter some of the amateur-thieves.
However, if your software is of high value (in price AND in usage) then be prepared that eventually there will be someone who puts your software under an in-memory debugger (SoftICE, IDA etc) and finds out what really happens when it checks the license file against customer name, serial# and options. Your program will be either 'cracked' (a simple GOTO or RETURN will de-activate the check-routine) or, even worse, they'll build a key-generator which will build a correct license file for any given customer info. Use good old google to find out about cracks and key-generators!
Bottom line: If you really want to have some copy protection or enforce usage of your software according to the license then you'd have to bind your software to a piece of hardware! Which is no 100%-solution but it's definitely better than all software solutions!
Microsoft binds most of their software to hardware parts of the computer which are bearing a unique serial number. So, their software is licensed to a certain piece of hardware. If this computer completely goes south there's no good way to re-license the software on the next one.
If we do the same as M$ does, then it leads us to the question what we are going to do if the customer calls and says that their computer is inoperational now and they'd like to have a new license for their new computer? During nights, on Saturdays and Sundays? And who says that their computer is really down?? After you sent them a new license they'd have two licenses while paying for one only!
Here we are. Which piece of hardware is portable and bears a unique serial number? Only a dongle does! But don't let yourself be fooled into a pricey piece of hardware and let someone earn their money with your work! All USB memory sticks do bear a unique serial number!
See my demo-project for reading the serial number of a USB memory stick:
http://www.windev.at/html/dongledemo.html
Kind regards,
Guenter
Posted on 01 November 2010 - 12:39
Many thanks Guenter,
"See my demo-project for reading the serial number of a USB memory stick:
http://www.windev.at/html/dongledemo.html".
I can't find a link there to a downloadable project, or is it only the text on the web page?
Michael
Posted on 01 November 2010 - 12:41
Uh, oh, sorry, there's a link to this page http://www.windev.at/html/usbfind.html and there you can download a project for USBFind(..) which btw will retrieve the serial# of a USB memory stick. USBFind(..) is only working with USB-sticks not with USB-connected hard drives, but in our case that doesn't matter.
Kind regards,
Guenter
Posted on 01 November 2010 - 12:41
I know that there is no fool proof way to protect software, but how do you handle trials?
I don't want to have to distribute a USB stick just to enable a trial. If an app can be run as a trial without a USB stick, can it be easily hacked to enable all features without having a USB stick? How do you deal with this?
Or for trial purposes do you distribute a different version of your app which has certain features missing from the code, so it can't be hacked?
Michael
Posted on 01 November 2010 - 23:11
Hi Michael,
No USB stick = Demo Mode. Demo Mode is restricted to a small number of customers, items etc, additionally all reports and documents show 'Demonstration Version'. We do not restrict demos in time. My experience is that the decision to download or to order a demo DVD is a momentary one and trials are neither installed nor run for quite some time. Sometimes, I'm getting orders for programs where the trials have been sent out a year or more ago!
Kind regards,
Guenter
Posted on 01 November 2010 - 23:11
Hi Everybody

and specifically, hi Guenter, as I am going to disagree with many of the
things you are saying here :-)

It seems to me that your main argument for a hardware solution is that
it's harder to hack than a purely software one. I'm afraid I disagree
totally on that one. If somebody is able to use a debugger to crack a
software solution and put a 'return', as you were saying, they can do
EXACTLY the same thing, with EXACTLY the same amount of work, for the
tests done on a piece of hardware...

And to compare to Guenter's code generator comment, you have to
understand that there are as many Hardware emulators out there that
there are brands and types of dongles... So no difference here either!

Basically ANY solution will be crackable by somebody able to use a
debugger...

In order to make it LESS breakable, here is the array of solutions that
I chose:

- Software only solution to avoid managing hardware, fedex, etc
- the protection works via the web: every so often, the software checks
on the web if its license is valid. At the same time, it can check for
updates, new information, etc... That solution works only if your
customers will always have a web connection (but today, that is probably
the case). If you sell a solution that NEEDS the web to work or better
that gets regularly updated via the web (new providers data, new
software version,etc.) then this solution is a perfect match.
- The protection schema links the PC (mac address, OS version, hard
drive serial number, or any combination) to a license number.
- The internet check verifies that the hardware matches the license
record. If not, the software is deactivated.
- The internet check also provides a possibility to check the public IP
of the user... You can even manage access protection for your customer,
with only some IP authorized, some specific users allowed mobile IPs,
etc...
- You can then provide the user with a web UI to deactivate PCs,
activate new ones, etc... So they can manage their license pool.
- You can even accept that a license is used by a new PC by offering a
dialog to the user telling him that the old PC license will be
automatically deactivated...
- You can restrict the number of times a license is moved (and you can
override all that)
- This solution provides a dynamic system allowing you to manage a
license per PC or even per concurrent user, as in that case you just
need a httprequest in your software every 5 minutes to reactivate your
concurrent user license and block if maximum+1 has been reached
- Local information is not stored in a license file, but in one of the
regular file in the DB. This means that deleting this file to restart
fresh will also delete valuable customer information. In the case of a
multi user program, this information is therefore in the DB on the
server, making it harder for an individual user to STEAL a license from
his employer.

----- Now the part to make hackers work harder -----------
-1- use of api to detect debugger and block the software if it's there
(windev component available for that on Vincent Roy web site)
-2- putting most (if not all) of the code of the application inside
components, as this will add a layer of encapsulation that will make
debugging the app more complex
-3- Encrypt the exe with an external tool (telock for example)
-4- Most of the calls to the protection system (doesn't matter which one
you choose) should be as random as possible: done in a timer whose
duration changes each time, done in different places in the app, done in
different threads, etc... This will again make cracking the app more
complex (often gives an app that is partially cracked then stops working
randomly)
----------------------
Now the problems with that solution:
- No internet connection : doesn't work (losing temporarily the
connection can be managed by accepting a delay in the verification.
Managing the per concurrent users system can be done against the local
DB, while the license verification itself remains on the web)
- Regarding #1 above: if you are able to use a debugger like ICE to hack
a software, you'll be able to remove the anti-debugger protection using
the debugger. It will just slow you down
- Regarding #2 above: debugging/hacking becomes more complex, not
undoable. It forces you to manage at least two projects: one to create
the component, and one to encapsulate the component
- Regarding #3 above: as there are code generators for software keys,
and dongle emulators out there, you can easily google the solution to
extract the original exe from an encrypted one. So once again, it's just
a slowing down solution.

I could probably continue like that for quite some time.

As a conclusion, I would say that you have to think of your ROI.
Whatever solution you choose, it will cost you in development and
management time. At what point is that investment more expensive than
the hackers?

I designed my solution to give me as much flexibility as possible, and
give me as LITTLE management as possible:
- no hardware to send,
- the user can directly manage his licenses on my web site UI (move them
around for example)
- they can buy new licenses directly,
- the licenses can be time (monthly) based, and the user can add seats
for their rush period and remove them later,
- the licenses are blocked automatically if payment is not done (with
paypal payment links+invoices sent automatically, and paypal telling
directly to my protection system when payments are made)
- The demo period is managed the same way, with the user's PC
registering without a license at a certain date/time (web server based)
and stopping to work after xx days... here again, you can override the
ending date and give the user 2 more weeks if needed, or anything else.

.... all that without me having to do anything :-)

Another interesting point is that you can turn what is generally a
constraint (protection schema is generally a pain for the customer) into
a marketing asset:
- Manage your seats online,
- save by reducing the number of seats during the vacation period
- Be fully flexible, add a license for your new hire in minutes
- Protect your data by using our IP checking system
and so on...

Of course, I do not expect everybody out here to agree with me :-)
In my 25 years of software development I have seen all kinds of schemas
used to protect software. None is perfect, and none will ever be.

Just choose the one you feel comfortable with

Best regards

--
Fabrice Harari
International WinDev, WebDev and WinDev mobile Consulting

More information on http://www.fabriceharari.com
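
A minimal model of the server side of the web-checked scheme described in the post above, added here as an illustration (it is not Fabrice's code and not a WinDev API). It covers binding a license to hashed PC attributes, a limited number of moves, the 5-minute concurrent-seat heartbeat and blocking on non-payment; the class names, status strings, session timeout and sample machines are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

HEARTBEAT_SECONDS = 300                # the post's "httprequest ... every 5 minutes"
SESSION_TTL = 2 * HEARTBEAT_SECONDS    # assumption: one missed heartbeat is tolerated


def fingerprint(mac: str, disk_serial: str, os_version: str) -> str:
    """Hash the PC attributes so the server never stores raw identifiers."""
    material = "\x1f".join((mac.lower(), disk_serial, os_version))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


@dataclass
class License:
    seats: int                  # concurrent users allowed
    max_machines: int           # PCs that may be bound at the same time
    max_moves: int              # how often a binding may be moved to a new PC
    paid: bool = True
    machines: set = field(default_factory=set)
    moves_used: int = 0
    sessions: dict = field(default_factory=dict)   # session id -> (fingerprint, last seen)


class LicenseServer:
    def __init__(self):
        self.licenses = {}

    def activate(self, key: str, fp: str) -> str:
        lic = self.licenses.get(key)
        if lic is None:
            return "unknown-license"
        if not lic.paid:
            return "blocked-unpaid"
        if fp in lic.machines:
            return "ok"
        if len(lic.machines) >= lic.max_machines:
            return "machine-limit"      # the client can now offer the "move" dialog
        lic.machines.add(fp)
        return "ok"

    def move(self, key: str, old_fp: str, new_fp: str) -> str:
        lic = self.licenses.get(key)
        if lic is None or old_fp not in lic.machines:
            return "not-bound"
        if lic.moves_used >= lic.max_moves:
            return "move-limit"         # vendor override would reset moves_used
        lic.machines.discard(old_fp)
        lic.machines.add(new_fp)
        lic.moves_used += 1
        # The old PC is deactivated, so its running sessions lose their seats.
        lic.sessions = {s: v for s, v in lic.sessions.items() if v[0] != old_fp}
        return "moved"

    def heartbeat(self, key: str, fp: str, session_id: str, now: float) -> str:
        lic = self.licenses.get(key)
        if lic is None:
            return "unknown-license"
        if not lic.paid:
            return "blocked-unpaid"
        if fp not in lic.machines:
            return "machine-not-bound"
        # Free the seats of sessions that stopped sending heartbeats.
        lic.sessions = {s: v for s, v in lic.sessions.items()
                        if now - v[1] <= SESSION_TTL}
        if session_id not in lic.sessions and len(lic.sessions) >= lic.seats:
            return "seats-exhausted"    # the "maximum+1" case from the post
        lic.sessions[session_id] = (fp, now)
        return "ok"


def demo() -> list:
    """Run a constructed scenario: 2 PCs, 1 concurrent seat, 1 allowed move."""
    key = "LIC-EXAMPLE-0001"            # constructed license number
    srv = LicenseServer()
    srv.licenses[key] = License(seats=1, max_machines=2, max_moves=1)
    pc_a = fingerprint("00:11:22:33:44:0A", "DISK-A", "Windows 7")   # constructed
    pc_b = fingerprint("00:11:22:33:44:0B", "DISK-B", "Windows 7")   # constructed
    pc_c = fingerprint("00:11:22:33:44:0C", "DISK-C", "Windows XP")  # constructed
    results = [
        srv.activate(key, pc_a),
        srv.activate(key, pc_b),
        srv.activate(key, pc_c),            # third PC exceeds max_machines
        srv.move(key, pc_a, pc_c),          # pc_a is deactivated
        srv.heartbeat(key, pc_a, "s0", 0),
        srv.heartbeat(key, pc_b, "s1", 0),
        srv.heartbeat(key, pc_c, "s2", 60),   # seat still held by s1
        srv.heartbeat(key, pc_c, "s2", 700),  # s1 expired after SESSION_TTL
        srv.move(key, pc_b, pc_a),          # only one move was allowed
    ]
    srv.licenses[key].paid = False          # e.g. payment notification missing
    results.append(srv.heartbeat(key, pc_c, "s2", 760))
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The decisions are taken on the server, so a client that skips its local check still holds no valid seat in the vendor's records; the client-side call sites remain patchable, as the post itself points out.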







Posted on 02 November 2010 - 08:01
> Or for trial purposes do you distribute a different version of your app which has certain features missing from the code, so it can't be hacked?
> Michael

Off the top of my head I'd do what others do and mark the application as DEMO MODE, NOT FOR PRODUCTION USE. And make an important field a one byte integer, like customer number or something they can attain after 9 or so months in the normal course of their business.
In code at the 250th record check to see if that field is a one byte integer. If so warn the user that the demo is rapidly coming to termination and an advertisement for the full version that will use the same data files the demo program is currently using.
If they have been using your program for production I think you may be getting a call.
My 2 euros worth.
Posted on 12 July 2011 - 10:51
Hi guys.
I was searching the forum to find some kind of licensing procedure. The one mentioned here (dongle with a flash-drive) was interesting until I found this: http://www.xboxharddrive.com/freeware.html
I tested it and it works. The serial number of your flash-drive is changed in a blink.
Does someone else have another idea??
Would it be possible to compile a Linux library or executable and format the flash-drive in ext3 for example? I never tried any compilation under the Linux platform.
Posted on 12 July 2011 - 10:53
Raul,
The web page you quote also states:

Guenter's solution uses just that - the hardware serial number set by the manufacturer.
I've also implemented a license system using USB memory sticks and it seems to work well.
Posted on 12 July 2011 - 10:54
Hello Darren.
So you are querying the manufacturer SN by Win API? Because fDriveinfo() only works with the other one in WD14.
Posted on 12 July 2011 - 12:04
Raul,
Correct, I don't think fDriveInfo() will give you what you need.
Without giving too much away ( ;) ) part of my solution uses USBFind to get the serial no. of a USB stick:
sDevices is string = USBFind(USBPropertyManufacturer," ")

There are several keywords you can use with USBFind to locate the USB stick based on Manufacturer, Class, Location etc...
See here:
http://doc.pcsoft.fr/en-US/?3090004&name=usbfind-function&q=usbfind&verdisp0
If USB device is not found, then switch to Demo Mode. If a USB device is found with the matching serial no., then let the user in...
Posted on 12 July 2011 - 15:15
Michael,
take an encrypted Hyperfile DB and put into the file the customer hardware. Check it when you open the file.
Regards

Thomas
Posted on 12 July 2011 - 18:43
Hi, I use the WinDev key gen functions and it works pretty cool. New in WinDev 16. It generates a code from the user's machine and you can put your own fields in as well, say name and email address. If you do this a huge code is produced. The client has to mail this code to me and I have a little program that generates a code from the code sent by the customer and it extracts name and email address as well. I send the code back to the customer, he pastes the code and the software is registered for a year.
After a year the client has to do the whole thing again.
It is not perfect because the user has to mail the code. And if someone cracks the standard WinDev key gen then it is cracked. I use this for a really cheap piece of software. Just to do some kind of protection.
Better way: use a web service.
The client has to fill his name and email address in a form. The key gen function is used to generate a code. The code is sent to a web service. The web service posts the name and email and other info to a website (WebDev).
Now the client has registered. The important thing is you know who the user is.
When the program runs the next time it randomly contacts the web service. The web service looks for the client info on the website. If the client is registered and he has paid, the web service contacts the program and gives the ok to run.
If the client has not paid, even after you contacted him via email, or if the email address is not a valid email address, then you go to the website and you place a check that the program may not run.
The next time the program contacts the web service the web service does not give an ok. The program stops working or gives a message that it will stop working or gets limited or does whatever you want. In some countries you need to give a warning first before disabling the software. So a message and disabling it after a month is recommended.
If the program cannot contact the web service it gives a message that a connection to the internet must be made and if no connection is made then it will stop working.

This is a way of registering that the user can do fast without waiting etc. For trial software this is important. For if it takes too much effort they will not even install the software. Now they can use the software right away.
Pros:
You know when someone installs the software. So you can contact them. If you build in as well that the program contacts the web service as well if it is uninstalled then you know that as well.
If someone really uses the program and gets contacted by you then they will pay and if not you can shut them down.
This is a lot of work. But if your software is selling over 500 euro then it's probably worth it. And once made, this functionality can be reused in other programs.
Regards Allard
Posted on 12 July 2011 - 19:46
Hi Allard,
If you use the standard key gen of WinDev without additional protection, anyone with WinDev can generate an activation code for your application. Ideally, you should also crypt, at least, the answer key and join additional data to it. This additional crypting would be known only by your software. Then complete the verification in checking the generated key.
Also, the generated key by WinDev works only for a physical PC. So it's not a good networked solution. But this point is described in the help.
Best regards,
Alexandre Leclerc
Posted on 13 July 2011 - 10:26
Hi Alexandre,
As I see it you can use the WinDev standard key gen, for it uses your dongle's ID to generate the key. Since every dongle is unique, so is the key you generate.
The physical PC thing is true. But my app is a one PC program so that's no problem.
Regards Allard.
Posted on 13 July 2011 - 10:28
Hi Allard,
If we both talk about KeyGenerateInitialKey() / KeyCalcActivationKey() then I'm afraid you might be surprised to know anyone can generate a key for you. It's not using your dongle to generate a unique key.
I sent a suggestion to PCSoft about this couple months ago when I encountered the problem trying to use this mechanism. Try the following code for yourself:
Trace(KeyCalcActivationKey("853D-6336-2E4E-8BC9-364D"))

The activation key will be: 4273-3635-6HGC-H44H-93C3
This is standard key generation. You must crypt your answer key with a process only you know. (And ideally for your initial key too.)
Send me one of your keys and I'll give you all your customer information and an unlock key.
The whole process is actually not secure. One of my suggestions was to add an additional parameter to give a "password" to generate a unique key for an application. The same principle as in Hash() functions where we can give a secret key with HMAC algorithm family.
This has been confirmed by PC Soft following my suggestion:
> In the current version of WINDEV, anyone who owns WINDEV will be able to activate the key in question.
> Your idea is interesting. I have passed it on as a suggestion to our development team so that they can study its implementation in a future version.
> For the time being, I advise you to encrypt the activation key on the application vendor's side and to decrypt it on the client side.
> Thank you for this suggestion, and I wish you good development.

Kind regards,
Alexandre Leclerc
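
The difference between an unkeyed activation key and the "password" variant suggested in the post above, as an added Python illustration (not code from the thread, and not the algorithm behind KeyCalcActivationKey(), which the page does not disclose). The SHA-256 stand-in, the field layout, the key format and all function names are assumptions; the initial key is the sample quoted in the post.

```python
import base64
import hashlib
import hmac
import re

# Five groups of four base32 characters, e.g. ABCD-2345-...
KEY_FORMAT = re.compile(r"^(?:[A-Z2-7]{4}-){4}[A-Z2-7]{4}$")


def _grouped(digest: bytes) -> str:
    """Render 100 bits of a digest as five groups of four base32 characters."""
    text = base64.b32encode(digest[:15]).decode("ascii")[:20]
    return "-".join(text[i:i + 4] for i in range(0, 20, 4))


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix every field so ("ab", "c") and ("a", "bc") never collide."""
    out = bytearray()
    for value in fields:
        raw = value.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def unkeyed_activation(initial_key: str) -> str:
    """Stand-in for a public derivation: no secret is involved, so everyone
    who has the algorithm gets the same activation key for an initial key."""
    return _grouped(hashlib.sha256(_encode_fields(initial_key)).digest())


def keyed_activation(vendor_secret: bytes, app_id: str,
                     initial_key: str, customer: str) -> str:
    """Activation key that also depends on a per-application vendor secret
    and on the customer data it is issued for."""
    message = _encode_fields(app_id, initial_key, customer)
    return _grouped(hmac.new(vendor_secret, message, hashlib.sha256).digest())


def verify_activation(vendor_secret: bytes, app_id: str, initial_key: str,
                      customer: str, presented: str) -> bool:
    """Recompute the key and compare in constant time.

    HMAC verification needs the same secret as generation, so this check
    belongs on the vendor's web service; a secret shipped inside the client
    can be read out with a debugger, as discussed earlier in the thread.
    """
    expected = keyed_activation(vendor_secret, app_id, initial_key, customer)
    normalised = presented.strip().upper()
    return hmac.compare_digest(expected.encode("ascii"),
                               normalised.encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-vendor-secret"          # constructed sample value
    initial = "853D-6336-2E4E-8BC9-364D"           # initial key quoted in the post
    issued = keyed_activation(secret, "demo-app", initial, "Example Bakery")
    print("unkeyed:", unkeyed_activation(initial))
    print("keyed:  ", issued)
    print("valid:  ", verify_activation(secret, "demo-app", initial,
                                        "Example Bakery", issued))
    print("other customer:", verify_activation(secret, "demo-app", initial,
                                               "Other Customer", issued))
```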
Posted on 13 July 2011 - 10:29
Hmm....... Did not know that.
Thanks
Allard
Posted on 13 July 2011 - 11:06
Hi Alexandre,
one thing should be clear: if you're using this mechanism for licensing then you're binding your application to a bunch of pieces of hardware - the customer's PC. And, worse than a dongle, the user will be unable to move over to another PC if the 'licensed' PC becomes defective. In fact, the PC IS the dongle now. It's similar to Windows or other applications. If a Windows-PC goes south (= it is no more usable) then I have to buy a new Windows for a new PC.
I lost 'Adobe Captivate' that way - a 1000 Euro piece of software. Adobe binds the application to the PC. Moving over to another PC involves the de-installation of Captivate on the first one. Huh? The motherboard got defective - no de-install possible. 'We're sorry, but .. simply, we don't care ..' Ok, I will not buy any Adobe products anymore, I learnt my lesson! Found out that Serif does the same when I tried to install a newly bought Web Page X5 to my win7-32 and win7-64 hard disks. Simply because I don't like to change hard disks for common applications. No second install possible. What, if the win7-64 hard disk goes bad and with it Serif's Web Page X5? No de-install - no re-install. Losing a hard disk involves purchase of the application for a second time?
Compare that to a dongle. I have WinDev 8,9 ..16 etc on *all* of my hard disks, WinDev 5.5 is running on the WinXP-32 hard disk. The WinDev-dongle is firmly stuck in its place, I'm just exchanging the hard disks. And no, I didn't have to buy the Windows 7*32, 7*64 and XP*32 separately, because the PC is a Fujitsu which came with all of these operating systems and they don't have to be activated at all!
Kind regards,
Guenter
Posted on 13 July 2011 - 15:38
Hi All
The problem in the end is the same if you choose a physical item to protect your software.
If the PC, Server or even dongle gets lost, stolen or damaged then you will need to make a decision as to whether to issue a replacement key ( = new license) or not.
Of course we all need to do what is best in our situation and take into account the security offered versus the risks involved.
I rolled my own solution many years ago using a combination of Crypt and Hash to produce a key based on information extracted from the registration details of the customer.
I could of course just as easily bind it to an item of hardware.
So far it has served me well as it gives me the flexibility of choosing what information to use as the seed for my key and even what parts of the key to use.
All of this is stored in a data (encrypted) file on the customer site - I keep my own copy.
Worst case all I need to do is send them a copy of License.fic (no, it's not called that) if the data is damaged.
Not foolproof but there again nothing is.
Just my 2 cents, euros, penneth
DerekT
Posted on 13 July 2011 - 16:47
Hi Jimbo,
Indeed it will bind specifically to the end user PC. It depends what you want to achieve. I also sent a second suggestion about this last month to allow a key generation with no binding so that it may work in networked environments. (All the job is already done, so supporting this is quite simple.)
I also made a third suggestion to allow one to send back additional data in the generated key (like serializing a class, etc). These three suggestions (including the one adding a "password" to the key generation process) would give a very flexible key generation option that I would use out of the box. It would be as secure as we are doing right now.
As DerekT suggested, we are also using our own mechanism right now. But we also use the actual key generation for handshaking: when doing web registration (live or through email) we can guarantee the PC who asked the key is the one who receives it. Then we are not using it further but our own licence and verification scheme. We will also consider the USB solution to protect our solution in the long run.
Best regards,
Alexandre Leclerc
Posted on 15 July 2011 - 01:37
Hi Guenter
Did you have confirmation please from PCSoft that the KeyGenerateInitialKey() commands are bound to the user's hardware? There is nothing about this - that I can see - in the help.
Using Alexandre's example:
sKey = KeyCalcActivationKey("853D-6336-2E4E-8BC9-364D")
KeyGetIdentifier("853D-6336-2E4E-8BC9-364D") returns an empty string,
and calling KeyGetIdentifier("853D-6336-2E4E-8BC9-364D", sKey) returns False.
So that tends to confirm what you said, otherwise different results would have been produced. On one hand, this is good, as it protects the registration; but as you mention, this is a problem if the end-user needs to replace his PC.
As it was not clear what the algorithm is behind these commands, I encrypt the information, so am not too concerned about someone being able to generate an activation key.

Chris
Posted on 15 July 2011 - 01:37
Hi Chris,
I know you asked Guenter, but look at KeyCompareKey() function: http://doc.pcsoft.fr/en-US/?1000018850
It says: "the "initial key/activation key" is only valid on a given computer."
This is what the technical support has replied to me on the same question. It means: this key / initial key is only good for a single PC... it's bound to the PC configuration. But we don't know exactly what. Your test proves the case. This is why I made a "no bind to PC" suggestion for other cases.
For KeyGetIdentifier() it will return something only if you actually passed something as parameter with KeyGenerateInitialKey(). It will return the "identifier" you passed in parameter. In my example there was no identifier (no additional data). So it will return nothing. But if I pass one, you will be able to extract it.
Finally, calling KeyCompareKey() will return False for you because it is bound to my PC (it was your point).
I think you also understood my example: you can generate a key for me! The result of KeyCalcActivationKey() will give you "4273-3635-6HGC-H44H-93C3", as for anyone else. As of WD16, one must encrypt his key exchange to avoid anyone owning WinDev generating unauthorized keys of his application.
Best regards,
Alexandre Leclerc
Posted on 15 July 2011 - 01:38
Hi Alexandre
Thanks for your reply, and for having pursued this with PCSoft. I had missed that comment in the help of KeyCompareKey(). That, to me, limits the usefulness of these functions unless one wants to have the headache of managing end-users who replace their computers. It is a good concept, just too stringent. Your "no bind to PC" suggestion would resolve that.
Your example was good as it showed two points: that the key can be generated by anyone with WinDev, and that the KeyCompareKey() is hardware-bound.
I encrypt the information before passing it to KeyGenerateInitialKey(), and then encrypt and Base64 encode the resultant initial key before transmitting it for authorisation. I had found that the password, and the encoding method have to be strings (not binary), otherwise KeyGetIdentifier() would sometimes produce invalid data.
It would be easy to emulate these functions.
Cordialement
Chris
Posted on 15 July 2011 - 01:42
Hi Guenter. I see you have a lot of experience about this issue. Your comments are very helpful. By the way, what's your company website?
Kind regards.
Posted on 15 July 2011 - 01:43
Hi Raul, we have several web sites (and three companies) for different products. Main one is http://www.syspredl.at Regards, Guenter
Posted on 15 July 2011 - 11:09
Hi Chris,
Yes, that's exactly my position. I cannot risk stopping my customer's operation. Many of their computers are switched on 24/7 - with only our program on their monitors.
So, binding the software to the PC as a whole is not an option. In case of KeyGenerateInitialKey(..) we don't even know which pieces of the hardware are replaceable and which not. Microsoft doesn't tell either but tests have made clear that you can replace nearly all parts of the PC - each time replacing a single part and restarting the PC - without losing the activated Windows. How is it with PC Soft's KeyCompareKey(..) ?
Our initial licensing system was to encrypt the licensing information (customer's short + long name, address and options) into an encrypted file. We named it LICENCE.EXE and distributed that together with the program. Btw, it appears that the encryption never has been broken, many tried to do so - as we know. All screens in the program are showing the licensing info, even 99% of the listings, reports, invoices, delivery notes etc. bear the licensee's name. We thought that would discourage any thief from using our program without paying. We definitely were wrong with this assumption! From numbers of caught thieves we believe that about 50 programs are still in use without ever having been paid for. They're just taking a black marker or a wipe-marker to erase the licensing info on the invoices, that's all. Taking the original price of about 2000,- Euros = ~100.000,- Euros lost. Worse: since the program was freely copyable, most of our competitors got a copy and copied many screens and printouts nearly 1:1. Ok, this one is unavoidable because a demo is to be distributed anyway.
Another program, far cheaper at 399,- Euro excl VAT is licensed by a license code. Simply a numeric code that's covering customer's name + address + feature/s. Taking each byte, converting it to ASCII, doing some adding, multiplying gives a numeric result and that's the 'license code'. So, the demo is for download and if they want to buy it then they just initiate a bank transfer and upon receipt of payment we send out their license code. We didn't do a research about stolen programs yet. I believe it's less because of the less-inspiring price, but still would take 3% of the installed base of ~300 = 9 pieces x 399,- = 3590,- Euros lost. Nothing that keeps me from a good sleep.
I do not care a lot about several other programs which are distributed in low numbers between 10 to 50 pieces. Chances for a theft are low there. Our touch-screen POS software is still protected by a commercial dongle device (Rockey2) on each cash register. No stolen programs known to us (yet). However, Rockey2 dongles have to be bought in 100 pcs minimum and if the batch runs out we have to order the next one. As long as the new dongles aren't on my table we cannot deliver any new cash register .. we will switch over to licensing with ordinary memory sticks.
Next desktop software will be dongle-protected too. A single dongle for network installs (HFCS on a server) and a single dongle for standalone PCs (HF Classic) too. 'Dongles' are cheap memory sticks as you can buy them everywhere. We have no experience about performance in big numbers because we didn't start full fledged distribution yet. As far as we can see for now, there's no difference to a not-so-cheap commercial dongle device. The downside of dongles is that one can lose or destroy them. We plan to have them engraved with our company name later on, a destroyed dongle would still be identifiable. Replacing a 'lost' dongle at low price still means risking to have an 'extra' customer.
New challenges are waiting. Cheap virtual machines like Virtual XP for Win7 Prof cannot 'see' the USB-dongles. VMWare does. VirtualBox had problems which should be gone by now. Next: is the dongle 'local' or is it 'remote'? There's software and hardware available which allows to have the dongle in the office and grabbing its licensing info from a remote PC. http://www.seh.de/produkte/dongleserver.html and http://www.usb-over-network.com/ I strongly believe that people like safenet can differentiate between local and remote dongles. But can we? Otherwise, 15 people could use the same dongle!
Kind regards,
Guenter
Posted on 15 July 2011 - 11:10
Chris,
From the helpfile

Result = KeyGenerateInitialKey([Identifier])
--------------------------------------------------------------------------------
Identifier: Optional character string
Identifier used to generate a specific initial key containing user data for instance. This data can be retrieved by KeyGetIdentifier.
Posted on 20 August 2011 - 16:31
> See my demo-project for reading the serial number of a USB memory stick:
> Kind regards,
> Guenter
Hi!
This demo can be downloaded from anywhere else? The page ain't working...
Regards.
Posted on 20 August 2011 - 21:59
>> See my demo-project for reading the serial number of a USB memory stick:
>> Kind regards,
>> Guenter
> Hi!
> This demo can be downloaded from anywhere else? The page ain't working...
> Regards.
Sorry Raul, this project is still unfinished, because I will definitely NOT just copy our own licensing system. Copying it would give very good ideas to crackers of our own software. The idea was to give you a firm starting point for rolling your own licensing system based on USB-memory sticks.
- It states that all USB memory sticks bear a unique and unalterable hardware serial number.
- project http://www.windev.at/files/USB_Drive.zip should give you an idea how to read this hardware serial number
As I know, a few friends of this forum have made their own licensing solution using this as a starter. It depends on what you want. Binding the software on a memory stick to exactly this memory stick is one solution, another one is to have several software products + add-ons licensed on the same memory stick, like ours.
you would need:
- a program to have your customers in a database and attach the license(s) + sold add-ons + max. allowed seats + hw serial number(s) of issued memory sticks.
- a program that generates the license file and writes it to the memory stick or sends the license file per e-mail to a customer.
- a program that reads a license file, checks its validity for that memory stick, shows the license information.
- your software has to have a HyperFile C/S stored procedure that reads the license file and the unique hw serial number from a memory stick and sends both infos to a local procedure where the license file is decoded, the hw serial# is checked against the serial# contained in the license file, the number of connections to the database is checked first. If the log-in would exceed the max allowed number .. sorry. Next, all licensed add-ons within the program will be activated, the name / address of the customer will be shown in all places of the software.
- your software has to have a window where a license file which came by e-mail can be written to the memory stick. Again, you'd need a separate stored procedure for that. The validated license file is sent to the stored procedure and written to the memory stick.
This is not a 'small project' to write just for demo purposes from ground up ..
Regards, Guenter
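The check sequence Guenter lists above (validate the license file, match it against the stick's hardware serial, then count connections), as an added Python example that is not his system and not WINDEV code. It swaps his encrypted file for an HMAC-signed JSON blob; the key, field names, customer and serial are constructed for the example, and the stick serial is assumed to have been read already.

```python
import base64
import hashlib
import hmac
import json

# Assumption: demo key only. A symmetric key shipped inside client software can
# be extracted, so keep this check server-side or use an asymmetric signature.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


def issue_license(customer, addons, max_seats, stick_serial, key=VENDOR_KEY):
    """Vendor side: build a license file bound to one memory stick."""
    body = json.dumps(
        {"customer": customer, "addons": sorted(addons),
         "max_seats": max_seats, "stick_serial": stick_serial},
        sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def check_login(license_text, stick_serial_read, open_connections, key=VENDOR_KEY):
    """Customer side: return (allowed, reason, license_dict_or_None)."""
    try:
        body_b64, tag_b64 = license_text.strip().split(".")
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:
        return False, "malformed license file", None
    # 1. The file must be exactly what the vendor issued.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "license file altered or not issued by vendor", None
    lic = json.loads(body)
    # 2. The serial inside the file must match the stick that is plugged in.
    if not hmac.compare_digest(lic["stick_serial"].encode(),
                               stick_serial_read.encode()):
        return False, "license belongs to a different memory stick", None
    # 3. This log-in must not exceed the licensed number of seats.
    if open_connections >= lic["max_seats"]:
        return False, "all licensed seats are in use", None
    return True, "ok", lic


if __name__ == "__main__":
    # Constructed sample data.
    lic_file = issue_license("Example GmbH", ["pos", "reports"], 2, "0019E06B9C85F9A0")
    print(check_login(lic_file, "0019E06B9C85F9A0", 1)[:2])
    print(check_login(lic_file, "0019E06B9C85F9A0", 2)[:2])
    print(check_login(lic_file, "AA11BB22CC33DD44", 0)[:2])
```

Only after all three checks pass would the add-ons in the returned dictionary be activated and the customer name shown.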
Posted on 23 August 2011 - 08:56
Hi Guenter.
Sorry, I thought there was a missing or broken link. Your explanation was very useful to code some kind of cheap USB dongle. Thanks a lot!
Regards.
Posted on 26 August 2011 - 18:45
Hi Alexandre
I find these options of WD licensing very interesting. I'm trying to find in the example provided a simple solution but it seems a little complicated. Can you indicate me some basic steps so I can implement a simple licensing solution for an application I'm about to install in a client ?
I'm not asking you code, just steps so I can figure out how to do it. Do you remember how PervasiveSQL handles this with the 30 days trial period ? that would be great to implement in a WD App.
Thanks in advance
James
Posted on 27 August 2011 - 00:28
Hi James,
see http://forum.mysnip.de/read.php…
for more details about what's needed in general.
Regards,
Guenter
Posted on 27 August 2011 - 00:28
Hi James,
(Thank you Guenter for the reply.)
Aside from that, I would simply add that we are actually evaluating SafeNet HASP key (formerly known as Aladdin HASP) and also SecuTech UniKey. Both have great advantages and some drawbacks. But in the end it depends what advantages you are looking for.
Why we look for this solution? Because we are no experts in this domain and that we have no time to waste to fight against copy. The software we sell are expensive and the dongle price is marginal in the whole thing. Also, because using these dongles is almost plug and play. No special development to do.
The other great thing is that the keys are managing the user count alone with military precision whatever happens. (We will be using the "networked" solution that has such a feature.) We can licence many software on the same dongle. (So a client having many solutions from our company required only one dongle. We send a dongle update to unlock the new software with its own user count and licensing terms.)
Any-way. It all depends what you are looking for and also, the price you can sell your products. For us this is a good solution in many respects. If our product was at a low price, it would be quite different: we would use the solution described above.
Finally, whatever solution you choose, do not forget to "wrap" your program with protection software (like PCGuard: www.sofpro.com) in order to help prevent reverse engineering to crack your licence protection. We have used this technique for a couple of years. (The other solutions mentioned above both include an "envelope" application to do just this but with the dongle.)
I hope this helps and can contribute to further your reflection on the whole question.
Best regards,
Alexandre Leclerc
Posted on 27 August 2011 - 21:53
Thank you, Alexandre
I will spend some time in these solutions, you mention.
James
Posted on 29 September 2011 - 08:59
Hi, the card reader itself has no ID, but any memory stick has. Guenter
Posted on 29 September 2011 - 08:59
Hello guys.
I'm testing my licensing procedures according the information found in this thread. It works ok but...
* If I plug the USB stick into another port: the ID is different.
* If I use a USB hub: ID is different too.
Only works when I plug the stick in the same port I've used to generate the licensing code. If I generate the license on my pc, and move the stick to the client's, I guess it will not work.
Anyone using this kind of licensing without problems??
The same stick with 2 IDs:
USBSTOR\DISK&VEN_FNK_TECH&PROD__USB_CARD_READER&REV_2.33\7&CB4676E&0
USBSTOR\DISK&VEN_FNK_TECH&PROD__USB_CARD_READER&REV_2.33\6&322401D0&0
Any clue??
Kind regards.
PS: I'm using a memory card reader, I don't know if this could be the issue because I don't have a pendrive right now.
Posted on 29 September 2011 - 12:22
Raul, I tried here with no problem.
usb-stick (directly) or memorycard (using a usb-cardreader) in either one of the ports.
Every device always returns its one and only serial.
Even when they get a different drive letter. Which makes sense: serial and drive letter are not connected in any way, I guess.
Maybe this little utility can help you out: http://www.nirsoft.net/utils/usb_devices_view.html
Posted on 11 October 2011 - 23:01
Hi guys.
I just wanted to add some information regarding my last post here, for those making some questions in the future.
I've been testing this method with actual memory sticks and it works great!
The tests made with USB card reader didn't work ok at all. As I said before, when I plug the device in the port (let's say) "A" it has a serial code. If I plug it in the port "B", it has another one.
My card reader is exactly this model: http://mx.ioffer.com/i/mini-micro-sd-tf-card-reader-%28black%29-215754924
Regards.
Posted on 12 October 2011 - 11:47
On 11/10/2011 22:01, RAUL wrote:
> Hi guys.
> I just wanted to add some information regarding my last post here, for those making some questions in the future.
> I've been testing this method with actual memory sticks and it works great!
> The tests made with USB card reader didn't work ok at all. As I said before, when I plug the device in the port (let's say) "A" it has a serial code. If I plug it in the port "B", it has another one.
> My card reader is exactly this model: http://mx.ioffer.com/i/mini-micro-sd-tf-card-reader-%28black%29-215754924
> Regards.

Hi,

Just one piece of information, we also use memory sticks serial for
licensing and we just bought from a new reseller a set of keys with
only 3 letters as serial (DC0) so be careful :)

Regards,

Fred
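Both problems reported above, Raul's card reader whose ID changes per port and Fred's three-character serial, can be caught before a license is bound to a device; this is an added Python example, not code from the thread. On Windows, an instance ID whose second character is `&` was generated by the system because the device reported no serial; the two reader IDs are Raul's, the other two paths and the minimum length are constructed for the example.

```python
import re

MIN_SERIAL_LEN = 8  # assumption: policy threshold chosen for this example

# Raul's two IDs for the same card reader, as posted above.
READER_PORT_A = r"USBSTOR\DISK&VEN_FNK_TECH&PROD__USB_CARD_READER&REV_2.33\7&CB4676E&0"
READER_PORT_B = r"USBSTOR\DISK&VEN_FNK_TECH&PROD__USB_CARD_READER&REV_2.33\6&322401D0&0"
# Constructed samples: a stick with a real serial, and one like Fred's "DC0".
STICK_OK = r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0019E06B9C85F9A0&0"
STICK_SHORT = r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\DC0&0"


def parse_usbstor_instance(device_id):
    """Split a USBSTOR device instance path into (hardware part, instance ID)."""
    m = re.fullmatch(r"USBSTOR\\([^\\]+)\\([^\\]+)", device_id.strip(), re.I)
    if not m:
        raise ValueError("not a USBSTOR device instance path")
    return m.group(1), m.group(2)


def usable_serial(device_id):
    """Return (serial_or_None, reason) for use as a license binding."""
    _, instance = parse_usbstor_instance(device_id)
    # Windows builds the instance ID itself when the device reports no serial;
    # such IDs have '&' as second character and change with the port used.
    if len(instance) > 1 and instance[1] == "&":
        return None, "no hardware serial: Windows-generated, port-dependent ID"
    serial = instance.rsplit("&", 1)[0]  # drop the trailing "&<LUN>" suffix
    if len(serial) < MIN_SERIAL_LEN:
        return None, "serial too short to be unique"
    return serial, "ok"


if __name__ == "__main__":
    for dev in (READER_PORT_A, READER_PORT_B, STICK_OK, STICK_SHORT):
        print(usable_serial(dev), dev)
```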
Posted on 02 February 2016 - 22:05
Check this example
Product link:
http://xtremecode.co.uk/UK/SLS-3-0-More.php