Diese Seite mit anderen teilen ...

Informationen zum Thema:
Forum:
WinDev Forum
Beiträge im Thema:
57
Erster Beitrag:
vor 7 Jahren, 3 Monaten
Letzter Beitrag:
vor 2 Jahren, 12 Monaten
Beteiligte Autoren:
Jimbo, RAUL, Alexandre Leclerc, Allard, Michael Q, James Smiths, Arie, Steve E. , Jose Antonio Garrido, ChrisC, ... und 11 weitere

WD15: Best end user licensing strategy & code?

Startbeitrag von Michael Q am 01.11.2010 05:21

I am a newbie developing a business app to be used either standalone or on a network accessing an HFCS database and I am trying to figure out the best strategy for managing licensing. It seems that conventional license add-on tools don't work with Windev, so therefore I have to roll-my-own. I am seeking a licensing method that will fulfill the following requirements:

1. Be simple to implement. I REALLY want to avoid having to do extensive custom coding of an installer so I'd like to use the built in Windev installation & update mechanism if at all possible.
2. Be simple for users to install & manage.
3. Be reasonably secure (the app will sell for US$250-US$750 per seat)
4. Require minimum maintenance when users move computers etc
5. To enforce the license, I want to have all documents print out the licensee company name etc.

There seem to be 2 licensing options:

PER CLIENT:
Pros:
Maximizes license revenue because each seat is licensed.
Probably more compatible with the Windev built-in installer/updater.
More conventional.

Cons:
A license is required for every client.
Likely more opportunity for problems during client installation.
Maintenance problems when a license must be moved to a new client computer.


PER CONCURRENT USER:
Pros:
Only one license is required for each server.
The client software could be freely installed on any number of computers.
Moving the app to different clients doesn't require license changes.

Cons:
Possibly fewer licenses are needed, so revenue is lower (or concurrent user price must be higher).
Not sure this can be done using the built-in installer.

Also, suppose I wanted to have a "Standard" & "Enterprise" version of my app. Which licensing method would be more compatible?

Licensing methodology must be a standard problem for most Windev developers but I see very little information or dialogue about how to handle this, or examples of code. To get me started I have Fabrice's "WDProtected" project & the Windev "WD Evaluation Period" project. But I'm still scratching my head trying to figure out where to start.

What has been your experience in doing this, and what would you recommend?
Are there any other resources or code out there for helping with this?

Many thanks,

Michael

Die 50 interessantesten Antworten:

Re: WD15: Best end user licensing strategy & code?

Michael,

Have you considered the use of a hardware lock to control "per concurrent user" licensing?

This allows a user to have the software installed on multiple machines but only able to be used on any machine if it has the hardware loch attached.

If you are interested let me know and I will give you some ideas as you can use a simple $10 USB mass storage device as your hardware lock - this has been covered in previous threads but is probably worth going over again.

Milton

von Milton - am 01.11.2010 05:37

Re: WD15: Best end user licensing strategy & code?

Hi Milton, thanks for that. Very useful.

I recall seeing some articles and code about this. It is certainly attractive from an implementation point of view. I would guess that coding this would be quick, and perhaps I should go this route. But the disadvantage is the cost and admin involved in Fedexing out the dongles.

Perhaps its worth it, but I was hoping for a simple code-only solution.

Michael

von Michael Q - am 01.11.2010 05:44

Re: WD15: Best end user licensing strategy & code?

Quote
Michael Q
Hi Milton, thanks for that. Very useful.

I recall seeing some articles and code about this. It is certainly attractive from an implementation point of view. I would guess that coding this would be quick, and perhaps I should go this route. But the disadvantage is the cost and admin involved in Fedexing out the dongles.

Perhaps its worth it, but I was hoping for a simple code-only solution.

Michael


Hi Mike,

28 years ago, when we started out to make programs for bakeries, I ran over quite a number of programs of competing software makers which were either stolen or misused. 'Misused' in the sense of 'not used as licensed to'. At that time, licensing mechanisms were in their infancy, about half of the competition's programs had no licensing scheme at all!

Nowadays, we estimate that 10% of our own installed base is either stolen or misused. In the PR China, they say, about 90% of the software in use is stolen! In Eastern Europa it's about 50%. Thinking about an effective way of licensing while fighting the thieves is definitely worth your efforts!

First, there is no such thing as an unbreakable and un-misusable code-only licensing solution! If you let the customer input a license name, a serial number and a license key and hard-code that together with a set of options into an encrypted licensing file, your dear customer will be able to use the program on several unconnected computers and he/they will be able to kind of sub-distribute your software (together with the license file) to those who aren't willing to pay a dime! Showing name & address of the licensed customer on all windows and important printouts will definitely deter some of the amateur-thieves.

However, if your software is of high value (in price AND in usage) then be prepared that eventually there will be someone who puts your software under an in-memory debugger (SoftICE, IDA etc) and finds out what really happens when it checks the license file against customer name, serial# and options. Your program will be either 'cracked' (a simple GOTO or RETURN will de-activate the check-routine) or, even worse, they'll build a key-generator which will build a correct license file for any given customer info. Use good old google to find out about cracks and key-generators!

Bottom line: If you really want to have some copy protection or enforce usage of your software according to the license then you'd have to bind your software to a piece of hardware! Which is no 100%-solution but it's definitely better than all software solutions!

Microsoft binds most of their software to hardware parts of the computer which are bearing a unique serial number. So, their software is licensed to a certain piece of hardware. If this computer completely goes south there's no good way to re-license the software on the next one.

If we do the same as M$ does, then it leads us to the question what we are going to do if the customer calls and says that their computer is inoperational now and they'd like to have a new license for their new computer? During nights, on Saturdays and Sundays? And who says that their computer is really down?? After you sent them a new license they'd have two licenses while paying for one only!

Here we are. Which piece of hardware is portable and bears a unique serial number? Only a dongle does! But don't let you fool into a pricy piece of hardware and let someone earn their money with your work! All USB memory sticks do bear a unique serial number!

See my demo-project for reading the serial number of a USB memory stick:
http://www.windev.at/html/dongledemo.html

Kind regards,
Guenter








von Jimbo - am 01.11.2010 08:33

Re: WD15: Best end user licensing strategy & code?

Many thanks Guenter,

"See my demo-project for reading the serial number of a USB memory stick:
http://www.windev.at/html/dongledemo.html";.

I can't find a link there to a downloadable project, or is it only the text on the web page?

Michael


von Michael Q - am 01.11.2010 08:49

Re: WD15: Best end user licensing strategy & code?


Uh, oh, sorry, there's a link to this page http://www.windev.at/html/usbfind.html and there you can download a project for USBFind(..) which btw will retrieve the serial# of a USB memory stick. USBFind(..) is only working with USB-sticks not with USB-connected hard drives, but in our case that doesn't matter. Kind regards, Guenter


von Jimbo - am 01.11.2010 09:19

Re: WD15: Best end user licensing strategy & code?

I know that there is no fool proof way to protect software, but how do you handle trials?

I don't want to have to distribute a USB stick just to enable a trial. If an app can be run as a trial without a USB stick, can it be easily hacked to enable all features without having a USB stick? How do you deal with this?

Or for trial purposes do you distribute a different version of your app which has certain features missing from the code, so it can't be hacked?

Michael

von Michael Q - am 01.11.2010 09:37

Re: WD15: Best end user licensing strategy & code?


Hi Michael,

No USB stick = Demo Mode. Demo Mode is restricted to a small number of customers, items etc, additionally all reports and documents show 'Demonstration Version'. We do not restrict demos in time. My experience ist that the decision to download or to order a demo DVD is a momentary one and trials are neither installed nor run for quite some time. Sometimes, I'm getting orders for programs where the trials have been sent out a year or more ago!

Kind regards,
Guenter


von Jimbo - am 01.11.2010 12:19

Re: WD15: Best end user licensing strategy & code?

Quote
Michael Q
Or for trial purposes do you distribute a different version of your app which has certain features missing from the code, so it can't be hacked?
Michael


Off the top of my head I'd do what others do and mark the application as DEMO MODE, NOT FOR PRODUCTION USE. And make an important field a a one byte integer, like customer number or something they can attain after 9 or so months in the normal course of their business.

In code at the 250th record check to see if that field is a one byte integer. If so warn the user that the demo is rapidly coming to termination and an advertisement for the full version that will use the same data files the demo program is currently using.

If they have been using your program for production I think you may be getting a call.

My 2 euros worth.

von Art Bonds - am 02.11.2010 00:34

Re: WD15: Best end user licensing strategy & code?

Hi guys.

I was searching the forum to find some kind of licensing procedure. The one mentioned here (dongle with a flash-drive) was interesting until I found this: http://www.xboxharddrive.com/freeware.html

I tested it and it works. The serial number of your flash-drive is changed in a blink.

Someone else have another idea??

von RAUL - am 11.07.2011 16:06

Re: WD15: Best end user licensing strategy & code?

Hi guys.

I was searching the forum to find some kind of licensing procedure. The one mentioned here (dongle with a flash-drive) was interesting until I found this: http://www.xboxharddrive.com/freeware.html

I tested it and it works. The serial number of your flash-drive is changed in a blink.

Someone else have another idea??

It would be possible to compile a Linux library or executable and format the flash-drive in ext3 for example? I never tryed any compilation under Linux platform.

von RAUL - am 11.07.2011 16:44

Re: WD15: Best end user licensing strategy & code?

Hi guys.

I was searching the forum to find some kind of licensing procedure. The one mentioned here (dongle with a flash-drive) was interesting until I found this:

I tested it and it works. The serial number of your flash-drive is changed in a blink.

Someone else have another idea??

It would be possible to compile a Linux library or executable and format the flash-drive in ext3 for example? I never tryed any compilation under Linux platform.

von RAUL - am 11.07.2011 18:05

Re: WD15: Best end user licensing strategy & code?

Raul,

The web page you quote also states:

Quote
Please note, this serial number of hard disk is not hardware serial number set by the manufacturer, the hardware serial number value won't change even if you format your hard drive.


Guenter's solution use just that - the hardware serial number set by the manufacturer.

I've also implemented a license system using USB memory sticks and it seem to work well.

von DarrenF - am 11.07.2011 23:35

Re: WD15: Best end user licensing strategy & code?

Raul,

Correct, I don't think fDriveInfo() will give you what you need.

Without giving too much away ( ;) ) part of my solution uses USBFind to get the serial no. of a USB stick:

sDevices is string = USBFind(USBPropertyManufacturer," ")


There are several keywords you can use with USBFind to locate the USB stick based on Manufacturer, Class, Location etc...

See here:
http://doc.pcsoft.fr/en-US/?3090004&name=usbfind-function&q=usbfind&verdisp=160

If USB device is not found, then switch to Demo Mode. If a USB device is found with the matching serial no., then let the user in... [[5]]

von DarrenF - am 12.07.2011 07:47

Re: WD15: Best end user licensing strategy & code?

Michael,

take an encrypted Hyperfile DB and put into the file the customer hardware. Check it when you open the file.

Regards


Thomas

von Thomas - am 12.07.2011 10:58

Re: WD15: Best end user licensing strategy & code?

Hi I use the windev key gen functions and it works pretty cool. New in windev 16. It generates a code from the users machine and you can put your own fields in as well. say name and email address. If you do this a huge code is produced. The client has to mail this code to me and I have a little program that generates a code from the code send by the customer and it extracts name and email address as well. I send the code back to the customer he pasts the code and the software is registered for a year.
After a year the client has to do the whole thing again.

It is not perfect because the user has to mail the code. And if someone cracks the standard windev key gen than it is cracked. I use this for a really cheap piece of software. Just to do some kind of protection

Better way
Use a web service.
The client has to fill his name and email address in a form. The key gen function is used to generate a code. The code is send to a web service. The web service posts the name and email and other info to a website ( webdev)
Now the client has registered. The important thing is you know who the user is

When the program runs the next time it randomly contacts the web service. The web service looks for the client info on the website. If the client is registered and he has paid the web service contacts the program and gives the ok to run

If the client has not paid, even after you contacted him via email or if the email address is not a valid email address then you go to the website and you place a check that the program may not run.

The next time the program contacts the web service the web service does not give an ok. The program stops working or gives a message that it will stop working or gets limited or does what ever you want. In some countries you need to give a warning first before disabling the software. So a message and disabling it after a month is recommended.

If the program cannot contact the web service it gives a message that a connection to the internet must be made and if no connection is made than it will stop working


This is a way of registering that the user can do fast without waiting etc. For trial software this is important . For if it takes to much effort they will not even install the software. Now they can use the software right away.
Pro’s
You know when someone installs the software. So you can contact them. If you build in as well that the program contacts the web service as well if it is uninstalled then you know that as well.
If someone really uses the program and gets contacted by you then they will pay and if not you can shot them down.
This is a lot of work. But if your software is selling over 500 euro than it’s problebly worth it. And if ones made, this functionality can be reused in other programs.

Regards allard


von Allard - am 12.07.2011 14:38

Re: WD15: Best end user licensing strategy & code?

Hi Allard,

If you use the standard key gen of WinDev without additional protection, anyone with WinDev can generate an activation code for your application. Ideally, you should also crypt, at least, the answer key and join additional data to it. This additional crypting would be known only by your software. Then complete the verification in checking the generated key.

Also, the generated key by WinDev works only for a physical PC. So it's not a good networked solution. But this point is described in the help.

Best regards,
Alexandre Leclerc

von Alexandre Leclerc - am 12.07.2011 15:25

Re: WD15: Best end user licensing strategy & code?

Hi alexandre,

As see it you can use the windev standaard key gen. For it uses your dongles Id to generate the key. Since every dongle is unicque so is the key you generate.

The physical pc thing is true. But my app is a one pc programm so that's no problem

Regards Allard.

von Allard - am 12.07.2011 17:57

Re: WD15: Best end user licensing strategy & code?

Hi Allard,

If we both talk about KeyGenerateInitialKey() / KeyCalcActivationKey() then I'm afraid you might be surprised to know anyone can generate a key for you. It's not using your dongle to generate a unique key.

I sent a suggestion to PCSoft about this couple months ago when I encountered the problem trying to use this mechanism. Try the following code for yourself:


Trace(KeyCalcActivationKey("853D-6336-2E4E-8BC9-364D"))


The activation key will be: 4273-3635-6HGC-H44H-93C3

This is standard key generation. You must crypt your answer key with a process only you knows. (And ideally for your initial key too.)

Send me one of your key and I'll give you all your customer information and an unlock key.

The whole process is actually not secure. One of my suggestion was to add an additional parameter to give a "password" to generate a unique key for an application. The same principle as in Hash() functions where we can give a secret key with HMAC algorithm family.

This has been confirmed by PC Soft following my suggestion:

Quote
Support Technique Gratuit
Dans la version actuelle de WINDEV toute personne possédant WINDEV pourra activer la clé en question.

Votre idée est intéressante. Je l’ai transmise en tant que suggestion à notre équipe de développement pour qu’ils étudient son implémentation dans une prochaine version.

Dans l’immédiat, je vous conseille de crypter la clé d’activation coté fournisseur de l’application et de la décrypter coté client.

Je vous remercie de cette suggestion et vous souhaite de bons développements.



King regards,
Alexandre Leclerc

von Alexandre Leclerc - am 12.07.2011 19:38

Re: WD15: Best end user licensing strategy & code?

Hi Alexandre,

one thing should be clear: if you're using this mechanism for licensing then you're binding your application to a bunch of pieces of hardware - the customer's PC. And, worse than a dongle, the user will be unable to move over to another PC if the 'licensed' PC becomes defective. In fact, the PC IS the dongle now. It's similar to Windows or other applications. If a Windows-PC goes south (= it is no more usable) then I have to buy a new Windows for a new PC.

I lost 'Adobe Captivate' that way - a 1000 Euro piece of software. Adobe binds the application to the PC. Moving over to another PC involves the de-installation of Captivate on the first one. Huh? The motherboard got defective - no de-install possible. 'We're sorry, but .. simply, we don't care ..' Ok, I will not buy any Adobe products anymore, I learnt my lesson! Found out that Serif does the same when I tried to install a newly bought Web Page X5 to my win7-32 and win7-64 hard disks. Simply because I don't like to change hard disks for common applications. No second install possible. What, if the win7-64 hard disk goes bad and with it Serif's Web Page X5? No de-install - no re-install. Losing a hard disk involves purchasing of some applications for a second time?

Compare that to a dongle. I have WinDev 8,9 ..16 etc on *all* of my hard disks, WinDev 5.5 is running on the WinXP-32 hard disk. The WinDev-dongle is firmly stuck in its place, I'm just exchanging the hard disks. And no, I didn't have to buy the Windows 7*32, 7*64 and XP*32 separately, because the PC is a Fujitsu which came with all of these operating systems and they even don't have to be activated at all!

Kind regards,
Guenter



von Jimbo - am 13.07.2011 05:47

Re: WD15: Best end user licensing strategy & code?

Hi All
The problem in the end is the same if you choose a physical item to protect your software.
If the PC, Server or even dongle gets lost, stolen or damaged then you will need to make a decision as to whether to issue a replacement key ( = new license) or not.

Of course we all need to do what is best in our situation and take into account the security offered versus the risks involved.

I rolled my own solution many years ago using a combination of Crypt and Hash to produce a key based on information extracted from the registration details of the customer.
I could of course just as easily bind it to an item of hardware.

So far it has served me well as it gives me the flexibility of choosing what information to use as the seed for my key and even what parts of the key to use.
All of this is stored in a data (encrypted) file on the customer site - I keep my own copy.
Worst case all I need to do is send them a copy of License.fic (no its not called that) if the data is damaged.

Not foolproof but there again nothing is.

Just my 2 cents, euros, penneth

DerekT

von DerekT - am 13.07.2011 10:56

Re: WD15: Best end user licensing strategy & code?

Hi Jimbo,

Indeed it will bind specifically to the end user PC. It depends what you want to achieve. I also sent a second suggestion about this last month to allow a key generation with no binding so that it may work in networked environments. (All the job is already done, so supporting this is quite simple.)

I also made a third suggestion to allow one to send back additional data in the generated key (like serializing a class, etc). These three suggestions (including the one adding a "password" to the key generation process) would give a very flexible key generation option that I would use out of the box. It would be as secure as we are doing right now.

As DerekT suggested, we are also using our own mechanism right now. But we also use the actual key generation for handshaking: when doing web registration (live or through email) we can guarantee the PC who asked the key is the one who receives it. Then we are not using it further but our own licence and verification scheme. We will also consider the USB solution to protect our solution in the long run.

Best regards,
Alexandre Leclerc

von Alexandre Leclerc - am 13.07.2011 12:24

Re: WD15: Best end user licensing strategy & code?

Hi Guenter

Did you have confirmation please from PCSoft that the KeyGenerateInitialKey() commands are bound to the user's hardware? There is nothing about this - that I can see - in the help.

Using Alexandre's example:
sKey = KeyCalcActivationKey("853D-6336-2E4E-8BC9-364D")
KeyGetIdentifier("853D-6336-2E4E-8BC9-364D") returns an empty string,
and calling KeyGetIdentifier("853D-6336-2E4E-8BC9-364D", sKey) returns False.

So that tends to confirm what you said, otherwise different results would have been produced. On one hand, this is good, as it protects the registration; but as you mention, this is a problem if the end-user needs to replace his PC.

As it was not clear what the algorithm is behind these commands, I encrypt the information, so am not too concerned about someone being able to generate an activation key.


Chris


von ChrisC - am 13.07.2011 16:43

Re: WD15: Best end user licensing strategy & code?

Hi Chris,

I know you asked Guenter, but look at KeyCompareKey() function: http://doc.pcsoft.fr/en-US/?1000018850

Is says: "the "initial key/activation key" is only valid on a given computer."

This is what the technical support has replied to me on the same question. It means: this key / initial key is only good for a single PC... it's bind to the PC configuration. But we don't know exactly what. Your test proves the case. This is why I made a "no bind to PC" suggestion for other cases.

For KeyGetIdentifier() it will return something only if you actually passed something as parameter with KeyGenerateInitialKey(). It will return the "identifier" you passed in parameter. In my example there was no identifier (no additional data). So it will return nothing. But if I pass one, you will be able to extract it.

Finally, calling KeyCompareKey() will return False for you because it is bind to my PC (it was your point).

I think you also understood my example: you can generate a key for me! The result of KeyCalcActivationKey() will give you "4273-3635-6HGC-H44H-93C3 ", as for anyone else. As of WD16, one must crypt his key exchange to avoid anyone owning WinDev generating unauthorized keys of his application.

Best regards,
Alexandre Leclerc

von Alexandre Leclerc - am 13.07.2011 17:15

Re: WD15: Best end user licensing strategy & code?

Hi Alexandre

Thanks for your reply, and for having pursued this with PCSoft. I had missed that comment in the help of KeyCompareKey(). That, to me, limits the usefulness of these functions unless one wants to have the headache of managing end-users who replace their computers. It is a good concept, just too stringent. Your "no bind to PC" suggestion would resolve that.

Your example was good as it showed two points: that the key can be generated by anyone with WinDev, and that the KeyCompareKey() is hardware-bound.

I encrypt the information before passing it to KeyGenerateInitialKey(), and then encrypt and Base64 encode the resultant initial key before transmitting it for authorisation. I had found that the password, and the encoding method have to be strings (not binary), otherwise KeyGetIdentifier() would sometimes produce invalid data.

It would be easy to emulate these functions.

Cordialement
Chris



von ChrisC - am 13.07.2011 17:42

Re: WD15: Best end user licensing strategy & code?

Hi Chris,

yes, that's exactly my position. I cannot risk to stop my customer's operation. Many of their computers are switched on 24/7 - with only our program on their monitors.

So, binding the software to the PC as a whole is not an option. In case of KeyGenerateInitialKey(..) we don't even know which pieces of the hardware are replaceable and which not. Microsoft doesn't tell either but tests have made clear that you can replace nearly all parts of the PC - each time replacing a single part and restarting the PC - without losing the activated Windows. How is it with PC Soft's KeyCompareKey(..) ?

Our initial licensing system was to encrypt the licensing information (customer's short + long name, address and options) into an encrypted file. We named it LICENCE.EXE and distributed that together with the program. Btw, it appears that the encryption never has been broken, many tried to do so - as we know. All screens in the program are showing the licensing info, even 99% of the listings, reports, invoices, delivery notes etc. bear the licensee's name. We thought, that would discourage any thief from using our program without paying. We definitely were wrong with this assumption! From numbers of caught thieves we believe that about 50 programs still in use without having ever paid. They're just taking a black marker or a wipe-marker to erase the licensing info on the invoices, that's all. Taking the original price of about 2000,- Euros = ~100.000,- Euros lost. Worse: since the program was freely copyable, most of our competitors got a copy and copied many screens and printouts nearly 1:1. Ok, this one is unavoidable because a demo is to be distributed anyway.

Another program, far cheaper at 399,- Euro excl VAT is licensed by a license code. Simply a numeric code that's covering customer's name + address + feature/s. Taking each byte, converting it to ASCII, doing some adding, multiplying gives a numeric result and that's the 'license code'. So, the demo is for download and if they want to buy it then they just initiate a bank transfer and upon receit of payment we send out their license code. We didn't do a research about stolen programs yet. I believe it's less because of the less-inspiring price, but still would take 3% of the installed base of ~300 = 9 pieces x 399,- = 3590,- Euros lost. Nothing that keeps me from a good sleep.

I do not care a lot about several other programs which are distributed in low numbers between 10 to 50 pieces. Chances for a theft are low there. Our touch-screen POS software is still protected by a commercial dongle device (Rockey2) on each cash register. No stolen programs known to us (yet). However, Rokey2 dongles have to be bought in 100 pcs minimum and if the batch runs out we have to order the next one. As long as the new dongles aren't on my table we cannot deliver any new cash register .. we will switch over to licensing with ordinary memory sticks.

Next desktop software will be dongle-protected too. A single dongle for network installs (HFCS on a server) and a single dongle for standalone PCs (HF Classic) too. 'Dongles' are cheap memory sticks as you can buy them everywhere. We have no experience about performance in big numbers because we didn't start full fledged distribution yet. As far as we can see for now, there's no difference to a not-so-cheap commercial dongle device. The downside of dongles is that one can lose or destroy them. We plan to have them engraved with our company name later on, a destroyed dongle would still be identifiable. Replacing a 'lost' dongle at low price still means risking to have an 'extra' customer.

New challenges are waiting. Cheap virtual machines like Virtual XP for Win7 Prof cannot 'see' the USB-dongles. VMWare does. VirtualBox had problems which should be gone by now. Next: is the dongle 'local' or is it 'remote'? There's software and hardware available which allows to have the dongle in the office and grabbing its licensing info from a remote PC. http://www.seh.de/produkte/dongleserver.html and http://www.usb-over-network.com/ I strongly believe that people like safenet can differentiate between local and remote dongles. But can we? Otherwise, 15 people could use the same dongle!

Kind regards,
Guenter






von Jimbo - am 14.07.2011 07:24

Re: WD15: Best end user licensing strategy & code?

Hi Guenter,

Thank you for sharing your experience. We are developing a new solution and we thought to display the customer name everywhere as you did. It now make us reflect on this approach.

As for dongle spoofing on network, maybe it would be possible to store on the dongle a registration file? i.e. you could use the Key* functions to create and generate a key for the PC who uses the dongle. Then check regularly if the key on the dongle matches the one the software uses. If it changes (i.e. another PC connected on the same dongle, and thus a new key is created) then you inform the user that he must restart the software because to key has been lost. Etc. It would be quite unproductive to have the software closed every minute or two because two PC try to access the same dongle. But this is an idea that crosses my mind. There are certainly other (better) solutions. As you said, maybe there is a way to know if a device is networked or local.

I also fell on a software that makes USB sharing through any PC / Server / VirtualMachine / Windows / Linux with no hardware: http://network-usb-gate.smartcode.com/info.html

It is very interesting. The dongle protection must be resistant to this, as the HASP dongle are (see HaspHLLogin(), etc.). But at this point, one must calculate the risks with the level of security he desires to protect his software.

Kind regards,
Alexandre Leclerc

von Alexandre Leclerc - am 14.07.2011 12:47

Re: WD15: Best end user licensing strategy & code?

Hi Guenter. I see you have a lot of experience about this issue. Your comments are very helpful. By the way, what's your company website?

Kind regards.

von RAUL - am 14.07.2011 13:49

Re: WD15: Best end user licensing strategy & code?

Chris,

From the helpfile





Result = KeyGenerateInitialKey([Identifier])
--------------------------------------------------------------------------------

Identifier: Optional character string
Identifier used to generate a specific initial key containing user data for instance. This data can be retrieved by KeyGetIdentifier.


von Carlo Hermus - am 15.07.2011 01:48

Re: WD15: Best end user licensing strategy & code?

Quote



See my demo-project for reading the serial number of a USB memory stick:
http://www.windev.at/html/dongledemo.html

Kind regards,
Guenter

Hi!

This demo can be downloaded from anywhere else? The page ain't working...

Regards.

von RAUL - am 19.08.2011 20:39

Re: WD15: Best end user licensing strategy & code?

Quote
RAUL
Quote



See my demo-project for reading the serial number of a USB memory stick:
http://www.windev.at/html/dongledemo.html

Kind regards,
Guenter

Hi!

This demo can be downloaded from anywhere else? The page ain't working...

Regards.


Sorry Raul, this project is still unfinished, because I will definitely NOT just copy our own licensing system. Copying it would give very good ideas to crackers of our own software. The idea was to give you a firm starting point for rolling your own licensing system based on USB-memory sticks.
- It states that all USB memory sticks bear a unique and unalterable hardware serial number.
- project http://www.windev.at/files/USB_Drive.zip should give you an idea how to read this hardware serial number

As I know, a few friends of this forum have made their own licensing solution using this as a starter. It depends on what you want. Binding the software on a memory stick to exactly this memory stick is one solution, another one is to have several software products + add-ons licensed on the same memory stick, like ours.

you would need:
- a program to have your customers in a database and attach the license(s) + sold add-ons + max. allowed seats + hw serial number(s) of issued memory sticks.
- a program that generates the license file and writes it to the memory stick or sends the license file per e-mail to a customer.
- a program that reads a license file, checks its validity for that memory stick, shows the license information.

- your software has to have a HyperFile C/S stored procedure that reads the license file and the unique hw serial number from a memory stick and sends both infos to a local procedure where the license file is decoded, the hw serial# is checked against the serial# contained in the license file, the number of connections to the database is checked first. If the log-in would exceed the max allowed number .. sorry. Next, all licensed add-ons within the program will be activated, the name / address of the customer will be shown in all places of the software.
- your software has to have a window where a license file which came by e-mail can be written to the memory stick. Again, you'd need a separate stored procedure for that. The validated license file is sent to the stored procedure and written to the memory stick.

This is not a 'small project' to write just for demo purposes from ground up ..

Regards, Guenter


von Jimbo - am 20.08.2011 17:27

Re: WD15: Best end user licensing strategy & code?

Hi Guenter.

Sorry, I thought there was a missing or broken link. Your explaination was very useful to code some kind of cheap USB dongle. Thanks a lot!

Regards.

von RAUL - am 23.08.2011 00:08

Re: WD15: Best end user licensing strategy & code?

Hi Alexandre

I find these options of WD licensing very interesting. I'm trying to find in the example provided a simple solution but it seems a little complicated. Can you indicate me some basic steps so I can implement a simple licensing solution for an application I'm about to install in a client ?

I'm not asking you code, just steps so I can figure out how to do it. Do you remember how PervasiveSQL handles this with the 30 days trial period ? that would be great to implement in a WD App.

Thanks in advance

James

von James Smiths - am 26.08.2011 14:02

Re: WD15: Best end user licensing strategy & code?

Hi James,

see http://forum.mysnip.de/read.php?27131,83784,109265#msg-109265

for more details about what's needed in general.

Regards,
Guenter


von Jimbo - am 26.08.2011 16:04

Re: WD15: Best end user licensing strategy & code?

Hi James,

(Thank you Guenter for the reply.)

Aside that, I would simply add that we are actually evaluating SafeNet HASP key (formerly know as Alladin HASP) and also SecuTech UniKey. Both have great advantages and some drawbacks. But in the end it depends what advantages you are looking for.

Why we look for this solution? Because we are no experts in this domain and that we have no time to waste to fight against copy. The software we sell are expensive and the dongle price is marginal in the whole thing. Also, because using these dongles is almost plug and play. No special development to do.

The other great thing is that the keys are managing the user count alone with military precision whatever happens. (We will be using the "networked" solution that has such a feature.) We can licence many software on the same dongle. (So a client having many solutions from our company required only one dongle. We send a dongle update to unlock the new software with its own user count and licensing terms.)

Any-way. It all depends what you are looking for and also, the price you can sell your products. For us this is a good solution in many respects. If our product was at a low price, it would be quite different: we would use the solution described above.

Finally, whatever the solution you choose, do not forget to "warp" your program with a protection software (like PCGuard: www.sofpro.com) in order to help preventing reverse engineering to crack you licence protection. We use this technique since couple of years. (The other solutions mentioned above both include an "envelope" application to do just this but with the dongle.)

I hope this helps and can contribute to further your reflection on the whole question.

Best regards,
Alexandre Leclerc

von Alexandre Leclerc - am 26.08.2011 18:34

Re: WD15: Best end user licensing strategy & code?

Hello guys.

I'm testing my licensing procedures according the information found in this thread. It works ok but...

* If I plug the USB stick into another port: the ID is different.
* If I use an USB hub: ID is different too.

Only works when I plug the stick in the same port I've used to generate de licensing code. If I generate the license on my pc, and move the stick to the client's, I guess it will not work.

Anyone using this kind of licensing without problems??

The same stick with 2 IDs:
USBSTOR\DISK&VEN_FNK_TECH&PROD__USB_CARD_READER&REV_2.33\7&CB4676E&0

USBSTOR\DISK&VEN_FNK_TECH&PROD__USB_CARD_READER&REV_2.33\6&322401D0&0

Any clue??

Kind regards.

PS: I'm using a memory card reader, I don't know if this could be the issue because I don't have a pendrive right now.


von RAUL - am 28.09.2011 21:34

Re: WD15: Best end user licensing strategy & code?

Raul, I tried here with no problem.
usb-stick (directly) or memorycard (using a usb-cardreader) in either one of the ports.
Every device always returns it's one and only serial.

Even when they get a different drive letter. Which makes sense: serial and driveletter are not connected I guess in any way.

Maybe this little utlity can help you out: http://www.nirsoft.net/utils/usb_devices_view.html




von Arie - am 29.09.2011 07:43

Re: WD15: Best end user licensing strategy & code?

Hi guys.

I just wanted to add some information regarding my last post here, for those making some questions in the future.

I've been testing this method with actual memory sticks and it works great!

The tests made with USB card reader didn't work ok at all. As I said before, when I plug the device in the port (let's say) "A" it has a serial code. If I plug it in the port "B", it has another one.

My card reader is this exactly model:

Regards.

von RAUL - am 11.10.2011 16:28

Re: WD15: Best end user licensing strategy & code?

Le 11/10/2011 22:01, RAUL a écrit :
> Hi guys.
> I just wanted to add some information regarding my last post here, for those making some questions in the future.
> I've been testing this method with actual memory sticks and it works great!
> The tests made with USB card reader didn't work ok at all. As I said before, when I plug the device in the port (let's say) "A" it has a serial code. If I plug it in the port "B", it has another one.
> My card reader is this exactly model:
> Regards.
>

Hi,

Just one piece of information, we also use memory sticks serial for
licensing and we just bought from an new reseller a set of keys with
only 3 letters as serial (DC0) so be careful :)

Regards,

Fred
Message forwarded from pcsoft.us.windev

von Fredo.pcs.crosspost - am 12.10.2011 07:47

Re: WD15: Best end user licensing strategy & code?

Quote
Alexandre Leclerc
Hi James,

(Thank you Guenter for the reply.)

Aside that, I would simply add that we are actually evaluating SafeNet HASP key (formerly know as Alladin HASP) and also SecuTech UniKey. Both have great advantages and some drawbacks. But in the end it depends what advantages you are looking for.

Why we look for this solution? Because we are no experts in this domain and that we have no time to waste to fight against copy. The software we sell are expensive and the dongle price is marginal in the whole thing. Also, because using these dongles is almost plug and play. No special development to do.

The other great thing is that the keys are managing the user count alone with military precision whatever happens. (We will be using the "networked" solution that has such a feature.) We can licence many software on the same dongle. (So a client having many solutions from our company required only one dongle. We send a dongle update to unlock the new software with its own user count and licensing terms.)

Any-way. It all depends what you are looking for and also, the price you can sell your products. For us this is a good solution in many respects. If our product was at a low price, it would be quite different: we would use the solution described above.

Finally, whatever the solution you choose, do not forget to "warp" your program with a protection software (like PCGuard: www.sofpro.com) in order to help preventing reverse engineering to crack you licence protection. We use this technique since couple of years. (The other solutions mentioned above both include an "envelope" application to do just this but with the dongle.)

I hope this helps and can contribute to further your reflection on the whole question.

Best regards,
Alexandre Leclerc


Alexandre,

Did you make any final determinations on which solution to use? I am currently evaluating SecuTech and was pleased to find they had sample code for Windev. Seems fairly straightforward and I have the sample code working. Eventually I would want to use the Networked solution so that they don't need dongles/application on individual workstations. Any feedback on what you are doing?

Thanks!

Steve

von Steve E. - am 19.04.2012 17:43

Re: WD15: Best end user licensing strategy & code?

most of Software protection dongle/ hardlock come with the sdk and example and it is quite easy to use .
some Software protection dongle allow you to write into it .

one biggest problem of using Software protection dongle is customer always tend to lose it . good luck in handling such issue

von ccc2 - am 20.04.2012 16:52

Re: WD15: Best end user licensing strategy & code?

Hi Steve,

Even though SafeNet keys are more expensive we finally went for this solution for different technical and customer relationship reasons. Both dongle will do the job in the end, I'm sure. The actual killer-feature of SecuTech is the driverless dongle. But SafeNet is also working on that, but they do not have release date yet. (What I've been told by a rep.)

We worked couple weeks in the end in R&D for testing the solutions and creating the WD interface for SafeNet.

Main reasons for choosing SafeNet have been (leaving aside the smaller ones):
- Encrypting, writing data into the dongle and the way the update mechanism works (technical reason here - features we needed).
- Networked Time based licences and feature management super easy to use (technical reason - in fact this is completely transparent to use, you have nothing to check: you have access or not to the feature you try to log on and that's it. You can make further queries to get details if need be.)
- I had an excellent, fast, courteous and professional contact with the sales rep. and he took the time to answer in details all my questions thought all the evaluation period (we were not committed customers yet). If he did not know, he was asking the tech support and had answers reasonably quickly.
- The technical support is very efficient, they answer fast, they even call you and make remote-support sessions right on the PC when need be. (I had issues with some parts of the software because we used French characters in the "Studio" (the key and customer management solution that comes with the toolkit). And they fixed it!!! It took about a month and I had a patch. I was quite surprised. (We are a very small customer for them, but I fell we had a great service just as their big customers.)
- Very complete documentation and very good code samples (even if none in WinDev), and complete ready-to-work customer/key management solution. You can interface with it if need be.
- Overall: good customer and technical experience. Took some time to work the interfaces and drivers but worth all the time. Required features present and easy to use and implement.

Main reasons for not choosing SecuTech:
- When dealing with SecuTech the technical support was much slow (at least one day to many days between each reply over email - maybe your experience is different), was not efficient (i.e. when the support guy was not understanding your point you would loose couple days because there were so many days between each reply). - This is the biggest show-stopper. If you have an urgent issue at a customer site, you do not want to wait 24-48 hours and more. You need an answer right now, especially in production environment.
- Code samples were very basic and documentation almost nonexistent. Very few answers to questions about how it really works. WinDev code was very bad and I did not like the "way" the API was working.
- Overall: After making initial tests, examining the code sample (they really are that: samples) and looking at the tools provided in the toolkit, we stooped investigating the solution quite quickly. We would have had to build our own customer/key management software, etc. Customer interaction was not giving confidence we would have had fast service if a problem would raise at a customer site.

We had to code the interface in WinDev (needed some work, search and testing). As for the drivers, we created an intelligent mechanism that was checking if the workstation had them installed and if not installed them. This also took some time to work on that but now is a very transparent and efficient. We also modified WDSetup to automatically install the drivers during installation if they were not installed properly.

I hope these lines will be of help to you in your decision making. Both are good I'm quite sure. It depends your business needs and technical needs. SafeNet was the only one satisfying our business and technical needs and risk management. It really is a matter of what you really need (business, technical, risks, business model and budget constraints). Then choosing the good solution for you will become easier.

Best regards,
Alexandre Leclerc

Edit 1: Forgot to say that we needed to write data into the dongle in RO (RO and RW are available).

von Alexandre Leclerc - am 23.04.2012 14:49

Re: WD15: Best end user licensing strategy & code?

Hi Alexandre,

Thanks for the thorough response. I agree that the Secutech tools manage the dongles that shipped with the SDK leave a lot to be desired but I did have more luck with the updated version that I downloaded from their website. Much much better. For right now I think I'm going to stick withe the secutech solution as I have it working now and am currently only in beta with my product and won't have but a few installations to deal with. We'll see later if I need to make a change.

Cheers,

Steve

von Steve E. - am 26.04.2012 01:02

Re: WD15: Best end user licensing strategy & code?

Hi,

Today I made a licening model that is easy to implement and verry bullet proof. It can all be done with windev. ( no webdev needed, but if you have webdev it's even better )

In the programm make a connection to an external mysql db .

In the analyse I have a file witch is encripted ( called licence)local hyperfilesql . and a table called register ( mysql )

when activating the software a licence file is made and a table is made in the mysql database.

This is the principle. From here the sky is wlanguage!!

I even made a trial 30 days trial when the program is first installed. When customer pays I change an item in the mysql table and when cleint registers again the licence is valid for a year.

I use webdev to administer the mysql database , but that can be done with a windev application as well. I choose webdev because I want to build a registration application that does more that only read and write to a database. It has to sent me a mail when someone registeres etc.

regards
Allard

von Allard - am 31.05.2012 12:10

Re: WD15: Best end user licensing strategy & code?

Hi Allard.

But i didn't understand how the app checks if it is registered.

If it's somethink like:

Read_the_files_HF_and_MYSQL_to_know_if_software_is_registered()

IF SoftwareRegsitered() = True
Open(Win_Menu)
Else
Error("Bad Registration")
END

Then someone could use a debugger and make the app always jump to Open(Win_Menu). Or even worse. They could check what "SoftwareRegistered()" does and make a valid keygen.

von Jose Antonio Garrido - am 31.05.2012 15:46

Re: WD15: Best end user licensing strategy & code?

Quote
Jose Antonio Garrido
Hi Allard.

But i didn't understand how the app checks if it is registered.

If it's somethink like:

Read_the_files_HF_and_MYSQL_to_know_if_software_is_registered()

IF SoftwareRegsitered() = True
Open(Win_Menu)
Else
Error("Bad Registration")
END

Then someone could use a debugger and make the app always jump to Open(Win_Menu). Or even worse. They could check what "SoftwareRegistered()" does and make a valid keygen.


No, Jose! Did you ever try to look at a WinDev program using a debugger like Black Ice (discontinued) or other? W-Language programs are p-code software embedded within a run-time environment. Very similar to .NET. If you can insert that notorious GOTO or develop a keygen software this would mean that you understand what the p-code does. Of course, it can be done. You could try to learn what PC Soft engineers made. You'd have to understand thousands of commands and the inner workings of WinDev's p-code. But. If you can do that - after some years of hard work, of course - then you could write the whole software anyway - you don't need to crack the software and you don't need a key-Generator! While de-compilers for .NET exist, there's nothing like that for W-Language! Regards, Guenter

von GuenterP - am 31.05.2012 16:21

Re: WD15: Best end user licensing strategy & code?

Quote
GuenterP
W-Language programs are p-code
Guenter

Quote
GuenterP
While de-compilers for .NET exist, there's nothing like that for W-Language! Regards, Guenter


I have made a simple app and tried to load in ollydbg (which i used to made a keygen for my personal once), but i was unable to start it.

Very very good news for me.

:)

von Jose Antonio Garrido - am 31.05.2012 22:51

Re: WD15: Best end user licensing strategy & code?

Hi Allard,

An open connection to an external database is considered to be a security risk.
- On the client side the connection might not be allowed.
- On your side your database (especially if it's MySQL) is vulnerable. They may snif the connection details from your program and start hacking. BTW, why are you using MySQL instead of hyperfilesql?

Regards,
Piet

von Piet van Zanten - am 01.06.2012 07:33

Re: WD15: Best end user licensing strategy & code?

Quote
Piet van Zanten
Hi Allard,

An open connection to an external database is considered to be a security risk.
- On the client side the connection might not be allowed.
- On your side your database (especially if it's MySQL) is vulnerable. They may snif the connection details from your program and start hacking. BTW, why are you using MySQL instead of hyperfilesql?

Regards,
Piet


I use MySQL (and Oracle) because in the US getting companies with an internal IT department to accept a system in their infrastructure with a proprietary DB such as Hyperfile that they know nothing about is, in my experience, difficult, if not impossible. It's hard enough using a language (Windev) that they know nothing about.

von Steve E. - am 01.06.2012 16:43

Re: WD15: Best end user licensing strategy & code?

Hi. Piet.
How are they gonne snif my mysql connection ? There is only a connection when registration or updating is done and if they want to snif it they would have to decompile , not worried about that.

Hi Arie.
I guess a little more explanation is required.
1

I have a hyperfile sql file called license.( because the Windev Program works with hyperfile sql.) It holds the name, address, email ,etc of the client. It also has a view items like registration date, expiration date, ( trial version ) expiration date (real version) and if it is valid or not. If the license file is removed nothing works. ( The file is encrypted )
It also has a field with a generated key based on the name, address ,email , and the key-gen function (). This is a unique key. This key is used to identify the client.( in the mysql database the same key is stored )
2

The key and other data is stored as well on the mysql database. In the mysql table I have a view items like a check if the client has paid. If the client has paid then I can switch that on and if the client registers again the Windev app registers the licence not as trial but as real version with a valid license ( for 1 year ).
At the moment I am building a random check. So that at random the windev app will check if based on the key and other values the license is still valid.
3
I am using mysql because I do all my webdev programming with the free php and mysql . I have not bought the application server yet, and don’t want to buy it as long as I don not need it.

In my opinion this is rather bulled proof. But I can be wrong. So If I am doning something wrong then please tell me ( if possible with a reason why it is wrong )

someone said that the external db might not be availeble... Hm didnot really think about that, then indeed passing info via a webservice ( using port 80) would be bettter?
Well for now iam leaving it this way, it is used onley in a little app .

Thanks

Regards Allard

von Allard - am 04.06.2012 09:45

Re: WD15: Best end user licensing strategy & code?

Hi all,

I was thinking of this old thread this morning when I received a notification that now KeyCalcActivationKey() can receive a secret password to make sure only the application provider can generate a valid key for it's end users without additional coding.

Ok, it's four years later, version 20 51j, but it's now possible! And since this thread was very interesting and is still actual, it's not that bad to make it go up again.

In four years we made a lot of road and reading some previous posts, I add that we now use since two year LimeLM from wyday.com as integrated activation solution (TurboActivate and TurboFloat). Great price, great service and nice piece of technology.

Best regards,
Alexandre Leclerc

von Alexandre Leclerc - am 24.02.2015 14:17
Zur Information:
MySnip.de hat keinen Einfluss auf die Inhalte der Beiträge. Bitte kontaktieren Sie den Administrator des Forums bei Problemen oder Löschforderungen über die Kontaktseite.
Falls die Kontaktaufnahme mit dem Administrator des Forums fehlschlägt, kontaktieren Sie uns bitte über die in unserem Impressum angegebenen Daten.