
custom licensing scheme

In my quest to create a derived edit control in ATL that will go into an
application that will hopefully make me some money one day, I have decided to
try to devise a custom licensing scheme for it. I will describe it and would
like to see what people think and how it can be improved if possible please.
My aim is not to prevent it from being used in design mode / OK in run mode,
but to have a *relatively simple* method of making sure that it is only used
by my client application and no other. The idea is that I don't have to
understand all the IClassFactory2 palava (which I think it would take me far
too long, if at all), I just have to implement a certain class in any client
application I write that I want to use it, and then just copy and paste a
GUID into that class's source code (from the component's source code) to pass
to the component to validate it - not great you may think, but it seems good
because it is simple, while still possibly keeping out all but hardened
cryptographers / machine-code crackers.

The validation algorithm goes as follows: The ActiveX control (which is a
VC7.1 unmanaged ATL control) has a COM-exposed Validate method, that takes
one parameter which is an interface of type IDispatch. The method then looks
up the dispid of a method called "NearlyThere" using
IDispatch::GetIDsOfNames. It then assembles a DISPPARAMS with no arguments
and calls the method it found using IDispatch::Invoke. The client
application, which is written in C#, creates an instance of a class which has
the InterfaceAttribute set to IDispatch (thus implements IDispatch) and uses
this to pass to the IDispatch parameter of the Validate method of the
control. The "NearlyThere" method in this class returns a GUID, which seems
to safely make it back into the C++ side, and is stored as a VT_BSTR VARIANT
class member variable of the control. I was then thinking of having a method
(let's say "Authorize") which checks the GUID in this BSTR against a
constant, and throws a _com_raise_error(?) if they don't match.

The code in the ATL project is as such:

VARIANT r; //(actually in the .h file)

STDMETHODIMP Clicensed::Initialize2(IDispatch* d)
{
    if (d == NULL)
        return E_POINTER;

    // Look up the DISPID of the client's "NearlyThere" method.
    DISPID dispid = 0;
    OLECHAR* text = OLESTR("NearlyThere");
    HRESULT hr = d->GetIDsOfNames(IID_NULL, &text, 1, LOCALE_SYSTEM_DEFAULT, &dispid);
    if (FAILED(hr))
        return hr;

    // NearlyThere takes no arguments.
    DISPPARAMS dp;
    memset(&dp, 0, sizeof(DISPPARAMS));

    EXCEPINFO excinf;
    memset(&excinf, 0, sizeof(EXCEPINFO));
    UINT uArgErr = 0;
    VariantInit(&r);
    hr = d->Invoke(dispid, IID_NULL, LOCALE_SYSTEM_DEFAULT, DISPATCH_METHOD,
                   &dp, &r, &excinf, &uArgErr);
    if (FAILED(hr))
        return hr;

    // Only treat the result as a string if the client really returned one.
    if (r.vt != VT_BSTR || r.bstrVal == NULL)
        return E_INVALIDARG;

    ATLTRACE(L"%s\n", r.bstrVal); //the GUID gets back here OK
    return S_OK;
}

and the code in the C# project is very little, but this is it:
//theinitobj.cs
using System.Runtime.InteropServices;

[InterfaceType(ComInterfaceType.InterfaceIsIDispatch)]
public interface IMySecurity
{
    string NearlyThere();
}

public class theinitobj : IMySecurity
{
    public theinitobj(){}

    #region IBonjSecurity Members

    public string NearlyThere()
    {
        return "{1F3B54F8-8615-43e4-B74D-4E1699CC990A}";
    }

    #endregion
}

//frmMain.cs

private void Form1_Load(object sender, System.EventArgs e)
{
    // Hand the callback object to the control so it can call NearlyThere.
    IMySecurity ibs = new theinitobj();

    this.axlicensed2.Initialize2(ibs);
}

I'm thinking of calling a routine that checks the received GUID before an
important algorithm happens (maybe a preprocessor macro) - but how do you
think I should go about aborting if it's wrong - _com_raise_error or
_com_issue_error, what's the difference? And what parameter? Or something
else?

What does this sound like? I thought it would be good because it is quite
contrived - it's calling then calling back again - but how easy would it be
to "switch return values" without getting into the function, and how
successful will it be at preventing people from being able to use it, do you
reckon?
Could it be improved?

Nov 16 '05 #1
16 Replies


"Patty O'Dors" <Pa********@discussions.microsoft.com> wrote in message
news:D7**********************************@microsoft.com...
> In my quest to create a derived edit control in ATL that will go into an
> application that will hopefully make me some money one day, I have decided
> to try to devise a custom licensing scheme for it.


FWIW: You might want to take a look at some of the products that do this
kind of thing:

http://www.crypkey.com/

http://siliconrealms.com/index.shtml

Regards,
Will
Nov 16 '05 #2

If I'd wanted COMMERCIALS, I would have asked for COMMERCIALS. If I'd wanted
opinions, I'd have asked for opinions - which *IS* what I believe I did... is
it not??

Did you REALLY think by my post that I wanted to buy someone else's
solution? From the way I phrased it, I *thought* I'd made it clear that's
exactly what I DIDN'T want, or are you just deliberately trying to wind me up?

Nov 16 '05 #3

what the hell, that response was completely uncalled for... calm down. He did not say to BUY it. He said to look into those and
maybe get some ideas on how they do it.

--
Adam Clauss
ca*****@tamu.edu

Nov 16 '05 #4

"Patty O'Dors" <Pa********@discussions.microsoft.com> wrote in message
news:52**********************************@microsoft.com...
> If I'd wanted COMMERCIALS, I would have asked for COMMERCIALS. If I'd
> wanted opinions, I'd have asked for opinions - which *IS* what I believe
> I did... is it not??

Yes, it is.

But what few people realize is that security is a fulltime job. Either you
do it or you don't. A solution concocted by anyone who has to post for
advice on how to accomplish it is likely to be broken by the regulars here
in forty five minutes or less.

Regards,
Will
Nov 16 '05 #5

William DePalo [MVP VC++] wrote:
> "Patty O'Dors" <Pa********@discussions.microsoft.com> wrote in message
> news:52**********************************@microsoft.com...
>> If I'd wanted COMMERCIALS, I would have asked for COMMERCIALS. If I'd
>> wanted opinions, I'd have asked for opinions - which *IS* what I believe
>> I did... is it not??
>
> Yes, it is.
>
> But what few people realize is that security is a fulltime job. Either you
> do it or you don't. A solution concocted by anyone who has to post for
> advice on how to accomplish it is likely to be broken by the regulars here
> in forty five minutes or less.

LOL!

However, he just wanted to know how to throw an exception
from his C++ code.

Patty, that's COM, so just return S_FALSE or E_whatever ;-)

bye
Rob
Nov 16 '05 #6
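
Added example (not from any post in this thread): the "Authorize" check from the first post, reporting a mismatch through the method's return code as reply #6 suggests. The Windows types are replaced by labelled stand-ins so it builds anywhere, and Reply is a hypothetical model of the stored VARIANT. S_FALSE is a success code, so a C# caller only sees an exception when a failure HRESULT such as CLASS_E_NOTLICENSED comes back; the GUIDs are parsed before comparing because the pasted string mixes upper- and lower-case hex digits.

```cpp
// Added example: portable stand-ins for the Windows types so it builds anywhere.
// In the ATL control use HRESULT, VARIANT (vt == VT_BSTR) and FAILED() instead.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

using hresult_t = std::int32_t;    // stand-in for HRESULT
constexpr hresult_t kS_OK = 0;
constexpr hresult_t kS_FALSE = 1;  // a success code: callers see no error
constexpr hresult_t kE_INVALIDARG = static_cast<hresult_t>(0x80070057u);
constexpr hresult_t kCLASS_E_NOTLICENSED = static_cast<hresult_t>(0x80040112u);

inline bool Failed(hresult_t hr) { return hr < 0; }  // same test as FAILED()

using Guid = std::array<std::uint8_t, 16>;

// Parse "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", hex digits in either case.
bool ParseGuid(const std::wstring& s, Guid& out) {
    static const char kShape[] = "{hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh}";
    if (s.size() != sizeof(kShape) - 1) return false;
    out.fill(0);
    std::size_t nibble = 0;
    for (std::size_t i = 0; i < s.size(); ++i) {
        const wchar_t c = s[i];
        if (kShape[i] != 'h') {  // brace or dash must match exactly
            if (c != static_cast<wchar_t>(kShape[i])) return false;
            continue;
        }
        int v;
        if (c >= L'0' && c <= L'9') v = c - L'0';
        else if (c >= L'a' && c <= L'f') v = c - L'a' + 10;
        else if (c >= L'A' && c <= L'F') v = c - L'A' + 10;
        else return false;
        out[nibble / 2] = static_cast<std::uint8_t>((out[nibble / 2] << 4) | v);
        ++nibble;
    }
    return true;
}

// Hypothetical model of the stored VARIANT r: has_bstr stands for vt == VT_BSTR.
struct Reply {
    bool has_bstr;
    std::wstring text;
};

// The "Authorize" gate from the first post, reporting through the return code.
hresult_t Authorize(const Reply& r) {
    Guid want, got;
    ParseGuid(L"{1F3B54F8-8615-43e4-B74D-4E1699CC990A}", want);  // GUID from the post
    if (!r.has_bstr || !ParseGuid(r.text, got))
        return kE_INVALIDARG;  // nothing usable came back from NearlyThere
    return want == got ? kS_OK : kCLASS_E_NOTLICENSED;
}

int main() {
    const Reply good{true, L"{1f3b54f8-8615-43e4-b74d-4e1699cc990a}"};  // constructed
    const Reply bad{true, L"{00000000-0000-0000-0000-000000000000}"};   // constructed
    std::printf("good: 0x%08X\n", static_cast<unsigned>(Authorize(good)));
    std::printf("bad:  0x%08X\n", static_cast<unsigned>(Authorize(bad)));
    return 0;
}
```
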

Well - OK. I see your point.
But my point is that I'm not trying to be too ambitious. There's always
going to be some people who haven't got a clue of how to disassemble and
can't crack any program, and there's always going to be some who are expert
at it, who can crack anything. My aim is not to *prevent anybody* from
cracking my program, but to make it likely that you'll have to disassemble in
order to do it. Since this is going to be largely a business application, I
think the sort of developers that are going to be using this product are
mainly people who are building in-house systems.
I would guess that in large companies, these people are going to regard
disassemblage of something they found in the GAC from this application they
had installed as more than their jobs'/criminal record's worth, what with the
ever-increasing amount of law relating to software theft, especially as it is
a component that the only point in cracking it would be to use it in another
saleable application.

I suppose I'll just have to accept the minority such as the likes of you who
will flaunt your knowledge just because you can and put it on some warez site
- but I do hope you won't.

Nov 16 '05 #7

The other thing about using a commercial solution is that it will be cheaper
in the long run. If you only value yourself at $20 an hour, you could buy a
commercial solution before you've spent 10 hours on it.

Believe me, if you think that you're only gonna spend 10 hours (a good
working day) on it, you've got another think coming :-) The commercial
solutions are relatively expensive because they have thousands of man-hours
invested in them. A company I worked for did a very simple but effective
copy-protection scheme for floppies and this took several weeks of an
extremely competent engineer.

Any solution that doesn't involve a dongle will be cracked if the software
is worth having. Dongled software usually lasts longer, but it's a bit of a
pain for customers.

All the Best
Julian Nicholls

Nov 16 '05 #8

I would second absolutely everything below. DIY security isn't worth it
unless you're interested in it as an academic exercise - commercially it'll
a) be much worse than any solution that you can buy and b) be terrible value
for your time/money.

Steve

"Julian Nicholls" <sw***********************@removethis.btconnect.com> wrote
in message news:eC**************@TK2MSFTNGP12.phx.gbl...
> The other thing about using a commercial solution is that it will be cheaper
> in the long run. If you only value yourself at $20 an hour, you could buy a
> commercial solution before you've spent 10 hours on it.
>
> Believe me, if you think that you're only gonna spend 10 hours (a good
> working day) on it, you've got another think coming :-) The commercial
> solutions are relatively expensive because they have thousands of man-hours
> invested in them. A company I worked for did a very simple but effective
> copy-protection scheme for floppies and this took several weeks of an
> extremely competent engineer.
>
> Any solution that doesn't involve a dongle will be cracked if the software
> is worth having. Dongled software usually lasts longer, but it's a bit of a
> pain for customers.
>
> All the Best
> Julian Nicholls

Nov 16 '05 #9

You talk about better value - but I don't know that it's going to sell at
all. I've never sold anything before - I just get the impression that this
will be quite useful.

If I make any money at all, then I might invest some of it in a professional
licensing scheme for my next app. But I don't want to buy something out of my
own pocket that may just end up sitting there.

I guess I wanted people to evaluate it on its own merits and give an opinion
as to how hard it will be for the layman to crack (not *whether* it will
eventually be cracked) - as opposed to being ushered in the direction of the
alternative - although it seems that's too much to ask.
Thanks anyway.
Nov 16 '05 #10

Hi,

The layman won't crack it - but most cracked software is done by gangs of
programmers, not by customers. The scheme you mentioned is about as simple
as things get, so while I don't know in terms of minutes, it wouldn't take
very long at all for anyone with any decompilation skill to crack. If you're
not going to rely on it as a source of income, then go with it - it's simple
and would only take a few minutes for you to implement.

Steve

Nov 16 '05 #11

There are these things called "trials" and "demos" - maybe you should investigate their meanings.

--
Adam Clauss
ca*****@tamu.edu

"Patty O'Dors" <Pa********@discussions.microsoft.com> wrote in message news:0E**********************************@microsoft.com...
> Yes, but the website is telling you to buy it. It's a commercial website, so
> they're hardly going to give away their secrets are they?

Nov 16 '05 #12

"Patty O'Dors" <Pa********@discussions.microsoft.com> wrote in message
news:A6**********************************@microsoft.com...
> Well - OK. I see your point.
> But my point is that I'm not trying to be too ambitious. There's always
> going to be some people who haven't got a clue of how to disassemble and
> can't crack any program, and there's always going to be some who are
> expert at it, who can crack anything.

Yes, but the naive approach to the problem involves a solution along these
lines

    bool ok = IsThisCopyGoodToGo();

    if ( !ok )
        ExitProcess(1);

You can have a world class implementation of the license check but some 17
year old who can use a debugger will find the address in the code where he
simply set one bit in the EAX register and your application is his. The
commercial products spend as much time hiding the check and making it
difficult for the attacker who only has a standard debugger to have his way
as they do on the crypto.

> My aim is not to *prevent anybody* from
> cracking my program, but to make it likely that you'll have to disassemble
> in order to do it.

Well, unless and until operating systems provide this level of security no
solution will be absolutely perfect. The attacker has the upper hand because
he has your stuff.

> Since this is going to be largely a business application, I
> think the sort of developers that are going to be using this product are
> mainly people who are building in-house systems.

Businesses are the worst. I used to work for a huge multinational bank - one
in the top two or three in the US. Its settlement for using unlicensed
copies of a particular software publisher's product was so large it made the
nightly news. What passes for ethical behavior in the financial community
on Wall Street is often literally criminal.

Regards,
Will
Nov 16 '05 #13

> bool ok = IsThisCopyGoodToGo();
>
> if ( !ok )
>     ExitProcess(1);
>
> You can have a world class implementation of the license check but some 17
> year old who can use a debugger will find the address in the code where he
> simply set one bit in the EAX register

That's exactly where my head is at - which is the reason why I really wanted
to write this in C++ as opposed to C#, as I can just embed a macro into one
of the main functions / key algorithms and then, in my source code, the
checking bit is nice and tidy and in one place, but in the EXE the code to do
the checking is all splodged around. But I'm pulling my hair out again
because I still can't get it to work... please see "Richedit text change
events." by me further up (please pleeeeeeease do;-))

Thanks for managing to explain and confirm exactly what I was thinking though.

Nov 16 '05 #14

I'm not refraining from buying these things because I don't trust they'll be
any good, I'm refraining from buying them because I don't want to outlay any
money before I've made any. Simple as that.
If my first product makes only a fraction of what it could do due to my
"layman's" system being cracked, but makes me enough to cover the costs of a
professional licensing scheme for my next product, then I'll be happy.

Nov 16 '05 #15

Once again, I did not say buy it. So I didn't care much about WHY you did not want to buy it...
The idea was to take a look at the trial and get ideas on how to accomplish your goal.

--
Adam Clauss
ca*****@tamu.edu

Nov 16 '05 #16

But that's the point - because it's commercial, they're unlikely to give away
their secrets - rendering it useless for me trying to discover a good way in
which it can be done. The only advice for my licensing scheme I could glean
from that website would be how to market it, possibly.

Nov 16 '05 #17
