Fog Creek Software
Discussion Board




software registration


I am trying to come up with a software registration system. I am debating whether it is good or not to lock the application to a single PC (if possible at all). 

I have a few methods in mind for registration. However, each method has its pros and cons. I'll spare you the pros, but here is a list of cons:

* One registration method requires you to be connected to the internet. The connection might be needed for a few seconds either the first time you run the app, or every time you run it. This essentially is to make sure only one copy of the registration code is alive at any given point. So if you distribute the app to your friends, all of you can't run it at the same time.

* Another method requires me to generate a different (unique) binary every time someone buys the app. I am not sure how I would send this binary to the customer though. I guess I would create it automatically, and then create a link only for that customer to download as soon as the credit card info is entered (i.e. the sale is closed). After the app is downloaded, the binary and the link will be deleted.
This looks pretty involved though.

So based on your experience, what kinds of "maintenance" headaches would these methods create?

I am pretty new to this registration stuff. I wish I didn't have to deal with it, but looks like I have to.

Any other suggestions are welcome!

Thank you!

registrar
Tuesday, May 4, 2004

Don't try too hard and focus on making your application better, so more people will buy it. Never mind the pirates. It's impossible to come up with something that will stop people from copying software.

Required internet connection on application startup is wrong, it makes it harder to use for people who actually *did* buy it, and the cracked version will be *better*. No incentive to buy it then, is there? Also, it would be very complicated to get it working behind proxies etc. Too much trouble.

How is the second method supposed to work?

TomA
Tuesday, May 4, 2004

I would say that the best thing which could happen to you is mass copying of your software.  That's more people that will see it, more who will ultimately become paying customers.

It might be better to give an incentive to purchasing, and use the copying as a marketing tool.  Free/Automatic updates for paying customers would be favorite. That's how AntiVirus software works.  Watermarking the output is another very fine method.  Make it small but clear, and make sure that the watermark is advertising for you.

What is the application, so we can make more specific recommendations?

Clay Dowling
Tuesday, May 4, 2004

Give away a slightly-crippled or time-limited version, and use registration codes.  Of software I've purchased that wasn't shrinkwrapped, that's how they did it.  And make it _very_ easy to retrieve your registration code again if you delete the e-mail that contained it.

Kyralessa
Tuesday, May 4, 2004

Crackers simply find the point in your code where you decide IsCodeValid() or IsThisVersionRegistered() and add a jump or nop over it. So it doesn't matter how elaborate the checking process itself is, whether you go on the internet or not, or how many times you encrypt or decrypt the code, since they're just going to bypass it.

What does matter is how well you can obscure that decision point such that they decide it's not worth the frustration to crack (especially since your app is probably just one of thousands released that month). That's where you should spend your effort, instead of on the verification process. Search Google for cracking techniques for some anti-cracking tips.

Melvin J. Cracker
Tuesday, May 4, 2004

We use a paid registration code for our personal edition download (free, but some advanced features expire after a trial period).  The code gets emailed to the user automatically after a purchase.

After the user enters the registration code into the client software, the program will attempt to report back to the central server.  This report includes the code, the internal and external IP addresses, user-name, and other basic registration information.

If we receive multiple notifications from a bunch of different IPs that all use the same code, we know some piracy has occurred.  We gently notify the original purchaser that they are responsible for distribution of the code... and that's usually as far as it gets.

dir at badblue com
Tuesday, May 4, 2004

>> I would say that the best thing which could happen to you is mass copying of your software.  That's more people that will see it, more who will ultimately become paying customers.

I have heard this many times when the issue of piracy comes up and I think it is just wrong. Talk to any successful author and they will tell you sales drop off noticeably when a crack has been published.

Tony Edgecombe
Tuesday, May 4, 2004

I buy a LOT of software. Tons. At least ten thousand dollars a year, sometimes much more for my own personal use and then I also recommend much more than that.

I don't have ANY cracked or illicit software. None. I buy everything.

So, I am the sort of customer smart companies should be listening to.

If the registration requires making a phone call or is locked to a single computer, I WILL NOT BUY IT. It's as simple as that. The risks of losing my data when the company goes belly up are far too great for that kind of stupidity.

Locking to a single computer is retarded and unacceptable. Requiring a phone call or netlookup to some company that will be out of business in five years is unacceptable.

Dennis Atkins
Tuesday, May 4, 2004

First of all, is that really true for unknown software? That sales drop?

Second, here's a few tips:

The only way to even decently protect your software from being copied is putting major functionality server-side and requiring that each client has a unique id registered with the server, such as network games do.

Crippling software is good though, especially for low profile applications, but this requires you to send the full executable to paying customers. Just disabling functionality won't work. It's only good if it's low profile though since if it's a high-profile application people will buy it and release it that way.

Watermarking is good if you use an effective technique and have a relatively small userbase, such as the IDA disassembler, whose watermarking technique has been proven unbeatable time after time after time. It simply dumps tons of data straight into the exe for you.

Techniques that have been beaten but require a whole lot of work are what is involved in for example Flash FXP and WinRAR, though I won't venture a guess about what code-obfuscation they use, but the registration involves Public Key-encryption.

I've done a lot of research :)

Marcus
Tuesday, May 4, 2004

Thank you all for your responses. I appreciate your feedback!

> I don't have ANY cracked or illicit software. None. I buy
> everything.
>
> So, I am the sort of customer smart companies should be
> listening to.
>
> If the registration requires making a phone call or is
> locked to a single computer, I WILL NOT BUY IT. it's as
> simple as that.

I hear you Dennis.. I am trying to come up with a way that will keep everyone happy which is proving to be very hard.
Naturally, everyone has different requirements.

I cannot come up with a way that will stop the spreading of the full version of the app without locking it down to a particular PC. Please note that I don't claim that I can even do that. I am just considering that option. I am aware that it is not a very user-friendly option though. Especially for people that upgrade their PCs a lot, or in case the company goes belly up.

If I use only registration numbers, that won't stop the copying.  I am not even talking about crackers and pirates. When people like something, they like to share. Sharing is good but when your income depends on it, it is not the greatest thing (although it is good marketing). Preferably, if you like the app, you'll buy your own copy. Or if you wish to share your copy, then you will stop using yours. Cloning the app for sharing is technically a violation of the EULA, but people are used to doing it by now.

I'd like my registration procedure to enforce the EULA without interfering too much with the user. It would be nice to allow one user to install the app on as many PCs as he wants to as long as he is the only user of the app. But that is VERY hard to detect programmatically. If only there was a way to authenticate the user without the possibility that someone else can impersonate the user...

Crippling has been criticized on here before as well. Some posters complained that sometimes the crippled functionality is what they wanted to test, so they get turned off by that. Time-limited full software is very vulnerable to cracking. I don't know if I care for that as a developer although as a user, I'd personally like that.

I can't quite come up with something that'll please everyone. Please let me know what you use in your own applications... I guess what I am looking for is to authenticate the user without the possibility that someone else can impersonate the user... I just have a feeling that is not possible, but hopefully you can prove me wrong.

Thanks again!

registrar
Tuesday, May 4, 2004

USB hardware keys are one extreme option and only to be used for very expensive software since the hapless user will lose a prized USB port.

Watermarking the executable is another.

The problem with locking to one machine is that the software will STILL be cracked and put on boards, but in addition to this you are giving honest users an incentive to get the crack or not buy the software in the first place because... the crack is a better piece of software, lacking the annoying net check/machine lock routine.

A decent registration number scheme for software under $1000 will keep honest users honest. Software $1000 and up can have a hardware key, or you can set up a system of watermarking your executables if you're really concerned.

I don't advocate NO protection for software you want to sell. But if the software stops working a month after you go out of business, destroying all the files worldwide that were made with it that can no longer be opened, then sensible users will avoid that software if at all possible.

For software over $100,000 there can be an escrow provision, which requires a system to keep the latest versions stored in escrow with an independent third party in case the original business shuts down.

Dennis Atkins
Tuesday, May 4, 2004

>Locking to a single computer is retarded and unacceptable.

While I don't agree with what Dennis said about refusing to buy software that required a call to registrar, i.e. I am quite happy to make that call. I also think that software vendors have a right to do that.

However he did make one interesting point:
>Requiring a phone call or netlookup to some company that will be out of business in five years is unacceptable.

We all like to think we will be in business forever, but what happens if we are not? Do we just stop support for the product? What measures should be implemented to ensure the user is still able to register in X years' time?

Aussie Chick
Tuesday, May 4, 2004

> We all like to think we will be in business forever, but
> what happens if we are not? Do we just stop support for
> the product? What measures should be implemented to
> ensure the user is still able to register in X years' time?

Besides the fact that the business could disappear, I think it is more of a hassle to have an authentication server and/or customer service reps to handle the phone calls. I'd rather have it be quick, simple and clean.

I actually came across one product (CacheX for IE) which has quite a strong protection scheme based on registration numbers. I can't reach the author though. He apparently took ideas from a commercial protection scheme and made his home-made thing. The strongest (and the weakest) point of the scheme is that you need at least one valid code to get to a constant which is required to crack the scheme... It is tough enough that most average users will not care to crack it. It apparently is also hard to patch.

Anyway... Aside from the "how can I do it?", I am trying to decide on "what" to do...

So how can I lock a registration number to a single user without the user giving his/her identity away so others can use the application?  (the million dollar question)  :)

registrar
Tuesday, May 4, 2004


Please don't say "use the credit card number as the registration code".  :)

registrar
Tuesday, May 4, 2004

Listen to me, registrar -- cracks are NOT free codes that get out. Cracks are modifications to your program files that allow ANY code to work. That is what you have to address!

Cracker Jack
Tuesday, May 4, 2004

I do not work for Silicon Realms.  http://www.siliconrealms.com/ is the site, Armadillo is the product.  I suggest you go check it out.  They actively update it, it uses strong methods of protecting files that are quite hard to break, and they respond quickly to questions via email or their forum.

Aaron F Stanton
Tuesday, May 4, 2004

...and the only downside to Armadillo is that there exist several generic protection strippers. But if you want to waste money...

Believe me when I say that the only efficient way you'll come across is watermarking. When it comes to protection, if you know what you're doing you'll be better off rolling your own than just buying one. Every known protection except the IDA-one has been broken, Armadillo, HASP, c-dilla, safedisc. Some just take longer :)

Marcus
Wednesday, May 5, 2004

Like Dennis, I don't buy software that calls home or locks me to one machine. That is unless the software has a monopoly like Windows XP or Adobe Photoshop.

The latest Photoshop CS version only works for 30 days. After that you have to register online or by phone. Of course a crack was available even before the official release. Another example of thieves getting a better treat than paying customers.

I actually made sure that the crack worked before buying it. So we can safely say that Adobe made a sale, because some cracker had created a work-around for their stupid registration system...

Jan Derk
Wednesday, May 5, 2004

>>> So how can I lock a registration number to a single user without the user giving his/her identity away so others can use the application?  (the million dollar question)

If you dispense a registration code with the purchase (e.g., this is a feature that DigiBuy supports), you know who was issued the original reg-code.

The reg-code gets reported back to a PHP/Perl script on your site when the user enters the code into the client app to unlock it.

Thus, you know who was issued the reg-code in the first place.  If that same reg-code gets reported again, you gently warn the user about piracy.  Or take stronger action, depending upon what transpired.

I'm not sure where this doesn't work for you.  Software isn't locked to a single machine.  You get auditability for each reg-code you've dispensed.  We've seen little to no piracy with this approach.

dir at badblue com
Wednesday, May 5, 2004
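
The reg-code audit described in the two posts by dir at badblue com, sketched as an added example that is not part of the original thread and is not BadBlue's code (the posts mention a PHP/Perl script; Python is used here). The function name `audit`, the `max_sites` threshold, the report layout and all sample codes, addresses and names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: codes dispensed at purchase (code -> purchaser).
ISSUED = {
    "AAAA-1111": "alice@example.com",
    "BBBB-2222": "bob@example.com",
}

# Constructed activation reports, one per unlock, in the shape the posts
# describe: (reg_code, external_ip, internal_ip, user_name).
REPORTS = [
    ("AAAA-1111", "203.0.113.10", "192.168.0.2", "alice"),
    ("AAAA-1111", "203.0.113.10", "192.168.0.7", "alice"),  # 2nd PC, same network
    ("BBBB-2222", "198.51.100.4", "10.0.0.5", "bob"),
    ("BBBB-2222", "198.51.100.77", "10.1.1.9", "carol"),
    ("BBBB-2222", "192.0.2.33", "172.16.0.3", "dave"),
    ("ZZZZ-9999", "192.0.2.50", "10.0.0.8", "eve"),         # never dispensed
]

def audit(reports, issued, max_sites=2):
    """Return (shared, unknown).

    shared:  {code: (purchaser, sorted external IPs)} for issued codes that
             were reported from more than max_sites distinct external IPs.
    unknown: sorted list of reported codes that were never issued.
    """
    sites = defaultdict(set)
    for code, ext_ip, _int_ip, _user in reports:
        # Count networks, not machines: several PCs behind one external
        # address (one buyer, many installs) count as a single site.
        sites[code].add(ext_ip)
    shared = {
        code: (issued[code], sorted(ips))
        for code, ips in sites.items()
        if code in issued and len(ips) > max_sites
    }
    unknown = sorted(code for code in sites if code not in issued)
    return shared, unknown

if __name__ == "__main__":
    shared, unknown = audit(REPORTS, ISSUED)
    for code, (owner, ips) in shared.items():
        print(f"{code}: issued to {owner}, seen from {len(ips)} networks")
    print("reported but never issued:", unknown)
```

A reported code that was never issued is a different signal from a shared one: it means the client accepted a code the vendor did not generate, which is the patched-binary case raised elsewhere in the thread.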

Marcus,

Do you have some URLs where I can understand how watermarking works?

GinG
Wednesday, May 5, 2004

Watermarking is a good idea, but that means a unique binary is created for each customer... I don't know how hard it is to set up the website such that when a customer wants to make a purchase, a unique binary is generated and the customer is sent a link to download it.

> I'm not sure where this doesn't work for you.  Software
> isn't locked to a single machine.  You get auditability for
> each reg-code you've dispensed.  We've seen little to no
> piracy with this approach.

You are right badblue. This is probably the best solution.

registrar
Wednesday, May 5, 2004
