Simple licensing scheme?

[mijen67]

Any ideas for a simple licensing scheme with the following features:

Per user license.

Locked to three devices per user (cross-platform)

30 days trial, selected features are locked after 30 days (maybe separate binary if easier)

[rvk]

http://wiki.lazarus.freepascal.org/OnGuard

This version of OnGuard is port of Turbo Power OnGuard. OnGuard is a library to create demo versions of your Delphi, Kylix and Free Pascal applications. Create demo versions that are time-limited, feature-limited, limited to a certain number of uses, or limited to a certain number of concurrent network users. You could also protect executable file from modification, either by hacker or malware. Most functionality has been tested to work under Windows, Linux and FreeBSD.

It has now been designed for cross-platform applications (Windows, Linux, FreeBSD etc). Pure Object Pascal. However some features are heavy system dependant. OnGuard doesn't depend on the Lazarus LCL, so you could also use it in Command Line, Web or other GUI toolkit applications.

OnGuard is distributed as a source-only package. The download contains the component package for Lazarus + documentation (pdf and hlp file) and probably all original examples ported to Lazarus.

[mijen67]

http://wiki.lazarus.freepascal.org/OnGuard

Thanks, seems like this certainly can do what I want to do. However, it also seem to require a significant amount of extra work - in particularly compiling Lazarus which I'm not sure I want to do (still newbie, struggling a lot with ... a lot  ).

Basically I just want to enable program for 30 days trial, and then lock it down if it hasn't been enabled by license key. So I guess I'm just searching for hints on how to generate keys and simple methods to store time of first use that regular users cannot break (Hackers for sure will be capable of getting around this, but I don't care about that). Just something that makes it very difficult for non-hackers to get around.

[rvk]

However, it also seem to require a significant amount of extra work - in particularly compiling Lazarus which I'm not sure I want to do (still newbie, struggling a lot with ... a lot  ).

Actually, it doesn't require any component.
But you should know that ANY component you want extra in Lazarus will require the recompilation of Lazarus. But it isn't that hard. Just confirm the installation and Lazarus will re-compile itself.
 
But like I said, although OnGuard does have components to just drop on a form, you CAN do it without components. But it's a but harder because you would need to call the correct functions yourself.

Basically I just want to enable program for 30 days trial, and then lock it down if it hasn't been enabled by license key. So I guess I'm just searching for hints on how to generate keys and simple methods to store time of first use that regular users cannot break (Hackers for sure will be capable of getting around this, but I don't care about that). Just something that makes it very difficult for non-hackers to get around.

Generating the keys is just what OnGuard does. Storing that key is up to you. You can save it in the registry or save it to a file. Both methods are susceptible to hacking. That's why I use a combination of online keys.

You can look at the source-code of OnGuard to see how the keys and machine-codes are generated.

[mijen67]

However, it also seem to require a significant amount of extra work - in particularly compiling Lazarus which I'm not sure I want to do (still newbie, struggling a lot with ... a lot  ).

Actually, it doesn't require any component.
But you should know that ANY component you want extra in Lazarus will require the recompilation of Lazarus. But it isn't that hard. Just confirm the installation and Lazarus will re-compile itself.
 

Got it.

Now I want to try to install OnGuard. The readme file is probably fine, but not for a newbie:

  1. Unzip the release files into a directory (the best it \components subdirectory
     of Lazarus tree).
  2. Start Lazarus.
  3. Open & install the package. This requires a Lazarus IDE rebuild.

Steps 1 and 2 are ok, but 3 assumes some knowledge I don't have. There is no menu called "Open & install package", however there are related menu items:

Open loaded package
Open package file (.lpk)

I saw multiple .lpk files in the onguard-master directory:

tponguard.lpk
tponguard_design.lpk
tponguard_fpgui.lpk

So I guess the option "Open package file (.lpk)" is the correct option. Next uncertainty. Which one of above three packages to choose? Readme just states "the" package ...

Ok, so maybe I can find help here: http://wiki.lazarus.freepascal.org/Lazarus_Packages . Unfortunately I couldn't find, for me, useful hints so I gave up and guessed that maybe I'll just open package file "tponguard.lpk".

Now a new window pops up with options: Compile, Use, Add, Options, Help ... 

Compilation went fine (green background on topline in messages window) with some hints though. What to do next?

[scons]

Another idea, maybe, put some code in to check a date at program startup, put that date in an external encrypted file, if check is not ok exit program.
Very simple but may be efficient enough for simple usage. When date has expired and you want to provide a new license, then you can send a new file with encrypted date ...
You could extend this beyond date only of course.

But OnGuard works also pretty nice.

[rvk]

Another idea, maybe, put some code in to check a date at program startup, put that date in an external encrypted file, if check is not ok exit program.

And there is the potential problem. If you let the program create that encrypted file on first startup, the user can just remove that file after 30 days and the program will generate that file again.

The only way this is going to work is if the user gets the license-key from you. Also for the trial-version. So you would need to provide EVERYONE who downloads the program with a license-key.

Next problem is that the program can be copied and the same license-key is valid to everyone.

The best way would be to calculate a unique machine code (which OnGuard does) and the user has to "register" that code with his e-mail (or name) with you. You can create a unique license-key (again OnGuard) especially for that combination of machine-code and name and expiration date (I do this automatically online).

The problem with this method is that, even for the trial version, the user has to register and a key needs to be created (which can be a hassle for large number of downloads).

Another option would be to generate the trial key on startup but hide it really well in the registry or filesystem. So don't just save it in the program directory. But the program can still be copied or if the user runs a virtual machine it can go back to it's original state. And when running a monitor program on the trial program, it will be easy to see what the program does to generate the key and where the file is saved.

Now I want to try to install OnGuard. The readme file is probably fine, but not for a newbie:

The interested part of that link you mentioned is
http://wiki.lazarus.freepascal.org/Lazarus_Packages#Design_Time_vs_Run_Time_package

The difference between design-time packages and run-time-packages.
The design-time packages contain components. Those are the icons in the component bar at the top. But sometimes a package doesn't need components to work. Sometimes a package contain just a library of functions you can use directly in code without dropping a component on your form. Those are the run-time-packages.

The design-time packages (with component-icons) are usually the ones with _design in the name. You'll always want to compile the run-time (without the design in the name) first (so all the functions are compiled) and the compile AND install the design-package.

(For now you can forget about the _fpgui package. It's for the fpgui in Lazarus if you use that gui instead of the standard one)

You already opened and compiled tponguard.lpk. So that's correct.
If you create a new program and want to use it's functions you can open the Project > Project inspector and choose Add, Add new requirement and choose the onguard package. Now the functions are available to you in your code.

If you want to use the components, for easy drop- and use functionality, you would need to install the design package.
Open the tponguard_design.lpk (the same way you did for tponguard.lpk).
Now you can run compile.
After that you need to do Use > Install.
Lazarus will compile itself and restart.
After that you have extra components on the componentbar.

[scons]

Another idea, maybe, put some code in to check a date at program startup, put that date in an external encrypted file, if check is not ok exit program.

And there is the potential problem. If you let the program create that encrypted file on first startup, the user can just remove that file after 30 days and the program will generate that file again.

Yes of course, but that is not the target, the file with date/and or user info should be delivered by the OP in a seperate of course, not created by the program, that should just do the checking. And a check "file not found" could be implemented too.

It was not clear to me that the program could also be downloaded. Of course my example was a "simple" solution. 

[mijen67]

The best way would be to calculate a unique machine code (which OnGuard does) and the user has to "register" that code with his e-mail (or name) with you. You can create a unique license-key (again OnGuard) especially for that combination of machine-code and name and expiration date (I do this automatically online).

It seems the only "safe" way to protect software from piracy is to place part (or all) of the functionality on server side.

If that is not possible then determined hackers can always change your program, and I guess obfuscation combined with a clever licensing scheme, maybe a combination of asymmetric encryption/decryption with a online https service to validate the license info - is the way to go to at least make it challenging for hackers.

How much is required to get the automatic online system running?
Server slice or web server, server side program (php, maybe with mysql), encrypted channel using https (certificate?), design of license validation "protocol" on top of https maybe using json processing? Feel free to hint what you did to make this work? 

Looking for this I found this https://projectlicense.com/. Seems interesting but for how long can we rely on this free service being available, and can it be trusted. I would prefer to roll my own small system, but ... (a significant amount of work required).

Can Lazarus do obfuscation?

If you want to use the components, for easy drop- and use functionality, you would need to install the design package.
Open the tponguard_design.lpk (the same way you did for tponguard.lpk).
Now you can run compile.
After that you need to do Use > Install.
Lazarus will compile itself and restart.
After that you have extra components on the componentbar.

Thanks! You're right, it wasn't hard at all ... once you know how  It is running now.