PC Enforcer : registration toolkit

Introduction

In the text below, PC Enforcer will be referred to simply as Enforcer.
 

Enforcer is a tool for use by programmers to protect the copyright of programs whilst allowing them to be freely distributed with whatever evaluation periods and conditions are required. If you wish to distribute high quality software on the internet or on magazine coverdiscs, then this utility will allow you to do so with confidence that your efforts will be rewarded.


A great deal of software is currently available on a try-before-buy basis. This is often called shareware. Such programs typically come with a fixed time limit called the Evaluation Period after which they either whinge or cease to operate. Typically, a registration code must then be entered. However, that code has to be based on a user name, or some characteristic of the computer, or be reusable. Depending on the nature of the software, basing the registration code on a user name may be sensible but for most programs it is not. This leaves the options of basing the code on a characteristic of the computer or making the code reusable. With reusable codes, what is to stop the user installing the software on several computers for the price of one? However, basing the code on the hardware of the computer leads to all sorts of potential problems, not least what happens when the user wants to upgrade to a new computer. Enforcer is designed to address all these problems without resort to hardware dongles.

For example, you could use Enforcer to release a time-limited version of your program that is otherwise fully functional. You could choose an evaluation period of 60 days. After, say 30 days, a reminder notice could be displayed at startup. You may also wish to provide a minimum amount of use, say 30 days. This would mean that if the program just gathered e-dust for a few weeks after installation, its evaluation period could be automatically extended to allow it to be used on 30 different days. Of course, if you wish to do so, you may still reduce the functionality of unregistered programs, but that rather misses the point.

Can several clients be registered on a central server ?

Yes. Enforcer has a sidekick called Net Enforcer. Together, they permit you to choose a client limit and a network code to allow that number of clients to run. Net Enforcer is fairly basic in nature consisting of just nine function calls so you may wish to implement your own more sophisticated one if you are a developer specialising in this area. However, basic or not, it should be sufficient for 95% of products. Of course, if you wish to do so, you may ignore this feature.

How unique is the registration code ?

Registration codes are 32bit numbers. The standard dialogs display these codes in Hex44 format e.g. ABCD-EF10. Breaking up an 8 digit hex code simply makes it more readable for the user. The code is based on several factors.

Why not use 64bit codes ?

This would not make the system any more secure. It would simply make typing errors more likely.

How are registration codes calculated ?

You register a callback function with Enforcer. You may calculate registration codes any way you wish.

How long is the evaluation period ?

You may set this figure and all similar figures to any values you wish. Recommended values are 60 days of evaluation from installation, 30 days before warnings are issued, and 30 days of minimum use in case the program just gathers e-dust after installation.

What happens when the evaluation period expires ?

Most situations such as this are handled by callback functions but default responses are provided. The default response here is to display the Main Dialog. The purchase button on this dialog initiates another callback function. You may choose to display a standard purchase form, which can then submit its data to your website, or you may prefer to direct the user straight to your website. Enforcer is extremely flexible. You can even use its standard purchase form, but process the CGI-style string that it outputs and pass the data straight to your credit-card handler (on a secure server).

What is to stop the user simply changing the system date ?

Enforcer is smart. If time goes backwards the evaluation period expires.
Enforcer is also kind-hearted. When the correct time is restored, any remaining evaluation period will be restored.
Don't worry about seasonal time changes like clocks going back an hour. This has been anticipated.
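
The rules described here and under the evaluation-period question, written out as an added C example (this is not Enforcer's own code). The record layout, the name eval_check and the two-hour tolerance for seasonal clock changes are assumptions made for illustration; the 60/30/30 figures are the recommended values above.

```c
#include <stdint.h>
#include <stdio.h>

#define DAY         86400        /* seconds per day */
#define CLOCK_SLACK (2 * 3600)   /* assumed tolerance for seasonal clock changes */

typedef enum { EVAL_OK, EVAL_WARN, EVAL_EXPIRED, EVAL_CLOCK_BACK } eval_result;

typedef struct {                 /* the values recommended on this page */
    int eval_days;               /* 60: evaluation period from installation */
    int warn_after;              /* 30: days before reminders start */
    int min_use_days;            /* 30: distinct days of use guaranteed */
} eval_policy;

typedef struct {                 /* hypothetical persisted record */
    int64_t installed;           /* install time, seconds */
    int64_t last_seen;           /* highest clock value observed (starts at installed) */
    int64_t last_use_day;        /* day index of the last counted use, -1 = none */
    int     days_used;           /* distinct days on which the program ran */
} eval_state;

/* Decide what the program may do at time `now`, updating the record. */
eval_result eval_check(const eval_policy *p, eval_state *s, int64_t now)
{
    /* Clock is behind the latest time ever seen: refuse, but leave the record
       untouched so the remaining period returns once the clock is corrected. */
    if (now + CLOCK_SLACK < s->last_seen)
        return EVAL_CLOCK_BACK;
    if (now > s->last_seen)
        s->last_seen = now;

    /* Day index comes from last_seen, so it can never move backwards. */
    int64_t day = (s->last_seen - s->installed) / DAY;
    if (day != s->last_use_day) {            /* first run on a new day */
        s->last_use_day = day;
        s->days_used++;
    }
    /* Expire only when the calendar period is over AND the guaranteed number
       of distinct days of use has been consumed. */
    if (day >= p->eval_days && s->days_used > p->min_use_days)
        return EVAL_EXPIRED;
    return day >= p->warn_after ? EVAL_WARN : EVAL_OK;
}

int main(void)
{
    const eval_policy pol = { 60, 30, 30 };
    eval_state st = { 0, 0, -1, 0 };         /* constructed: installed at t = 0 */
    static const char *name[] = { "ok", "warn", "expired", "clock-back" };
    int64_t t[] = { 1 * DAY, 40 * DAY, 10 * DAY, 40 * DAY - 3600, 70 * DAY };
    for (int i = 0; i < 5; i++)
        printf("%lld s -> %s\n", (long long)t[i], name[eval_check(&pol, &st, t[i])]);
    return 0;
}
```

In the constructed timeline the jump back to day 10 is refused without consuming anything, the one-hour step back is tolerated, and day 70 still runs because only three distinct days have been used.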

Does Enforcer install and/or run any programs secretly in the background ?

No. Enforcer is clean. Enforcer does not create any new processes or create any files other than those in its home directory. Enforcer does take security seriously and by no means are all its capabilities discussed in published documentation but it does not do anything likely to adversely affect other programs.

What happens if the computer is upgraded changing the Hardware ID ?

Enforcer is smart. Registration is maintained. The Hardware ID is used to initialise the Modifier when the application is installed. Thereafter, if the application is registered, the Hardware ID is checked to see if it has changed but such changes will not negate registration.

What happens when the user wants to change computer altogether ?

Enforcer is helpful as well as smart. Once the application is installed on the new computer, the registration may be transferred.

What stops registrations being transferred back ?

Nothing. Registrations can be transferred but NOT duplicated. Enforcer is smart and tough.

How are registrations transferred ?

Enforcer provides methods to make this simple. Developers can provide their own dialogs but the standard ones are clear and simple to use. If you wish to do so, you may choose to intercept normal registration transfer operations. You can prevent transfers altogether, or you can keep track of transfers by forcing them to be completed via your company website. However, at this time, a standard method to achieve this has not been implemented (but is under consideration) so you will have to write the code to perform these functions.

If Enforcer can transfer registrations, it must be able to generate registration codes itself. Isn't that a gift for hackers & crackers?

NO. Enforcer is packaged as a DLL. One copy of Enforcer is required for each program (or suite of programs). All that is necessary is for a checksum to be carried out on the Enforcer module before exposing the callback functions that actually generate the registration codes. Enforcer is smart but you must be too!

Surely hackers will track down where the registration data is stored and obliterate it won't they ?

Well, that is largely up to you, the developer, to prevent. Enforcer provides tools to allow registration data to be saved covertly at the end of files and in the Windows Registry. However, you are free to develop more sophisticated methods if you so choose, e.g. to save data within the cluster wastage at the end of a directory. (No knowledge of Enforcer is required for this. These methods simply need to be able to read and write binary data streams. Enforcer will take care of checksums and encryption, but you may add your own too.)
You may store registration data in as many places as you wish. If one location is obliterated Enforcer just goes on to look for others. In fact it reads all data locations and where differences are encountered behaves appropriately. This approach means that if a hacker cracks the security of one program protected by Enforcer, they are no nearer to doing the same for another program. Additionally, if the standard tools are used, the registration data of several programs can coexist together so there is no chance of one program obliterating the registration data of another. Indeed this holds true for non-standard tools too, although if two different data storage methods try to store data in the same place, there will certainly be a problem.

What happens when program upgrades are released ?

Enforcer recognises a program upgrade as having taken place when the major version number increases (a.k.a. the Program Level). It also recognises an increase in the most significant digit of the minor version number.

How easy is it to integrate Enforcer into an existing program ?

Enforcer is written using Delphi 4. If you wish to use C++ you will have to translate the header files but these are straightforward. About 50 lines of code should get Enforcer running. Taking advisable security measures will typically raise code length to ~250 lines in a final program release. If you add your own additional security measures, this will increase the code length, but may make nervous executive types a bit more relaxed when you tell them that you want to put the latest version of GeeWhiz on the internet as a free download.
You should not need to make significant changes to existing code. However, when program upgrades are released, to take advantage of Enforcer's capabilities in this regard, you will need to write code to disable features new to the upgrade (when the evaluation period expires).

Borland Delphi : That's not very standard is it ?

Relax. Borland produce the finest development tools in the world. You should have no problems with Enforcer. All functions use the stdcall calling convention, and all exposed objects are based on Windows Interface standards i.e. they descend from IUnknown.

How are program exceptions handled ?

All functions that do more than return stored data values are wrapped within Delphi try...except...end statements, therefore exceptions should not propagate out of the Enforcer module.

So how secure is Enforcer ?

Frankly, that's the wrong question. No matter what you do to protect your code, someone will be able to crack the security. Realistically, provided that a program cannot be cracked by your average user, it doesn't really make any difference if it takes a skilled hacker an hour or a month to crack. He or she will post the solution on some website or other even if it's for no other reason than to show off. If a user visits the website, the game is up. Enforcer takes precautions against common hacking tools but skilled and serious hackers will never be defeated.

Enforcer is not designed to be the most secure tool available (but it is so flexible that you can easily integrate your own additional security measures). It does not encrypt your program code (frankly, what's the point?) and it does not compress your code (you can buy a compressor) but what it does do is provide a common interface (potentially, in any language) into which you can pretty much bolt on as much security of almost any type that you wish. The important point to bear in mind here is that adding security is all about maximising revenues. Some security systems are so draconian that they upset the users to the point that they don't bother using the program and they may not really be very secure anyway. Even copy-protected CDs can be copied and users don't want to be forced to keep a CD handy anyway. Don't be dazzled by long lists of debuggers (like Soft Ice) a security program can detect. Ultimately, if someone plugs a CPU emulator into a Pentium socket they can look inside your program code no matter what precautions you take. And whilst Enforcer does attempt to look for registry and file monitoring tools, if someone uses snapshot tools (comparing changes to identify the locations of registration data) they will certainly be successful unless you bypass the registry and filing systems altogether. (Enforcer does allow data to be stored anywhere so if you have the expertise to save data in hidden areas of the hard disk, by all means use it.)

The only way to distribute software in such a way that it cannot ever be copied and used without payment is to use an encryption key that is unique to the hardware of each computer. Each copy of the program would have to be custom-encrypted so that it can only work on a unique computer. All other security systems can and will be beaten by hackers. In point of fact, even this system can theoretically be beaten because the code can be saved from memory after decryption!!

When choosing a security product (or deciding not to bother) the only criterion you should consider is the maximisation of revenues. So far as the author is aware, Enforcer is unique amongst security programs in allowing the transfer of registrations. It is entirely reasonable that users should be able to do this. Therefore, Enforcer should certainly be on any shortlist of security tools under consideration for protecting the copyright of software and maximising revenues.

Enforcer is designed to be easy to use by the programmer and easy to understand by the user. It is designed to allow registrations to be portable but not copyable, that is to say, users may port software to another computer but registration on one computer is negated as it is transferred to the other. Please don't be deluded: theoretically, this is a security weakness, but this feature is necessary to keep users, and the organisations that represent them, happy. (If you wish to deny transfers completely, though Enforcer permits this, you may as well use a different security system. If you wish to force transfers to take place through the internet, currently, you will have to write the necessary code yourself but hooks are provided.)

Users don't like machine-dependent registration codes for three reasons:
    1.  They want to run your software on several computers for the price of one registration (in breach of copyright).
    2.  They want to be able to transfer software when they buy a new computer.
    3.  They want to be able to upgrade their computer without fear of negating registration codes.
Only the first of these is unreasonable. Enforcer has no problem with upgrades and explicitly makes transfers easy.

Some of the most successful software has little or no security - WinZip for instance. Most users are honest enough so that if you make life slightly difficult for them they will pay to use your software if it is useful, reliable and reasonably priced. How much security to add in order to maximise revenues is a matter of judgement. Enforcer is designed to guide you towards a sensible compromise whilst still allowing you to do your own thing if you feel the need.

Enforcer is not designed explicitly to maximise security, it is designed to help you to maximise revenues by using sensible levels of security. It is designed to be easy for users to understand by providing a common user interface but without constraining programmers unnecessarily. You can handle registrations pretty much any way you wish (albeit using 32bit codes only) and you can distribute upgrades with time-limited enhancements to features, etc.

Enforcer is neither the simplest nor the most fundamentally secure system available, but it is so flexible that it may well be the choice that helps you to maximise revenues and that is what security is all about. A couple of days work should be all that's needed to integrate Enforcer to default standards and remember, all Enforcer dialogs can be translated into other languages simply by translating a single text file.

The bottom Line : How much does it cost ?

Recognised companies may evaluate Enforcer free of charge. Thereafter, you are free to negotiate any sort of deal based on a flat fee, royalties, or a combination of both. Including a flat fee, royalty costs in the range of 1-5% of pre-tax retail cost should be expected. You may negotiate a sliding royalty scale, i.e. the more you sell the smaller the royalty cost per unit. Enforcer is a new product trying to get established so fees will be lower now than in the future. In particular, though originally designed to be targeted at small companies and developers, interest from large companies will be welcome.

Can I download a demonstration ?

NO

In Conclusion

Enforcer is a sophisticated tool developed to minimise software piracy and maximise revenues. It allows programs to be safely distributed free-of-charge on the internet or on magazine CD-ROMs with confidence that very few copies will be used beyond the evaluation period. No method of protection is absolutely secure, but Enforcer should help you to maximise revenues by providing reasonable levels of security without upsetting users. And it's not restricted to the English language. Enforcer contains a function that will generate an annotated English-language data file for all its dialog and message boxes. Simply translate this text file and you can ship Enforcer with your programs around the world.

NOTE

Enforcer is currently in late beta form. Though fully functional, testing continues and some changes and/or enhancements may still be made. If you have special requirements, it may be possible to incorporate these into a custom version. If you have suggestions for additional features, these will be welcome; however, if you look carefully, you may discover that a problem you foresee has been anticipated and allowed for. Enforcer has been in development for some time and most if not all user and hacker scenarios have been considered.

Hacking and Cracking Tools

If you know of a readily available program that can be used against Enforcer, please contact skaro.net. The program will be studied and, if possible, measures will be devised to defeat it.

Copyright and intellectual property rights.

Enforcer is an entirely original product. Copyright applies. Any breach of intellectual property rights will not be tolerated. This includes reverse engineering. This also includes reproducing functionality from scratch. YOU'VE BEEN WARNED.

 

 

 

