Yearly subscriptions for my software

Started by ImJustAnotherCoder, March 26, 2020, 10:11:59

Previous topic - Next topic

ImJustAnotherCoder

Hiya everyone.

I have some software that I want to sell, written in native C++ for Window10 x64.
I'd like to have users sign up for a year subscription at a time to use the software. Seems a pretty normal thing these days, however I'm completely new to this kind of thing and some of you guys seems pretty clued up so I thought I'd ask for some help 8)

So my question is
Do any of you know of a reputable company that offers such a software/service for subscription based licensing. Do I even need an external company for this? Or is it east to implement such a thing myself? If so are there any learning materials that you would recommend?

I assume that I would have to add in some code into my source for the subscription checks etc?

Go easy with me, while I'm experienced in C++, the subscription stuff is new for me!

Naughty Alien

..what does your software do, if i may know?

ImJustAnotherCoder

Hi Naughty Alien,

Should I have mentioned that it's not a game?

It's an audio/video player solution for teams of transcribers.

Qube

Some of the apps I write for business are yearly subscription based due to them being supported and updated per bespoke requests.

The apps are VB.net with the backend being PHP / MySQL on a server.

If that's of use I can give you the details of that side with the code ( most but not all of course ). Let me know :)
Mac Studio M1 Max ( 10 core CPU - 24 core GPU ), 32GB LPDDR5, 512GB SSD,
Beelink SER7 Mini Gaming PC, Ryzen 7 7840HS 8-Core 16-Thread 5.1GHz Processor, 32G DDR5 RAM 1T PCIe 4.0 SSD
MSI MEG 342C 34" QD-OLED Monitor

Until the next time.

ImJustAnotherCoder

Hi Qube!

That would be great. Very kind of you.

I'm new to all the server stuff too. Would you be able to include some kind of idiots guide too? Or a link to where I could learn these kinds of things.

This is very kind of you!

Thanks

Qube

No problems, will try and post more in-depth tonight or tomorrow night and explain as best as I can about the code / procedure both client side and server side.

Will also include code to hopefully give you a starting point / theory to get the basics up and running.
Mac Studio M1 Max ( 10 core CPU - 24 core GPU ), 32GB LPDDR5, 512GB SSD,
Beelink SER7 Mini Gaming PC, Ryzen 7 7840HS 8-Core 16-Thread 5.1GHz Processor, 32G DDR5 RAM 1T PCIe 4.0 SSD
MSI MEG 342C 34" QD-OLED Monitor

Until the next time.

ImJustAnotherCoder

That' would be great and is very kind of you!

Thank you Qube.

degac

Hi

I made something like this

1. first solution - one program, one auth
2. second solution - many programs, one key-data file

1.

Using Bmax+CurlSSL+a website I made a simple PHP request from the Bmax app to my site: if the (encrypted) request is the same as on my server (readonly) you can run the app.

2.

the first solution was useful if you have few programs. When the number grows, you need to make things complicated on the web side (php requeste must have program_name & key and so on)

In any case solution #1 was 'slow'... you need to contact the site every time you start the program... and also depends on your connection AND website (mine is a low cost solution...)

So I moved to another approach.

Every single application 'asks' to a local (on a server or on the final user pc) if they there's an auth to run.
The 'main' program (I called id SecureID) simply receive (via AppArgs() ) the various date 'embedded' in the app (sing and name)
a. SecureID checks with a (encrypted) database if name+sign is valid and return 1 to go.
b. SecureID checks also the date - connecting to http://worldtimeapi.org/api/timezone/Europe/Rome.txt - so you can't cheat changing time on your pc...
c. SecureID every N days downloads the 'key-database' from my website (also encrypted)

So I can change my 'key-database' (with a different sign or putting the app_state to 0) to block the apps.

Seems complicated, but it works :)
If there's a problem, there's at least one solution.
www.blitzmax.org

Derron

Quote
b. SecureID checks also the date - connecting to http://worldtimeapi.org/api/timezone/Europe/Rome.txt - so you can't cheat changing time on your pc...

Open your local "hosts" file and redirect any "worldtimeapi.org" request to localhost - then just run a simple local server serving a custom "Rome.txt" - time cheated.

---

Open your "secureID" binary and switch the "je" (jump if equal) instruction to a "jne" (jump if not equal) instruction on the checks - so any invalid one becomes valid.


There is always a way to crack a "offline" app. If you have certain functions "remote" then they needed to know the algorithms there so it results in the same result - and as it is not just a hash but a real result (eg a complex calculation/simulation result) this is harder to replicate.

You could also have a tool which builds a hard- and software specific key (like a fingerprint). This is send to your server which builds a custom binary. This binary only runs if the hardware is unchanged and the OS is the same.
Then use this specific key (same if you get the key via your "secureID") in multiple parts of your application. incorporate it in various corners of your code and do not rely on a single "CheckCode()" function (so it is not a single instruction change to make them all work in one stroke).
Also never check for the code itself but hide your checks by using some "shadows" of the code (so do not do "if code = 123 then ..." but hide it by somewhere storing the memory address of the code, then pointing to it ... and at the end somewhere else convert it back ...).


---

Or just keep it simple: have an algorithm in your application which would accept any key suiting to the schema (algorithm: "all keys are even", so 2,4,... would suit -> just make it more complex and for multple "groups"). Then hand out the keys to the subscribers. Just use the system date and store it as "latest usage". If somehow the date on a second run is more "earlier" than some days (maybe someone accidentally moved a month in the calendar) then he might "fake" it. Mark this in your code (or maybe check if some OS systemfile dates are now "from the future"). Submit the faulty behaviour to your website so you could handle it.

For offline computers you might offer manual ways (eg logging in on your site and requesting a new "keep activated key").


Nonetheless - and as said: the people who try to cheat will look for cracked versions of your software - and if the software is interesting, it will be offered by someone. No real chance to stop it. Save yourself some headaches by making over complicated solutions which out of some flaws are cracked within a blink. Just stop "average joe" from copying it.



Good luck.


bye
Ron

degac

@Derron:
yes, everything is crackable, but for my final user this is beyond their possibilities (running a local server to cheat the time or changing the code) ;D and surely is not worthing spending so much time!
Asking to rewrite the apps I did, surely is an higher cost.

Everything is relative.
If there's a problem, there's at least one solution.
www.blitzmax.org

Qube

Oops, sorry I forgot about this. Will post soon soon :)
Mac Studio M1 Max ( 10 core CPU - 24 core GPU ), 32GB LPDDR5, 512GB SSD,
Beelink SER7 Mini Gaming PC, Ryzen 7 7840HS 8-Core 16-Thread 5.1GHz Processor, 32G DDR5 RAM 1T PCIe 4.0 SSD
MSI MEG 342C 34" QD-OLED Monitor

Until the next time.