Windows Service : to program a software security feature

Are you going to spend more than say 5% of your time on this "protection", compared to the time you've spent on the actual product?
If "yes", perhaps you need to reconsider your priorities.

Is your product bug-free?
If "no", perhaps you need to reconsider your priorities.

Spending excessive amounts of time to "project" buggy software won't make people any more willing to buy it even if they like the general principle of the program.

>I'm quite the newbie in programming...
>Any advice, tips or issues/concerns i should be aware of based on your experience?
So, you told you're newbie, right?
In that case I don't believe that this project will succeed.

Hi,

Thanks for your replies :)

to clarify some important stuff i missed out:

1. this project is not at all meant for distribution/sales now or ever... its just some simple internal development/assignment that i'm trying out
2. 
   
3. software x is just an example.. as for this case i'm trying out on a third party software.
4. the idea is to see whether a windows service has those capabilities and to try them out...

>In that case I don't believe that this project will succeed.
Thanks for your comment but i hope to prove you wrong :P

Any comments/advice is greatly appreciated :)

>* Is it possible that if the user tries to kill the service, the service will automatically change license code and kill software X before being killed itself?
No, not directly. However you can use cryptography to make it alot more harder. See below.
>* If the user changes the license code manually in the file after the service changes it, then the service will automatically change it back and kill software X.
If you really want to make it bullet proof (not full proof BTW), use an online public key encryption system. Normal block cyphers uses one key to encrypt and decrypt messages. Public key systems uses one key to encrypt messages, and one key to decrypt messages.
Encrypt the program you are protecting with a block cypher. If the user is not over his time limit, the server sends an encrypted (with public key system) message containing two passwords. One to decrypt the currently encrypted software, and one to re-encrypt the software with a new key. Just make sure you use an exe compressor so its hard to get the decryption key. But I think thats just a little bit much for a begginer to try (if you can, trust me, your not a begginer:)) The best block cypher you can use is probably AES-256. An example of a public key encryption system is RSA. Instead of using a public key system, you can use a cryptographic protocol like ssl (OpenSSL). Good luck with your software or theoretical software :)

EDIT: Just thought of a flaw. If the user wanted to bypass this, all he would do is backup the encrypted software, and capture the encrypted key's. Than he would just restore the encrypted software and re-inject those packets. This can be avoided by using SSl, becouse the keys are random every time.

Thanks for detailed explanation...
(trying to google wrestle all the terms and facts given :| )

The case that was given to me was this:

• I have full access to the user's PC before giving it to him/her
• 
  
• There is a particular software that the user have to use. Say software X.
• There is also a particular task that the user have to do. For example, the task is to call me on my cell.
• Until the user completes that task, everytime he/her runs software X, a windows service will keep poping up a window every 30 mins asking him to call me.
• If the user still doesnt call me after one month, then the service will change the license key of software X and kill software X.
• the service will backup the license key first.
• after the user calls me, i'll give him a file that'll restore the orginal license key and permanently remove that service.

The so called "security" feature that i'm trying to implement is something local to the PC. No connection to LAN or internet.

I'm just wondering if windows service is able to do it. Of course it doesnt have to be bullet proof. I'm just experimenting on how extensive can a windows service (or any other better method) implement that feature.

To the OP:
>Thanks for your comment but i hope to prove you wrong
I wouldn't be happier if you could prove me wrong :)

BTW, another question: What are you going to do when the user takes an image of his pc's harddisk, after the software is successfully activated?
In that case he could just always restore the image (the annoying service is removed then).
Do you also want to cover this?
If yes, then you shouldn't maybe permanently remove the service, but built-in some kind of time delay, and after that the delay is expired, ask the user to re-activate.

>software x is just an example.. as for this case i'm trying out on a third party software.
Then your software is probably only going to work on one specific software package, because every commercial software is different, and every commercial software uses different techniques to store the license key.

Thanks for your reply.

>BTW, another question: What are you going to do when the user takes an image of his pc's harddisk, after the software is successfully activated?
In that case he could just always restore the image (the annoying service is removed then).
Do you also want to cover this?
If yes, then you shouldn't maybe permanently remove the service, but built-in some kind of time delay, and after that the delay is expired, ask the user to re-activate.
Hmmm.. interesting... although i dont intend to cover that for now but you gave me some interesting ideas...

• Can i like program the service to read certain parameters from a file (maybe a bin) or an encrypted file. The file will contain configurations such as the time between pop-up and period before changing key and killing process X. So the service will behave differently with every file. If the service cant find the file (user delete) then it'll change the key and kill software X.

Is this possible?
[*] Seems like the service have no protection if the user kills it. The only thing i can think of is just to change the name and description (is this possible?) of the service to something that looks like a normal windows service.

> Then your software is probably only going to work on one specific software package, because every commercial software is different, and every commercial software uses different techniques to store the license key.
Yup... thats true... however i just wanted to try the concept out on this particular software first since the license checking mechanism of the software is quite straight forward...

Once again.... this is not a comercial project or anything like that... Its just something i want to experiment out T_T

I should have explain the nature of the project clearly in the beginning..My bad... I sincerely apologize :S

Unless software X has some built in security, It would be really hard to kill it. Lets list the facts:
* It does not connect to the internet.
* If the user wanted to stop the 30 day time period, all he would do is pause or reverse the system clock.
* If software X has no cryptographic wrapper, the user can easily steal the software by just copying it.
* Lets say you can use the internet, and your using online software encryption to protect it (like in my other post). The problem with this is it wouldent be hard to dump the unencrypted program in memory after the decryption of the software.

Hmm... If you have physical access to the computer before they use the software, I suppose you could try to out root all the user programs, and encrypt it on the hard disk. But you would still have that problem with the clock. If you instead had a limit of how many times a user can use a program... no wait, than you would just back up the counter... Arg! You have a hard situation, even theoreticly! If you programmed software X youself, it would be alot more easy to protect itself in memory.
If you want 30 day protection that would be easy to break (by changing the date on the clock), just wrap software X in a program that checks if the 30 days is up. Having the service externally would be way to easy to break.

> * If the user wanted to stop the 30 day time period, all he would do is pause or reverse the system clock.
Haha, it's becoming difficult for the OP now :)
Well, what he could do to avoid this is implement his own software timer.
Generally software copy protections are very hard to implement.
You can make it as good as you can, but probably there will always be a way around it.