License & Copyright protection tools for Visual LISP applications ?

I know this has been asked before but I've not been to these newsgroups much
in quite some time.

We are looking for high end third party license manager/copyright protection
tools for applications developed in Visual LISP. We have reviewed a few
such as FlexLM and Sentinel which are network based tools. We are hoping to
find something more flexible in creating a variety of copyright protection
modes such as demo's, 30 day timeouts, machine specific licensing, etc.
However after several hours of searching the internet, there doesn't seen to
be anything for Visual LISP. About the closest thing we've found is a small
utility called LispPRO. Unfortunately this only works with native LISP code
and not VLX applications. Many simple methods available to Visual LISP such
as creating 30 day timeouts are easily bypassed by resetting the system
clock. We definitely do not want to use the so called 'honor' system of
using nag screens or copyright notices. I know from experience in major
engineering firms I have worked for/with this is a completely ineffective
means of protecting our investment.

Thanks

Jesse Danes

 

By-passing 30 trials isn't possible if you tag the machine when the 30 days
passes or clock is reset.

You'd have to re-format the system to get the utility to work again.

You've not review all possiblities as far as I know. Some of us are smarter
than you think.

 

http://www.ai-d.com/Products/LispPRO/LispPRO.htm

 

Many simple methods available to Visual LISP such as creating 30 day
timeouts are easily bypassed by resetting the system clock.

Have you ever actually tried resetting your system clock every time you
wanted to run a particular application? It may seem like any easy kind of
protection to defeat, but the side effects (for all the other files on your
computer) are an absolute nightmare.

I've seen offices that routinely ignore nag screens on shareware, but it's
difficult to imagine an office that would falsify its system time, every
day, forever, just to avoid buying one piece of software.

 

He saw that already. Didn't you read the message?

 

Actually when I worked for one of the engineering firms I mentioned in my
previous post one of the small utilities I developed there was a simple
pre-executeable to setback system date/time prior to starting the configured
application then reset it accounting for elapsed time, after the application
had been closed. For applications using system date/time it was very
effective. I do understand the problems presented in modifying files with
an altered date/time stamp, this might be problematic in some environments
however it had never presented enough of a problem/deterrent in any of my
experience in supporting CAD networks, when carefully and thoughtfully done.
Additionally, not everyone who would change their system date/time would be
clearly aware of the problems presented here. So I decided this was also
not enough of a deterent.

If it were a matter of one seat that might not present as much of a problem
as 250 seats at $900-$1500 per copy. one engineering firm I worked for a
few years back were regularly using two very popular 3rd party AutoCAD
utilities which almost everyone has heard of and had no more copyright
protection than a simple "UNREGISTERED VERSION" splash screen when the app
was first loaded. These were being used as standard CAD tools companywide,
which in this case encompassed dozens of offices nationally and
internationally. I asked them several times if they intended to purchase
the software to which I was usually told "Well yeah ... eventually", even
after two years. Another company I worked with were using several seats of
AutoCAD and AutoCAD LT for a number of years without having actually paid
for the software. After the 30 day limit was reached the engineer simply
deleted the acad.cfg file which reset the timeout (acad R14). This was
predominently done within the ranks of the designers/engineers and without
CAE knowledge.

Anyone who has worked in this field for any number of years is pretty well
aware of the die hard 'freebee' mindset predominent in the ranks of AutoCAD
endusers. For those of us who put so much time and work into development,
its not that we wouldn't just love to give everything away for free, its
just that we need to pay the rent like everyone else.

 

Your lisp routine could write a registry key every time it SUCCESSFULLY
runs. That key would contain the current date and time. Now when your
routine runs it could check the system date/time and if the "current" date
and time is BEFORE the date/time that it last successfully ran then you know
the system date has been fooled with.

You could even fix it so that after you find that the system date has been
fooled with, the routine will NEVER run--even if they do figure out that
they have to change this registry entry. To do that you'd have to have a
second registry key name it such that it WON'T be obvious what it is.

 

Actually when I worked for one of the engineering firms...

Wow, I wouldn't think the big firms would be that stingy. Your points are
valid, and you certainly desrve to protect your work. Perhaps with some of
the registry tricks mentioned here you might defeat that kind of cheating.

 

Jesse

Look a little further into Rainbow's Sentinel system. I started using the USB SuperPro keys with my app last year, and it's clockwork. Their website doesn't shout about using them with lisp much which is probably why you haven't progressed further with this, but I can tell you right now that all my problems & worries about visual lisp protection are totally solved.

You can use the keys for timeouts, demos, anything really. They are essentially memory sticks which you write values to (algorhythms or just numbers if you want), and Rainbow provide a set of lisp functions in an arx file, which you call from your visual lisp program. The functions can read and write to the keys, plus do a few administrative things.

So for example, in my app (I think it's safe to put this here, cos no-one knows what my product is!)

- I program each key to hold a string which is the customers name, and their serial number, plus a few other values which I can make the program check for when I tell it to

- when the lisp file loads, it uses the arx functions to 1) check the key is plugged in, and 2) report the customers name and serial number, just for their info.

- every time they use a command from my lisp file, it runs the check routine again (checks the key is plugged in, and that the values stored on it are all correct)

The arx functions return useful data, for example, when you ask it to find the key, it returns 0 if there's not one plugged in, and 1 if it is, so it's easy to check.

You will be given a developer digit code which means only you can write to the key.

That's it really. Timeout demos can be done, I allow 3 uses of my demo, so I write a '3' in one of the addresses on the key, and every time the lisp file is loaded, I knock 1 off the number and write it back to the key. When it reads a zero, lock em out!

Only thing to make sure of is (I'm sure you know this already), compile your lsp to vlx. Otherwise some idiot will go into the lsp file and just take out any key check routines.

I hope thats helpful Jesse, you can probably see how impressed I am with this system!! Now go back to www.rainbow.com and read up on Sentinel SuperPro.

And no, I don't work for Rainbow.

Regards
Dave

 

Oops! - guess I jumped on that one before I read everything. Sorry!

Here's an SDK environment that's supposed to Work with Visual LISP and have
the "Create Registration Lock" capability:

http://www.ikozmos.com/

Check out the Oasis API package - specifically the OASis-RTK part.

 

Wouldn't you know it, I was at the Rainbow Sentinel website and reading up
briefly on their product line. Their technology did look pretty solid, but
I hadn't cought the specific mention about ARX exported functions for use
with VLX, this is right along the lines of what we are looking for. I've
been somewhat apprehensive about using a HASP key (i.e. hardware lock) up
until now, but after reading your post it started me thinking ... a hardware
lock does offer a great deal more flexibility in licensing options as well
as solid security. If you are familiar with GTX RasterCAD, they also use a
hardware lock similar to your example, commands check the HASP key upon
issuing any specific software command. This can be a problem if using a
single key over a network as it bogs down the return time for issued
commands. But running on the local maching it works fine. My suggestion to
the GTX developers for using across a network was to limit a command check
to say every third or fourth call, or as a process which the application
uses to check for the HASP key every 10 minutes or something along those
lines.

In any even thanks for your input, I'm going to give the hardware lock
approach some very serious thought. It might be just what the doctor
ordered. Writing reasonably dependable security code in VL was definitely
not something I wanted to tackle at this point, thats a whole other project
in itself.

Jesse Danes

USB SuperPro keys with my app

 

.. . . and if somebody is able to decrypt the VLX ?
This is the true question.
Whatever kind of software protection is not a valid one,
if it is possible to decrypt the VLX or a FAS !

Let me know more about.

Ciao
Domenico

 

Jesse

Yes you're right about using the keys across a network, I haven't tested for speed but then again I just use them in standalone mode anyway. I believe there is a way of setting a 'heartbeat' for the keys (ie making an app check for a key every x seconds) but I'm not totally sure if that would work with VLX because the app isn't actually running until you issue a command. I guess if you had a command which took a long time to run, you might want to look into heartbeat setting, or just make the program check for the key at various stages.

Regards,
Dave

 

. . . and if somebody is able to decrypt the VLX ?

There could possibly be some cracks out there by now, but as to my knowledge
there arent any decryptions for VLX. Its a proprietary format owned by
Autodesk (formerly owned by Basis Software). So in effect, Autodesk are the
only folks who could reverse engineer a compiled FAS/VLX file. VLX is not
encrypted so to speak but rather a byte code compiled format specific to the
VL runtime.

Additionally, VLX has various optimizations such as: link, not-link,
localize variables, etc (previously implimented as pragma clauses in Vital
LISP) which strip actual function/variable names from the code which would
make it a very troublesome task to reconstruct to useable source code even
if someone has/could crack the FAS/VLX format. The best security is
obscurity I've always said, however VL is becoming far less obscure than it
has been in years past. The downside of growing industry acceptance I
suppose.

This is myown observation of course, but I think it would be easier task to
get PTC corporation to publicly admit AutoCAD is a far superior product than
Pro-E *grin*

 

We were in search of a similar capability. We ended up creating a MySQL database on the web server, with a PHP engine that integrates with PayPal for product purchase, or free sample download. Depending on the level of registration I want, the tool can require an XML query to verify its registration status every time it is used, or only when certain actions are performed. Even though some might question a solution that requires internet connectivity on every machine, it's really the only way to prevent spoofing.
You could also try downloading one of the free Yahoo games -- they have a third-party internet-enabled timeout device, maybe that software could also work for you.

--Jeremiah

 

[Commercial]

Jesse,

1. I believe LISP is capable of calling out to C so you can use the C
solution for our EasyLicenser license manager. Support is available on
a variety of platforms and does all the things you list including
protection from resetting the system clock. Also, we support both
networked and non-networked licensing.

A free download is available at our website at www.easylicenser.com

Regards,


Dominic Haigh
Agilis Software