Simple Registered User Method for Xojo Apps

I’ve been thinking about writing a simple routine to save and load registered user information so that I can easily deliver an application to users/clients that is registered to them and displays registered to: “User Name”, etc. The goal would be to have a separate application that creates an encrypted file, and the application would read the encrypted file to display who it’s registered to. If the file isn’t found, or if it’s not in the proper format, the application will not run. The encrypted file or license key (whatever you want to call it) would be delivered with the application and need to be present in order for the application to run. I don’t need anything sophisticated such as web based activation, etc. I’m not worried about hackers, just keeping the honest people honest.

I’ve got ideas of how I’ll write this code; I’m more interested in whether anyone else has done anything like this and any feedback you may have. I don’t want to buy plug-ins or get carried away. I just want to make it easy for me to register a program to a specific user and have that displayed at some point when the application is run.

I hate to say it, but I can tell you about a handful of proprietary solutions (including my own), but I do not know of any free advice about this topic. When you create a DRM, it’s kind of in your best interest to keep the pool of people who know how it works as small as possible.

The documentation does have some information about encrypting and decrypting data here.

Hi Tim, thanks for your reply.

I probably should have been more clear in my post. I’m not looking for anyone’s code or algorithms. I’m more interested if anyone has done something like this and general feedback.

As far as encryption, I’ll just write that myself. I’ve done that before in other languages. I just don’t want the user info to show up if someone decides to use a simple hex editor allowing them to change it. I’d probably do some type of checksum to ensure the file hasn’t been tampered with. I’m not going to military strength, just something to keep the honest people honest as I mentioned in my first post. :slight_smile:

Perhaps you may have to find another solution. If someone gives your application to a third person together with the key file, then it will work even if you have done encryption. You have to find another method of making the program work on just one computer. It has nothing to do with serial numbers, encryption etc… it has to do with the method by which your application may run on one PC only.

I think you misunderstand what I’m trying to do and it’s probably my fault for not explaining it well. I’m not trying to build in copy protection or prevent it from running on other machines. I just want the message on the screen with who the registered user is so that people will know if it’s not being run by the person that it’s licensed to.

I don’t expect a large user base. I mostly want the user that does have a copy intended for them to realize that it’s licensed to them.

I have done this with a couple of DB based apps: Display the contents of a simple one row table containing the person/organization name and set up a customer specific unlock code across the top of an important form. Run a procedure to check the unlock code against a code in the table generated for the user when the system is registered - If it matches the unlock code display the correct data, otherwise display a default of “UNREGISTERED COPY” or the other, original, user’s details. We allowed customers to put some “trial” rows in the database, when the trial number was exceeded, the system became read only until it was registered.

Back in the old days, the customer sent the details by fax or email and we replied with the correct code for their name or institution (and address?) - These days you would automate that (after you have been paid!). If you include the address, the customer will need an updated code if they move.

We also based the code on the number of licenced users (and their machine ID). If the user number was exceeded (by more than one) the customer was given the option of Cancelling one of the existing users/IDs. For customers who blatantly exceeded their licencing, the software kept count and reset the system - Each user had to confirm their unique name and details on a form that displayed that they had insufficient licences.

If you are not using a database, have a registration form that puts an encrypted copy of the details in a key file that has to be located in the app folder. When the app starts up decrypt and check it. If it doesn’t match, display either the other user’s or the unregistered data…

Since you say ‘delivered with the application and need to be present’
it sounds as if you will generate the file before sending the app.
That’s a very labour-intensive way to do it, as you would need to either send an email or build a new installer for each customer.
If your customer numbers are low and prices high, it’s reasonable.

So if that’s what you want to do, the ‘key’ part is simple enough.
One random no-plugin example which probably overcooks the pudding, but…

Take the user details.
eg JimBlack=j.black@aol.com
Pad them by inserting random letters every other character (so that brute force checking for common and double letters is no use)

JEiLmNBWlSaKcHkO=UjE.LbPlPaDcCkV@DaWoElA.LcWoDm

Add together the ASC values of each letter to arrive at a simple ‘checksum’ … eg 1345

Then EncodeBase64 the result

Save the resulting string as a text file, but named Sys_1345.DLL (windows example here)
Ship with your app.

Your app, on opening, will then:

Look in resources for a file beginning with Sys_
Take the value of the numbers following Sys_ in the name
Open the file as a text stream.
DecodeBase64
Check the sum of the ASC values matches the file name value
Strip out every other letter
Display it.

The use of a file called DLL hides the purpose of the contents, and allows you to install into a place where your running app probably wouldn’t be able to WRITE (if the key was generated by an app at the user end.)

This does not prevent piracy- if the installer is given to someone else, they get a version registered to Jim. But it does meet what you asked for in the OP.

Simpler options include creating a file in specialfolder.applicationdata and hoping.
Or writing to the registry (again, Windows, but I don’t know your target)
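
Added example, not part of the post above and not Xojo code from the thread: a Python sketch of the pad / ASC-sum / Base64 key file described in that post, with Python's `base64` module standing in for EncodeBase64 and DecodeBase64. The `APP_KEY` value and all function names are assumptions made for illustration; the HMAC tag is an addition that puts a keyed check next to the additive sum, which cannot tell reordered characters apart.

```python
import base64
import hashlib
import hmac
import random
import string

# Hypothetical secret compiled into both the generator and the app (assumption).
APP_KEY = b"constructed-demo-key"

def asc_sum(text):
    """Additive checksum from the post: the sum of the character codes."""
    return sum(ord(ch) for ch in text)

def make_key_file(details, rng=random):
    """Pad, checksum and Base64-encode ASCII details; returns (name, content)."""
    padded = "".join(ch + rng.choice(string.ascii_uppercase) for ch in details)
    name = "Sys_%d.DLL" % asc_sum(padded)
    return name, base64.b64encode(padded.encode("ascii")).decode("ascii")

def read_key_file(name, content):
    """Return the registered-user string, or None if the file fails the check."""
    if not (name.startswith("Sys_") and name.endswith(".DLL")):
        return None
    try:
        expected = int(name[4:-4])  # the digits between "Sys_" and ".DLL"
        padded = base64.b64decode(content, validate=True).decode("ascii")
    except ValueError:  # bad number, bad Base64 or non-ASCII bytes
        return None
    if asc_sum(padded) != expected:
        return None
    return padded[::2]  # strip out every other (filler) letter

def tag(details):
    """Keyed tag (HMAC-SHA256) over the details; depends on character order."""
    return hmac.new(APP_KEY, details.encode("utf-8"), hashlib.sha256).hexdigest()

def verify_tag(details, hex_tag):
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(tag(details), hex_tag)

if __name__ == "__main__":
    name, content = make_key_file("JimBlack=j.black@aol.com")
    print(name, "-> registered to:", read_key_file(name, content))
```

The sum changes when a character is replaced by a different one but not when characters trade places, while the HMAC tag changes for any edit; the tag only helps as long as the embedded key stays private.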

You may use:

  • the user’s name and surname, stored encrypted in a database
  • an integer in the database to count the number of times that the
    program may run as unregistered.
  • a Boolean column in the database to describe if the program is registered True/False.
  • you may also digitally sign the database-key so no one may alter its contents such as: user details, program info etc…
    You may have a private key in the program and a public key that you may give to the user so the program may decrypt database entries (otherwise without the public key it will be unregistered, as the program cannot decrypt database entries such as user details, number of runs, etc.)

To get an idea have a look here:

I think I would use a database and a simple table with user/app version and checksum.
Give them an input field with base64 data and do an SQL insert query.

SQLite files can be encrypted so your registration file could be one of those.

What prevents a user from giving away the file to other users? On a modern OS you can’t really hide the file in an unusual location and still have programming access to it.

As I mentioned earlier, if someone did that they would see that it’s registered to someone else and would not be able to change that. I’m not anticipating a large audience, just want to have a simple way to register users I do sell software to and be consistent across Linux, macOS and Windows.

For my purposes and intent (at least currently), I think a database would be overkill.

database would be overkill

Could also be a file with CSV rows.

Correct, but someone could still share the registration file with someone else. The second person won’t care if it’s registered to the first person, as long as the app is registered (free of charge).

I read the UUID and save it encrypted with the user details, so if the application runs on another Windows PC and reads another UUID it either shows unregistered copy or it shows registered to “…”.

The second person would need to have the entire program, not just the registration file. Since I would only provide the software to the people sold to, it would be obvious who shared the program if it was found available for download someplace.

If the software is only provided to the users who bought it, why do you want a registration method in the first place?

To simplify registration for me. This way I would not need to do it in code, I just produce the registration file with the users info. I could write a simple app to do that. Then I just include the file with the package.