|Delphi Clinic||C++Builder Gate||Delphi Notes Weblog||Delphi for .NET||Prism for .NET|
OnGuard: securing your investment without trial-and-error
As a satisfied user of many TurboPower tools, since the early DOS days and Turbo Analyst, I must admit there were a few TurboPower tools that I never even considered to give a try. OnGuard was one of them.
From the description on the website, I knew it would be a utility to protect your intellectual property and self-made applications with serial numbers, release codes, etc. Personally, I never had the need to use such techniques, but I've always kept it in mind for future reference. And then the day came by when someone asked me about a way to add a registration feature to their application that would allow the makers to sell keys to enable specific features of the application (for a certain amount of time). And that, too, was part of the functionality of OnGuard, so I told my client we would need to purchase OnGuard, and I downloaded the trial version to get started.
Like any TurboPower software library, OnGuard is available in a free trial edition. Fully functional and without time limitation. The only condition is that the Delphi (or C++Builder) IDE must be running in order to use the application that you made with it. Once you purchase the "official" version of OnGuard, you get a serial number and unlock code that you need to use on the CD-ROM to install the product. And you can't just use this unlock code on any TurboPower CD-ROM, but you must use it on the CD-ROM that came with the unlock code, although each TurboPower CD-ROM contains all their components and libraries (the unlock code is connected to only one CD-ROM of the right date). This functionality can also be found in OnGuard itself (although even after you've purchased OnGuard and received full source code for OnGuard, there's no way you can generate your own unlock codes for the CD-ROM).
On the Delphi component palette, you'll find OnGuard represented by 10 (non-visual) components: OgMakeKeys, OgMakeCodes, OgDateCode, OgDaysCode, OgNetCode, OgRegistrationCode, OgSerialNumberCode, OgSpecialCode, OgUsageCode and finally OgProtectExe. The first two components are used to generate keys and unlock codes, while the other components are used to check the unlock codes.
Like I wrote before, even once you own OnGuard, you cannot easily break applications that have been protected using OnGuard. That's because apart from the unlock code, an application is also protected by a special key - a 16 byte value that you should embed in your application (and never publish to anyone), which is needed to decode the release code. Note that the same special key is needed when you actually generate unlock codes (using the OgMakeCodes component), and this 16-byte key ensures that nobody can just enter a random unlock code to "unlock" your application. You can also use the unlock code in combination with a serial number, a maximum number of concurrent (network) users, a specific number of days, or by embedding an end date after which the application can no longer be used. Or a combination of these criteria.
OnGuard comes with a number of example applications that demonstrate the use of each of these possibilities, including a very useful CodeGen application to generate the unlock codes (based on one or more of the criteria):
The thing that makes the unlock codes unique is the key that I mentioned earlier, which must be set to a personal value inside CodeGen (it is not recommended that you leave the original value intact (or set it to 16 equal $42 values) for obvious reasons).
Once you learn your way with the OgMakeKeys and OgMakeCodes components (or with the CodeGen example program), it's very easy to apply these with the other OgWhateverCode components, and the first OnGuard-enabled test applications should generally be ready within a short while of installing the product. If you don't get it right away from the examples, you can always read the helpfile or the manual, of course.
A number of additional units with miscellaneous protection support are also available, such as a component to guard (protect) your executable from tampering (the OgProtectExe) by inserting a CRC code somewhere inside the executable and some code to check that CRC code at startup. If someone tries to "patch" your program (for example to skip the OnGuard test), then the CRC check will probably fail (unless a real clever hacker is at work), which the OgProtectExe component will detect. Finally, a special unit is included that can help you in making sure only one instance of your application can be active at the same time. Not very hard to do yourself, but the OgFirst unit makes sure you don't even have to worry about the details for both 16-bit and 32-bit applications.
As usual with TurboPower products, OnGuard comes with full source code and a small but useful manual (a small manual isn't usual, but OnGuard only consists of a few components and routines anyway). The only thing that I found curious at first is that the manual only mentions Delphi and Delphi 2, and is apparently never updated with Delphi 3+ or C++Builder information (there is an additionally printed supplement for this).
I haven't had any technical problems with Onguard and Delphi 5, but if the usual TurboPower support is any indication, I don't expect to have to wait long for any support should I ever need it (for example in the TurboPower product support newsgroups).
OnGuard is easy to use, well documented and contains lots of examples. For further security you should consider adding LockBox (which I'll probably do next time). Based on my own experience (I waited until I really needed it), I don't expect you to run out and buy OnGuard right away, but if you remember one thing from this review it should be that OnGuard is available and what it can do, should you ever need similar functionality...
The price is easily worth the time you save yourself by not having to re-invent the wheel.