`

`U.S. Patent
`
`Apr. 7, 1992
`
`Sheet 1 of 3
`
`5,103,476
`
`FIG. I.
`
`REGISTRATION PROCESS
`
`EXECUTE REGISTRATION
`SHELL PROGRAM
`
`DISPLAY DESCRIPTIVE
`ON USER PC
`
`INFO.
`
`USER ENTERS DESCRIPTIVE INFORMATION
`
`INFORMATION TRANSFERRED
`TO CENTRAL COMPUTER
`
`INFORMATION
`VALIDATE
`AT CENTRAL,. COMPUTER
`
`BUILD TAMPER PROOF
`OVERLAY FILE
`
`-
`
`TRANSMIT TAMPER PROOF
`OVERLAY FILE TO USER
`
`INSTALL OVERLAY Fl LE
`IN MAIN PROGRAM
`
`DISH-Blue Spike-842
`Exhibit 1012, Page 0002
`
`

`

`

`

`,-- PC IO~
`
`-
`
`REGISTRATION
`SHELL PROGRAM
`
`I
`I I
`16
`
`PC DISK
`OPERATING SYSTEM
`
`,_
`
`MAIN PROGRAM
`Fl LES W/0 CRITICAL
`SEGMENT
`
`/4
`
`REGISTRATION
`REQUEST
`FILE
`
`26,
`
`FILE TRANSFER
`PROGRAM
`
`1-t LOADER SEGMENT
`
`18
`
`~ DECRYPT KEY
`
`20
`
`I
`
`.
`
`I
`
`Ii UNPACKER
`INSTALLER
`PROGRAM
`
`I
`
`""28
`
`I 22
`I
`I 2
`
`I
`
`..._
`
`w CRC VALUE
`
`..... ' - CRITICAL PROGRAM
`SEGMENT
`
`I
`I
`I 7
`I 32
`I
`I
`I
`I
`I
`...... _44
`I
`I
`I
`I
`L ________ - - -~A~~
`L
`
`-r
`
`r
`
`4
`
`REGISTERED
`DATA
`BASE
`l
`VALIDATION
`PROGRAM
`l
`FILE
`TRANSFER
`PROGRAM
`f
`
`I
`I DATA
`LINK
`I
`J
`I
`30
`I
`I
`I
`I
`I
`I
`I
`I
`
`40
`
`i - -
`
`REGISTRATION
`PROGRAM
`
`36-.
`
`~
`
`1
`I
`I
`
`CRITICAL
`SEGMENT
`
`PROGRAM
`FILES
`
`rJJ.
`•
`
`e •
`""d a (t) = '"""°
`
`>
`,:, :,
`~ .......
`~
`IC
`IC
`N
`
`00 =(cid:173)n:,
`~
`~
`0 ....
`
`~
`
`UI
`....
`1-l
`.o
`cu
`....
`~
`-l
`O'\
`
`TAMPER PROOF
`OVERLAY
`FILE
`
`t-- '-37
`
`I
`
`I DECRYPT KEY I
`
`MAIN
`PROGRAM
`FILES
`
`l....---39
`
`-
`
`-·
`
`_J
`
`-
`
`DISH-Blue Spike-842
`Exhibit 1012, Page 0004
`
`

`

`1
`
`5,103,476
`
`SECURE SYSTEM FOR ACTIVATING PERSONAL
`COMPUTER SOFTWARE AT REMOTE
`LOCATIONS
`
`2
`are transferred or transmitted as a tamperproof overlay
`file to the registration shell and installed on the personal
`computer. Subsequently, the loader segment will acti(cid:173)
`vate the main program by providing the essential seg-
`5 ment each time the main program is loaded for execu(cid:173)
`tion.
`Security features are included to prevent execution of
`the main program files with counterfeit, altered, or
`unauthorized essential segments. Security features are
`also included to ensure that all copies of the activated
`program will include unique licensee identification data,
`thereby allowing unauthorized copies to be traced to
`the original licensee.
`
`BACKGROUND OF THE INVENTION
`Generally speaking, most users of personal computers
`or similar devices obtain additional computer software
`to run on their devices by purchasing this software in
`various retail outlets or by obtaining this additional 10
`software through the mail. In both situations, a "shrink(cid:173)
`wrap" material encases the software product and a
`license agreement is implied by the removal of the
`shrink wrap material in an endeavor to protect the li(cid:173)
`censor of the product from unauthorized copying and 15
`use of the product by the licensee/purchaser. This
`method of doing business has proved to be inadequate
`for both the licensee and the licensor. For example, the
`licensee is not given an opportunity to initially operate
`the software program to determine whether this pro- 20
`gram would suit the licensee's needs. Additionally, from
`the licensor's point of view, identification of the licensee
`and a means of controlling or monitoring the use of the
`program by the licensee are not provided by this tech(cid:173)
`nique.
`Consequently, a method and system for allowing a
`potential purchaser/licensee to test a software program
`prior to purchasing the product is needed. Furthermore,
`a method and system in which the licensor is afforded
`protection as well as more precisely monitoring the 30
`licensees is warranted.
`
`25
`
`BRIEF DESCRIPTION OF THE INVENTION
`The present invention is directed to a method and a
`system for permitting personal computer software pro- 35
`grams or other types of programs tp be distributed in an
`inactive condition. Subsequently, based upon various
`criteria, the program will be made active due to a par(cid:173)
`ticular transaction between the purchaser/licensee and
`the seller/licensor. Although the relationship between 40
`the seller and the purchaser need not be a licensor /lic(cid:173)
`ensee agreement, for the purposes of the present inven(cid:173)
`tion, we will refer to the seller as the licensor and the
`purchaser as the licensee or user. Once the licensee
`agrees to the terms of the particular transaction, Ii- 45
`censee identification data is provided to a registration
`computer. The registration computer records the trans(cid:173)
`action and provides certain essential segments to the
`licensed program. These segments are both tamper(cid:173)
`proof and unique to the identified licensee. Based upon 50
`this exchange of information, the computer program
`that was inactive becomes operational.
`Generally speaking, the inactive or unusable software
`programs are first distributed to potential licensees by
`physically conveying copies of a master on magnetic 55
`media, or by electronic transfer. Additionally, these
`programs may be broadcast as electromagnetic informa(cid:173)
`tion, or they may have been included as firmware or
`hardware logic in the personal computer at the time of
`manufacture. These programs contain all of the seg- 60
`ments of a particular program code except for a critical
`segment of an operational control loop without which
`the program process is incapable of sustained operation.
`Additionally, special program modules called a loader
`segment and a registration shell are distributed with the 65
`inactive software program. Once all of the appropriate
`information is relayed to the registration database com(cid:173)
`puter, the essential segments of the particular program
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`FIG. I is a flow diagram of the registration process
`according to the present invention;
`FIG. II is a flow diagram of the program execution
`process according to the present invention; and
`FIG. III is a block diagram of a typical personal
`computer and central computer according to the teach(cid:173)
`ings of the present invention.
`
`DETAILED DESCRIPTION OF THE
`INVENTION
`The purpose of the present invention is to allow a
`licensor to maintain accountability of its programs in a
`manner much more efficient than presently being uti(cid:173)
`lized. Additionally, a second purpose of the present
`invention is to allow a licensee or user to test a particu(cid:173)
`lar program before it is purchased or licensed. There(cid:173)
`fore, it is contemplated that the teachings of the present
`invention are considered to be comprehensive and that
`any software program could be used.
`Initially, a particular program which does not contain
`a critical or essential segment is provided in a personal
`computer or other device on a magnetic disc, firmware,
`hardware, or other means. However, in the case of
`small or extremely valuable programs, the essential
`segment may be the entire main program. Additionally,
`a registration shell program is also included with the
`particular program. However, due to the exclusion of
`the critical segment, the program would not operate
`without the implementation of the proper registration
`process. As shown in FIGS. I and III, this registration
`process is initiated utilizing a registration shell program
`11 in the personal computer (PC) 10 as well as a regis(cid:173)
`tration program 40 provided in a registration computer
`12. Although it is contemplated that the registration
`shell program would be distributed along with the
`product application program, this need not be the case.
`A registration system program is provided in the regis(cid:173)
`tration computer 12 and is accessible to the registration
`shell program 11 by an electronic data link 30. The
`electronic data link may be a local area network, a
`telephone modem link, or any other type. However, it
`should be noted that in a second embodiment, the regis(cid:173)
`tration shell and the registration system programs could
`be on the same medium, but separate from the product
`application program. In this instance, the transportable
`media containing the registration shell and the registra(cid:173)
`tion systems program are personally transported to the
`personal computer 10 of the user by a licensed installer,
`and no electronic data link is needed.
`The registration shell program is executed when the
`user first attempts to execute the product application
`program provided in the main program file 16 of the PC
`
`DISH-Blue Spike-842
`Exhibit 1012, Page 0005
`
`

`

`5,103,476
`
`3
`operating system 14. The registration shell provides and
`displays on the PC display, descriptive information
`about the product application program and prompts the
`potential licensee to register as a user. The license could
`be assigned specifically for a particular licensee at a 5
`particular site and could be for varying lengths of time
`or on a temporary trial basis which is offered at no cost
`to the licensee.
`The registration shell program 11 would provide a
`data entry form which would be displayed on the Ii- 10
`censee PC, requesting the licensee to provide identifica(cid:173)
`tion information, such as a billing address, an account
`number and the term of the license, etc. This informa(cid:173)
`tion is entered into a registration request file 25 which is
`reviewed by the licensee. The registration shell pro- 15
`gram would then wait for the licensee to initiate regis(cid:173)
`tration by pressing a designated key. When this key is
`pressed, the registration file is closed and a registration
`shell file transfer program 26 establishes a data link with
`the registration system file transfer program 32. The 20
`registration program 40 in the registration computer is
`protected by a validation means 42 to perform a secu(cid:173)
`rity check ensuring that the data link has been estab(cid:173)
`lished with a legitimate registration shell. The registra(cid:173)
`tion shell then transmits the registration request file 25 25
`to the registration system which would receive the file,
`and perform the necessary error checking and hand(cid:173)
`shaking operation between linked file transfer programs
`26 and 32. When the complete registration request file is
`received at the central registration computer, the regis- 30
`tration request is validated against a database of regis(cid:173)
`tered users 34. The validation would involve various
`checks to determine if the request should be fulfilled.
`For example, if a second request for a temporary license
`is received from a particular licensee, a license would 35
`not be granted to the licensee and the critical segments
`of the program would not be transmitted. If this should
`occur, an appropriate message would be transmitted to
`the registration shell for display to the potential li(cid:173)
`censee. However, if the request is validated, a record 40
`entry into the registered user database is prepared, but is
`not entered until the entire process is complete.
`The user identification data is then used to build a
`unique tamperproof overlay file generated by merging
`the user identification data with critical segment pro- 45
`gram instructions· 36. A cyclic redundancy check
`(CRC) value is computed which is unique to the merged
`data and program files and included within the tamper(cid:173)
`proof overlay file 37. A unique set of encryption and
`decryption keys is generated and the entire contents of 50
`the tamperproof overlay file is encrypted using the
`encryption key. Based upon the encryption key, a de(cid:173)
`cryption key is provided which is transferred along
`with the tamperproof overlay file. The encryption algo(cid:173)
`rithm can be any technique which uses a different key 55
`for encryption and decryption similar to the public key
`encryption system. The registration system assembles
`the tamperproof overlay file and the decryption key
`into a single shipping file 38 for transmission to the
`registration shell of the personal computer. Updated 60
`main program files may also be included into the ship(cid:173)
`ping file which is transmitted to the registration system
`of the PC by means of file transfer programs and the
`previously established data link.
`Upon receipt of the complete shipping file, an un- 65
`packerinstaller subprogram 28 in the registration shell
`program opens the shipping file and installs the tamper(cid:173)
`proof overlay file 40 including the critical program
`
`4
`segment 24, CRC value 22, as well as the decryption
`key 20 and the updated main program files, if included.
`The electronic data link may be disconnected. The
`registration process is now complete. The registration
`data base record is entered and billing for the licensee
`request may be performed by a separate program on the
`central registration computer 12.
`After registration, the distributed product application
`program installed on the licensee's personal computer
`may be activated for use by a process that uses the
`tamperproof overlay file and the decrypt key to load a
`complete product application program for execution
`each time the product application program is run.
`This product application activation process is illus(cid:173)
`trated in FIG. II. As shown therein, when the personal
`computer user commands the operating system to run
`the product application program, the operating system
`will load the main program and the loader segment. The
`loader segment will execute before any other program
`instructions. The loader segment then executes the acti(cid:173)
`vation of the product application program starting with
`a test for the presence of the tamperproof overlay. If no
`tamperproof overlay has been installed, the loader seg(cid:173)
`ment exits to the operating system, thus preempting the
`execution of the main program files. If, however, a
`tamperproof overlay has been installed, the loader seg(cid:173)
`ment finds the decryption key and proceeds to decrypt
`and load the tamperproof overlay, overlaying the main
`program files with the missing critical segment program
`instructions as well as the unique identification and
`license control data. A cyclic redundancy check is per(cid:173)
`formed during the decrypt and load process and, at
`completion, is compared to the cyclic redundancy
`check value stored in the tamperproof overlay when it
`was generated and transmitted by the registration com(cid:173)
`puter to the PC. If the cyclic redundancy check fails,
`the overlay is considered to have been modified in some
`way, and is therefore invalid. At this point, the loader
`segment will unload the overlay and exit to the operat(cid:173)
`ing system. Therefore, as was true with respect to the
`non-inclusion of the tamperproof overlay, the execution
`of the main program files is preempted when any por(cid:173)
`tion of the tamperproof overlay is modified. If the cyc(cid:173)
`lic redundancy check confirms that the overlay has not
`been modified, the loader segment initiates the execu(cid:173)
`tion of the main program files with the overlay included
`and the product application program executes to com(cid:173)
`pletion.
`By requiring the tamperproof overlay to be included
`in any operable form of the product application pro(cid:173)
`gram, licensee identification and license control data are
`always included in subsequent copies of the operable
`program. Thus license abuse may be curtailed and mon(cid:173)
`itored by the licensor.
`As described with respect to FIGS. I and II, the
`registration process, according to the present invention,
`produces a tamperproof overlay file which includes
`critical portions or segments of a main program file and
`license control data. When the registration process is
`complete, this tamperproof overlay file is transferred
`from the registration computer to the personal com(cid:173)
`puter. The tamperproof overlay is the key device that
`prevents license abuse after activation because the criti(cid:173)
`cal segment of program instructions may not be sepa(cid:173)
`rated from the unique licensee identification data and
`license control data without detection, nor may the
`licensee identification and license control data be
`changed without detection.
`
`DISH-Blue Spike-842
`Exhibit 1012, Page 0006
`
`

`

`5
`The tamperproof overlay file is considered to be
`made tamperproof by initially storing a cyclic redun(cid:173)
`dancy check value within the overlay file when the
`overlay file is generated. The cyclic redundancy check
`value is computed for the entire contents of the overlay 5
`file including program instruction and licensee data.
`Since licensee data is unique, each CRC will be unique.
`The stored CRC value is compared to the cyclic redun(cid:173)
`dancy check value computed by the loader segment
`each time the overlay is loaded. If the cyclic redun- 10
`dancy check values do not agree, the loader segment
`will exit to the operating system. Thus, any change to
`the overlay file contents renders the overlay file de(cid:173)
`funct, unless a corresponding change the stored cyclic
`redundancy check value is also made. Secondly, the 15
`entire contents of the tamperproof overlay are en(cid:173)
`crypted by the registration system in such a manner as
`to obscure the location of the cyclic redundancy check
`value, thus making it difficult to locate and chan~e its
`value. Encryption also obscures the specific program 20
`instructions contained in the critical segment of this
`portion and the unique user identification and license
`control data as well. Encryption is accomplished by any
`technique that uses a different key for encryption than
`for decryption similar to the public key encryption 25
`system. The algorithm for encryption and for generat(cid:173)
`ing the unique encryption key and the decryption key
`resides in the registration system and is therefore inac(cid:173)
`cessible to the licensee. The decryption key is transmit(cid:173)
`ted to the licensee's computer through the registration 30
`system and the registration program shell. Since the
`algorithm for decrypting the overlay file is in the loader
`segment, it is possible, although difficult, to use the
`decrypt key and the decrypt algorithm to decrypt the
`overlay file and examine its contents. However, at- 35
`tempts to change the contents and encrypt a new, al(cid:173)
`tered overlay file are hindered by a lack of access to the
`encryption key. It is a characteristic of the public key
`encryption system that only overlay files encrypted
`with a complimentary encryption key may be de- 40
`crypted using a complimentary decryption key.
`The tamperproof overlay file contains both the criti(cid:173)
`cal segment of the program instructions as well as
`unique user identification data which is appropriate to
`the method and control of the license. This data would 45
`include the time period of the license, the serial number
`of the computer, the telephone number of the comput(cid:173)
`er's modem, as well as additional information.
`The loader segment 18 is a special purpose subpro(cid:173)
`gram that is linked with the main program files of the 50
`product application program by a technique that ren(cid:173)
`ders the main program files inoperable if the loader
`program is removed or bypassed. The linking technique
`is a process that embeds certain program instructions
`within the main program files of the product application 55
`program. These embedded instructions test for specific
`values at specific memory locations unknown to the
`user. When the loader program segment is executed, it
`stores the specific values at specific memory address
`locations required to allow the main program files to 60
`operate. The loader program segment does this in addi(cid:173)
`tion to its other functions. Thus, if the loader segment is
`removed, or bypassed, the main program files will not
`contain the specific values at specification locations and
`are inoperable.
`Obviously, many modifications and variations of the
`present invention are possible in light of the above
`teachings. For example, it is envisioned that this inven-
`
`65
`
`5,103,476
`
`6
`tion may be implemented in a tiered architecture
`wherein user computers are linked to a local registra(cid:173)
`tion computer which is in tum linked to a regional
`registration computer, and so on. The registration au(cid:173)
`thority of the local registration computer could be con(cid:173)
`trolled by the license control data included in a transac(cid:173)
`tion between the local registration computer and the
`regional registration computer. It is therefore to be
`understood that within the scope of the appended
`claims, the invention may be practiced otherwise than
`as specifically described.
`What is claimed is:
`1. A method of activating a program file, comprising
`the steps of:
`providing a program file including a loader segment
`and a registration shell portion to a remote com(cid:173)
`puter having a display, said program file lacking a
`critical portion, preventing said program file from
`operating properly,
`entering user identification information in said regis(cid:173)
`tration shell portion;
`transmitting said user identification information from
`s..1id registration shell to a separate registration
`program provided in a registration computer, said
`registration program merging user identification
`data with said critical portion to generate a unique
`overlay file;
`transmitting said unique overlay file from said regis(cid:173)
`tration program to said registration shell, said over(cid:173)
`lay file containing the critical portion originally
`lacking from said program file; and
`installing said overlay file in said program file,
`thereby allowing operation of said program file
`only when user identification contained in said
`overlay file is presently installed.
`2. The method in accordance with claim 1 further
`comprising the step of validating said user identification
`information prior to transmitting said overlay file from
`said registration computer to said remote computer.
`3. The method in accordance with claim 2, wherein
`said validating step insures that said user identification
`information is provided a legitimate registration shell.
`4. The method in accordance with claim 1, further
`comprising the step of creating an overlay file which is
`tamperproof.
`5. The method in accordance with claim 4, wherein
`said tamperproof overlay file is created by encrypting
`said overlay file, providing a cyclic redundancy check
`value within said encrypted overlay file and providing a
`decrypt key to said overlay file.
`6. The method in accordance with claim 5, wherein
`the cyclic redundancy check value is computed each
`time said overlay is loaded for execution and compared
`to the cyclic redundancy check value transmitted
`within said tamperproof overlay file to determine
`whether said overlay file has been modified since gener(cid:173)
`ation.
`7. The method in accordance with claim 1, wherein
`said user identification information and said overlay file
`are transmitted between said registration shell and said
`registration program through an electronic data link.
`8. The method in accordance with claim 1, wherein
`said user identification and said overlay file are entered
`and installed on a single computer.
`9. A system for activating a program file for a limited
`or unlimited period of tim!! comprising;
`at least one remote computer, initially provided with
`a program file containing an overlay loader seg-
`
`DISH-Blue Spike-842
`Exhibit 1012, Page 0007
`
`

`

`7
`ment but lacking at least one critical program seg(cid:173)
`ment, preventing operation of the program file,
`said overlay loader segment only enabling activa(cid:173)
`tion of the program file when an authentic overlay
`file is presently installed, said remote computer
`provided with a registration shell program, said
`registration shell program enabling a user to enter
`various user identification information;
`a registration computer provided with a registration
`program, a means for receiving and processing said
`user identification information, a means for creat(cid:173)
`ing a unique overlay file containing the critical
`program segment lacking from the program file
`and all or portions of the user identification infor(cid:173)
`mation, and a means for transmitting said overlay 15
`file to said remote computer,
`wherein transmission of said overlay file to said re(cid:173)
`mote computer would allow operation of said pro(cid:173)
`gram file only when user identification contained in
`said overlay file is presently installed.
`10. The system, for activating a program file in accor(cid:173)
`dance with claim 9, further including an electronic data
`link between said remote computer and said registration
`
`8
`computer and file transfer processes provided in both
`said registration computer and said remote computer.
`11. The system for activating a program file in accor(cid:173)
`dance with claim 9, wherein said registration computer
`5 is provided with a central data base including all regis(cid:173)
`tered users as well as a means for validating said user
`identification information.
`12. The system for activating a program file in accor(cid:173)
`dance with claim 9, wherein said means for creating an
`10 overlay file is provided with an encryption device for
`producing a tamperproof overlay file with a cyclic
`redundancy check value stored therein, and a decrypt
`key, and further wherein said decrypt key is transmitted
`to said remote computer along with said overlay file.
`13. The system for activating a program file in accor-
`dance with claim 12, wherein said remote computer is
`provided with a means for decrypting said overlay file,
`calculating a cyclic redundancy check value each time
`said overlay file is loaded for execution, and comparing
`20 this check value to the redundancy check value trans(cid:173)
`mitted by said registration computer within said overlay
`file.
`
`* * * * *
`
`5,103,476
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`DISH-Blue Spike-842
`Exhibit 1012, Page 0008
`
`