Thread: Adding trial period to software

  1. #1
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058

    Adding trial period to software

    I am in the process of writing a software update to allow a 15 day trial period.
    My approach will be as follows:

    1. Trial period key will be based on current date/time and volume serial number.

    2. Will use Rijndael encryption/decryption to store and retrieve the above info
    from an obscure registry key.

    3. The app will decrypt the retrieved data to determine if the 15 day trial
    period is in effect. If so, allow the user to run software.

    4. The trial period app will display the user's public key which is based on
    the encrypted registry key. If the user wishes to purchase the software,
    he/she must email the public key back to the company. The company in turn
    will return an unlock key to remove the trial period from the software.

    I am aware that there is no absolutely foolproof method of keeping software secure
    but I just want to try to keep the average user (non pro hacker) honest.
    Thus my questions...

    1. Can anybody suggest improvements to the above described approach?

    2. Can anybody see any flaws in the above approach?

    3. How can I programmatically determine if a user set the system date back
    to a legal date with the 15 day trial period to circumvent the expiration
    of the trial software?

    4. I'm not sure on how to write the algorithm to convert the user's public
    key into an unlock key. Any suggestions?

    Thanx

    Bob

  2. #2
    Registered User TactX's Avatar
    Join Date
    Oct 2005
    Location
    Germany.Stuttgart
    Posts
    65
    Storing the key in the Windows Registry is a flaw imho. You don't need to be a pro hacker to use a tool like regmon or something that gets the difference.

  3. #3
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Good point!

    That also brings up another problem. Since the registry key is created when the software is first run, then a hacker only has to delete the key to keep the software in the trial period since the software will create the key every time it is run. I would now need to know if the registry key has been deleted prior to executing the software.

    I was also thinking about somehow embedding the encrypted data in the PEF structure. Just don't know how feasible, realistic that would be since I've never dabbled with PEF before.

    Anybody have any suggestions?

    EDIT If I wrote an installer program that installed the software and created the registry key. Then if the software determined the key did not exist, it would abort. Also, the installer would self delete after its initial use to prevent reinstallation of the software. Knowing the identity of the registry key would not be of much use since the user would still have to decrypt the registry key. As far as I know, the Rijndael encryption scheme still has not been compromised by any super computers yet.


    Thanx

    Bob
    Last edited by BobS0327; 01-02-2006 at 03:29 PM. Reason: Another thought..

  4. #4
    It's full of stars adrianxw's Avatar
    Join Date
    Aug 2001
    Posts
    4,829
    Of course, deleting the installer after it has run will not prevent someone making a copy of the presumably downloaded installation kit and thus be able to run it again.

    Depending on the type of application, you may be able to check in the installer to see if there are data files or similar already existing, and delete them as part of the install, thus your criminal has a new copy, but all of his old work has gone.

    Another possibility is that the format of your apps binary data files include, probably not obviously, a copy of the registry keys data, and the key, and the data files copy are compared to make sure they are the same. You'll need to deal with any modifications caused by the installation of the licence.

    It is difficult to expand really without knowing a lot more about the application under discussion.
    Wave upon wave of demented avengers march cheerfully out of obscurity unto the dream.

  5. #5
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    > It is difficult to expand really without knowing a lot more about the application under discussion.
    It's an application to interface with a security/home automation controller via an Ethernet connection. The application logs into the controller and sets/updates security throughout a home. It also controls (thru the controller) any home automation installed in the home. Essentially, the user has "Jetsons" style control of his/her home.

    The app does create and update an Access MDB to keep track of certain controller parameters. There is no custom user data in the MDB file. The app does have to be initially configured with the static IP address of the security/automation controller. It also needs the private key for the Rijndael encryption method used to communicate security data to/from the controller. That is, all security data is encrypted before being sent over the wire and must be decrypted by the receiver.


    Link to application

  6. #6
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,268
    > 3. How can I programmatically determine if a user set the system date back
    > to a legal date with the 15 day trial period to circumvent the expiration
    > of the trial software?
    One way around this though would be to get the date from a source other than the system. Maybe connect to a time server somewhere. Another option would be to record the current date to a registry key every time your application is run. Then make sure that the system date is never more recent than that reg key.

  7. #7
    !anExpert
    Join Date
    Mar 2005
    Location
    pa
    Posts
    155
    My solution would be to handle the key creation remotely.. That way you can control the ability to create a key, you can encrypt and also enter a termination timestamp in it.. This would force the user to do quite a bit of work to break it I would think.. You would still face the issue of changing the system time.. I know there is a simple solution to this.. I will try to find it..

    bithub's timeserver solution is an idea.. however i would think that that would cause more problems than it would solve.. IMO, you would be better to just hope that a user would be tired of changing the clock all the time or would not even think of it in the first place..

    depends all on your target audience..

  8. #8
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Thanx for the input.

    It just dawned on me that the security controller keeps its own time. I can query the controller for the correct time.

    Now all I have to do is figure out how to prevent the average user from repeatedly using the trial software.
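The last-run record suggested in post #6, fed with a time source such as the controller clock from post #8, written out as an added example that is not code from any poster in this thread. The struct layout, the function name `trial_check`, the `slack` parameter and the use of `first_run == 0` to mean "trial not started" are assumptions made for illustration; the timestamps in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define TRIAL_DAYS   15
#define SECS_PER_DAY 86400

/* Persisted trial state (hypothetical layout; the thread keeps it in the registry). */
typedef struct {
    int64_t first_run;  /* epoch seconds when the trial started, 0 = not started */
    int64_t last_seen;  /* highest clock value observed on any run */
} trial_state;

typedef enum { TRIAL_OK, TRIAL_EXPIRED, TRIAL_CLOCK_ROLLBACK } trial_result;

/* now:   current time, ideally from a source the user cannot set
 *        (a time server or the controller's own clock).
 * slack: backwards drift in seconds tolerated for legitimate clock corrections. */
trial_result trial_check(trial_state *st, int64_t now, int64_t slack)
{
    if (st->first_run == 0) {           /* first launch: start the trial */
        st->first_run = now;
        st->last_seen = now;
        return TRIAL_OK;
    }
    if (now + slack < st->last_seen)    /* clock reads earlier than a previous run */
        return TRIAL_CLOCK_ROLLBACK;    /* last_seen is deliberately not lowered */
    if (now > st->last_seen)
        st->last_seen = now;            /* the high-water mark only moves forward */
    /* Expiry is judged against the high-water mark, so a small rollback
     * inside the slack window cannot stretch the trial. */
    if (st->last_seen - st->first_run > (int64_t)TRIAL_DAYS * SECS_PER_DAY)
        return TRIAL_EXPIRED;
    return TRIAL_OK;
}

int main(void)
{
    trial_state st = {0, 0};
    int64_t t0 = 1136214000;            /* constructed start time */
    int64_t days[] = {0, 10, 2, 16};    /* launch on day 0, 10, then clock set back to day 2, then day 16 */
    for (int i = 0; i < 4; i++)
        printf("day %2d -> %d\n", (int)days[i],
               (int)trial_check(&st, t0 + days[i] * SECS_PER_DAY, 300));
    return 0;
}
```

The check only holds while the stored state survives: deleting it restarts the trial, which is the registry-key problem raised in post #3.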

  9. #9
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    I like the idea of creating the trial period key remotely and then emailing the key to the user. It would have a timestamp.

    I could then create an activation key for any trial user who wants to purchase the product.

    anybody see any problems with this approach?

    Thanx

  10. #10
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > Now all I have to do is figure out how to prevent the average user from repeatedly using the trial software.
    You link various bits of functionality to the registration key. Without a key, the user has
    - limited number of commands / events
    - limited number of concurrent devices
    - limited save options

    Beware of spending excessive amounts of time protecting useless software, rather than spending your time making your software more useful / bug free etc. Getting your software to the top of the features and usability lists, and onto the manufacturers' 'recommended' lists should also be a serious goal for you.

    Judging from your site, you're not the only provider of software for those devices.

    People who can afford to spend money on additional hardware are not likely to be short of a few extra $$$ to spend on some decent software.

  11. #11
    Registered User
    Join Date
    Jan 2005
    Posts
    847
    Don't forget to include some integrity checking of your application, otherwise your activation check will be easily patched. You can encrypt a part of your program to avoid casual patching.

  12. #12
    It's full of stars adrianxw's Avatar
    Join Date
    Aug 2001
    Posts
    4,829
    Now I've seen what it is we're talking about, I tend to agree with Salem. For cheap software in relatively niche markets, I don't think there will be enough interest to attract serious crackers.
    Wave upon wave of demented avengers march cheerfully out of obscurity unto the dream.

  13. #13
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > anybody see any problems with this approach?
    Here's another thought - people will draw all sorts of wrong conclusions if your software randomly tries to send secret messages to some server.

  14. #14
    !anExpert
    Join Date
    Mar 2005
    Location
    pa
    Posts
    155
    Quote Originally Posted by Salem
    > anybody see any problems with this approach?
    Here's another thought - people will draw all sorts of wrong conclusions if your software randomly tries to send secret messages to some server.
    I think the last idea he considered was to just receive an initial key by email and skip the timeserver part...
    Who would ever run an app anyhow that sent secret messages??.. I guess you could disguise them as "Automatic Update"s and then everyone would accept them happily.. as a *feature* even

    That's an excellent point about focusing more on developing the app itself rather than just the protection. Protections can all be broken anyhow.. So in the end it is futile.. esp if you have a really good app.
    You're better to opensource and get respect and "honor system" or commercial licenses, or just keep it closed source and make some cheap protection that will stop 75% of users.

    Usually regardless of popularity a project that is made commercially available will be cracked just as a learning project. It does not go on demand, just availability.
    Last edited by xhi; 01-03-2006 at 09:40 AM.

  15. #15
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,212
    What's stopping the user changing the date so they can continue the trial after 15 days?

    Last Post: 01-09-2002, 03:59 AM