How do I enforce an expiration date for a trial install of my software?
P

5

15

I need to offer a trial period for my custom software. I have a 64-bit C# app, which uses 64-bit, multi-processor support DLLs. Other utilities to be included are written in C++ (exes and dlls). I must be able to encrypt the C# code, key the software to run only on a particular machine, and enforce an expiration date that cannot be foiled by resetting the machine clock.

I've evaluated several open source and COTS solutions: Infralution Licensing System, Protector, and ExeShield just to name a few. None of them satisfy all of my constraints.

Is anyone aware of an all-encompassing solution that I should consider? Or do I need to do some registry diving and enforce it through custom code?

Prebendary answered 30/3, 2011 at 15:13 Comment(5)
If your software is good enough, a basic solution (like what you've already investigated) will do the trick: People would rather just pay for it once than go through a ton of hoops to make it work. - Corporate
Can you require an internet connection? - Repine
Agreed. In this instance, my client requires a rigorous evaluation process for my solar power instrumentation framework. I'm confident they will choose my solution, but I still need to protect myself in case they continue to use it after the trial period. - Prebendary
Yes, one of the solutions I've investigated uses a web service for enforcement. It's a valid option. - Prebendary
@ctrlShiftBryant: That might work by making sure no one uses the product before or after expiration. - Chet
G
38

I've discovered over the course of several years of trying out varying licensing systems that there's a strong inverse correlation between security, and alienation of your potential customers.

There are essentially two kinds of piracy you need to worry about. One is casual piracy - users using the software without paying simply because they haven't really thought to pay. The other is deliberate piracy - people who are determined not to pay, and are willing to put real effort into not doing so.

Casual piracy can be handled with what essentially comes down to gentle reminders - activation keys, time limits, etc. Deliberate piracy, on the other hand, essentially can't be prevented. As Sony, Apple, Microsoft, Nintendo, and a number of other companies will tell you, even when you have the benefit of control of the hardware as well as the software, your protection scheme will be broken. And the person breaking it is as likely to be doing it for the sake of a fun challenge as for the desire to get free software. So for a certain demographic, making the protection stronger doesn't discourage them, it does quite the opposite.

Meanwhile all the stuff you do to try and achieve strong protection is driving legitimate users up the wall. Maybe the trip for detecting gerrymandering with the system clock got set off because they changed time zones. Or maybe they had to replace a bad hard drive or CPU or something, and that set off the system cloning mechanism. Or maybe Microsoft changes Windows's default security settings in a way that causes Windows to pop a mess of UAC warnings while your app's in use thanks to it not being friendly to some trick you used to try and hide the file that stores the licensing data. At work we use a commercial solution, and we've discovered that their protection mechanism can trip in ways that, thanks to a bug in the software, can cause the license data to be corrupted, thus locking the user out of the program. Because of the way their system stores that data, it's an unrecoverable situation - the customer literally has to choose between not using that software on that computer ever again, and wiping the hard drive. Yes, it's happened multiple times. Yes, we've lost a lot of potential revenue over it. Yes, I get queasy to think of the damage it's caused because we rely primarily on word of mouth and it's generated a whole lot of bad word of mouth. Long story short, the naive paranoia about piracy of earlier years has probably cost me quite a number of sailing vacations in the Caribbean.

And the worst of it is, it's only a problem for legitimate users. Crackers can easily - painfully easily - get around it with the aid of - if it comes to last resorts - a debugger and decompiler. If the software is on a device in the possession of the end user, you might as well start thinking as if your software's already been cracked. It's to the point that there's a cottage industry that has built up around the idea of people cracking software they legitimately own, just to avoid the annoyance of the software protection mechanisms. They'll give you the money, but they'll still crack the software because your copy protection is just that irritating, and just that easy to circumvent. The alternative - and this is the route I've gone - is to just go buy different software that's less annoying, or use free software instead.

So go with the minimum - watch the clock and time out the demo, because you do need to remind your users to send you a check. But don't do it in a way that makes them decide they don't want to give you a check. If your goal is to convert sales, consider this as the most elegant, cost-effective, and efficient system for keeping users from violating your demo period by mucking with the system clock: It's really, really irritating to work with a computer that's got the clock set to the wrong date. And that's just for home users. For (legitimate) businesses, it's not even a feasible option. And anyone who isn't deterred by that is probably a script kiddie who never really had the means to pay for your software in the first place.

Gastroenterology answered 30/3, 2011 at 15:51 Comment(7)
Amen to that - great summary. - Omer
Nice editorial. I agree with the sentiments you expressed. However, my boss insists on some formal protection for our intellectual property. In this case, I have to find or implement the encryption and trial period protection. I'll definitely shoot for simplicity and elegance as you advocate. - Prebendary
Finally someone who sees the value behind piracy. I mean, if you can't beat them, it's still free advertising :) Does Microsoft really care about pirated Windows licenses? - Haim
+1 Not all companies face that problem however. Take BlackBerry for instance. Never been compromised. - Haematoid
@retrodone: I understand the need to make the bosses happy. For encryption, have you considered putting the critical IP in a separate assembly that's encrypted and embedded in the executable file? You can then decrypt and load it at run-time without having to bother with a commercial offering. It's really not all that secure, since at the end of the day you still have to store that encryption key somewhere on the user's computer. But it does achieve a level of obfuscation that might be enough to make management happy. - Gastroenterology
Just think of those damn DVD anti-piracy promos you are forced to watch - that's why most people rip DVDs. I've seen a lot written about this and @sean's answer is a great one. - Fillet
codeproject.com/Articles/7312/Piracy-and-Unconventional-Wisdom is a good essay, as is offbyzero.com/resources/software_protection_licensing - Fillet
T
1

Use http://xheo.com/ products for this. They offer a code obfuscator that is great at protecting code, and a licensing platform that can do everything you would ever imagine. They offer a version that can be compiled into your code.

Encrypt - http://xheo.com/products/code-protection

License - http://xheo.com/products/copy-protection

Trier answered 30/3, 2011 at 15:23 Comment(4)
Thx for the suggestion. I was able to defeat the trial version by just setting back the clock on my machine. Also, it couldn’t handle my "Any CPU" dll in conjunction with the 64 bit executable. - Prebendary
Just add a time check and put it in the registry, the next time the app starts if the time is less than the previous time the app was started have it disable itself forever. - Trier
OK, if you really have a single target this is what I have done in the past... you get the machine name and the hard drive serial... concat them and MD5 hash it. Have them send you the MD5 and you can generate an activation code which is encrypted using MD5. The encrypted text will have the date and time in it for when the license was created and expires. Every time the app starts the machine name and serial are hashed to decrypt the license info... also put the current date/time in the same file encrypted with that MD5, then check it. - Trier
I do agree with @"Sean U" as I have been in that situation, but I also have been in a situation like you. I was writing software for a company that was notorious for making deals that they would just buy one license right now, and in a few months they would buy some more... but then they would just pirate the software onto the other systems. So I used the above method on them, and it worked very well. Most business level users can crack even simple protection... so for one-time deals it's a good way to go. - Trier
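
The scheme from the comments above (machine fingerprint, expiry carried inside the license, stored last-run time), as an added C# example that is not any poster's code. It swaps the MD5-keyed encryption for an RSA signature so the application holds only a public key, and it assumes the disk serial and the persisted last-run timestamp are supplied by the caller; all names and sample values are constructed.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
static class TrialLicense
{
    // Machine binding over the two inputs named above, hashed with SHA-256 instead of MD5.
    public static string Fingerprint(string machineName, string diskSerial)
    {
        byte[] raw = Encoding.UTF8.GetBytes(machineName + "\n" + diskSerial);
        using (SHA256 sha = SHA256.Create()) return BitConverter.ToString(sha.ComputeHash(raw)).Replace("-", "");
    }
    // Vendor side only: the private key never ships with the application.
    public static string Issue(RSA vendorKey, string fingerprint, DateTime expiresUtc)
    {
        string payload = fingerprint + "|" + expiresUtc.ToString("o");
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + "|" + Convert.ToBase64String(sig);
    }
    // Client side: public key only. lastSeenUtc is the persisted high-water mark of the clock.
    public static string Check(RSA vendorPublic, string license, string fingerprint, DateTime nowUtc, ref DateTime lastSeenUtc)
    {
        string[] p = license.Split('|');
        if (p.Length != 3) return "malformed";
        byte[] sig;
        try { sig = Convert.FromBase64String(p[2]); } catch (FormatException) { return "malformed"; }
        byte[] signed = Encoding.UTF8.GetBytes(p[0] + "|" + p[1]);
        if (!vendorPublic.VerifyData(signed, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)) return "bad-signature";
        if (p[0] != fingerprint) return "wrong-machine";
        // UTC plus a one-day tolerance, so a time-zone change is not treated as tampering.
        if (nowUtc < lastSeenUtc.AddDays(-1)) return "clock-rollback";
        if (nowUtc > lastSeenUtc) lastSeenUtc = nowUtc;
        DateTime expires = DateTime.Parse(p[1], CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
        return nowUtc > expires ? "expired" : "ok";
    }
    static void Main()
    {
        using (RSA vendor = RSA.Create(2048), client = RSA.Create())
        {
            client.ImportParameters(vendor.ExportParameters(false)); // public half only
            string fp = Fingerprint("LAB-PC-01", "SERIAL-PLACEHOLDER"); // constructed values
            DateTime start = new DateTime(2011, 3, 30, 0, 0, 0, DateTimeKind.Utc), seen = start;
            string lic = Issue(vendor, fp, start.AddDays(30));
            Console.WriteLine(Check(client, lic, fp, start.AddDays(10), ref seen)); // normal run on day 10
            Console.WriteLine(Check(client, lic, fp, start.AddDays(2), ref seen));  // clock set back to day 2
            Console.WriteLine(Check(client, lic, fp, start.AddDays(31), ref seen)); // day 31, past expiry
            Console.WriteLine(Check(client, lic.Replace("2011-04-29", "2012-04-29"), fp, start.AddDays(31), ref seen)); // edited expiry
        }
    }
}
```

The signature only stops a license from being edited or reissued without the vendor's key. The last-run timestamp still has to live somewhere on the user's machine, where it can be deleted or restored.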
C
1

Why not just use the time from an internet source, like www.time.gov? You could fold in a C++ Qt app and use their QtWebKit library, http://doc.qt.nokia.com/4.7/qtwebkit.html, to download the time. (I've never in fact done anything like this, but looking at the documentation it looks promising.) The first time the program runs, you create a little file with a timestamp, or, for even more security, write the timestamp into a program-essential dll and recompile it. This gets checked every time the program is run. If they're not connected to the internet you warn them a few times but eventually abort the load.

Another variation on this, used by a lot of software packages I think, is that you store the date the user starts using your software on your server. Recompile the program for each user (you might be able to script this) with a user-specific code, and the program checks itself against the date stored on the server every time it is loaded.

Cummins answered 30/3, 2011 at 15:28 Comment(0)
L
1

How can it be stored in a way as to be unrecoverable? Registry entries and files can be deleted. Alternate data streams don't get copied into a zip file, so if you know the file that contains the ADS that contains the install data of the software (which is being used to reference the current time to calculate days since install), you can just compress it in a zip file then extract it again and byebye to the install date reference. Store it as raw data on the hard drive (not referenced in the File Allocation Table as a file) and it will be overwritten when a file is saved to that location on the hard drive.

So I literally can't see a way to make an impossible to remove trial install date for copyprotection. It just can't be done.

Langsdon answered 1/2, 2012 at 23:9 Comment(0)
R
0

Perhaps a better idea is to give away, for free, a smaller application that has only minimal features. Customers then pay for extra features or add-ons.

In my application, people have suggested that I offer more data for a fee. The application would be free with minimal data. Another idea is to go the subscription fee route for the advanced data access.

Roseberry answered 30/3, 2011 at 16:55 Comment(0)
