* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Trial limit with no net access?

Okay, so I'm near ready to release another PC app, and I've pretty much given up on my misguided philosophy to trust users to pay.  :(

My app is something that'll be used maybe once or twice a day, depending on the user's obsessive-compulsive nature.  It's not a constantly-running app, but launch, process, then quit.  I want them to be able to launch it a max of 50 times before payment, which is ample time to test its functionality.  (They'd actually know after the first launch if they want it).

I don't want internet access to be used because I often use a laptop that has no net access, so apps that require it go against my principles.

I also don't want to use the Registry to store the trial info, as this can easily be overcome/reset with Sandboxie or RegShot.

What do you suggest for a non-internet, non-Registry protection?

Or does this mean I'm making it all too hard on myself?
PSB136
Wednesday, January 01, 2014
 
 
Oh, and I also don't want to pay somebody to protect it for me.  ;)
PSB136
Wednesday, January 01, 2014
 
 
>> "I also don't want to use the Registry to store the trial info, as this can easily be overcome/reset with Sandboxie or RegShot."

Files aren't magical. They can be tracked, altered, removed just as easily as the registry. See: Process Monitor, or a thousand other tools.


>> "What do you suggest for a non-internet"

All non-internet trials will be "unverified trials", meaning they can be easily reset by malicious users with the ability to Google "Process Monitor".

The alternative is "verified trials". I can explain what goes into this, if you'd like. There are several ways to do verified trials, but a connection to the outside world (via the Internet, horse-drawn carriage, or carrier pigeon) is needed at least once.


>> "Oh, and I also don't want to pay somebody to protect it for me.  ;)"

We have a free plan: https://wyday.com/limelm/signup/free/

You can do either "verified trials" or "unverified trials". Your choice.

;)
Wyatt O'Day
Wednesday, January 01, 2014
 
 
Registry/files = the same end result.  They both access the hard drive; I know that.  Sandboxie and RegShot can catch file modifications as well as the Registry.

I don't want a connection to the outside world at all.  I personally love apps that once I buy, they're mine to use without ever contacting the author again.  I intend to do the same for others, even though I know it makes my fight against piracy harder (and probably impossible).

I'll pass on your free plan.  When I said "don't want to pay anyone", I should've said, "don't want to depend on anyone".  Nothing against what you do; it's just that I don't want any third parties involved at this time.  :)
PSB136
Wednesday, January 01, 2014
 
 
So, you want an app that does one thing when the user has not yet paid (run only 50 times) and another thing if the user has paid (run indefinitely), but to determine which one of those is the case, it cannot use anything on their computer or on the internet?  What is then left?  An extra piece of hardware?

Here is a solution:  have two versions.  The trial requires internet access.  Once they buy, they obtain some extra component, and can then run forever without connecting.  This does require an extra download/install, and they do still need to connect while on the trial, but if you are correct that they will know if they want it after a single launch, the trial period shouldn't last long.
Dora
Wednesday, January 01, 2014
 
 
"my misguided philosophy to trust users to pay"

This requires more explanation. Is it donationware where you ask them to pay if they find it useful? Or is it something where people have cracked your license scheme and are posting key generators and such?
Scott
Wednesday, January 01, 2014
 
 
> I also don't want to use the Registry to store the trial info, as this
> can easily be overcome/reset with Sandboxie or RegShot.

What types of users do you target?  99% of them have never heard of or wouldn't know how to do something like you mention.  But of course if your app is for some very technical or hacker-minded folks, that would change significantly.

But if you're saying no to any sort of persistent on-computer (i.e. disk) approach, and you're against off-computer (online) approaches, you've pretty much ruled out everything.
Doug
Thursday, January 02, 2014
 
 
My targets are both novice and advanced PC users, and my app even has a switch that they select for their skill level.  Novices get all options in the app enabled, and advanced users can pick and choose.

I think I'll just do a Registry save and be done with it.  I'm so sick of worrying about piracy that if I don't, I'll never release it.  :(
PSB136
Thursday, January 02, 2014
 
 
Actually, all credit to my wife for pushing me to just release.  I said, "But people can delete the Registry key and not pay", and her response was, "But nobody's paying you now anyway!"  :)
PSB136
Thursday, January 02, 2014
 
 
+1 to your wife.

Yes there are people who may do this but if you spend all your time focused on them you can't sell your product to all the people who will happily pay for it.  And most people DON'T go digging around in the registry. 

Years ago I bought an antivirus software that kept making me register after I'd registered.  There was no mention of this in their knowledge base and they had deliberately made it so hard to find a way to contact them directly that I ended up spending over 30 minutes searching their site just to get email/phone info. 

When I did finally reach someone it was obvious I was no isolated incident.  I brought up how frustrating it was and their response was "well we have to protect ourselves from people who try to steal our software."  I wondered -- at what cost to those of us who paid for it? 

I was so annoyed at being treated with such suspicion that I have never bought their software since and told any friends who wanted advice to steer clear too.  It really made me think -- you can try so hard to protect against the few dishonest people that you end up alienating the good paying clients.
Emily Jones
Thursday, January 02, 2014
 
 
Okay, the way I'm going to do it, is store the run count and other prefs in one single encrypted REG_SZ entry... so if they do decide to delete this Registry entry to reset the app, then they will also lose all their prefs at the same time, and will have to set it all up manually again.

I think that's a fair enough punishment!  :)
PSB136
Friday, January 03, 2014
 
 
To make it a little bit harder: have an installer which creates the (encrypted) registry entry.

That way if someone deleted the entry, you know they were trying to tamper, so you treat it as running out of trial period.

To restore the functionality they would have to re-run the installer or set the initial registry entry value, which are less obvious than just deleting the registry.

Not that much of additional protection, but simple to implement.

I happen to believe that obscurity, not piracy, will break the software business.

When you get to the point that many people want to pirate your software, you must be getting lots of sales, at which point you can invest in a really good protection.

At the beginning, when you don't know if anyone actually cares about your software, it's a waste of time.

Trust me, I have completely free software that few people are interested in.
Krzysztof Kowalczyk
Friday, January 03, 2014
 
 
Good idea, KK.  I do in fact use InnoSetup so I'll make it do that.  :)
PSB136
Friday, January 03, 2014
 
 
"store the run count and other prefs in one single encrypted REG_SZ entry... so if they do decide to delete this Registry entry to reset the app, then they will also lose all their prefs at the same time"

This sounds like a good idea.
Scott
Friday, January 03, 2014
 
 
Yep, Scott.  There's no reason to store one Registry entry for license info, one for window X position, one for window Y position, etc.  Encrypt them all together and store once; all eggs in one basket.

Stops the majority of non-payers from mucking around with it, as only the most dedicated cracker will bother trying to reverse the encryption and then make their own prefs writer for the app.

Another step might be to store the data as REG_BINARY instead of REG_SZ, as that's a little bit harder for a newbie to put into the Registry (they can't just paste something in, like they can with a string value).
PSB136
Friday, January 03, 2014
 
 
One other thing I just tested was storing the trial numbers as words, instead of digits ("fourteen" instead of "14" launches).  Gives a much better random encryption result.
PSB136
Friday, January 03, 2014
 
 
Just today I came up with the idea to also encrypt the window's width and height dimensions (and other parameters) in the saved data... so if anyone deletes the Registry key or modifies it, the app won't be visible when run.  I love it.  It works really well with my (limited) testing.
PSB136
Sunday, January 12, 2014
 
 
Your idea is a little vague, but here's what I read:

- You encrypt or hash a value (in this case window positions) in the registry.
- You also store the window positions in your customers' data.
- If they mismatch then the trial has been tampered with.

Have I got it right? If so, then that's a terrible idea. What happens if the user uses an old data file? What happens if the user uses the data file on another computer?
Wyatt O'Day
Sunday, January 12, 2014
 
 
All app settings (window width/height, etc), and user prefs (window x/y pos, etc), and trial uses remaining, are stored in one single encrypted REG_SZ entry.  If the user decides to delete that entry to "reset" the trial, fine -- they lose all their prefs for doing so and the window won't even appear properly when the app runs.  They'll need to reinstall the app to restore the default settings (which InnoSetup will do).  Sounds fair enough to me, as they shouldn't be messing with that Registry entry in the first place.

There's no "old data file" to use, and no problem if the app is used on another PC, because it's only licensed for use on one PC anyway.  There's no problem with this solution at all.  It's not "terrible" except to someone like you who makes a living selling anti-piracy tools.
PSB136
Monday, January 13, 2014
 
 
>> "It's not "terrible" except to someone like you who makes a living selling anti-piracy tools."

I should've spelled out the problems with your method and let you come to the conclusion that it is terrible, rather than just asserting it's terrible. Mea culpa. I'll try to do it now.


>> "they lose all their prefs for doing so and the window won't even appear properly when the app runs. "

Ok, so if it's in all one place (nothing being compared), then yes the settings will be deleted. That's absolutely correct. But will the window position be wrong / hidden / obscured? Not unless your new customer's first run of your app is wrong / hidden / obscured.

Do you see my point?


>> "They'll need to reinstall the app to restore the default settings (which InnoSetup will do)."

They can reset the trial by reinstalling your app? Then what's the point of all these elaborate methods? Wouldn't someone that wants to reset your trial just reinstall your app?
Wyatt O'Day
Monday, January 13, 2014
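
An added example, not code from any poster in this thread: the installer-seeded entry suggested earlier and the objection raised just above, in Python with an in-memory dict standing in for the registry. It uses an HMAC tag for tamper detection rather than the "encrypted" value discussed; `APP_KEY`, `ENTRY` and all function names are hypothetical. Deleting or hand-editing the value is caught, but restoring an older copy or re-running the installer is not, which is what "unverified trial" means in practice.

```python
import hashlib
import hmac
import json

APP_KEY = b"constructed-demo-key"  # assumption: key shipped inside the app binary
TRIAL_RUNS = 50                    # launch limit from the thread
ENTRY = "TrialState"               # hypothetical registry value name

def _tag(body: str) -> str:
    return hmac.new(APP_KEY, body.encode(), hashlib.sha256).hexdigest()

def seal(state: dict) -> str:
    """Run count and prefs in one value, followed by an HMAC-SHA256 tag."""
    body = json.dumps(state, sort_keys=True)
    return body + "|" + _tag(body)

def unseal(blob: str):
    """Return the state, or None if the value was edited or is malformed."""
    body, sep, tag = blob.rpartition("|")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    return json.loads(body)

def installer_seed(store: dict) -> None:
    """Installer step: write a full trial plus default window prefs."""
    store[ENTRY] = seal({"runs_left": TRIAL_RUNS, "win": [100, 100, 800, 600]})

def launch(store: dict) -> str:
    """App start: a missing or altered value is treated as tampering."""
    state = unseal(store[ENTRY]) if ENTRY in store else None
    if state is None:
        return "tampered"
    if state["runs_left"] <= 0:
        return "expired"
    state["runs_left"] -= 1
    store[ENTRY] = seal(state)
    return f"ok:{state['runs_left']}"

def demo() -> list:
    store = {}                                    # constructed stand-in for the registry key
    installer_seed(store)
    out = [launch(store), launch(store)]          # two normal launches
    snapshot = dict(store)                        # copy of the value with 48 runs left
    store[ENTRY] = store[ENTRY].replace("48", "50", 1)
    out.append(launch(store))                     # hand-edited count: tag no longer matches
    out.append(launch({}))                        # value deleted
    out.append(launch(dict(snapshot)))            # older copy restored: tag is still valid
    installer_seed(store)
    out.append(launch(store))                     # installer re-run: full trial again
    return out
```

`demo()` returns the status of each launch in order; the last two entries are the cases no purely local check can distinguish from honest use.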
 
 
Sorry for snapping at you.  I'll consider my options before posting a reply.  I have some things to mull over that you brought to my attention.
PSB136
Monday, January 13, 2014
 
 
>> "Sorry for snapping at you."

That's alright.
Wyatt O'Day
Monday, January 13, 2014
 
 
If you do not want to require internet access at all, or some sort of hardware locked trial license, then it seems like your only other workable solution is to limit the features during the trial. Maybe obfuscate output files, or limit amount of data that is processed, etc.
Bill Anonomist
Monday, January 13, 2014
 
 

This topic is archived. No further replies will be accepted.
