A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
We're closed, folks!
Doug Nebeker ("Doug")
Okay, so I'm near ready to release another PC app, and I've pretty much given up on my misguided philosophy to trust users to pay. :(
My app is something that'll be used maybe once or twice a day, depending on the user's obsessive-compulsive nature. It's not a constantly-running app, but launch, process, then quit. I want them to be able to launch it a max of 50 times before payment, which is ample time to test its functionality. (They'd actually know after the first launch if they want it).
I don't want internet access to be used because I often use a laptop that has no net access, so apps that require it go against my principles.
I also don't want to use the Registry to store the trial info, as this can easily be overcome/reset with Sandboxie or RegShot.
What do you suggest for a non-internet, non-Registry protection?
Or does this mean I'm making it all too hard on myself?
>> "I also don't want to use the Registry to store the trial info, as this can easily be overcome/reset with Sandboxie or RegShot."
Files aren't magical. They can be tracked, altered, removed just as easily as the registry. See: Process Monitor, or a thousand other tools.
>> "What do you suggest for a non-internet"
All non-internet trials will be "unverified trials", meaning they can be easily reset by malicious users with the ability to Google "processor monitor".
The alternative is "verified trials". I can explain what goes into this, if you'd like. There are several ways to do verified trials, but a connection to the outside world (via the Internet, horse-drawn carriage, or carrier pigeon) is needed at least once.
>> "Oh, and I also don't want to pay somebody to protect it for me. ;)"
We have a free plan: https://wyday.com/limelm/signup/free/
You can do either "verified trials" or "unverified trials". Your choice.
Wednesday, January 01, 2014
Registry/files = the same end result. They both access the hard drive; I know that. Sandboxie and RegShot can catch file modifications as well as the Registry.
I don't want a connection to the outside world at all. I personally love apps that once I buy, they're mine to use without ever contacting the author again. I intend to do the same for others, even though I know it makes my fight against piracy harder (and probably impossible).
I'll pass on your free plan. When I said "don't want to pay anyone", I should've said, "don't want to depend on anyone". Nothing against what you do; it's just that I don't want any third parties involved at this time. :)
So, you want an app that does one thing when the user has not yet paid (run only 50 times) and another thing if the user has paid (run indefinitely), but to determine which one of those is the case, it cannot use anything on their computer or on the internet? What is then left? An extra piece of hardware?
Here is a solution: have two versions. The trial requires internet access. Once they buy, they obtain some extra component, and can then run forever without connecting. This does require an extra download/install, and they do still need to connect while on the trial, but if you are correct that they will know if they want it after a single launch, the trial period shouldn't last long.
> I also don't want to use the Registry to store the trial info, as this can easily be overcome/reset with Sandboxie or RegShot.
What types of users do you target? 99% of them have never heard of or wouldn't know how to do something like you mention. But of course if your app is for some very technical or hacker-minded folks, that would change significantly.
But if you're saying no to any sort of persistent on-computer (i.e. disk) approach, and you're against off-computer (online) approaches, you've pretty much ruled out everything.
My targets are both novice and advanced PC users, and my app even has a switch that they select for their skill level. Novices get all options in the app enabled, and advanced users can pick and choose.
I think I'll just do a Registry save and be done with it. I'm so sick of worrying about piracy that if I don't, I'll never release it. :(
+1 to your wife.
Yes there are people who may do this but if you spend all your time focused on them you can't sell your product to all the people who will happily pay for it. And most people DON'T go digging around in the registry.
Years ago I bought an antivirus software that kept making me register after I'd registered. There was no mention of this in their knowledge base and they had deliberately made it so hard to find a way to contact them directly that I ended up spending over 30 minutes searching their site just to get email/phone info.
When I did finally reach someone it was obvious I was no isolated incident. I brought up how frustrating it was and their response was "well we have to protect ourselves from people who try to steal our software." I wondered -- at what cost to those of us who paid for it?
I was so annoyed at being treated with such suspicion that I have never bought their software since and told any friends who wanted advice to steer clear too. It really made me think -- you can try so hard to protect against the few dishonest people that you end up alienating the good paying clients.
Okay, the way I'm going to do it, is store the run count and other prefs in one single encrypted REG_SZ entry... so if they do decide to delete this Registry entry to reset the app, then they will also lose all their prefs at the same time, and will have to set it all up manually again.
I think that's a fair enough punishment! :)
To make it a little bit harder: have an installer which creates the (encrypted) registry entry.
That way if someone deleted the entry, you know they were trying to tamper, so you treat it as running out of trial period.
To restore the functionality they would have to re-run the installer or set the initial registry entry value, which are less obvious than just deleting the registry.
Not that much additional protection, but simple to implement.
I happen to believe that obscurity, not piracy, will break the software business.
When you get to the point that many people want to pirate your software, you must be getting lots of sales, at which point you can invest in a really good protection.
At the beginning, when you don't know if anyone actually cares about your software, it's a waste of time.
Trust me, I have completely free software that few people are interested in.
Friday, January 03, 2014
Yep, Scott. There's no reason to store one Registry entry for license info, one for window X position, one for window Y position, etc. Encrypt them all together and store once; all eggs in one basket.
Stops the majority of non-payers from mucking around with it, as only the most dedicated cracker will bother trying to reverse the encryption and then make their own prefs writer for the app.
Another step might be to store the data as REG_BINARY instead of REG_SZ, as that's a little bit harder for a newbie to put into the Registry (they can't just paste something in, like they can with a string value).
Just today I came up with the idea to also encrypt the window's width and height dimensions (and other parameters) in the saved data... so if anyone deletes the Registry key or modifies it, the app won't be visible when run. I love it. It works really well with my (limited) testing.
Your idea is a little vague, but here's what I read:
- You encrypt or hash a value (in this case window positions) in the registry.
- You also store the window positions in your customers' data.
- If they mismatch then the trial has been tampered with.
Have I got it right? If so, then that's a terrible idea. What happens if the user uses an old data file? What happens if the user uses the data file on another computer?
Sunday, January 12, 2014
All app settings (window width/height, etc), and user prefs (window x/y pos, etc), and trial uses remaining, are stored in one single encrypted REG_SZ entry. If the user decides to delete that entry to "reset" the trial, fine -- they lose all their prefs for doing so and the window won't even appear properly when the app runs. They'll need to reinstall the app to restore the default settings (which InnoSetup will do). Sounds fair enough to me, as they shouldn't be messing with that Registry entry in the first place.
There's no "old data file" to use, and no problem if the app is used on another PC, because it's only licensed for use on one PC anyway. There's no problem with this solution at all. It's not "terrible" except to someone like you who makes a living selling anti-piracy tools.
>> "It's not "terrible" except to someone like you who makes a living selling anti-piracy tools."
I should've spelled out the problems with your method and let you come to the conclusion that it is terrible, rather than just asserting it's terrible. Mea culpa. I'll try to do it now.
>> "they lose all their prefs for doing so and the window won't even appear properly when the app runs. "
Ok, so if it's in all one place (nothing being compared), then yes the settings will be deleted. That's absolutely correct. But will the window position be wrong / hidden / obscured? Not unless your new customer's first run of your app is wrong / hidden / obscured.
Do you see my point?
>> "They'll need to reinstall the app to restore the default settings (which InnoSetup will do)."
They can reset the trial by reinstalling your app? Then what's the point of all these elaborate methods? Wouldn't someone that wants to reset your trial just reinstall your app?
Monday, January 13, 2014
>> "Sorry for snapping at you."
Monday, January 13, 2014
If you do not want to require internet access at all, or some sort of hardware locked trial license, then it seems like your only other workable solution is to limit the features during the trial. Maybe obfuscate output files, or limit amount of data that is processed, etc.
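Added example (not from any poster in the thread): a sketch of the scheme discussed above, one installer-created value holding the run count and prefs, with a missing or altered value treated as an expired trial. It uses an HMAC tag in place of the encryption the posters mention, and a dict named `store` stands in for the registry value; `APP_KEY`, the function names and the prefs fields are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a key compiled into the app. Anyone who extracts it can forge
# values, so this only raises the bar, as the thread itself concedes.
APP_KEY = b"constructed-demo-key-not-a-real-secret"
TRIAL_RUNS = 50  # launch limit from the original post


def seal(state: dict) -> str:
    """Serialize state and prepend an HMAC-SHA256 tag (hex) over the payload."""
    payload = json.dumps(state, sort_keys=True)
    tag = hmac.new(APP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return tag + ":" + payload


def unseal(blob):
    """Return the state dict, or None if the value is missing or altered."""
    if not blob or ":" not in blob:
        return None
    tag, payload = blob.split(":", 1)
    good = hmac.new(APP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return None
    return json.loads(payload)


def install(store: dict) -> None:
    """Installer step: create the single value with a full counter and default prefs."""
    store["State"] = seal({"runs_left": TRIAL_RUNS, "paid": False,
                           "prefs": {"x": 100, "y": 100, "w": 800, "h": 600}})


def launch(store: dict) -> str:
    """App start-up: returns 'paid', 'trial' or 'expired' and updates the counter."""
    state = unseal(store.get("State"))
    if state is None:  # deleted or hand-edited value: treat as out of trial
        return "expired"
    if state["paid"]:
        return "paid"
    if state["runs_left"] <= 0:
        return "expired"
    state["runs_left"] -= 1
    store["State"] = seal(state)
    return "trial"
```

The tag catches deletion and hand edits only: an earlier valid value that is saved and restored still verifies, and running `install` again writes a full counter, which are the snapshot and reinstall objections raised in the thread.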
This topic is archived. No further replies will be accepted.