
How does one implement a trial period in a product properly, e.g. a trial period that lasts 30 days, or limits the number of product uses to 10?

Storing the entries, even in an encrypted form, isn't secure: users can back up the registry values and restore them when the trial ends.

What's the proper way to implement Time/Use Limited trial periods?

AviD
techno
  • I _think_ the only way to solve this in a water-tight fashion is to enforce clients to connect to a server that stores the information (e.g. number of trial days left), over which you have control. – Steven Volckaert May 07 '14 at 10:33
  • @StevenVolckaert But it will force the user to be connected to the web when running the program. – techno May 07 '14 at 10:36
  • Indeed. To my knowledge, it's the only water-tight solution. I'm curious if there are other ways. – Steven Volckaert May 07 '14 at 10:38
  • @StevenVolckaert But I think it won't be a problem if the things that the user does with the software are web based :) – techno May 07 '14 at 10:40
  • There is no proper way, since it's impossible to implement securely. So you can only rely on obscurity. – CodesInChaos May 07 '14 at 11:41

2 Answers


The trick isn't implementing the feature: that's basic timekeeping, file use, subtraction, etc. The trick is ensuring they don't bypass it. The body of tricks you must google for that is called "code obfuscation techniques." If this was easy, there wouldn't be entire industries producing and countering them. The major tech in this area is DRM, which is basically what you're creating. It typically doesn't work if it's on a machine they control. So, the software needs to be on one you control.

The TPMs are designed to accomplish this, but are failures. The web option another mentioned is possible, but you say that's unacceptable. The last solution that can work in standalone is to provide a piece of hardware that runs your software while protecting it. Technology such as CODESEAL[1], SecureCore, SecureME, etc. (Google them) allows software to run in a system while not trusting memory, devices, etc. You might combine a tech like CODESEAL, a simple OS, a driver, and a tiny form-factor PC to make a solution somewhat convenient for your users. They plug the device into their PC, drivers for communication are installed, an app for interface is installed, they register their device via a code (or online), and from that point on they just click an icon to see the application. Even though it seems like it's on their system, it's actually running on the device which protects its code via memory encryption & control flow protection.

That was my design a while back for solving this problem.

[1] http://www.microsemi.com/products/information-assurance/softwareanti-tamper/codeseal

Nick P
  • Thanks for your answer. But I'm looking for the specific techniques to implement time limited trial. I know about the stuff you are talking about. I expect a more specific answer to the question. – techno May 19 '14 at 02:53
  • On install, write install date/time, expire date & identifying system data into encrypted file. On load, you get current date/time, get info, compare each for sanity (has time gone backwards?), & check for expr date. If any fails, don't run. Anything more is obfuscation. Best obf. was Skype & it was cracked quick. Hardware dongles help but require you/users to buy them. Still potential bypasses. Copy protection on hostile user's vanilla OS & machine has *never* succeeded over time. A previous SE answer wisely said it's for keeping more honest users acting fair, not for stopping thieves. – Nick P May 27 '14 at 01:27
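
The install-time record and load-time sanity checks described in the comment above, as an added example that is not part of the original thread. It assumes an HMAC-SHA256 tag over the state in place of encryption (so it runs on the Python standard library alone); the key, machine ID and timestamps are constructed placeholders.

```python
import hashlib
import hmac
import json

DAY = 86400  # seconds per day
KEY = b"constructed-demo-key"  # assumption: a real client would embed its own key


def _seal(state: dict, key: bytes) -> bytes:
    """Serialize the state and prepend a hex HMAC-SHA256 tag over it."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def create_trial(key: bytes, machine_id: str, now: int, days: int = 30) -> bytes:
    """On install: record install time, expiry and identifying system data."""
    state = {"install": now, "expires": now + days * DAY,
             "last_seen": now, "machine": machine_id}
    return _seal(state, key)


def check_trial(blob: bytes, key: bytes, machine_id: str, now: int):
    """On load: return (ok, reason, blob_to_write_back)."""
    tag, sep, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return False, "tampered", blob        # edited or corrupted record
    state = json.loads(body)
    if state["machine"] != machine_id:
        return False, "wrong-machine", blob   # record copied from another system
    if now < state["last_seen"]:
        return False, "clock-rollback", blob  # time has gone backwards
    if now >= state["expires"]:
        return False, "expired", blob
    state["last_seen"] = now                  # advance the high-water mark
    return True, "ok", _seal(state, key)


if __name__ == "__main__":
    t0 = 1_400_000_000  # constructed install timestamp
    blob = create_trial(KEY, "PC-1", t0)
    ok, reason, blob = check_trial(blob, KEY, "PC-1", t0 + 5 * DAY)
    print(ok, reason)
    print(check_trial(blob, KEY, "PC-1", t0 + 2 * DAY)[:2])
```

Because the key ships inside the client, this gives tamper-evidence against casual edits only, which is the limit the thread describes.
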

Look up SLP server, a former Microsoft product.

It handles the obfuscation, encryption, and limited use (and reporting) you're looking for.

makerofthings7