Trial protection?

Hi, I have a ready application, which ported very well to windows, I have been trying to devise some sort of trial copy protection, but I am stuck.

If for example I would like to limit number of executions of the program in trial mode, I could write number of executions in external file (even in encrypted form) and check it every time the application starts, but this file can be easily replaced because resource directory is not protected in any way.

Do you guys have any idea how it could be done?

First, there is no standard way of handling this.  Native windows developers (including Corona Labs) have to come up with their own solution.

If you intend to track the trial length locally, then there is no unhackable full-proof solution to this.  The best you can do is encrypt the start time and hide it somewhere.  Like to a text file, but rename the extension to a DLL.  Of course, once people find out what your scheme is, then it can be circumvented.  Or the end-user could revert to a backup/snapshot.  Another thing they can do is change the system time back.

A more full-proof solution would be to have the trial software ping a server on your end to see if it is still authorized to run.  But of course, this requires you to set up a web server… and it will require the end-user’s system to have Internet access.  But you’ll have more control.  And you can identify the system via system.getInfo(“deviceID”) which returns an encrypted version of the Windows system’s “SID”, which is a unique identifier assigned to the system by Microsoft upon installing Windows.  Just be aware that the SID can change when the user re-installs Windows, which is many shareware software gets invalidated after a re-installation.

Thanks for replay Joshua:)

I know that there is no bullet-proof solution of protecting your app, I just wanted something more difficult than  replacing your files in app/Documents directory with an older version or setting system clock back.

I was thinking about doing internet checks on application but this imposes requirement on the user of being always online which would deter a lot of people from buying your app in first place.

Ideally Corona product for windows should have built in copy/trial protection funcionality:)

A simple solution is to create a text file that holds a code that represents the number of trials, with some built in rules (e.g. the ASCII code of the 7th character should always be double the ASCII code of the 3rd character, minus 5). It’s not uncrackable, but at least it provides a challenge.

And of course you can hash/encrypt this code as well.

@thomas6

I am already saving encrypted file which contains number of trials, the thing is that anyone can copy the file from app/Documents folder on first trial and then put it in place of existing file when user has reached maximum number of trial runs, effectively reseting the trial counter

hmmm. Good point, that wouldn’t work well!

StarCrunch’s suggestion here may be an option: https://forums.coronalabs.com/topic/57527-resources-are-open-any-way-to-compress-or-encode-them/#entry300841

See his second reply from the bottom

Like @InfuseDreams mentioned above, there are 3rd party commercial tools to help you with this.  Several actually…

   https://www.google.com/?gws_rd=ssl#q=win32+copy+protection

Or you can develop your own.  Because if you use a 3rd party tool, then that’s a single target for hackers to target.  Versus if you create your own scheme, nobody will know how it works until they dig into.  It’s of course impossible to make it completely hacker proof, but it just has to be reasonable difficult.

An alternative solution is to make 2 different versions/builds of your app.  I’m thinking of the shareware approach used back in the 90’s.  1 is a gimped trial version that people can use freely without expiration.  The other version is the full/paid version that requires authorization over the Internet on startup.  This might be a simpler approach, provided that it makes sense to make a trial version of your app that does not provide all of its features.  For game it makes sense because you would only provide maybe the first few levels in the trial version.

And like I said in an earlier post above, you can fetch the Windows’ SID (Security Identifier) via system.getInfo(“deviceID”) to authorize the machine with.

First, there is no standard way of handling this.  Native windows developers (including Corona Labs) have to come up with their own solution.

If you intend to track the trial length locally, then there is no unhackable full-proof solution to this.  The best you can do is encrypt the start time and hide it somewhere.  Like to a text file, but rename the extension to a DLL.  Of course, once people find out what your scheme is, then it can be circumvented.  Or the end-user could revert to a backup/snapshot.  Another thing they can do is change the system time back.

A more full-proof solution would be to have the trial software ping a server on your end to see if it is still authorized to run.  But of course, this requires you to set up a web server… and it will require the end-user’s system to have Internet access.  But you’ll have more control.  And you can identify the system via system.getInfo(“deviceID”) which returns an encrypted version of the Windows system’s “SID”, which is a unique identifier assigned to the system by Microsoft upon installing Windows.  Just be aware that the SID can change when the user re-installs Windows, which is many shareware software gets invalidated after a re-installation.

Thanks for replay Joshua:)

I know that there is no bullet-proof solution of protecting your app, I just wanted something more difficult than  replacing your files in app/Documents directory with an older version or setting system clock back.

I was thinking about doing internet checks on application but this imposes requirement on the user of being always online which would deter a lot of people from buying your app in first place.

Ideally Corona product for windows should have built in copy/trial protection funcionality:)

A simple solution is to create a text file that holds a code that represents the number of trials, with some built in rules (e.g. the ASCII code of the 7th character should always be double the ASCII code of the 3rd character, minus 5). It’s not uncrackable, but at least it provides a challenge.

And of course you can hash/encrypt this code as well.

@thomas6

I am already saving encrypted file which contains number of trials, the thing is that anyone can copy the file from app/Documents folder on first trial and then put it in place of existing file when user has reached maximum number of trial runs, effectively reseting the trial counter

hmmm. Good point, that wouldn’t work well!

StarCrunch’s suggestion here may be an option: https://forums.coronalabs.com/topic/57527-resources-are-open-any-way-to-compress-or-encode-them/#entry300841

See his second reply from the bottom

Like @InfuseDreams mentioned above, there are 3rd party commercial tools to help you with this.  Several actually…

   https://www.google.com/?gws_rd=ssl#q=win32+copy+protection

Or you can develop your own.  Because if you use a 3rd party tool, then that’s a single target for hackers to target.  Versus if you create your own scheme, nobody will know how it works until they dig into.  It’s of course impossible to make it completely hacker proof, but it just has to be reasonable difficult.

An alternative solution is to make 2 different versions/builds of your app.  I’m thinking of the shareware approach used back in the 90’s.  1 is a gimped trial version that people can use freely without expiration.  The other version is the full/paid version that requires authorization over the Internet on startup.  This might be a simpler approach, provided that it makes sense to make a trial version of your app that does not provide all of its features.  For game it makes sense because you would only provide maybe the first few levels in the trial version.

And like I said in an earlier post above, you can fetch the Windows’ SID (Security Identifier) via system.getInfo(“deviceID”) to authorize the machine with.