This article is the second part of my previous article, Software Copy Protection for .NET Applications - A Tutorial. In that article I presented several methods for achieving satisfactory software copy protection for .NET applications. In this article I will show you how to create trial versions of your products in a secure manner. Note that completely eliminating software piracy is not generally possible given today's OS and hardware infrastructure, but this doesn't mean you cannot control it with careful consideration.
Attached to this article are C# and VB.NET samples (derived from my first article's samples but significantly different) showing how to implement trial versions of your products. The article does not contain source code (it's in the samples), because I would rather concentrate on explaining how to do it than duplicate source code that can already be found in the samples.
One of the most successful models for selling software is the trial software model. In this model, potential customers are allowed to download and use the software free of charge for a limited period of time, after which the software stops working unless a license is purchased. Unfortunately, this model is also one which can cause loss of revenue because it increases the risk of software piracy.
After the user downloads your trial software, you must do the following:
As you can see, this is easier said than done. Some pressing questions appear: where do you store the expiration data such that the user cannot find and alter it? How can you make sure the user didn't alter the system clock? The answers are below.
The answer to this question is that if you have to hide data from the user, your licensing model is already compromised. A good licensing model should never be based on hiding or obscuring data from the user.
The solution that I have found to this matter is to use an online licensing service in conjunction with digital signatures based on public key cryptography. I chose to use SoftActivate Licensing SDK (from www.softactivate.com) because it is quite cheap, and it includes an ASP.NET licensing service which can issue short, human readable license keys (digitally signed using elliptic curve cryptography) and supports product activation which strongly resembles the trial licensing model. In addition to this, it can generate unique hardware id strings, which are very important (see below).
Of course, you can build your own service for this purpose, for example using RSA public/private key pairs and digital signatures. The algorithm is as follows:
This approach solves the "where to store the expiration data" problem. Basically, you can store this data anywhere you want. You don't need to hide anything, because this data cannot be altered without the product detecting it.
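One way a self-built scheme of this kind can look, as an added example (it is not the article's sample code and not the SoftActivate SDK): the service signs the hardware id and expiration date with its RSA private key, and the product verifies them with an embedded public key. The payload layout, the class and method names and the hardware id values are assumptions made for this example.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added illustration; names and payload format are hypothetical.
static class SignedTrialLicenseDemo
{
    // Canonical bytes that get signed: hardware id plus UTC expiration (round-trip format).
    static byte[] Payload(string hardwareId, DateTime expiresUtc)
    {
        string text = hardwareId + "|" + expiresUtc.ToString("o", CultureInfo.InvariantCulture);
        return Encoding.UTF8.GetBytes(text);
    }

    // Licensing service side: the private key never leaves the server.
    static byte[] Issue(RSA privateKey, string hardwareId, DateTime expiresUtc)
    {
        return privateKey.SignData(Payload(hardwareId, expiresUtc),
                                   HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Product side: only the public key is embedded, so stored data can be read but not forged.
    static bool IsValid(RSA publicKey, string localHardwareId, string licenseHardwareId,
                        DateTime expiresUtc, byte[] signature, DateTime nowUtc)
    {
        bool authentic = publicKey.VerifyData(Payload(licenseHardwareId, expiresUtc), signature,
                                              HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return authentic && licenseHardwareId == localHardwareId && nowUtc <= expiresUtc;
    }

    static void Main()
    {
        using (RSA service = RSA.Create(2048))   // demo key pair; a real service loads its stored key
        using (RSA product = RSA.Create())
        {
            product.ImportParameters(service.ExportParameters(false)); // public part only

            string hwid = "HWID-CONSTRUCTED-0001";                     // constructed sample value
            DateTime issued = new DateTime(2012, 10, 9, 0, 0, 0, DateTimeKind.Utc);
            DateTime expires = issued.AddDays(30);
            byte[] sig = Issue(service, hwid, expires);
            DateTime day10 = issued.AddDays(10);

            Console.WriteLine("untouched license:  " + IsValid(product, hwid, hwid, expires, sig, day10));
            Console.WriteLine("edited expiration:  " + IsValid(product, hwid, hwid, expires.AddYears(1), sig, day10));
            Console.WriteLine("copied to other PC: " + IsValid(product, "HWID-CONSTRUCTED-0002", hwid, expires, sig, day10));
            Console.WriteLine("after expiration:   " + IsValid(product, hwid, hwid, expires, sig, issued.AddDays(31)));
        }
    }
}
```

The `nowUtc` argument still comes from the local clock, which is why the signature check has to be paired with clock manipulation detection.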
Almost every software product uses license keys to "unlock" the software. A good idea is to embed a certain license key into the product, which is marked as a "trial license key". If the product detects the trial license key at startup, it behaves like a trial version, and if it detects a regular license key, it behaves like a registered product.
The concept of trial license keys is important when using online software activation with your products (see my previous article for details). When the product sends the license key to the activation server, the server issues a license with a shorter expiration date if it receives a trial license key, and a license with a longer (or unlimited) expiration date if it receives a regular (purchased) product key. The samples in this article use this concept: they have an embedded "trial key" which is sent to the licensing service. The licensing service searches for this license key in its database, and issues a digitally signed expiration date according to what is specified for that particular trial key (30 days from the time of receiving the request). You can modify this value in the licensing service database.
System clock manipulation detection involves searching a computer for evidence that the system clock was turned back with the purpose of prolonging a software license past its expiration period.
To my knowledge there are no 100% bullet-proof methods of doing this, but usually this involves:
The included samples contain some simple clock manipulation detection routines searching the event logs for event dates that occur in the future. See the ClockManipulationDetector class in the sample projects.
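The future-dated event check described above, as an added example; it is not the ClockManipulationDetector class from the samples. The class and method names, the tolerance value and the sample timestamps are assumptions made for this example, and the log reader uses the .NET `System.Diagnostics.EventLog` class on Windows.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

// Added illustration; names are hypothetical.
static class FutureEventScan
{
    // Returns the timestamps lying further ahead of 'now' than the tolerance allows.
    // The tolerance absorbs small legitimate clock corrections.
    public static List<DateTime> FutureDated(IEnumerable<DateTime> eventTimes,
                                             DateTime now, TimeSpan tolerance)
    {
        return eventTimes.Where(t => t > now + tolerance).ToList();
    }

    // Reads the local-time stamps of the newest 'max' entries of a Windows event log.
    public static List<DateTime> ReadLog(string logName, int max)
    {
        var times = new List<DateTime>();
        using (var log = new EventLog(logName))
        {
            EventLogEntryCollection entries = log.Entries;
            for (int i = entries.Count - 1; i >= 0 && times.Count < max; i--)
                times.Add(entries[i].TimeGenerated);
        }
        return times;
    }

    static void Main()
    {
        TimeSpan tolerance = TimeSpan.FromHours(1);
        DateTime now = new DateTime(2012, 10, 16, 12, 0, 0);   // constructed "current" time
        var sample = new[]                                      // constructed event timestamps
        {
            new DateTime(2012, 10, 15, 9, 30, 0),
            new DateTime(2012, 10, 16, 12, 20, 0),              // 20 minutes ahead: within tolerance
            new DateTime(2012, 12, 1, 8, 0, 0),                 // logged before the clock was turned back
        };
        foreach (DateTime t in FutureDated(sample, now, tolerance))
            Console.WriteLine("future-dated event: " + t.ToString("s"));

        // The same check against the real logs of this machine.
        foreach (string name in new[] { "System", "Application" })
            Console.WriteLine(name + ": " +
                FutureDated(ReadLog(name, 5000), DateTime.Now, tolerance).Count + " future-dated entries");
    }
}
```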
The samples are created with Visual Studio 2010. SQL Express 2005 or higher should also be present on the development machine for the licensing service database. Also make sure that SoftActivate Licensing SDK (2.0 or higher) is installed on the development machine. Before compiling, copy the LicensingService subfolder, found under the Bin folder of the SoftActivate Licensing SDK installation folder, into the Tools folder created by unzipping the sample.
First and foremost, you must start the licensing service by running the RunLicensingService.bat file from the Tools folder. Make sure that the paths in the .bat (to Visual Studio and to the sample folder) are set correctly! Go to the \bin\Release folder and run the SampleAppCS.exe or SampleAppVB file. Click the "Start 30-day Trial" button to start the trial. The application will then connect to the licensing service and request a trial license. Please note that if you try to click it again, it will not work since a trial license has already been issued for your computer. In order to try again, you must connect to the licensing service database (found in the Tools\LicensingService\App_Data folder) and delete the record from the Activations table.
You should be aware that your trial product is not secure if you do not employ the typical software copy protection techniques explained in the first article of this series. This is because if your application binaries can be altered, the trial checking mechanisms can be bypassed altogether.
October 9, 2012 - Initial publication.
October 16, 2012 - Small bug fixes to the samples.