jM2.me

Reputation: 3969

Where is a good place to store serial code and such?

I have software with serial code validation. At first I thought about making a config file and storing the serial, etc. there. This didn't work out well for me so I changed it to save the name, serial, and expiration in the Windows registry.

It works well so far but I am afraid that users might find out about it and simply delete the entry from the registry; doing so will remove the expiration and allow them to use the trial again.

What are other good places to store the user name, serial code, and expiration date?

Thanks

Upvotes: -1

Views: 392

Answers (4)

user149341

Reputation:

Another effective approach to writing trial software I've often seen used has been to require the user to register online and receive a temporary registration code for the software. Trying to implement a trial period without some sort of external component is going to be much less reliable in general.

Upvotes: 0
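The online registration described in this answer, sketched as an added example (not part of the original answer): the server issues a time-limited registration code and checks it when the client presents it, so the expiry is recorded outside the user's machine. The key, the 14-day period, the account name and the in-memory store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: kept on the server, never shipped in the client
TRIAL_SECONDS = 14 * 24 * 3600        # assumption: 14-day trial
_first_issue = {}                     # server-side record: account -> expiry (a database in practice)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_code(account: str, now: int) -> str:
    """Server side: issue a code whose expiry is fixed at the first registration."""
    # setdefault keeps the original expiry, so registering again after wiping
    # local state (registry key, config file) does not restart the trial.
    expires = _first_issue.setdefault(account, now + TRIAL_SECONDS)
    payload = json.dumps({"account": account, "expires": expires},
                         sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def check_code(code: str, now: int) -> str:
    """Server side: validate a presented code. Returns 'valid', 'expired' or 'invalid'."""
    try:
        body, tag = code.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time comparison; any edit to the payload changes the expected tag.
        if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
            return "invalid"
        expires = int(json.loads(payload)["expires"])
    except (ValueError, KeyError, TypeError):
        return "invalid"
    # 'now' is the server's clock, so changing the client's clock has no effect.
    return "valid" if now < expires else "expired"
```

Because the check runs on the server, the signing key never has to be embedded in the distributed executable.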

thkala

Reputation: 86333

I'll save you the trouble and tell you that whatever you store or modify in a user's computer, an experienced user will be able to reverse - and, yes, that will allow the user access to your trial software again. Worst case, they could use a virtual machine and take snapshots of the VM before installing your trial version.

I'll go a step further and mention that a significant number of users would be very annoyed with a program that displays rootkit-like behaviour (any Sony fans here?) and tries to hide in every nook and corner of their OS. Having your software phone home or storing personal information (e.g. OS serials) on your server is at least bad form - if you do it without notifying your users it could also be illegal.

Bottom line: don't try to find a technical solution for a marketing problem. Make your full version appealing enough for a user to buy. Trust your users to be reasonable, rather than consider them indiscriminately potential thieves. And, for insert-favorite-deity's sake, do not mess up their computers...

If you offer a very expensive piece of software, you might want to consider hardware keys - as long as you somehow make sure that they will keep working in 10 years even if your business drops support. I, for one, hate anti-piracy measures that punish the legal users of the software.

Upvotes: 4

Rolice

Reputation: 3103

I suggest you store it in some specifically encrypted file, or self-modify some resource or the application file itself.

For good protection, the application product (executable) is being compressed with specific algorithms which are extracted at run-time in memory, etc. UPX with its variants is used for example.

Large companies develop their own protections, but actually when a reverse engineer(s) starts his/their work it is normal (expected) to overwhelm any defense by a given reverse approach.

The point is to try to hide your algorithms for valid serial matching as for the encryption of your serial, to file or registry etc.

For example, you may have your serial in a file, where it is hashed against the file creation datetime. But when somebody disassembles your executable it won't be a big deal to reproduce a keygen based on your scenario, when he sees the whole picture. :)

As thkala said, you have to focus on earning customers, because probably you have no such resources as the large companies to invest in security.

Upvotes: 1

Nayuki

Reputation: 18533

In theory, there is no way to stop a user from forcibly extending the free trial. Indeed, the user can mess with the system clock, or even use a virtual machine with snapshot capability.

The short answer to your question is summed up as "security by obscurity". You will have to write innocent-looking or weird-looking files or registry entries in creative places, and you must keep these locations a secret. You should also scramble the information that you want to store (e.g. name, serial) so that the user cannot perform a full-text search to find where it's stored.

If you want to be extra creative, you can somehow pad some system files (maybe like notepad.exe) and store your secret payload there.

Additionally, you can have the software phone home over the Internet; you can check against clock attacks; you can try to store data in the free space of a disk partition.

Upvotes: 1
