How to make Trial Plugins for 10 days

DabDab

@d-healey Great.. when the link expires how the new links are generated?
Let me clear.. I want to purchase your Piano (just assume ) Natan has already purchased and Downloaded so the links have been destroyed. How do I download the same product? Do you every time re generate the downloading link?

d.healey

@DabDab said in How to make Trial Plugins for 10 days:

when the link expires how the new links are generated?

It's automatic. When the user is in their account and they click download, WooCommerce generates a time limited link.

DabDab

@d-healey That means you have to set Downloads Types (from woocommerce settings) to Always Redirect. Right? Because by default Woocommerce sets it to Bruteforce. In bruteforce mode Links don't work well. It download random file (gibberish) .

d.healey

@DabDab For a long time I had mine set to x-accel. But then I realised this was running the traffic through my website, which was not good! I spoke to WooCommerce and they said to use Redirect Only, it's marked as insecure in the WooCommerce settings, but if you're using the Amazon S3 plugin it's fine.

DabDab

@d-healey Yeah.. I guessed right.. :)

d.healey

Another thing you can do is limit the number of downloads the user has, I limit mine to 10. Very occasionally a user asks for more but most users don't download more than once.

DabDab

@d-healey Yeah.. However 3 is sufficient.

Natan

@DabDab Lets Say they want to crack a Plugin From our devs here...at hise.

First They Look for Unlockable Demo Installers.
If exist they will Crack that Version.

If There was A Demo version, Based on Serial Numbers, They will make a Fake account then Get the Demo, and Crack the Installers.

They never Buy Anything from you, me or anyone else,
People Provide The installers to Some Trusted People, Then They Get The Installers from that guy and Do the Crack. ( why trusted people, Because of keeping their Identity Hidden )

And I don't think you can Track The personNo matter how many You sold. The Installers are Clean of Personal Information.

They can't hack your Server, Or do Phishing, But can Create Emulators That can Fake call your Host, and return The Valid License Found message.
This usually used for the protections Types that Has A Check with server Script.

@lindon and @Orange case is because they Both are using a Serila Number formula, that's why you see A Name like R2R makes a Keygen. Keygen technically Used for Formula Type Protections.

@hisefilo Products doesn't have any protection, That's why you see a Word After the title "Retail".
It means Someone purchased and Provided the Installers to the Public.
From where, Who is That Guy??? It is Clearly Remain Unknown.

As @d-healey stated, It is better to have a Limitation on Dowbloads or you simply get Hijacked, and since this is a Pay per Download Plan you Get in trouble.

Best Copy Protection idea is to have Single Serial Number, It still Brekable, But since Crackers dont Publish Anything that can Put someone in Danger ( The owner of Serial number), so They Dont Publish Someone elses Serial Code (Which is Simply Trackable by Devs).
It takes more time to Patch the Dll files, and once you release an Update It needs another process to Do The Patch.

For video stuffs it is better to Have a Closed and subscription plan, Or you simply get Hijacked at launch day.

DabDab

@Natan Very nice. You cleared many confusion man. God bless Thank you :)

Natan

@DabDab God bless you man
Don't mind The Crackers,
Keep Up the good Work

hisefilo

@Natan Hi mate! in your opinion. What's the strongest way to secure a server-check connection? How to avoid pirates to intercept or reproduce the server response?? SSL api call is enough?

Natan

@hisefilo Hey Mate

Actually I'm not a WebMaster,
From my experience They Make Emulators And It kinda Fakes The Connections, No matter What server, For example Ableton Use Same Server response Method, and R2R Made a Tool to Fake That.
I believe We can't do anything About it

hisefilo

@Natan thanks! It's hard to believe a huge company as Ableton can't figure out how to avoid piracy

Lindon

@hisefilo -- one approach I designed for a server check-in system included a challenge response , so the plugin has a set (of say 500) challenge/response pairs, so it sends the server its "is this registered?" type message along with one of the challenges, and gets back a yes/no and a response, if the message returned from the server is "this plugin is OK " then the plugin looks up the response to make sure its correct for the challenge it sent....

The idea being its pretty hard for the pirates to have a system that fakes the server AND fake the challenge/response when there are 500 different options it would need to cover......

d.healey

@Lindon said in How to make Trial Plugins for 10 days:

The idea being its pretty hard for the pirates to have a system that fakes the server AND fake the challenge/response when there are 500 different options it would need to cover......

If they are able to find the flag in the binary they could just set it to 1 and bypass the server calling altogether. This is the problem with all solutions that don't use a dongle or a live connection.

Lindon

@d-healey -- go read Urs Heckmans commentary(KVRAudio DSP forum) on how to build effective authorisation systems - he has a way around this issue.

d.healey

@Lindon Interesting, I shall go and look it up

Lindon

@d-healey - in the right thread now:

https://www.kvraudio.com/forum/viewtopic.php?f=33&t=523031&p=8235873&hilit=Urs#p8235873

d.healey

Part of the problem I think with Urs idea is he is expecting the cracker to look for the point at which the app performs a delayed check. If I was trying to crack software of this kind I wouldn't bother at all with when the software wants to perform a check. I'd look for the if statement that enables the functionality I want since that can't be delayed. If I have a valid license the software must do what I want when I want it, I compare this against an unlicensed version and find out where the restriction has been placed.

As an example, let's say the app goes silent for 1 second every 30 seconds, well I search for that functionality in the code and disable it. The delayed checker can carry on happily doing its thing, in the meantime I'll just enable all the functionality I want and tell it to ignore any signals that it may receive from the license checker in the future, whenever or however they may be delivered. It still comes down to swapping some boolean tests. The delayed checker is only a block if your plan of attack is to nutralize the checking mechanism, but you can just sidestep it.

In his example there is a message "this demo has expired". All you have to do is find that text string in the binary (of course it could be obfuscated but you can still find it). And then change a boolean value and that message will never appear.

The idea is certainly a valid additional tool to include though. One possible scenario is the crackers don't even notice the check, they think the software just works fine with or without the license, and only end users who've downloaded the app and don't have a valid license discover the security limitation after they've been using it for a while, and that may prompt them to purchase a license.

Lindon

@d-healey - yes all valid.

On another track...its interesting to download my cracked software, as @Natan says it includes a Keygen program - which I cant get to work by the way... but still it means the pirate has worked out what the approach is I'm using - which surprises me - yes each product uses the same approach - however the approach itself uses a secret key as part of the authorisation system - so the inputs and outputs to the authoriastion system have to be different for each product , and they've hacked them all - so either they've spent time on each one - and I think it would be considerable time - or they have some way of "seeing" into my product script code... and reading my approach and my secret keys...

How to make Trial Plugins for 10 days

28

1.8k

10.3k

89.7k