How to make Trial Plugins for 10 days

UD AUDIO

@d-healey I think any digital product should be donationware because anyone can use it and more people would use it in my theory. I know that a lot of people wouldn't donate and some might think it's crap because quality must be expensive. This might not pay all your bills but I think it's not a bad system.
I don't make plugins only for people who can afford it. And the worst system to me is the subscription model like "output arcade". I never would pay for that.

In my opinion, money blocks human evolution because of how knowledge is shared and how it could be shared.. So I would make anything free but we have to pay bills etc so donations are a compromise.

...Oh what I mean is pay-what-you-want, not donations!

UD AUDIO

@natan You say it sounds cheap to you. But what if I make pay-what-you-want software with a $ 1000+ button? :P

Lindon

OK so after some investigation and thinking its clear there is only one(unless anyone else can think of one) system that generally defeats the pirates, and that utilizes both server calls and as part of those calls a public key system of one sort or another.

So I would like to propose HISE adopts one or other of the public key systems, that is also implemented in most common server languages.

Here is how it think it would work:

-- The plugin starts and requests (or reads from disk) the user ID...
-- the plugin calls the server with the following details:
--- User ID (email address)
--- plugin ID
--- Machine ID
--- challenge key

So here the challenge key is a simple past of a challenge /response pair(there could be say 500 in the plugin that it can choose from), it doesn't matter is these are "publicly known" as we will see...these are only really used to vary the messages being returned.

The server checks the user ID and plugin ID to make sure its a valid user...
It checks the frequency of calls about this plug-in and user ID (if too many too often then it invalidates the account - the man-in-the-middle defence)
if the Machine ID is not one of (say) 5 held for the customer then it invalidates the plug-in

• if the plugin is valid it looks up the response for the challenge it has received.

The plugin forms a return message:
--- plugin status
--- response code

The server encrypts the return message using its private key... and sends the plugin the message

The plugin decrypts the return message using the public key (ensuring its not from a fake server) and acts accordingly...

Anyone think of a way around this? Or a better way of doing it?

ustk

@lindon Unless I'm wrong, I can think of a way to crack it... In the end, it is an if statement that will allow or block the plugin. A simple patch, and done... It will prevent from keygen, but when keygens aren't possible they generally go to a patching solution. But correct me if I'm wrong

Christoph Hart

@Lindon: You can implement this scheme in HiseScript but as @ustk said, as soon as somebody reverse engineers the binary, you have lost (and having a hardcoded copy protection scheme in HISE will not add more security).

lalalandsynth

Why not just a 10 day free trial , then a small nag screen prompting the user to buy , while the user can still close the nag and keep using the plugin?
Not sure they would bother cracking a "free" plugin.

Seems to work for Reaper.

Lindon

@christoph-hart said in How to make Trial Plugins for 10 days:

@Lindon: You can implement this scheme in HiseScript but as @ustk said, as soon as somebody reverse engineers the binary, you have lost (and having a hardcoded copy protection scheme in HISE will not add more security).

Im not sure I understand how they can do this...even if they can "read" the source code - but cant alter it....the plugin sends a message somewhere and gets a public key encrypted message back - which they cant really crack - then it acts on it, explain to me what i'm missing here..

ustk

@lalalandsynth But not sure either they would buy it :)

Christoph Hart

@Lindon It doesn't really matter how you communicate with your server and what safe checks you encorporate to make it harder to simulate a legit license. At some point you have to ask

if(isUnlocked())
{
    // proceed as usual
}

And this is usually where the crackers come in and change the function to always return true.

ustk

@lindon Whatever you do upfront, in the end you will have to set off a muter in your plugin, or stop a timer, or allow MIDI note... And it will always be an if statement that does this. So change the "if server ok" into "if server not ok" and the plugin is cracked...
They analyse the bits that are set or tested when the plugin runs, then they just have to change a HEX value somewhere from false to a true or vice versa and repack the binary...

ustk

Except for AAX since they are protected against binary alteration.
If one day other formats can allow this, then this day will be protected... In short, never...

lalalandsynth

@ustk I guess that is the whole issue , if they dont plan to buy it , they might use a crack and if they do there is no real incentive to buy it , having it be free with a nag screen might ?

Of course I have nothing to back that up except for the Reaper model.

Lindon

@christoph-hart said in How to make Trial Plugins for 10 days:

@Lindon It doesn't really matter how you communicate with your server and what safe checks you encorporate to make it harder to simulate a legit license. At some point you have to ask

if(isUnlocked())
{
    // proceed as usual
}

And this is usually where the crackers come in and change the function to always return true.

Obviously yes - but changing this line of code breaks the codesigning...so the Mac version wont work anymore...

Lindon

@ustk said in How to make Trial Plugins for 10 days:

Except for AAX since they are protected against binary alteration.
If one day other formats can allow this, then this day will be protected... In short, never...

which is my understanding of the codesigning process on MacOS....but I've been known to be wrong.

d.healey

@lindon said in How to make Trial Plugins for 10 days:

Obviously yes - but changing this line of code breaks the codesigning...so the Mac version wont work anymore...

I assume people who are using "pirated" software don't care too much if it's codesigned, I would also guess a "pirated" version of Pro-Tools doesn't care either.

@ud-audio said in How to make Trial Plugins for 10 days:

This might not pay all your bills but I think it's not a bad system

Some of my libraries cost $10000+ to just record the samples, then there's a whole bunch of costs on top of that like scripting, graphic design, demos, marketing, hosting, etc. I'm happy just to recover my development costs, if I'm able to pay the bills too then that's a great bonus :)

Lindon

@d-healey said in How to make Trial Plugins for 10 days:

I assume people who are using "pirated" software don't care too much if it's codesigned, I would also guess a "pirated" version of Pro-Tools doesn't care either.

Yeah obviously, but I dont think it matters much what they care about - what matters is will their DAW load an unsigned plug-in? - and as a a side order is the pirated version of their DAW altered so drastically to allow this sort of thing?

So I think the answer to both these questions is: No.

So the approach I suggested seems to stand (and works) for me - so I think my request for a public key system in HISE is valid.

d.healey

@lindon said in How to make Trial Plugins for 10 days:

So the approach I suggested seems to stand (and works) for me - so I think my request for a public key system in HISE is valid.

As far as I know only Pro-Tools supports AAX and Pro-Tools isn't the DAW of choice for virtual instrument work, so that's only a small part of the market that has this extra check. Let me know if I'm wrong but I think Pro-Tools uses iLok which has been cracked several times, I assume a cracked version of Pro-Tools can load cracked plugins.

Lindon

@d-healey said in How to make Trial Plugins for 10 days:

@lindon said in How to make Trial Plugins for 10 days:

So the approach I suggested seems to stand (and works) for me - so I think my request for a public key system in HISE is valid.

As far as I know only Pro-Tools supports AAX and Pro-Tools isn't the DAW of choice for virtual instrument work, so that's only a small part of the market that has this extra check. Let me know if I'm wrong but I think Pro-Tools uses iLok which has been cracked several times, I assume a cracked version of Pro-Tools can load cracked plugins.

err.. I'm not talking about ProTools as the "DAW in question" here, its ANY DAW on MacoS...

d.healey

@lindon Oh I thought it was something special to AAX format. I'm able to load unsigned VSTi plugins into Reaper on Big Sur without issue.

Lindon

@d-healey hmm, not supposed to be able to do that...apparently...tho maybe theres a difference between unsigned and broken signed...