How are trial versions built?

May 27, 2010 at 11:53am
Hi,
I have a question about trial versions of software.
There are trial versions of software for people to try. They're limited to something like 30 days or 10 uses.
My question is, how do they achieve it?
I mean, they can't keep it in a file, because people can easily change or delete it.
My guess is that they keep it in the Windows registry, but that can also be changed or deleted (even if it's a bit more difficult than changing or deleting a file),
so it's still unreliable.
So, how do software companies build trial versions? How can they be sure that the user will not remove the day or usage limitation?
What method should be used for it?
May 27, 2010 at 1:47pm
The single most important fact in security: no code that's executed on the client side is undefeatable.
No matter how complicated you've made your trial verifier, someone determined enough can and probably will break it. The question is, how determined does a hypothetical user need to be to break it?
Store dates as text in a configuration file: undetermined.
Store dates as binary data in the registry: slightly determined.
Store dates as encrypted binary data: determined.
Store dates as checksummed encrypted binary data: very determined.
Obfuscated machine language plus detection of analysis tools: extremely determined.
Require data being processed by a server: unbreakable*.

*Save for breaking into the server room and analyzing the code running on it. By that point it's probably easier and within the user's capabilities to just kidnap a developer and apply a bit of rubber hose cryptanalysis.
May 27, 2010 at 2:42pm
Not even that last one is unbreakable without leaving one's desk, helios. In fact, it seems easier than the second to last one. What kind of data are we talking about exactly?

EDIT: I see.

-Albatross
Last edited on May 27, 2010 at 3:04pm
May 27, 2010 at 3:01pm
*Save for breaking into the server room and analyzing the code running on it. By that point it's probably easier and within the user's capabilities to just kidnap a developer and apply a bit of rubber hose cryptanalysis.

Lol.
May 27, 2010 at 4:21pm
@helios
What do you mean by "detection of analysis tools"?

May 27, 2010 at 4:36pm
I mean refusing to run if there's something like SoftIce loaded. I've seen Acrobat Reader doing it.
May 27, 2010 at 4:42pm
If you deploy an internet-based application, you should go with the server-authentication method...

Otherwise, you could try ADS to, at least, hide your encrypted data^^...
(Never rely on the OS's time to verify the number of days used)...

EDIT: try retrieving the BIOS time instead... It is more annoying for an inexperienced user to change the BIOS time and restart every time you need to get the right date than to change the OS time with a few clicks...
Last edited on May 27, 2010 at 4:44pm
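As an added illustration (not code from anyone in this thread), here is the "checksummed" rung of helios's ladder done with an HMAC instead of a plain checksum, plus the clock-rollback check behind the "never rely on the OS time" remark above. The key, field names and timestamps are constructed for the example; encryption is left out, and the key still has to ship in the client, which is exactly why this only raises the bar rather than making the trial unbreakable.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed key for this example. In a shipping trial build the key must
# live inside the client binary, which is why this raises the bar but
# cannot make the check undefeatable (helios's point above).
TRIAL_KEY = b"example-key-embedded-in-client-binary"
TRIAL_DAYS = 30
TRIAL_USES = 10
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def pack(record: dict) -> bytes:
    """Serialise the trial record and append an HMAC-SHA256 tag over it."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(TRIAL_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)

def unpack(blob: bytes) -> Optional[dict]:
    """Return the record only if its tag verifies; None means edited or corrupt."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(TRIAL_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

def new_trial(now: int) -> bytes:
    """Create the record written at install time (times are Unix seconds)."""
    return pack({"installed": now, "last_seen": now, "uses_left": TRIAL_USES})

def check_and_consume(blob: bytes, now: int) -> Tuple[str, Optional[bytes]]:
    """Validate the stored record and, if the trial is still live, spend one use."""
    rec = unpack(blob)
    if rec is None:
        return "tampered", None
    if now < rec["last_seen"]:  # clock was set back to stretch the trial
        return "clock_rollback", None
    if now - rec["installed"] > TRIAL_DAYS * 86400 or rec["uses_left"] <= 0:
        return "expired", None
    rec["uses_left"] -= 1
    rec["last_seen"] = now
    return "ok", pack(rec)
```

Every launch rewrites the record, so a copied-back old file fails the `last_seen` check and an edited one fails the tag check; a user who extracts the key from the binary defeats both, which is the ladder's whole point.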
May 28, 2010 at 12:13am
Why not just ping the server for the correct time?
May 28, 2010 at 12:42am
Isn't that covered by "internet-based"?...

Otherwise, you could simply disallow the ping due to access restrictions...