
I wrote a piece of software as a student. All functionality was in the software and it was a 30-day fully functional version. After some years there were cracks around and my income was 10% of before. This was where I decided to switch the paradigm to full version vs. demo version with limited functionality (the functions weren't even in the EXE, using compiler switches). In my case this ended all piracy and worked very well.

Now you could ask what if a customer uploads his full version to a crack website? For this case I compiled the customer's full address visibly and invisibly into the EXE file so that I could see which customer was a bad boy...

After some more years I had a new problem: anti-virus software. Since my software can set keyboard shortcuts, the heuristic algorithms of some anti-virus apps started complaining. So I sent the demo version EXE to the anti-virus companies to mark it as "safe". This worked very well. But only for the demo version, which is fixed in byte size. When I compile the customer's personal data into the EXE file, the file size varies a bit and so the checksum differs, and the EXE file isn't marked as "safe" by the anti-virus software anymore and the complaining starts again for the customers.

Does anyone have an idea how I could solve this? I can't add a separate file because this could be deleted by the customer, of course.

Thanks in advance.

3 Answers

First, let me say the mentioned problem does not have much to do with any anti-piracy measures. The same problem will arise when you deploy different versions and variants of your software frequently (with or without any individual customizations).

Even if the "license files" approach will allow you to send a full version of your software to all major AV companies (without providing a license file for them, or only one which allows restricted usage), you

  • probably don't want to register each new monthly or weekly version of your software by all of them

  • definitely don't want to wait for such a registering process when your customers are waiting for an urgent bugfix.

Hence your best bet is IMHO to buy a commercial certificate from a trusted Certificate Authority and sign your software with it (as described here). This is usually affordable and lowers the chance that most AV scanners will complain about your program.

However, as @Ewan and @GrandmasterB have correctly mentioned in the comments, this is unfortunately not a 100% solution - some AV scanners may still blacklist your program when their heuristics detect some "suspicious" activity. The reasoning behind this should be clear: over the last years, digitally signed malware has appeared, using stolen certificates, so a digital signature is no guarantee that a program is not malware, and AV scanners don't trust such signatures blindly.

Nevertheless, I would recommend using a signature. If an AV scanner still does not like your program, try to convince its vendor that your signature was not stolen and that programs with your signature do behave well. Maybe it is enough to sign the demo version of your application and register that with the AV company? The AV companies should have a strong interest in not producing too many false positives, since otherwise their customers could be inclined to change to a different AV vendor. Moreover, it should be in their own interest not to enforce a time-consuming registering and validating process on each and every piece of software and each and every software vendor, but to leave this to the CAs.

Another thing to consider is to check whether it may be possible to reimplement the specific activity which caused the AV scanner to pop up differently. Maybe your way of creating keyboard shortcuts was too low-level, using some deprecated OS API, and there is a new, more "official" way of creating such shortcuts today? Since the question has a "Windows" tag: AFAIK Windows has lots of such quirks and legacy issues, where some workarounds which worked in the past are not the way they should be implemented today. But I am sure you will know best if that's a viable way to approach the issue.

Doc Brown

  1. Make your application require a login which is verified by a server you own.
  2. Have a non-executable licence file unique to the customer which the program checks.
  3. Continually release updates so pirated versions become out of date.

Requiring an internet connection makes things easier for you, as you can have the program phone home and tell you stuff about the machine it's running on and the licence file the customer is using. You can then keep track of how many copies each customer is using, disable licences/logins, etc.

Sure, someone can hack out the checking code, but they could also hack out the customer details.

Ewan


If each customer's EXE is different, then you're not going to be able to get around that. Anti-virus software will always view each EXE as a new and unknown application, even if it's signed.

Generally I'd recommend people not put too much effort into stopping piracy because it's not going to be very effective. Best is to make it inconvenient for people to share the software, to dissuade the 'casual copiers'.

That said, you might consider using a separate license file that contains the same information. Load the file & validate on launch. Then you won't have to have a different executable per customer.

GrandmasterB
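The "license file" approach that Doc Brown, Ewan (point 2) and GrandmasterB all suggest works only if the program can tell a genuine license file from a tampered or invented one, since a plain text file with the customer's name in it is trivially copied or edited. The added example below (my own code, not from the question, the answers, or any product mentioned) shows the usual way to do that: the vendor signs the per-customer payload with an Ed25519 private key, and the executable, which is now byte-identical for every customer, embeds only the public key and verifies the file at launch. The `License` fields, the JSON layout and the sample customer string are my assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the per-customer payload. It lives in a side file, not in the
// executable, so every customer receives the same EXE bytes (same checksum).
type License struct {
	Customer string   `json:"customer"` // assumed field: what the vendor binds the license to
	Features []string `json:"features"` // assumed field: e.g. "full" vs. "demo" functionality
	Expires  int64    `json:"expires"`  // unix seconds
}

// LicenseFile is the on-disk form: the payload plus an Ed25519 signature over
// those exact bytes. Only the vendor's private key can produce the signature;
// the shipped program carries the public key only.
type LicenseFile struct {
	Payload   string `json:"payload"`   // base64 of the License JSON
	Signature string `json:"signature"` // base64 Ed25519 signature
}

// IssueLicense runs at the vendor: sign the payload and serialise the file.
func IssueLicense(priv ed25519.PrivateKey, lic License) ([]byte, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, payload)
	return json.Marshal(LicenseFile{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(sig),
	})
}

// VerifyLicense runs at program start on the customer's machine. It rejects a
// file whose signature does not verify under the embedded public key (edited,
// forged, or signed by someone else's key) and a file whose expiry has passed.
func VerifyLicense(pub ed25519.PublicKey, data []byte, now time.Time) (*License, error) {
	var lf LicenseFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("license file unreadable: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(lf.Payload)
	if err != nil {
		return nil, errors.New("license payload is not valid base64")
	}
	sig, err := base64.StdEncoding.DecodeString(lf.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("license signature malformed")
	}
	// Check the signature before interpreting the payload: untrusted bytes are
	// not parsed into program state until they are known to be vendor-signed.
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, fmt.Errorf("license payload unreadable: %w", err)
	}
	if now.Unix() > lic.Expires {
		return nil, errors.New("license expired")
	}
	return &lic, nil
}

// HasFeature replaces the compile-time switches from the question: a function
// is enabled by the verified license, not by which EXE was built.
func HasFeature(lic *License, name string) bool {
	if lic == nil {
		return false
	}
	for _, f := range lic.Features {
		if f == name {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo: the key pair is generated on the fly. In a real
	// deployment the private key stays with the vendor and only pub is embedded.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	file, _ := IssueLicense(priv, License{
		Customer: "Example Customer, 1 Sample Street", // constructed value
		Features: []string{"full", "shortcuts"},
		Expires:  now.Add(365 * 24 * time.Hour).Unix(),
	})
	lic, err := VerifyLicense(pub, file, now)
	fmt.Println(lic, err, HasFeature(lic, "full"))
}
```

Two design points worth noting. The customer data that the question compiled into the EXE is still bound to the customer here (it is inside the signed payload, so changing it invalidates the signature), but the executable itself no longer changes per customer, which is exactly the property the AV whitelisting needs. And, as Ewan says, a determined cracker can still patch out the verification call or swap the embedded public key; a signed license file raises the bar against casual copying and editing, it does not make the program uncrackable.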