Just look at this:
I just got Little Snitch to keep working even with network filter being off (that should be equivalent to expired 3 hour trial). The game is still not over because only the Once button is working but it seems I have my entry point 😄.
Little Snitch works by using a socket filter (Apple document here) installed when kernel module starts (Correction: Little Snitch kernel module is an IOKit driver and not a simple kernel extension). This filter is not removed when the we stop/start Little Snitch network filter so we can abuse it’s condition check (that’s what I did here).
That’s it… for now!
P.S.: Buy it if you really use it 😉.