[Qt-interest] [OT] RE: how to implement trialware feature

Oliver.Knoll at comit.ch Oliver.Knoll at comit.ch
Wed Jan 14 16:44:48 CET 2009


Sergey wrote on Wednesday, January 14, 2009 2:27 PM:

> Hi,
> ...
> 4. Program checks, were 15 days elapsed since start date. If yes -
> refuses to work. Program caches web site response using QSettings. So
> request to web site needed only during first launch of program.

So the application receives the date of first start from your server and then what? HOW does the application check whether the 15 days have elapsed? By comparing to the local system time?

That's one of the first things your users are going to try, by re-setting the local system time to the date which lies within the valid range (15 days). So I don't really see the need to connect to your server either, as to simply get the start date: you could as well have read this value from the local system and store it somewhere in some cryptical *.ini file or so - The fact that you get the initial date from your server doesn't improve things here (or I simply did not get the idea ;)

> 1. How to create unique ID of Mac OS Machine? So that it would be
> really unique and at the same time would not be changed for the same
> machine from time to time? I think about
> QNetworkInterface::hardwareAddress(). But how to be if there are
> several interfaces on client's machine? May be some other things can
> be used as unique Mac OS Machine ID?

Creating a unique ID which is specific to a certain hardware combination is something Windows XP does (taking into account also the number of network adapters, graphic cards, CPU IDs... whatever might be useful to identify the machine) and is certainly not so trivial.

Oh and yes, everyone loves to call the Microsoft hotline to re-register their Windows XP/Vista license, simply because they installed the long-awaited high-performance 3D graphic card which was lying under the Xmas tree (that doesn't happen with MY XP license, luckily, since it is an "OEM license": it identifies the machine using the vendor (HP) specific BIOS, or so I understand). ;)

> 2. I described algorithm of implementing trialware feature. Is it
> good and strong enough? Can i do something better using other
> methods?

Your method suggested above would be only "secure" if

- you managed to get a unique/hardware-dependent ID
- you store the "Start of usage" date on your server, together with that ID
- EACH time your application starts it contacts your server which then decides
  whether the application is eligible to be run - based on the SERVER date/time!

Of course you would have to encrypt the whole communication, using a master key which is only known to your application (and of course, you have to make sure that this key is not easily extractable from your executable etc. etc.) - else it would be easy to intercept the communication and simply send a "Yes, everything is fine, you can start!" to your application ;)

Finally you would end up implementing a license server such as FlexLM - and dare you and your users if your server would not be reachable ;)

In my last project we had someone implementing such a licensing module - oh and yes, we INDEED ran into the problems on laptops, for example, where it is very common to simply disable the WLAN adapter. Which is the equivalent of removing a network interface and *BANG* depending on which network adapter the license key depended on (oh and yes, the network adapter WAS a part of the unique license key, as you suggested as well ;)  the application would run or not! So the solution to that was to make sure that the "first" network adapter is indeed a "non-removable" one. What a joy the guy had playing around with the Windows HAL API (or whatever API was used to finally solve that issue). Not to mention Linux, Mac OSX, ...


Other solutions might be to store some "magic hidden files" and update their date each time your application is run (or store the current date in some "cryptical place", e.g. in the registry - oh, that reminds me: doesn't the Windows API allow to encrypt parts of the registry, so only your application can read/modify them?), so you could somehow detect whether your users "went back in time", adjusting their local system time.

But with tools such as http://technet.microsoft.com/en-us/sysinternals/default.aspx it is always easily possible to detect which files/registry entries an application is trying to access. And once you know that, it is easy to delete the respective files/entries and simply re-install the application (so it thinks it has never been installed before).

And in case you REALLY manage to protect/encrypt/hide this information somewhere in the OS, then your users will simply install it in a virtual machine. "Oh, 15 days have elapsed? Time to re-install the image and the application, re-set the date :)"

Of course, if your application costs about 30 bucks no one would bother to go into all this trouble and try to "hack" your application. If it is GOOD they will buy it anyway, no need to put too much effort into a "license server" ;) If it costs several 1000 bucks there will ALWAYS be people hacking your application anyway - but in this price category most users are willing to pay anyway (especially in a commercial environment), as to hopefully get good support and updates :)


Good luck, Oliver
--
Oliver Knoll
Dipl. Informatik-Ing. ETH
COMIT AG - ++41 79 520 95 22
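
The server-decides check described in the message above, as an added example that is not part of the original post or any Qt API: the server judges the trial from its own clock, and the client accepts a "yes" only if it is authenticated, addressed to this machine ID and bound to a fresh nonce. It is written in Python for brevity; the key value, function names and in-memory store are assumptions, and a key embedded in a client binary remains extractable, as the message notes.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

TRIAL = timedelta(days=15)
SHARED_KEY = b"constructed-demo-key"  # assumption: the "master key" shipped in the app
FIRST_SEEN = {}                       # server-side store: machine_id -> first start (UTC)

def _tag(body: bytes) -> str:
    """HMAC-SHA256 over the reply body, keyed with the shared key."""
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

def server_check(machine_id: str, nonce: str, now: datetime) -> dict:
    """Server side: decide from the SERVER clock; the client never sends a date."""
    start = FIRST_SEEN.setdefault(machine_id, now)  # first contact starts the trial
    body = json.dumps({"id": machine_id, "nonce": nonce,
                       "allowed": now - start < TRIAL}, sort_keys=True).encode()
    return {"body": body, "tag": _tag(body)}

def client_accepts(reply: dict, machine_id: str, nonce: str) -> bool:
    """Client side: run only if the reply is authentic, fresh and for this machine."""
    if not hmac.compare_digest(_tag(reply["body"]), reply["tag"]):
        return False                  # forged or modified reply
    msg = json.loads(reply["body"])
    if msg["id"] != machine_id or msg["nonce"] != nonce:
        return False                  # replayed or foreign "yes"
    return msg["allowed"] is True

def launch(machine_id: str, now: datetime) -> bool:
    """One start-up: fresh nonce, ask the server, verify the answer."""
    nonce = secrets.token_hex(16)
    return client_accepts(server_check(machine_id, nonce, now), machine_id, nonce)

if __name__ == "__main__":
    day0 = datetime(2009, 1, 14, tzinfo=timezone.utc)  # constructed sample date
    print(launch("demo-machine", day0))
    print(launch("demo-machine", day0 + timedelta(days=15)))
```
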



