[Qt-interest] [OT] RE: how to implement trialware feature

[Sergey]

Hi,

Oliver.Knoll at comit.ch wrote:
> So the application receives the date of first start from your server and then what? HOW does the application check whether the 15 days have elapsed? By comparing to the local system time?
> That's one of the first things your users are going try, by re-setting the local system time to the date which lies within the valid range (15 days). So I don't really see the need to connect to your server either, as to simply get the start date: you could as well have read this value from the local system and store it somewhere in some cryptical *.ini file or so - The fact that you get the initial date from your server doesn't improve things here (or I simply did not get the idea ;)

First solution of this: store in cache last time, program run.
each time, program reads trialware info from cache, it reads from it 
current time. If system time is earlier than time in cache, program will 
take time from cache instead of current time.

Second solution: each time analyze time of some system files. And if it 
is later than current time, use files' time.

> Creating a unique ID which is specific to a certain hardware combination is something Windows XP does (taking into account also the number of network adapters, graphic cards, CPU IDs... whatever might be useful to identify the machine) and is certainly not so trivial.
> Oh and yes, everyone loves to call the Microsoft hotline to re-register their Windows XP/Vista license, simply because they installed the long-awaited high-performance 3D graphic card which was lying under the Xmas tree (that doesn't happen with MY XP license, luckily, since it is an "OEM license": it identifies the machine using the vendor (HP) specific BIOS, or so I understand). ;)
this is the main problem for me now. how to be, if hardware 
confuguration changed? if at least one MAC-address of interfaces on the 
computer is identical to the MAC-address of interface on the other 
computer, may i suppose, that it is the same computer?
Are there examples how to get BIOS serial number on Mac OS?

> Your method suggested above would be only "secure" if
>...
> - EACH time your application starts it contacts your server which then decides
>   whether the application is eligible to be run - based on the SERVER date/time!
 > Other solutions might be to store some "magic hidden files" and 
update their date each time your application is run (or store the 
current date in some "cryptical place", e.g. in the registry - oh, that 
reminds me: doesn't the Windows API allow to encrypt parts of the 
registry, so only your application can read/modify them?), so you could 
somehow detect whether your users "went back in time", adjusting their 
local system time.
 > But with tools such as 
http://technet.microsoft.com/en-us/sysinternals/default.aspx it is 
always easily possible to detect which files/registry entries an 
application is trying to access. And once you know that, it is easy to 
delete the respective files/entries and simply re-install the 
application (so it thinks it has never been installed before).

i think it will make use of program non comfortable for user - each time 
wait until program will receive time from server. And it can make server 
too busy, if there are many concurrent requests.
I used adobe trial products and they didn't connect to server each time.
How do they do such a check?

> In my last project we had someone implementing such a licensing module - oh and yes, we INDEED ran into the problems on laptops, for example, where it is very common to simply disable the WLAN adapter. Which is the equivalent of removing a network interface and *BANG* depending on which network adapter the license key depended on (oh and yes, the network adapter WAS a part of the unique license key, as you suggested as well ;)  the application would run or not! So the solution to that was to mak
> e sure that the "first" network adapter is indeed a "non-removable" one. What a joy the guy had playing around with the Windows HAL API (or whatever API was used to finally solve that issue). Not to metion Linux, Mac OSX, ...
As variant - use also BIOS serial. But how to get it on MacOS?

> And in case you REALLY manage to protect/encrypt/hide this information somewhere in the OS, then your users will simply install it in a virtual machine. "Oh, 15 days have elapsed? Time to re-install the image and the application, re-set the date :)"
> Off course, if your application costs about 30 bucks no one would bother to go into all this trouble and try to "hack" your application. If it is GOOD they will buy it anyway, no need to put too much effort into a "license server" ;) If it costs several 1000 bucks there will ALWAYS be people hacking your application anyway - but in this price category most users are willing to pay anyway (especially in a commercial environment), as to hopefully get good support and updates :)
You are right. So i do not hope make 100% protection. I need just make 
hacking of my program as difficult as it is possible.

--
Serge