September 22, 2011

Luca Luca
Ant Farmer
639 posts

develop demo application


Hi all,
I have a Qt application that I need to provide to a customer.
The customer needs to decide if it will buy the application or not.
This is why I need to provide him a “demo” version of the application but I’m not sure on how to do that.

The first solution should be to hard code a date and time on which the application stops forever but this can be avoided by changing the system time.

I need a demo application that is very difficult to “crack”…

What solution can you suggest me?

24 replies

September 22, 2011

Eddy Eddy
Area 51 Engineer
1612 posts

Since it is a demo I would demo it to the client myself. Upon agreement you can hand it over.

 Signature 

Moderator
Qt Certified Specialist
Nokia Qt Ambassador

September 22, 2011

Vass Vass
Ant Farmer
743 posts

Hehe, if your app works with some data, you can limit it.

For example, I did an app which checks some webpage, parses the results and adds them to a csv file. I limited the count of lines in the csv file for the demo version.

 Signature 


Vasiliy

September 22, 2011

Rahul Das Rahul Das
Ant Farmer
437 posts

My “demo” app was [hardcoded] for single user, when the actual app was meant to be for multi users.. :)

 Signature 

——————————-

    Rahul Das

——————————-

September 22, 2011

Luca Luca
Ant Farmer
639 posts

I must provide a “full function” demo application so I’d like to implement some way to block the application after some days…

September 22, 2011

Vass Vass
Ant Farmer
743 posts

Well… you can check some page in web, where you keep actual date of trial limit.
However, you also should block app if internet connection disabled or your page unavailable :)

 Signature 


Vasiliy

September 23, 2011

Gerolf Gerolf
Hobby Entomologist
3287 posts

or you store some date anywhere hidden (in a file, memory wherever) and if time is over, it does not work anymore. To disable the switch back feature, if the system time is before last run —> disable it.

 Signature 

Nokia Certified Qt Specialist.
Programming Is Like Sex: One mistake and you have to support it for the rest of your life. (Michael Sinz)

September 23, 2011

Alicemirror Alicemirror
Lab Rat
825 posts

About the limitation date it is a good way to check date remotely anyway. In my experience, if an application doesn’t need a remote connection to start, it can be cracked. This limitation can be applied only in the demo version. This means that to crack the demo it is not so simple because there is not a simple data somewhere but an entire part of the code that won’t work.

Suggestion I have done:

  1. When the application starts, it creates a random number, i.e. between 1 and 15 minutes, used to set a timer always running.
  2. The core functions of the application (simple and repetitive to set using #ifdef … #endif or similar) will check if the timer is running, else stop working.
  3. Every time the timer stops, fire a signal and restart.
  4. The signal checks for connectivity and internet date.
  5. User should register on the next (optional)

It is almost very difficult to crack a set of checks like this “intruded” in all the application. When you want, simply #undef the value and the application will work in non-demo mode.

Note that this undef can be a real variable so you can do it dynamically at runtime (e.g. after the user pays) enabling it by remote.

The unblocking of the installation can be done “by defect”: every new installation and / or computer reset the user is asked for the registration code to unlock the application. If the remote server sees that the user is already registered this operation is automatic. I avoid these methods because if for any reason you should stop giving the service the application never runs in non-demo mode.

 Signature 

Enrico Miglino (aka Alicemirror)
Tech Consulting
Islas Baleares, Ibiza (Spain)
http://www.contesti.eu

September 23, 2011

Luca Luca
Ant Farmer
639 posts
Vass wrote:
Well… you can check some page in web, where you keep actual date of trial limit. However, you also should block app if internet connection disabled or your page unavailable :)

This should be a good solution but the application should run in off-line PC.

Gerolf wrote:
or you store some date anywhere hidden (in a file, memory wherever) and if time is over, it does not work anymore. To disable the switch back feature, if the system time is before last run —> disable it.

I didn’t think to disable the application if time is before last run. This should be my solution.

September 23, 2011

Lukas Geyer Lukas Geyer
Lab Rat
2074 posts
Luca wrote:
What solution can you suggest me?

A reasonable price for your product and a real added value for paying customers (extended support, cloud features, etc.). Time being spent in improving your product instead of protecting it.

From the technical point of view there are a few things that should be taken into account to force at least the average customer to respect your restriction – you can’t force anyone else anyways.

  • Always encrypt and sign your data.
    When storing data locally always encrypt and sign and do some sanity checks – otherwise it is edited in a minute. If it is encrypted and signed properly it doesn’t matter where the data is stored (file, registry, etc.). It can be as simple as XOR – but you have to prevent recreation of valid data. If you rely on an active internet connection always use https and weave the server’s public key into your application.
  • Rely on valid data.
    If there is no data or invalid data do not start up. The installer is responsible for creating initial data, not the application.
  • Do not rely on system calls.
    Especially when retrieving dates (this includes QDateTime and platform specific calls like GetSystemTime()). You can download application loaders and hypervisors around every corner nowadays which just hook into those system calls and annul your protection. The better way is to retrieve timestamps from system files which are accessed often (the pagefile or system log files).

Keep in mind that your protection should always correlate with the value of your application. The cost and amount of work for protection will rise exponentially [blackhat.com] to its efficiency and the amount of people it protects from – and is cracked in the end anyways. Software protection is a science of its own, which includes anti-debugging and anti-reversing, encryption, hypervisor detection and a lot of other subjects.

There are a lot of ready-made software protection solutions out there (including time-based restriction). Probably they are feasible for you.

There is one more thing I want to add: Whatever you do – the software protection should be as invisible as possible to the end user. A demo is a showcase for your product and should convince people to spend money on it – which is pretty difficult if they are annoyed by the software protection. Nagware or Ubisoft’s always-on copy protection is a prime example for this.
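
An added example, not code from any poster in this thread: Gerolf's rule (system time before the last run disables the app) combined with the "rely on valid data" rule above, where missing state never starts the demo. `TrialState`, `TrialVerdict`, `evaluateTrial` and the 300-second tolerance are hypothetical; the record is assumed to have passed its signature check before it reaches this function.

```cpp
#include <cstdint>

// Hypothetical names throughout; this is an illustration of the start-up
// decision only, not of how the record is encrypted, signed or stored.
enum class TrialVerdict { Ok, Expired, ClockRolledBack, MissingState, Locked };

struct TrialState {
    std::int64_t installedAt;   // seconds since epoch, written once by the installer
    std::int64_t lastSeen;      // highest timestamp observed on any previous run
    std::int64_t trialSeconds;  // allowed trial length
    bool locked;                // sticky: once set, the application never clears it
};

// Decide whether the demo may start.
// `s` is the stored record, or nullptr if it was missing or failed verification.
// `now` is the current time from whatever source the application trusts.
// `tolerance` absorbs small legitimate clock corrections (assumed value).
// After the call the caller must write `*s` back, re-signed, before continuing.
TrialVerdict evaluateTrial(TrialState* s, std::int64_t now,
                           std::int64_t tolerance = 300) {
    // No valid record: refuse to start. Only the installer creates initial
    // state, so deleting the file does not reset the trial.
    if (s == nullptr) return TrialVerdict::MissingState;
    if (s->locked) return TrialVerdict::Locked;

    // The clock reads earlier than a time already observed: it was set back.
    if (now + tolerance < s->lastSeen || now + tolerance < s->installedAt) {
        s->locked = true;
        return TrialVerdict::ClockRolledBack;
    }

    // lastSeen only ever moves forward, so elapsed time cannot shrink.
    if (now > s->lastSeen) s->lastSeen = now;

    if (s->lastSeen - s->installedAt >= s->trialSeconds) {
        s->locked = true;
        return TrialVerdict::Expired;
    }
    return TrialVerdict::Ok;
}
```

Because the lock is stored in the same record, this check is only as strong as the integrity protection on that record and on the application binary itself.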

September 23, 2011

fluca1978 fluca1978
Lab Rat
529 posts

I don’t like this kind of demo, but I don’t want to start a flame on licensing.
Limiting the data an application can handle is, in my opinion, the simplest and most effective way of producing a demo. However, I would be in doubt to buy an application that performs well on 10kB of data when I have to handle some GB…
Remember that any kind of data written/read in a file can be intercepted by a malicious user, and having the application to go on the net just to check the license is awkward (in my opinion).
Maybe with a virtual machine you will have much more opportunities to limit the user. I mean, after all, breaking a whole virtual machine is much more complex than breaking an application. And after the time has expired, your virtual machine can simply delete the database (or the data).
It all depends on how malicious your clients are…

September 23, 2011

Alicemirror Alicemirror
Lab Rat
825 posts

@Lukas: just a note. As I think fluca1978 is developing something for an Italian client. This means that the ethic logics you think about a product are not applicable at all to this market. Unfortunately

 Signature 

Enrico Miglino (aka Alicemirror)
Tech Consulting
Islas Baleares, Ibiza (Spain)
http://www.contesti.eu

September 23, 2011

Luca Luca
Ant Farmer
639 posts

Alicemirror wrote:
About the limitation date it is a good way to check date remotely anyway. In my experience, if an application doesn’t need a remote connection to start, it can be cracked. This limitation can be applied only in the demo version. This means that to crack the demo it is not so simple because there is not a simple data somewhere but an entire part of the code that won’t work.

Suggestion I have done:

  1. When the application starts, it creates a random number, i.e. between 1 and 15 minutes, used to set a timer always running.
  2. The core functions of the application (simple and repetitive to set using #ifdef … #endif or similar) will check if the timer is running, else stop working.
  3. Every time the timer stops, fire a signal and restart.
  4. The signal checks for connectivity and internet date.
  5. User should register on the next (optional)

It is almost very difficult to crack a set of checks like this “intruded” in all the application. When you want, simply #undef the value and the application will work in non-demo mode.

Note that this undef can be a real variable so you can do it dynamically at runtime (e.g. after the user pays) enabling it by remote.

The unblocking of the installation can be done “by defect”: every new installation and / or computer reset the user is asked for the registration code to unlock the application. If the remote server sees that the user is already registered this operation is automatic. I avoid these methods because if for any reason you should stop giving the service the application never runs in non-demo mode.

I don’t understand very well how you use the timer… Can you explain it to me better?

September 23, 2011

Alicemirror Alicemirror
Lab Rat
825 posts

Timer is used to check periodically and randomly at every startup that the device is already connected to the net (e.g. exchange a very small confirmation package on the server). This is very difficult to hack in the compiled application and grants you that the demo works as demo. Without the effort of creating two different versions.

 Signature 

Enrico Miglino (aka Alicemirror)
Tech Consulting
Islas Baleares, Ibiza (Spain)
http://www.contesti.eu

September 23, 2011

fluca1978 fluca1978
Lab Rat
529 posts
Alicemirror wrote:
@Lukas: just a note. As I think fluca1978 is developing something for an Italian client. This means that the ethic logics you think about a product are not applicable at all to this market. Unfortunately

A little mess here, I’m not developing a demo application, Luca is…
Anyway, I agree with Lukas: it is worth spending time to improve the product than to protect against malicious users. That is also why I believe that preparing a virtual machine could be simpler, since you can totally control the full execution environment and can get to streets in a very short time. You could also offer a cloud machine, so that it is your client to decide if he wants to push his data to a remote machine that will be (?) erased after the demo time.

September 23, 2011

Lukas Geyer Lukas Geyer
Lab Rat
2074 posts

fluca1978 wrote:
Limiting the data an application can handle is, in my opinion, the simplest and most effective way of producing a demo. However, I would be in doubt to buy an application that performs well on 10kB of data when I have to handle some GB…

Yes.
fluca1978 wrote:
Remember that any kind of data written/read in a file can be intercepted by a malicious user

The data should be already encrypted and signed when passed to the operating system (and a possible hook), and should be decrypted and verified after it has been retrieved from the operating system (and a possible hook).

But this is the crux of software protection. It has to be executed on the (malicious) client’s machine and therefore it has to be at the client’s machine and therefore it can be modified (operating system code and application code). The difference of an unprotected application and a protected application is just the amount of hard time you give to the malicious client.

Even if your application is fully encrypted and secured against modifications it has to be decrypted right before it is executed and passed to the (possibly emulated and recording) processor.

fluca1978 wrote:
… and having the application to go on the net just to check the license is awkward (in my opinion).
Yes.
fluca1978 wrote:
Maybe with a virtual machine you will have much more opportunities to limit the user. I mean, after all, breaking a whole virtual machine is much more complex than breaking an application. And after the time has expired, your virtual machine can simply delete the database (or the data).

This is how modern software protection platforms usually work (at least some of them).
