1

I was reading on trial products and the challenge of user forwarding time before installing the product so that it will not expire for long time. One of strategies I read is checking modified time for some files and compare to current time and see the difference if makes sense. My Question is, which are best files to use for the task in both Windows and Linux? Why do you think are the best for the task?

Since I don't remember the url of the site (was reading in a phone and I cannot reproduce url right now), I will appreciate any link on the subject or even SO answer in case I missed it!

Stefano Mtangoo
  • 6,017
  • 6
  • 47
  • 93
  • how about only allowing computers that enables NTP ? – Raptor May 13 '13 at 09:19
  • Is it enabled for all computers by default (OS/BIOS or whatever)? I don't want to interfere with customer simply because he have no NTP enabled. What are pros of the NTP? – Stefano Mtangoo May 13 '13 at 09:24
  • Almost all OS can disable time sync with NTP, i.e. they can set to any time when NTP is disabled. – Raptor May 13 '13 at 09:30
  • so suppose user who is not tech nerd have his computer NTP disabled. (s)he will fail to use the product and may be get turned off! So I will skip this thing. Thank you for raising this though! – Stefano Mtangoo May 13 '13 at 09:34
  • Note: In Windows, it is just a checkbox in Date / Time Settings . Even dummies know how to disable it. – Raptor May 13 '13 at 09:49
  • Instead of using the timestamp of a file you could also save the time of the installation and compare it with the time when the user starts the program. If the starting time is in the past you know somebody modified the time and you block further usage (you could also save a timestamp with every startup/shutdown of the program to improve this) – Michael May 13 '13 at 12:38

1 Answers1

1

Dynamically Embed the date and time of download with in your setup installer package.

Tell the customer to activate the trial product before 48 hours or so. (After activation he can use for entire trial period)

Then, at the time of installation, check whether system time (client machine time) is matching with date time of your installer.

If it is not matching, do not allow the installation.

EDIT:

It can be done in the following ways.

1. Using encryption:

Create an XML file with download time stamp when download button is clicked.

Create a private key using cryptography library such as OpenSSL

Extract public key from private key.

Encrypt xml file using private key, It generates signature file.

Ship EXE file, xml file, public key file and signature file to the client.

When client tries to install, your EXE verifies the signature and xml file using the public key.

If signature matches, it checks whether system time stamp is not greater by more than 48 hours. And it shouldn't be less than download time stamp.

If hack attempt is made to change XML, signature wouldn't match, there by preventing installation / subsequent usage of product.

2. Patching

Patching exe may be done although not recommended. Can a web server dynamically generate an executable on the fly?

It may be resource intensive.

Community
  • 1
  • 1
bjskishore123
  • 6,144
  • 9
  • 44
  • 66
  • Probably not working well. Naughty user still can change the embedded date and time or freeze the system time using other software. A lot of China naughty software is doing this. – Raptor May 13 '13 at 09:48
  • which date do I embed? I want to prevent what Shivan have pointed out though I don't want to fight them very deeper. I will ignore a determined cracker but definitely not the one trying out! – Stefano Mtangoo May 13 '13 at 10:03
  • @Shivan Embedded date time can be encrypted by our own software and then packaged in to the binary. Nobody can decrypt it. Moreover, we can secure it with mechanism such as OpenSSL – bjskishore123 May 13 '13 at 10:25
  • @Stefano You need to embed the date time at your end which is from a proper time source. – bjskishore123 May 13 '13 at 10:28
  • But how to deal with Time Freezing software? – Raptor May 13 '13 at 10:44
  • do you mean I patch exe with time thing or that I download it also as separate file? Suppose setup is made of innosetup, how do I embed time? Plus timezone and other differences! – Stefano Mtangoo May 13 '13 at 10:46
  • 1
    @Shivan To deal with time freeze, If time is same at the time of app start and at the time of app exit, app can understand that there is something wrong with licence and prevent subsequent usage. We can also give licence as number of hours a product can be used as trial as opposed to days. For example, simply give access for 100 hours. Always keep track of last application close time. – bjskishore123 May 13 '13 at 12:22