2

I have made an application in which I want that the application should expire after say 180 Days but the problem is that if I take the system date, anyone could just change it and get going and I cannot also take the internet date because many times the user will be working offline. So how do I make it trial after which it self destructs itself? I cannot put any other DRM as I have read that checking MAC address is a very bad DRM and after going through Making commercial Java software (DRM) I realised I have to make it somewhat simple. So the idea I have in mind is that I put a count that how many times has the application being started, but where do I store the value in registry? (I have already read: read/write to Windows Registry using Java)

I have also read Create a trial version of a Java application, with limited functionality and How to create a trial version of a Java program but the answers given there were not satisfactory. Because:
1. In one answer it is given that use "Rampart" but that is a paid application and I do not want to use it.
2. In another answer they checked with system date but as I told earlier I do not want to use that either.
3. One Question and Answer was related to functionality which is not what I want to reduce
4. and further many of them require internet but my customers may not be using it all the time

I know that there is no perfect DRM and everyone of them can be cracked. What I am asking here is what is my best shot? (Note: I have limited number of users, I will not sell this application online)

Update: This question I believe is not off topic because what I really am asking is just how do I make my software go trial... I am just asking how? I know it can be cracked easily but just tell me what is the best way to set up a trial in java

Community
  • 1
  • 1
Daksh Shah
  • 2,997
  • 6
  • 37
  • 71
  • 1
    Honestly, if you want stringent DRM you'll need a combination of tools. Do note that once the user is capable of cutting off network communication, it becomes significantly harder to maintain that DRM. That, and Java can easily be decompiled and they can just remove any code that supplies DRM. – Rogue Apr 07 '14 at 14:34
  • the registry entry can be deleted :) PS: you cannot protect the app, if your software is so cool and i don;t want to pay for it, I can run it inside a VM, when the trial ends, run it in another VM for example, you cannot stop me :) – Svetlin Zarev Apr 07 '14 at 14:35
  • @Rogue Java can be decompiled? I never heard that one. – Daksh Shah Apr 07 '14 at 14:36
  • 3
    @DakshShah Try googling `jd-gui`, it's a very accurate decompiler for sources newer than java 1.5. – Rogue Apr 07 '14 at 14:37
  • @SvetlinZarev Yah that is the problem, I cannot stop people like you. But I want to make something so that people less knowlagable than you cannot crack my software and thus I have some sort of good security – Daksh Shah Apr 07 '14 at 14:37
  • Everything can be reverese-engineered. There is no software on this planet that can not be cracked.. even Pentagon security systems can be cracked ;) – Maciej Cygan Apr 07 '14 at 14:44
  • Any program can be decompiled and reverse engineered ... it is a question of time and resources. – PeterMmm Apr 07 '14 at 14:44
  • @MaciejCygan Agreed! But What should I do? I gotta put some basic kind of security right? And as I said I am not going to release it online so chances of it reaching to a hacker are less – Daksh Shah Apr 07 '14 at 14:46
  • I use a very very basic on-disk license file. All fits in one-class and it is hand obfuscated. It prevent any normal user from kidding my program. A mid-level hacker will need aproximatly 1 hour to get out how it works and maybe 1 hour more to crack my license code. For me any further mechanism is'nt worth. – PeterMmm Apr 07 '14 at 14:55
  • Probably use it all. Use system clock, everytime they use your program, save the date that they used it in the registry. When they start your program, if the date is less than the last time it was used, call tom foolery and display a red message telling them they're trying to steal your software(do the same if there's no key where you expect it) – Cruncher Apr 07 '14 at 14:56
  • @PeterMmm Even I want exactly that thing, can you tell me how to get that? – Daksh Shah Apr 07 '14 at 14:57
  • @Cruncher Well that is a nice add-on that could be done :D – Daksh Shah Apr 07 '14 at 14:58
  • @Cruncher Have you done that ever? If yes could you please share its code. It would be of gr8 help – Daksh Shah Apr 07 '14 at 14:59
  • `can you tell me how to get that?` start programming I won't give my secret code away ;-) – PeterMmm Apr 07 '14 at 14:59
  • @PeterMmm Ok, My intuition had told me that you won't that's perfectly ok no one like to share their hard worked programs and codes. But could you just explain what you meant by `I use a very very basic on-disk license file. All fits in one-class and it is hand obfuscated.` I did not understand that quite well – Daksh Shah Apr 07 '14 at 15:05
  • @DakshShah I haven't. It would be pretty easy though. The biggest problem is that you need an installation setup to set all of the registry values up first. The other problem is that if they delete all of the registry stuff, and run the installation again then they can start from the beginning – Cruncher Apr 07 '14 at 15:05
  • @Cruncher Why do I need an Installation setup to set all of the registry values? Can't i just set it from java? – Daksh Shah Apr 07 '14 at 15:06
  • @DakshShah You can, and you'll change some every time you run the program. The initial setup is nice so that if they do mess with the registry, the java program can complain that it can't find the registry values and refuse to run. Something that wouldn't work if the file is your installation. – Cruncher Apr 07 '14 at 15:07
  • @Cruncher Understood! I will certainly try that out – Daksh Shah Apr 07 '14 at 15:10

2 Answers2

4

Ship a data file with the package containing:

  1. The name of the customer in full.
  2. The date it was shipped.
  3. The date it should expire.
  4. A checksum of the whole file so it cannot be edited.

Every time you run:

  1. Check that the checksum is still valid.
  2. Check that the file mod date does not suggest that the file has been tampered with.
  3. Display the customer name in a splash screen.
  4. Make sure the mod date on the file is not later than the expiry date.
  5. "Touch" the file to make sure it's mod-date changes to current date.
  6. Make sure the "Touch" worked.

This way:

  1. It is difficult to make a copy as the mod date will change.
  2. It is difficult to distribute copies to others as the source is easily available.
  3. It should be possible to detect most inexpert tampering.

Obviously - without adding hardware - it is impossible to cover all bases but I have found this scheme works well.

OldCurmudgeon
  • 64,482
  • 16
  • 119
  • 213
  • 1
    By any chance do you have any java code regarding any of the above? – Daksh Shah Apr 07 '14 at 15:40
  • They only need to know how you generate checksums for this. I guess that's sufficient for many cases. If you used a custom, unknown algorithm it can make it tricky actually. – Cruncher Apr 08 '14 at 14:15
1

If internet connection is not available, there is one method left behind if end-users are in a company network and using windows with active directory (most companies have active directory if clients are windows), use active directory server as a time server. Most users may change clock time on their client windows, but they don't want to change time on their servers due to other affecting software (mail server etc). License4J can find and check date/time on a local active directory server.

(Disclosure: I work for License4J)

jdiver
  • 2,228
  • 1
  • 19
  • 20