Product keys / trial

  • How can I make my application require a product key?
    And how can I make a trial or beta version that lasts for a limited time?
    Thanks in advance.

  • As far as I know, Windows applications with a time limit store values in the Windows registry, so they know when the application was installed and how much time is still available. Another approach is a license file. If it is absent or its fields are invalid, then the application does not launch at all or has limited functionality.

  • Where should I store all of the valid licenses? Should I hard-code them into my application?

  • What do you want to use: hardware or software protection?

  • Alexander Kuchumov: I am not quite sure what you mean. I want the user to need a valid product key to use the application.

  • Please remember that those protections will be very easy to overcome.

    If you don’t have a 1 million budget (well, a little less ;) to write proper cryptography for the application, I think you’ll be best off with simple CD key protection. Even better would be: no protection at all!

    But you didn’t ask that and I won’t fight about that now... I think this information could be nice in the Wiki too.

    I assume your application is not open source, so you can have illusory protection against the simplest attacks. Meaning, the application will be cracked anyway, given it gets popular.

    There are a few approaches you can use to store data about the trial and registration of the program. The easiest is just to use QSettings to hold data about the CD key, which will then be saved and stored on the computer. If this data is completely missing, there maybe should be a backup field somewhere, maybe even in the actual program, if you can afford/be allowed to modify your own binaries, to check whether the trial has already started. If this modification is not present, you can assume the trial has not yet been started.

    Of course, that way has a certain flaw: if someone finds out this flag, it can be used to create a crack that will just null that status prior to launching.

    The actual CD key data in QSettings should be encrypted using some data that will need brute force to decrypt. Then one can check using this data whether the copy is legitimate and belongs to this user.

    Finally, there is another way to implement protection, simple but requiring somewhat heavier cracking to override: require network access for authentication. This way you can use your own server to identify, perform calculations and handle user accounts without needing to entrust this data to the users' computers.

    You can either just have users register online and use that data to customize a package for the user, or write online registration into the application.

  • I like the idea of online activation. But I can't really use my own server. Are there any free / inexpensive online activation services? Is there a way for me to make an online activation service using a regular web host?

  • In principle, you can, yes. Just get one that supports some kind of scripting and some form of database, like any LAMP host offers. As Smar illustrates: it will be hard, and I mean, really hard, to make your application really secure. If there is enough interest in your application, you can be sure it will be cracked. Online verification can also be cracked in various ways, from intercepting the network traffic to disabling the check from your program completely and probably many other ways.

    The basic idea is to make sure that neither the data that you send to the server, nor the reply from the server is predictable. You'll have to set up some challenge/response system for that. To make it harder to listen in, you may want to do that over an SSL-secured connection. However, please think about whether you really want to force your users to have a live internet connection the whole time your application runs.
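
Added example (not part of the original post and not code from any poster): a sketch of the challenge/response exchange described above, going slightly beyond it by using the product key itself as the HMAC secret so the key never crosses the wire. `LICENSE_DB`, the license id and all class and function names are assumptions, and the in-process calls stand in for requests to the web host over TLS.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: license id -> product key, as the server's database holds it.
LICENSE_DB = {"LIC-0001": "QT7F-K2MD-93XA-PLW8"}


def mac_over(product_key: str, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed by the product key over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(product_key.encode(), msg, hashlib.sha256).digest()


class ActivationServer:
    """Server side (hypothetical): issues a nonce, then checks the client's proof."""

    def __init__(self, db):
        self.db = db
        self.pending = {}  # license id -> outstanding server nonce

    def challenge(self, license_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per attempt: request is unpredictable
        self.pending[license_id] = nonce
        return nonce

    def verify(self, license_id: str, client_nonce: bytes, proof: bytes):
        server_nonce = self.pending.pop(license_id, None)  # single use: no replay
        key = self.db.get(license_id)
        if server_nonce is None or key is None:
            return None
        expected = mac_over(key, b"client", server_nonce, client_nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        # The reply is bound to the client's nonce, so a recorded reply is useless later.
        return mac_over(key, b"server", client_nonce, server_nonce)


def activate(server: ActivationServer, license_id: str, product_key: str) -> bool:
    """Client side: prove knowledge of the key, then authenticate the server's reply."""
    server_nonce = server.challenge(license_id)
    client_nonce = secrets.token_bytes(16)
    proof = mac_over(product_key, b"client", server_nonce, client_nonce)
    reply = server.verify(license_id, client_nonce, proof)
    if reply is None:
        return False
    expected = mac_over(product_key, b"server", client_nonce, server_nonce)
    return hmac.compare_digest(expected, reply)
```

This hardens only the network exchange; as the thread points out, a check that runs on the user's machine can still be patched out of the binary.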

  • More programs use network traffic associated with a hardware USB key.
    I think all software without an associated hardware key is potentially crackable. Look at important software such as word processors or image editors... a new version is available and the new version is crackable :)

  • And so are Blu-Ray and HDCP and AES or you-name-it.

    szh1: I suggest not doing online activation unless you can afford to put a million euros into it. Seriously, I mean it. A million euros. To get your own servers, backup servers, DDoS-resistant servers, and guys to maintain them.

    And someone to do some serious cryptography to protect your application, or the whole protection will be completely useless, equally useless as offline activation.

    For failed online authentication, you can point your eyes to Ubisoft's latest games. Cracked in a few days, so practically only giving problems to people not using the crack.

  • It looks like any type of security can be cracked. So what is the best choice for a small application?

  • Give the application only to the users who have bought it.

    If you really want to ease your boss, just add a simple CD key with the mentioned technologies; it shouldn't annoy users too much and is relatively easy to implement so that 15-year-old kids won't crack it in an hour, but I think you should consider just making the application available only to people who have actually bought it.

    This brings us back to the trial thingy: if you need a trial, implementing this CD key thingy may be wise, because then you could just release one binary that can be upgraded to the full version if the user wants. This can be cracked, and then simply copying the new executable from the crack will get all features to work. Or if the application is only one executable, just that can be distributed...

    Another way to distribute trials is to have two different executables, one containing only trial stuff and one containing full features. With 30-day trials the former option is maybe better for users.

  • Thanks!