Baby's first DRM

You are currently reading a thread in /g/ - Technology

Thread replies: 84
Thread images: 8
File: drm.jpg (17 KB, 425x425)
Working on a very valuable piece of software right now, to allow temporary use of it until the 4th of April, then it needs to stop running.

I've made it connect to a NIST time server to find out the date, to work around just changing the system date. If the connection fails or the date is past Apr 4th it shuts down.

Would it be worth verifying it isn't being rerouted via the HOSTS file also? Is there a reliable way to do that?
>>
>>53708372
gfto
>>
File: 1458694404528.png (51 KB, 657x527)
>>53708389
no
>>
>>53708400
ye
>>
>>53708407
It's only intended for the use of like 5 companies and it'll make them a shitload of money. I need to make sure they don't just work around it to keep it for free.
>>
>>53708372
Always on drm? Fuck off
>>
>>53708462
Not sure if you read >>53708438. It's not like it's a neat little piece of software that everybody could use if I made it free. It's completely useless to anyone except these few companies.

It's set to run only at startup.

I'm not trying to squeeze money out of people that don't have any. They're rich-ass companies and this is easily worth $10-20k to me.
>>
if (checkdate > 4th of april two thousand sixteen) 
{
end;
}
>>
>>53708372
>hosts file
Maybe connect via IP address instead of domain name?
>>
>>53708505
>set system time to april 1st
>reset periodically
>use for free
>>
>Connects 2 server
OP, whai dont you make your kiddie scripts into a webapp thats accesible via a webportal. Dunt give them your script straight up dumbass. Let me guess, it's a web scraping tool?
>>
>>53708511
NIST time servers rotate, can't use any one fixed IP for it. Can maintain a list of the ones it can connect to internally.

>>53708524
It's not a script, it's a website automation interface with a desktop GUI. More or less webscraping, but there's a shitload of security it goes around as the site's made to prevent automation.

>web scraping tool
Pretty close though
>>
Same fag here. You could host a db and have your program "log in" to their account. If stored locally, this would be the way to go if you wanted to add more accounts to others
>>
>>53708524
>>53708542
>>53708557
Also it's time critical, needs to respond to what they tell it to do instantly.

I'm working on a version that's going to be used by multiple users later, but for the time being there's only going to be local users. No need to go to all that trouble when I can just secure it locally.
>>
>>53708372
Get a signed timestamp from a timestamping authority.
>>
>>53708503
Why don't you just have them check your server for validation rather than relying on the program to decide for itself?
>>
>>53708597
Guessing I'm going to need to pay for something like that.
>>
>>53708542
>NIST time servers rotate
OK, this might be too complicated, but connect over HTTPS to the page
https://en.wikipedia.org/wiki/Template:Currentdate
Hardcode Wikipedia's certificate and ensure that it matches.
>>
>>53708629
Or any other site that uses HTTPS and has a correct timestamp. I didn't see an NIST server that used HTTPS.
>>
File: http.png (36 KB, 1360x468)
>>53708620
Because I don't want to run a central server for now. That's another point of failure it doesn't need.

The program runs perfectly by itself without any external server.

>>53708629
>connect over HTTPS

I'm sure I could figure it out but I've reinvented enough wheels to just build HTTP requests into a winsock based scraper. I'll add HTTPS if and when I need to.
>>
>Le googles wat iz SaaS

http://programmers.stackexchange.com/questions/202938/secure-an-application-software-by-expiration-with-date
>>
>>53708658
> And someone who's really keen on getting around this could try and sniff the data you send to and from your service and then build their own service that always validates the application, and then reroute traffic intended to your service to their service instead.

That's pretty much where I'm at now.
>>
>>53708683
You can't really win desu. If a company was shady enough they could just hire an assembly guru to modify the executable to bypass the checks in several different ways. Or they could build a dummy server for false validation. So unless you're charging them more than what that would cost and the major risk of a lawsuit if you find out, you're probably fine.
>>
>>53708781
>So unless you're charging them more than what that would cost and the major risk of a lawsuit if you find out, you're probably fine.

Given the nature of it, if I found out I could probably put them out of business entirely. The cost to change it would be about the same as what I'm charging.

I think I'm worrying too much. Should do as-is.
>>
>>53708372
>babby software dev thinks he can invent DRM that works
Sure, try where every other company for the past 30 years has failed. I'm sure you'll succeed.
>>
>>53708816
I won't have 300 million hackers trying to breach it though seeing as it's useless to the rest of the planet.
>>
>>53708372
>>53708511
>If the connection fails or the date is past Apr 4th it shuts down.
Okay, I'll just redirect it to my own time server then.

>Would it be worth verifying it isn't being rerouted via the HOSTS file also?
>Maybe connect via IP address instead of domain name?
Okay, I'll just use iptables in my router instead of a hosts file then.

>>53708557
>You could host a db and have your program "log in" to their account.
Okay, I'll just set up an emulation server or just disable the logged in check.

>>53708574
>No need to go to all that trouble when I can just secure it locally.
All local security can be worked around locally.

>>53708597
>It's signed, therefore it's impossible to fake

>>53708623
Yes, cryptographic algorithms are very expensive.

>>53708629
>OK, this might be too complicated, but connect over HTTPS to the page
Okay, I'll just install my own root CA and generate a fake wikipedia certificate.

>Hardcode Wikipedia's certificate and ensure that it matches.
Okay, I'll just edit the part in your binary where the fingerprint is stored.
>>
>>53708816
Denuvo DRM has yet to be cracked. The game company has already made the majority of its money by now so even if it is cracked later not a big deal. If they can delay it by a year or two each release then pirates lose.
>>
>>53708893
>I'll just edit the part in your binary where the fingerprint is stored.

You'll have to run it to do that, I've got all the text strings obfuscated with functions in the code.

You'd have to decompile it, sort out the spaghetti in asm and skip the validation. Doable but then again doing that will invalidate just about any security. If your time were being charged at $140 an hour I can make it so it's not exactly cost effective though.
>>
>>53708968
You mean apart from the 3 versions that have been cracked so far?

64-bit debugging tools are still catching up to 32-bit, which is why v4 has been delayed so much.

Also,
>calling it Denuvo instead of VMProtect
Yes goy, believe their marketing. They surely invented it.
>>
>>53708968
>If they can delay it by a year or two each release then pirates lose.
So you not only get games for free but you also have to spend less on graphics hardware due to the games all being ~2 years old? That's a win/win in my books.
>>
>>53708979
>I've got all the text strings obfuscated with functions in the code.
Right because your homebrew obfuscation scheme is surely going to be extremely sophisticated and very difficult to tool for and RE.
>>
>>53708980
>doesn't address any of the points and spergs out

They still stopped pirates which is what they wanted to do. They won.
>>
run your own nist server
hardcode IP
make it send an authentication token to the program and have the program self-destruct if it doesn't receive it
>>
>>53709011
hoststr = Chr(116) & Chr(105) & Chr(109) & Chr(101) & _
Chr(46) & _
Chr(110) & Chr(105) & Chr(115) & Chr(116) & _
Chr(46) & _
Chr(103) & Chr(111) & Chr(118)


Good enough to stop you simply pinpointing a plaintext string in the decompiled asm.
>>
>>53709011
>>53709027
And yeah I know you can just pull it out of memory, or just capture packets to figure out what it's doing. Although you'd have to figure out it was doing that in the first place. Then just redirect it to your own server to send back a good response.

It's not foolproof but I think it's enough to make it cost ineffective at first glance for someone to pay to hack it instead of paying to buy it.
>>
>>53709022
Also if you detect a debugger being attached to the process, any modifications to the code (using an obfuscated hash that cross-checks with other obfuscated tools, exploits *itself* at runtime using ROP to form confusing execution chains etc.), or if you detect any signs of the current hardware being a VM, then silently install a hardware rootkit into the audio firmware that will then spread itself via DMA to the rest of the components, intercept any attempts to detect it and bypass airgaps by infecting USB drives and using speakers/microphones to communicate.

This rootkit will then steal all access keys it can get its hands on, and when the april 4th date arrives, silently replace all bootloaders on all corporate servers, home machines, laptops, phones etc. with DBAN and trigger a power outage by loading every single component in all machines to the max at the same time in irregular patterns.

That will fucking teach them
>>
File: that escalated quickly.jpg (85 KB, 1280x720)
>>53709088
>mfw reading through this

Y-yeah that sounds great..
>>
>>53709107
Do we have a deal, then?
>>
>>53708372
You don't control the network or the machine it's running on. Your method is trivial to break.
>>
>>53709125
Define "trivial"?

You have my program, it's a single .exe, they've said "it stopped working, he said it would stop after April 4, can you fix it?"

Assuming you know nothing that's been said ITT how long would you expect that to take?

Also seeing as they have a legal confidentiality contract with me would you be willing to break the law to do so?

Assuming you're a white hat working for a software company here.
>>
>>53708372
>Is there a reliable way to do that?
No. All applications on the OS will reference the hosts file, only the OS itself can avoid it.

You also probably won't be able to perfectly prevent the use of proxy to intercept and mangle the time server response to tell your app that the date is still behind April 4.
>>
>>53709171
I could just have it read the hosts directly. If it sees the NIST server in there it dies.

Still wouldn't stop a slightly more sophisticated attack but that's unlikely without paid experts being consulted.
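
The hosts-file check described in the post above, as an added example that is not part of the original thread or the poster's program: it parses hosts-file text and reports any entry that overrides the watched name. The function names, the sample file and the "unreadable" status are assumptions made for the illustration.

```python
import ipaddress
import os

# Host the thread's program queries (its Chr() string decodes to this name).
WATCHED = {"time.nist.gov"}

# Constructed sample hosts file, not taken from any real machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1     localhost
::1           localhost
192.0.2.10    TIME.NIST.GOV.   other.example   # override of the watched name
# 192.0.2.11  time.nist.gov
not-an-ip     time.nist.gov
"""


def default_hosts_path():
    """Usual hosts-file location on Windows and on Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip, [names]) for every well-formed mapping line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an address: the resolver ignores it
        # Names are case-insensitive and may carry a trailing root dot.
        yield str(ip), [name.lower().rstrip(".") for name in fields[1:]]


def find_overrides(text, watched=WATCHED):
    """Return [(name, ip)] for each watched name mapped in the text."""
    wanted = {w.lower().rstrip(".") for w in watched}
    return [(name, ip) for ip, names in parse_hosts(text)
            for name in names if name in wanted]


def check_hosts_file(path=None, watched=WATCHED):
    """Return (status, hits); status is clean, overridden or unreadable."""
    try:
        with open(path or default_hosts_path(),
                  encoding="utf-8-sig", errors="replace") as fh:
            hits = find_overrides(fh.read(), watched)
    except OSError:
        # Covers the permission prompt case raised later in the thread;
        # the caller decides whether an unreadable file is fatal.
        return "unreadable", []
    return ("overridden" if hits else "clean"), hits
```

This only sees the hosts file; redirection done on the network path, as other posts in the thread describe, is outside what it can detect.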
>>
>>53708438
>It's only intended for the use of like 5 companies and it'll make them a shitload of money.

>such a great programmer that his software will make companies "shitloads of money"
>not using the software himself
>asking /g/ how to write DRM because he can't fucking do it himself.

fuck off with this shit. Here's an idea. DON'T GIVE THEM THE SOFTWARE FOR FREE. Factor a permanent license fee into your price for the software, and then your need for a DRM solution is solved.
>>
>>53709207
>not using the software himself
I don't have $10 million in capital to start the most basic kind of company that could use it.

>>53709207
I'm just thinking of doing that as a trial period might be necessary for them to see the value of it working. Might not be. Meeting with my first prospective customer Tuesday.
>>
>>53709203
If the application isn't being run as Administrator it might UAC if you want to open the hosts file, even for viewing.
>>
>>53709244
Cool, that's explainable.

You know even that's probably too far. The chance of it being stolen is minuscule anyway. More worrying is the chance of someone else figuring out how to make it. I know most of the pro IT consultants in the field have already told these guys it's impossible.
>>
>>53709171
Wat if op uses strong encryption? Or is that even relevant given today's brute force capabilities?
>>53709203
I agree.... You can only be so paranoid with security. I would ask how big it's the scale of these companies are and if they have the autism task force sqd to dismantle your program at their disposal. What are the chances of 5 companies having reverse engineers as a resource? Are they top lel companies
>>
Do all the work serverside, expose a rest api for authenticated clients to use your software remotely. Since you control the server, you can ensure it is shut down on April 4th.
>>
>>53709287
>how big it's the scale of these companies
$25-$100 million turnover

>if they have the autism task force sqd to dismantle your program at their disposal
Definitely not. There's big national ones in the field and much much smaller ones, these mid-level ones are my target.

The big ones get the practical effect of this service "free" anyway thanks to corruption and the small ones don't need it.
>>
>>53708372
i would try to measure total run time in ms and check if it matches times provided by system clock. check for any unusual pci/usb devices, SPD, hard drives, access times etc.

however, it seems you don't have much time
>>53708515
save times when program was launched and dates of last modified files

it was one of the basic checks for trial versions.
>>
File: 1458893365354.gif (1 MB, 500x500)
>>53709323
>save times when program was launched and dates of last modified files
Holy shit, how did I not think of this. Thanks anon.
>>
>>53709149
>Also seeing as they have a legal confidentiality contract with me would you be willing to break the law to do so?
You can make one of two assumptions here.

1. They're willing to break the law to continue using your program for free (illegally).

In this case, they clearly don't care about having to break your DRM and will do so. Only question remains is how long it will take them to break it.

2. They're not willing to break the law

In this case, you don't need DRM. Just a contract would be enough. If they break the contract, they've already broken the law. Just sue them.
>>
>>53709372
This is also why DRM is a wrong solution to a wrong problem.

DRM is trying to bring politics into technology, but by using technology instead of politics. It just doesn't make sense. All DRM can be broken, and the people who are going to break DRM are the ones who don't care about your usage guidelines to begin with.

The only people affected by DRM are legitimate consumers who would have no interest in doing something illegal one way or the other.

It literally only harms the end user, nobody else.
>>
>>53709372
Fair point. Don't want to make 1. too easy though, I'd rather there at least be some material cost if they decide to try it to dissuade them.

>>53709385
There's no "harm," it doesn't affect the end user at all. No interface or functionality interruptions and I'm always directly contactable if something goes wrong. One of the benefits of doing this on such a small scale.

>the people who are going to break DRM are the ones who don't care about your usage guidelines to begin with
Or an opportunist that sees it's easier/cheaper to break it instead of paying for it. I know I'd give it a shot.

Anyway I think this will do for my checks:
1. NIST time
2. Local system time
3. File creation date time

If they manage to break all 3, it's going to have cost them as much as it would've to just buy it outright. Hopefully whoever they consult will tell them that before they start.
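
One way to combine the three checks listed above (an added example, not the poster's code): network time, system time and file timestamps are each treated as evidence of how late it already is, together with the saved launch time suggested earlier in the thread. The function names, the JSON state file, the UTC cut-off and the 300-second tolerance are assumptions.

```python
import json
import os
from datetime import datetime, timezone

# First instant after 4 April 2016; UTC is assumed, the year comes from
# the pseudo-code posted earlier in the thread.
EXPIRY = datetime(2016, 4, 5, tzinfo=timezone.utc).timestamp()
TOLERANCE = 300.0  # assumed allowance for ordinary clock skew, in seconds


def read_high_water(state_path):
    """Latest time recorded by an earlier run, or 0.0 if none is readable."""
    try:
        with open(state_path, encoding="utf-8") as fh:
            return float(json.load(fh)["last_seen"])
    except (OSError, ValueError, KeyError, TypeError):
        return 0.0  # missing or corrupt state contributes no evidence


def record_run(state_path, *times):
    """Raise the stored mark to the latest time seen; it never moves back."""
    mark = max((read_high_water(state_path), *times))
    with open(state_path, "w", encoding="utf-8") as fh:
        json.dump({"last_seen": mark}, fh)
    return mark


def lower_bound(state_path, evidence_paths=()):
    """Latest moment that local evidence shows has already passed."""
    bound = read_high_water(state_path)
    for path in evidence_paths:
        try:
            bound = max(bound, os.stat(path).st_mtime)
        except OSError:
            continue  # a file that cannot be read adds nothing
    return bound


def decide(network_time, system_time, bound, expiry=EXPIRY):
    """Return (allowed, reason); network_time is None if the lookup failed."""
    if network_time is None:
        return False, "no network time"  # fail closed, as the first post does
    # Any single source that says the date has passed is enough to stop.
    if max(network_time, system_time, bound) >= expiry:
        return False, "expired"
    # A clock reading earlier than files or runs already seen was set back.
    if min(network_time, system_time) + TOLERANCE < bound:
        return False, "clock behind local evidence"
    return True, "ok"
```

The file timestamps and the saved mark only give a lower bound on the current date, and removing the state file resets that bound, so this raises the cost of a clock rollback rather than preventing it.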
>>
>>53709372
also

>Just sue them

Great in theory, in practice I still need to eat here. Six months in court before I get paid would suck.
>>
>>53709410
>There's no "harm," it doesn't affect the end user at all.
Maybe in your case, but my mother sure would like to disagree about all the DRM affecting her daily life.
>>
>>53709287
If anything I would say the best idea would be for the application to phone home, encrypted, to a server OP has set up that only has to be available until 4th April and it doesn't do it at set times.
Like it is not always done on boot but maybe an hour after the application is launched or longer.
If the application talks over the network or Internet then hide it in the traffic.

It'll make it less likely for them to immediately find the traffic or be able to successfully proxy or subvert it.
>>
OP here.

Should also add just FYI that this program will only be functional and useful for a ceiling of 6 months.

At that point I'll be switching to the multi-user server operation. That'll have the security locked up tight as they'll be able to directly spend money within it. I'm thinking PGP for everything from initial logins to routine communication.

Really wish I could launch this system first desu. I'm aiming for $10-15k for this program, and it's only usable by one company at a time.

For the distributed system it could provide its services to the highest bidder at a given time over the day. Could pull up to $1500+ a day with 20 uses @ a peak demand time/price $70-100 ea.

Not really looking for advice on this, just throwing it out there for you.
>>
>>53709344
>>53709323
Yeah I figured out why that doesn't help.

What the fuck am I supposed to compare the creation/modified date to if I don't have a reliable source for the current date?
>>
>>53709244
On my work pc, I can read the hosts file without having to log in to my administrator account. Of course it's different for other companies, but I assume opening a file for read only isn't that locked down for something like hosts.
>>
>>53710094
Make the install pull "necessary" files from your server to install. Those files include a date stamp.
>>
>>53710181
There is no ongoing server yet. The program's just installed in place and has to defend itself.

I haven't incorporated any encryption whatsoever into it, finding libraries that work with VB6 is a pain in the ass. Any file I could create would be pretty basic homebrew encryption I'd write myself.
>>
>>53710181
>>53710197
>set my own system date forward
>create a file with an incorrect future timestamp to be installed in the beginning

Hmmm...
>>
>>53710212
I meant to pull a date stamp from the server itself and use that for comparison. Why would OP have the wrong date stamp?
>>
>>53710227
I'm OP you're replying to. There is no server.

There's just the program, all by itself in the big scary world. That world doesn't include skilled hackers without a significant cost attached.
>>
>>53710238
Well then it sounds like you are going to have to just trust them not to steal.

Or write in a back door and disable it yourself when it expires.
>>
>>53710258
>Well then it sounds like you are going to have to just trust them not to steal.
Haha fuck that. Read up, I'm putting in some basic security measures. Any further is just going to be impractical and not worth the effort, they won't be able to get around my existing measures without expensive professional help + the legal risk.

>Or write in a back door and disable it yourself when it expires.
I have to be upfront about everything that's in it. Somehow I don't think that'd be taken very well.
>>
>>53710283
>Haha fuck that. Read up, I'm putting in some basic security measures. Any further is just going to be impractical and not worth the effort, they won't be able to get around my existing measures without expensive professional help + the legal risk.
Local security measures are easily defeated if they rely on no outside sources for verification. You need to have it at least call on an outside server and unless you are setting up that server yourself, you have no way of ensuring that it won't be bypassed. Like other anons said, you can have it call a nist server and check the hosts file.
>I have to be upfront about everything that's in it. Somehow I don't think that'd be taken very well.
So it's cool if they steal your software but it's not cool if you steal it back?
>>
>>53709149
>You have my program, it's a single .exe, they've said "it stopped working, he said it would stop after April 4, can you fix it?"

Outside of what everyone else has mentioned: disassemble, strip out hard coded connections to external server, re-assemble, use program. Literally the first thing anyone would do is look for network connections.
>>
File: production.png (34 KB, 711x570)
Y'all might also be interested in the projected profit margins this thing will be worth.

I think I'm selling myself a bit short at $10k.
>>
>>53708372
Just contact your *own* server. Use HTTPS (or if you don't have a high-level HTTP lib, manual public-key cryptography for authenticity) to return the current time value.
>>
>>53708650
This code looks terrible. I hope your product fails.
>>
>>53708372
this is a bait thread, right?
>>
File: elim_lg_btn.gif (3 KB, 110x32)
>this massive amount of cucks giving advice to drm shills

https://www.defectivebydesign.org/graphics
>>
>>53708372
Make it always online, if it gets blocked, it doesn't work!
>>
Idk see what ip it's connecting to and analyze the traffic with a sniffer and spoof packets?
>>
File: considerthefollowing.jpg (24 KB, 600x451)
>Do you want TRUE, unbreakable (if done correctly), DRM protection?
Then you have no choice but to retain the program on your servers and only offer them an interface. This is easy enough to simply cut off.

>Do you just want some biz people who have no idea about programming/reverse engineering to prevent the usage?
Then do what you suggested.

>Do you want to prevent said biz people from hiring reverse engineering dudes to figure out your DRM?
see above

Anything that is on their local machine, can be bypassed, no matter how many TPMs are between it, unless your program actually RUNS on a proprietary TPM that is physically protected against reading data from it (i.e. it breaks if someone opens it). It's only a matter of time and resources. So adapt your DRM to your audience.
>>
> supporting DRM
>>
This isn't that complicated. Run a rdp machine and let them access it via login...expire the logins after April 4. Don't give them the software if you don't want them to use it.
>>
>>53709005
If you're poorfag that is.
>>
>>53708372
Ask MS how they do it with Windows10. Editing hosts file fails for telemetry. So y'know, get cracking, nigger
>>
>>53713721
Everybody on this board is a poorfag

If you aren't, show your GTX 980 Ti 4-way SLI and 5K display setup
>>
>>53710197
have it ping the international date/time servers. And if it can't reach them, the program won't work.