Time trials hacking (mac os x)

Time trials hacking

This article aims to give an overall description of various strategies on time trials of software. Its findings are mostly applicable for Mac OS X (Snow Leopard), but some findings are general for other Unices and unix-like systems (Linux). A basic knowledge of Mac (or some other unix or unix-like) system is required.
It is not intended to encourage somebody to repeatedly reset the trial period in purpose to use the commercial software without payment, hence no hints for concrete software are included.

Time trials in general

Time trials allow developers to offer their software to potential customers for a short period of time (generally 2-4 weeks) so the user can explore this software in his preferred settings (own computer, calm place etc.) and decide to buy it. The trial software is sometimes combined with reduced functionality (e.g. if the output is an image, it contains a watermark with the name of the application). After the trial period expires, the application stops work (e.g. Slidepad) or the functionality is significantly reduced (e.g. you cannot save anything — applications from iWork).
Men is generally a curious creature, so he/she wonders how the applications knows, when the trial time started, wether the time trial is over and wether it is possible do some trick (I mean simple trick, not reverse engineering) and reset the trial period.

Common ways how to implement trial time

When you download and install the software with trial time, the application (software) must get know, when the trial period started and wether the trial period is finished. So let’s think how to tell the application the start date of the trial period:
  • The application “phones” home. If it does, anything is possible, so I won’t to analyse this case.
  • The applications look onto “creation” date of its binary (or other) files, for example. This method is a bit pointless, because there is nothing such a “creation date” of a file. There are several timestamps on a file, but each of them can be changed by the system (if you copy files, the new files may have the same timestamps as the original file). Moreover technically speaking such a trial is measured from installation date, which may differ from the first usage date (preinstalled computers). I haven’t met any software which uses this type of starting of the trial period.
  • The application is informed from outside - the most common is probably registration process when you enter your email address on the developer’s page and an email is sent to you with some code you enter into the application. The code contains information about start or end date of the trial and has some redundancy (checksum), so it is not easy to fake the date. The application doesn’t work without the code. Example of such an application: Araxis Merge.
  • Another method which is more comfortable for user is that the application stores silently the information about start of the trial period somewhere in the computer. When the application is run for the first time, a dialog appears with the information that the application is not registered and you have some time to try and explore it. In later runs it usually displays how many days still you can use it. This case looks very appealing for a curious man who wonders: “How is it done”? So we will later explain some basic methods. Example: Apple iWork.
Time trials overview
Time trials overview
I leave aside the question, how the application computes the end of trial period. I assume that it simply takes current date and subtracts the start date. So one can think that it if he/she changes the current date in the computer, the application will think that the trial is not over. Yes, it may work, but please do not try it on unix (unix-like) system, this may lead to unexpected consequences. Moreover Macs use by default NTP (Network Time Protocol) daemon which synchronises the clock (it is convenient for normal user — it always displays the precise time).

Basic analysis

In this section we will analyse in detail the last item from the previous list.
First of all we must say that the information about trial period must be hidden somewhere in the filesystem. I don’t know about any system service where you can store some arbitrary information and then pick it up. So the question is: “Where it is?”. In the following text we will talk about “hidden information” (as developers tend to hide this from the user).
There are several types of installations in Mac OS:
  • classical installation package (.pkg, .mpkg) they are installed by Installer.app (/Applications/Utilities/Installer.app)
  • applications with a special installer (technically there is no reason why it cannot be done by installation package above, developers probably don’t like to reveal their installation process)
  • application bundles — they are just copied into the Applications folder (it is only a convention, they can be run from anywhere), so it can be hardly considered as an installation.
The first 2 groups can possibly store some information during the installation process on any place on the disc (it runs with Administrator privileges), but to be honest I don’t know any such application. The last group cannot store any information, which needs admin privileges. From these sentences we can deduce that it the application itself, not the installer, who stores the hidden information somewhere.

First run

So we run an application from our user account (without admin privileges). The application stores somewhere information that the trial period has started, so guess where it is?
  • Home folder - yes, this is a place where it can write, and it is the only reasonable location.
  • Some other place - as system temporary directory or cache, but it is not very reliable for the developer, because the information may be lost after restart or some regular cleanup (without intention to break anything).
  • Some hidden place on unused part of (physical) disc (there may be some free space after the last partition on the physical disc) — this shouldn’t be possible on unix. However I’ve heard about application on Windows, whose “protection” survived complete reinstallation of the computer.

Macintosh special features

Now it is time to say something more about file system HFS+ used by Mac OS X. For each file, you can store data in the file itself (as expected), then also in so called Resource Fork (see e.g. http://en.wikipedia.org/wiki/Resource_fork) and in extended attributes (http://en.wikipedia.org/wiki/Extended_file_attributes). The later two cases are hidden for normal user (et least at its raw form, e.g. if you “colour” files in Finder, you use the extended attributes), you need use commandline utilities to view them (e.g. lsmac from osxutils, xattr) and it is a bit uncomfortable to display them.

How to find the hidden information

In this section I will describe basic procedure how to find a place where the application stores the information about the trial period.
In the text above we deduced that the hidden information is in the home directory, where it can be in particular?
  • on some regular place - applications are expected to save its preferences in a single file in directory ~/Library/Preferences (e.g. com.apple.iWork.Pages.plist, notice, how the name is created — it is very similar to internet address with reversed order followed by suffix .plist)
  • application support data in directory like ~/Library/Application Support/AppName (e.g. ~/Library/Application Support/DVD Player)
  • somewhere else - rather common case. Very popular are files starting with dot, because they are not displayed in Finder by default.
Let’s meet our new friends which will help us:
  • Finder with hidden files displayed: search internet for “Show hidden files in Finder”. Normally Finder does not display some files (e.g. name starting with dot - so called dot files), because user does not need to see them normally. Or you can use any other file manager.
  • Guest user account - (Mac OS specific) user account home directory is by default created when Guest logs in and deleted when the Guest logs out, so after logging out the application losts its hidden information. It can be enabled in User preferences/User Accounts
  • enabled fast user switching in Mac OS X - you can log in as Guest without logging out from your ordinary account and vice versa.
  • utility fs_usage - open Terminal and type “man fs_usage”
  • Instruments.app - it is a frontend to dtrace utility with, it is installed with XCode (/Developer/Applications/Instruments.app).
  • some other utilities installed together with XCode (in /Developer/Applications/Utilities/) - Property List Editor.app, FileMerge.app
Now I will give some advices, how to find the hidden information ordered from easier to harder.
At first we must clarify, how to check that the trial was reset. Some applications display a big dialog window with information that this as a trial version etc. In the first run and in the consecutive runs it displays only smaller window showing how many days are left. So it is easy to see that the big window appears again. Nevertheless some applications show the same window all the time (so there is no indication that you start the trial period ), so the only clue is number of days left. In such a case you have to wait one or two days, and check the number of days left. In the following text I will only write something like “check wether the trial time was reset”, which may mean to wait one or two days, please keep this in mind (this is the main reason to enable fast user switching - you can continue in work in your regular account).

Step one - preliminary check:

  1. Login as guest and run the application
  2. Now logout and login, once more run the application and check wether the trial time was reset. If yes, you can be sure that the information is stored in the home directory and you can proceed to the step 2. Otherwise it is weird.

Step two - try simple tricks:

  1. Login as guest and run the application
  2. Quit the application
  3. Delete the application’s configuration file (~/Library/Preferences/SOMETHING.plist) and its support directory (~/Library/Application Support/SOMETHING).
  4. Run the application and check wether the trial time was reset. If yes, you are lucky, you can try to investigate, which file is really important (consider also extended attributes).

Step three - use Instruments.app

  1. Log in as Guest (if you are already logged in, log out first).
  2. Run Instruments.app (/Developer/Applications/Instruments.app). From menu on the left hand side select “File System” and then from the menu on the right hand side select “File Activity”.
  3. In the toolbar open the drop down menu called “Launch Executable”, select “Launch Executable” and then “Select” and select your application.
  4. Now click on Record.
  5. The Instruments.app runs your application. The application probably displays some dialog window, where it informs you that you can try it for several days. Click on Try (or something similar) and then Quit the application.
  6. Now study the output from Instruments.app (you can save it and study later–but remember that Guest’s home is deleted when logging out). Look for something suspicious, mainly for created files and writes into files. I recommend to start with “Directory I/O” and look for paths in column marked as “To” (files are usually created as temporary and then renamed). Now go through the files you spot and check their content for anything interesting. Sometimes only existence of the file is important (its “creation” date).
  7. Try to delete suspicious files and check wether the trial time was reset. If yes, you are done. You can play with the files to identify which file is really important.
  8. Sometimes the information is stored in extended attributes, use xattr to display extended attributes of all files in Guest’s home (including /Users/Guest). There will be several items related to ACL (access control list) on several directories, but anything else is suspicious.

Step four - comparing method

  1. Log in as Guest (if you are already logged in, log out first).
  2. Open Terminal and backup all files from the Guest home: tar cvf /tmp/fresh.tar /Users/Guest
  3. Run your application, start the trial period and then Quit the application.
  4. Now backup again all files from the Guest home: tar cvf /tmp/after_run.tar /Users/Guest
  5. Switch to your normal user account
  6. Now move both created files from /tmp somewhere and unpack them into different directories (they both create new directory of the same name). Now use FileMerge.app to compare both directories. Again look for something suspicious.
  7. I’m not sure wether FileMerge.app takes into account extended attributes. Probably not. One solution is to unpack the tars on non-Mac system so the extended attributes will be unpacked as a file with a prefix “._”. However there are not many files where to stick the hidden information. Again you can display all the extended attributes and look for suspicious entries.
  8. Try to delete suspicious files and run the application again. Check wether the trial time was reset. If yes, you can play with the files to identify which file is really important.

Step five - using fs_usage

This is the most painful method, so I use it after failure of previous methods. It is similar to usage of Instruments.app, but uses a different utility.
  1. Log in as Guest (if you are already logged in, log out first).
  2. Prepare Finder so you can run your application on one doubleclick. Every click in Finder usually produces huge list of accesses to files (get names of all files in a directory, get its extended attributes, icons etc.)
  3. Run Terminal and in its preferences set its output buffer size to some large value - 10000 lines should be enough. Enlarge the Terminal window so you can read very long lines (over 100 characters).
  4. In Terminal run fs_usage (consult man page for contingent options)
  5. Run your application, click on Try (or something similar) and then Quit the application.
  6. Switch to Terminal on press Ctrl-c, the fs_usage quits.
  7. Copy from Terminal the output and save it to a text file.
  8. Now study the content of the file. The output from fs_usage may be really huge, so it is really boring activity.
  9. Again, look for anything suspicious.
If you still didn’t manage to reset the trial, it may have two reasons:
  • You’ve omitted something important
  • The developer of the app is really clever.
Previous
Next Post »