Posts
Issue 1
You hate it. You despise it. You dread the crushing reality of your favourite program expiring.
Yes! It's the evaluation version!
Starting today, I will routinely take one program and see if their evaluation version protection really guards against anything.
And before you ask, I will not take on big name companies, I hate getting sued this early in the century.
The target of today is my pals over at InfoSoft Global with their amazing product Fusion Charts.
FC is a set of Flash-based charts for statistical views, from bars to pies to doughnuts and what ever else.
Background Story
While working on an obscure Open Source project (yes, its a shameless plug), I began searching for a better stats system.
Google led me to FusionCharts and I started celebrating... until I saw the results!
As you can see, the chart looks nice, but that ghastly text block has got to go!
By now I already dropped FC, no way I'm putting that thing on the project, and being the law-abiding citizen that I am, the license didn't allow me to.
But this caught my eye:
Higher up they claim the software is fully functional. But now it can't be deployed on any website? That does seem a bit at odds.- Why not?
- What would happen?
- Is it really a full version deep down?
- If so, how do they know when its not "licensed"?
The answer hit me. They check the URL of course.
chart = new FusionCharts("../Charts/MSLine.swf", "ChartId", "600", "350", "0", "0");
That's normal JS for embedding one of the charts, but editing it just ever so slightly...
var chart = new FusionCharts("../Charts/MSLine.swf?=fusioncharts.com", "ChartId", "600", "350", "0", "0");
Removes the restriction immediately!
So much for that protection!
Fix
Without the actual source code, this is a guessing game.
I'm assuming somewhere they just check the URL for the existence of the words "fusioncharts.com". Which is stupid since I clearly show how easy it is to overcome it.
Instead, what they SHOULD be doing is just get the domain part, and check that...
http://www.yourdomain.com/chart.swf?=fusioncharts.com
This gives you www.yourdomain.com, and nope, so Eval it
But then you might ask what about sub domains?
http://fusioncharts.com.yourdomain.com/chart.swf
just get the REAL domain part!
So, InfoSoft Global, great product you have there.
But please fire the moron that coded the evaluation protection.
That is all.
Hi,
ReplyDeleteThanks for letting us know about it. Primarily, we believe in a trust policy and that's why we're the only commercial flash charting component to open-source our product and we provide the full source code even in our Developer license.
If someone has to pirate FusionCharts, he can just visit any site using FusionCharts, take the SWF and use it. We cannot restrict him there too. So our evaluation is just a small roadblock so that not everyone pirates ;-)
But yeah - you showed us a great technique there.
Cheers,
Pallav
FusionCharts Team
Thank you Pallav for that interesting comment. I'm glad to see the company taking an interest.
ReplyDeleteJust do me a favor. Please never claim that FC is Open Source, because its not.
From Wikipedia:
"Open source culture is the creative practice of appropriation and free sharing of found and created content."
Since there is a price-tag attached to the FC source, it is by all definitions not Open Source.