I am currently evaluating VMProtect v3.10.4 (Build 2650) for a Linux x64 console application. I have encountered a critical security concern regarding license persistence and system clock manipulation.
The Scenario:
- I generate a serial number with a specific Expiration Date.
- When the system clock is set to a future date (post-expiry), VMProtectGetSerialNumberState() correctly identifies the license as expired.
- However, if I then manually set the system clock backward to a date within the original validity period, the same serial number becomes valid again. VMProtectGetSerialNumberState() returns 0 (Success), and functions marked as "Lock to Serial Number" execute without issue.
what is the recommended SDK-based method to ensure a license, once expired, cannot be re-validated via clock manipulation?
It's impossible to detect the system clock rollback without getting the real date from the Internet. We can recommenв to use VMProtectActivateLicense and the licensing system will also use the date from your activation server.