AW: OT: locking software to one specific machine?

Jeff Massung massung at gmail.com
Thu Mar 4 14:30:38 EST 2010


On Thu, Mar 4, 2010 at 1:18 PM, Richard Gaskin
<ambassador at fourthworld.com>wrote:

[... snip ...]


> Then write the inverse of the generator to validate your codes, but break
> up the validation into multiple handlers each doing a small part of it,
> using obscure function names strewn all over your code base with lots of
> red-herring handlers with similar names littered among them. Extra bonus
> points if the handlers you call also call others; the more the merrier.
> Anyone tracing your code in a low-level debugger will find it far more
> annoying than it's worth.
>
>
Just a note on the recommendation below (as I do have a lot of experience in
this area), before someone goes and wastes a lot of time coming up with
something awesome that ends up being cracked in a matter of minutes...

1. Don't have this code in one localized place (as Richard already
mentioned).

2. Don't follow the "Extra bonus points" recommendation. This is a *bad
idea*. You want these functions that check reg codes to be extremely small
and obfuscated.

3. You *DO* want to checksum the code that checks regcodes (either the
optimized assembly or the raw script in Rev) and stick that checksum in
several random places throughout the code.

4. Inside the reg check code is also the check against one of those random
checksums with a checksum of itself. You're protecting against someone who
modifies the registration checking code (which is trivial to do).

5. Don't make a global variable that is true if the user is registered and
false if not. This will get hacked in ~2 minutes. Instead, every time you
want to make sure the user is registered, call your check function.

6. Check often, and in random places. If possible, make it a completely
random check (e.g. have a timer or message loop that checks it every 60
seconds, regardless of what the user is doing).

7. Don't error out immediately if the check fails. Instead, you want to wait
and die later on, and oftentimes in subtle ways. For example, suddenly
prompt the user to re-enter their code.

Those are some good starting points.

It should be noted that white-listing reg codes usually isn't a great idea.
Reg codes should be generated from something personal (like the user's email
address), and can be reverse engineered by you if needed. But white-listing
is easy.

Jeff M.
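
The points in this message are aimed at LiveCode, but the mechanics are language-independent. What follows is an added Python illustration written for this archive page; it is not code from Jeff, Richard or the LiveCode project. It shows a registration code derived from the user's email address with HMAC-SHA256 (so the vendor can regenerate it on demand instead of white-listing issued codes, as the last paragraph suggests), a validator that recomputes the answer on every call rather than caching it in a global flag (point 5), and a checksum over the validator's own compiled body so that a modified checker is noticed (points 3 and 4). The vendor secret, the email addresses and the 4x6-character code layout are constructed assumptions.

```python
"""Email-derived registration codes plus an integrity check on the checker.

Constructed Python illustration for the thread above; not LiveCode and not
anyone's shipped licensing code.
"""
import base64
import hashlib
import hmac

# Constructed vendor secret. Whoever holds it can (re)generate any user's
# code, which is why a code derived from the email address needs no
# white-list of issued codes. A secret embedded in a client can be recovered
# by a determined attacker, so this is friction, not proof.
VENDOR_SECRET = b"constructed-example-secret-not-for-production"

GROUPS = 4       # code is printed as 4 groups ...
GROUP_LEN = 6    # ... of 6 base32 characters: 24 chars = 15 bytes of MAC


def _normalize_email(email: str) -> bytes:
    """Case and surrounding whitespace must not change the derived code."""
    return email.strip().lower().encode("utf-8")


def generate_code(email: str, secret: bytes = VENDOR_SECRET) -> str:
    """Vendor side: derive a registration code from the user's email."""
    mac = hmac.new(secret, _normalize_email(email), hashlib.sha256).digest()
    mac_bytes = GROUPS * GROUP_LEN * 5 // 8            # 15 bytes, no padding
    raw = base64.b32encode(mac[:mac_bytes]).decode("ascii")
    return "-".join(raw[i:i + GROUP_LEN] for i in range(0, len(raw), GROUP_LEN))


def validate_code(email: str, code: str, secret: bytes = VENDOR_SECRET) -> bool:
    """Client side: recompute the expected code and compare in constant time.

    Dashes, spaces and letter case in the typed code are ignored.
    """
    supplied = "".join(filter(str.isalnum, code.upper()))
    expected = generate_code(email, secret).replace("-", "")
    return hmac.compare_digest(expected.encode("ascii"), supplied.encode("ascii"))


def fingerprint(func) -> bytes:
    """Checksum of a function's compiled body (bytecode plus constants).

    A shipped product would embed the expected digest as a literal in several
    unrelated places (point 3); here it is captured at import time so the
    example runs stand-alone.
    """
    code = func.__code__
    h = hashlib.sha256(code.co_code)
    h.update(repr(code.co_consts).encode("utf-8"))
    return h.digest()


_EXPECTED_VALIDATOR_FINGERPRINT = fingerprint(validate_code)


def validator_intact() -> bool:
    """True unless the body of validate_code differs from the recorded digest.

    The name is looked up at call time, so swapping in a replacement function
    is detected as well as editing the original (point 4).
    """
    current = fingerprint(validate_code)
    return hmac.compare_digest(current, _EXPECTED_VALIDATOR_FINGERPRINT)


def is_registered(email: str, code: str) -> bool:
    """Recompute on every call instead of trusting a cached global flag."""
    return validator_intact() and validate_code(email, code)


if __name__ == "__main__":
    demo_email = "alice@example.com"          # constructed sample user
    demo_code = generate_code(demo_email)
    print("code for", demo_email, "->", demo_code)
    print("valid for owner:      ", is_registered("Alice@Example.com ", demo_code))
    print("valid for other user: ", is_registered("bob@example.com", demo_code))
```

The integrity check guards the checker, not the secret: anyone who extracts `VENDOR_SECRET` from the client can mint codes for any address, which is why the thread treats these measures as a way to raise the cost of tampering rather than to prevent it.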


