[ANN] LiveCode External to validate the MAS Receipt

Wed May 30 15:27:17 EDT 2012

I'd like to thank Guglielmo fo guiding me through the horrendous process of
creating an external when I knew nothing about C, xCode, or where to put
the darn thing when it's done!
Pete
lcSQL Software <http://www.lcsql.com>

On Wed, May 30, 2012 at 11:50 AM, Guglielmo Braguglia <
guglielmo at braguglia.ch> wrote:

> Dear members of this list,
>
> all of you, with your posts, your information and your suggestions, have
> helped me a lot of times so, this time, I would like to freely share
> something that, I hope, useful for all member involved in development of
> OSX application with LiveCode and interested in publishing their App in Mac
> Apple Store ...
>
> ... a Livecode OSX External to validate the MAS Receipt.
>
> As you probably already know, a user can download from the MAS the
> purchased App on 5 different devices, but ... if inside your App you don't
> validate the "MAS Receipt", ANY user _can make a copy_ and distribute your
> App without any control !
>
> Unfortunately, the code to validate the MAS Receipt, can't be still the
> same because, otherwise, it will be too easy for crackers to discover the
> weak point and to patch the code once and for all. For this reason I think,
> Apple has not provided a fixed 'call' to use, but has provided some
> guidelines :
>
> https://developer.apple.com/**library/mac/#releasenotes/**General/**
> ValidateAppStoreReceipt/_**index.html<https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html>
>
> As you can see, to write a good MAS Receipt Validation code, is not so
> simple, but for this, fortunately, there is on the App Store, a very good
> program, called *Receigen*.
> _Each time_ you run, Receigen generates a complex C  "MAS Receipt
> Validation" source code, where the constants and the strings are
> re-obfuscated, the checks are performed differently, and the code flow
> changes, so ... each time a different, _unique_ code ! (more info on :
> http://receigen.etiemble.com/**index.php<http://receigen.etiemble.com/index.php>
> )
>
> So, starting from this, I developed a very simple External for LiveCode,
> to call the validation process from inside our applications. :-)
>
> You can download the following items from my web server :
>
>    - All you need to build YOUR validation External :
> http://www.phoenixsea.ch/**downloads/phxMASValidate.zip<http://www.phoenixsea.ch/downloads/phxMASValidate.zip>
>
>    - A simple test program that shows how to dynamically load and how to
> call the External : http://www.phoenixsea.ch/**downloads/phxMASValidate_**
> TestProgram.zip<http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip>
>
>    - An 8 minutes video showing "How To Do" : http://www.phoenixsea.ch/**
> downloads/phxMASValidate.mov<http://www.phoenixsea.ch/downloads/phxMASValidate.mov>
>    ... about this video ... I know that probably the slides go too
> quickly, but you can still use the pause/resume button to stop and resume
> the video.
>
> Now, to briefly explain "How to do" ...
>
> 1. with Receigen.app generate your MAS Receipt Validation C code (/DON'T
> FORGET to flag the "Perform only receipt checks" on Advanced Settings/) and
> save in a file named*receigen.h*
>
> 2. go inside phxMASValidate folder and _*replace*_ the file :
> phxMASValidate/phxvalidate/**src/receigen.h with your just generated
>
> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open the
> project phxvalidate.xcodeproj
>
> 4. to avoid problems, first do a "Clean" so ... from the menu bar, select
> Product -> Clean
>
> 5. verify that the 'Release' build is selected, so ... from the menu bar,
> select Product -> Edit Scheme and verify that the Build Configuration is on
> *Release*
>
> 6. still to avoid problems, put YOUR bundle identifier for this external,
> so ... click on the left pane, on the first item (/the project name, with
> blue small icon/) and in the central pane, on the *Info *TAB, the first row
> is 'Bundle Identifier' ... change it (/e.g. com.yourname.phxvalidate/)
>
> 7. build the external, so ... from the menu bar, select Product -> Build
> ... XCode must say : 'Build Succeeded'
>
> 8. you can close XCode ... your external is ready ! You will find it in :
> phxMASValidate/phxvalidate/_**build/Release/phxvalidate.**bundle
>
> 9. Include this external into your livecode app and, on the preOpenStack
> (/... but I suggest to call also in different points of the code to make
> harder the work to crackers/) and call :
>
>    put phxValidateMAS(the filename of this stack) into tRetCode
>
> where the *phxValidateMas* is the name of the C call that you find into my
> source code; the parameter is the Path to the REAL executable that you find
> inside your Mac .app and tRetCode is the return code (/... 0 if all is OK/).
>
> That's all ...
>
> _Important note_ :
> fortunately/unfortunately, LiveCode is not a real common language so, as
> far as I know, there are not LiveCode decompilers and it's not so easy to
> debug a livecode application. The weakness is exactly the external, which
> is a real OSX executable easy to debug and to replace.
> About debugging ... Receigen creates a quite complex code to debug, but
> ... anybody can easily replace the bundle with another one with just
> 'return 0' as return value for my validation call.
> To avoid this, you MUST find a way to _validate the external_ BEFORE using
> it.
> I have spoken with the author of Receigen and, after having explained the
> situation, he also suggested to protect the External with different
> checking.
>
> So, in my programs, I obfuscate the following values :
>
>    - the MD5 of the External CODE (/the real one that you find *_INSIDE_
> *the External bundle/)
>    - the SHA1
>    - the size in bytes
>
> ... and I will check the values each time, before calling the External !
> Quite difficult to work around ...
>
> If you need, don't hesitate to contact me.
>
> Guglielmo
>
> ______________________________**_________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/**mailman/listinfo/use-livecode<http://lists.runrev.com/mailman/listinfo/use-livecode>
>