[ANN] LiveCode External to validate the MAS Receipt

Guglielmo Braguglia guglielmo at braguglia.ch
Mon Sep 14 04:14:55 EDT 2015


Hi Matthias,
I see that "Receigen" is still updated and, probably, is one of the best 
tools.

About the described procedure and how to make the OS X external ... I 
don't know, I haven't tested with the latest versions of OS X and Xcode. So 
... try and let us know :)

Guglielmo

> Matthias Rebbe | M-R-D <mailto:matthias_livecode_150811 at m-r-d.de>
> 13 Sep 2015 23:32 pm
> Hi,
>
> is this still the recommended way to integrate a validation? Or are 
> the information and the recommended tools and downloads outdated?
>
> Regards,
>
> Matthias
>
> Guglielmo Braguglia <mailto:guglielmo at braguglia.ch>
> 30 May 2012 20:50 pm
> Dear members of this list,
>
> all of you, with your posts, your information and your suggestions, 
> have helped me a lot of times so, this time, I would like to freely 
> share something that, I hope, is useful for all members involved in 
> the development of OS X applications with LiveCode and interested in 
> publishing their App in Mac Apple Store ...
>
> ... a Livecode OSX External to validate the MAS Receipt.
>
> As you probably already know, a user can download from the MAS the 
> purchased App on 5 different devices, but ... if inside your App you 
> don't validate the "MAS Receipt", ANY user _can make a copy_ and 
> distribute your App without any control !
>
> Unfortunately, the code to validate the MAS Receipt can't always be 
> the same because, otherwise, it will be too easy for crackers to 
> discover the weak point and to patch the code once and for all. For 
> this reason, I think, Apple has not provided a fixed 'call' to use, but 
> has provided some guidelines :
>
> https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
>
> As you can see, writing good MAS Receipt Validation code is not so 
> simple, but for this, fortunately, there is on the App Store a very 
> good program, called *Receigen*.
> _Each time_ you run it, Receigen generates a complex C "MAS Receipt 
> Validation" source code, where the constants and the strings are 
> re-obfuscated, the checks are performed differently, and the code flow 
> changes, so … each time a different, _unique_ code ! (more info on : 
> http://receigen.etiemble.com/index.php)
>
> So, starting from this, I developed a very simple External for 
> LiveCode, to call the validation process from inside our applications. 
> :-)
>
> You can download the following items from my web server :
>
>     - All you need to build YOUR validation External : 
> http://www.phoenixsea.ch/downloads/phxMASValidate.zip
>
>     - A simple test program that shows how to dynamically load and how 
> to call the External : 
> http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip
>
>     - An 8 minutes video showing "How To Do" : 
> http://www.phoenixsea.ch/downloads/phxMASValidate.mov
>     ... about this video ... I know that probably the slides go too 
> quickly, but you can still use the pause/resume button to stop and 
> resume the video.
>
> Now, to briefly explain "How to do" ...
>
> 1. with Receigen.app generate your MAS Receipt Validation C code 
> (/DON'T FORGET to flag the "Perform only receipt checks" on Advanced 
> Settings/) and save it in a file named *receigen.h*
>
> 2. go inside phxMASValidate folder and _*replace*_ the file : 
> phxMASValidate/phxvalidate/src/receigen.h with your just generated
>
> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open 
> the project phxvalidate.xcodeproj
>
> 4. to avoid problems, first do a "Clean" so ... from the menu bar, 
> select Product -> Clean
>
> 5. verify that the 'Release' build is selected, so ... from the menu 
> bar, select Product -> Edit Scheme and verify that the Build 
> Configuration is on *Release*
>
> 6. still to avoid problems, put YOUR bundle identifier for this 
> external, so ... click on the left pane, on the first item (/the 
> project name, with blue small icon/) and in the central pane, on the 
> *Info* TAB, the first row is 'Bundle Identifier' ... change it (/e.g. 
> com.yourname.phxvalidate/)
>
> 7. build the external, so ... from the menu bar, select Product -> 
> Build ... XCode must say : 'Build Succeeded'
>
> 8. you can close XCode ... your external is ready ! You will find it 
> in : phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
>
> 9. Include this external in your LiveCode app and, in the 
> preOpenStack (/... but I suggest calling it also at different points of 
> the code to make the crackers' work harder/), call :
>
>     put phxValidateMAS(the filename of this stack) into tRetCode
>
> where *phxValidateMas* is the name of the C call that you find 
> in my source code; the parameter is the Path to the REAL executable 
> that you find inside your Mac .app and tRetCode is the return code 
> (/... 0 if all is OK/).
>
> That's all ...
>
> _Important note_ :
> fortunately/unfortunately, LiveCode is not a really common language so, 
> as far as I know, there are no LiveCode decompilers and it's not so 
> easy to debug a LiveCode application. The weakness is exactly the 
> external, which is a real OSX executable, easy to debug and to replace.
> About debugging ... Receigen creates a quite complex code to debug, 
> but ... anybody can easily replace the bundle with another one with 
> just 'return 0' as return value for my validation call.
> To avoid this, you MUST find a way to _validate the external_ BEFORE 
> using it.
> I have spoken with the author of Receigen and, after I explained 
> the situation, he also suggested protecting the External with 
> different checks.
>
> So, in my programs, I obfuscate the following values :
>
>     - the MD5 of the External CODE (/the real one that you find 
> *_INSIDE_* the External bundle/)
>     - the SHA1
>     - the size in bytes
>
> ... and I will check the values each time, before calling the External 
> ! Quite difficult to work around ...
>
> If you need, don't hesitate to contact me.
>
> Guglielmo
>
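The check described at the end of the 2012 post (compare the size, MD5 and SHA1 of the executable inside the external bundle with values recorded at build time, before calling the external), written out as an added example; it is not part of the original posts or of the phxMASValidate download. The three constants are placeholders, the handler names `hexOf`, `externalIsIntact` and `receiptIsValid` are hypothetical, and the path passed in is assumed to point at the executable inside your built `phxvalidate.bundle`.

```livecode
-- Added example, not from phxMASValidate. The three constants are
-- placeholders: record them from YOUR Release build of the external.
-- (The post obfuscates these values; they are plain here for clarity.)
constant kExpectedSize = 0
constant kExpectedMD5 = "<md5-hex-of-your-build>"
constant kExpectedSHA1 = "<sha1-hex-of-your-build>"

-- Lower-case hex string of a binary digest
function hexOf pBinary
   local tHex
   get binaryDecode("H*", pBinary, tHex)
   return toLower(tHex)
end hexOf

-- True only if the file at pCodePath matches all three recorded values.
-- pCodePath is the executable INSIDE the bundle, not the bundle folder.
function externalIsIntact pCodePath
   local tData
   if there is no file pCodePath then return false
   put URL ("binfile:" & pCodePath) into tData
   if the result is not empty then return false
   if length(tData) is not kExpectedSize then return false
   if hexOf(md5Digest(tData)) is not kExpectedMD5 then return false
   if hexOf(sha1Digest(tData)) is not kExpectedSHA1 then return false
   return true
end externalIsIntact

-- Hypothetical wrapper: call the external only when it is intact,
-- and accept the receipt only when phxValidateMAS returns 0.
function receiptIsValid pCodePath
   if not externalIsIntact(pCodePath) then return false
   return (phxValidateMAS(the filename of this stack) is 0)
end receiptIsValid
```

Because a rebuilt external has a different size and different digests, the three constants have to be recorded again after every build of the bundle.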



