[ANN] LiveCode External to validate the MAS Receipt
Matthias Rebbe | M-R-D
matthias_livecode_150811 at m-r-d.de
Mon Sep 14 04:47:47 EDT 2015
Hi Guglielmo,
> Am 14.09.2015 um 10:14 schrieb Guglielmo Braguglia <guglielmo at braguglia.ch>:
>
> Hi Matthias,
> I see that "Receigen" is still updated and, probably, is one of the best tools.
>
> About the described procedure and how to make the OS X external ... I don't know, I don't have tested with last versions of OS X and Xcode. So ... try and let we know :)
>
The reason why i asked was to avoid buying receigen.app and then finding out that it does not work anymore.
But i will take the risk and will let you know.
Regards,
Matthias
> Guglielmo
>
>> Matthias Rebbe | M-R-D <mailto:matthias_livecode_150811 at m-r-d.de>
>> 13 Sep 2015 23:32 pm
>> Hi,
>>
>> is this still the recommended way to integrate a validation? Or are the information and the recommended tools and downloads outdated?
>>
>> Regards,
>>
>> Matthias
>>
>>
>>
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>> Guglielmo Braguglia <mailto:guglielmo at braguglia.ch>
>> 30 May 2012 20:50 pm
>> Dear members of this list,
>>
>> all of you, with your posts, your information and your suggestions, have helped me a lot of times so, this time, I would like to freely share something that, I hope, useful for all member involved in development of OSX application with LiveCode and interested in publishing their App in Mac Apple Store ...
>>
>> ... a Livecode OSX External to validate the MAS Receipt.
>>
>> As you probably already know, a user can download from the MAS the purchased App on 5 different devices, but ... if inside your App you don't validate the "MAS Receipt", ANY user _can make a copy_ and distribute your App without any control !
>>
>> Unfortunately, the code to validate the MAS Receipt, can't be still the same because, otherwise, it will be too easy for crackers to discover the weak point and to patch the code once and for all. For this reason I think, Apple has not provided a fixed 'call' to use, but has provided some guidelines :
>>
>> https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
>>
>> As you can see, to write a good MAS Receipt Validation code, is not so simple, but for this, fortunately, there is on the App Store, a very good program, called *Receigen*.
>> _Each time_ you run, Receigen generates a complex C "MAS Receipt Validation" source code, where the constants and the strings are re-obfuscated, the checks are performed differently, and the code flow changes, so … each time a different, _unique_ code ! (more info on : http://receigen.etiemble.com/index.php)
>>
>> So, starting from this, I developed a very simple External for LiveCode, to call the validation process from inside our applications. :-)
>>
>> You can download the following items from my web server :
>>
>> - All you need to build YOUR validation External : http://www.phoenixsea.ch/downloads/phxMASValidate.zip
>>
>> - A simple test program that shows how to dynamically load and how to call the External : http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip
>>
>> - An 8 minutes video showing "How To Do" : http://www.phoenixsea.ch/downloads/phxMASValidate.mov
>> ... about this video ... I know that probably the slides go too quickly, but you can still use the pause/resume button to stop and resume the video.
>>
>> Now, to briefly explain "How to do" ...
>>
>> 1. with Receigen.app generate your MAS Receipt Validation C code (/DON'T FORGET to flag the "Perform only receipt checks" on Advanced Settings/) and save in a file named*receigen.h*
>>
>> 2. go inside phxMASValidate folder and _*replace*_ the file : phxMASValidate/phxvalidate/src/receigen.h with your just generated
>>
>> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open the project phxvalidate.xcodeproj
>>
>> 4. to avoid problems, first do a "Clean" so ... from the menu bar, select Product -> Clean
>>
>> 5. verify that the 'Release' build is selected, so ... from the menu bar, select Product -> Edit Scheme and verify that the Build Configuration is on *Release*
>>
>> 6. still to avoid problems, put YOUR bundle identifier for this external, so ... click on the left pane, on the first item (/the project name, with blue small icon/) and in the central pane, on the *Info *TAB, the first row is 'Bundle Identifier' ... change it (/e.g. com.yourname.phxvalidate/)
>>
>> 7. build the external, so ... from the menu bar, select Product -> Build ... XCode must say : 'Build Succeeded'
>>
>> 8. you can close XCode ... your external is ready ! You will find it in : phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
>>
>> 9. Include this external into your livecode app and, on the preOpenStack (/... but I suggest to call also in different points of the code to make harder the work to crackers/) and call :
>>
>> put phxValidateMAS(the filename of this stack) into tRetCode
>>
>> where the *phxValidateMas* is the name of the C call that you find into my source code; the parameter is the Path to the REAL executable that you find inside your Mac .app and tRetCode is the return code (/... 0 if all is OK/).
>>
>> That's all ...
>>
>> _Important note_ :
>> fortunately/unfortunately, LiveCode is not a real common language so, as far as I know, there are not LiveCode decompilers and it's not so easy to debug a livecode application. The weakness is exactly the external, which is a real OSX executable easy to debug and to replace.
>> About debugging ... Receigen creates a quite complex code to debug, but ... anybody can easily replace the bundle with another one with just 'return 0' as return value for my validation call.
>> To avoid this, you MUST find a way to _validate the external_ BEFORE using it.
>> I have spoken with the author of Receigen and, after having explained the situation, he also suggested to protect the External with different checking.
>>
>> So, in my programs, I obfuscate the following values :
>>
>> - the MD5 of the External CODE (/the real one that you find *_INSIDE_ *the External bundle/)
>> - the SHA1
>> - the size in bytes
>>
>> ... and I will check the values each time, before calling the External ! Quite difficult to work around ...
>>
>> If you need, don't hesitate to contact me.
>>
>> Guglielmo
>>
>
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
More information about the use-livecode
mailing list