[ANN] LiveCode External to validate the MAS Receipt

Guglielmo Braguglia guglielmo at braguglia.ch
Wed May 30 14:50:47 EDT 2012 

Dear members of this list,

all of you, with your posts, your information and your suggestions, have 
helped me a lot of times so, this time, I would like to freely share 
something that, I hope, useful for all member involved in development of 
OSX application with LiveCode and interested in publishing their App in 
Mac Apple Store ...

... a Livecode OSX External to validate the MAS Receipt.

As you probably already know, a user can download from the MAS the 
purchased App on 5 different devices, but ... if inside your App you 
don't validate the "MAS Receipt", ANY user _can make a copy_ and 
distribute your App without any control !

Unfortunately, the code to validate the MAS Receipt, can't be still the 
same because, otherwise, it will be too easy for crackers to discover 
the weak point and to patch the code once and for all. For this reason I 
think, Apple has not provided a fixed 'call' to use, but has provided 
some guidelines :

https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html

As you can see, to write a good MAS Receipt Validation code, is not so 
simple, but for this, fortunately, there is on the App Store, a very 
good program, called *Receigen*.
_Each time_ you run, Receigen generates a complex C  "MAS Receipt 
Validation" source code, where the constants and the strings are 
re-obfuscated, the checks are performed differently, and the code flow 
changes, so ... each time a different, _unique_ code ! (more info on : 
http://receigen.etiemble.com/index.php)

So, starting from this, I developed a very simple External for LiveCode, 
to call the validation process from inside our applications. :-)

You can download the following items from my web server :

     - All you need to build YOUR validation External : 
http://www.phoenixsea.ch/downloads/phxMASValidate.zip

     - A simple test program that shows how to dynamically load and how 
to call the External : 
http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip

     - An 8 minutes video showing "How To Do" : 
http://www.phoenixsea.ch/downloads/phxMASValidate.mov
     ... about this video ... I know that probably the slides go too 
quickly, but you can still use the pause/resume button to stop and 
resume the video.

Now, to briefly explain "How to do" ...

1. with Receigen.app generate your MAS Receipt Validation C code (/DON'T 
FORGET to flag the "Perform only receipt checks" on Advanced Settings/) 
and save in a file named*receigen.h*

2. go inside phxMASValidate folder and _*replace*_ the file : 
phxMASValidate/phxvalidate/src/receigen.h with your just generated

3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open 
the project phxvalidate.xcodeproj

4. to avoid problems, first do a "Clean" so ... from the menu bar, 
select Product -> Clean

5. verify that the 'Release' build is selected, so ... from the menu 
bar, select Product -> Edit Scheme and verify that the Build 
Configuration is on *Release*

6. still to avoid problems, put YOUR bundle identifier for this 
external, so ... click on the left pane, on the first item (/the project 
name, with blue small icon/) and in the central pane, on the *Info *TAB, 
the first row is 'Bundle Identifier' ... change it (/e.g. 
com.yourname.phxvalidate/)

7. build the external, so ... from the menu bar, select Product -> Build 
... XCode must say : 'Build Succeeded'

8. you can close XCode ... your external is ready ! You will find it in 
: phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle

9. Include this external into your livecode app and, on the preOpenStack 
(/... but I suggest to call also in different points of the code to make 
harder the work to crackers/) and call :

     put phxValidateMAS(the filename of this stack) into tRetCode

where the *phxValidateMas* is the name of the C call that you find into 
my source code; the parameter is the Path to the REAL executable that 
you find inside your Mac .app and tRetCode is the return code (/... 0 if 
all is OK/).

That's all ...

_Important note_ :
fortunately/unfortunately, LiveCode is not a real common language so, as 
far as I know, there are not LiveCode decompilers and it's not so easy 
to debug a livecode application. The weakness is exactly the external, 
which is a real OSX executable easy to debug and to replace.
About debugging ... Receigen creates a quite complex code to debug, but 
... anybody can easily replace the bundle with another one with just 
'return 0' as return value for my validation call.
To avoid this, you MUST find a way to _validate the external_ BEFORE 
using it.
I have spoken with the author of Receigen and, after having explained 
the situation, he also suggested to protect the External with different 
checking.

So, in my programs, I obfuscate the following values :

     - the MD5 of the External CODE (/the real one that you find 
*_INSIDE_ *the External bundle/)
     - the SHA1
     - the size in bytes

... and I will check the values each time, before calling the External ! 
Quite difficult to work around ...

If you need, don't hesitate to contact me.

Guglielmo

More information about the use-livecode mailing list