[ANN] LiveCode External to validate the MAS Receipt
guglielmo at braguglia.ch
Mon Sep 14 04:14:55 EDT 2015
I see that "Receigen" is still updated and, probably, is one of the best
About the described procedure and how to make the OS X external ... I
don't know, I don't have tested with last versions of OS X and Xcode. So
... try and let we know :)
> Matthias Rebbe | M-R-D <mailto:matthias_livecode_150811 at m-r-d.de>
> 13 Sep 2015 23:32 pm
> is this still the recommended way to integrate a validation? Or are
> the information and the recommended tools and downloads outdated?
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> Guglielmo Braguglia <mailto:guglielmo at braguglia.ch>
> 30 May 2012 20:50 pm
> Dear members of this list,
> all of you, with your posts, your information and your suggestions,
> have helped me a lot of times so, this time, I would like to freely
> share something that, I hope, useful for all member involved in
> development of OSX application with LiveCode and interested in
> publishing their App in Mac Apple Store ...
> ... a Livecode OSX External to validate the MAS Receipt.
> As you probably already know, a user can download from the MAS the
> purchased App on 5 different devices, but ... if inside your App you
> don't validate the "MAS Receipt", ANY user _can make a copy_ and
> distribute your App without any control !
> Unfortunately, the code to validate the MAS Receipt, can't be still
> the same because, otherwise, it will be too easy for crackers to
> discover the weak point and to patch the code once and for all. For
> this reason I think, Apple has not provided a fixed 'call' to use, but
> has provided some guidelines :
> As you can see, to write a good MAS Receipt Validation code, is not so
> simple, but for this, fortunately, there is on the App Store, a very
> good program, called *Receigen*.
> _Each time_ you run, Receigen generates a complex C "MAS Receipt
> Validation" source code, where the constants and the strings are
> re-obfuscated, the checks are performed differently, and the code flow
> changes, so … each time a different, _unique_ code ! (more info on :
> So, starting from this, I developed a very simple External for
> LiveCode, to call the validation process from inside our applications.
> You can download the following items from my web server :
> - All you need to build YOUR validation External :
> - A simple test program that shows how to dynamically load and how
> to call the External :
> - An 8 minutes video showing "How To Do" :
> ... about this video ... I know that probably the slides go too
> quickly, but you can still use the pause/resume button to stop and
> resume the video.
> Now, to briefly explain "How to do" ...
> 1. with Receigen.app generate your MAS Receipt Validation C code
> (/DON'T FORGET to flag the "Perform only receipt checks" on Advanced
> Settings/) and save in a file named*receigen.h*
> 2. go inside phxMASValidate folder and _*replace*_ the file :
> phxMASValidate/phxvalidate/src/receigen.h with your just generated
> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open
> the project phxvalidate.xcodeproj
> 4. to avoid problems, first do a "Clean" so ... from the menu bar,
> select Product -> Clean
> 5. verify that the 'Release' build is selected, so ... from the menu
> bar, select Product -> Edit Scheme and verify that the Build
> Configuration is on *Release*
> 6. still to avoid problems, put YOUR bundle identifier for this
> external, so ... click on the left pane, on the first item (/the
> project name, with blue small icon/) and in the central pane, on the
> *Info *TAB, the first row is 'Bundle Identifier' ... change it (/e.g.
> 7. build the external, so ... from the menu bar, select Product ->
> Build ... XCode must say : 'Build Succeeded'
> 8. you can close XCode ... your external is ready ! You will find it
> in : phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
> 9. Include this external into your livecode app and, on the
> preOpenStack (/... but I suggest to call also in different points of
> the code to make harder the work to crackers/) and call :
> put phxValidateMAS(the filename of this stack) into tRetCode
> where the *phxValidateMas* is the name of the C call that you find
> into my source code; the parameter is the Path to the REAL executable
> that you find inside your Mac .app and tRetCode is the return code
> (/... 0 if all is OK/).
> That's all ...
> _Important note_ :
> fortunately/unfortunately, LiveCode is not a real common language so,
> as far as I know, there are not LiveCode decompilers and it's not so
> easy to debug a livecode application. The weakness is exactly the
> external, which is a real OSX executable easy to debug and to replace.
> About debugging ... Receigen creates a quite complex code to debug,
> but ... anybody can easily replace the bundle with another one with
> just 'return 0' as return value for my validation call.
> To avoid this, you MUST find a way to _validate the external_ BEFORE
> using it.
> I have spoken with the author of Receigen and, after having explained
> the situation, he also suggested to protect the External with
> different checking.
> So, in my programs, I obfuscate the following values :
> - the MD5 of the External CODE (/the real one that you find
> *_INSIDE_ *the External bundle/)
> - the SHA1
> - the size in bytes
> ... and I will check the values each time, before calling the External
> ! Quite difficult to work around ...
> If you need, don't hesitate to contact me.
More information about the use-livecode