I need help with adding verification to my program. What I essentially want to happen is when they purchase the program they get sent an activation email containing their code then when they install the program it asks for and needs to match up with the code from the email.
It sounds like you're asking for help designing a serial number system. You could look at this post for a basic method of doing it. Ultimately, it doesn't need to be complex unless your app will be very widely used.
Related
I created expect script for customer and i fear to customize it like he want without returning to me so I tried to encrypt it but i didn't find a way for it
Then I tried to convert it to excutable but some commands was recognized by active tcl like "send" command even it is working perfectly on red hat
So is there a way to protect my script to be reading?
Thanks
It's usually enough to just package the code in a form that the user can't directly look inside. Even the smallest of speed-bump stops them.
You can use sdx qwrap to parcel your script up into a starkit. Those are reasonably resistant to random user poking, while being still technically open (the sdx tool is freely available, after all). You can convert the .kit file it creates into an executable by merging it with a packaged runtime.
In short, it's basically like this (with some complexity glossed over):
tclkit sdx.kit qwrap myapp.tcl
tclkit sdx.kit unwrap myapp.kit
# Copy additional assets into myapp.vfs if you need to
tclkit sdx.kit wrap myapp.exe -runtime C:\path\to\tclkit.exe
More discussion is here, the tclkit runtimes are here, and sdx itself can be obtained in .kit-packaged form here. Note that the runtime you use to run sdx does not need to be the same that you package; you can deploy code for other platforms than the one you are running from. This is a packaging phase action, not a compilation or linking.
Against more sophisticated users (i.e., not Joe Ordinary User) you'll want the Tcl Compiler out of the ActiveState TclDevKit. It's a code-obscurer formally (it doesn't actually improve the performance of anything) and the TDK isn't particularly well supported any more, but it's the main current solution for commercial protection of Tcl code. I'm on a small team working on a true compiler that will effectively offer much stronger protection, but that's not yet released (and really isn't ready yet).
One way is to store the essential code running in your server as back-end. Just give the user a fron-end application to do the requests. This way essential processes are on your control, and user cannot access that code.
Can using the checksum of a file somehow prevent (hinder) piracy? Perhaps I could calculate the checksum of my final exe and then at random intervals, have the exe check the checksum of itself, to ensure that it hasn't been tampered with?
EDIT:
I guess I was a bit naive with my original question. There is a link to an interview with a cracker here:
http://successfulsoftware.net/2011/04/07/interview-with-a-cracker/
"
What are the commonest mistakes software developers make related to security?
In no particular order:
Not integrity checking against patching.
"
So how would I implement the cracker's suggestion?
Checksumming a product doesn't stop piracy, it simply indicates that the item being checksummed may have changed. It doesn't stop people copying your application to a new machine. This means that you will have to use some other method to tie the product to a machine or user.
It can also be kind of difficult to calculate the checksum of a product, then insert that into the product somehow so that the product may check itself, and that action actually changes the application which will also change the checksum.... if you see what i mean.
Generally a cracker will modify your executable to remove your security checks (e.g. that check if they have a valid licence key). If your product is on Windows and has been digitally signed, you can use WinVerifyTrust() to check if it has been tampered with and then refuse to run. The cracker can of course remove your calls to WinVerifyTrust(), but it makes his job harder.
To make it harder for the cracker:
use a preprocessor/inlining to make sure the checks can't be removed by changing a single function
do a longjmp, goto or pass through the event loop before exiting, that makes it harder to locate the check
use random numbers to only make each check only run intermittently, then they can't be sure if they have removed all the checks
Note that it isn't worth obsessing too much about security. You are much better spending that time making your product, marketing and support awesome. A more secure product is just more of a challenge to a cracker. If Adobe can't stop people cracking Photoshop, what chance of you got? Just do enough to make sure it isn't too easy.
There is this executable that is packed however neither peid nor protection_id nor RDG tell me what it is, as they dont know.
How do i go about finding the packer?
Or what if its' custom made?
It could easily have been derived from another packer in such a way as to destroy the signature by which the packer is recognized by those tools. Someone with experience looking at packed binaries might be able to detect obvious signs that it originated from a specific tool, but if all three tools fail to detect it, there's a good chances that it's custom made. A sign that it's custom made would be if the unpacking code is fairly simple and doesn't go through more than a few KB of code before executing the payload. Also look for signs that it doesn't look like it could pack generic program binaries.
i have been programing in vc++ for sometime and i want to make some free software for people to use but i really don't want people to have a unprotected copy of my work. i just use what ever vc++ 2008 has when i build in right now so i don't know if it is encrypted or now. i don't need something that is top of the line i was just hopeing for something free and it would encrypt my project before i gave it out.
You need to start by thinking about what you want people to be able to do with your code, and what you want people not to be able to do. If all you want is that people can run your code, but can't change it (without significant difficulty) and can't see how you're doing what you're doing, then you can simply compile the program with your compiler, and send them the executable code. This is the way in which much commercial, paid-for software is distributed: as an example, if you buy a copy of Microsoft Word, you get an executable program which you can install on your machine and run, but you don't get the source code from which it was built. This means that you can't make changes to Word if you want to fix a problem or change the way in which it works.
If what you want it more complicated than this, please tell us what you want various people to be able to do and not do, and we'll try to help.
Well, "free software" can mean one of two things- free as in beer or free as in freedom. It sounds like you're looking for the first of the two.
I'd say don't bother with encrypting it. If you're distributing a compiled program, there's really no way to prevent someone from reverse engineering it if they wanted to... which is unlikely if your program is free anyway. Same goes if you're distributing the source. Encrypt it all you like, but all it takes is one person with a decrypted copy to redistribute it.
no one is going to use any 3rd party library if it can't be maintainable/debugable(because you don't want to provide source code)
its like installing unknown program on your computer... you never know that's gonna happen
if you really want to release it, then you might split it and release it in parts?
or maybe someone is already doing something like you.. check github for example
i don't really get what you want, maybe you just want to encrypt your project files?
if you want to encrypt it with free software why don't just compress and put password, for example you can use 7-zip, the encryption is AES-256 bit which is really good, no one can break it, except maybe NSA.
I need to write a small program that can detect that it has been changed. Please give me a suggestion!
Thank you.
The short answer is to create a hash or key of the program and have the program encrypt and store that key within itself. From time to time the program would make a checksum of itself and compare it against that hash/key. If there is a difference then handle it accordingly.
There are lots and lots of ways to go about this. There are lots of very smart engineers out there that know how to work around it if that is what you are trying to avoid.
The simplest way would be to use a hash function to generate a short code which is a digest of the whole program and then check this.
It would be fairly easy to debug the code and replace the hash value to subvert this.
A better way would be to generate a digital signature using your private key and with the public key in the program to check it.
This would then require changing the public key and the hash as well as understanding the program, or changing the program code itself to subvert the check.
All you can do in the case described so far is make it more difficult to subvert but it will be possible with a certain amount of effort. I'd suggest looking into cryptographic techniques and copy protection for more information to suit your specific case.
Do you mean that program 'foo' should be able to tell if some part of it was modified prior to / during run time? That's not the responsibility of the program, its the responsibility of the security hooks in the target OS.
For instance, if the installed and trusted 'foo' has signature "xyz1234" , the kernel should refuse to run a modified (or completely new) 'foo'. The same goes for 'foo' while its currently running in memory. Look up 'Trusted Path Of Execution', aka TPE to start.
A better question to ask would be how to sign your released version of 'foo', which depends upon your target platform.
try searching for "code signing"
The easiest way would be for the program to detect its own md5 and store that in a separate file, but this isn't totally secure. An MD5 + CRC might work slightly better.
Or as others here have suggested, a sha1, sha2 or sha3 which are much more secure than md5 currently.
I'd ask an external tool to do the check. This problem reminds me of the challenge to write a program that prints itself. In Bash you could do something like this:
#!/bin/bash
cat $0
which really asks for an external tool to do the job. It's kind of solving the problem by getting away from solving the problem...
The best option is going to be code signing -- either using a tool supplied by your local friendly OS (For example, If you're targeting Windows, you probably want to take a look at Authenticode where the Operating System handles the tampering), or by rolling your own option storing MD5 hashes and comparing
It is important to remember that bets are off if someone injects a thread into your process (to potentially kill your ongoing checks, etc.), or if they tamper with your compiled application to bypass said checks.
An alternative way which wasn't mentioned is to use a binary packer such as UPX.
If the binary gets changed on the disk then the unpacking code is likely to fail.
This however doesn't protect you if someone changes the binary while it is in memory.