Hi Matthias,
I see that "Receigen" is still updated and, probably, is one of the best
tools.
About the described procedure and how to make the OS X external ... I
don't know, I haven't tested with the latest versions of OS X and Xcode. So
... try and let us know :)
Guglielmo
Matthias Rebbe | M-R-D <mailto:matthias_livecode_150...@m-r-d.de>
13 Sep 2015 23:32 pm
Hi,
is this still the recommended way to integrate a validation? Or are
the information and the recommended tools and downloads outdated?
Regards,
Matthias
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Guglielmo Braguglia <mailto:guglie...@braguglia.ch>
30 May 2012 20:50 pm
Dear members of this list,
all of you, with your posts, your information and your suggestions,
have helped me a lot of times so, this time, I would like to freely
share something that, I hope, is useful for all members involved in
the development of OSX applications with LiveCode and interested in
publishing their App in the Mac App Store ...
... a Livecode OSX External to validate the MAS Receipt.
As you probably already know, a user can download from the MAS the
purchased App on 5 different devices, but ... if inside your App you
don't validate the "MAS Receipt", ANY user _can make a copy_ and
distribute your App without any control !
Unfortunately, the code to validate the MAS Receipt can't always be
the same because, otherwise, it would be too easy for crackers to
discover the weak point and to patch the code once and for all. For
this reason, I think, Apple has not provided a fixed 'call' to use, but
has provided some guidelines :
https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
As you can see, writing good MAS Receipt Validation code is not so
simple, but for this, fortunately, there is on the App Store a very
good program, called *Receigen*.
_Each time_ you run it, Receigen generates a complex C "MAS Receipt
Validation" source code, where the constants and the strings are
re-obfuscated, the checks are performed differently, and the code flow
changes, so … each time a different, _unique_ code ! (more info on :
http://receigen.etiemble.com/index.php)
So, starting from this, I developed a very simple External for
LiveCode, to call the validation process from inside our applications.
:-)
You can download the following items from my web server :
- All you need to build YOUR validation External :
http://www.phoenixsea.ch/downloads/phxMASValidate.zip
- A simple test program that shows how to dynamically load and how
to call the External :
http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip
- An 8-minute video showing "How To Do" :
http://www.phoenixsea.ch/downloads/phxMASValidate.mov
... about this video ... I know that probably the slides go too
quickly, but you can still use the pause/resume button to stop and
resume the video.
Now, to briefly explain "How to do" ...
1. with Receigen.app generate your MAS Receipt Validation C code
(/DON'T FORGET to flag the "Perform only receipt checks" on Advanced
Settings/) and save it in a file named *receigen.h*
2. go inside the phxMASValidate folder and _*replace*_ the file :
phxMASValidate/phxvalidate/src/receigen.h with the one you just generated
3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open
the project phxvalidate.xcodeproj
4. to avoid problems, first do a "Clean" so ... from the menu bar,
select Product -> Clean
5. verify that the 'Release' build is selected, so ... from the menu
bar, select Product -> Edit Scheme and verify that the Build
Configuration is on *Release*
6. still to avoid problems, put YOUR bundle identifier for this
external, so ... click on the left pane, on the first item (/the
project name, with blue small icon/) and in the central pane, on the
*Info* TAB, the first row is 'Bundle Identifier' ... change it (/e.g.
com.yourname.phxvalidate/)
7. build the external, so ... from the menu bar, select Product ->
Build ... XCode must say : 'Build Succeeded'
8. you can close XCode ... your external is ready ! You will find it
in : phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
9. Include this external in your LiveCode app and, on the
preOpenStack (/... but I suggest calling it also at different points of
the code to make the crackers' work harder/), call :
put phxValidateMAS(the filename of this stack) into tRetCode
where *phxValidateMas* is the name of the C call that you find
in my source code; the parameter is the path to the REAL executable
that you find inside your Mac .app and tRetCode is the return code
(/... 0 if all is OK/).
That's all ...
_Important note_ :
fortunately/unfortunately, LiveCode is not a really common language so,
as far as I know, there are no LiveCode decompilers and it's not so
easy to debug a LiveCode application. The weakness is exactly the
external, which is a real OSX executable, easy to debug and to replace.
About debugging ... Receigen creates code that is quite complex to debug,
but ... anybody can easily replace the bundle with another one with
just 'return 0' as return value for my validation call.
To avoid this, you MUST find a way to _validate the external_ BEFORE
using it.
I have spoken with the author of Receigen and, after I explained
the situation, he also suggested protecting the External with
different checks.
So, in my programs, I obfuscate the following values :
- the MD5 of the External CODE (/the real one that you find
*_INSIDE_* the External bundle/)
- the SHA1
- the size in bytes
... and I will check the values each time, before calling the External
! Quite difficult to work around ...
If you need, don't hesitate to contact me.
Guglielmo
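
Added example, not part of the original post or of the phxMASValidate download: the check described above (MD5, SHA1 and size of the executable inside the External bundle, compared before the External is used), sketched in Python rather than LiveCode. The Contents/MacOS/phxvalidate path and the file contents are constructed sample data, and the function names are hypothetical; in a real build the three values are recorded once from the Release build and stored obfuscated in the app.

```python
import hashlib
import hmac
import os
import tempfile

def fingerprint(path):
    """Return (md5_hex, sha1_hex, size_in_bytes) of the file at path."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size

def external_is_untouched(path, expected):
    """True only if size, MD5 and SHA1 all match the build-time values."""
    try:
        md5_hex, sha1_hex, size = fingerprint(path)
    except OSError:
        return False  # missing or unreadable external: fail closed
    exp_md5, exp_sha1, exp_size = expected
    return (size == exp_size
            and hmac.compare_digest(md5_hex, exp_md5)
            and hmac.compare_digest(sha1_hex, exp_sha1))

def demo():
    """Record the values of a constructed 'external', then swap in a stub."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout (assumed standard bundle structure), sample bytes.
        exe_dir = os.path.join(tmp, "phxvalidate.bundle", "Contents", "MacOS")
        os.makedirs(exe_dir)
        exe = os.path.join(exe_dir, "phxvalidate")
        with open(exe, "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"genuine validation code" * 64)
        expected = fingerprint(exe)      # done once, at build time
        before = external_is_untouched(exe, expected)
        with open(exe, "wb") as fh:      # the swapped-in stub the post warns about
            fh.write(b"\xcf\xfa\xed\xfe" + b"stub: return 0")
        after = external_is_untouched(exe, expected)
        missing = external_is_untouched(exe + ".gone", expected)
    return before, after, missing

if __name__ == "__main__":
    print(demo())
```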