Hi Guglielmo,

> On 14.09.2015 at 10:14, Guglielmo Braguglia <guglie...@braguglia.ch> wrote:
> 
> Hi Matthias,
> I see that "Receigen" is still updated and, probably, is one of the best 
> tools.
> 
> About the described procedure and how to make the OS X external ... I don't 
> know, I haven't tested with the latest versions of OS X and Xcode. So ... try 
> and let us know :)
> 
The reason why I asked was to avoid buying receigen.app and then finding out 
that it does not work anymore. 

But I will take the risk and will let you know. 



Regards,

Matthias


> Guglielmo
> 
>> Matthias Rebbe | M-R-D <mailto:matthias_livecode_150...@m-r-d.de>
>> 13 Sep 2015 23:32 pm
>> Hi,
>> 
>> is this still the recommended way to integrate a validation? Or are the 
>> information and the recommended tools and downloads outdated?
>> 
>> Regards,
>> 
>> Matthias
>> 
>> 
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode@lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription 
>> preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>> Guglielmo Braguglia <mailto:guglie...@braguglia.ch>
>> 30 May 2012 20:50 pm
>> Dear members of this list,
>> 
>> all of you, with your posts, your information and your suggestions, have 
>> helped me a lot of times so, this time, I would like to freely share 
>> something that, I hope, is useful for all members involved in development of OSX 
>> applications with LiveCode and interested in publishing their App in Mac 
>> Apple Store ...
>> 
>> ... a Livecode OSX External to validate the MAS Receipt.
>> 
>> As you probably already know, a user can download from the MAS the purchased 
>> App on 5 different devices, but ... if inside your App you don't validate 
>> the "MAS Receipt", ANY user _can make a copy_ and distribute your App 
>> without any control !
>> 
>> Unfortunately, the code to validate the MAS Receipt, can't be still the same 
>> because, otherwise, it will be too easy for crackers to discover the weak 
>> point and to patch the code once and for all. For this reason I think, Apple 
>> has not provided a fixed 'call' to use, but has provided some guidelines :
>> 
>> https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
>> 
>> As you can see, to write a good MAS Receipt Validation code, is not so 
>> simple, but for this, fortunately, there is on the App Store, a very good 
>> program, called *Receigen*.
>> _Each time_ you run, Receigen generates a complex C  "MAS Receipt 
>> Validation" source code, where the constants and the strings are 
>> re-obfuscated, the checks are performed differently, and the code flow 
>> changes, so … each time a different, _unique_ code ! (more info on : 
>> http://receigen.etiemble.com/index.php)
>> 
>> So, starting from this, I developed a very simple External for LiveCode, to 
>> call the validation process from inside our applications. :-)
>> 
>> You can download the following items from my web server :
>> 
>>    - All you need to build YOUR validation External : 
>> http://www.phoenixsea.ch/downloads/phxMASValidate.zip
>> 
>>    - A simple test program that shows how to dynamically load and how to 
>> call the External : 
>> http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip
>> 
>>    - An 8 minutes video showing "How To Do" : 
>> http://www.phoenixsea.ch/downloads/phxMASValidate.mov
>>    ... about this video ... I know that probably the slides go too quickly, 
>> but you can still use the pause/resume button to stop and resume the video.
>> 
>> Now, to briefly explain "How to do" ...
>> 
>> 1. with Receigen.app generate your MAS Receipt Validation C code (/DON'T 
>> FORGET to flag the "Perform only receipt checks" on Advanced Settings/) and 
>> save in a file named *receigen.h*
>> 
>> 2. go inside phxMASValidate folder and _*replace*_ the file : 
>> phxMASValidate/phxvalidate/src/receigen.h with your just generated
>> 
>> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open the 
>> project phxvalidate.xcodeproj
>> 
>> 4. to avoid problems, first do a "Clean" so ... from the menu bar, select 
>> Product -> Clean
>> 
>> 5. verify that the 'Release' build is selected, so ... from the menu bar, 
>> select Product -> Edit Scheme and verify that the Build Configuration is on 
>> *Release*
>> 
>> 6. still to avoid problems, put YOUR bundle identifier for this external, so 
>> ... click on the left pane, on the first item (/the project name, with blue 
>> small icon/) and in the central pane, on the *Info* TAB, the first row is 
>> 'Bundle Identifier' ... change it (/e.g. com.yourname.phxvalidate/)
>> 
>> 7. build the external, so ... from the menu bar, select Product -> Build ... 
>> XCode must say : 'Build Succeeded'
>> 
>> 8. you can close XCode ... your external is ready ! You will find it in : 
>> phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
>> 
>> 9. Include this external into your LiveCode app and, on the preOpenStack 
>> (/... but I suggest to call it also at different points of the code to make 
>> the work harder for crackers/), call :
>> 
>>    put phxValidateMAS(the filename of this stack) into tRetCode
>> 
>> where the *phxValidateMas* is the name of the C call that you find into my 
>> source code; the parameter is the Path to the REAL executable that you find 
>> inside your Mac .app and tRetCode is the return code (/... 0 if all is OK/).
>> 
>> That's all ...
>> 
>> _Important note_ :
>> fortunately/unfortunately, LiveCode is not a real common language so, as far 
>> as I know, there are no LiveCode decompilers and it's not so easy to debug 
>> a LiveCode application. The weakness is exactly the external, which is a 
>> real OSX executable, easy to debug and to replace.
>> About debugging ... Receigen creates a quite complex code to debug, but ... 
>> anybody can easily replace the bundle with another one with just 'return 0' 
>> as return value for my validation call.
>> To avoid this, you MUST find a way to _validate the external_ BEFORE using 
>> it.
>> I have spoken with the author of Receigen and, after having explained the 
>> situation, he also suggested to protect the External with different checking.
>> 
>> So, in my programs, I obfuscate the following values :
>> 
>>    - the MD5 of the External CODE (/the real one that you find *_INSIDE_* 
>> the External bundle/)
>>    - the SHA1
>>    - the size in bytes
>> 
>> ... and I will check the values each time, before calling the External ! 
>> Quite difficult to work around ...
>> 
>> If you need, don't hesitate to contact me.
>> 
>> Guglielmo
>> 
> 

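The check described in the quoted 2012 post (size, MD5 and SHA1 of the external's executable, verified before the validation call), written in LiveCode as an added example that is not part of the original thread or of the phxMASValidate download. The handler names `hexOf` and `externalIsTrusted`, the bundle location, the executable name inside the bundle and the pinned values are assumptions or constructed placeholders.

```livecode
-- Added example, not code from the phxMASValidate package.
-- Constructed placeholders: replace with the values of YOUR built external.
-- (The post keeps these values obfuscated; plain constants are used here
-- for readability only.)
constant kExpectedSize = 0
constant kExpectedMD5 = "<md5-hex-of-your-external>"
constant kExpectedSHA1 = "<sha1-hex-of-your-external>"

-- Hex-encode a binary digest so it can be compared with the pinned strings.
function hexOf pBinary
   local tHex
   get binaryDecode("H*", pBinary, tHex)
   return tHex
end hexOf

-- True only if the executable inside the bundle matches all three pinned values.
-- Assumption: the executable is Contents/MacOS/phxvalidate inside the bundle.
function externalIsTrusted pBundlePath
   local tExe, tData
   put pBundlePath & "/Contents/MacOS/phxvalidate" into tExe
   if there is not a file tExe then return false
   put URL ("binfile:" & tExe) into tData
   if the result is not empty then return false
   -- Cheapest test first; any mismatch fails closed.
   if length(tData) is not kExpectedSize then return false
   if hexOf(md5Digest(tData)) is not kExpectedMD5 then return false
   if hexOf(sha1Digest(tData)) is not kExpectedSHA1 then return false
   return true
end externalIsTrusted

on preOpenStack
   local tBundle, tRetCode
   -- Assumption: the bundle sits beside the standalone's real executable.
   set the itemDelimiter to "/"
   put (item 1 to -2 of the filename of this stack) & "/phxvalidate.bundle" into tBundle
   -- Verify the file before trusting anything it returns.
   if not externalIsTrusted(tBundle) then quit
   put phxValidateMAS(the filename of this stack) into tRetCode
   if tRetCode is not 0 then quit
end preOpenStack
```

The file is read and hashed at a different moment from when the external's code runs, so the check only holds if the bundle cannot be swapped in between. With the placeholder values left in place the check fails closed.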
