Log in

View Full Version : License sheme


OHPen
May 9th, 2007, 06:41
Hi,

i recently working on a license sheme which looks like that:

Code:

<?xml version="1.0" encoding="ISO-8859-1"?>

<xxx-licenses>
<license-group format="1.0" product="xxx product name" release="1.0">
<license
component="xxx component name"
expiration="2007-07-15"
licensee="Evaluation Customer"
serial="1122334455668-1212121212121"
type="EVAL"
signature="MC4CFQDVAKQ4tMqr1QZs5Q/lgedKYMgjkwIVANGjJ9Mv5Y3NqihZphCK12/2cskM"
/>
</license-group>
</xxx-licenses>


I was able to do a keygen for the serial, only thing i have to do is to sign the license file to make it valid. Im not 100 % sure that the signing of the file is done online, because i think the programm itself has to ability to generate a signed demo lic.
I have the strange feeling that there is some license model used which is implended in a apache library because the serial also use some function of these library.

Has anybody an idea whether im dealing with online generated signature and if not does someone know anything about apache signing abilities ?

Regards,

OHPen

LLXX
May 10th, 2007, 01:48
Looks like a public key system... those seem to be somewhat popular.

In which case it would be easier to just force it licensed.

squidge
May 10th, 2007, 07:43
If the program can create a demo.lic without an internet connection, then either it's a public key system with the private key also (dumb, but I've seen it happen), or some other kind of license system.

OHPen
May 10th, 2007, 07:57
I found out that the unsigend lic is sent to the server and returned signed. So no chance to sign it by myself. I tried to send a manipulated license file to the server but it was rejected.

Now i have two possibilities. Either i try attack the sign algorithm itself which is probably not very successfull if they are not so stupid to take a weak one , or i just have to patch it, but this seems also to be difficult since I'm dealing with an java application with 1000s of classes...

Anyway,

thx.

LLXX
May 12th, 2007, 15:22
Quote:
[Originally Posted by OHPen;65568] but this seems also to be difficult since I'm dealing with an java application with 1000s of classes...
Are you aware that Java can be decompiled almost perfectly?

squidge
May 12th, 2007, 16:14
I would assume that since they have gone to trouble of online signature's, that they will use a decent obfuscation tool. But, it's always worth a shot of course, just in case they didn't!

OHPen
May 15th, 2007, 06:19
@LLXX: Of course, i know I'm reversing java applications for a long time now. But this project is not recompilable due the size and the obfuscation. It is difficult even difficult enough to patch it...

@squidge: yeah obfuscation is applied and it's a good one.

Regards