PDA

View Full Version : How NOT to protect your app.

FrankRizzo
June 10th, 2008, 21:42
Sanitized to protect the guilty.

Attn software authors. Javascript is NOT a good language to write your licensing protection in. Since it has to be run from it's source state, that makes removing your protection trivial. See example below:

Code:
function licenseCheck()

{

    try {

        gInfoSvc = Components.classes["@SomeAuthor.com/InfoService;1"].

              getService(Components.interfaces.IInfoService);





        while (!licenseValidOnStartup()) {



            if (licenseTrialCheck()) {

                // first time install of a trial license

                return gInfoSvc.licenseValid;

            }

            // fall through, the invalidLicense dialog will handle showing

            // the apropriate information.  The trial is now expired.



            var args =  Components.classes["@mozilla.org/supports-array;1"]

                   .createInstance(Components.interfaces.nsISupportsArray);

    

            var paramBlock = 

                Components.classes["@mozilla.org/embedcomp/dialogparam;1"].

                createInstance(Components.interfaces.nsIDialogParamBlock);

            paramBlock.SetInt(0, Components.interfaces.ILicenseCallback.LICCB_ABORT);

            args.AppendElement(paramBlock);

    

            openWindow(null, licDialog,

                             "AppTitle",

                             "chrome,modal=yes,titlebar",

                             args);

            if (paramBlock.GetInt(0) == Components.interfaces.ILicenseCallback.LICCB_RETRY) {

                gInfoSvc.refreshLicenseInfo();

                continue;

            }

            return false;

        }



    } catch(ex) {

        // We've already shown a dialog for this error.

        return false;

    }

    return true;

}


So, what does it take to COMPLETELY disable your elaborate scheme?

Code:
function licenseCheck()

{

    // Return TRUE that the license is good.

    return true;

}


I think that should be self explanatory. If not, feel free to ask your questions.
There, I've done my community service for the week.
nanobit
June 10th, 2008, 22:55
there are some programs out there which converts readable java script codes to unreadable ones which yet are executable by the browsers. I think the critical parts of java script codes should be hidden that way unlike the above example
that's a shame some authors know nothing about security.
FrankRizzo
June 11th, 2008, 00:08
Thanks for the info nanobit, I was unaware of that. But, it seems that someone has already taken care of that:

hxxp://www.virtualconspiracy.com/?page=scrdec/intro

It decodes the encoded scripts. (the jscript.encode stuff).
nanobit
June 11th, 2008, 01:42
nice! I wasn't either aware of existence such a program.
Shub-nigurrath
June 11th, 2008, 08:45
A note: you can also use malzilla to decode scripts with most common obfuscating techniques..
owl
June 11th, 2008, 11:08
umm, something new to play with.
dELTA
June 12th, 2008, 13:17
CRCETL:

http://www.woodmann.com/collaborative/tools/Windows_Script_Decoder

http://www.woodmann.com/collaborative/tools/Malzilla
bobby
June 28th, 2008, 04:59
Quote:
[Originally Posted by Shub-nigurrath;75079]A note: you can also use malzilla to decode scripts with most common obfuscating techniques..


You are welcome to send me the script which can't be de-obfuscated.
I will de-obfuscate it for you.

regards
bobby (Malzilla's developer)