Re: Serial number verification / obfuscation (was: Re: Hiding [...] symbols [...])
- Subject: Re: Serial number verification / obfuscation (was: Re: Hiding [...] symbols [...])
- From: David Remahl <email@hidden>
- Date: Sun, 28 Jul 2002 00:20:59 +0200

> On Saturday, July 27, 2002, at 10:21, Pierre-Olivier Latour wrote:
>
>>> If you'd like, I could take a look at your registration solution and
>>> provide feedback on how you could make it more secure. I have had some
>>> experience with this lately. I have evaluated about 30 cocoa programs and
>>> their respective serial number mechanisms in order to find the best
>>> solution for my own application. I managed to crack 20 of them in less
>>> than an hour each [...]
>
> It would be very interesting if you'd write a summary of your
> observations! I realize the potential harm that could do to the weak
> registration-schemes out there, OTOH you may help those authors do
> better, and as long as you don't mention programs by name... furthermore
> it's unlikely that Joe User will be able to use the summary to crack his
> favourite program...

An essay on the topic would probably be appreciated by many. Software
developers and crackers alike... Many programs are so open that just about
anyone could crack them, which would probably harm shareware developers to
some extent. But it is not like the serials don't get out anyway... There are
some people who do know all the information I found, but I don't think many
of them are shareware developers.

>> However, I'm seriously concerned about serial numbers in cocoa programs:
>> because of Obj-C, it seems easier to crack.
>
> If your software is any good it *will* be cracked -- I once read the
> "news bulletin" on a cracker-site and saw many comments like this:
> "Program XXX cracked due to weak pseudo-random-number-generator" -- so
> not only is it no problem for the crackers to ressource your program
> (and the site in question actually dealt with Windows software, i.e.
> already highly obfuscated x86 assembler ;-) ) and figure out the logic,
> but they can also overcome mathematical challenges you may introduce by
> e.g. using a secret key to sign the name of the person who registers your
> program, and use that signature as the serial number...

Industrial strength signatures are difficult to step around. But still a
crack is pretty simple to make in those cases...

I will think about sharing some of my experiences. If anyone has any input,
please send it to me privately, since this is on the borderline of the topic
of this mailing list.

/ Sincerely, David Remahl