On Tue, Aug 19, 2003, Beni Cherniavsky wrote about "Re: License creator source":
> [EMAIL PROTECTED] wrote on 2003-08-19:
>
> > The program can probably be attacked in several ways, one way I can
> > think of right now is to replace the public key in the program so it
> > matches the attacker's invented private key. Another is that the code
> > which checks the license will be skipped altogether.
> >
> The complexity of replacing the public key is about as low as of
> replacing any non-signed hidden data (like simply the timestamp).

It is possible to make it harder to skip the license check altogether or
change the checked-for public key by obfuscating the relevant code, making
it jump all over the program text and making it all-but-impossible to
understand by anyone except the most dedicated assembly hackers. But
needless to say, all it takes is *one* of those dedicated assembly hackers -
he or she could then publish the modified code that doesn't check the
license. This is what is known in the warez world as a "crack".

By the way, there's another thing anyone can do to defeat this licensing
scheme - change the clock :) Even schemes which use public information of
time (such as from the Internet) could be defeated relatively easily (as far
as I can see) using what is known as a "replay attack".

> I don't see what you can gain from the cryptography here.

Well, the idea with signed license files is that you don't need to send the
user a new program - only a tiny license file - when they acquire a new
license. The user also doesn't need to be online to use this license
(according to Murphy, you end up needing to use your license exactly when
your network connection is down :( ).

-- 
Nadav Har'El                        | Wednesday, Aug 20 2003, 22 Av 5763
[EMAIL PROTECTED]                   |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Guarantee: this email is 100% free of
http://nadav.harel.org.il           |magnetic monopoles, or your money back!
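
Added example, not part of the original message or of the program under discussion: a sketch of the signed-license-file idea described above, where the vendor signs a small payload and the shipped program verifies it offline against an embedded public key. The payload format, the names `License`, `VendorKeys`, `Issue` and `Check`, the fixed seed and the use of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// License is the tiny file sent to the user. Payload (constructed format): "user=<name>;expires=<YYYY-MM-DD>".
type License struct{ Payload, Sig []byte }

// VendorKeys derives a demo key pair from a fixed, constructed seed; only the public half ships.
func VendorKeys(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue runs on the vendor side and signs the license payload.
func Issue(priv ed25519.PrivateKey, user, expires string) License {
	p := []byte("user=" + user + ";expires=" + expires)
	return License{p, ed25519.Sign(priv, p)}
}

// Check runs offline inside the shipped program: verify the signature against
// the embedded public key, then compare the signed expiry date with now.
func Check(pub ed25519.PublicKey, l License, now time.Time) error {
	if !ed25519.Verify(pub, l.Payload, l.Sig) {
		return errors.New("bad signature")
	}
	i := bytes.LastIndex(l.Payload, []byte(";expires="))
	if i < 0 {
		return errors.New("malformed license")
	}
	exp, err := time.Parse("2006-01-02", string(l.Payload[i+9:]))
	if err != nil {
		return err
	}
	if !now.Before(exp.AddDate(0, 0, 1)) { // valid through the expiry day (UTC)
		return errors.New("license expired")
	}
	return nil
}

func main() {
	pub, priv := VendorKeys(0x42)
	fmt.Println(Check(pub, Issue(priv, "alice", "2003-12-31"), time.Date(2003, 8, 20, 0, 0, 0, 0, time.UTC)))
}
```

`Check` takes the time as a parameter because the signature covers only the license contents: an edited expiry date or a license signed by a different key is rejected, but the result still depends on whatever clock value and public key the program is given, which are the limits the message points out.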
