I'd like to thank Guglielmo for guiding me through the horrendous process of creating an external when I knew nothing about C, xCode, or where to put the darn thing when it's done!

Pete
lcSQL Software <http://www.lcsql.com>

On Wed, May 30, 2012 at 11:50 AM, Guglielmo Braguglia <guglie...@braguglia.ch> wrote:

> Dear members of this list,
>
> all of you, with your posts, your information and your suggestions, have
> helped me a lot of times so, this time, I would like to freely share
> something that, I hope, useful for all member involved in development of
> OSX application with LiveCode and interested in publishing their App in Mac
> Apple Store ...
>
> ... a Livecode OSX External to validate the MAS Receipt.
>
> As you probably already know, a user can download from the MAS the
> purchased App on 5 different devices, but ... if inside your App you don't
> validate the "MAS Receipt", ANY user _can make a copy_ and distribute your
> App without any control !
>
> Unfortunately, the code to validate the MAS Receipt, can't be still the
> same because, otherwise, it will be too easy for crackers to discover the
> weak point and to patch the code once and for all. For this reason I think,
> Apple has not provided a fixed 'call' to use, but has provided some
> guidelines :
>
> https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
>
> As you can see, to write a good MAS Receipt Validation code, is not so
> simple, but for this, fortunately, there is on the App Store, a very good
> program, called *Receigen*.
> _Each time_ you run, Receigen generates a complex C "MAS Receipt
> Validation" source code, where the constants and the strings are
> re-obfuscated, the checks are performed differently, and the code flow
> changes, so ... each time a different, _unique_ code ! (more info on :
> http://receigen.etiemble.com/index.php )
>
> So, starting from this, I developed a very simple External for LiveCode,
> to call the validation process from inside our applications. :-)
>
> You can download the following items from my web server :
>
> - All you need to build YOUR validation External :
>   http://www.phoenixsea.ch/downloads/phxMASValidate.zip
>
> - A simple test program that shows how to dynamically load and how to
>   call the External :
>   http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip
>
> - An 8 minutes video showing "How To Do" :
>   http://www.phoenixsea.ch/downloads/phxMASValidate.mov
>   ... about this video ... I know that probably the slides go too
>   quickly, but you can still use the pause/resume button to stop and resume
>   the video.
>
> Now, to briefly explain "How to do" ...
>
> 1. with Receigen.app generate your MAS Receipt Validation C code (/DON'T
> FORGET to flag the "Perform only receipt checks" on Advanced Settings/) and
> save in a file named *receigen.h*
>
> 2. go inside phxMASValidate folder and _*replace*_ the file :
> phxMASValidate/phxvalidate/src/receigen.h with your just generated
>
> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open the
> project phxvalidate.xcodeproj
>
> 4. to avoid problems, first do a "Clean" so ... from the menu bar, select
> Product -> Clean
>
> 5. verify that the 'Release' build is selected, so ... from the menu bar,
> select Product -> Edit Scheme and verify that the Build Configuration is on
> *Release*
>
> 6. still to avoid problems, put YOUR bundle identifier for this external,
> so ... click on the left pane, on the first item (/the project name, with
> blue small icon/) and in the central pane, on the *Info* TAB, the first row
> is 'Bundle Identifier' ... change it (/e.g. com.yourname.phxvalidate/)
>
> 7. build the external, so ... from the menu bar, select Product -> Build
> ... XCode must say : 'Build Succeeded'
>
> 8. you can close XCode ... your external is ready ! You will find it in :
> phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
>
> 9. Include this external into your livecode app and, on the preOpenStack
> (/... but I suggest to call also in different points of the code to make
> harder the work to crackers/) and call :
>
>     put phxValidateMAS(the filename of this stack) into tRetCode
>
> where the *phxValidateMas* is the name of the C call that you find into my
> source code; the parameter is the Path to the REAL executable that you find
> inside your Mac .app and tRetCode is the return code (/... 0 if all is OK/).
>
> That's all ...
>
> _Important note_ :
> fortunately/unfortunately, LiveCode is not a real common language so, as
> far as I know, there are not LiveCode decompilers and it's not so easy to
> debug a livecode application. The weakness is exactly the external, which
> is a real OSX executable easy to debug and to replace.
> About debugging ... Receigen creates a quite complex code to debug, but
> ... anybody can easily replace the bundle with another one with just
> 'return 0' as return value for my validation call.
> To avoid this, you MUST find a way to _validate the external_ BEFORE using
> it.
> I have spoken with the author of Receigen and, after having explained the
> situation, he also suggested to protect the External with different
> checking.
>
> So, in my programs, I obfuscate the following values :
>
> - the MD5 of the External CODE (/the real one that you find *_INSIDE_*
>   the External bundle/)
> - the SHA1
> - the size in bytes
>
> ... and I will check the values each time, before calling the External !
> Quite difficult to work around ...
>
> If you need, don't hesitate to contact me.
>
> Guglielmo
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
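
The integrity check on the external described in the quoted message (size, MD5 and SHA1 of the executable inside the bundle, verified before each call), sketched in LiveCode as an added example that is not part of the original posts or of the phxMASValidate download. The constants are placeholders for your own build's values, stored here in the clear rather than obfuscated, and `externalIsGenuine` and `validatedReceiptCheck` are hypothetical handler names.

```livecode
-- Added example, not from the original post.
-- Placeholders: replace with the figures measured on YOUR built external.
constant kExpectedSize = 0                         -- size in bytes (placeholder)
constant kExpectedMD5  = "<md5-hex-placeholder>"   -- 32 hex digits
constant kExpectedSHA1 = "<sha1-hex-placeholder>"  -- 40 hex digits

-- pExecutablePath: full path to the executable INSIDE the external's bundle
-- (assumption: the caller knows where its own bundle is installed).
-- Returns true only when all three values match; any error fails closed.
function externalIsGenuine pExecutablePath
   local tData, tMD5Hex, tSHA1Hex, tCount

   if there is no file pExecutablePath then return false

   -- Read the file as raw bytes; "the result" is non-empty on a read error
   put URL ("binfile:" & pExecutablePath) into tData
   if the result is not empty then return false

   -- Cheapest test first: a stub replacement rarely has the same size
   if length(tData) <> kExpectedSize then return false

   -- Digests are returned as binary; convert to hex text for comparison
   put binaryDecode("H*", md5Digest(tData), tMD5Hex) into tCount
   put binaryDecode("H*", sha1Digest(tData), tSHA1Hex) into tCount

   if tMD5Hex is not kExpectedMD5 then return false
   if tSHA1Hex is not kExpectedSHA1 then return false
   return true
end externalIsGenuine

-- Hypothetical wrapper: verify the external, then call it straight away.
-- A non-zero / non-numeric return value means "do not trust this copy".
function validatedReceiptCheck pExecutablePath
   if not externalIsGenuine(pExecutablePath) then return "tampered"
   return phxValidateMAS(the filename of this stack)
end validatedReceiptCheck
```

The check only covers the file as it was read at that moment, so it belongs immediately before each call to the external rather than once at startup.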