On Thu, Mar 4, 2010 at 1:18 PM, Richard Gaskin <[email protected]>wrote:
[... snip ...] > Then write the inverse of the generator to validate your codes, but break > up the validation into multiple handlers each doing a small part of it, > using obscure function names strewn all over your code base with lots of > red-herring handlers with similar names littered among them. Extra bonus > points if the handlers you call also call others; the more the merrier. > Anyone tracing your code in a low-level debugger will find it far more > annoying than it's worth. > > Just a note on the recommendation below (as I do have a lot of experience in this area), before someone goes and wastes a lot of time coming up with something awesome that ends up being cracked in a matter of minutes... 1. Don't have this code in one localized place (as Richard already mentioned). 2. Don't follow the "Extra bonus points" recommendation. This is a *bad idea*. You want these functions that check reg codes to be extremely small and obfuscated. 3. You *DO* want to checksum the code that checks regcodes (either the optimized assembly or the raw script in Rev) and stick that checksum in several random places through out the code. 4. Inside the reg check code is also the check against one of those random checksums with a checksum of itself. You're protecting against someone who modifies the registration checking code (which is trivial to do). 5. Don't make a global variable that is true if the user is registered and false if not. This will get hacked in ~2 minutes. Instead, every time you want to make sure the user is registered, call your check function. 6. Check often, and in random places. If possible, make it a completely random check (e.g. have a timer or message loop that checks it every 60 seconds, regardless of what the user is doing). 7. Don't error out immediately if the check fails. Instead, you want to wait and die later on, and often times in subtle ways. For example, suddenly prompt the user to re-enter their code. Those are some good starting points. It should be noted that white-listing reg codes usually isn't a great idea. Reg codes should be generated from something personal (like the user's email address), and can be reverse engineered by you if needed. But white listing is easy. Jeff M. _______________________________________________ use-revolution mailing list [email protected] Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-revolution
