Re: Protect package - A starting copy protection system [message #29028 is a reply to message #29024] |
Sat, 02 October 2010 18:08 |
mdelfede
Messages: 1308 Registered: September 2007
|
Ultimate Contributor |
|
|
281264 wrote on Sat, 02 October 2010 16:00 | Hi Massimo,
I am finding some unexpected outcome. The problem seems to be related with the key. The encryption key I am using is AABBCCDDEEFF00112233445566778899 (as shown, without quotes); the GetKey function is as the example:
[code]
String GetKey(void)
{
    // WARNING -- TO PUT A NULL BYTE (0X00) INSIDE KEYSTRING
    // REQUIRES SOME ADDITIONAL WORK !
    String k = "\xAA\xBB\xCC\xDD\xEE\xFF";
    k.Cat('\x00');
    k += "\x11\x22\x33\x44\x55\x66\x77\x88\x99";
    return k;
}
[/code]
The application compiles well and it runs fine, but it does not recognize the key!
Where is the bug?
|
The bug is that your encryption key is AABBCCDDEEFF00112233445566778899 but in your source you use AABBCCDDEEFF.... Keys in optional build step command line and inside your code must match.
Quote: |
Remarks:
1.- can I use an ASCII String, such as “AA………99” without the hex format?
|
Well, you can use whatever you like; it's enough that keys are 16 or 32 bytes long.
Of course, for the sake of simplicity, the key in the custom build step is entered as a hex-ascii string, so AABB.... where each couple of chars forms a hex byte, otherwise it would be hard to enter keys with control chars there.
If you enter for example 303132333435 in custom build step, the key in your code should be any of :
[code]
12345
\x30\x31\x32\x33\x34\x35
[/code]
I'd suggest the second form as it's easy to compare with the custom build step one.....
Quote: |
2.- what is len in the PROTECT_DECRYPT function? The length of the key, perhaps (then it should be 16 bytes or 32 bytes)?
|
PROTECT_DECRYPT is a helper function which takes the following parameters:
- Address of the block to be decoded
- Length of the block
- A String containing the key
In your case you should use :
[code]
bool Decrypt(byte *start, size_t len)
{
    return PROTECT_DECRYPT(start, len, GetKey());
}
[/code]
Where the GetKey() function is your above one.
Anyways, I guess I've to change the help a bit.....
Ciao
Max
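The key-matching rule discussed in this reply, as an added example that is not part of the original post or of the Protect package: it decodes the hex-ascii key given to the custom build step and compares it byte for byte with the in-source key, including the embedded 0x00 byte. `std::string` stands in for U++ `String`, and all function names are hypothetical.

```cpp
#include <cctype>
#include <string>

// Hypothetical helper: decode a hex-ascii key ("AABB...") into raw bytes.
// Fails on odd length or non-hex characters.
bool HexToKey(const std::string& hex, std::string& out)
{
    auto nibble = [](unsigned char c) -> int {
        if (std::isdigit(c)) return c - '0';
        c = static_cast<unsigned char>(std::toupper(c));
        return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
    };
    out.clear();
    if (hex.size() % 2 != 0) return false;
    for (std::string::size_type i = 0; i < hex.size(); i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return false;
        out.push_back(static_cast<char>((hi << 4) | lo));
    }
    return true;
}

// In-source key built as in the quoted GetKey(): the 0x00 byte is appended
// on its own, then the remaining bytes follow.
std::string SourceKey()
{
    std::string k = "\xAA\xBB\xCC\xDD\xEE\xFF";
    k.push_back('\x00');
    k += "\x11\x22\x33\x44\x55\x66\x77\x88\x99";
    return k;
}

// What happens without the separate append: built from one C string
// literal, the key is cut at the first NUL and only 6 bytes survive.
std::string TruncatedKey()
{
    return "\xAA\xBB\xCC\xDD\xEE\xFF\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99";
}

// True only if the build-step key decodes, is 16 or 32 bytes long and
// equals the in-source key byte for byte.
bool KeysMatch(const std::string& buildStepHex, const std::string& sourceKey)
{
    std::string decoded;
    if (!HexToKey(buildStepHex, decoded)) return false;
    if (decoded.size() != 16 && decoded.size() != 32) return false;
    return decoded == sourceKey;
}
```

Running such a check in a unit test or at start-up turns a silent "key not recognized" into an explicit failure before any block is decrypted.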
Re: Protect package - A starting copy protection system [message #29203 is a reply to message #29170] |
Sun, 10 October 2010 14:35 |
mdelfede
Messages: 1308 Registered: September 2007
|
Ultimate Contributor |
|
|
Protect Client/Server auth development is progressing.
In Bazaar you'll find the following stuff:
- Protect package, with added ProtectServer and ProtectClient classes
- ProtectServerDemo, a demo SCGI protection server
- ProtectClientDemo, a demo SCGI protection client
It's all still in a very early development phase; in particular, database connections on the server side are still missing (I've to learn how to do it).
Anyways, the encrypted connection works quite well, and client/server communication is quite reliable.
When more advanced I'll put the demo server on my remote server; by now, to test it you have to setup an HTTP server (I'm using Apache2 on ubuntu or on centos), add mod_scgi module, enable it and so on.... Not a difficult task but you must google for some docs.
I'll add some docs when finished.
Some technical details:
- Client/Server communication is done via encrypted xml data, so it's not possible to gather the application key by sniffing web traffic.
- Encryption is done by Cypher package, defaulting to Snow2 encryptor, but you can optionally switch to RC4 and other (future) encryptors added to Cypher package.
- Client/Server protocol is SCGI (thanx Jeremy!!)
Feel free to add suggestions to the package and/or to help with MySql database stuff !
Ciao
Max
[Updated on: Sun, 10 October 2010 14:36]
Re: Protect package - A starting copy protection system [message #29286 is a reply to message #29245] |
Thu, 14 October 2010 01:42 |
mdelfede
Messages: 1308 Registered: September 2007
|
Ultimate Contributor |
|
|
Hi,
Now in bazaar there's a demo of my client/server app to get encryption key, along with a demo server installed on a remote machine.
To test, just run the client, register with your email, click on the activation link sent by email and then play with the buttons.
The server is set up with a timeout of 5 minutes, i.e. if you don't refresh the connection in 5 minutes it disconnects the client.
If you launch the client twice, it will allow just ONE connection at a time, as the license number is set to 1.
Demo license has a 1 month expiration time (configurable too).
Still missing some fancy stuff, but functionality is almost complete now.
@DOLIK-RCE : could you please test it somehow ?
Ciao
Max
[Updated on: Thu, 14 October 2010 01:45]
Re: Protect package - A starting copy protection system [message #29292 is a reply to message #29286] |
Thu, 14 October 2010 10:30 |
|
mdelfede wrote on Thu, 14 October 2010 01:42 | @DOLIK-RCE : could you please test it somehow ?
|
I'll try. But I'm going to be busy this weekend, so it might take some time.
Also, I will try to update the php version to use the same "protocol". Btw: Still no luck in getting snow2.0 ported to php... If there is someone with spare time and a little knowledge of php, help would be appreciated. The only outcome of my attempts so far is that I actually understood how the cipher works.
Honza
Re: Protect package - A starting copy protection system [message #29312 is a reply to message #29293] |
Fri, 15 October 2010 10:54 |
|
koldo
Messages: 3394 Registered: August 2008
|
Senior Veteran |
|
|
Hello Massimo/Honza
Some questions:
- About Protect
It includes MySql package. Is it possible to remove it?
- About ProtectServer
What are the ProtectServer requirements from server and from client side?
Is ProtectServer a C++ program running on a server? What is the role of PHP in this?
Would it be possible to use it with other database instead of MySql?
Thank you for your work.
Best regards
Iñaki
[Updated on: Fri, 15 October 2010 10:58]
Re: Protect package - A starting copy protection system [message #29314 is a reply to message #29312] |
Fri, 15 October 2010 11:23 |
mdelfede
Messages: 1308 Registered: September 2007
|
Ultimate Contributor |
|
|
koldo wrote on Fri, 15 October 2010 10:54 | Hello Massimo/Honza
Some questions:
- About Protect
It includes MySql package. Is it possible to remove it?
|
MySql is needed for ProtectServer, not for the client.
As I made a single package for both (some include files are needed for both cases) the MySql package is needed.... It'll not be linked in the client, anyways.
Quote: |
- About ProtectServer
What are the ProtectServer requirements from server and from client side?
Is ProtectServer a C++ program running on a server? What is the role of PHP in this?
|
ProtectServer requires, by now, an SCGI capable server, so any http server which can support SCGI. I guess almost all servers do. The PHP version that Honza is developing will relax this need.
For apache2 it's enough to install and enable mod_scgi module, and create a small config file for it. For Ubuntu :
[code]
sudo apt-get install libapache2-mod-scgi
sudo a2enmod scgi
[/code]
And, in /etc/apache2/config.d folder, add an scgi.conf file with this content (as an example) :
[code]
SCGIMount /scgi 127.0.0.1:8787
[/code]
Where the server is listening on port 8787 on local host (configurable) and the http path for it will be /scgi.
For centos OS it'll be just a bit more complicated on step 1, mod_scgi must be manually inserted in apache2.conf.
Anyways, there are many docs on the net to enable SCGI on many http servers... probably I'll add some docs.
ProtectServer is an upp executable. Honza's version will be in PHP and make (maybe) stuff easier on server side.
Communication is done via encrypted http, so it should pass any routers/firewalls on the way.
ProtectServer NEEDS to run as a daemon / service (it must be continuously running and listening to SCGI port, 8787 in my case). It doesn't need to run as root/privileged user.
Quote: |
Would it be possible to use it with other database instead of MySql?
|
Client is unaware of database type, so the changes are just in server. Honza's PHP is already capable of handling a couple of db engines.
ProtectServer is, by now, tied to MySql, but just because I've no time/no other db engine installed on my server. Adding Postgresql, MSSQL and others should be trivial, as long as they're supported by Upp sql engines.
Quote: |
Thank you for your work.
|
You're welcome.
Please test it. It's set up on my server, you just need to build and run the client. I've still a nasty bug which makes it crash sometimes, but just in devel mode, not in debug builds... so I still haven't caught it.
Ciao
Max
Re: Protect package - A starting copy protection system [message #29318 is a reply to message #29315] |
Fri, 15 October 2010 12:23 |
mdelfede
Messages: 1308 Registered: September 2007
|
Ultimate Contributor |
|
|
koldo wrote on Fri, 15 October 2010 12:05 | Hello Massimo
Sorry for the petitions...
I think MySql would have to be removed from Protect, and included only if MySql is explicitly used. In my case I do not use MySql in any case. And now Protect package includes many MySql elements.
Could you do a basic server version using sqlite, and the possibility to extend it to other databases? As I do not expect many clients running out there, sqlite should be enough.
What is the advantage of a PHP version if C++ one works?
Quote: | Please test it, It's setup on my server
|
For now with MySql in Protect, I cannot use it, and I really want it.
|
Mhhhh... what's your problem with including MySql? Is it the library linking? It shouldn't be linked anyways for client, just for server.
If your problem is about compiling the server, yep... I could do it. But you could do it also, the *only* files on which the database stuff is used (and encapsulated) are ProtectDB.h/ProtectDB.cpp.
It should be quite easy to add sqlite implementation there.
If you can't / have no time to do it, I can try on this week end.
Last thing... the engine is still missing some cosmetics and a major hardening. By now a malicious client could record a client/server communication (even if it can't decrypt it...), and replay it on the client side to unlock the app.
The solution is quite simple but I haven't implemented it yet.
It will be done by passing a random number from/to server, so the replayed communication will be useless.
Ciao
Max
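The random-number hardening described in this post, as an added example that is not part of the original post or of the Protect package: the client draws a fresh nonce per request, the server echoes it, and a recorded response is rejected because its nonce no longer matches. The message structs, names and key value are constructed, and the sketch assumes both messages travel inside the encrypted channel.

```cpp
#include <cstdint>
#include <random>
#include <string>

// Constructed message shapes; in the scheme described above both would
// be carried inside the encrypted client/server communication.
struct Request  { uint64_t nonce; };
struct Response { uint64_t nonce; std::string appKey; };

// Server side: echo the client's random number back together with the key.
Response Serve(const Request& rq)
{
    return Response{rq.nonce, "constructed-demo-key"};
}

class Client {
public:
    // Draw a fresh random number for every request and remember it.
    Request NewRequest()
    {
        std::random_device rd;
        pending_ = (static_cast<uint64_t>(rd()) << 32) | rd();
        hasPending_ = true;
        return Request{pending_};
    }

    // Accept a response only if it answers the outstanding request; the
    // nonce is consumed, so the same response cannot be used twice.
    bool Accept(const Response& rs, std::string& keyOut)
    {
        if (!hasPending_ || rs.nonce != pending_)
            return false;
        hasPending_ = false;
        keyOut = rs.appKey;
        return true;
    }

private:
    uint64_t pending_ = 0;
    bool hasPending_ = false;
};

// Record one genuine exchange, then replay it against a later request.
bool ReplayIsRejected()
{
    Client c;
    std::string key;
    Response recorded = Serve(c.NewRequest());
    if (!c.Accept(recorded, key)) return false;  // genuine reply must work
    c.NewRequest();                              // next start-up, new nonce
    return !c.Accept(recorded, key);             // old reply must fail
}
```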