Overview
Examples
Screenshots
Comparisons
Applications
Download
Documentation
Tutorials
Bazaar
Status & Roadmap
FAQ
Authors & License
Forums
Funding Ultimate++
Search on this site
Search in forums












SourceForge.net Logo
Home » Developing U++ » UppHub » Protect package - A starting copy protection system
Re: Protect package - A starting copy protection system [message #29001 is a reply to message #28998] Fri, 01 October 2010 08:11 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
Hello Massimo

All of this sounds very good.

Many people here are freelance or work in small companies without money to pay the very expensive commercial protections available.

Web-authentication sounds great and dongle is also interesting.

If you need windows specific things I can help.


Best regards
Iñaki
Re: Protect package - A starting copy protection system [message #29003 is a reply to message #29001] Fri, 01 October 2010 13:53 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
Hi Koldo, thanks for your help Smile
By now dolik-rce is helping with PHP parts, I guess that's the easiest (and more portable way) to do it.
I'd like to have the encryption package ported there, as we need it to communicate with server in encrypted form... he's working on it.
About the windows part.... the missing stuffs are debugger detection AND some better hardening tools, but then I guess we'll have problems to keep all that compatible between words.
Also GDB detection wouldn't be bad, but I've no idea on how to do it.

Anyways, the most weak of my protection scheme is that the decoding parts are fixed and traceable.
It wouldn't be bad to make them variable and somehow autodecoding... but that can be done later.

Ciao

Max
Re: Protect package - A starting copy protection system [message #29009 is a reply to message #29003] Fri, 01 October 2010 21:53 Go to previous messageGo to next message
281264 is currently offline  281264
Messages: 270
Registered: June 2010
Location: Spain
Experienced Member
Massimo,

How can I download the package?

Cheers,

Javier
Re: Protect package - A starting copy protection system [message #29010 is a reply to message #29009] Fri, 01 October 2010 22:36 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
281264 wrote on Fri, 01 October 2010 21:53

Massimo,

How can I download the package?

Cheers,

Javier



It's in Bazaar, just use svn or fetch latest nighty builds, it should be there.

Ciao

Max
Re: Protect package - A starting copy protection system [message #29024 is a reply to message #29010] Sat, 02 October 2010 16:00 Go to previous messageGo to next message
281264 is currently offline  281264
Messages: 270
Registered: June 2010
Location: Spain
Experienced Member
Hi Massimo,

I am finding some unexpected outcome. The problem seems to be related with the key. The encryption key I am using is AABBCCDDEEFF00112233445566778899 (as shown, without quotes); the GetKey function is as the example:
String GetKey(void)
{
	// WARNING -- TO PUT A NULL BYTE (0X00) INSIDE KEYSTRING
	// REQUIRES SOME ADDITIONAL WORK !
	String k = "\xAA\xBB\xCC\xDD\xEE\xFF";
	k.Cat('\x00');
	k += "\x11\x22\x33\x44\x55\x66\x77\x88\x99";
	return k;
}

The application compiles well and it runs fine, but it does not recognize the kye!

Where is the bug?

Remarks:

1.- can I use an ASCII String, such as “AA………99” without the hex format?
2.- what is len in the PROTECT_DECRIPT function? The length of the key, perhaps (the it should be 16bytes or 32 bytes)?


Thank you,

Javier

Re: Protect package - A starting copy protection system [message #29028 is a reply to message #29024] Sat, 02 October 2010 18:08 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
281264 wrote on Sat, 02 October 2010 16:00

Hi Massimo,

I am finding some unexpected outcome. The problem seems to be related with the key. The encryption key I am using is AABBCCDDEEFF00112233445566778899 (as shown, without quotes); the GetKey function is as the example:
String GetKey(void)
{
	// WARNING -- TO PUT A NULL BYTE (0X00) INSIDE KEYSTRING
	// REQUIRES SOME ADDITIONAL WORK !
	String k = "\xAA\xBB\xCC\xDD\xEE\xFF";
	k.Cat('\x00');
	k += "\x11\x22\x33\x44\x55\x66\x77\x88\x99";
	return k;
}

The application compiles well and it runs fine, but it does not recognize the kye!

Where is the bug?



The bug is that your encryption key is AABBCCDDEEFF00112233445566778899 but in your source you use AABBCCDDEEFF.... Keys in optional build step command line and inside your code must match.

Quote:


Remarks:

1.- can I use an ASCII String, such as “AA………99” without the hex format?


well, you can use whathever you like, it's enough that keys are 16 or 32 byte long.
Of course, for sake of simplicity, the key in custom build step is entered as hex-ascii string, so AABB.... where each couple of chars form an hex byte, otherwise it would be hard to enter keys with control chars there.
If you enter for example 303132333435 in custom build step, the key in your code should be any of :
[code]
12345
\x30\x31\x32\x33\x34\x35
[/quote]
I'd suggest the second form as it's easy to compare with the custom build step one.....

2.- what is len in the PROTECT_DECRIPT function? The length of the key, perhaps (the it should be 16bytes or 32 bytes)?
[/quote]

PROTECT_DECRYPT is an helper function which takes following parameters :
Address of the block to be decoded
Length of the block
A String containing the key


In your case you should use :

bool Decrypt(byte *start, size_t len)
{

    return PROTECT_DECRYPT ( start, len, GetKey());

}


Where the GetKey() function is your above one.

Anyways, I guess I've to change the help a bit.....

Ciao

Max
Re: Protect package - A starting copy protection system [message #29060 is a reply to message #29028] Sun, 03 October 2010 22:49 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
Changed Protect to use new Cypher encryption package.
Added handling of IV (initialization vectors) on encryption to harden security.
Now 2 identical functions encrypts differently.

Ciao

Max
Re: Protect package - A starting copy protection system [message #29168 is a reply to message #29060] Fri, 08 October 2010 12:29 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
Hello Massimo

What is the status of this?

Quote:

Anyways, dolik-rce and I we're preparing a web-authentication module to be used together with Protect, which will allow registering and auth through a web server, which, BTW, is a thing I need for my app Smile


Best regards
Iñaki
Re: Protect package - A starting copy protection system [message #29170 is a reply to message #29168] Fri, 08 October 2010 14:10 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
Hi Koldo,

I'm quite busy on these days, but I'm developing an SCGI solution alternative to PHP one.
So, I'm working on SCGI and dolik-rce on PHP, we'd like to post both with a common interface.
I guess we'll need a couple of weeks or a bit more... not too much time on these days Smile

Ciao

Max
Re: Protect package - A starting copy protection system [message #29203 is a reply to message #29170] Sun, 10 October 2010 14:35 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
Protect Client/Server auth development is progressing.
In Bazaar you'll find following stuffs :

Protect package, with added ProtectServer and ProtectClient classes

ProtectServerDemo, a demo SCGI protection server
ProtectClientDemo, a demo SCGI protection client

It's all still in very early development phase, in particular database connections on server side is still missing (I've to learn how to do it Smile )

Anyways, the encrypted connection works quite well, and client/server communication is quite reliable.

When more advanced I'll put the demo server on my remote server; by now, to test it you have to setup an HTTP server (I'm using Apache2 on ubuntu or on centos), add mod_scgi module, enable it and so on.... Not a difficult task but you must google for some docs.

I'll add some docs when finished.

Some technical details :

Client/Server communication is done via encrypted xml data, so it's not possible to gather application key sniffing web traffic.

Encryption is done by Cypher package, defaulting to Snow2 encryptor, but you can optionally switch to RC4 and other (future) encryptors added to Cypher package.

Client/Server Protocol is SCGI (thanx Jeremy!!)

Feel free to add suggestions to the package and/or to help with MySql database stuff ! Smile

Ciao

Max

[Updated on: Sun, 10 October 2010 14:36]

Report message to a moderator

Re: Protect package - A starting copy protection system [message #29239 is a reply to message #28850] Wed, 13 October 2010 01:06 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
I posted last version of web authentication package.
Still no docs, but code is enough self explaining.

As before, there's a ProtectServerDemo and a ProtectClientDemo test apps.
All work besides license activation, mail is sent but the activation link is still not ready.

To test it, as before, you shall setup an http server with SCGI module installed.... By now I'd suggest it only for people experienced enough.

On next days I'll setup the test server.

The app supports multiple licensing, timed demo, check for multiple runs of the application and so on.

Ciao

Max
Re: Protect package - A starting copy protection system [message #29245 is a reply to message #29170] Wed, 13 October 2010 09:11 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
mdelfede wrote on Fri, 08 October 2010 14:10

Hi Koldo,

I'm quite busy on these days, but I'm developing an SCGI solution alternative to PHP one.
So, I'm working on SCGI and dolik-rce on PHP, we'd like to post both with a common interface.
I guess we'll need a couple of weeks or a bit more... not too much time on these days Smile

Ciao

Max


Great!


Best regards
Iñaki
Re: Protect package - A starting copy protection system [message #29286 is a reply to message #29245] Thu, 14 October 2010 01:42 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
Hi,

Now in bazaar there's a demo of my client/server app to get encryption key, along with a demo server installed on a remote machine.

To test, just run the client, register with your email, click on activation link sent by email and then play with buttons Smile

The server is setup with a timeout of 5 minutes, i.e. if you don't refresh the connection in 5 minutes it disconnects the client.

If you launch the client twice, it will allow just ONE connection at a time, as the license number is set to 1.

Demo license has an 1 month expiration time (configurable too).

Still missing some fancy stuffs, but functionality is almost complete now.

@DOLIK-RCE : could you please test it somehow ? Smile

Ciao

Max

[Updated on: Thu, 14 October 2010 01:45]

Report message to a moderator

Re: Protect package - A starting copy protection system [message #29292 is a reply to message #29286] Thu, 14 October 2010 10:30 Go to previous messageGo to next message
dolik.rce is currently offline  dolik.rce
Messages: 1789
Registered: August 2008
Location: Czech Republic
Ultimate Contributor

mdelfede wrote on Thu, 14 October 2010 01:42

@DOLIK-RCE : could you please test it somehow ? Smile

I'll try Smile But I'm going to be busy this weekend, so it might take some time.

Also, I will try to update the php version to use the same "protocol". Btw: Still no luck in getting snow2.0 ported to php... If there is someone with spare time and little knowledge of php,, help would be appreciated. The only outcome of my attempts so far is that I actually understood how the cipher works Smile

Honza
Re: Protect package - A starting copy protection system [message #29293 is a reply to message #29292] Thu, 14 October 2010 10:45 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
dolik.rce wrote on Thu, 14 October 2010 10:30

mdelfede wrote on Thu, 14 October 2010 01:42

@DOLIK-RCE : could you please test it somehow ? Smile

I'll try Smile But I'm going to be busy this weekend, so it might take some time.

Also, I will try to update the php version to use the same "protocol". Btw: Still no luck in getting snow2.0 ported to php... If there is someone with spare time and little knowledge of php,, help would be appreciated. The only outcome of my attempts so far is that I actually understood how the cipher works Smile

Honza


Hehehehe.... knowledge is power Smile

Max
Re: Protect package - A starting copy protection system [message #29312 is a reply to message #29293] Fri, 15 October 2010 10:54 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
Hello Massimo/Honza

Some questions:

- About Protect

It includes MySql package. Is it possible to remove it?


- About ProtectServer

What are the ProtectServer requirements from server and from client side?.

Is ProtectServer a C++ program running on a server?. What is the role of PHP in this?

Would it be possible to use it with other database instead of MySql?.

Thank you for your work Smile.


Best regards
Iñaki

[Updated on: Fri, 15 October 2010 10:58]

Report message to a moderator

Re: Protect package - A starting copy protection system [message #29314 is a reply to message #29312] Fri, 15 October 2010 11:23 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
koldo wrote on Fri, 15 October 2010 10:54

Hello Massimo/Honza

Some questions:

- About Protect

It includes MySql package. Is it possible to remove it?



MySql is needed for ProtectServer, not for the client.
As I made a single package for both (some include files are needed for both cases) the MySql package is needed.... It'll not be linked in cliente, anyways.

Quote:


- About ProtectServer

What are the ProtectServer requirements from server and from client side?.

Is ProtectServer a C++ program running on a server?. What is the role of PHP in this?



ProtectServer requires, by now, an SCGI capable server, so any http server which can support SCGU. I guess almost all servers do. The PHP version that Honza is developing will relax this need.
For apache2 it's enough to install and enable mod_scgi module, and create a small config file for it. For Ubuntu :

sudo apt-get install libapache2-mod-scgi
sudo a2enmmod scgi

And, in /etc/apache2/config.d folder, add an scgi.conf file with this content (as an example) :
SCGIMount /scgi 127.0.0.1:8787


Where the server is listening on port 8787 on local host (configurable) and the http path for it will be /scgi.

For centos OS it'll just a bit more complicated on step 1, mod_scgi must be manually inserted in apache2.conf.
Anyways, there are many docs on the net to enable SCGI on many http servers... probably I'll add some docs.

ProtectServer is an upp executable. Honza's version will be in PHP and make (maybe) stuffs easier on server side.
Communication is done via encrypted http, so it should pass any routers/firewalls on the way.
ProtectServer NEEDS to run as a daemon / service (it must be continuously running and listening to SCGI port (8787 in my case). It doesn't need to run as root/privileged user.

Quote:


Would it be possible to use it with other database instead of MySql?.




Client is unaware of database type, so the changes are just in server. Honza's PHP is already capable of handling a couple of db engines.
ProtectServer is, by now, tied to MySql, but just because I've no time/no other db engine installed on my server. Adding Postgresql, MSSQL and others should be trivial, as long as they're supported by Upp sql engines.

Quote:


Thank you for your work Smile.


You're wellcome Smile
Please test it, It's setup on my server, you just need to build and run the client. I've still a nasty bug which makes it crash sometimes, but just in devel mode, not in debug builds... so I still didn't caught it.

Ciao

Max
Re: Protect package - A starting copy protection system [message #29315 is a reply to message #29314] Fri, 15 October 2010 12:05 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
Hello Massimo

Sorry for the petitions...

I think MySql would have to be removed from Protect, and included only if MySql is explicitly used. In my case I do not use MySql in any case Sad. And now Protect package includes many MySql elements.

Could you do a basic server version using sqlite, and the possibility to extend it to other databases?. As I do not expect many clients running out there Smile, with sqlite should have to be enough.

What is the advantage of a PHP version if C++ one works?

Quote:

Please test it, It's setup on my server

For now with MySql in Protect, I cannot use it, and I really want it Sad.


Best regards
Iñaki
Re: Protect package - A starting copy protection system [message #29318 is a reply to message #29315] Fri, 15 October 2010 12:23 Go to previous messageGo to next message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
koldo wrote on Fri, 15 October 2010 12:05

Hello Massimo

Sorry for the petitions...

I think MySql would have to be removed from Protect, and included only if MySql is explicitly used. In my case I do not use MySql in any case Sad. And now Protect package includes many MySql elements.

Could you do a basic server version using sqlite, and the possibility to extend it to other databases?. As I do not expect many clients running out there Smile, with sqlite should have to be enough.

What is the advantage of a PHP version if C++ one works?

Quote:

Please test it, It's setup on my server

For now with MySql in Protect, I cannot use it, and I really want it Sad.


Mhhhh... what's your problem about including MySql ? It's for the library linking ? It shouldn't be linked anyways for client, just for server.

If your problem is about compiling the server, yep... I could do it. But you could do it also, the *only* files on which the database stuff is used (and encapsulated) are ProtectDB.h/ProtectDB.cpp.
It should be quite easy to add sqlite implementation there.
If you can't / have no time to do it, I can try on this week end.

Last thing... the engine is still missing some cosmetics and a major hardening. By now a malicious client could record a client/server communication (even if it can't decrypt it...), and replay it on the client side to unlock the app.
The solution is quite simple but I haven't implemented yet.
It will be done by passing a random number from/to server, so the replayed communication will be useless.

Ciao

Max
Re: Protect package - A starting copy protection system [message #30973 is a reply to message #29318] Sun, 30 January 2011 19:24 Go to previous messageGo to previous message
mdelfede is currently offline  mdelfede
Messages: 1307
Registered: September 2007
Ultimate Contributor
Protect package :

- Fixed a dumb bug on encryption key (Cypher package)

- Refactored Client/Server stuffs, now an authorization key is sent by email in order to activate software on a PC

- Made connection expiration mechanics less sensitive to app crashes on client side.
Now if application crashes, on next run it won't say "license number exceeded" anymore.

- connections not refreshed on give time (default, 5 minutes) will expire on server side; this avoids auth on client side
just on app startup (avoids tricks with hibernations on PC)

Features :

- Product registration; defaults with a timed demo of 1 month

- Settable number of licenses per registered email

- Settable expiration date

- Collects statistics about number of connections per client and total time (seconds) of connections.

- Uses a simple mysql database on server side

- Client/Server communication is encrypted on both sides so it's virtually impossible to fake the authentication

- Allow usage on multiple machines, limited by number of licenses. Once a machine disconnects, it's license is available for another one.

- Returns a key (given on server side) useable with protect code encryption package.

There are still no docs for Client/Server stuffs, but ProtectServerDemo and ProtectClientDemo are quite well commented and shows almost all features

Ciao

Max
Previous Topic: UPDATED PROTECT PACKAGE
Next Topic: OAuth2 package for U++
Goto Forum:
  


Current Time: Thu Mar 28 21:53:24 CET 2024

Total time taken to generate the page: 0.01039 seconds