Sunday, January 10, 2010

DevExpress VCL Build 48 security analysis

Your reviewer was quite pleased with the latest DeveloperExpress VCL build #48. It looks like they are handling security right by using real encryption.


The weakest link: Setup.dll/Unrar.dll
Formerly, before Build #48, everything was packed into 4 RAR files (Help, HtmlHelp, Demos and Sources) with the same password. So when the installer called Setup.dll (in other words, Unrar.dll), you just captured the password in the DLL call stack. Your reviewer remembers they used to change it every build, but since the weakest link was setup.dll, you could always get it from there. Then you could hack it in different ways, like substituting your own setup.dll with YourOwnUnRar.Dll taking the same parameters and obtaining the password, or setting Olly/WinDbg to break-point on the DLL call.


Calling Home correctly
The next deterrent is using SSL/HTTPS instead of HTTP. That greatly deters wannabe "vendors" from capturing packets in mid-air, as in a man-in-the-middle attack. You could capture the SOAP packet in transit, then try dissecting it. With HTTPS, unless you can emulate https://register.devexpress.com with a valid SSL certificate, you're in for serious debugging.

Your reviewer remembers Andrei (Feandy) discussing on some Russian forum how he would set up a virtual machine with http://register.express.com redirecting to his private web server to hack it, and then how he complained it changed to HTTPS (which obviously made it much harder).


Custom Archives
Your reviewer was thrilled to learn about the DXIF archive file format (anyone still remember that Julian wrote parts of TurboPower LockBox/Abbrevia?). Since the person who wrote TurboPower LockBox knew its security flaws, DeveloperExpress used AES instead. Way to go! At least the person writing the DXIF file format knew what they were doing.

DXIF --> borrowed parts from TurboPower Abbrevia (PKXX --> DXIF), with the cipher changed to AES with key-checking.

Excellent choice :)
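As an added illustration (not DevExpress code; the header layout and the key-check construction are assumptions, and the AES step itself is left out), this is what key-checking in a password-protected archive buys the defender: a wrong password is rejected from a small header verifier before any payload is decrypted, and a per-archive random salt gives each archive its own key even when one password is reused across them.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed (hypothetical) header layout: 16-byte random salt followed by a
# 32-byte key-check value. The AES-encrypted payload would follow the header.
SALT_LEN = 16
CHECK_LEN = 32
PBKDF2_ROUNDS = 100_000

def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """One PBKDF2 run yields a 32-byte payload (AES) key and an independent
    32-byte check key, so the stored verifier says nothing about the payload key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]

def key_check_value(check_key: bytes) -> bytes:
    # The verifier is a MAC over a fixed label, never the key or the password.
    return hmac.new(check_key, b"key-check", "sha256").digest()

def seal_header(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build the archive header. A fresh salt per archive means four archives
    sealed with one password still end up with four different payload keys."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    _payload_key, check_key = derive_keys(password, salt)
    return salt + key_check_value(check_key)

def open_header(header: bytes, password: str) -> Optional[bytes]:
    """Return the payload key if the password checks out, else None.
    Nothing from the payload is touched until the check passes."""
    if len(header) != SALT_LEN + CHECK_LEN:
        raise ValueError("malformed header")
    salt, stored = header[:SALT_LEN], header[SALT_LEN:]
    payload_key, check_key = derive_keys(password, salt)
    if not hmac.compare_digest(key_check_value(check_key), stored):
        return None  # wrong password: reject before decrypting anything
    return payload_key

if __name__ == "__main__":
    hdr = seal_header("build48-demo")  # constructed sample password
    print("right password accepted:", open_header(hdr, "build48-demo") is not None)
    print("wrong password accepted:", open_header(hdr, "guess") is not None)
```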


Watermarking
Your reviewer was happy to find watermarked source code, or at least places where you could not see it. Your reviewer found many strange comments, unusual constants and strings (I'll be fair: I won't disclose them) in the source code that were not there in previous builds. Also, since some of these watermarks are in the last build, how could your reviewer possibly know? :)

Oh, by the way, if Andrei/Feandy releases source code from Build #48, most of the sources are watermarked. Please, Andrei/Feandy, release the sources, so the Andrei/Feandy license could become invalid and the only DevExpress leak in the whole world would be gone ;)


What's in Feandy's mind...
Your reviewer thinks there could be some improvements made for the next build, like:

- Watermarking help files. Watermarking help files would be the least noticeable, and that would greatly stop Andrei/Feandy from releasing demos/help files for everyone.

- It would be much better if VM detection were present. There is already code to detect VirtualPC or VMware, so why not throw that in? That would make it really fun.

- Use different AES passwords for the DXIF archives. Think about it... 4 times the fun.

Last:
- By the way, could you use this copy-protection scheme for the .NET edition? Your reviewer would love it.


Delphi-Love
With stronger, better protection, people who used DevExpress illegally will have a hard time getting updates. Maybe it's time to look at LMD/TMS, but wait, TMS also has better protection now (guess who recommended it?)


Conclusion
With friends like Feandy, who needs enemies?


:)
