If you're using ClickOnce to manage your deployments and updates it may be configured to actively query a URL/manifest for the latest version of your project and then comparing its current version to this to determine if an update needs to be done. Does anyone know what the numerical limits are of the comparison routine? Because I have an automated process doing the builds, we're dropping a timestamp into the four-component of the version (e.g. 1.0.0.x; it's just digits without any symbols). However, I'm concerned that there being an eight-digit number in this spot might potentially crash the comparison. Microsoft no no do so good with unexpected requirements.
Does anyone have experience with this?
Thanks.
Let's walk the trail. If you start plugging in larger numbers, eventually setup.exe will poll for the latest version and then fail with "Cannot continue. The application is improperly formatted. Contact the application vendor for assistance."
If you look at the details, you'll see a log which may say the following:
+ The 'version' attribute is invalid - The value '1.0.0.161739' is invalid according to its datatype 'urn:schemas-microsoft-com:asm.v1:fourPartVersionType' - The Pattern constraint failed.
+ The Pattern constraint failed.
If you Google for "fourPartVersionType", you'll find yourself at FourPartVersionType Simple Type, which provides the following regular expression:
([0-9]{1,4}|[0-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])(\.([0-9]{1,4}|[0-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])){3}
This basically limits each component to four- or five-digits and, essentially, no greater than 65536 in the latter.
Related
I am building a custom installer fed from an xml document...
I know most programmers do not build their own anymore but this is specifically what I was assigned so work with me please. The installer will need to uninstall old versions of the program before it can do its job.
I can obtain registry uninstall strings no problem the problem is that the users building the instructions files are not always going to have an exact display name.
So...
I am using Levenshteins difference to obtain possible matches above 70%, this leaves me open to mistakes. To correct them was hoping i could deserialize the the GUID to obtain the name and make sure I had the right one. or somethign along those lines.
Can someone let me know where to look, or any recomendations on how to make a redundant check in the event the likeness is less than 100% based on levenshteins difference (and confirmed with Hamming difference when words/phrases are of equal length)
Note:
Versions may not be know it is a remove all old versions
Publisher will be identical on all
install location should be network but not guarenteed users love to copy locally
GUIDs do not (or at least SHOULDN'T!) contain any information from the domain they were generated from. These are randomly generated numbers, with a keyspace large enough that they are supposedly guaranteed to be unique.
Unless you have a database or some form of repository to search for this GUID's associated information, a bare GUID is no more useful than an integer ID on a random database table. It's only a identifier.
GUIDs
EDIT
I found a VBS script that may do what you are looking for. This will uninstall an application by it's Registry Id. If your program is written in another language, you can still launch VBS scripts using the System.Diagnostics namespace.
System.Diagnostics.Process.Start("path to script here");
I am not a software engineer as you will see if you continue reading, however I managed to write a very valuable application that saves our company lots of money. I am not paid to write software, I was not paid for writing this application, nor is my job title software engineer so I would like to have total control over who uses this application if I ever had to leave since as far as I can tell it is not legally theirs (did not write during company hours either).
This may sound childish but I've put much much time into this and I've been maintaining it almost on a daily basis so I feel that I should have some control over it, or at least could sell it to my company if they ever had to let me go, or I wanted to move on.
My current protection scheme on this application looks something like this:
string version;
WebRequest request = WebRequest.Create("http://MyWebSiteURL/Licence text file that either says 'expired' or "not expired'");
WebResponse response = request.GetResponse();
StreamReader stream = new StreamReader(response.GetResponseStream());
version = stream.ReadToEnd();
stream.Close();
response.Close();
if (version == ("not expired") == false)
{
MessageBox.Show(Environment.NewLine + "application expired etc etc", "Version Control");
}
It checks my server for "not expired" (in plain text), and if the webrequest comes back as anything but "not expired", it ultimately pops up another form stating it is expired and allows you to type in a passcode for the day which is a multiplication of some predetermined numbers times the current date to create "day passes" if ever needed (I think Alan Turing just rolled over in his grave).
Not the best security scheme, but I thought it was pretty clever having no experience in software security. I have however heard of hex editing to get around security so I did a little test for science and found this area of my compiled EXE:
"System.Net.WebRequest." Which I filled in with zeros to look like this: System.Net000000000
That was all it took to offset the loading of the application to hiccup during the server check which allowed me to click "continue" and completely bypass all my "security" and go along using the program without it ever expiring.
Now would a normal person go to this length (hex editing) to try to get past my protection scheme? Not likely, however just as a learning experience, what could I do as an added step to make hex editing or any other common workarounds not work unless it was by "professional" cracker?
Again I'm not paranoid, I'm just eager to learn more about security of applications. I was both proud of myself and ashamed at the same time for creating and breaking my own protection.
If commenting, please be kind since I know this is probably a humerus post to those more informed than I as I really have little experience in writing software and have never taken any type of course etc. Thanks for reading!
Another way to bypass the license check is to redirect the checking url to localhost returning always the desired text...
A better way is to make a call to a function doing the same thing but make your server response a signed XML including the server response time-stamp, that you can check on addition with the system datetime (use UTC dates in both sides). It is also a good idea to throw exceptions whenever something is not the way you expect it, and control the flow of your program with exception handling.
Check the following to get a how to clue:
How to: Sign XML Documents with Digital Signatures
How to: Verify the Digital Signatures of XML Documents
Now would a normal person go to this length (hex editing) to try to
get past my protection scheme?
Well i guess, that depends on how useful the application is for that "normal person", and how determines he is to make it work.
Most .net application unless obfuscated can be easily de-compiled to the source code using tools like (Telerik JustDecompile) or they can simple use the ildasm to see the IL code, i heard there are tools to even de-compile obfuscated .net libraries, although i haven't used or found any.
With my little experience, i can suggest two approaches
Enforcing licensing and cracking it in a application which runs plainly on the user machine is a cat and mouse game, you can add some extra protection to your code by moving some part of the applications functionality to the server and expose it as a web service which your client can consume, the part you move to the server must be an important part for the application to work and should be something that is hard to simulate.
The other approach is to add a auto updater feature to your application that will check the server for latest updates, and when ever it finds a new version it will overwrite the older one, thus overriding any cracked version, this can be easily disabled, but if disabled this will also stop any bug fixes you might release
I tried both the approaches, but they are only useful to some extent and you have to decide whether it is worth the effort enforcing or not
The title basically says it all. I need to determine the Windows Service Pack number (in numeric form), and Environment.OSVersion.ServicePack (which basically just returns OSVERSIONINFO.szCSDVersion) just returns a string.
In all my tests, this string turned out to be in the form "" (no service pack) or "Service Pack X", with X being a number. So the algorithm to parse this should be quite simple.
My question: Can I rely on this string to always have this format?
(One part of me says no, beause it's not documented. The other part says yes, because surely a lot of existing code would break if MS would decide to return, say, "SP 2 (x86)" for Windows 7 SP2. Thus, they won't do it. Does anyone have more information on that?)
No you can't, some versions use translated strings! If you look at the strings from the image in that link you see that you might get away with just using the first number you find in the string.
OSVERSIONINFOEX was added in NT4 SP6, if you call GetVersionEx you only need to deal with the string on Win9x and < NT4 SP6 and use OSVERSIONINFOEX.wServicePackMajor on other systems.
You should use BuildLabEx instead. It has a specified format which has held since early builds of Windows. Not sure if you can find it in WMI (you should be able to), but it's in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx
Example:
7601.17640.amd64fre.win7sp1_gdr.110632-1508
If it makes you feel more comfortable, you could rely initially on CSDVersion matching a certain regex for simplicity, and fail back onto BuildLabEx if it doesn't match.
I need some ideas how to create a activation algorithm. For example i have demo certificate. Providing that the application runs in demo mode. When full version certificate is provided then application runs in full mode.
Is it even possible and how would be a good way creating this system?
One simple was i was thinking would be just have a 2 encrypted strings, now when the decryption is succsessful with the demo public key certificate then the application will run in demo mode and etc..
You could do something like:
Generate public/private key pair
As owner of private key, you can sign those "activation certificates" (called AC from now on)
In your app, with public key, you can check if the sign is correct
As Overbose mentioned -- you can't prevent reverse engineering. In general someone could take functionality and put it in his/hers own app and thus eliminate any possible activation algorithm. So you can only assume (or make) this is hard enough not to be worth the effort (this is the same as for cryptography -- when you make the cost of breaking the message greater then the profit of gaining it you can say it is well secured).
So you could:
Make executable self-verifying (signed by you, self-checking based on hard-coded public key (one thing: you must skip this value when self-checking)).
Do some tricks with pointers (point to the activation function, go to 7th bit and change value of it for something based on value of another pointer; in some weird places change hard-coded values to those based on occurrence of some bits in other places of the code; generally -- make it more difficult to break than by simply changing bits in executable with hex editor)
Try to make some protocol that your server would use to ask questions about the app ("gimme the value of 293 byte of yourself") and check answers.
Use imagination and think of some weird self-checking method nobody used before :)
As mentioned -- none of this is secure from cutting the authentication part off. But nothing is and this could make it harder for crackers.
Background: I've deployed an activation based system built on top of a third-party license system, i.e. server, database, e-commerce integrations. I've also separately written a C# activation system using RSA keys, but never deployed it.
Product Activation commonly means that the software must be activated on a given machine. I assume that's what you mean. If all you want to do is have two strings that mean "demo" and "purchased", then they will be decrypted and distributed within hours (assuming your product is valuable). There is just no point.
So. assuming you want "activation", then when the user purchases your software, the following process needs to happen:
Order-fulfillment software tells Server to generate "Purchase Key" and send to user
User enters "Purchase Key" into software
Software sends Purchase Key and unique Machine ID to server.
Server combines Purchase Key and Machine ID into a string and signs it with its certificate and returns it to user.
Software checks that signature is valid using Servers public key.
Software could check in lots of places: loading the sig in lots of places, checking it in others.
When generating Purchase Keys, the server can store not only what produce was purchased, but what level of product. You can also have "free" products that are time limited, so the user can try the full version of the software for 30 days.
You are using C#, so make sure you obfuscate the binaries, using dotfuscator or equivalent. However, even with that there is nothing you can do against a determined hacker. Your goal, I assume, is to force non-paying users to either be hackers themselves, or to have to risk using a cracked version: kids wont care, corporations might. YMMV.
The code that does the checking needs to be in every assembly that needs protecting, otherwise an attacker can trivially remove protection by replacing the assembly that does the checking. Cut and paste the code if you have to.
Or just buy something.
Another option is to have the server pre-generate "Purchase Keys" and give them to the Order fulfillment service, but then you dont get to link the key to the customers details (at least not until they register). Better to have the ecommerce server hit your server when a purchase has been made, and have your server send it out.
The hard part isn't so much the generation of activation keys as it is the creation of the server, database, and the integration with e-commerce software, and most of all, human issues: do you allow unlimited installs per Purchase Key? Only 1? If only 1 then you have to have customer-support and a way to allow a user to install it on a new machine. That's just one issue. All sorts of fun.
This guy wrote a blog post about a similar idea, explaining what he did with their own commercial software. Also wrote a list of recommendations about the most obvious cracking techniques. Hope it helps.
One simple was i was thinking would be just have a 2 encrypted
strings, now when the decryption is succsessful with the demo public
key certificate then the application will run in demo mode and etc..
Could be a simple solution. But this way you won't prevent someone to reverse engineer your binaries and make the execution jump to the correct line. Everyone has your program, has a complete version of it, so it's only a matter of find how to break this simple mechanism.
Maybe a better solution is encrypt a part of the binaries needed to use the full application version, instead of a simple string. This way to execute the application complete version someone need to decrypt those binaries in order to execute them.
Please take in consideration that even that solution isn't enough. There are other problems with that:
Does all the version of your tool will share the same encryption key? Breaking one of them for breaking all..
Even if you use a different key for each binary application released, does the encrypted binary are identical? Once cracked one, you can reuse the unencrypted binaries for all distributed applications.
How to solve these problems? There's no simple solution. Most of the more important commercial software with even sophisticated protection systems are broken just few hours or days after they have been released.
Product activation is not a problem that asymmetric cryptography can solve. Asymmetric cryptography is about keeping secrets from your adversary. The problem is that you can't keep a secret that is stored on you're adversaries machine, that would be security though obscurity.
The correct way to do product activation. Is to generate a Cryptographic Nonce that is stored in a database on your server. You give this Nonce to the customer when they buy the product, and then they activate it online. This activation process could download new material, which would make it more difficult for the attacker to modify the copy they have to "unlock" new features.
But even with DRM systems that require you to be online while using the product. Like the ones found in new games like "From Dust" are still broken within hours of their release.
One of the benefits of public key encryption is that you can verify the origin of a given piece of data. So if you store the public key in your assembly, then sign a given piece of data (say an authorization code or serial number) your assembly can verifiably determine that you were the one that created that data - and not a hacker. The actual data itself isn't all that important - it can be a simple pass/fail value.
This is actually pretty easy to do with .NET. You can use an x509 certificates or like we use in DeployLX Licensing the RSACryptoServiceProvider.
I would highly recommend buying a commercial product (doesn't really matter which one, though DeployLX is excellent) and not doing this yourself for 2 reasons
Even if you're a great developer, you'll probably get it wrong the first time. And any savings you might have enjoyed by rolling your own will be lost to recovering from that mistake.
You'll spend far more time working on your own system - time that you should spend making your product great.
The second phase in protecting the software is to make sure that it runs the way you created it - and hasn't been modified by a hacker. It really doesn't matter what encryption you use if hackers can check if( licensed ) to if( true ).
You can use AsProtect to solve this problem. This is good staring point.
I will start from example: I have an version of my app which looks like this
1.0.3450.26573 (it is hard to read and looks nasty). Code to take this version is:
String Version = System.Reflection.Assembly.GetExecutingAssembly().GetName().Version.ToString();
I want to see version 1.0.12, 1.0.13, 1.0.14 where 1.0.[BUILD], where BUILD is auto increasing on each build.
How can I do this in a best way?
Actually, build number will not do you any good unless you'll be able to track which build number corresponds to which version of source code your application was built from. Rather, consider using revision number from your repository (if your SCM tool is anything similar to Subversion; to do so try svnversion).
Versioning Controlled Build
You have to integrate that with your build environment. For us, CruiseControl.net increments the version number on each build. But you could also use a SVN revision number etc. There are several possibilities.
If you only want 3 digits instead of 4, you have to format the string yourself.
Yeah, revision number would be great, but how I can get it, I use SourceGear Vault.