Now I'm done .. What about piracy protection?

Hi All!

I’ve finally finished porting over my Windows project …

All I need now is some information on how to go about protecting my software … Over on Windows, I set up a custom Blowfish algorithm over a serial key which seems to be quite solid for the most part …

Over here on the Mac side I’m a noob again when it comes to anything advanced! LOL … Any suggestions?

Thanks a lot!

-Mel

This is sample code:

set usermail to "john@doe.net"
set userkey to "1686cc2ebb13204f4b2806178f8f512d"

checkIfValidKey(usermail, userkey)

to getKeyForMail(x)
	--> customize the following as you wish
	set u1 to (count x) * 67
	set u2 to round (u1 / (offset of "@" in x))
	set u3 to (offset of "." in x) * (u1 + u2)
	
	set u4 to ((u1 * u2) / u3) * 0.123456
	set u5 to text -8 thru -1 of ("0000000" & (u4 as text))
	
	do shell script "echo -n " & quoted form of u5 & " | openssl md5"
end getKeyForMail

to checkIfValidKey(mail, k)
	-- always return a boolean, so callers can use the result in an "if" test
	return (k is getKeyForMail(mail))
end checkIfValidKey

If you check the “algorithm”, it will return OK for “john@doe.net” and “kate@doe.net” and “suzy@qua.tro”. It’s left to you to customize what happens when creating the algorithm. You can base it on numbers, characters, a mix of them, check them against a pre-defined table of digits, etc. The simplest thing would be getting a CRC32/MD5/whatever from the user mail (or entire name, etc.). But that is so simple for a pirate. You could generate the number on-the-fly, based on the user’s MAC address (but the validation would be broken every time the user moves the software to a new machine), etc.

Just take into account the way AppleScript stores the data, so the pirate can’t read and guess what’s going on in your algorithm: don’t use names for your handlers such as “getKeyForMail”, and don’t write:

do shell script "apple"

But:

local o, l
set o to {}
{101, 108, 112, 112, 97}
repeat with l in result
	set o's end to (ASCII character l)
end repeat
do shell script "" & (reverse of o)

Etc. Basically, try to “hide” handler and variable names, and plain text.

You can also program it to be run only one time every ten minutes (for example), so no one can brute-force it…

After you finish your protection scheme, compile (as run-only) and open your script with a plain-text editor, and see how strong it seems.
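An added example, not part of the post above: a pre-release check showing why the three addresses named in the post share one key (the sample formula only reads the length and the positions of "@" and "."), next to a variant that keys on every character of the address. The handler names formulaInputs, shareOneKey and keyForMail and the appSecret value are assumptions made for this illustration.

```applescript
-- Added example, not code from the thread.
-- appSecret is a constructed placeholder; sampleMails are the addresses named in the post.
property appSecret : "CHANGE-ME-constructed-placeholder"
property sampleMails : {"john@doe.net", "kate@doe.net", "suzy@qua.tro"}

-- The only three values the sample formula reads from an address.
to formulaInputs(x)
	return {count x, offset of "@" in x, offset of "." in x}
end formulaInputs

-- True when every address in the list feeds the formula identical inputs,
-- which means they all end up with the same serial key.
to shareOneKey(mails)
	set firstInputs to formulaInputs(item 1 of mails)
	repeat with m in mails
		if formulaInputs(contents of m) is not firstInputs then return false
	end repeat
	return true
end shareOneKey

-- Keyed SHA-256 digest (HMAC) over the whole lower-cased address,
-- so changing any single character changes the key.
to keyForMail(x)
	set cmd to "printf %s " & quoted form of x & ¬
		" | tr '[:upper:]' '[:lower:]'" & ¬
		" | openssl dgst -sha256 -hmac " & quoted form of appSecret & ¬
		" | awk '{print $NF}'" -- keep only the hex digest, whatever prefix openssl prints
	return do shell script cmd
end keyForMail

to checkIfValidKey(mail, k)
	return (k is keyForMail(mail))
end checkIfValidKey

-- Run both checks in Script Editor and read the results in the log pane.
log shareOneKey(sampleMails)
log (keyForMail("john@doe.net") is keyForMail("kate@doe.net"))
```

The secret ships inside the script, so the advice above about hiding plain text and compiling as run-only applies to appSecret as well.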

Thanks a lot for the advice!

Priceless! :wink:

-Mel

Julio wrote a great article in unScripted about this too: Protecting AppleScripts Compiled as Run-Only Applications. I’ve put a link to his post above at the end of his article.