And the free versionĪ 64-bit Ubuntu machine, real or virtual. Hopper is a disassembler and debugger that runs on Mac OS X or Linux,īut not Windows. I think it's most likely the companies the GP reported this to just decided it's best to not bother until they have actual proof that this is a wide enough spread problem for them to make it worth putting in significant dev resources (because it does require significant resources).Proj 7x: Introduction to Hopper (20 pts.) Proj 7x: Introduction to Hopper (20 pts.) Purpose All of which will be cracked by someone halfway experienced in a matter of days. So now you have to obfuscate your API calls, put in extra layers of crypto, hide your private keys for that will enough in your machine code. If you really 'need' protection against this, you use a 3rd party product which essentially converts your program into something that runs on their proprietary virtual machine.īut if you do online license checking - how do you even 'fix' this? It's trivial to MITM all requests. It's a honey trap for developers - it's so easy to overthink it and spend months on 'hardening' your licensing, to the point where you have to check the generated assembly to see if your compiler doesn't do something clever where now all of a sudden 'cracking' your software turns into replacing a single JNZ instruction with a JMP. I wrote several 'licensing systems' over the years. That effort is likely better spend on developing new features. There is no way to stop a determined attacker. Licensing is a matter of throwing up enough roadblocks to prevent the majority of users from easily bypassing your checks. "Everybody" (i.e., everybody who thinks about this for 20 seconds) knows about this. Sometimes it is very easy, sometimes it is very difficult. and you simply need to put the pieces together to re-implement the API endpoint(s) that the app expects to use. You may find API keys, public SSL certificates, JSON field names, form field names, etc. I have used several disassemblers over the years but the one I like the most is Hopper Disassembler ( ). The difficult part(s), and the meat of the solution, is to reverse engineer every app to understand what and how it does things. Then, I created and installed my own Certificate Authority to automatically trust any self-signed certificate. > I have no idea how something like this would be built, especially in a way that it allows checking on telemetry would be interesting to look at it.įor the sake of learning, I will give you some hints: I originally used nginx, then I wrote my own Go program, and nowadays I use envoy proxy, but pretty much any proxy server will do the trick. I would not get anything out of publishing the code: it will not get me a better job, it will not get me clean money, it will not get me good publicity, it will do no good to anyone other than the people who want to use these apps for free without doing any work. However, if I publish the code, many of these potential customers may stop purchasing their software licenses or subscriptions, and I do not want to be responsible for their loss in revenue.Īlso, I spent a lot of hours reverse engineering these apps and their corresponding APIs. These companies surely do not care if I use their apps for me, because I am just one person among several thousand potential customers. Did you publish the source code?Īt the risk of sounding like a hypocrite, I do not want to enable other people to “steal” from these companies.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |