A blog that accompanies our progress creating this product

We have started selling the new version of Looking Glass
See: https://www.securedglobe.net/looking-glass

Advertisements

I got MVP for 2018

Great news from CodeProject. I have been announced as a MVP(Most Valued Professional) for 2018.

My profile: https://www.codeproject.com/Members/Michael-Haephrati

Secured Globe, Inc.

Setting an upper limit

When a software house uses the Wizdome system, there is always the scenario where you need to check (and display) the remaining credit which the end-user has. Another scenario could be checking the status of a pending payment initiated via our Payment gateway (powered by PayPal).

This remaining credit can be anything billable: amount of data (MB),  time of use (hours / days) and we even had once a customer who measured their diamonds….

We assume that a customer should pay up to a certain amount and after paying it, he will get an unlimited license or unlimited access to this specific feature / resources that is currently restricted. To embed this functionality in the Wizdome system, we have added an attribute named “Max Billable Value”. When the Max Billable Value is reached,  the customer doesn’t have to pay any further. For example, if the Restriction is ‘amount of data (MB)’, then if we set the Max Billable Value to 200 (MB), then the moment 200 MB were purchased, any additional MB will be added for free, or there will be no limitation on using any number of MB from that moment.

From the source code point of view, the constant RESTRICTION_REACHED_UNLIMITED which is -2, when returned by the GetRemainingCredit(Restriction Name), indicates that the upper limit has been reached.

For example, the following source code can be used to generate a message based on the situation which could either be:

  • Additional credit has been added.
  • Credit has been added to the point, the Max Billable Value was reached.
 if (Global.GetRemainingCredit(MB_LIMIT) == RESTRICTION_REACHED_UNLIMITED)
 message.Format(L"You have reached the maximum billable credit ");
 else
 message.Format(L"You have %dMB credit. Payment was successful ", Global.GetRemainingCredit(MB_LIMIT));

We have recently added a unique feature to Wizdome: payment processing embedded in your program using just few lines of source code.

Wizdome has a built-in payment processing engine which allows you to accept payments from any credit card holder (regardless of being a PayPal customer) and pay for unlocking your software or for specific features. As part of Datattoo Recovery, one of our other products, the customer can pay per each MB of successfully restored data.

To process payments you need to choose 2 routes:

  1. Apply as a PayPal developers and obtain your own PayPal credentials
  2. Use Wizdome credentials and receive all payments from Secured Globe, Inc.

Technically, the SG_PayPal API is used as described below. Following, your program can continue as before, while Wizdome will continue monitor the status of each payment initiated and in the event of a successful payment to a Pending Transaction, the credit (“max” value) of the associated Restriction, will be updated accordingly, so if your program checks the allowed maximum value per each per-defined Restriction, the value will become higher and your software can give additional access flawlessly.

Void InitPayPal(BOOL Sandbox, LPTSTR User, LPTSTR password, LPTSTR signature, LPTSTR successUrl, LPTSTR failedURL)

Sandbox – indicates whether you are testing your integration using PayPal's Sandbox account, or going live.

User – your PayPal user name

Password – your PayPal password

Signature – you PayPal signature

successUrl – a url leading to a web page which you wish to be shown after successful payment.

failedURL – a url leading to a web page which you wish to be shown after failed / cancalled payment.

Initiating a payment

When you wish to initiate a payment, you call

BOOL InitiatePaypalPayment(int nUnits, int PricePerUnit, LPWSTR UnitName, LPWSTR RestrictionName)

nUnits (integer) - number of unique needed to be purchased

PricePerUnit (integer) - cost per each unit (in default currency).

UnitName (string) - the name of the unit to be purchased

RestrictionName (string) - optional - the name of any restriction tied to this transaction

For example: if you would like a data recovery software to allow recovery of 15 MB for the price of $15, and provided that a Restriction named “MB_RESTRICTION” was defined, you call this function using the following parameters:

InitiatePaypalPayment(15,1,L”MB”,L”MB_RESTRICTION”);

Currency

By default the currency used for transactions is USD, however that can be changed.

Tying a transaction to a Restriction

Wizdome allows you to tie a transaction (payment) to a Restriction. When you do so, the user will be able to lift or change a Restriction by making a payment and without having to switch versions, restart your program or restart any work done by your end-users.

This article is about obfuscation and protection against hacking.

Copy protection can’t be complete without some sort of obfuscation. The Wikipedia definition of Obfuscation is:

Obfuscation is the willful obscuring of the intended meaning of communication, usually by making the message confusing, ambiguous, or difficult to understand. The obfuscation might be unintentional or intentional (although intent usually is connoted), and is accomplished with circumlocution (talking around the subject), the use of jargon (technical language of a profession), and the use of an argot (ingroup language) of little communicative value to outsiders”

When applying this to software copy protection, our goal is to prevent a hacker from using reverse engineering methods, or more simple, hacking a protected application (which can even be examining the strings and other resources within the application).

Preventing that is done in several layers:

Source code obfuscation – if various elements of the source code and resources are obfuscated before the program is built, the built program will be obfuscated.

Binary obfuscation – manipulating the executable whilst making it hard to reverse engineer. That is usually done by making changes in the executable and yet preserving its format so it can still be executed (obviously if you encrypt an entire executable, you will reach the goal of making it impossible to reverse engineer but with the price of ruining the executable (PE) format in a way that will make it impossible to run it.

So clearly you need to make enough changes and manipulation to make it next to impossible to hack and reverse engineer and yet preserve the PE structure so it will still be a valid executable.

One solution to this problem is packing the executable by another executable (“loader”). I personally find this approach problematic. First, anti viruses detect a packer + loader as malicious code. Second, it complicates the process of protecting a program while we, at Secured Globe, Inc. aim to make it as simple as possible. The mechanism of storing parts of a program encrypted and decrypting these parts during run-time can be embedded as part of the program itself without having to wrap it entirely. For example, all resources can be stored as binary encrypted data or even stored as encrypted data without using the mechanism of resources which can easily be hacked using dedicated tools. Also all strings can be kept encrypted and decrypted during run-time. Strings reveal a lot of information about an application, its credentials (for example a server to which the program connects to, etc.).

Michael Haephrati published an article with source code about string obfuscation. We have examined a source code level obfuscation system and put aside the fact it is really a hard and exhausting work to obfuscate a c++ source code, the results are quite good.

The following code segment:

for (i=0; i < M.length; i++){
   // Adjust position of clock hands
   var ML=(ns)?document.layers['nsMinutes'+i]:ieMinutes[i].style;
   ML.top=y[i]+HandY+(i*HandHeight)*Math.sin(min)+scrll;
   ML.left=x[i]+HandX+(i*HandWidth)*Math.cos(min);
 }

will be changed to

for(O79=0;O79<l6x.length;O79++){var O63=(l70)?document.layers["nsM
\151\156u\164\145s"+O79]:ieMinutes[O79].style;O63.top=l61[O79]+O76+(O79*O75)
*Math.sin(O51)+l73;O63.left=l75[O79]+l77+(O79*l76)*Math.cos(O51);}

Focusing in c++, the features supported by Semantic Designs are:

  • Output encoding in ASCII, European ASCII, or UNICODE
  • No changes to the your C++ compilation or execution procedurs or environment
  • User definable list of preserved names
  • Predefined list of reserved identifiers for C++ standard libraries provided
  • Can preserve most preprocessor conditionals and macro calls in obfuscated source
  • Option to neatly format C++ source code to aid development before obfuscation.
  • Output encoding in ASCII, European ASCII, or UNICODE
  • Command line and GUI interfaces

To explain further, our goal is to disguise the following elements: API calls, variables, function names, program flow, as they also reveal a lot (as strings and resources do) and should be changed to meaningless names. That can be done in house by a simple search-replace taken place just before the final generation of the Release version, and right after all code changes are made and all tests are completed.

While the process of hiding and disguising strings, resources, variables and functions with in the program is quite straight forward, when it comes to calling an API function, things become more complex since you want to obfuscate an API call and yet have the operating system respond to it…

One way of doing it is as follow: Instead of calling the API function directly, we use

GetProcAddress(hModule,reinterpret_cast<const char*>(reinterpret_cast<int>(szName) ^ MASK)); 

Then you build on top of it a function that receives an encrypted name of the API function, decrypts it during runtime and return the address of the real (decrypted) API function name. In our example, the encryption method is a simple XOR but of course any ecryption can be used as long as it is straight forward to decrypt it during runtime.

Next, the program calls the function at the returned address without specifying its name in any way. As a result, it will be hard to find this call by examining the obfuscated executable.

Obfuscating an application won’t do any good if a hacker is trying to break it using a debugger, so anti-debug techniques are also required. For example: we can assume that if a debugger is ran, various actions that we can measure the time they take, will take more time to be completed, so one way is to measure them and compare the results.

Of course we can check the existence of a pre-defined list of process names which we know are associated with know debuggers.

We can digitally sign various parts of our program and compare it to an ad-hoc generated signature during runtime, so in case a manual change was made by a hacker we will detect it.

The most efficient protection is creating a virtual machine during runtime and running the program code in it. This VM should be a custom one not known to others so it will be impossible to debug it without knowing how it works and impossible to find out how it works without debugging it. That will lead the average hacker to a dead end.

 

 

 

SQLiteWrappers v1.06

We read about an excellent wrapper library by PJ Naughter, an old friend, who is constantly creating and updating great solutions, code snippets and libraries.

PJ Naughter's space

Just to let everyone know that v1.06 of SQLiteWrappers has been released. Updates for this version include:

  • Updated copyright details.
  • Updated the code to compile against SQLite 3.17.0. Added support for sqlite3_expanded_sql, sqlite3_trace_v2, sqlite3_set_authorizer & sqlite3_system_errno.
  • Updated the code to clean compile in VC 2017.
  • Removed support for the deprecated APIs: sqlite3_trace & sqlite3_profile.
  • Replaced NULL with nullptr throughout the code. This does mean that VC 2010 is now the minimum compiler required.

View original post

Tailor Made Licensing

We have published a new blog post named: Tailor Made Licensing – by Michael Haephrati at www.securedglobe.com. The post is about Tailor Made Licensing as opposed to shelf licensing. If you are a software vendor who is interested in having your own in-house licensing and copy protection system, developed especially for you, please read this post and contact us.

c40fc1_5ebb097f12914f32996a198b0353b53b-mv2.png