Registration plug-in: Difference between revisions
m (Lazarus Registration Component moved to Registration plug-in) |
|||
Line 18: | Line 18: | ||
In fact, the better way is to use user password as decryption key for packed data. | In fact, the better way is to use user password as decryption key for packed data. | ||
--[[User:GAG|GAG [Jaguar]]] 05:19, 22 December 2005 (PST) | --[[User:GAG|GAG [Jaguar]]] 05:19, 22 December 2005 (PST) | ||
Although I'm not happy that my installer has a vulnerability, I am glad to see that somebody was good enough to point out the one that I did have. As an immediate stop-gap solution to get around the silent installer problem, dropping the following code into the .onInit function might do the trick: | |||
Function .onInit | |||
IfSilent nosilent safetoproceed | |||
safetoproceed: | |||
Return; | |||
nosilent: | |||
Quit; | |||
FunctionEnd; | |||
This hack is completely untested and should be taken with a grain of salt. I need to look further into GAG's suggestion of encrypting the payload and will post an update here when I get something useful. | |||
--[[User:clay|Clay Dowling]] | |||
http://www.lazarusid.com/images/registration-screenshot.jpg | http://www.lazarusid.com/images/registration-screenshot.jpg | ||
[[Category:Plugins]] | [[Category:Plugins]] |
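Review bot: in the added .onInit snippet, `Return;`, `Quit;` and `FunctionEnd;` end with semicolons; NSIS instructions are not terminated with semicolons (`;` begins a comment), so drop them. The code lines are also added as ordinary wikitext, which is why the rendered revision shows the whole function run together on one line; mark them as preformatted text so the labels and instructions stay on separate lines. Since the reply itself calls the snippet untested, it would help to note whether it has been compiled and run with /S before readers paste it into their scripts.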
Revision as of 14:55, 20 February 2006
Author: clay (talk, contrib)
Description
The Lazarus Registration component lets you add a serial number/registration key dialog to your script. Downloadable from www.lazarusid.com.
Version 2 of this package was released on November 3, 2005 as open source software. A commercial version is also available which provides greater security and resistance to decompilers who go looking for your registration code.
Serious vulnerability in the installer created by Clay: a user can bypass registration code input by launching a silent install. Example: download http://www.lazarusid.com/download/Registration-Commercial-2.0.2.exe and launch it with the silent install command-line switch /S; you'll get the full version. I'm currently investigating code generation/validation, but as I can see, there is no encryption or strong cryptography, so Clay's method is very weak. In fact, the better way is to use the user password as the decryption key for packed data. --GAG [Jaguar] 05:19, 22 December 2005 (PST)
Although I'm not happy that my installer has a vulnerability, I am glad to see that somebody was good enough to point out the one that I did have. As an immediate stop-gap solution to get around the silent installer problem, dropping the following code into the .onInit function might do the trick:
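 Function .onInit
   ; IfSilent jumps to the first label when the installer was started silently (/S)
   IfSilent nosilent safetoproceed
   safetoproceed:
     Return
   nosilent:
     ; refuse to run without the registration dialog
     Quit
 FunctionEnd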
This hack is completely untested and should be taken with a grain of salt. I need to look further into GAG's suggestion of encrypting the payload and will post an update here when I get something useful. --Clay Dowling
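GAG's suggestion above, as an added sketch that is not code from the plug-in or from either poster: the payload is stored encrypted under a key derived from the registration code, so an install that skips the dialog (for example with /S) has nothing usable to unpack. It uses only the Python standard library; the function names, the PBKDF2 parameters and the HMAC-based keystream (a stand-in for an AEAD such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for the target machines


def _keys(code: str, salt: bytes):
    # Derive independent encryption and MAC keys from the registration code.
    km = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def pack(payload: bytes, code: str) -> bytes:
    """Build step: encrypt the payload under the registration code."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(code, salt)
    ct = _keystream_xor(enc_key, nonce, payload)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unpack(blob: bytes, code: str):
    """Install step: return the payload, or None for a wrong code or altered blob."""
    if len(blob) < 64:
        return None
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _keys(code, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return _keystream_xor(enc_key, nonce, ct)
```

The protection is only as strong as the registration code: a short or predictable code can be guessed offline against the packed blob, and anyone holding a valid code can still decrypt.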