Registration plug-in: Difference between revisions

From NSIS Wiki


Version 2 of this package was released on November 3, 2005 as open source software.  A commercial version is also available which provides greater security and resistance to decompilers who go looking for your registration code.
----
Serious vulnerability of installer, created by Clay:
a user can bypass registration code input by launching a silent install.
Example:
download http://www.lazarusid.com/download/Registration-Commercial-2.0.2.exe
and launch it with the silent install command line switch: /S
You'll get the full version.
I'm currently investigating code generation/validation, but as far as I can see, there is no encryption or strong cryptography, so Clay's method is very weak.
In fact, the better way is to use the user password as the decryption key for packed data.
--[[User:GAG|GAG [Jaguar]]] 05:19, 22 December 2005 (PST)


http://www.lazarusid.com/images/registration-screenshot.jpg


[[Category:Plugins]]

Revision as of 13:19, 22 December 2005

Author: clay (talk, contrib)


Description

The Lazarus Registration component lets you add a serial number/registration key dialog to your script. Downloadable from www.lazarusid.com.

Version 2 of this package was released on November 3, 2005 as open source software. A commercial version is also available which provides greater security and resistance to decompilers who go looking for your registration code.



Serious vulnerability of installer, created by Clay: a user can bypass registration code input by launching a silent install. Example: download http://www.lazarusid.com/download/Registration-Commercial-2.0.2.exe and launch it with the silent install command line switch: /S. You'll get the full version. I'm currently investigating code generation/validation, but as far as I can see, there is no encryption or strong cryptography, so Clay's method is very weak. In fact, the better way is to use the user password as the decryption key for packed data. --GAG [Jaguar] 05:19, 22 December 2005 (PST)
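The design suggested in the comment above, as an added example that is not part of the original page or of the Lazarus plug-in: the packed data is encrypted under a key derived from the registration code, so an install that skips the dialog (such as a /S run) only ever holds ciphertext. The function names, the PBKDF2 parameters, the sample code and payload, and the HMAC-based keystream (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def _keys(code: str, salt: bytes):
    # Stretch the registration code into independent encryption and MAC keys.
    km = hashlib.pbkdf2_hmac("sha256", code.strip().encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for AES-CTR/GCM, not a vetted cipher.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def pack(payload: bytes, code: str) -> bytes:
    """Build side: encrypt the packed data under the registration code."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(code, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag  # layout: salt(16) | nonce(16) | ct | tag(32)


def unpack(blob: bytes, code: str) -> Optional[bytes]:
    """Install side: return the payload, or None if the code or blob is wrong."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(code, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    blob = pack(b"constructed full-version payload", "ABCD-1234-EFGH")  # constructed sample
    print(unpack(blob, "ABCD-1234-EFGH"))  # payload recovered with the right code
    print(unpack(blob, ""))                # no code supplied (silent run): None
```

With one code shared by every customer the key is only as secret as its least careful holder; a per-customer package or a server-issued key avoids that.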

registration-screenshot.jpg