Registration plug-in: Difference between revisions

From NSIS Wiki
Line 6: Line 6:
Version 2 of this package was released on November 3, 2005 as open source software.  A commercial version is also available which provides greater security and resistance to decompilers who go looking for your registration code.
Version 2 of this package was released on November 3, 2005 as open source software.  A commercial version is also available which provides greater security and resistance to decompilers who go looking for your registration code.


-----


----
Some viewers have pointed out that there is a "flaw" in this component that fails to encrypt the included package.  This is not a flaw, but a limitation of the free version.  The registered version is designed so that the program itself must also check the registration code.  This prevents one user from installing the program and simply copying the binaries to another machine, and allows for the distribution of "feature-reduced" copies that change their behavior depending on whether or not the registration code is present. 


Serious vulnerability of installer, created by Clay:
For instance, simply by using the silent installer option you can get the full commercial version of the registration component, without entering a serial number or key. Without the serial number and key though you won't get the features of the commercial program, but the more limited features of the free version.
user can bypass registration code input by launching silent install
example:
download http://www.lazarusid.com/download/Registration-Commercial-2.0.2.exe
and launch it with silent install command line switch: /S
you'll get full version.
I'm currently investigating code generation/validation, but as I can see, there is no encryption or strong cryptography, so Clay's method is very weak.
In fact, the better way is to use user password as decryption key for packed data.
--[[User:GAG|GAG [Jaguar]]] 05:19, 22 December 2005 (PST)


Although I'm not happy that my installer has a vulnerability, I am glad to see that somebody was good enough to point out the one that I did haveAs an immediate stop-gap solution to get around the silent installer problem, dropping the following code into the .onInit function might do the trick:
Instructions are included with the package to help you add these features to your program.   


    Function .onInit
   
      IfSilent nosilent safetoproceed
   
    safetoproceed:
      Return;
   
    nosilent:
      Quit;
   
    FunctionEnd;
This hack is completely untested and should be taken with a grain of salt.  I need to look further into GAG's suggestion of encrypting the payload and will post an update here when I get something useful.
--[[User:clay|Clay Dowling]]
--[[User:clay|Clay Dowling]]
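
Review bot: the paragraph beginning "For instance, simply by using the silent installer option" still tells readers that a silent install yields the full commercial component without a serial number or key, yet this revision drops both GAG's report of the /S bypass and the `.onInit` `IfSilent` stop-gap without saying whether the installer now refuses silent mode. Either keep the workaround (marked untested, as before) or state that the silent path is now blocked. The new text should also say whether the promised follow-up on encrypting the payload happened, since "a limitation of the free version" does not cover the commercial installer named in the removed example.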



Revision as of 12:39, 2 May 2006

Author: clay (talk, contrib)


Description

The Lazarus Registration component lets you add a serial number/registration key dialog to your script. Downloadable from www.lazarusid.com.

Version 2 of this package was released on November 3, 2005 as open source software. A commercial version is also available which provides greater security and resistance to decompilers who go looking for your registration code.


Some viewers have pointed out that there is a "flaw" in this component that fails to encrypt the included package. This is not a flaw, but a limitation of the free version. The registered version is designed so that the program itself must also check the registration code. This prevents one user from installing the program and simply copying the binaries to another machine, and allows for the distribution of "feature-reduced" copies that change their behavior depending on whether or not the registration code is present.

For instance, simply by using the silent installer option you can get the full commercial version of the registration component, without entering a serial number or key. Without the serial number and key though you won't get the features of the commercial program, but the more limited features of the free version.

Instructions are included with the package to help you add these features to your program.

--Clay Dowling
