PDA

View Full Version : Making a Script Installer



NewsArchive
04-30-2008, 12:47 PM
Hi,

I'm trolling for ideas for installing scripts rather than .exes. I will be
installing scripts for CATIA. They are written in CATIA script and
VBScript. The scripts have been obscurificated, which helps to a degree
from a reverse engineering standpoint, but not from the standpoint of
copying from machine to machine. Since they are MS vbscript based, I can
add things to the scripts to check if they are legal copies. I do own
Software Passport, but that is designed for .exes.

This is what I would like to accomplish in priority order::
1. Tie the installed scripts to the computer.
2. Optionally be able to allow a trial period where you can be issued a
permanent key after purchase.

Note: If I need to write a background monitor process .exe for this to
work, that would be acceptable.

Thanks,
Jack T.

NewsArchive
04-30-2008, 12:48 PM
> This is what I would like to accomplish in priority order::
> 1. Tie the installed scripts to the computer.
> 2. Optionally be able to allow a trial period where you can be issued a
> permanent key after purchase.
>
> Note: If I need to write a background monitor process .exe for this to
> work, that would be acceptable.

Jack,

AFAIK, your best bet is to create a dummy exe (it can run as a process) and
make your script dependant on THAT exe being running. Then use Software
Passport to protect the EXE.

It is the same problem users will have with the .NET stuff (there are some
protection schemes there too, but they are very limited in what security
they offer).

Good luck!

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
05-01-2008, 03:37 AM
Hi Charles,

> make your script dependant on THAT exe being running.<

That's one of the things I'm considering.

Another is during the install, create a number based on the hardware, and
send or phone it to the vendor. The vendor then generates a number from
that. The customer puts it in during install and it is written written to
the registry. That is the same with either method. However, instead, the
scripts have an algorithm that checks if the number matches before it
executes. The drawback of couse is the algorithm is in the obscurifacted
script. However, I'm not sure that is any different than if the script
checks for the .exe. All a hacker would need to do is find out where in the
script it checks the registry. The advantage is I could write them a simple
keygen program so they wouldn't need to buy and deal with the complexities
of Software Passport. Thoughts?

Thanks,
Jack T.

NewsArchive
05-01-2008, 03:38 AM
> Another is during the install, create a number based on the hardware, and
> send or phone it to the vendor. The vendor then generates a number from
> that. The customer puts it in during install and it is written written to
> the registry. That is the same with either method. However, instead, the
> scripts have an algorithm that checks if the number matches before it
> executes. The drawback of couse is the algorithm is in the obscurifacted
> script. However, I'm not sure that is any different than if the script
> checks for the .exe. All a hacker would need to do is find out where in the
> script it checks the registry. The advantage is I could write them a simple
> keygen program so they wouldn't need to buy and deal with the complexities
> of Software Passport. Thoughts?

I doubt seriously that either you or I could write anything that even comes
close to being as secure as Software Passport/Armadillo.

After all, there is a reason that Digital River paid several million
dollars for the technology<g>.

That being said, you need to pass some data into an exe (protected by
Armadillo), do something with it and pass it back. Then the script needs
to consume the data. It should NOT be able to run correctly if the data is
not processed correctly.

BTW - I am not talking about just a startup process, but rather something
that happens over and over again at runtime.

That means that the script can not be hacked to bypass a Registry call or
even hacked so that it thinks that it has already made contact with the
exe.

If the exe is actually doing some (variable) work to perform a part of what
the script does - then the script without the exe is useless.

The exe can be bound to hardware easily with Armadillo (if that is what you
want to do).

Armadillo can also detect multiple copies of the same key running on the
LAN and you can shut down the exe if detected.

Anything you can do in the script can be hacked out. Any Registry call or
any call to the exe for that matter.

Only an ongoing function (that happens with each use or every so many
minutes (but still does some actual work on the data passed to it) will
give you a chance of being protected.

Other than that - a hacker is just going to jump it out in the script and
have a free pass around copy.

That would be my suggestion (and how I would do it if it were me).

BTW - you can write a code generator and use/distribute it as needed. The
only copy of Armadillo/Software Passport needed is by the person that
protects the exe. However it is a good idea to bind the code generator to
a particular machine and perhaps even limit the number of keys it can
generate before you replace it.

Alternatively you use a two-key system. Set your distributor code gen to
only be able to create the first key. This is good for 60-75 days and it
gives you time to look for credit card fraud or a chargeback. It expires
after that and the exe stops working.

Then YOU send the second (permanent) key to the end user.

This gives you a safeguard to protect you (and the distributor) from CC
issues and it protects YOU from a rogue distributor. At the same time it
makes it easy for them to issue keys as needed (for the initial key).

;-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
05-01-2008, 03:40 AM
> I doubt seriously that either you or I could write anything that even
> comes
> close to being as secure as Software Passport/Armadillo.

I've owned and used Software Passport for some time. I'm aware it's pretty
solid, even with Clarion .exes.

>If the exe is actually doing some (variable) work to perform a part of what
>the script does - then the script without the exe is useless.<

There may be something here I can use but CAD macros are often constructed
by a recording function and then automated. I need to be careful not to
complicate things too much for the vendor lest the cure be worse than the
disease.

Thanks for you thoughts,
Jack T.

NewsArchive
05-01-2008, 03:41 AM
> I've owned and used Software Passport for some time. I'm aware it's pretty
> solid, even with Clarion .exes.

Still the best protection I know of (which is why I use it<g>).


> There may be something here I can use but CAD macros are often constructed
> by a recording function and then automated. I need to be careful not to
> complicate things too much for the vendor lest the cure be worse than the
> disease.

I understand exactly.


> Thanks for you thoughts,
Glad to help Jack - good luck on finding a solution that works for you.

Take care,

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------