
Friday, January 11, 2013

Hacker's thoughts or how to make license validation really safe

Hi guys

From time to time, when I look at some new LN application downloaded from the Internet, I see that it is quite easy to fool its licensing validation. Over the last few months I managed to do that a couple of times.
Note: I do this just because it's interesting; I do not use any of these applications in any way.

If we are talking about approaches based on native Lotus Notes capabilities, there are three main options:

  • put license validation into an lss-file and use it throughout the application via the %INCLUDE statement. In most cases the database design is not hidden with this approach.
  • implement license validation in a dll-file (for Windows solutions) and use it throughout the application via the DECLARE statement. In this case the database design is not hidden either.
  • hide the database design, no matter where or how license validation is implemented.

Note that I do not take into account applications targeting Lotus Notes that are mainly developed with non-Lotus Notes technologies, like .Net or C/C++. I am speaking about ordinary Lotus Notes databases developed using the built-in languages.

So, the first two options can be fooled easily.
There are many ways to do it, but in general they all share the same idea.

Using the LotusScript debugger you can determine the name of the function that does the license validation and whose implementation is somewhere in an lss/dll-file. Then you create your own function with the same name that simply returns TRUE or any other "right" value and put it into your lss-file (or a dll-file created with Visual Studio, for example). After that you copy your lss-file to the location used in the %Include statement and recompile all LotusScript in the database. In the case of a dll-file you just need to overwrite the old one with your new dll-file. That's it.

The advantage of this approach is that you do not need to change the code of the original application for every database. Of course, sometimes the lss/dll file contains more than one function that needs to be rewritten, but anyway it's just a matter of time (I speak about a couple of days, not even weeks). This technique works very well and I proved it on a few really big and expensive Lotus Notes based systems.
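A defensive check for the file swap described above, as an added example that is not part of the original post: it lists the external files a LotusScript source pulls in through %INCLUDE and Declare ... Lib, then compares each one against a baseline of SHA-256 hashes. The script text, file names, file contents and the function names `external_dependencies`, `audit` and `demo` are constructed for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# %INCLUDE "x.lss" and Declare ... Lib "x.dll" load code from outside the database.
INCLUDE_RE = re.compile(r'^\s*%INCLUDE\s+"([^"]+)"', re.IGNORECASE | re.MULTILINE)
DECLARE_RE = re.compile(
    r'^\s*Declare\s+(?:(?:Public|Private)\s+)?(?:Function|Sub)\s+\w+\s+Lib\s+"([^"]+)"',
    re.IGNORECASE | re.MULTILINE)

def external_dependencies(script_source):
    """Sorted, de-duplicated external file names (lower-cased: Windows ignores case)."""
    names = INCLUDE_RE.findall(script_source) + DECLARE_RE.findall(script_source)
    return sorted({n.lower() for n in names})

def audit(script_source, search_dir, baseline):
    """Classify each dependency as ok, modified, missing or unlisted."""
    report = {}
    for name in external_dependencies(script_source):
        path = Path(search_dir) / name
        if name not in baseline:
            report[name] = "unlisted"   # dependency the baseline never covered
        elif not path.is_file():
            report[name] = "missing"
        elif hashlib.sha256(path.read_bytes()).hexdigest() != baseline[name]:
            report[name] = "modified"   # same file name, different content
        else:
            report[name] = "ok"
    return report

# Constructed sample: this script text is invented for the demo.
SAMPLE_SCRIPT = '''
%INCLUDE "licensecheck.lss"
Declare Function ValidateLicense Lib "licvalid.dll" (ByVal key As String) As Integer
Declare Sub LogEvent Lib "applog.dll" (ByVal msg As String)
'''

def demo():
    """Build a baseline in a temp dir, change one file, and return the audit report."""
    with tempfile.TemporaryDirectory() as d:
        files = {"licensecheck.lss": b"original include", "licvalid.dll": b"original library"}
        for name, body in files.items():
            (Path(d) / name).write_bytes(body)
        baseline = {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}
        baseline["applog.dll"] = hashlib.sha256(b"never deployed").hexdigest()
        # Constructed stand-in for the swap: same name, different bytes.
        (Path(d) / "licvalid.dll").write_bytes(b"replacement library")
        return audit(SAMPLE_SCRIPT, d, baseline)
```

Such an audit has to run from outside the application it checks, because a check that lives in the same lss/dll-file can be replaced together with it.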

The third option, with hidden design, is the most complicated. But from my experience, people do not like to buy applications with hidden design. Everyone wants open source, especially for systems like CRM, CMS, etc. So basically this is not a common case, but if you need to do something to a database with hidden design you may start by unhiding its design.

There is a known way to do that. You need to change the byte at address 0x000000BC from hexadecimal 20 to 00 using some free hex editor.

After that you can analyze the application, check the existing design elements, search for any formulas etc. to understand the validation algorithm. The funny thing is that sometimes developers cannot hide all design elements, since some LotusScript functions do not work in a database with hidden design. I personally saw such cases, but with release 6x. So what I am trying to say is that even databases with hidden design may still contain some design elements with LotusScript inside, intentionally left by the developers - you can check that as well.

After everything I said above, a logical question arises - which ways of implementing custom license validation are really good for a Lotus Notes application? I understand that any application on any platform can be hacked - it is just a question of time and money - but it is always nice to have a balanced solution where the effort spent on developing defensive functionality and the achieved safety level are good enough.

So, can anyone share with me any thoughts about the best options for developing license validation functionality for Lotus Notes applications with open design?
