Oct 11 2011

A wrong grasp of security – The conclusion

A few days ago, I wrote about a bad licensing design and mentioned that I had sent the company an email regarding their problem and recommended a way to improve their licensing method. Today I received a “thank you” response, and they told me how they plan to fix it using some third-party licensing modules (why build something yourself if someone has already done that?).

Of course, I wasn’t going to use the cracked version of the product, and I sent them a request to purchase the product (in a different email). I received a response to that email as well, and the response was as follows:

Hi again DiGMi,

I know you now have the key by decompiling the code and appreciate the feedback and honesty. Please continue to use the key as you wish as a token of our appreciation.

For future reference, the option to remove branding is now available:
https://some.web.address.com/info/here

Thanks again and best wishes,
John Doe

The conclusion: Doing the right thing can benefit you in many ways, even financially.


Oct 8 2011

A wrong grasp of security

Lately, I’ve started using Sitefinity CMS (A cool .NET CMS system by Telerik, a bit expensive though). Anyway, like many other CMS providers, they have their own marketplace where you can buy modules and widgets for your CMS.

I was interested in one of the widgets that was developed by a third-party company (in order to prevent abuse, the name of the company won’t be mentioned). I was glad to find out that they provide the widget for free, so I just downloaded it and installed it in my development environment. As I restarted the CMS and tried to use the widget, I discovered something my mom used to say to me as a child: “There are no free gifts”. And of course, under the widget there was a copyright notice indicating that this is a free version, with links to the company’s site where you can buy the product without this advertisement.

Now, just to make it clear, if I end up using this product, I will buy it. But still, I wanted to look around and see how hard it would be to remove this annoying advertisement. Sitefinity is written in .NET, so this widget was written in .NET as well. Meaning: Reflector can be a great help. And it was. I analysed the provided DLL with Reflector and was amazed when I found the BrandLicense class inside the DLL.

This class contains a static method named ValidatedLicense, which looks more or less like the following:

public static bool ValidatedLicense(/* ... */){
 // ...
 return (ConfigurationManager.AppSettings["WidgetName.License"] == "12345678901234567890123456789012");
 //...
}

The license key and the appSettings key were modified here. At least the key is not that easy.

So, basically, the first thing I tried was to add the following lines to my web.config:

<appSettings>
 <add key="WidgetName.License" value="12345678901234567890123456789012"/>
</appSettings>

And when I restarted the CMS and looked at the place where the widget was located, I found that the advertisement was gone.

I’ve sent an email to the company that created this widget, telling them how easy it was to crack it and that they will probably want to use asymmetric encryption in order to store the key, and also that they should at least try to obfuscate the code so it won’t be that easy. I’m hoping they will fix it soon.
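
The asymmetric approach recommended above, as an added example that is not from the original post or the vendor's code: the vendor signs each license with a private key and the DLL ships only the public key, so decompiling it yields nothing that can produce a valid license. The class names and the license format (Base64 payload, a dot, Base64 signature) are assumptions, and a signature check does not stop someone from patching the check out of the DLL, which is where obfuscation comes in.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: LicenseIssuer, LicenseChecker and the license format are hypothetical.
static class LicenseIssuer            // runs only on the vendor's side
{
    // Signs "product|customer" with the vendor's private key.
    public static string Issue(RSA privateKey, string product, string customer)
    {
        byte[] payload = Encoding.UTF8.GetBytes(product + "|" + customer);
        byte[] sig = privateKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
    }
}

static class LicenseChecker           // ships inside the widget DLL
{
    // Only the public key is embedded, so there is no constant to copy into web.config.
    public static bool Validate(RSA publicKey, string product, string license)
    {
        string[] parts = (license ?? "").Split('.');
        if (parts.Length != 2) return false;
        try
        {
            byte[] payload = Convert.FromBase64String(parts[0]);
            byte[] sig = Convert.FromBase64String(parts[1]);
            if (!publicKey.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return false;
            // The signed payload must name this product, not another one from the same vendor.
            return Encoding.UTF8.GetString(payload).StartsWith(product + "|", StringComparison.Ordinal);
        }
        catch (FormatException) { return false; }   // malformed Base64
    }
}

static class Demo
{
    static void Main()
    {
        using RSA vendorKey = RSA.Create(2048);      // constructed key pair for the demo
        using RSA shipped = RSA.Create();
        shipped.ImportParameters(vendorKey.ExportParameters(false)); // public half only
        string license = LicenseIssuer.Issue(vendorKey, "WidgetName", "customer@example.com");
        Console.WriteLine(LicenseChecker.Validate(shipped, "WidgetName", license));       // genuine license
        Console.WriteLine(LicenseChecker.Validate(shipped, "WidgetName", "12345678901234567890123456789012"));
        Console.WriteLine(LicenseChecker.Validate(shipped, "OtherWidget", license));      // wrong product
    }
}
```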