Overview of Xbox Browser by Softwareelves
So... Kendall Hopkins decided to make his used-to-be-free utility into a pay-because-you're-a-noob utility. I have never seen somebody try to lock down an AppleScript application before. Since AS stores strings as strings in the script files, so far his methods have failed.
His first method was to have the Xbox Browser access the internet (using AS's 'do shell' command and having it use the curl command-line utility) to try and access a specially crafted page on his webserver. The page either says 'true' or 'false'. If you want to go to the page, it is "http://softwareelves.com/store/xbregcheck.php?their_regnumber=123&their_id=123". AFAIK the their_regnumber is the registration code they were given and their_id is the specially generated id, based on the MAC address of en0. I imagine that the php page just checks the database. I noticed that, due to piss-poor logic, if you direct a browser to the page with the their_id empty or omitted, it returns 'true'. Heheh.
Ok, so the webpage for checking registration is fundamentally flawed. First of all, returning 'true' or 'false' is just stupid. It is as easy to get around as replacing "curl 'http:" with "echo true;#". If you know about command-line stuff, the ';' terminates the command and the '#' comments out the rest of the line. So if he was going to fix it, he would need to have it return something else. Maybe a simple DES32 of their_id with the current GMT day as the salt, and don't bother having the program submit their_id for registration checking. Oh well.
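One way to implement the fix suggested above, as an added example that is not from the original post or from Xbox Browser: the server answers with a token tied to the registered machine id and the current GMT day instead of a literal 'true', never reads their_id from the request, and fails closed on a missing or empty parameter. HMAC-SHA-256 stands in for the post's "DES32"; REGISTRATIONS, SERVER_KEY and the function names are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data: registration code -> machine id recorded at purchase.
REGISTRATIONS = {"REG-1001": "a1b2c3d4e5f6"}
SERVER_KEY = b"constructed-demo-key"  # placeholder value, assumption for the example


def gmt_day(now=None):
    """Current GMT date as YYYY-MM-DD, the per-day value mixed into the token."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%d")


def day_token(machine_id, day):
    """Token bound to one machine id and one GMT day."""
    msg = f"{machine_id}|{day}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def check_registration(params, day=None):
    """Server side: params is the parsed query string (dict of str -> str)."""
    reg = (params.get("their_regnumber") or "").strip()
    # Fail closed: a missing, empty or unknown code is never a match.
    if not reg or reg not in REGISTRATIONS:
        return "invalid"
    # their_id is not read from the request; the id stored at purchase is used.
    return day_token(REGISTRATIONS[reg], day or gmt_day())


def client_accepts(response, local_machine_id, day=None):
    """Client side: accept only the token for this machine and this GMT day."""
    expected = day_token(local_machine_id, day or gmt_day())
    return hmac.compare_digest(response.strip().encode(), expected.encode())
```

The client has to hold the same key to recompute the token, and as the post says, AppleScript stores strings as strings, so this only removes the constant-answer weakness; a response signed with a server-held private key would keep the secret off the client.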
After he was informed that it was a piece-of-pie to have Xbox Browser think that it was registered, he added in a separate script that is run to make sure the main script, binary (which is generic anyway), and main menu nib were not tampered with. Like I said before, in AppleScript strings are strings. All you have to do is md5 the files that are checked before you edit them and notice that the 'hash' that the authentication script is verifying them with is using a static subset of the numbers. This allows us to just change the hash and everything is hunky-dory.
We'll see if he ever figures out how to lock down an AppleScript application.
UPDATE:
The file hashing is now invalid; he concatenates the md4 and md5 hashes together with a string. Just read the AS Hacking entry.