Simplified Logic Inc

In part two, we cover using the Asset Encrypter application to encrypt AIR module swfs.  This demo also contains a before and after look at the code using a decompiler.

In this two-part article, I'm going to run through a quick demo of how to protect the source code in an AIR app from decompilers using the Nitro-LM module encryption technique.  Nitro-LM is a hosted licensing solution that can be enabled in your flex/AIR app for a nominal fee per license.

 In video 1, I go through setting up your application for Nitro-LM so that you can enable encryption on two example AIR module swfs.  

So what do you do when your company ships out thousands of CDs with License String Codes that are *not* printed properly?

Easy - post some advice on your support site telling customers to "guess" the final digits on the license string to get the software to work...  Classic! 

It is CRUCIAL to remember that "licensing" is the FIRST THING your customers see when evaluating or installing your product for use!   Why would you not strive to make it as painless as possible for your users?

...Click Read More to see the rest of this article... 

Modifying or replacing a DLL is one way that a hacker can gain access to your protected application. If you're using the Nitro-LM solution with the DLL client, or even if you're only interested in protecting your own DLLs, the solution provided here should prove useful to you. For our purposes, we'll focus on how you can code your application to prevent tampering on the nitrolm.dll inside a C++ application.

Nitro-LM is an Internet-based licensing solution. It allows you to license and protect your application from unauthorized users. Nitro-LM offers many client options, one of which is the DLL method. Your application calls licensing functions inside the DLL to retrieve licenses, create users, store server variables, etc. It checks response codes from the function calls to determine whether operations succeeded or not.

How can you prevent a hacker from modifying this DLL, or replacing it entirely with their own that returns positive responses and thus unlocking an unauthorized copy of your software?

The nitrolm.dll file is digitally signed with Microsoft Authenticode technology. In order for your software to detect if the dll has been changed or tampered with, you'll need to verify the digital signature in your code.

The verification is a two-step process in this example. The first step is to verify the embedded signature on the DLL. This will detect if the DLL has been tampered with, but will still succeed if a hacker has replaced your signature with their own. The second step is to verify that the DLL is signed with the correct signature. This will ensure that the hacker hasn't replaced your certificate with their own, or replaced the DLL in its entirety with their own. The beginning of your main method should look something like this:

 
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
    char str[1024];
    int ret = 0;
    char outmessage[512];
 
    //verify the dll's signature
    int success = VerifyEmbeddedSignature(L"nitrolm.dll", outmessage);
    if(success)
        int success = VerifyCertificate(L"nitrolm.dll", outmessage);
 
    if(success <= 0)
    {
        MessageBox(NULL, outmessage, "DLL Verification Error", 0);
        return 0;
    }
 
    <...call some dll method here...>
 

Doug McCune, world renowned expert on Adobe Flex/AIR and recently published Author, recently put on a presentation in England regarding decompiling SWFs.  He covered many of the free and commercial applications used for both compiling and decompiling SWFs, and also the benefits/issues with obfuscation and encryption.

Doug has presented something very cool for people to think about - and he even plugged Nitro-LM in the process (mention as a commercial solution - not an endorsement).  As a side note, Nitro-LM already embraces his recommendations for security. 

The material presented by Doug can be easily applied to other languages and technologies - they all suffer the same issues.  His presentation is worth the read.  Click below to check it out:

Here is another screen-cam of the team's in-process Administration tool written in Flex. This video highlights the new menu navigation system. As with many flex apps, this menu component borrows from open source and combines it with proprietary code to create a seamless user experience.

The menu component uses the Open Source library Object Handles. Object Handles is used to handle the resizing of each individual menu item. It's a good example of taking open sourced software and making it do something the original developer probably never intended. Object Handles is really designed to handle moving, rotating, and resizing items on a free-form canvas. This menu locks down the capabilities to only use horizontal resizing. This gives the menu a similar feel to a VDividedBox except that you don't have to steal pixels from neighboring components.

This video is for those people who are still in denial about their software being stolen.

Andrew Westberg was recently featured on The Flex Show broadcasting from 360|Flex San Jose talking about Nitro-LM.

The team is in the process of developing a new Adobe Flex Administration tool for Nitro-LM.  Here is a short video from the User Management screen.  It allows you to search for users, and see their relationships to computers, software, companies, and other users.

It's useful to quickly see if users are sharing computers or usernames/passwords. In the first search, you'll see a fairly typical user.  The second search shows a company who is sharing machines and usernames.