stopping piracy one step at a time...
well not really.
Further down the line, after pushing to GitHub, we realised that people would poke around in our code, find vulnerabilities and send pirated copies of the system to others.
YES I KNOW IT'S OPEN SOURCE! BUT YOU NEED TO BE PREPARED!
step 1. the name
We needed a name that sounded professional but friendly; in the end we settled on EN_LICE_ULOCK. It was a bad name, but we didn't have a lot of time.
step 2. the code
There needed to be a way to stop execution on startup if something was missing; licelock 1.0 looked like this:
import os
import sys
import logging
from datetime import datetime
from time import *

# the whole "licence check": open the file and let Python raise
# FileNotFoundError if it isn't there (nothing is read or validated)
f = open("LICENSE.txt", "r")
It was bad, really bad...
All it does is look for a LICENSE.txt file, and Python throws a tantrum (a FileNotFoundError) when it can't be found. It never reads the contents, so an empty LICENSE.txt gets straight past it. We needed to change, and fast.
step 3. securing further and the API
First, we needed to change the way licelock works:
instead of putting it in the main code, turn it into a module and ship it with every copy;
change what it looks for, or at least separate it into levels of protection;
get the update out fast.
So our new procedure worked like this:
import os


def keylock():
    from Crypto.Hash import SHA256
    from Crypto.Signature import PKCS1_v1_5
    from Crypto.PublicKey import RSA

    message = b"Validated"  # the hash input has to be bytes on Python 3
    digest = SHA256.new()
    digest.update(message)

    # Read the key from file (this is the private key, and it ships with every copy)
    private_key = False
    with open("superpy.pem", "r") as myfile:
        private_key = RSA.importKey(myfile.read())

    # Sign the digest with the private key
    signer = PKCS1_v1_5.new(private_key)
    sig = signer.sign(digest)

    # Verify with the public half of the *same* key: this can only fail if the
    # file did not hold a usable RSA key, it says nothing about who made it
    verifier = PKCS1_v1_5.new(private_key.publickey())
    verified = verifier.verify(digest, sig)
    assert verified, "Signature verification failed"  # note: assert is skipped under python -O
    print("Successfully verified signature, booting...")
    os.system("python3 boot.py")
Look for cryptographic keys instead of editable text files!
Just for reference, the key is generated with OpenSSL (save it as superpy.pem, or change the filename in keylock(), so the two match; 1024-bit RSA is well below current recommendations, so use at least 2048 bits for anything real):
openssl genrsa -out private_key.pem 1024
Now, with that sorted, we needed to import it into the code. We saved it as licelock.py and in our main file we added:
import licelock
licelock.keylock()
And there we go: a simple mechanism that shuts off the script if the key file is missing or doesn't parse as an RSA key. That is all it checks, though. It signs and verifies with the same key it just read from disk, so any RSA private key dropped into superpy.pem will pass, and because the private key ships with every copy there is nothing secret about it. I WOULD NOT use this in production if I was you!