Recently I was faced with a difficult problem. A component that a contractor choose for a site which I now maintain, is licensed per domain name. The site is for a relativley young company which hadn't choosen how it was going to brand the software they were selling.
After they had choosen the domain they wanted, we switched the site over and the component as we knew was going to break. We had emailed the control's manufacturer three times over a three month period, and they never replied to us. So now I was stuck with the following choices. Either we buy another license through their channel, replace the control, or find a plan c.
Considering they hadn't responded to any of my emails, I was reluctant to send them any more money. The control was used extensivley in a site that isn't worth the time to replace so that leaves us with plan c.
I have to state that plan c is a temporary fix until they respond to our emails. So I started digging around in the compiled assemblies wondering if there was a way to get around this licensing issue (again as a temporary fix).
What I saw shocked me. First the assembly wasn't obfuscated. Had it been obfuscated, I probally would have given up, as I only wanted to spend 20 minutes on this max. The second thing was that licensing scheme basically makes a call to an external assembly which returns a decrypted string that the caller then used to match against the URL's, or it would match against the host name if the string was properly formated.
Well this was easy to fix. All I had to do was create a new assembly which matched their signature, and return a very simple string. This was the only thing this assembly did.
This is where obfuscating becomes important, it is not fool proof but again nothing is foolproof, if the computer can understand someone somewhere can understand but you want to raise the bar high enough to make it so that it is not worth ones time to break through.
I'm also confused why they shipped this assembly seperate had it been compiled with the rest of their stuff it would have been riskier for me to mess around with it. Lesson learned here is either protect your code a little bit, or at least be competent enough to respond to customers emails.
No comments:
Post a Comment