Token System

JimmyBeam

Hello,

I thought about a token system which allows you to secure your program.

For example, you have a program that has some _INetGetSource() functions. Now someone can decompile the script and use the functions outside of the program.

What if you write a .dll in C or C++ that does the same as _INetGetSource?

You pass the dll some parameters with AutoIt, do an MD5 hash with a salt and use this as a key.

The dll sends this key to a php which checks if the key is right or wrong.

It would be more secure and you can be 99% sure that they can only use your program.

What do you think about it? I cannot test it because I don't know how to write this in C or C++.

Maybe there is a way to do the same in AutoIt.

martin

You don't need a dll if you use a web site. The user gives their user name and password, the AutoIt script sends the function to call, the parameters, the user name and password. If the password is correct the server returns the output of the function.

The way you describe it sounds like the key is generated by the dll and it is always going to be correct, so what's it for?


Serial port communications UDF: Includes functions for binary transmission and reception. Printing UDF: Useful for graphs, forms, labels, reports etc. Add User Call Tips to SciTE for functions in UDFs not included with AutoIt and for your own scripts. Functions with parameters in OnEvent mode and for Hot Keys: One function replaces GuiSetOnEvent, GuiCtrlSetOnEvent and HotKeySet. UDF IsConnected2 for notification of status of connected state of many urls or IPs, without slowing the script.

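Added example, not part of any post in this thread: a Python stand-in for the PHP check, contrasting the salted-MD5 key proposed above (identical for identical parameters, so one captured value keeps verifying) with the per-user password check martin describes. The server-issued one-time nonce and HMAC-SHA256 are assumptions of this example, and every name, the salt and the password are constructed.

```python
import hashlib
import hmac
import secrets

SHARED_SALT = b"constructed-salt"           # constructed; one copy ships in every DLL
USERS = {"alice": b"constructed-password"}  # constructed per-user secrets, server side
_issued = {}                                # user -> outstanding one-time nonce

def static_token(params: str) -> str:
    """The proposed key: MD5 over salt + parameters, computed on the client."""
    return hashlib.md5(SHARED_SALT + params.encode()).hexdigest()

def server_check_static(params: str, token: str) -> bool:
    # The server can only recompute the same value, so any copy of it verifies.
    return hmac.compare_digest(static_token(params), token)

def issue_nonce(user: str) -> str:
    """Server hands out a fresh random value before each request."""
    _issued[user] = secrets.token_hex(16)
    return _issued[user]

def sign_request(user_secret: bytes, nonce: str, params: str) -> str:
    """Client side: MAC over nonce and parameters, keyed with the user's secret."""
    msg = f"{nonce}|{params}".encode()
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()

def server_check_nonce(user: str, params: str, mac: str) -> bool:
    nonce = _issued.pop(user, None)  # consumed on first use, valid or not
    secret = USERS.get(user)
    if nonce is None or secret is None:
        return False
    return hmac.compare_digest(sign_request(secret, nonce, params), mac)

def demo():
    params = "user=alice&siteid=7"
    captured = static_token(params)
    # Same key every time: three replays of one captured value all pass.
    static_replays = [server_check_static(params, captured) for _ in range(3)]
    nonce = issue_nonce("alice")
    mac = sign_request(USERS["alice"], nonce, params)
    first = server_check_nonce("alice", params, mac)   # fresh nonce: accepted
    replay = server_check_nonce("alice", params, mac)  # nonce already used: rejected
    return static_replays, first, replay

if __name__ == "__main__":
    print(demo())
```

This authenticates the user and rejects replayed or altered requests; it does not stop that user from sending requests without the program.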
JimmyBeam

With _INetGetSource you send the username and password to the php. So it's HTTP_GET.

Everything you send can also be sent with a browser. When someone decompiles the AutoIt program he can get the URL and the parameters. So it's possible that the user doesn't need the program because he has the URL.

When there is a .dll you send parameters to, the dll can salt and hash the parameters to a key and send it via HTTP_POST to the php. Don't forget to obfuscate the dll code. So it's hard for someone to get the salt to generate the key and fake the HTTP_POST.

martin

You would need to include in the encrypted data something to identify the PC so that copying the code onto another PC wouldn't work, otherwise you haven't protected it.

Hiding the url is not so easy as using a dll; Wireshark for example will tell you straight away what url is being used.

JimmyBeam

I've created a surfbar which I want to release. Everything works fine but I thought about the credit system.

I don't want to hide a URL. I just want to create a key that is not easy to manipulate. When I call the php's with INetGetSource I have to send things like username and siteid. So it will be possible that someone takes the URLs to the php's and calls them with the parameters.

So I have to create a dll which cannot be decompiled as easily as an AutoIt .exe, because everything you write in AutoIt can be manipulated.

Unsigned

DLLs can be disassembled. And even a web server check can be redirected through a quick HOSTS edit and a server on localhost (such as XAMPP).


.

Share this post


Link to post
Share on other sites
martin

> I've created a surfbar which I want to release. Everything works fine but I thought about the credit system.
>
> I don't want to hide a URL. I just want to create a key that is not easy to manipulate. When I call the php's with INetGetSource I have to send things like username and siteid. So it will be possible that someone takes the URLs to the php's and calls them with the parameters.
>
> So I have to create a dll which cannot be decompiled as easily as an AutoIt .exe, because everything you write in AutoIt can be manipulated.

This is the bit that loses me. You use a dll so that if someone decompiles the AutoIt script they still can't see what the dll does. But they can see how the AutoIt script calls the dll. So either they can use the dll with a modified script or, if they can't, the question is why use AutoIt at all? Maybe your explanation isn't clear enough for me.

JimmyBeam

> So either they can use the dll with a modified script or, if they can't, the question is why use AutoIt at all? Maybe your explanation isn't clear enough for me.

I would let the .dll check the checksum of the .exe so it's not possible to manipulate the script; otherwise the token would not work.

Too bad I can only write such a program in AutoIt but not in C# or C++.

Unsigned

> I would let the .dll check the checksum of the .exe so it's not possible to manipulate the script; otherwise the token would not work.

Hex editor. Replace DLL checksum. Or NOP out the check routine entirely.

JimmyBeam

> Hex editor. Replace DLL checksum. Or NOP out the check routine entirely.

Okay, I don't know that this is possible. Is there a way to secure the surfbar so that nobody can cheat the credit system?

I wrote some checks with PHP, but it's possible to get credits without viewing the sites.
