_Secure functions UDF for your application !

[mafioso]

Hello everybody,

This is my first UDF I am writing for AutoIt.

With this UDF, you can easily embed login security in your application. Just call _SecureLogin and you're done. If you want your application to be REALLY HARD to reverse, use the _SecureCheck function. Now let me explain how does these functions work :

To use _SecureLogin and _SecureCheck function you must have a site. If you really want to use these functions, and you don't have a site, just google 'free web hosting'. This script checks the directory on your site that contains MD5 hashes of the username and password. How the site can contain a MD5 hash ? It's simple. With SecureUserMaker attached in this post, it's easy. Input the wished username, password and attribute, and just upload the file that SecureUserMaker created to your website. You can also add attribute to the user : OK or BAN. OK means that the user can use your application, while BAN is obvious . The user is banned and it won't let that user pass.

So,

_SecureLogin checks the .txt file on the web you specified. The name of the .txt file is MD5 hash of the username. Then it reads the .txt file. If the MD5 hash of the password that the user inputed in application is same as in the .txt file then go on the next step. If the attribute is OK, you can use the application. If the attribute is BAN, the user is banned and application will exit. If _SecureLogin can't find the .txt file with the MD5 hash of the username specified, then it will exit again. Pretty simple.

Now, reverse engineer can actually just "jump" over this login check and start using the application, if you didn't pack your script with some powerful packer, like Themida.

_SecureCheck checks the username and password 'on the fly' without asking the user anything. It will pause the script for a really short time, but that's worth the sacrifice. _SecureCheck requires just one parameter, a previous call to _SecureLogin. Run _SecureCheck more times in the script. That will make reversing a pain-in-the-ass.

Here's an example of how to use it (don't try to run it lol) :

#include <SecureLogin.au3>

$Login = _SecureLogin("http:/website.com/users")

MsgBox (64, "Blah", "wooho")

_SecureCheck ($Login)

MsgBox (64, "Blah", "wo0t")

;===============================================================================
; Function Name:    _Login()
; Description:    Adds login-security to your application (using MD5 hash).
; Syntax:
; Parameter(s):  $webDirectory - The directory on your website which contains .txt files.
;                                The .txt file must contain MD5 hash of the user's password 
;                                and OK/BAN attribute ($MD5PW & @CRLF & $ATTRIBUTE).
;                                Name of the .txt file must be the MD5 hash of username.
;                                Don't add " / " at the end of the web adress.
;
;               $OKMessage - The message that will show up if the username and password are correct
;                $BANMessage - The message that will show up if the user is banned
;                $WRONGMessage - The message that will show up if the user specified wrong username/password
; Requirement(s):
; Return Value(s):  Success = Returns ID and Password in format like this (without quotes) : "username,password"
; Author(s):   mafioso
; Modification(s):
;===============================================================================

;===============================================================================
; Function Name:    _SecurityCheck()
; Description:    Checks if the login is OK. This function is great if you think that someone may
;                   reverse your application. Add this function more times at random lines in your code.
; Syntax:
; Parameter(s):  $Login - Previous call to _Login function
;                $Message - The message that will show if someone tried to reverse your application
;                $BANMessage - The message that will show up if the user is banned
; Requirement(s):
; Return Value(s): 
; Author(s):   mafioso
; Modification(s):
;===============================================================================

Important : Don't add / at the end of the file (WRONG : http:/website.com/users/, CORRECT: : http:/website.com/users)

BTW, credits to Siao for _Crypt_HashData() function.

SecureLogin.au3

SecureUserMaker.au3

Edited June 29, 2008 by mafioso

[malu05]

Well the main problem with all this is that by default any autoit script can be hack decompiled into pure source code.

But something you might also want to do is to store variable data online. So after the login check and everything is ok they will get a little piece of variable data which is needed for the application to function.

[mafioso]

And that's why I recommend to use other packer than UPX. I pack all my applications with Themida, which makes the application 'un-decompilable'.

[malu05]

And that's why I recommend to use other packer than UPX. I pack all my applications with Themida, which makes the application 'un-decompilable'.

That was also why i said "by default".

But putting some variable data online you can make sure that the person would need to have a "working account" before he can start cracking it, and not just a yes/no check where you just need a copy of the client. Even more you could with the PHP script make it return some code that is encrypted with the usernmae / password in some way so the cracker were going to just inject the data into the variables he would have to make sure not too add the raw data recived from the server since that would include his username / password.

There are serval encryption methods that are easy to get up running on both PHP and AutoIt.