Security Theory Help

Drew

Alright so this is what I'm trying to do. I have created a program for a community that I moderate and need to ensure that ONLY those I entrust with it may use it.

Here's my idea:

Each program distributed will be custom to the one that it was given to. And for each program given out, there will be a .txt or .ini file on my server with a security key and possibly a way I can deny its use.

What my problem is...

I need help working the bugs out of this idea, closing any potential loopholes, and overall a second brain on the matter.

At startup - the program should use INetGet and download the file, read it and ensure that the user is permitted to run the program. If not, close and delete itself (if possible).

But I need a way that users can't just send it to each other, or share keys.

Anyone have any ideas?

EDIT:

Note: I'm hoping to make this in a way where I can revoke access to the program if the reason exists.

Edited by Drew

furrycow

I mean I am 100% sure there are better ways out there to do this, but you could get their MAC address, because each network card in any computer has a different MAC address, so if you were to match the address at startup of the program with the one on your server then the program would be allowed to run.


Melba23

Drew,

Have you seen this from Valuater? Might be the solution - or give you a few ideas.

M23


cherdeg

You could do it like this:

1) Let the user DL a generic "Compatibility-Checker" that "prepares" his system :)

2) This tool collects the volume serial number of the user's C: drive (WMI) and writes it to a db on your webserver

3) You use the number and compile it hard-coded into the actual program

4) The actual program checks the volume serial number on each start and runs...or not.

You could automate the whole thing by e.g. running a "Daemon" / "Server" on your Host checking for new entries in the file containing the volume serial numbers every ten secs or so, modifying your source code with the new number, starting a compile by command line and moving the resulting executable to a certain DL-location. The "Daemon" tells the "Compatibility-Checker" (which would be more of an "Internet-Installer" in this case) about this location and the Client downloads the file and installs it to the location given by the user. You could make a nice progress bar to appease and distract the user for the time.

A self-deletion could be done with this function:

; Function _SuiCide to delete the script from the local machine
; ==============================================================================================
Func _SuiCide()
    Local $SC_File = @TempDir & "\suicide.bat"
    FileDelete($SC_File)
    ; Batch file: retry deleting the script until it is gone, then delete the batch file itself.
    ; A batch label is written ":loop"; the ping to a non-existent host is used as a short delay.
    Local $SC_batch = ':loop' & @CRLF & 'del "' & @ScriptFullPath & '"' & @CRLF & _
            'ping -n 1 -w 250 zxywqxz_q' & @CRLF & 'if exist "' & @ScriptFullPath & _
            '" goto loop' & @CRLF & 'del suicide.bat' & @CRLF

    FileWrite($SC_File, $SC_batch)
    ; The original also reset a custom wait cursor here (_SetSystemCursor($h_WaitCur, $OCR_NORMAL));
    ; that helper and its variables belong to the poster's larger script and are left out.
    Run($SC_File, @TempDir, @SW_HIDE)
    Exit
EndFunc   ;==>_SuiCide

Regards,

Chris

Drew

How would I get the computer's MAC address, or another form of unique identification?

Inverted

No one is going to give you their MAC address, forget about that.

I have a better idea.

Put a little watermark in every file you give out. I mean use a hex-editor to put a few bytes in a non-essential area of each executable. And keep a record of who got which file. Then if it's leaked, you'll have proof of who is the lamer. You can use PECompact to compress the compiled AutoIt script (don't use the UPX compressor in this case), it includes a watermark utility to automate the process. Also, PECompact has a free trial version.

Also, put a RAR password on the file for deception (more than 9 characters).

Prab

Not sure about MAC address, but DriveGetSerial( "c:\" ) works pretty well.

My logic would be:

Local program gets serial number

Local program encrypts serial number

Local program sends encrypted serial number to server

Server decrypts serial number

Server responds "Valid" or "Invalid" and a time stamp (Both encrypted)

Program decrypts message and time stamp. (Time stamp prevents replay attack)

Program reacts accordingly

You may want to look at this thread for client/server communication. http://www.autoitscript.com/forum/index.php?showtopic=74325

Edit: Fixed a small bug in my logic

Edited by Prab
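
The exchange Prab outlines, as an added example that is not part of the original thread and is written in Python rather than AutoIt so both sides fit in one file. It assumes a per-copy shared key and authenticates the server's answer with HMAC-SHA256 instead of encrypting it; the client nonce is an addition to the time stamp, and all names, keys and serials are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: per-copy keys and the server-side licence table.
COPY_KEYS = {"copy-001": b"constructed-demo-key-001"}
LICENCES = {"copy-001": {"serial": "1A2B3C4D", "revoked": False}}
MAX_AGE = 30  # seconds a response stays acceptable


def _mac(key, *fields):
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (x.encode() for x in fields))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_nonce():
    # Fresh random value per start-up; ties the answer to this one request.
    return secrets.token_hex(16)


def server_check(copy_id, serial, nonce, now=None):
    """Server side: look the copy up and return an authenticated verdict."""
    now = int(time.time() if now is None else now)
    lic = LICENCES.get(copy_id)
    ok = bool(lic) and not lic["revoked"] and hmac.compare_digest(lic["serial"], serial)
    verdict = "Valid" if ok else "Invalid"
    key = COPY_KEYS.get(copy_id, b"\x00" * 32)  # unknown copies always get "Invalid"
    return {"verdict": verdict, "ts": now,
            "mac": _mac(key, copy_id, serial, nonce, verdict, str(now))}


def client_accepts(copy_id, key, serial, nonce, resp, now=None):
    """Client side: run only on a fresh, authentic 'Valid' bound to our nonce."""
    now = int(time.time() if now is None else now)
    expected = _mac(key, copy_id, serial, nonce, resp["verdict"], str(resp["ts"]))
    if not hmac.compare_digest(expected, resp["mac"]):
        return False  # altered, forged, or an answer to a different request
    if abs(now - resp["ts"]) > MAX_AGE:
        return False  # stale: a recorded answer presented later
    return resp["verdict"] == "Valid"
```

Revocation is a server-side flag flip in the licence table; a "Valid" answer recorded before the flip no longer verifies because the client's next nonce differs. The key shipped inside each copy is only as secret as the executable that carries it.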

jvanegmond

The only solution that doesn't rely on computer hardware is making the users authenticate with a login and/or password. You could then check how many IP addresses use the login and password, so you could stop any accounts that are being used by several people.
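
One way to run the IP-count check suggested above over a login log, as an added example that is not part of the original thread. The log format, the one-hour window and the threshold of two addresses are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict, deque

# Constructed sample login log: (unix_time, account, source_ip)
SAMPLE_LOGINS = [
    (1000, "alice", "198.51.100.7"),
    (1300, "bob", "203.0.113.5"),
    (1600, "alice", "198.51.100.7"),
    (2000, "bob", "192.0.2.44"),
    (2500, "bob", "198.51.100.90"),
    (9000, "alice", "192.0.2.10"),
]


def shared_accounts(logins, window=3600, max_ips=2):
    """Return {account: [ips]} for accounts seen from more than
    max_ips distinct addresses within any span of `window` seconds."""
    recent = defaultdict(deque)  # account -> logins still inside the window
    flagged = {}
    for ts, account, ip in sorted(logins):
        q = recent[account]
        q.append((ts, ip))
        # Drop logins that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) > max_ips and account not in flagged:
            flagged[account] = sorted(ips)
    return flagged
```

An address change alone (mobile network, VPN, new ISP lease) is normal, which is why the check counts distinct addresses inside a short window and reports them for review instead of blocking on the first change.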
