By this I mean retrieving a file off the net, reading its content and matching up a username. If the username does not appear, the application will shut down. I will match the username at the time the bot logs on.
What I'd like to know is:
- How can I make this better?
- How can I stop someone from using reverse engineering techniques and/or hexing?
- What other methods can I use that are possibly better?
http://forum.valhallalegends.com/phpbbs/index.php?topic=9883.0
Thank you for searching before posting.
Just a note since he might not read all that, that is a really poor method of security.
Quote from: Soul Taker on February 10, 2005, 01:23 PM
Just a note since he might not read all that, that is a really poor method of security.
Well, I'd say the average Battle.net bot user would not know how to get around it
Make the program required to be on disc? :-\
I like trust's hard drive serial idea, that is what I used to do.
I'd make a CD key based on the hard drive serial or something and require them to enter it, that way everything is done without contacting a website. Like UserLoser said, the average Battle.net user won't know how to bypass anything.
Which makes connecting to a website just as secure, and requires 100% less work.
Quote from: JoeTheOdd on February 10, 2005, 04:49 PM
Which makes connecting to a website just as secure, and requires 100% less work.
It is less secure because there are SOME people on bnet that might get bored and break the authorization. Also, 100% - 100% = 0%; nothing can take 0 effort/work to do.
Quote from: CrAz3D on February 10, 2005, 01:38 PM
Make the program required to be on disc? :-\
I like trust's hard drive serial idea, that is what I used to do.
You could have the most complex method of generating and verifying a key known to man, but if you have code like this then your program can be cracked in < 5 minutes.
If VerifyKey(key)
    ContinueLoad();
else
    InvalidKey();
Here's an example of the above code in Assembly:
push key
call VerifyKey
add esp, 4
cmp al, 1          ; ZF is set only when VerifyKey returned true
je abc             ; valid key: jump over the failure path
call InvalidKey
ret                ; bail out instead of falling through into ContinueLoad
abc:
call ContinueLoad
Now you could do any number of simple things to crack this. One of them is changing je (jump if equal) to jne (jump if not equal), which will make all invalid keys valid.
Quote from: LoRd[nK] on February 10, 2005, 05:47 PM
Quote from: CrAz3D on February 10, 2005, 01:38 PM
Make the program required to be on disc? :-\
I like trust's hard drive serial idea, that is what I used to do.
You could have the most complex method of generating and verifying a key known to man, but if you have code like this then your program can be cracked in < 5 minutes.
If VerifyKey(key)
    ContinueLoad();
else
    InvalidKey();
Here's an example of the above code in Assembly:
push key
call VerifyKey
add esp, 4
cmp al, 1          ; ZF is set only when VerifyKey returned true
je abc             ; valid key: jump over the failure path
call InvalidKey
ret                ; bail out instead of falling through into ContinueLoad
abc:
call ContinueLoad
Now you could do any number of simple things to crack this. One of them is changing je (jump if equal) to jne (jump if not equal), which will make all invalid keys valid.
Or just make it 0xeb, which solves everything.
Yes, however it only takes one person to know how to bypass something like that to allow the entire bot community to get ahold of it.
Sorry I didn't search but I had to leave my class because the bell rang so I just did it really quick.
Most people who are smart enough to bypass Auths aren't jackasses.
So it's a test of honesty if you make it easy I guess.
Quote from: Warrior on February 10, 2005, 10:47 PM
Most people who are smart enough to bypass Auths aren't jackasses.
So it's a test of honesty if you make it easy I guess.
A test of honesty isn't very good security :P
Yeah, just look at M$ ;)
Quote from: Warrior on February 10, 2005, 10:47 PM
Most people who are smart enough to bypass Auths aren't jackasses.
So it's a test of honesty if you make it easy I guess.
If it was a test of honesty, I would just tell everyone who has it, "Please don't leak it." I am going for more of a forceful approach.
Quote from: Networks on February 11, 2005, 10:46 AM
Quote from: Warrior on February 10, 2005, 10:47 PM
Most people who are smart enough to bypass Auths aren't jackasses.
So it's a test of honesty if you make it easy I guess.
If it was a test of honesty, I would just tell everyone who has it, "Please don't leak it." I am going for more of a forceful approach.
I remember that Fr0z3N (from exile) had created an authentication server thing that checked a username/password and HD serial, I think. He ran the auth server on his computer and it was encrypted; how, I don't remember.
Changing the hosts file fixes that. You can run your own server that returns a positive result, or just alter the JE/JNE/JZ/JNZ/JMP locations anyway.
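As an added example (not code from anyone in this thread), this shows the difference between trusting a bare yes/no from whatever host the bot's lookup resolves to, as the original scheme does, and requiring the server to authenticate its answer: the reply carries an HMAC over the username, a client-chosen nonce and the verdict, so a redirected "always yes" server without the key fails the check and an old genuine reply cannot be replayed. The names genuine_server, spoofed_server and client_check, the key and the user list are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed for this example. In a real deployment this key lives only on the
# auth server; a shared secret shipped inside the bot can be extracted, so if the
# client must verify, a public-key signature is the better choice.
SERVER_KEY = b"example-server-key-not-for-real-use"

ALLOWED_USERS = {"Networks", "UserLoser"}  # constructed allow-list


def _mac(key: bytes, username: str, nonce: bytes, allowed: bool) -> bytes:
    """HMAC binding the verdict to this username and this client nonce."""
    msg = username.encode() + b"\x00" + nonce + b"\x00" + (b"1" if allowed else b"0")
    return hmac.new(key, msg, hashlib.sha256).digest()


def genuine_server(username: str, nonce: bytes) -> tuple[bool, bytes]:
    """The real auth server: answers and authenticates its answer."""
    allowed = username in ALLOWED_USERS
    return allowed, _mac(SERVER_KEY, username, nonce, allowed)


def spoofed_server(username: str, nonce: bytes) -> tuple[bool, bytes]:
    """What a hosts-file redirect lands on: always says yes, has no key."""
    return True, _mac(b"guess", username, nonce, True)


def client_check(server, username: str, key: bytes = SERVER_KEY) -> bool:
    """Accept a verdict only if its MAC verifies for the nonce we just chose."""
    nonce = secrets.token_bytes(16)          # fresh per query: defeats replay
    allowed, tag = server(username, nonce)
    expected = _mac(key, username, nonce, allowed)
    if not hmac.compare_digest(tag, expected):
        return False                          # forged or tampered reply
    return allowed
```

Note that the final `if` in client_check is still the single je/jne decision point described above, so this only closes the fake-server route, not patching of the bot itself.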
I'm speaking more of the people who actually know how to bypass it and them not leaking it out, not users in general.