How would I add an authorization code (something like feanors?) to a bot so that it can't be leaked... (using hex protection :P)
I've used Inet.
It logs onto a site, checks to see if the username and password is valid, if valid = true then let them connect, if value = false then give them an error.
Quote from: Brr on July 04, 2003, 02:34 PM
How would I add an authorization code (something like feanors?) to a bot so that it can't be leaked... (using hex protection :P)
Saying "like X's bot" isn't terribly helpful, since most of us don't want to go run a bot just to see what feature you're talking about. This is especially true if it's a feature to keep random people from running it!
Create a server. Have the bot connect to the server. Encrypt your exe so nobody can really hex edit it and know what they're doing. Do some sort of client-server stuff. IP address, hostnames, mac addressed, usernames, anything really.
A good way to make unhexable inet authorization is to make it into a .ocx and add the .ocx to your project :)
Also, try using active lock. That is another good leak protector.
Quote from: DaRk-FeAnOr on July 04, 2003, 03:37 PM
A good way to make unhexable inet authorization is to make it into a .ocx and add the .ocx to your project :)
Also, try using active lock. That is another good leak protector.
How does that protect it? One could simply hex the ocx...
Camel didn't you have a good way to auth using php and inet?
You could also create a winsock chat server/client type thing that when the program tries to connect, it sends you the username it is running on and the server checks it againts a list at a local directory. They could not hex it out, because they could not recreate the server that you have :)
Quote from: DaRk-FeAnOr on July 04, 2003, 08:31 PM
You could also create a winsock chat server/client type thing that when the program tries to connect, it sends you the username it is running on and the server checks it againts a list at a local directory. They could not hex it out, because they could not recreate the server that you have :)
if (DoAuthCheck() == false)
UnloadAndQuit();
I don't see any need to recreate a server to patch that. The only way your authorization server will be usefull is if it supplies information the client cannot operate without: hashing, decoding, etc.
But that can be hexed out...
That's what I was saying.
Well, if you don't name it, "DoAuthCheck" I doubt it's going to be AS obvious to people to find. If you name it "ConnectToBnet" ... It'll be rarer that they'd find it and hex it out :p
how bout using php or whatever and using an auth server how bout it enters a username and password to log in to pass auth like a pass protected site type thing then they have to pass the name check maybe just a little more secure
Quote from: SNiFFeR on July 04, 2003, 11:32 PM
Well, if you don't name it, "DoAuthCheck" I doubt it's going to be AS obvious to people to find. If you name it "ConnectToBnet" ... It'll be rarer that they'd find it and hex it out :p
That's one of the less informed comments I've seen in a while. Any bot where it would be necessary to "hex out" a feature is a compiled bot (no one in their right mind uses a hex editor when a text editor would do, as it should for any interpreted bot); if the bot was compiled, the author's original names *should* all be gone, providing he didn't leave debug symbols in or go exporting names (both of which are a bad idea if you're trying to make it a pain for people to modify). Therefore, all the attacker will see is a call, a return value test, and some other calls in reaction to the return value.
Nothing is entirely leakproof - there are simply levels beyond which no one with the skills to break the protection considers it worth the effort to break.
Quote from: DaRk-FeAnOr on July 04, 2003, 08:31 PM
You could also create a winsock chat server/client type thing that when the program tries to connect, it sends you the username it is running on and the server checks it againts a list at a local directory. They could not hex it out, because they could not recreate the server that you have :)
That's what I first said in the third reply.
it's really hard to have something thats unhexable in someway. If you make it not worth the persons while though to get around your security measures then you might have a chance. but if someone wants to use it bad enough they will ruin your security measures for sure.
The more information you make it dependent that it pulls from a server encrpyted the more time it will take to break it. But if it's easy enough to duplicate your server that can be done too.
The better suggestion would be do not give out your software then it would be safe. Or give it to only people you trust. Although ive done that and those people you trust become not so trustworthy when they have something no one else has.
If it's worth breaking someone will break it. Weather for fun, to show you how much better they are then you, to make you loose profits, because they got challenged someone somewhere will always be able to break your security measures.
I believe it was stated best in the matrix (not sure if this is exact) the system is based on the rules of a computer. Rules that can be bent and broken.
Camel: the entire internet should just be one big LAN
Camel: that would solve all of the piracy problems :)
Cap'n Hack : heh yea
Camel: and none of this dialup or satelite crap; everyone is hardwrired to one ginormous hub
Camel: that way everyone can get 100mbit+ speeds
Camel: from everyone else
Camel: hrm, forget hubs. switches.
Cap'n Hack : how about..were all plugged into this massive computer program called, oh i dunno 'the matrix' or something..
Nero ~Con~: LIAR