
Visual Basic Program Protection

Started by MysT_DooM, January 05, 2006, 03:15 PM


MysT_DooM

OK, so I made a little prog that asks the user to enter a password to use the program. It was very effective for people with no cracking knowledge.

But some people were able to hex the program and figure out the password....
Anyone have any ideas how to protect from these types of things, or can you point me in the right direction?


vb6, something about that combination of numbers and letters is sexy

Eric

#1
Quote: any1 have any ideas how to protect from these types of things

Don't use password-based authentication.

vuther.de

Did you put the password just in a string and that's it?

MyndFyre

Quote from: inner. on January 05, 2006, 03:20 PM
Did you put the password just in a string and that's it?

Even that wouldn't be effective (hashing the password, or some other encryption method).  At the end of the day, he's going to need multiple layers of protection to be effective, including possibly runtime code modification, encryption, and code verification.
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

vuther.de

I didn't mean it to be effective; I was going to say to him that if he was doing that, then that would be a very inefficient/bad way of doing an Authentication Protection for a program.

MysT_DooM

#5
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

:(

Edit: what I was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.


vb6, something about that combination of numbers and letters is sexy
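The literal comparison posted above next to the hashed variant mentioned earlier in the thread, as an added example that is not code from any poster. The password, salt and "image" bytes are constructed samples, and the helper names are hypothetical. VB6 keeps string literals as UTF-16LE, which is why the scan looks for that encoding.

```python
import hashlib
import hmac
import re

# Constructed sample values; none of them come from the thread.
PASSWORD = "hunter2-demo"
SALT = bytes.fromhex("a3f1c29b7d5e4406")
ITERATIONS = 100_000


def derive(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 digest of the password under the fixed salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


def build_image(secret: bytes) -> bytes:
    """Constructed stand-in for a compiled EXE: filler bytes around two embedded values."""
    denied = "Key Machine Access Denied".encode("utf-16-le")
    return b"\x90\x01\xff" * 8 + denied + b"\x00\x00\x8b\xff" + secret + b"\x00\x00\xc3\xfe"


def utf16_strings(image: bytes, min_len: int = 6) -> list:
    """Return printable UTF-16LE runs, the way a strings tool or hex editor shows them."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(image)]


def check(candidate: str, stored_digest: bytes) -> bool:
    """Constant-time comparison against the stored digest; no plaintext is kept."""
    return hmac.compare_digest(derive(candidate), stored_digest)


# Variant A: the password literal sits in the image, as in the posted Command1_Click.
literal_image = build_image(PASSWORD.encode("utf-16-le"))
# Variant B: only the derived digest is embedded.
STORED = derive(PASSWORD)
hashed_image = build_image(STORED)

if __name__ == "__main__":
    print("literal build:", utf16_strings(literal_image))
    print("hashed build: ", utf16_strings(hashed_image))
    print("correct password accepted:", check(PASSWORD, STORED))
```

Hashing only keeps the password from being read out of the file; as the replies in this thread point out, the comparison branch itself is still under the user's control.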

Eric

Quote from: MysT_DooM on January 05, 2006, 04:27 PM
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

:(

Edit: what I was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

That would be just as easy to bypass, if not easier.

MyndFyre

Quote from: Lord[nK] on January 05, 2006, 04:47 PM
That would be just as easy to bypass, if not easier.
One byte in a hex editor.

Networks

#8
Quote from: Lord[nK] on January 05, 2006, 04:47 PM
Quote from: MysT_DooM on January 05, 2006, 04:27 PM
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

:(

Edit: what I was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

That would be just as easy to bypass, if not easier.

Give the guy some slack, I highly doubt any leet crackers are THAT interested in his application.

You can do that; use the MSINET control or the Winsock control. However, Lord is correct: it's easy to just jump your entire authentication completely. I recently cracked a program like that.

I would think about whoever you're giving this application out to. If they are knowledgeable people they WILL crack it; however, if they aren't, I wouldn't worry too much then. It really depends.

Edit:
I wouldn't recommend the online thing since they could hex-edit the URL and direct to their own computer locally and use any password they choose. Try to create an algorithm of some sort similar to serials. Seems harder to crack and can be unique to each user.

Eric

Quote from: MyndFyre on January 05, 2006, 05:07 PM
Quote from: Lord[nK] on January 05, 2006, 04:47 PM
That would be just as easy to bypass, if not easier.
One byte in a hex editor.

Or a single viewing of a webpage. ;p

Eric

#10
Quote from: Networks on January 05, 2006, 05:13 PM
Quote from: Lord[nK] on January 05, 2006, 04:47 PM
Quote from: MysT_DooM on January 05, 2006, 04:27 PM
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

:(

Edit: what I was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

That would be just as easy to bypass, if not easier.

Give the guy some slack, I highly doubt any leet crackers are THAT interested in his application.

They were interested enough to "crack" it in the first place.

We're simply trying to make a point: It's difficult to secure an application from even the most novice "crackers".  There was an entire thread concerning this exact topic made just a few months ago.  I'd recommend looking it over.

Forged

This is still easy to crack, just by nopping the entire check, but it might keep out some of the hex kids.

Public Function Hash(ByVal Val$)
On Error Resume Next
Dim Q$

If Len(Val) <> 12 Then
    MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
    Form1.txtPass = ""
Else
    Q = Val * 12
    'Form1.txtPass = Q
    ' 1 0 5 1 6 2 5 1 5 8 5 0 2 4
    ' L     L E     L           O
    Q = Replace(Q, "0", "")
    Q = Replace(Q, "1", "L")
    Q = Replace(Q, "2", "")
    Q = Replace(Q, "3", "")
    Q = Replace(Q, "4", "O")
    Q = Replace(Q, "5", "")
    Q = Replace(Q, "6", "E")
    Q = Replace(Q, "7", "")
    Q = Replace(Q, "8", "")
    'Form1.txtPass = Q
        If Len(Q) <> 5 Then
            MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
            Form1.txtPass = ""
        Else
            Q = Replace(Q, "L", 7)
            Q = Replace(Q, "O", 3)
            Q = Replace(Q, "E", 5)
            Q = Q * 3
            'Form1.txtPass = Q
            '2 3 2 7 1 9
            '   K  I L L
           
                If Len(Q) = 6 Then
                    Q = Replace(Q, "2", "")
                    Q = Replace(Q, "3", "k")
                    Q = Replace(Q, "7", "i")
                    Q = Replace(Q, "1", "l")
                    Q = Replace(Q, "9", "L")
                        If Q = "kilL" Then
                            Form2.Show
                        Else
                            MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
                            Form1.txtPass = ""
                        End If
                Else
                    MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
                    Form1.txtPass = ""
                End If
        End If
           
           
End If

End Function
Quote: I wish my grass was Goth so it would cut itself

Joe[x86]

May want to post what hashes to kilL.
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

Forged

Or just look at the source code, doesn't take a rocket scientist.

Tazo

Use hardware based authorization [Grab info about their system, make it a hex string, check a website for the string].