Visual Basic Program Protection

MysT_DooM · January 05, 2006, 03:15 PM

ok so i made a little prog that asks for the user to enter a password to use the program. it was very effective for people with no cracking knowledge.

But some people were able to hex the program and figure out the password....
any1 have any ideas how to protect from these types of things or if you can point me in the right direction.

Eric · January 05, 2006, 03:16 PM

Quoteany1 have any ideas how to protect from these types of things

Don't use password-based authentication.

vuther.de · January 05, 2006, 03:20 PM

Did you put the password just in a string and that's it?

MyndFyre · January 05, 2006, 03:35 PM

Quote from: inner. on January 05, 2006, 03:20 PM
Did you put the password just in a string and that's it?

Even that wouldn't be effective (hashing the password, or some other encryption method). At the end of the day, he's going to need multiple layers of protection to be effective, including possibly runtime code modification, encryption, and code verification.

vuther.de · January 05, 2006, 03:37 PM

I didn't mean it to be effective, I was going to say to him if he was doing that then that would be a very inefficent/bad way of doing a Authentication Protection for a program.

MysT_DooM · January 05, 2006, 04:27 PM

Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

Edit: what i was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

Eric · January 05, 2006, 04:47 PM

Quote from: MysT_DooM on January 05, 2006, 04:27 PM
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

Edit: what i was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

That would be just as easy to bypass, if not easier.

MyndFyre · January 05, 2006, 05:07 PM

Quote from: Lord[nK] on January 05, 2006, 04:47 PM
That would be just as easy to bypass, if not easier.

One byte in a hex editor.

Networks · January 05, 2006, 05:13 PM

Quote from: Lord[nK] on January 05, 2006, 04:47 PM
Quote from: MysT_DooM on January 05, 2006, 04:27 PM
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

Edit: what i was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

That would be just as easy to bypass, if not easier.

Give the guy some slack, I highly doubt any leet crackers are THAT interested in his application.

You can do that, use MSINET control or the Winsock control. However lord is correct it's easy to just jump your entire authentication completely, I recently cracked a program like that.

I would think about who ever you're giving this application out to, if they are knowledge people they WILL crack it however if they aren't I wouldn't worry to much then. IT really depends.

Edit:
I wouldn't recommend the online thing since they could hex-edit the URL and direct to their own computer locally and use any password they choose. Try to create an algorithm of some sort similar to serials. Seems harder to crack and can be unique to each user.

Eric · January 05, 2006, 05:13 PM

Quote from: MyndFyre on January 05, 2006, 05:07 PM
Quote from: Lord[nK] on January 05, 2006, 04:47 PM
That would be just as easy to bypass, if not easier.
One byte in a hex editor.

Or a single viewing of a webpage. ;p

Eric · January 05, 2006, 05:14 PM

Quote from: Networks on January 05, 2006, 05:13 PM
Quote from: Lord[nK] on January 05, 2006, 04:47 PM
Quote from: MysT_DooM on January 05, 2006, 04:27 PM
Private Sub Command1_Click()
If Text1.text = "ΨΫαͮds" Then
MsgBox "Key Machine Access Granted"
Form1.Show

Else
MsgBox "Key Machine Access Denied"
Text1.text = ""
End If
Unload Me
End Sub

Edit: what i was thinking was if there could be a way when the user types in the password and hits the command button, it will verify the password with a text file online at some site with the latest password.

That would be just as easy to bypass, if not easier.

Give the guy some slack, I highly doubt any leet crackers are THAT interested in his application.

They were interested enough to "crack" it in the first place.

We're simply trying to make a point: It's difficult to secure an application from even the most novice "crackers". There was an enitre thread concerning this exact topic made just a few months ago. I'd recommend looking it over.

Forged · January 05, 2006, 05:23 PM

This is still easy to crack, just by nopping the entire check, but it might keep out some of the hex kids.

Code Select


Public Function Hash(ByVal Val$)
On Error Resume Next
Dim Q$

If Len(Val) <> 12 Then
    MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
    Form1.txtPass = ""
Else
    Q = Val * 12
    'Form1.txtPass = Q
    ' 1 0 5 1 6 2 5 1 5 8 5 0 2 4
    ' L     L E     L           O
    Q = Replace(Q, "0", "")
    Q = Replace(Q, "1", "L")
    Q = Replace(Q, "2", "")
    Q = Replace(Q, "3", "")
    Q = Replace(Q, "4", "O")
    Q = Replace(Q, "5", "")
    Q = Replace(Q, "6", "E")
    Q = Replace(Q, "7", "")
    Q = Replace(Q, "8", "")
    'Form1.txtPass = Q
        If Len(Q) <> 5 Then
            MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
            Form1.txtPass = ""
        Else
            Q = Replace(Q, "L", 7)
            Q = Replace(Q, "O", 3)
            Q = Replace(Q, "E", 5)
            Q = Q * 3
            'Form1.txtPass = Q
            '2 3 2 7 1 9
            '   K  I L L
            
                If Len(Q) = 6 Then
                    Q = Replace(Q, "2", "")
                    Q = Replace(Q, "3", "k")
                    Q = Replace(Q, "7", "i")
                    Q = Replace(Q, "1", "l")
                    Q = Replace(Q, "9", "L")
                        If Q = "kilL" Then
                            Form2.Show
                        Else
                            MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
                            Form1.txtPass = ""
                        End If
                Else
                    MsgBox "Invalid Password, Try Again", vbExclamation, "Wrong"
                    Form1.txtPass = ""
                End If
        End If
            
            
End If

End Function

Joe[x86] · January 05, 2006, 06:16 PM

May want to post what hashes to kilL.

Forged · January 05, 2006, 07:53 PM

or just look at the source code, doesn't take a rocket scientist.

Tazo · January 05, 2006, 09:27 PM

Use hardware based authorization [Grab info about their system, make it a hex string, check a website for the string].