• Welcome to Valhalla Legends Archive.
 

Add authorization to bot

Started by Brr, July 04, 2003, 02:34 PM

Previous topic - Next topic

Brr

How would I add an authorization code (something like feanors?) to a bot so that it can't be leaked... (using hex protection :P)

SNiFFeR

#1
I've used Inet.

It logs onto a site, checks to see if the username and password is valid, if valid = true then let them connect, if value = false then give them an error.

Kp

Quote from: Brr on July 04, 2003, 02:34 PM
How would I add an authorization code (something like feanors?) to a bot so that it can't be leaked... (using hex protection :P)
Saying "like X's bot" isn't terribly helpful, since most of us don't want to go run a bot just to see what feature you're talking about.  This is especially true if it's a feature to keep random people from running it!
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

UserLoser

Create a server.  Have the bot connect to the server.  Encrypt your exe so nobody can really hex edit it and know what they're doing.  Do some sort of client-server stuff.  IP address, hostnames, mac addressed, usernames, anything really.

Dark-Feanor

A good way to make unhexable inet authorization is to make it into a .ocx and add the .ocx to your project :)
Also, try using active lock. That is another good leak protector.
- Feanor[xL]
clan exile
Firebot
iago: "caps lock is like cruise control for cool"

Camel

Quote from: DaRk-FeAnOr on July 04, 2003, 03:37 PM
A good way to make unhexable inet authorization is to make it into a .ocx and add the .ocx to your project :)
Also, try using active lock. That is another good leak protector.
How does that protect it? One could simply hex the ocx...

SNiFFeR

#6
Camel didn't you have a good way to auth using php and inet?

Dark-Feanor

#7
You could also create a winsock chat server/client type thing that when the program tries to connect, it sends you the username it is running on and the server checks it againts a list at a local directory. They could not hex it out, because they could not recreate the server that you have :)
- Feanor[xL]
clan exile
Firebot
iago: "caps lock is like cruise control for cool"

K

Quote from: DaRk-FeAnOr on July 04, 2003, 08:31 PM
You could also create a winsock chat server/client type thing that when the program tries to connect, it sends you the username it is running on and the server checks it againts a list at a local directory. They could not hex it out, because they could not recreate the server that you have :)


if (DoAuthCheck() == false)
  UnloadAndQuit();


I don't see any need to recreate a server to patch that.  The only way your authorization server will be usefull is if it supplies information the client cannot operate without: hashing, decoding, etc.

Dark-Feanor

But that can be hexed out...
- Feanor[xL]
clan exile
Firebot
iago: "caps lock is like cruise control for cool"

K


SNiFFeR

Well, if you don't name it, "DoAuthCheck" I doubt it's going to be AS obvious to people to find. If you name it "ConnectToBnet" ... It'll be rarer that they'd find it and hex it out :p

RhiNo

how bout using php or whatever and using an auth server how bout it enters a username and password to log in to pass auth like a pass protected site type thing then they have to pass the name check maybe just a little more secure

Kp

Quote from: SNiFFeR on July 04, 2003, 11:32 PM
Well, if you don't name it, "DoAuthCheck" I doubt it's going to be AS obvious to people to find. If you name it "ConnectToBnet" ... It'll be rarer that they'd find it and hex it out :p
That's one of the less informed comments I've seen in a while.  Any bot where it would be necessary to "hex out" a feature is a compiled bot (no one in their right mind uses a hex editor when a text editor would do, as it should for any interpreted bot); if the bot was compiled, the author's original names *should* all be gone, providing he didn't leave debug symbols in or go exporting names (both of which are a bad idea if you're trying to make it a pain for people to modify).  Therefore, all the attacker will see is a call, a return value test, and some other calls in reaction to the return value.

Nothing is entirely leakproof - there are simply levels beyond which no one with the skills to break the protection considers it worth the effort to break.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

UserLoser

Quote from: DaRk-FeAnOr on July 04, 2003, 08:31 PM
You could also create a winsock chat server/client type thing that when the program tries to connect, it sends you the username it is running on and the server checks it againts a list at a local directory. They could not hex it out, because they could not recreate the server that you have :)
That's what I first said in the third reply.