Server Authentication to Strengthen Software Protection

Started by Sean1337, October 24, 2009, 06:33:47 AM

Sean1337

Hi everyone,

I was wondering whether there were any resources/tutorials that I could read that would assist me with server authentication.

Specifically, I would like something basic that does something like the following:

- Obtains a user's hardware ID
- Communicates with an FTP server where a txt file (e.g. 123.txt) is stored
- Compares hardware ID that was obtained when application was run with user's hardware ID that is stored on the server
- If comparison is valid, let program continue, otherwise exit process

So yea I'm just trying to get into some of the more advanced ways of protecting your program from mischievous individuals.

If anyone could assist me with implementing a server authentication algorithm (written in MASM32) into my code, I would greatly appreciate it.

Thanks,
-Sean

sinsi

> Obtains a users hardware ID
That is the problem - how? The other parts are trivial.
Light travels faster than sound, that's why some people seem bright until you hear them.

jj2007

Perhaps you might be able to construct some kind of checksum from various client side variables as shown here?

BlackVortex

Quote from: Sean1337 on October 24, 2009, 06:33:47 AM
> - If comparison is valid, let program continue, otherwise exit process
So if they are the same, it will continue? Well, so the cracker patches the check and that's the end of that.

ecube

You can use the user's IP and map it to country etc. too... If people from another country/region, whatever, start trying to access your server with this person's hardware ID then that means they leaked it, or it got hacked somehow, and you can either disable that particular ID's access or just try and filter out any not from the original region, and inform the user of it. Also stress ahead of time it's important for the user to keep his unique ID private.

1) This avoids problems with users with dynamic IP changes
2) This makes crackers' ability to bypass 0
3) It allows your customers to upgrade their hardware without issues
4) It's simple

Can also have a little thing where customers register, and can log in to your site and update what city they're in, if they travel a lot or moved.

BlackVortex

If the code is working as is, then the cracker can totally bypass the whole online check and just continue normally. How naive you are  :P

Slugsnack

FtpOpenFile() and FtpGetFile() will help you for FTP communication

For ID comparison, if you don't want to do a simple string compare you could hash the reply sent by server and then hash the ID returned by your proggie and see if they match, not sure how much point there is in doing that though

The last step is of course, trivial

drizz

Writing software in asm is like supplying source code with it.

File on FTP? Are you serious?

My real questions are:
Is this software even finished? Is it popular/You are seeing it warezed?
If your concern is protecting it before even finishing then good luck with your business.
The truth cannot be learned ... it can only be recognized.

ecube

Quote from: Slugsnack on October 24, 2009, 11:12:56 AM
> FtpOpenFile() and FtpGetFile() will help you for FTP communication
>
> For ID comparison, if you don't want to do a simple string compare you could hash the reply sent by server and then hash the ID returned by your proggie and see if they match, not sure how much point there is in doing that though
>
> The last step is of course, trivial

It's never good to keep passwords and anything that you're able to hash as plaintext on a server in case it gets compromised, that way the damage is minimum. I also recommend you salt your hashes (generate a random word ahead of time and append to all strings you want to hash, this makes brute forcing extremely difficult/impossible if the attacker doesn't know your salt)

evlncrn8

Quote from: E^cube on October 24, 2009, 09:47:02 AM
> You can use the user's IP and map it to country etc. too... If people from another country/region, whatever, start trying to access your server with this person's hardware ID then that means they leaked it, or it got hacked somehow, and you can either disable that particular ID's access or just try and filter out any not from the original region, and inform the user of it. Also stress ahead of time it's important for the user to keep his unique ID private.

So if I'm a business person, and I buy your software, and go on a business trip and use my laptop on some different inet connection in a different country, then it's leaked?

You clearly have 0 idea ..

What if I use a proxy? What if I run the software on multiple machines.. all of which are mine.. which have a license?

If you're going to do anything with server based protection, have the server send some code down to the client each time containing other data which can be retrieved if a crack is made
such as encrypted data containing the customer name which is in resource in the exe, updated at runtime etc..


ecube

Quote from: evlncrn8 on October 24, 2009, 03:43:31 PM
> Quote from: E^cube on October 24, 2009, 09:47:02 AM
> > You can use the user's IP and map it to country etc. too... If people from another country/region, whatever, start trying to access your server with this person's hardware ID then that means they leaked it, or it got hacked somehow, and you can either disable that particular ID's access or just try and filter out any not from the original region, and inform the user of it. Also stress ahead of time it's important for the user to keep his unique ID private.
>
> So if I'm a business person, and I buy your software, and go on a business trip and use my laptop on some different inet connection in a different country, then it's leaked?
>
> You clearly have 0 idea ..
>
> What if I use a proxy? What if I run the software on multiple machines.. all of which are mine.. which have a license?
>
> If you're going to do anything with server based protection, have the server send some code down to the client each time containing other data which can be retrieved if a crack is made
> such as encrypted data containing the customer name which is in resource in the exe, updated at runtime etc..

No sir, YOU clearly not only have no idea, but are unable to read and comprehend correctly.

Quote from: E^cube on October 24, 2009, 09:47:02 AM
> Can also have a little thing where customers register, and can log in to your site and update what city they're in, if they travel a lot or have moved.

And a proxy wouldn't be easy, as you can resolve IPs down to region/city as I mentioned before, so they'd have to have one that's real specific. Not to mention it's not hard to filter out common proxies, which would shut down the majority of malicious users' attempts.
As far as multiple machines, that doesn't pose a problem in the protection scheme I'm talking about?

Also your suggestion about client side whatever alone, COMPLETELY_FAILS. As it gives the user the power, they could reverse it top to bottom, and you're defeated. There's a common saying among PHP database coders, "never trust client input", and this couldn't be more true here.

Sean1337

Guys...the example I put up obviously is weak as hell. Easily crackable. I'm just looking for code as a STARTING POINT.

I just want to see how I could do something basic like that =.=.

hutch--

The magic words are "dynamic" and "ever changing" when it comes to security methods. It's starting to enter OS design as things like random stack addressing for each app started, something the MAC Snow Leopard missed out on but apparently late Windows includes. Internet verification is fundamentally leaky as someone can get a look at it in transmission but you have a lot of options in terms of ports to use, data formats to transfer and combinations to use but nothing much beats building the client's personal data into the application and making it trackable on the internet.

You go for the dynamic approach because usually someone can find a way around a single static method but if it only works once and they have to do it again and again, it becomes another story. If you know what can be fiddled at the use APP end you can adjust the server authentication end to make it more difficult.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

NervGaz

As for generating hardware IDs the easiest solution is grabbing hardware info
from the registry and devices and using any hashing algorithm to generate a string
that will be unique to that specific hardware setup.
Obviously at least one totally unique piece of information is needed, say for instance
the MAC address of the NIC. From there on it's all pretty much straightforward.

1. The app connects to the server and sends the string.
2. The server compares it and replies with OK/BAD
3. App does what it does.

Like you said this is easily crackable unless further security checks are added, but that
would be my starting point. Adding strong crypto based on a high level crypto library
such as having parts of code encrypted and requiring a public key that is never stored
on the client PC for instance. This can be circumvented to release leaked versions that
are decrypted and dumped, but it requires a license to start with. The reason I say
using a crypto based on a high level library is that you don't have to worry about making
your implementation safe from side-channel attacks and such. Again probably not
something that is that important in software protection but it should be considered best
practice when implementing any crypto unless you're a cryptographer and know exactly
how to safely implement crypto.

One of the few software protection schemes that has come out more or less uncracked
since ever is even simpler. If you look at Datarescue/HexRays IDA Pro, it's compiled for
every customer and watermarked by having pieces of code moved around and the key
used to check that it's the right executable compared to the key. At least that's the way
I understood the protection scheme in it. I say simpler, and it is in theory. However I'm
pretty sure it's a lot more work to implement.

Obviously this isn't what you're looking for but I just thought I'd throw it in the mix as
something to consider for at least combining with server authentication. Anyway feel
free to ignore my ramblings I need a lot more caffeine before I start making any real sense.
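
The three-step exchange from NervGaz's post, combined with the salted server-side storage ecube recommends, as an added Python example that is not code from any poster in this thread. It goes slightly beyond the posts by using a fresh random salt per record with PBKDF2 and a constant-time compare. Assumptions: the attribute names, the `LIC-0001` license ID, the `LicenseServer` class and the iteration count are all hypothetical, and a direct method call stands in for the network transport.

```python
import hashlib
import hmac
import secrets


def hardware_id(attrs):
    """Client side: hash a canonical encoding of the hardware attributes."""
    h = hashlib.sha256()
    for key in sorted(attrs):  # sorted, so collection order does not matter
        for part in (key, attrs[key].strip().lower()):
            data = part.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))  # length prefix: unambiguous fields
            h.update(data)
    return h.hexdigest()


class LicenseServer:
    """Server side (hypothetical): stores (salt, salted hash), never the raw ID."""

    def __init__(self):
        self.records = {}

    @staticmethod
    def _digest(salt, hwid):
        return hashlib.pbkdf2_hmac("sha256", hwid.encode("utf-8"), salt, 100_000)

    def enroll(self, license_id, hwid):
        salt = secrets.token_bytes(16)  # fresh random salt for every record
        self.records[license_id] = (salt, self._digest(salt, hwid))

    def check(self, license_id, hwid):
        # Unknown licenses get a dummy record so they cost the same work.
        salt, stored = self.records.get(license_id, (b"\x00" * 16, b""))
        candidate = self._digest(salt, hwid)
        return "OK" if hmac.compare_digest(candidate, stored) else "BAD"


# Constructed sample values, not taken from any real machine.
PC = {"mac": "00-1A-2B-3C-4D-5E", "volume_serial": "A1B2-C3D4", "cpu": "SampleCPU 2.4GHz"}
OTHER_PC = dict(PC, mac="00-1A-2B-3C-4D-5F")

if __name__ == "__main__":
    server = LicenseServer()
    server.enroll("LIC-0001", hardware_id(PC))
    print(server.check("LIC-0001", hardware_id(PC)))        # steps 1-2, licensed machine
    print(server.check("LIC-0001", hardware_id(OTHER_PC)))  # same license, different NIC
```

This only covers what the server stores and how it compares; the client acting on the OK/BAD reply is still the single check BlackVortex describes above.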