You are viewing our Forum Archives. To view or take place in current topics click here.
Authrorization Samples | Simple to Advanced | VB & C#
Posted:

Authrorization Samples | Simple to Advanced | VB & C#Posted:

Bashful
  • TTG Senior
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
I'll update this if people show interest, but I see people wondering about simple ways to authorize applications. This will have simple to advanced, to efficient methods.

This way is by far the simplest method while reducing the validation to a one time event.

GIF preview
[ Register or Signin to view external links. ]
VB Code (C# can be released if requested. Also, a source file can be released as well!)
Imports System.Net 'Allows Access to Webclient for WebAuth
Imports System.Text.RegularExpressions 'Only for sorting through text, not needed right now.
Public Class Form1
    'This is a sample for Visual Basic .NET 4.5 written and coded by Bashful.
    'Home:
    'TTG: http://www.thetechgame.com/bashful
    'Don't take credit for this :P
    'The goal is to create a simple, bandwidth friendly, one time authorization which can't be spread between computers without having to worry about modifying anything to technical.
    'The solution is to create a hidden file, when this exists, the program is now authorized (which really won't be shown here, but it's fairly simple and with the code existing should be easy to tell how to do so)

    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        MessageBox.Show("Welcome to Authorization Test by Bashful. Use the given authorization key to show what happens when valid.")
        'check for authfile already
        If IO.File.Exists(Application.StartupPath & "authtrue.bshtst") Then
            statusauth.Text = "Authorized"
        End If
    End Sub

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        Dim web As New WebClient 'Calls webclient
        Dim authkey As String = web.DownloadString("http://paste*bin.com/raw.php?i=UCz8NydM") 'The paste*bin link is the link to your authkey. This downloads the html source. Remove the asterisk
        If authkey = authtxt.Text Then
            'This occurs if the authkey matches
            MessageBox.Show("Authorization Key valid!")
            If IO.File.Exists(Application.StartupPath & "authtrue.bshtst") Then
                'authfile exists
                statusauth.Text = "Authorized"
            Else
                IO.File.Create(Application.StartupPath & "authtrue.bshtst")
                statusauth.Text = "Authorized"
            End If
        Else
            'This is what happens when it doesn't
            MessageBox.Show("Authorization Key invalid!")
            statusauth.Text = "Not Authorized"
        End If
    End Sub
End Class


Last edited by Bashful ; edited 1 time in total

The following 2 users thanked Bashful for this useful post:

-Deano (10-01-2014), vSmithy (09-30-2014)
#2. Posted:
-Deano
  • Rated Awesome
Status: Offline
Joined: Aug 19, 201014Year Member
Posts: 5,243
Reputation Power: 532
Status: Offline
Joined: Aug 19, 201014Year Member
Posts: 5,243
Reputation Power: 532
Just to make sure I understand how this works..

So you would give them the program, they have have to enter their auth key in a text box. This is then compared to the secret url on paste-bin.
If it matches, it creates a file that is checked for to see if they are authorised?

How is this authtxt.bshtxt file actually hidden?
Couldn't someone just copy it and 'authenticate' any other people wanting to use it?
#3. Posted:
Bashful
  • TTG Senior
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
-Deano wrote Just to make sure I understand how this works..

So you would give them the program, they have have to enter their auth key in a text box. This is then compared to the secret url on paste-bin.
If it matches, it creates a file that is checked for to see if they are authorised?

How is this authtxt.bshtxt file actually hidden?
Couldn't someone just copy it and 'authenticate' any other people wanting to use it?

It's all at the creator's discretion.

For example:
This method could be used to, get a textfile with the auth codes. If the auth code matches, then it's a valid "license".

"authtxt.bshtxt" is a placeholder, so is the location. You can hide this file in a remote location.

To add more security, encrypt it with a custom key and store the authorization key in the authorizer, and disable all authorization function from there to ensure the user doesn't copy to others.

Simplified
-User uses key '505050'
-Application downloads auth files and can disable all functions/remove authorizer/disable key for future use
-Auth Files are encrypted with the user account name on the PC or very specific event numbers which can't be replicated
-If auth files are copied, they can't be decrypted because they don't know the auth key, and the program doesn't either.
-User can't connect/use application.


It can get pretty extensive, depending on how you want to do it
#4. Posted:
0xCuddz
  • New Member
Status: Offline
Joined: Aug 31, 201410Year Member
Posts: 18
Reputation Power: 0
Status: Offline
Joined: Aug 31, 201410Year Member
Posts: 18
Reputation Power: 0
I am only doing this so you can improve. Please take this as constructive criticism.

how to 'crack' this:
1. sniff traffic and find website
2. copy a key from website
3. enter into textbox
4. autherized
#5. Posted:
Bashful
  • TTG Senior
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
0xCuddz wrote I am only doing this so you can improve. Please take this as constructive criticism.

how to 'crack' this:
1. sniff traffic and find website
2. copy a key from website
3. enter into textbox
4. autherized

This is the simple version, I don't have time right now to write the rest.

This has nothing to do with improving lmfao.

Tell me now, how would you 'crack',
FTP authorization? Or a server side code to ensure that only the application is accessing the data.
#6. Posted:
0xCuddz
  • New Member
Status: Offline
Joined: Aug 31, 201410Year Member
Posts: 18
Reputation Power: 0
Status: Offline
Joined: Aug 31, 201410Year Member
Posts: 18
Reputation Power: 0
Bashful wrote
This is the simple version, I don't have time right now to write the rest.

This has nothing to do with improving lmfao.

Tell me now, how would you 'crack',
FTP authorization? Or a server side code to ensure that only the application is accessing the data.


I would then just use the app and manipulate it to my needs. If you write the code, ill show you. don't take this personally, I point out the flaws with everyones 'security'.
#7. Posted:
Bashful
  • TTG Senior
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
0xCuddz wrote
Bashful wrote
This is the simple version, I don't have time right now to write the rest.

This has nothing to do with improving lmfao.

Tell me now, how would you 'crack',
FTP authorization? Or a server side code to ensure that only the application is accessing the data.


I would then just use the app and manipulate it to my needs. If you write the code, ill show you. don't take this personally, I point out the flaws with everyones 'security'.

:facepalm:
With a good obfusticated program you wouldn't have access to the keys and with an encryption used for the keys you would need the decryption key.

Everything is crackable, but not everything is worth months/days finding the hole in which it works.
#8. Posted:
Fold
  • Moderator
Status: Offline
Joined: Oct 01, 201113Year Member
Posts: 2,844
Reputation Power: 19778
Motto: Brandon has stopped paying for his motto advertising space. This motto is now vacant.
Motto: Brandon has stopped paying for his motto advertising space. This motto is now vacant.
Status: Offline
Joined: Oct 01, 201113Year Member
Posts: 2,844
Reputation Power: 19778
Motto: Brandon has stopped paying for his motto advertising space. This motto is now vacant.
Bashful wrote
0xCuddz wrote
Bashful wrote
This is the simple version, I don't have time right now to write the rest.

This has nothing to do with improving lmfao.

Tell me now, how would you 'crack',
FTP authorization? Or a server side code to ensure that only the application is accessing the data.


I would then just use the app and manipulate it to my needs. If you write the code, ill show you. don't take this personally, I point out the flaws with everyones 'security'.

:facepalm:
With a good obfusticated program you wouldn't have access to the keys and with an encryption used for the keys you would need the decryption key.

Everything is crackable, but not everything is worth months/days finding the hole in which it works.


Deobfuscators and unpackers would get rid of obfuscation and packing respectively. Obfuscation is a layer of security, not the entirety of it and I don't know where you could store the decryption keys to keep them safe. If they are anywhere accessible to the application (especially hardcoded in), they are accessible to the cracker.

Also, as previously said, just editing one of the If statements in an assembly editor would open the application wide open or as previously mentioned, using a packet sniffer would also suffice.

Just things to think about when making an auth system.
#9. Posted:
0xCuddz
  • New Member
Status: Offline
Joined: Aug 31, 201410Year Member
Posts: 18
Reputation Power: 0
Status: Offline
Joined: Aug 31, 201410Year Member
Posts: 18
Reputation Power: 0
Bashful wrote
:facepalm:
With a good obfusticated program you wouldn't have access to the keys and with an encryption used for the keys you would need the decryption key.

Everything is crackable, but not everything is worth months/days finding the hole in which it works.

why are you taking this so personal? lol. and i guarantee you I can crack any of your .net apps
#10. Posted:
Bashful
  • TTG Senior
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
Status: Offline
Joined: Aug 02, 201212Year Member
Posts: 1,915
Reputation Power: 77
0xCuddz wrote
Bashful wrote
:facepalm:
With a good obfusticated program you wouldn't have access to the keys and with an encryption used for the keys you would need the decryption key.

Everything is crackable, but not everything is worth months/days finding the hole in which it works.

why are you taking this so personal? lol. and i guarantee you I can crack any of your .net apps

I'm not. I'm just pointing out that not everything is crackable by a skid, were you talking to me from a different source, I may believe you.

Regardless, if you truely believe so, pm me what you would do to crack,
1) FTP authorization. Not by using HTTP login.
2) Encoding the key. Not by ROT13 or any other low level encryption. But one that needs a key.
3) Obfusticated application
4) Single use keys.
Jump to:
You are viewing our Forum Archives. To view or take place in current topics click here.