CodeEnding Posted June 22, 2015 Posted June 22, 2015 (edited) I can Use Cheat Engine Scan String password found . How can I protect Thank you Edited June 22, 2015 by CodeEnding
SmilingWolf Posted June 22, 2015 Posted June 22, 2015 (edited) That's not your problem at all. Do whatever you want in the code, as soon as the request is sent it can be sniffed with Wireshark or whatever other network sniffer unless you're using something like this -> https://dev.mysql.com/doc/refman/5.1/en/ssl-connections.htmlEven if you do, though, at some point the correct string must be stored in memory, even just for the time needed to compose the request and send it, at which point it can be fished.You have to rethink the way your tool communicates with the server. Edited June 22, 2015 by SmilingWolf
GIV Posted June 22, 2015 Posted June 22, 2015 (edited) I think you can use this way: Use from client a form function that make a encryption of the password (simple xor, moded base64 etc). The server decrypt and if the password is in database acces granted, else quit. Insert the call to that procedure in every form of the aplication and call by a timer event at 30 seconds. If you put 100 checks in different named functions called by timers that all do the same thing using diferent variables the cracker will leave your app alone. BTW I like the buy.vb stuff in your project... Edited June 22, 2015 by GIV
atom0s Posted June 22, 2015 Posted June 22, 2015 You should not be using any type of actual connection to a database from your application. No matter how you protect the exe you can always sniff the traffic to get the password like SmilingWolf mentioned. Instead you should look into using a backend web service that accepts commands from your application. .NET provides a great way of doing this via WCF services. If you do not have the option to host a .NET specific service you can always resort to things like REST/SOAP interfaces via php or similar as well. Basically your application should have 0 login information stored in it, that should be something the user has to input if they have valid access. If you do not want them to have a login then your service should just be for querying information and not adding anything to the database for security reasons. Basically what you will want is something like: - Application sends login information to your service. - Service sends back a session token or similar to the application is required for all future calls to the service. - Application makes a call to the service including the session token it was given to ensure the call is allowed. - Service checks to ensure the token is valid, if not it does nothing, if its ok it will process the request. So you could do something like: - Application -> Service doLogin(username, password) - Service validates the login information, sends back a token if valid. - Application Service getUserInfo(session_token, username) - Service validates the session_token, if invalid do nothing, if valid retrieve the user info by their name in the db. This leaves the application free of any sensitive data, and the server handles everything securely.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now