
Protecting your code, and an authentication method.


MirnesC2

Hey guys,

I have been working on this project for some time now and have made a really useful tool for people to use. I want to sell my software (1 month, 3 month, lifetime licenses, etc). I have two worries.

  • Someone will reverse engineer my program and take the source code which I worked hard on.
  • People find a way to bypass my user authentication system.

So my question here, for those more experienced in the subject, is...

  • What is the best and most sure way to protect my code? (I don't want hackers unwinding it)
  • What is the best and most sure way to set this user authentication system up?

I ask about the protecting source code part because with previous programs I have made and shared for free, I have had other people decompile my "protected/encrypted" .exe file and send me the code... :(

For the user authentication part, I was thinking of making an online database, MySQL or something along those lines. But the problem with that is that I will probably have to input the database details into the source code... which again brings me back to worry #1. If the source code can be unraveled, then my entire database becomes a security hazard.

Any ideas and/or suggestions will be GREATLY appreciated! :)

Edited by MirnesC2

You should make a special logic in your code where things fall apart if they don't follow license check routines. By adding variables on weird places and just being creative with it. Have those people sent you AutoIt decompiled? Did you use obfuscator?

If they can pass this then you are pretty much out of luck.

Also you don't need to access database through client code, you can access it through server calls and they can't access that even if they get your source.

Edited by Aktonius

Lots of people ask this question, mostly because it has never been answered satisfactorily. Not because no-one has bothered to post the answer but because there isn't one.

Do as much of the logic as possible on the server. That's something people often overlook (Aktonius touched on it in his post). If your program was just a web browser with a license key then it would be incredibly secure (they would have to get to the files on the server to get your program code).

Edited by Mat

You should make a special logic in your code where things fall apart if they don't follow license check routines. By adding variables on weird places and just being creative with it. Have those people sent you AutoIt decompiled? Did you use obfuscator? If they can pass this then you are pretty much out of luck. Also you don't need to access database through client code, you can access it through server calls and they can't access that even if they get your source.

Thanks for the reply!

Is it okay if I make a separate function called _AuthCheck() and then call it from random points in the code or would it be better to embed it with random points of code? And yes I used obfuscator. There is nothing else to use besides that?

As for the server calls you mentioned. Any specific AutoIt functions I should be looking at? Or is there even an example of it lying around somewhere o.O

Edited by MirnesC2
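
The server-side check suggested in the replies above, as an added example that is not part of the original thread: the database and its credentials live only on the server, and the client sends nothing but its license key (over HTTPS in a real deployment) and receives a yes/no answer. The table layout, key format, port, the in-memory SQLite stand-in for the database, and the choice of Python for the server are all assumptions made for illustration.

```python
import hashlib
import json
import sqlite3
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

def key_digest(license_key):
    # Only a hash of each key is stored, so a leaked table does not expose usable keys.
    return hashlib.sha256(license_key.strip().upper().encode()).hexdigest()

def make_demo_db(now):
    # Constructed sample data; stands in for the real database on the server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE licenses (key_hash TEXT PRIMARY KEY, expires_at INTEGER, revoked INTEGER)")
    rows = [("DEMO-1MONTH-0001", now + 30 * 86400, 0), ("DEMO-LIFETIME-01", None, 0),
            ("DEMO-EXPIRED-001", now - 86400, 0), ("DEMO-REVOKED-001", None, 1)]
    db.executemany("INSERT INTO licenses VALUES (?, ?, ?)", [(key_digest(k), e, r) for k, e, r in rows])
    return db

def check_license(db, license_key, now):
    if not isinstance(license_key, str) or not 8 <= len(license_key) <= 64:
        return {"ok": False, "reason": "malformed"}
    # Parameterized query: client input is never concatenated into the SQL text.
    row = db.execute("SELECT expires_at, revoked FROM licenses WHERE key_hash = ?",
                     (key_digest(license_key),)).fetchone()
    if row is None:
        return {"ok": False, "reason": "unknown"}
    expires_at, revoked = row
    if revoked or (expires_at is not None and now >= expires_at):
        return {"ok": False, "reason": "revoked" if revoked else "expired"}
    return {"ok": True, "expires_at": expires_at}  # expires_at None = lifetime license

class LicenseHandler(BaseHTTPRequestHandler):
    db = None  # set once at startup; never shipped to clients

    def do_POST(self):
        try:
            length = max(0, min(int(self.headers.get("Content-Length", 0)), 1024))
            key = json.loads(self.rfile.read(length)).get("key")
        except (ValueError, AttributeError):
            key = None  # bad length, bad JSON, or JSON that is not an object
        body = json.dumps(check_license(self.db, key, int(time.time()))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    LicenseHandler.db = make_demo_db(int(time.time()))
    HTTPServer(("127.0.0.1", 8080), LicenseHandler).serve_forever()
```

A decompiled client reveals only the URL it posts to; the 1 month, 3 month and lifetime terms are enforced by the `expires_at` column on the server.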

Having logic on your server is as secure as it gets, but this raises the problem of server downtime.

I don't think paying customers would appreciate their paid application failing because your server is having issues/being maintained/whatever.

How many different hosts are enough when failure occurs on one?

The end of this question is always the same.

You have to weigh up the pros and cons of your particular circumstances and act accordingly.

If your application is going to make enough money for instance, you might consider getting two or maybe three hosts to apply your logic server side <- example

Believe it or not, there are still people in their hundreds of thousands who are honest paying customers for a good product with support and updates. Not everybody knows how to attack/crack a script, or where to find a cracked script, or even where to look, and wouldn't even get it if they did.

My advice is always this: (which I probably read on here) Make some basic authentication checks and focus on the quality of the product rather than its security.

Ask Bill Gates how he protects windows.
