CryptEncode, WebRequest combo for client validation


I'm trying to do my best to find a way to control client keys without using a DLL. So far the method I'm using is that I use a keygen script that uses AES256 then Base64 on a list of customer names to create an array of 'serial' codes, and then publish that array to a directory on my website. Then, when a customer loads the EA on their terminal, it uses the exact same method to encode their ACCOUNT_NAME, then compares it to the array that was pulled using WebRequest. The customer doesn't need to do anything except allow WebRequest for the specified page, then wait for me to update the page with the serial codes, so there are no external parameters for them to enter a serial key, and no way to know from looking at the page which one is theirs.

Wondering if storing more variables as uchar arrays (besides encryption keys) would make decompiling more of a challenge? Secondly, I was thinking of making the EA generate massive amounts of false orders that were included and mixed in with the logic used for generating true signals, if an attacker found a way to defeat the ExpertRemove() call from a failed authorization check. I've found some resources; I guess I'm just asking if someone has had experience with these sorts of methods and could provide a comment or criticism? Thanks a lot!
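
The scheme described above, as an added MQL5 example that is not the poster's code: MakeSerial is shared by the keygen script and the EA, and AccountIsLicensed is the terminal-side check. The 32-byte key, the URL and the one-serial-per-line list format are assumptions.

```mql5
// Shared by the keygen script and the EA, so both sides derive the same string.
string MakeSerial(const string name, const uchar &key[])
{
   uchar src[], enc[], b64[], nokey[];
   // copy the name without its terminating 0 so the input is deterministic
   StringToCharArray(name, src, 0, StringLen(name));
   // CRYPT_AES256 requires exactly 32 key bytes; anything else fails
   if(CryptEncode(CRYPT_AES256, src, key, enc) <= 0)
      return "";
   // CRYPT_BASE64 does not use the key argument
   if(CryptEncode(CRYPT_BASE64, enc, nokey, b64) <= 0)
      return "";
   return CharArrayToString(b64);
}
// EA side: fetch the published list and look for this account's serial.
// Note: nothing here authenticates the list, so whoever answers at the URL
// (or blocks it) decides the outcome; treat the fetch as untrusted input.
bool AccountIsLicensed(const string url, const uchar &key[])
{
   char data[], result[];
   string headers;
   // the URL must be allowed under Tools > Options > Expert Advisors
   int status = WebRequest("GET", url, NULL, 5000, data, result, headers);
   if(status != 200) return false;    // no list, no authorization
   string serials[];
   StringSplit(CharArrayToString(result), '\n', serials);
   string mine = MakeSerial(AccountInfoString(ACCOUNT_NAME), key);
   if(mine == "") return false;
   for(int i = 0; i < ArraySize(serials); i++)
   {
      string s = serials[i];
      StringTrimLeft(s); StringTrimRight(s);   // strip CR/whitespace
      if(s == mine)
         return true;
   }
   return false;
}
int OnInit()
{
   uchar key[32];
   for(int i = 0; i < 32; i++)
      key[i] = (uchar)(0x41 + i);     // placeholder bytes, not a real key
   if(!AccountIsLicensed("https://example.com/serials.txt", key))
   {
      ExpertRemove();                 // failed check: unload the EA
      return INIT_FAILED;
   }
   return INIT_SUCCEEDED;
}
```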

Ian Tavener:

Wondering if storing more variables as uchar arrays (besides encryption keys) would make decompiling more of a challenge?

In the absence of a known way of decompiling EX4 files, you're almost certainly at far more risk of a man-in-the-middle attack than an assault on the EA logic. (In essence: disable the WebRequest() call without actually modifying the EA.) 

Reason: