Script authing & the internet

Welcome!

Where to start, where to start...

Assuming that you know what script authing is, I'm gonna start out with probably the simplest script auth a person can make. Note, however, that with simplicity comes weakness ;)

SCAR Code:

program New;

var
UserCode, Code: String;

 procedure UserInput;
  begin
   Code := 'Passcode';
   UserCode := Readln('Please type in the authorization code below.');
   if(Code = UserCode)then
    Writeln('Authorized');
   if(Not(Code = UserCode))then
    Writeln('Not authorized');
  end;

begin
UserInput;
end.

Yes... This is a very weak auth script. The user can simply go through and take out the authorization part of your script.

Let's try hosting our auth code on another site...

SCAR Code:

program New;

var
UserCode, SubCode, Code: String;

 procedure UserInput;
  begin
   SubCode := GetPage('http://Jason2gs.fileave.com/Code.txt');
   Code := Copy(SubCode, 1, 8);
   UserCode := Readln('Please type in the authorization code below.');
   if(Code = UserCode)then
    Writeln('Authorized');
   if(Not(Code = UserCode))then
    Writeln('Not authorized');
  end;

begin
UserInput;
end.

The reason we have to use the Copy() tag with code, is because the site I'm using to host my auth code on adds a couple of characters to the end of your file. If you used GetPage() it would screw up.

You can also use the Copy() tag to hide your auth code somewhere inside of the text file. Just to add a bit of (much needed) security to it ;)

Anyways, we seem to be getting somewhere. Looks like it's time for my favorite part- Obfuscating!

Let's put this over here, that over there... Oh, this looks like it can fit perfectly over here... Oops, can't forget to one line it!

*it's in the attachments*

Alright, that wasn't the best obfuscating. Just be creative. It's a lot of fun once you really get into it ;)

Try to declare a variable as two different things, twice inc your script. That makes it more confusing.

Using a variable once in the main script, and once in the obfuscated authorization, will make it very confusing to the person trying to crack the obfuscation.

Some other things you can do that are kind of in the same boat (that, being having to do with connecting to the internet):

Script news. Easy to do, but looks impressive.

Turn a script on and off. Just have something in your script connect to the internet, and check to see if a certain code is there. If it is, run the script. If it's not, terminate.

With a bit of php, you could probably have progress reports sent directly to you. (Wouldn't know, don't know php :D)

There's a lot of stuff you can do. Again, just be creative.

Thanks for reading!

-Mike

Aha! Firstest Post!


PS: I got a great auth idea at school today, so expect to get a few pm's

EDIT:

You might want to clear up the bit about using two variables with the same name, it's a tad confusing

Maybe also some different ways to obfuscate?

*clicks tongue*

We should sell auths...

Like...premade auths that people can just pop into a script?

Ya; that idea passed through my mind the other day, but I really didn't think much of it

There's really not that many pay scripts, so....

True. Plus, if someone is good enough to make a pay-script, they probably don't need our help making an auth :D

You probably need to add '

SCAR Code:

terminate;

' after

SCAR Code:

Writeln('Not authorized');

Mine didn't need that. In my case, it would already terminate.

People can add in whatever they need ;)

I got a question.

What about they just go to the web page?just checking

Did you not read the tutorial? The whole thing?

*sigh*

Quote:

---

Originally Posted by Jason2gs

You can also use the Copy() tag to hide your auth code somewhere inside of the text file. Just to add a bit of (much needed) security to it ;)

---

Must I quote myself?

Couldn't they just copy it and put into scar?

That's why you hide the whole thing in a very lengthly bit of words

But still it would just take longer... you still could do it.

Did I not just say that? Hmm...

Take a look at this:

http://Jason2gs.fileave.com/AuthCode.txt

That's one of my auth codes. More accurately, my auth code is inside of that.

ok... (nice) wheres the script?

Like heck I'm gonna give you that :D

It's my favorite and best auth code, I'm keepin' it private for the moment ;)

Quote:

---

I getting tired of Signatures...

---

Oh :(

Do you mind if I use your old signature? Just modified a bit?

Wzoah!

Was that made with my keygen?

Looks like it....



What's nice is that you can use one piece of text with multiple auths, and have each one different

Sure i don't need it anymore:D

Couldn't you i make one up for me?

Actually this was made before you made your keygen. A while before ;)

I took my spammer on JASF and modified it to only type thirty characters, then go down a line. Ran it for a few seconds, and got that :D

Quote:

---

Originally Posted by smithspsbob

Sure i don't need it anymore:D

Couldn't you i make one up for me?

---

Awesome :)

That last part is a bit confusing.

"Could you make one up for me"?

Edit: Could you get me the image URL?

A script and a Auth Code so i can try to break it...:D

Ah, alrighty ;)

I'll plan on doing that later tonight. I think we're gonna eat soon, then go see Wild Hogs :)

Awesome! Have a good one!

Thanks ;)

[offtopic]

You've got a soul stealer too! :p

Don't click Michael... Don't click... *tries to resist clicking* Noo! *clicks*

[/offtopic]

Well now where even because i clicked yours!:o

Got to go eat =P

:( I feel left out

:D

Anyways, you should remember that you're not restricted to text files for authcodes

If somebody wanted to use the script what is stopping them from simply changing this

SCAR Code:

if(Code = UserCode)then

to this so that it always returns true. Doesn't matter how hidden your actual password is then...

SCAR Code:

if(5 = 5)then

Quite simple.

You have several if...thens in your auth. Some of which will, when deleted, cause your script to work horribly. Or just not compile at all.

You could put the real if...then in a separate function of it's own. (Pretty well obfuscated, of course.) Then you just need if(-function name here-)then...

Why not use a picture on a site and program a pseudo random number algorithm that randomly takes a few bytes of the picture's contents. Sorta like RSA. You could even go so far as to paint the picture on a canvas in SCAR and then use drawing functions on it to get an image that is always different, but always the same. Then make the script send a confirmation message to the server. If the script is authed, it will take commands FROM the server and run RS with them. A perl/cgi based app could do that. This means the script doesn't even CONTAIN the code to run it, merely the auth system and a way to receive/send commands/conf messages encrypted with md5 sums or RSA.

Very complex, but would make it almost impossible to rip the script (unless you can reverse md5 or RSA :D).

I don't think anyone would ever go to such lengths to protect his/her itellectual property, but it seems to be the favored method of protecting code (look at google apps - almost same, but less complex and NO encryption).

Would't that be a bit of a security hazard? I think people would want to know what codes they're running. Don't you?

SCAR Code:

Access to outgoing connection denied by user
Authorized
Successfully executed

i just got authorized?

Quote:

---

Originally Posted by Jason2gs

Quite simple.

You have several if...thens in your auth. Some of which will, when deleted, cause your script to work horribly. Or just not compile at all.

You could put the real if...then in a separate function of it's own. (Pretty well obfuscated, of course.) Then you just need if(-function name here-)then...

---

I still don't think that solves the problem. Anyone who knows how to script can go through and pick out the if-thens. Basically, if the check is in your scar-code then it would probably be easy to get around. Botmaster's idea is interesting, but I don't know of any scar-functions that would allow you to do that.

What you would do is to tie the Auth stuff to the main script so if you take out it you ruin the script.

Quote:

---

Originally Posted by smithspsbob

What you would do is to tie the Auth stuff to the main script so if you take out it you ruin the script.

---

Exactly ;)

@ Inf

That's strange... Not sure it should do that...

Sadly I can't check, I don't have SCAR on this computer. (:()

lol once i denied access to the internet, i was authed :D

Quote:

---

Originally Posted by botmaster

Why not use a picture on a site and program a pseudo random number algorithm that randomly takes a few bytes of the picture's contents. Sorta like RSA. You could even go so far as to paint the picture on a canvas in SCAR and then use drawing functions on it to get an image that is always different, but always the same. Then make the script send a confirmation message to the server. If the script is authed, it will take commands FROM the server and run RS with them. A perl/cgi based app could do that. This means the script doesn't even CONTAIN the code to run it, merely the auth system and a way to receive/send commands/conf messages encrypted with md5 sums or RSA.

Very complex, but would make it almost impossible to rip the script (unless you can reverse md5 or RSA :D).

I don't think anyone would ever go to such lengths to protect his/her itellectual property, but it seems to be the favored method of protecting code (look at google apps - almost same, but less complex and NO encryption).

---

I don't think that's possible in scar.

You could make the script load all variable values from the web, but you can't execute remote code

(execute(functionstr);)
(functionstr is the string with the name of a function in it)

^_^ I actually got a perfect idea for authing.

Lets say you made a simple auth procedure and put the integer 'I' in it and if they get the code right, 'I' will equal '10846943218' or something

Then in different procedures do

if not(I = 10846943218) then TerminateScript;

Probably wouldnt work very good but yeah.

:p Actually, that's one of the best auth strategies

Except, instead of terminating, you do:
1) SaveSetting(scriptname,'auth','good'); then, at some main functions, if(loadsetting(scriptname,'auth')='good')then exit; - messes stuff up, but the person won't know.
2) Send the computer's ip address to a php page, aka: your script's ban list. Every time the script starts, have it download some essential material (strings, variable values) from another php page, which would check incoming ip's against the ban list

Heh thats a good idea. ^_^ Although I dont have a FTP so.. I cant host PHP files. ^_^

Cracked: its 'passcode' =] although ur auth was very basic, one way was to deny acess to ur url, the other was just to go to the url it self =]

Successfully compiled
Authorized
Successfully executed

Rofl XD. Simple crack.

Guys, relax... anyone who looked at it could have cracked it. There is nothing to gloat about. Besides, this is just an example, and not his good version.