Announcement

**mencore** · 09-05-2013, 11:09 PM

Re: Using DPAPI in C++

EDIT: Nevermind

Is this any help?

http://msdn.microsoft.com/en-us/library/ms995355.aspx

**CR4SH** · 09-06-2013, 08:31 AM

Re: Using DPAPI in C++

Yes, this will be very usefull, nervetheless, i don't really understand the DATA_BLOB struct.
Just another question : Do you think using this API is a secure way to protect some data ?
Thanks you anyway

**mencore** · 09-06-2013, 09:08 AM

Re: Using DPAPI in C++

Originally posted by CR4SH View Post

Yes, this will be very usefull, nervetheless, i don't really understand the DATA_BLOB struct.
Just another question : Do you think using this API is a secure way to protect some data ?
Thanks you anyway

I really dont know anything about this API since I've never looked into Microsoft CryptoAPI and this is based on that I think so I can't say much about it.
However

>Microsoft
>secure

Usually you have to pick another. It also relies on API-calls ( daah ) so it's quite easy to at least figure out how you're protecting data unless you obfuscate the API-calls somehow. There's also plain strings you need to take care of.
Could you tell what you're trying to achieve?

**CR4SH** · 09-06-2013, 09:46 AM

Re: Using DPAPI in C++

Actually, I'm developing a client which restrict user to 1 account per computer.
So, my way to do that is : during the registration process, I regenerates a unique id based on some personal user informations. I hash et send his identifier to my API which stores it into a database. In the same times, I'm trying to store this ID on the user's computer. Like this, when he'll try to connect through my client, i'll can check if it's his account or not ( to prevent account stealing and multiaccount ).

That's why i'm searching a secure way to stores his identifier into his computer.

( Sorry, i'm not very fluent in enligsh, i'm doing my best )

Btw, I'm not really sure but, does someone can steal/see/modify his identifier using a memory dump ?

**GT3X** · 09-08-2013, 10:54 PM

Re: Using DPAPI in C++

Why would you store it local? Theres no need for that lol

Read ID -> send it to DB if login and ID matches allow him to login or not

also make sure to protect your login against license faking w/e

**CR4SH** · 09-10-2013, 11:46 AM

Re: Using DPAPI in C++

But this way don't fix the multiaccount : my way to generate the ID is : I send personal information from user's computer to my API, which generate ID throught different action, stores it into DB etc ...
But, during registration, users can enter differente information to generate differente ID and bypass it.

That's why I keep looking for a secure way to store this identifier on the user computer ( like Wi-Fi keys or password's user are stored on Windows ).
I've found this but I don't know how much it is secure, since I've never heard anything about that : http://technet.microsoft.com/en-us/l...=WS.10%29.aspx

And what are you calling 'licence faking' ?

**wav** · 09-10-2013, 01:52 PM

Re: Using DPAPI in C++

1. Generate Encrypted Binary Payload using HWID or whatever
2. Download to Client
3. Public Key Cryptography
4. ???
5. Profit

**GT3X** · 09-10-2013, 02:58 PM

Re: Using DPAPI in C++

Originally posted by CR4SH View Post

But this way don't fix the multiaccount : my way to generate the ID is : I send personal information from user's computer to my API, which generate ID throught different action, stores it into DB etc ...
But, during registration, users can enter differente information to generate differente ID and bypass it.

That's why I keep looking for a secure way to store this identifier on the user computer ( like Wi-Fi keys or password's user are stored on Windows ).
I've found this but I don't know how much it is secure, since I've never heard anything about that : http://technet.microsoft.com/en-us/l...=WS.10%29.aspx

And what are you calling 'licence faking' ?

Why do you generate a ID in your API? I dont know wheres your problem.

User downloads Client first time -> Read HWID -> send it to Database

With a unique hardware ID the account is limited to 1 computer lol

**CR4SH** · 09-10-2013, 03:51 PM

Re: Using DPAPI in C++

This is exactly my problem: the generation of this unique ID (I used the MAC address but I prefer to use something else)
That's why I'm trying to generate my own unique ID using some personal informations and store it on the user computer.
Using HWID bring some problems if user change his computer or something like that.
But just to know, how do you generate this HWID ?

**GT3X** · 09-10-2013, 09:04 PM

Re: Using DPAPI in C++

tg

Originally posted by CR4SH View Post

This is exactly my problem: the generation of this unique ID (I used the MAC address but I prefer to use something else)
That's why I'm trying to generate my own unique ID using some personal informations and store it on the user computer.
Using HWID bring some problems if user change his computer or something like that.
But just to know, how do you generate this HWID ?

If you dont generate a ID which is bounded to some hardwareparts, whats the point in making these ID anyways? lol

**mencore** · 09-11-2013, 06:32 AM

Re: Using DPAPI in C++

Seriously HWID is nothing but any kind of static hash that's made from PC parts, dont make it harder than it is.
What you should really consider is how you handle other stuff,

Decryption/Encryption of your software, is it streamed from memory and not from disk, how do you handle logins, how obvious your softwares (pay2hakes I assume) protection is so it's not too easy to make keygen or just simple patch against it etc.
I would go for public/private -key pair like wav said, also make somekinda heartbeat system that drops => no auth => kick from hakens. Pure client-side protection is going to fail so hard anyway.

**CR4SH** · 09-11-2013, 09:23 AM

Re: Using DPAPI in C++

Nah, it's absolutly not related to a pay2hack ( or something else about the cheatscene ).
About public/ private keys, i'm agree with you but, what ddo you exactly want to encrypt with those ?

Originally posted by wav View Post

1. Generate Encrypted Binary Payload using HWID or whatever
3. Public Key Cryptography

I don't really understand your way, can you explain more ?

**GT3X** · 09-11-2013, 10:59 AM

Re: Using DPAPI in C++

Originally posted by CR4SH View Post

Nah, it's absolutly not related to a pay2hack ( or something else about the cheatscene ).
About public/ private keys, i'm agree with you but, what ddo you exactly want to encrypt with those ?

I don't really understand your way, can you explain more ?

Take a look at RSA or just google asymmetric encryption

You dont even need to implement it by yourself -> http://www.cryptopp.com/

**CR4SH** · 09-11-2013, 01:37 PM

Re: Using DPAPI in C++

Yeah, I know the asymmetric encryption and the RSA ( I've already an implementation of it in C++ ) but what do you exactly encrypt with it ?
In fact : I have just few problems actually : restrict 1 account per computer ( which can probably solved by storing some serial number hash into DB i guess ) and secured the exchanges between client and API ( in PHP ).
For the second one, I have thinking about using RSA encryption ( by storing public key into the client, encrypt data, send it to my API and decrypt data using private key stored into my API ) but I have no idea about the first one ...

PS : Sorry about wasting your time

**GT3X** · 09-12-2013, 02:48 AM

Re: Using DPAPI in C++

Take the hwid, encrypt with w/e you want and send it to your php script, encrypt it and check if it matches -> return true / false to client and allow user to login / not login

**wav** · 09-12-2013, 03:45 AM

Re: Using DPAPI in C++

Without the correct HWID to generate the correct private key the dumped binary is useless.

**CR4SH** · 09-12-2013, 11:01 AM

Re: Using DPAPI in C++

About HWID, I've thinking to use WMI to steal serials numbers, that's a wrong way ?
But wav, i've not completly understand the end of your line : In fact, the private key is stored into my API, no need to use it into my client ( using only the public key to encrypt data ), isn't exactly ?

**wav** · 09-12-2013, 01:49 PM

Re: Using DPAPI in C++

The client only has the bootstrapper. All the cool stuff is done on the server. Eg, resolving imports, relocations, strings, etc. Even some memory lookups using a memory map eg for locating sigs in memory. The only hooking stuff the client sees is what can't be resolved on the server. Now as for the payload, as I said before the client sends their hardware information. The server generates a public/private key for this. Keep in mind we've already established a secure line of communication through public key cryptography and switched to AES 256 by this point. The only thing left for the server to do is stream the binary in pieces. Only after our bootstrapper / DLUtility has done everything, does the client ever see the private key.

If you still don't understand, fuck off and just die.

**CR4SH** · 09-12-2013, 02:09 PM

Re: Using DPAPI in C++

Calm down

I understand now what you mean, thank you for the precision!
Problem solved, thank to all.

Announcement

Using DPAPI in C++

Using DPAPI in C++

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment