-2

We are developing online software which requires an username/pass authentication to our servers. There are two kind of users (Paid and Free users). The paid users should have different features available than the free users of course. Unfortunately our application is getting cracked within 1-2 Weeks after every new release. We want to pay for an existing authentication system or an expert who can do it, which makes it as hard as possible for Crackers. We have some experience with Crack protection, but this time we have no idea anymore.

This is what we have tried: - Splitting up the authentication in two parts (AES-256 sending and AES-256 receiving with each own nonces - 8char static nonce and 24char flexible nonce each session) - Both parts has been obfuscated with two different obfuscators (EAzfuscator + virtualization feature and ConfuserEx with virtualization feature). - Several killswitches - MD5 Checks (They haven't helped because the cracker is creating a "Loader" which emulates our authentication server)

Do you know any company who offers such services? The application is written in C#.

kentor
  • 16,553
  • 20
  • 86
  • 144
  • Your question is off-topic on SO since we don't recommend other companies to provide services. – Patrick Hofman Sep 03 '15 at 19:35
  • Other solutions also welcome, I am sorry! – kentor Sep 03 '15 at 19:45
  • If your authentication server can be simulated that easy, then your server is very likely responding with the same ACK text always. You maybe should include date and time. How do you create your license keys? Is a computer hardware depentant ID used for generating a corresponding key? – Tobias Knauss Sep 03 '15 at 20:14
  • You could avoid a server emulation by using asymmetric encryption and authentication with public and private keys. – Tobias Knauss Sep 03 '15 at 20:19
  • We create for every session a unique id but of course we also have to transmit this key as well to the user and this id needs to be validated by the client then. – kentor Sep 03 '15 at 20:22

1 Answers1

0

Have your app generate a random token string each time it sends anything to the server. Then have your server send back an encrypted string back to the app based on the token. If the encrypted token string from the server decrypts to the original in memory random token string allow the software to proceed....if not halt execution. This will stop the loader.

When you send responses back in plain text the cracker can easily spoof it as they know how to emulate it. Encrypting the response back so it is random each time makes it harder to crack.

smedley
  • 1
  • This is what we are doing already of course, but the hacker is able to read our code even though we use virtualization as encryption. – kentor Sep 08 '15 at 22:47