
Thread: Logging in with an exe file

  1. #1

    Logging in with an exe file

    Hello everyone,
    In programs such as Skype, where you log in through an exe file, how do they connect to the database without the user getting hold of the company's database connection details? What is stopping someone from reverse engineering a program, then writing their own to query all the results from the database using the connection string from the application they reverse engineered?

  2. #2

    I think a lot of it is done using sockets.

    http://en.wikipedia.org/wiki/Network_socket

    You can make your own little program trying PHP's socket functions.

  3. #3

    A few technologies:

    • HTTPS
    • AES Salted Hash Encryption
    • Polymorphic Code
    • Obfuscation
    • Bespoke Encryption Algorithms
    • Key file Encryption
    • A fair few other security techniques


    You can write a very simple polymorphic program in AutoIt as an example; it ensures that the program is much harder to reverse engineer, as the program, in effect, writes itself as it goes.

    Obfuscation of code, especially using CLSIDs and APIs that are on the server, will allow the program to be unreadable by humans, even if it is reverse engineered.

    Or they just write it in ASM.

    However, the biggest security measure will be on the server itself. It will check the MD5/SHA-1 checksum of the file itself and perform various other security checks, including file size, fragmentation, file location, etc. to verify the file is legitimate. Only then will it accept the input parameters.

    The parameters that the program itself will send are the bare minimum, just a username and password. It doesn't have any access to the server, nor the database; all it can do is ask for information about the currently logged-in user. When it asks for that information, the server will send back an information package, usually an object that can be programmed from. If the program asks for information it's not allowed, it simply won't receive it.
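The server-side half of the design described in this post, as an added Python example that is not part of the thread: the database connection and password hashes exist only on the server, the client sends nothing but a username and password, and afterwards the only thing it can ask for is its own record. The in-memory SQLite table, the user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Server side only: the connection details never ship inside the client binary.
# Constructed in-memory database standing in for the real one (assumption).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, email TEXT)")

# Token -> username; lives only in server memory, never in the client.
SESSIONS = {}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(name: str, password: str, email: str) -> None:
    salt = os.urandom(16)
    DB.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (name, salt, _hash(password, salt), email))


def login(name: str, password: str):
    """Client sends just username + password; server answers with an opaque token or None."""
    row = DB.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = name
    return token


def get_profile(token: str, name: str):
    """The only query the client can make: its own row. Anything else is refused."""
    owner = SESSIONS.get(token)
    if owner is None or owner != name:
        return None
    row = DB.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchone()
    return {"name": row[0], "email": row[1]}
```

A real deployment would put `login` and `get_profile` behind an HTTPS endpoint; the point is that the client holds a session token, not a connection string.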
