0

I have a dll with an "authentication" method in it that checks if a password is valid, like this:

public void AuthenticationExample(string password)
{
    if (PasswordIsValid(password))
        this.locked = false;
}

To prevent the password from being "cracked" by a loop, I want the method to crash the entire application if authentication fails, like this:

public void AuthenticationExample(string password)
{
    if (PasswordIsValid(password))
        this.locked = false;
    else
        Crash();
}

Is there a way of doing this?

Alternatively, what is a better way of protecting a dll?

8
  • As far as I am aware, the only sure-fire way to crash the application is to cause a StackOverflowException, since other exceptions could be caught and ignored. Why does your DLL have a password? And why do you expect the end-user not to simply reverse engineer the DLL in order to crack it? Perhaps more notably, why do you expect the user won't simply just set locked = false via reflection? I replaced properties in a third party DLL's licensing class at runtime once (for fun, not for profit), and the DLL instead called my methods to verify the licence. Commented Nov 19, 2019 at 7:37
  • 1
    Also I guess the user could restart the application, or am I missing something? Commented Nov 19, 2019 at 7:41
  • The dll has a password to make pirating harder. I started by just obfuscating it but then I realized anyone could still use it if they implement it in a project. Could you elaborate on how you would change the 'locked' field? Yes, the user could restart the application but it's way harder and more time consuming. Commented Nov 19, 2019 at 7:47
  • 1
    typeof(AuthenticationClass).GetField("locked", BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.SetField).SetValue(authenticationClassInstance, false); - Working example Commented Nov 19, 2019 at 7:48
  • Rip my locking method. Do you know of a better way of doing this? Commented Nov 19, 2019 at 7:51

1 Answer

1

CLOSING WPF:

You can just call the main window and close it or throw a custom exception.

PASSWORD PROTECTION:

I had the same issue. Finally, I understood that whatever you do, it can be cracked. Nothing is fail proof. If your license verification is done on the cloud, like sending some info to a server and receiving back a response, it can be managed to an extent.

Just because everything can be hacked doesn't mean that you have to leave your product wide open for cracking. You can add some barriers so that it is a little hard for the crackers. If the product is worth the effort, eventually someone will hack it.

For my applications, I have 2 or 3 licensing steps (which can slow down a hacker but not stop him/her):

  1. A dll (say, DLL-A) with cryptography methods for verifying a license. DLL-A will be placed in the working directory. Along with that, a copy of this dll (say, DLL-B) will also be placed as an embedded resource.

  2. During runtime, when DLL-A is about to be loaded, DLL-B will be extracted and the hashes of both will be compared. This is to ensure that DLL-A is not tampered with. In case DLL-A is tampered with, DLL-B will replace DLL-A.

  3. Along with that dll method, an XML-signed file will also be used. This will be verified somewhere in the code.

  4. A C++ native library, with different cryptography methods. This will also be used similarly to the DLL-A/DLL-B procedure (steps 1, 2).

Thus, in my application, I generally use 3 to 4 different license verification schemes. All are independent. Even though everything can be hacked and broken, the hacker will have to be fed up trying to hack all the 4. And with every year, I change my licensing methods and update the new app. So, this means that every year, the hacker has to spend a hard time hacking it. (Which should eventually make them feel frustrated.)

Above all, I also have cloud based verification for my apps (the ones which store credentials in cloud DB). But, there are still some clients who expect their app to run without connection to internet (due to some security reasons).

Note: Eventually everything is hackable. Point is you just make it hard for hackers.
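The DLL-A/DLL-B comparison from steps 1 and 2 of the answer, as an added example that is not the answer author's code. The class name, resource name and file name are hypothetical, and SHA-256 is assumed as the hash since the answer does not name one.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

static class LicenseDllIntegrity
{
    // Hypothetical names: DLL-B is embedded in the host assembly, DLL-A sits on disk.
    const string ResourceName = "MyApp.Resources.LicenseCheck.dll";
    const string DiskFileName = "LicenseCheck.dll";

    static byte[] Sha256(Stream s)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(s);
    }

    // Call this before DLL-A is loaded. Returns true if DLL-A matched DLL-B;
    // otherwise DLL-A is overwritten from DLL-B and false is returned.
    public static bool VerifyOrRestore(Assembly host, string workingDir)
    {
        string diskPath = Path.Combine(workingDir, DiskFileName);
        using (Stream embedded = host.GetManifestResourceStream(ResourceName))
        {
            if (embedded == null)
                throw new InvalidOperationException("Embedded copy missing: " + ResourceName);

            byte[] expected = Sha256(embedded);
            byte[] actual = null;
            if (File.Exists(diskPath))
                using (var fs = File.OpenRead(diskPath))
                    actual = Sha256(fs);

            if (actual != null && actual.SequenceEqual(expected))
                return true;

            // Missing or modified DLL-A: restore it from the embedded copy.
            embedded.Position = 0;
            using (var fs = File.Create(diskPath))
                embedded.CopyTo(fs);
            return false;
        }
    }
}
```

The reference copy and the comparison both live in the host process, so this check shares the limits the answer and its comments describe: it raises the effort needed, and the return value is worth logging so that repeated restores show up as a tamper signal.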


3 Comments

To work around those 4, I'd probably just see if I can replace the methods that think they are doing the verification. And yes, it is possible to replace methods at runtime, without inheriting the class, etc. It did take me a while to find enough information to do it, and I can't immediately find it again, so your methods would probably hold up/discourage most people.
Exactly.. It is possible.. I also use RSA based public/private key methods. So, the key point is it will take a little more time to crack than an application which has no protection.. Eventually, everything is hackable..
And as you pointed out, the methods that they 'THINK'.. They have to think and figure out.. So, we can check it at different places.. In one of my applications, the validation is done in one stage and the exception is thrown in a different stage. So, these are all little tricks to throw the hackers off guard..
