C++ / C#
askogorev, 2014-05-07 09:04:19

Solution for authorizing an application on a server (C/C++)

It is required to run the client application only if it successfully authorizes on the server.
I.e., a license will be embedded in each application. License + IP address = key
Verify the key on the server and run the application only after authorization.
My guesses on this:
Server and client have the same encryption mechanism that the user doesn't know about, for example, something like hash(hash(key)).
When launched, the client application will send service information: key + IP address + system start time + some other data. The IP and the key will be checked on the server and, upon successful authorization, the server will send the client tokenFromServer = hash(hash(key + metadata)). The client, in turn, also computes token = hash(hash(key + metadata)), which it sends to the server.
If tokenFromServer == token, then run the application.
How vulnerable is this method to hacking, what are the alternatives, are there any ready-made solutions?

2 answer(s)
Rsa97, 2014-05-07
@Rsa97

That is, it is enough to find the place where the comparison is located (tokenFromServer == token) and replace the operation code from == to !=

Gibbon Cho, 2014-05-14
@gibboncho

1) You can cut out the check in the client, as Rsa97 already said.
2) Even if the verification is "more complicated", you can see the encryption mechanism through disassembly ...
The only solution, in my opinion, is to transfer part of the logic from the software to the server + use an obfuscator and debug protection
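
An added example, not part of the question or of either answer: a server-side sketch of the design the second answer points to, where the client never makes the allow/deny decision and instead receives the output of logic that runs only on the server. It is written in Python so the HMAC comes from the standard library; `LicenseServer`, `client_proof`, `run_feature`, `_protected_logic`, the license table, and the choice to use the IP address the server observes on the connection are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: license id -> (secret key, IP the license is bound to).
LICENSES = {"lic-0001": (b"constructed-secret-key", "203.0.113.10")}


def client_proof(secret_key, nonce, ip):
    """Computed by the client: HMAC-SHA256 over the server's nonce and the IP."""
    return hmac.new(secret_key, nonce + ip.encode(), hashlib.sha256).digest()


class LicenseServer:
    def __init__(self, licenses):
        self.licenses = licenses
        self.pending = {}  # nonce -> license id it was issued for

    def challenge(self, license_id):
        """Step 1: issue a fresh random nonce; the secret key is never sent."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = license_id
        return nonce

    def run_feature(self, nonce, peer_ip, proof, x):
        """Step 2: verify the proof, then do the protected work on the server.

        peer_ip is the address the server sees on the connection (assumption),
        not a value claimed inside the client's message.
        """
        license_id = self.pending.pop(nonce, None)  # single use: blocks replay
        entry = self.licenses.get(license_id)
        if entry is None or entry[1] != peer_ip:
            return None
        expected = client_proof(entry[0], nonce, peer_ip)
        if not hmac.compare_digest(expected, proof):  # constant-time compare
            return None
        return self._protected_logic(x)

    @staticmethod
    def _protected_logic(x):
        # Hypothetical stand-in for the application logic moved to the server.
        return x * x + 1
```

Flipping a comparison in the client gains nothing here, because the client holds no result to unlock. The embedded key can still be recovered by disassembly, as the second answer notes, so the server-side IP binding and the ability to revoke a license remain the actual controls.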
