1

I am creating a binary file for registered users of my application. The user already knows what information is stored in the file because he is providing me with that information while registering. Every time my application is launched the registration file is read and compared with the information obtained from hardware. So I am concerned whether "power users" would be able to understand the logic in which the information is stored in the file.

Long story short, is it possible to reverse engineer the contents of a binary file? If yes, then what would be a better approach to check for registered applications?

Potatoswatter
  • 134,909
  • 25
  • 265
  • 421
Cool_Coder
  • 4,888
  • 16
  • 57
  • 99
  • Binary won't protect anything, it's just a conversion. Maybe encrypt information before storing it? And then plain text or whatever can be fine. – Rémi Benoit Nov 18 '13 at 06:31
  • 4
    My understanding of commercial EXE protectors is that some of them can be had for relatively little money. Perhaps $100 or $200. Anything home-rolled by someone at what I perceive to be your level of expertise is a total non-event to defeat. Last time I bothered, a particular $150 program was a 35 minute exercise to pwn. People actually make and break these types of schemes in preference to doing cross-word puzzles or sudoku. Here's an example of such a challenge: http://forum.tuts4you.com/topic/33778-crackme-crackme-v11/ - Many good tuts on that site, enjoy! – enhzflep Nov 18 '13 at 07:07

1 Answers1

3

Binary will be no hindrance to anyone with experience in reverse engineering. "Back in my day" (the 90's) binary was the default choice in general.

Hackers are going to be able to defeat your registration process, not by faking the registration file but by altering the instructions that check for it. (Instructions are also binary, incidentally.) Encryption is no use because everything is on one machine and the hacker can read the cleartext in RAM with a debugger inside the program. Not that they probably care, because they'll instead be going after the "business logic" that sets a flag to display an error and quit.

Tying registration to specific machines will also frustrate legitimate users when they upgrade or switch computers.

A good approach in this online age is to have machines phone home, but it's a bit obtrusive.

Just off the top of my head, you could access a server at irregular intervals based on a registration hash code and a real-time clock (be sure to handle time zones properly). Since it's not done at app launch, hackers will have a hard time finding it. If two different IP addresses phone home with the same hash code at about the same time, instruct them all to delete the registration files and prompt the user to re-register.

Potatoswatter
  • 134,909
  • 25
  • 265
  • 421
  • 1
    the target audience for my application does not necessarily have internet all the time. Since they would be requiring internet connection to run the application it would bug them a lot... But I now understand that using binary files for registration is like using sand walls to protect your castle from the rough sea tides... – Cool_Coder Nov 18 '13 at 06:48
  • @Cool_Coder My last paragraph does not require an internet connection. Read closely: I only suggested a process for *deleting* the registration when a pirate *is* connected. It would also be a good idea to store that registration code on the server to kill any other copies that turn up online later. – Potatoswatter Nov 18 '13 at 06:49
  • The user will be able to restore from a backup (or undelete, so you should zero out the file) but only until the online check successfully runs again. It would be annoying, and hard to reverse-engineer due to the sporadic nature. May or may not meet your needs, but it's just the first solution that comes to my mind right now. – Potatoswatter Nov 18 '13 at 06:56
  • how will the application know when to check with the server? This logic cannot be added in code because it will not have information for when the previous check was done. So eventually I will have to maintain a file which will keep a record for next registration date. If this is true then hackers can easily modify the code of my application to check the date in a dummy file instead of my file. Is there anything I am saying incorrect? – Cool_Coder Nov 18 '13 at 07:01
  • 1
    @Cool_Coder Define an appropriate function. "Given this registration code and the current time, generate the next time to phone home." All machines with the same code and correctly set clocks should call simultaneously. – Potatoswatter Nov 18 '13 at 07:04