Fold wrote

Bashful wrote

0xCuddz wrote

Bashful wrote
This is the simple version, I don't have time right now to write the rest.

This has nothing to do with improving lmfao.

Tell me now, how would you 'crack',
FTP authorization? Or a server side code to ensure that only the application is accessing the data.

I would then just use the app and manipulate it to my needs. If you write the code, ill show you. don't take this personally, I point out the flaws with everyones 'security'.

:facepalm:
With a good obfusticated program you wouldn't have access to the keys and with an encryption used for the keys you would need the decryption key.

Everything is crackable, but not everything is worth months/days finding the hole in which it works.

Deobfuscators and unpackers would get rid of obfuscation and packing respectively. Obfuscation is a layer of security, not the entirety of it and I don't know where you could store the decryption keys to keep them safe. If they are anywhere accessible to the application (especially hardcoded in), they are accessible to the cracker.

Also, as previously said, just editing one of the If statements in an assembly editor would open the application wide open or as previously mentioned, using a packet sniffer would also suffice.

Just things to think about when making an auth system.

Well yes, but any type of freeware deobfuscators or relatively cheap ones, generally don't unpack everything or can't. There is always new methods that make it harder.

Unless you have a very expensive application, generally no one will spend money to crack your system if it proves illusive enough. If you have an expensive application, generally it SHOULD garner a large enough revenue to develop a better system.

This is for small time developers, who shouldn't have to worry about anything like this.

As far as the key, this wouldn't be stored in the application. Knowing enough about cryptography, you would understand what I mean and that having a decryption key stored wouldn't work as every platform decodes differently and this would suffice for a single platform stored entity.

So, once again.
-This isn't meant for large applications where people would actually strive to crack your security. I expect you wouldn't be looking on here for tutorials on this, if this were the case regardless. I'm catering to the demographics of this forum, which generally consists of younger males, without any substantial knowledge.

-Deobfuscation software works depending on current methods and what methods that software can reverse.

There are also methods that make it severely hard to reverse, [ Register or Signin to view external links. ] <- example.

But everything is crackable, it's just a matter of how adept the cracker is, and how strong your security is.

In reality, I've used simple protection methods and never once, had an unauthorized access to any of my applications, because even better yet, you could always store users by IP Address and restrict access by IP. As far as dynamic IP Address problems, it's easy to circumvent.

Bashful wrote
Well yes, but any type of freeware deobfuscators or relatively cheap ones, generally don't unpack everything or can't. There is always new methods that make it harder.

Unless you have a very expensive application, generally no one will spend money to crack your system if it proves illusive enough. If you have an expensive application, generally it SHOULD garner a large enough revenue to develop a better system.

This is for small time developers, who shouldn't have to worry about anything like this.

As far as the key, this wouldn't be stored in the application. Knowing enough about cryptography, you would understand what I mean and that having a decryption key stored wouldn't work as every platform decodes differently and this would suffice for a single platform stored entity.

So, once again.
-This isn't meant for large applications where people would actually strive to crack your security. I expect you wouldn't be looking on here for tutorials on this, if this were the case regardless. I'm catering to the demographics of this forum, which generally consists of younger males, without any substantial knowledge.

-Deobfuscation software works depending on current methods and what methods that software can reverse.

There are also methods that make it severely hard to reverse, [ Register or Signin to view external links. ] <- example.

But everything is crackable, it's just a matter of how adept the cracker is, and how strong your security is.

In reality, I've used simple protection methods and never once, had an unauthorized access to any of my applications, because even better yet, you could always store users by IP Address and restrict access by IP. As far as dynamic IP Address problems, it's easy to circumvent.

I would love for you to make a crackme. hmu if you're down

0xCuddz wrote

Bashful wrote
Well yes, but any type of freeware deobfuscators or relatively cheap ones, generally don't unpack everything or can't. There is always new methods that make it harder.

Unless you have a very expensive application, generally no one will spend money to crack your system if it proves illusive enough. If you have an expensive application, generally it SHOULD garner a large enough revenue to develop a better system.

This is for small time developers, who shouldn't have to worry about anything like this.

As far as the key, this wouldn't be stored in the application. Knowing enough about cryptography, you would understand what I mean and that having a decryption key stored wouldn't work as every platform decodes differently and this would suffice for a single platform stored entity.

So, once again.
-This isn't meant for large applications where people would actually strive to crack your security. I expect you wouldn't be looking on here for tutorials on this, if this were the case regardless. I'm catering to the demographics of this forum, which generally consists of younger males, without any substantial knowledge.

-Deobfuscation software works depending on current methods and what methods that software can reverse.

There are also methods that make it severely hard to reverse, [ Register or Signin to view external links. ] <- example.

But everything is crackable, it's just a matter of how adept the cracker is, and how strong your security is.

In reality, I've used simple protection methods and never once, had an unauthorized access to any of my applications, because even better yet, you could always store users by IP Address and restrict access by IP. As far as dynamic IP Address problems, it's easy to circumvent.

I would love for you to make a crackme. hmu if you're down

Ditto. To Bashful, it seems like you're taking a lot of what people are giving you personally, and I'm not sure why.

If you want to find out how secure your program is, then release it and let 0xCuddz, myself and whomever else take a crack at it (get it?). I can't speak for anyone else, but given everything that you're saying and the way you're saying it, I'm almost certain I could manipulate your program to my needs. I implore you to give us a shot.

Also, if you think expensive means better, than you're wrong.

Minato_Namikaze wrote

0xCuddz wrote

Bashful wrote
Well yes, but any type of freeware deobfuscators or relatively cheap ones, generally don't unpack everything or can't. There is always new methods that make it harder.

Unless you have a very expensive application, generally no one will spend money to crack your system if it proves illusive enough. If you have an expensive application, generally it SHOULD garner a large enough revenue to develop a better system.

This is for small time developers, who shouldn't have to worry about anything like this.

As far as the key, this wouldn't be stored in the application. Knowing enough about cryptography, you would understand what I mean and that having a decryption key stored wouldn't work as every platform decodes differently and this would suffice for a single platform stored entity.

So, once again.
-This isn't meant for large applications where people would actually strive to crack your security. I expect you wouldn't be looking on here for tutorials on this, if this were the case regardless. I'm catering to the demographics of this forum, which generally consists of younger males, without any substantial knowledge.

-Deobfuscation software works depending on current methods and what methods that software can reverse.

There are also methods that make it severely hard to reverse, [ Register or Signin to view external links. ] <- example.

But everything is crackable, it's just a matter of how adept the cracker is, and how strong your security is.

In reality, I've used simple protection methods and never once, had an unauthorized access to any of my applications, because even better yet, you could always store users by IP Address and restrict access by IP. As far as dynamic IP Address problems, it's easy to circumvent.

I would love for you to make a crackme. hmu if you're down

Ditto. To Bashful, it seems like you're taking a lot of what people are giving you personally, and I'm not sure why.

If you want to find out how secure your program is, then release it and let 0xCuddz, myself and whomever else take a crack at it (get it?). I can't speak for anyone else, but given everything that you're saying and the way you're saying it, I'm almost certain I could manipulate your program to my needs. I implore you to give us a shot.

Also, if you think expensive means better, than you're wrong.

I'm not (I stated this several times) taking this personal.

Expensive does NOT mean better. However, expensive projects tends to have better security because it has more assets worth protecting and the developers have a ton of experience.

Agile .NET is 1000$, but it supports almost every known and exclusive obfuscation methods.

I never once said that not everything is crackable or that I could make an uncrackable application.

Consistently having to repeat myself is annoying and a nuisance. If that's why you think I'm taking it personal I'm not.

Facts I stated:
1) being a skid, does not make you a cracker. You can't use a program to magically crack everything.

2) encryption methods vary in strength.

3) not everything is crackable in a small timeframe, thus deterring 90% of "crackers"

This whole time, I tried to explain that this is by all means not meant for super tight security and that I know this. However, everyone is quite literally repeating the same statements.

So, if you will continue to do so, I will discontinue responding to those statements.

When I do have time to create a crackable, I will. I'm not sure when, but I'll tell you this, deobfuscating the application or "reflecting" the source will provably not count unless I actually get my obfuscator back, since all of my applications are open source upon release

Bashful wrote I'm not (I stated this several times) taking this personal.

Expensive does NOT mean better. However, expensive projects tends to have better security because it has more assets worth protecting and the developers have a ton of experience.

Agile .NET is 1000$, but it supports almost every known and exclusive obfuscation methods.

I never once said that not everything is crackable or that I could make an uncrackable application.

Neither did I nor did I say you said that, but okay.

Consistently having to repeat myself is annoying and a nuisance. If that's why you think I'm taking it personal I'm not.

Seems reasonable.

Facts I stated:
1) being a skid, does not make you a cracker. You can't use a program to magically crack everything.

I think this is what entices me to this conversation, is you saying that. Are implying that I'm a skid? You have NO IDEA who I am so how could you say that?

2) encryption methods vary in strength.

3) not everything is crackable in a small timeframe, thus deterring 90% of "crackers"

This whole time, I tried to explain that this is by all means not meant for super tight security and that I know this. However, everyone is quite literally repeating the same statements.

So, if you will continue to do so, I will discontinue responding to those statements.

When I do have time to create a crackable, I will. I'm not sure when, but I'll tell you this, deobfuscating the application or "reflecting" the source will provably not count unless I actually get my obfuscator back, since all of my applications are open source upon release

Listen, I'm not trying to annoy and I'm sorry if that's how it came off, believe it or not, I just want to help. And being that you're asking about security, I just wanted to see if your initial intuition was secure or not. That's all!

All my responses are in red.

You're only talk. I gave you a chance to prove yourself with the crackme and you turned it down. You don't know shit about authorization or security in general. **** make a crackme to prove me wrong

@Minato_Kamikaze
1) By asking me, a hobbyist, to make a crackme to "prove" me wrong you are presenting the idea, to at least me, that I believe I have methods to circumvent security risks. I don't. I have methods that may work. This conversation was taken out of context from my original point of a simple security system with more to come later. If you didn't mean to point it out in this manner, or the other users didn't, then it should have been worded correctly to state your point.

2) If you are being serious in the response, I appreciate you realizing my aggravation and why so, not because you believe you are teaching me something.

3) I'm not implying that you or the other user are a skid, however you realize that most of the cracking methods you posted about revolve around products others made to do so.

It's like me calling myself a hacker by using metasploit to crack into websites and shells to ddos.

I use this example because this is more of my knowledge of vulnerabilities to an extent, sqli without program or application assistance as opposed to letting an application do your work.

4) that's fine. I was trying to state that even the smallest security will deter most users because, in reality, not everyone knows how to crack or knows enough to do so.

Everything is crackable. It's a matter of the security. You COULD also bruteforce an encryption key or password but certain variables increase time for example.

Like the Galaxy 5. It took months and a reward for anyone to be able to root the OS.

@0xCuddz
LOL yes because what I want to do on my free time is make a crack me so you could have your fun.

I work everyday. I'm not a child. I have things I need to do, like work and have a life away from my phone/computer. Why so you think I'm hardly on and almost always on the same time.

Want a task?
I'll give you several
1) SQLi, XSS several sites (not illegal plenty of sites allow this legally)
2) find a database through Google
3) find vulnerable cpanel and WordPress logins

Since you are a security expert or know more then I do, this should be simple. Provide picture proof.

This is not illegal, if you want more tasks just ask.
Bonus challenge: how do you crack netseal?

Bashful wrote @Minato_Kamikaze
1) By asking me, a hobbyist, to make a crackme to "prove" me wrong you are presenting the idea, to at least me, that I believe I have methods to circumvent security risks. I don't. I have methods that may work. This conversation was taken out of context from my original point of a simple security system with more to come later. If you didn't mean to point it out in this manner, or the other users didn't, then it should have been worded correctly to state your point.

2) If you are being serious in the response, I appreciate you realizing my aggravation and why so, not because you believe you are teaching me something.

3) I'm not implying that you or the other user are a skid, however you realize that most of the cracking methods you posted about revolve around products others made to do so.

It's like me calling myself a hacker by using metasploit to crack into websites and shells to ddos.

I use this example because this is more of my knowledge of vulnerabilities to an extent, sqli without program or application assistance as opposed to letting an application do your work.

4) that's fine. I was trying to state that even the smallest security will deter most users because, in reality, not everyone knows how to crack or knows enough to do so.

Everything is crackable. It's a matter of the security. You COULD also bruteforce an encryption key or password but certain variables increase time for example.

Like the Galaxy 5. It took months and a reward for anyone to be able to root the OS.

@0xCuddz
LOL yes because what I want to do on my free time is make a crack me so you could have your fun.

I work everyday. I'm not a child. I have things I need to do, like work and have a life away from my phone/computer. Why so you think I'm hardly on and almost always on the same time.

Want a task?
I'll give you several
1) SQLi, XSS several sites (not illegal plenty of sites allow this legally)
2) find a database through Google
3) find vulnerable cpanel and WordPress logins

Since you are a security expert or know more then I do, this should be simple. Provide picture proof.

This is not illegal, if you want more tasks just ask.
Bonus challenge: how do you crack netseal?

the bonus challenge is easy AF. netseal is a licensing system and not security at all. you deobfuscate the app, decompile, remove the netseal activation code and you're done.
As for the other stuff, im a cracker not a hacker.

0xCuddz wrote

Bashful wrote @Minato_Kamikaze
1) By asking me, a hobbyist, to make a crackme to "prove" me wrong you are presenting the idea, to at least me, that I believe I have methods to circumvent security risks. I don't. I have methods that may work. This conversation was taken out of context from my original point of a simple security system with more to come later. If you didn't mean to point it out in this manner, or the other users didn't, then it should have been worded correctly to state your point.

2) If you are being serious in the response, I appreciate you realizing my aggravation and why so, not because you believe you are teaching me something.

3) I'm not implying that you or the other user are a skid, however you realize that most of the cracking methods you posted about revolve around products others made to do so.

It's like me calling myself a hacker by using metasploit to crack into websites and shells to ddos.

I use this example because this is more of my knowledge of vulnerabilities to an extent, sqli without program or application assistance as opposed to letting an application do your work.

4) that's fine. I was trying to state that even the smallest security will deter most users because, in reality, not everyone knows how to crack or knows enough to do so.

Everything is crackable. It's a matter of the security. You COULD also bruteforce an encryption key or password but certain variables increase time for example.

Like the Galaxy 5. It took months and a reward for anyone to be able to root the OS.

@0xCuddz
LOL yes because what I want to do on my free time is make a crack me so you could have your fun.

I work everyday. I'm not a child. I have things I need to do, like work and have a life away from my phone/computer. Why so you think I'm hardly on and almost always on the same time.

Want a task?
I'll give you several
1) SQLi, XSS several sites (not illegal plenty of sites allow this legally)
2) find a database through Google
3) find vulnerable cpanel and WordPress logins

Since you are a security expert or know more then I do, this should be simple. Provide picture proof.

This is not illegal, if you want more tasks just ask.
Bonus challenge: how do you crack netseal?

the bonus challenge is easy AF. netseal is a licensing system and not security at all. you deobfuscate the app, decompile, remove the netseal activation code and you're done.
As for the other stuff, im a cracker not a hacker.

Netseal is also made by a scrub.



So....'cracker' doesn't have to just do with software. You claim to know a lot about security but you don't. This isn't necessarily hacking. Its all cracking into security and finding flaws.

Stop acting like you know everything about a field. You don't. SQLi would be useful for accessing databases apps use. Do you know how to find crypto keys? How about editing registry values? Changing program trial values? Redirecting server calls?