Is my application SECURED.. How to protect?


Question


I made a Windows application in C# with an SQL database, and I want to sell this application, so I protected my application by the following steps:
- Create the serial number of the application based on the fingerprint of the client PC.
- Put this serial number in the database to check it against the fingerprint whenever the program is started.
Please, what is the expected hacking on this application? And how do I protect my application against it?

Recommended answers

If you simply validate the serial number from the DB against the input, it is not secure. The if(input serial == db serial) is just a simple jump instruction in the disassembly. Changing the jump the other way is just changing a byte value in a hex editor.

What you can do is have the serial digested with a salt and keep the serial, and the resulting hash after digestion has to be custom encrypted and stored in global memory. Your decryption function should be strong enough that reverse engineering is not possible. Check the validity of this salt-digested hash against the serial in many places of your application. So it is not simply a jump, but the hacker does not escape from providing a valid serial or completely reverse-engineering your app.

Apart from that, keep the serial in the database encrypted.

Hope this helps.

I am adding more points here as per your question.

A lightweight comparing function based on two global variables will not be a significant issue in performance, so it can be called in many places.

Keeping fake function names only helps to prevent newbie hackers.

The detailed workflow of what I suggested here is...

1) When the user swipes, digest the input serial in a way and store it in the app memory. Not the same way encrypted as you did for the original serial, because if you did it the same way this input is supposed to result in the same hash you stored in the database. As you are going to get the real hash also in the app, a hacker can swap the real hash to the input hash. Then the comparison of both results fruitful. So this input has to be hashed in a different way than you did for the original hash, and it results in a different hash.

2) Get the encrypted serial from the database and store it in memory.

3) Now the input hash you stored in step 1 and the real hash from the database in step 2 have to be subjected to mathematical operations. For example, if the user inputs/swipes correctly the mathematical operations may result in zero. Dividing a zero with another number will result in an exception. So if an incorrect serial is provided it will result in an exception. On the exiting event you can show the message of an unauthorised user.

The basic idea is not using an if condition, but a complex mathematical operation which results in an exception if the correct serial is not provided.

Checking this function in different major functions of your app doesn't significantly affect the performance, as it is simply a few math operations on two variables in memory which cost a few CPU cycles, not a big issue in present-day computers. However, the little performance issue (though insignificant) will be a tradeoff when security is given importance.
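The three-step workflow from the answer above, as an added Python example that is not part of the original post: the vendor issues an HMAC serial from the machine fingerprint, the database keeps only a salted digest, the typed serial is digested with a different (XOR-masked) transform, and the checkpoint is arithmetic that raises instead of branching. VENDOR_KEY, SAMPLE_MACHINE and the mask are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders: a real app reads these from the machine, and the
# vendor keeps VENDOR_KEY offline (it never ships inside the client).
VENDOR_KEY = b"vendor-signing-key-placeholder"
SAMPLE_MACHINE = {"mac": "00-11-22-33-44-55", "volume": "A1B2-C3D4", "cpu": "BFEBFBFF000306A9"}

def machine_fingerprint(fields: dict) -> str:
    """Canonicalise hardware fields into a stable fingerprint string."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hashlib.sha256(canonical.encode()).hexdigest()

def issue_serial(fingerprint: str, vendor_key: bytes) -> str:
    """Vendor side: serial = HMAC(fingerprint); only the key holder can mint one."""
    return hmac.new(vendor_key, fingerprint.encode(), hashlib.sha256).hexdigest()[:24].upper()

def stored_digest(serial: str, salt: bytes) -> bytes:
    """What the database keeps: a salted PBKDF2 digest of the serial, not the serial."""
    return hashlib.pbkdf2_hmac("sha256", serial.encode(), salt, 50_000)

def activate(serial: str) -> tuple:
    """Activation (run once): pick a salt and write the salted digest to the DB."""
    salt = secrets.token_bytes(16)
    return salt, stored_digest(serial, salt)

def masked_input_digest(serial: str, salt: bytes, mask: bytes) -> bytes:
    """Step 1: digest the typed serial differently (XOR-masked here) so the
    in-memory input value is never byte-identical to the database value."""
    return bytes(x ^ y for x, y in zip(stored_digest(serial, salt), mask))

def checkpoint(input_digest: bytes, db_digest: bytes, mask: bytes) -> int:
    """Step 3: arithmetic instead of a single if. Unmask, XOR against the DB
    digest, then divide so a mismatch raises ZeroDivisionError, not a branch."""
    unmasked = int.from_bytes(bytes(x ^ y for x, y in zip(input_digest, mask)), "big")
    difference = unmasked ^ int.from_bytes(db_digest, "big")
    return 1 // (1 - min(difference, 1))  # 1 when equal, ZeroDivisionError otherwise

def is_valid(typed_serial: str, salt: bytes, db_digest: bytes) -> bool:
    """Client-side check; a fresh mask per call keeps the in-memory value moving."""
    mask = secrets.token_bytes(32)
    try:
        return checkpoint(masked_input_digest(typed_serial, salt, mask), db_digest, mask) == 1
    except ZeroDivisionError:
        return False
```

Every step of the check still executes on the client, so this raises the effort of patching the comparison but does not make the serial unforgeable for someone who controls the program's memory.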


It's very hard to say what the security issues in an application are without doing an extensive study of it. If it is a Windows application, then you should check for common security vulnerabilities in Windows client applications. If it is going to connect and communicate on a network at some point, then you have a different story. It depends on how your application was built and what it's going to do. If it's got a database, you should start with the preliminaries: SQL injection attacks, password hash attacks, etc.


If your app and DB are on the same machine (physically), for starters you could obfuscate your code to make it harder to reverse-engineer your files:
blogs.msdn.com/b/ericgu/archive/2004/02/24/79236.aspx


You could also secure the DB connection string by encryption:
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx

