How to do magic number in a file?

Guy Fawkes(Posted 2013) [#1]
Hi all. How would I create & use a magic number in a file, to check for tampering of the file?

Thank You!


Yasha(Posted 2013) [#2]
You wouldn't.

1) Completely unrelated to what magic numbers are for

2) There is no way to check for tampering using a file's contents

3) For the twelve-thousandth time, stop trying to abuse your users. You have no right to tell people what files they can and can't run, and as a point of principle, this avenue is not one you should be investigating


The correct way to do this would be with a hash or checksum: a mathematical function applied to the complete contents of a data file and the result compared to a value stored safely somewhere else, not part of the data file (if it were part of the file, it would be trivial to change it to match the requirement).

Doing this is in turn completely pointless unless you have an online verification system that can communicate with a remote server, as if the checksum is stored anywhere in your distributed software (e.g. compiled into the exe), a hacker will find it and will simply hex edit your program to contain the desired value.

Also, for all but the most advanced hashing functions, there are tools that allow users to tweak data so it produces the right result code because all such functions get reversed eventually. e.g. MD5 is completely useless for security purposes for this reason as it can be broken in a matter of seconds.


So not only is it highly morally questionable, it's also a waste of your time: this is the sort of thing governments and megacorps spend millions of dollars on to try and come up with a security measure that will take the punks at 4chan more than 24 hours to defeat.


Bobysait(Posted 2013) [#3]
Just write the bytes of the file signature at the beginning

For example, a b3d starts with 4 chars "B"+"B"+"3"+"D"

; Write the 4-byte "BB3D" signature at the start of the file
MyStream = WriteFile("Myb3d.b3d")
WriteByte(MyStream, Asc("B"))
WriteByte(MyStream, Asc("B"))
WriteByte(MyStream, Asc("3"))
WriteByte(MyStream, Asc("D"))
CloseFile(MyStream)

And Voila.

To use it, just read the tag byte by byte and check on each loop (up to a maximum length) whether the tag matches a parser you have.
e.g.: if you find BB3D then you can launch a b3d parser (if you have any)


I remember some files don't have the signature at offset "0" (the signature can be somewhere else, but it's really not typical)


For the "tampering", I don't even know what it is ...

[edit]
mmmm ... ok, I just went and looked at what "tampering" is.
Unless you use some user32 function to get the timestamps of the file (for edition vs creation) of course, its signature is absolutely not relevant.
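
An added example, not part of the thread and not any poster's code: Python is used because it ships SHA-256, and the block contrasts the "BB3D" signature check from post #3 with the out-of-file hash comparison described in post #2. The `offset` parameter, the sample payload and the function names are assumptions made for illustration.

```python
import hashlib

MAGIC = b"BB3D"  # 4-byte signature from the post above

def has_magic(data: bytes, offset: int = 0) -> bool:
    """Format identification: is the signature present at `offset`?"""
    return data[offset:offset + len(MAGIC)] == MAGIC

def content_digest(data: bytes) -> str:
    """SHA-256 over the complete file contents, signature included."""
    return hashlib.sha256(data).hexdigest()

def is_unmodified(data: bytes, recorded_digest: str) -> bool:
    """Integrity check against a digest recorded outside the file."""
    return content_digest(data) == recorded_digest

def demo() -> dict:
    # Constructed sample data, not a real .b3d file.
    original = MAGIC + b"level=1;gold=100"
    recorded = content_digest(original)  # kept somewhere other than the file
    edited = original.replace(b"gold=100", b"gold=999")
    return {
        "original_magic": has_magic(original),
        "edited_magic": has_magic(edited),  # signature bytes were not touched
        "original_intact": is_unmodified(original, recorded),
        "edited_intact": is_unmodified(edited, recorded),
        "wrong_format": has_magic(b"RIFF....WAVE"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The edited file still carries a valid signature, so the magic number only tells a loader which parser to use; the change shows up only in the digest comparison.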


Rroff(Posted 2013) [#4]
Checking for tampering is one thing - tho trying to stop users editing or extracting from datafiles is a complete waste of your time and resources. The only way to effectively do it means low level compromising an end user's machine which is a big no no. I refuse to use any software that has DRM beyond simple stuff for checking for cheating online - anything that uses ring0 IO filtering doesn't get within a mile of my PCs.


virtlands(Posted 2013) [#5]
Well Thundros, I haven't had time to study this option in depth, so the following is only a good guess:

You can do something similar to PureBasic's PureValid library, shown at the link:
http://www.purebasic.fr/english/viewtopic.php?t=9825

{ Can ultimately be turned into a DLL, and therefore be accessed by Blitz3D too }
;------------------ sample code ------------------
PureValid_CheckFile(EncryptionKey.s)

Returned values :

1 if EXE is valid ;
0 if EXE is corrupt (program stops) .
;-------------------------------------------------

The strong point there is that even if 'hackers' know that the validation
info is located at the end of the EXE, there is still the complication that they do not know the Encryption Key. Hence, any changes made to the 'body' of the program will still have to be encrypted with your special key that they don't know, and will be matched up with the end point validation.

Or, something like that...

Maybe, put several validations, hidden in several places of the body of the program. Each validation checks on the other validations inclusively as part of the 'body' of the program, etc.

Eventually the hackers will get exhausted changing 'validation codes',
because there is more than one validation code, and each validation code
mutually checks on the validity of every other validation code. Is that possible?
;--------------------------------------------------------------------------

As an alternative to the "PureValid" idea, you can make your program's code so horrifically cryptic and complex that
only you know what the code does and how it does it.

Therefore anyone else (including hackers) that shall try to decipher your stuff will just give up.

I'm sure there are ways to make stuff more complicated than it needs to be.
Maybe you can use random numbers in various obfuscation techniques. :)

Integer obfuscation Techniques:
http://stackoverflow.com/questions/2565478/integer-id-obfuscation-techniques

How to obfuscate Integers:
http://raymorgan.net/web-development/how-to-obfuscate-integer-ids/

Gray Code:
http://en.wikipedia.org/wiki/Gray_code

Obfuscation:
http://en.wikipedia.org/wiki/Obfuscation
;-----------------------------------------------------------
Some more options: You can use various programs to compress your EXE; this will further make your program hard to alter.

UPX - executable packer { is free! }
http://upx.sourceforge.net/#downloadupx

PEtite - { very nice & free }
http://www.un4seen.com/petite/

Expressor v1.8 {is not free}
http://www.cgsoftlabs.ro/express.html

The AsPack programs for Compression + Protection, { not free }
http://www.aspack.com/aspack.html

PEcompact { not free }
http://bitsum.com/pecompact.php

Other EXE file compression comparisons:
http://www.maximumcompression.com/data/exe.php
;-----------------------------------------------------------
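
An added example, not part of the thread and not PureValid's code or algorithm: it swaps in HMAC-SHA256 as the keyed check and compares an unkeyed end-of-file trailer with a keyed one when the body is edited by someone who lacks the key. The key, the sample bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of a SHA-256 / HMAC-SHA256 value in bytes

def seal_plain(body: bytes) -> bytes:
    """Append an unkeyed SHA-256 of the body as the trailer."""
    return body + hashlib.sha256(body).digest()

def seal_keyed(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 of the body, computed with a secret key."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check_plain(blob: bytes) -> bool:
    if len(blob) < TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(body).digest(), tag)

def check_keyed(blob: bytes, key: bytes) -> bool:
    # Verification needs the same key that sealed the file, so the check
    # is only as private as the place the key is kept.
    if len(blob) < TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)

def edit_without_key(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Model an edit by someone who knows the layout but not the key:
    change the body, then rewrite the trailer with a plain SHA-256."""
    return seal_plain(blob[:-TAG_LEN].replace(old, new))

def demo() -> dict:
    key = b"constructed-demo-key"           # sample value, not a real key
    body = b"constructed program image v1"  # sample bytes, not a real EXE
    plain, keyed = seal_plain(body), seal_keyed(body, key)
    return {
        "plain_ok": check_plain(plain),
        "keyed_ok": check_keyed(keyed, key),
        "plain_after_edit": check_plain(edit_without_key(plain, b"v1", b"v2")),
        "keyed_after_edit": check_keyed(edit_without_key(keyed, b"v1", b"v2"), key),
        "keyed_bitflip": check_keyed(keyed[:-1] + bytes([keyed[-1] ^ 1]), key),
    }
```

The unkeyed trailer still validates after the edit because the trailer can be recomputed from the new body alone; the keyed trailer does not.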