[OFF-TOPIC] How to secure client-server connection...
As I can't get help anywhere, I will ask the CO2 professionals [I am sorry for the off-topic post, but I am sure I will find the best help here]. I am developing a client-server application, and I will describe the client/server roles just to make things clear.
When the client is opened, it creates a connection to the server [which is a socket server that listens for and handles received packets; you may think of it like the CO2 server], then asks for a username and password.
When the user types his/her username and password, the client sends them to the server; here comes the server's role. The server compares them to the ones in the database, then sends back the response, which is either a Login Fail packet or a Login Succeed packet.
So what I want to achieve here is to make this process secure, so that no one could easily log my Login Succeed packet and send it to my client to fool it and gain access with an invalid username and password.
Please, I want the best security for my app because it will handle crucial information.
[NOTE]: I implemented DH key exchange to secure my connection once, but I found that it is very vulnerable to MITM attacks.
You're looking at it the wrong way currently anyway, irrespective of how you secure your data.
If the client's requested username and password aren't in the database, the server should reject the client and disconnect them. The client should never EVER be allowed to just continue onwards after being rejected on the server's side, irrespective of what packets you send to the client.
Christ, forget about securing your connection until you've got this simple fact into your head: the client that connects to your server can never be trusted. You give the client the smallest amount of information that you can get away with, and give it as little control as possible. You never ever allow the client to continue onwards just because it happens to receive a packet; the server is the one that should be in control of the flow of information at all times. The client is merely informed of changes on the server; that's as far as it goes.
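What "the server is in control of the flow" looks like in code, as an added example that is not from the original thread: a server-side handler that keeps all login state per connection, accepts only a LOGIN packet before authentication, drops the socket on any failure, and gates every later request on a server-issued random session token. The packet format (dicts with an "op" key), the user table and the passwords are constructed for the example; the password hashing uses stdlib PBKDF2 so it runs offline. A replayed "Login Succeed" packet into a client buys the attacker nothing here, because the data the client wants is only ever sent against a session the server itself created.

```python
import hashlib
import hmac
import secrets

_ITER = 100_000  # PBKDF2 work factor; tune for your hardware

# Constructed user table for the example: username -> (salt, PBKDF2 hash, expired?)
_USERS = {}


def _add_user(username, password, expired=False):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)
    _USERS[username] = (salt, digest, expired)


_add_user("alice", "correct horse battery staple")
_add_user("mallory", "expired-account-pw", expired=True)   # paid account that ran out


def _password_ok(username, password):
    """Constant-time check of a username/password pair against the table."""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, _ITER)
        return False
    salt, expected, expired = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)
    return hmac.compare_digest(candidate, expected) and not expired


class Connection:
    """Server-side state for one TCP client; the client holds nothing the server trusts."""

    def __init__(self):
        self.user = None     # set only after a successful LOGIN
        self.token = None    # random session id the client must echo afterwards
        self.open = True


def handle_packet(conn, packet):
    """Process one client packet and return the server's reply dict.

    Any protocol violation or failed login closes the connection; a closed
    connection never processes another packet, whatever the client sends.
    """
    if not conn.open:
        return {"op": "CLOSED"}
    op = packet.get("op")
    if conn.user is None:
        # Unauthenticated: the only legal packet is LOGIN with valid credentials.
        if op != "LOGIN" or not _password_ok(packet.get("user", ""), packet.get("pw", "")):
            conn.open = False
            return {"op": "LOGIN_FAIL"}
        conn.user = packet["user"]
        conn.token = secrets.token_hex(16)
        return {"op": "LOGIN_OK", "token": conn.token}
    # Authenticated: every later packet must carry the token this server issued.
    if not hmac.compare_digest(str(packet.get("token", "")), conn.token):
        conn.open = False
        return {"op": "CLOSED"}
    if op == "GET_DATA":
        return {"op": "DATA", "for": conn.user, "payload": "crucial information"}
    conn.open = False          # unknown op after login: drop, don't guess
    return {"op": "CLOSED"}
```

The token is only ever compared on the server, so a client that was told "LOGIN_OK" by a fake server still cannot fetch anything from the real one; that is the property to build the rest of the protocol around.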
I understand you, but let me give you an example.
In a bot like Conquer AI, the user must enter a valid [paid] account in order to use the bot. How could the owners make sure, at least 90%, that their client is not being fooled by a fake server [which handles the authentication instead of the real server]?
My problem is not with rejecting the client if there is a wrong ID and password; my problem is if someone with a paid account logs the Login Succeed packet from my server and, when his/her account expires, does the following [I know that because I used this trick before with another game's bot]:
1- Using the loopback adapter to redirect the bot's connection to 127.0.0.1
2- Creating a TcpListener to listen for the bot's connection
3- Once the username and password are sent to the server, the server replies with the Login Succeed packet ...
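The two points raised so far, that plain DH "is very vulnerable to MITM attacks" and that a TcpListener on 127.0.0.1 can answer the login in the real server's place, have the same fix on the wire: the client pins the real server's public key, and the server signs its half of the key exchange together with the client's half. The following is an added example, not code from the original post or from any bot; it uses only the Python standard library, Schnorr signatures over a toy 128-bit safe-prime group generated at import (an assumed parameter choice for speed; a real client would use TLS with certificate pinning or a standard 2048-bit group or curve), and assumed message/function names (server_hello, fake_server_hello, client_accepts). Both sides' messages are shown: the plain exchange where Mallory ends up with both session keys, and the signed exchange where a swapped value or a fake server is rejected.

```python
import hashlib
import secrets

# Toy group: a 128-bit safe prime p = 2q+1 generated at import (assumed, for speed).

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits):
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = _safe_prime(128)
G = 4                              # a quadratic residue: generates the order-q subgroup
_PLEN = (P.bit_length() + 7) // 8


def _h(*parts):
    """Hash an ordered list of group elements to a challenge in [0, Q)."""
    m = hashlib.sha256()
    for v in parts:
        m.update(v.to_bytes(_PLEN, "big"))
    return int.from_bytes(m.digest(), "big") % Q


# Schnorr signatures in the same group: the server's long-term identity key.
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, *msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), *msg)
    return e, (k - x * e) % Q


def verify(y, sig, *msg):
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P   # equals G^k only for a genuine signature
    return _h(r, *msg) == e


# Diffie-Hellman over the same group.
def dh_keypair():
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(_PLEN, "big")).digest()


def unauthenticated_mitm():
    """Plain DH: Mallory on the 127.0.0.1 redirect runs one DH with each side and
    holds both session keys. Returns True when she succeeds (she always does)."""
    a, A = dh_keypair()                    # client
    b, B = dh_keypair()                    # real server
    m, M = dh_keypair()                    # Mallory substitutes M in both directions
    return (shared_key(a, M) == shared_key(m, A) and
            shared_key(b, M) == shared_key(m, B))


SERVER_PRIV, SERVER_PUB = keygen()         # SERVER_PUB is the value pinned in the client


def server_hello(client_pub):
    """Real server: fresh DH value, signed together with the client's value so
    neither half can be swapped or replayed from another session."""
    b, B = dh_keypair()
    return b, B, sign(SERVER_PRIV, client_pub, B)


def fake_server_hello(client_pub):
    """The TcpListener on the loopback: it has a key, but not the server's."""
    attacker_priv, _ = keygen()
    _, B = dh_keypair()
    return B, sign(attacker_priv, client_pub, B)


def client_accepts(pinned_pub, client_pub, server_dh_pub, sig):
    """Client: continue only if the server's DH value verifies under the pin."""
    return verify(pinned_pub, sig, client_pub, server_dh_pub)


def authenticated_handshake(attacker=None):
    """attacker=None honest run; 'swap' MITM replaces B; 'fake' fake server answers."""
    a, A = dh_keypair()
    if attacker == "fake":
        B, sig = fake_server_hello(A)
    else:
        _, B, sig = server_hello(A)
        if attacker == "swap":
            _, B = dh_keypair()
    return client_accepts(SERVER_PUB, A, B, sig)
```

The caveat that matters for this thread: the pinned key lives inside the client binary. This stops a network attacker and an outsider's fake server, but an account holder who can patch or debug his own client can swap the pin just as easily as he redirected the socket, which is why the server must also keep the valuable work on its own side rather than trust a client that reports "logged in".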
The client would need to be protected against external debugging and memory alterations, and then hard-code the client to connect to a global server of yours; that's the only way to secure it. Any encryption on data transfer is pointless if the client isn't protected, as you can just use a memory hook to get the sent and received data after decryption.
I will get a Themida license. I think it is a good obfuscator?
I don't want this to happen to my app
Quote:
My problem is not with rejecting the client if there is a wrong ID and password; my problem is if someone with a paid account logs the Login Succeed packet from my server and, when his/her account expires, does the following [I know that because I used this trick before with another game's bot]:
1- Using the loopback adapter to redirect the bot's connection to 127.0.0.1
2- Creating a TcpListener to listen for the bot's connection
3- Once the username and password are sent to the server, the server replies with the Login Succeed packet ...