Dynamic Password – Logic

Authentication is very much important if you are programming Encryption or security tools. Generally we all apply a common logic to authenticate the user. Following are the very well known code :-

C code :-

char password[100];
printf("nntEnter your Password :: ");
gets(password);
if(strcpy(password,"secretpassword")==0)
{
printf("nntWelcome..");
/*------- Next applicatuon code ---------- */
}
else
{
printf("nntIntruder suspected...");
exit(0); // Application aborted

C# code :-

String password;
Console.Write("nntEnter Password :: ");
password=Console.Readline();
if(password=="secretpassword")
{
Console.Write("nntWelcome..");
/*------- Next applicatuon code ---------- */
}
else
{
Console.Write("nntIntruder suspected..");
/* appliction abortion code or as specified.. */
Image source from internet

But it has a major disadvantage. This code won’t help you to change the password. Once you code the application there would be no way to modify by the assembly code in ordinary manner. You can imagine a scenario where one of your friend has seen the password of the application, thereafter there’s no way to change it. Either you have to write another program or you have to take that friend under your confidence 😛 (..this seems to be ridiculous 😀 :D..)

Storing Password in some file seems the solution but it also carries some problems. Here the application becomes dependent on that file and would be worthless if the file gets deleted.

But there’s way by which you can store the password in the application itself. This is like playing with the executable code, where we’ll store the password in the executable in such a way that it doesn’t crashes it.

The Logic is simple. It includes following steps :-

  • Scan the Password
  • Create a copy/dummy of self
  • Encrypt the password and append it in that copy. Try to append it somewhere at the beginning of the copy. Be sure about the place where you append, else it can crash the EXE
  • Rename self with other name.
  • Rename the dummy to the application name
  • Self-Destruct the self

Similary to scan the password. It includes following step :-

  • Create a copy/dummy of self
  • Read the password from the dummy
  • Delete the dummy
  • Decrypt the password to get the actual password

Following is the deployment of the code in C. It’s tested in Borland C++ 5.02

#include <stdio.h>
#include <conio.h>
#include <stdlib.h>


char content[100];
void encryptstr(char *str,int key)
{

/* Customize your own or built-in encryption code */

long i=0;
char c;
while((c=str[i])!=NULL)
{
content[i]=c+key;
i++;
}
content[i]=NULL;
}

void decryptstr(char *str,int key)
{
/* Customize your own or built-in decryption code */

long i=0;
char c;
while((c=str[i])!=NULL)
{
content[i]=c-key;
i++;
}
content[i]=NULL;
}
void SelfDestruct(char *appname)
{

/* Customize your self-destruction code */

FILE *f;
f=fopen("Selfdestruct.bat","w");
fprintf(f,"@echo offnping -n 1 0 >NULnnnn");

fprintf(f,"del %snclsn",appname);



fprintf(f,"echo rjprozrjprozrjprozrjproz ");
fprintf(f," rjprozrjprozrjprozrjpro");
fprintf(f,"zrjproznecho rjprozrjprozrjpro");
fprintf(f,"zrjproz rjprozrjprozrjp");
fprintf(f,"rozrjprozrjproznecho rjproz ");
fprintf(f," rjproz ");
fprintf(f," rjproznecho rjproz ");
fprintf(f," rjproz r");
fprintf(f,"jproz necho rjproz ");
fprintf(f," rjproz rj");
fprintf(f,"proznecho rjproz rj");
fprintf(f,"proz rjprozn");
fprintf(f,"echo rjproz rjproz ");
fprintf(f," rjproznecho ");
fprintf(f,"rjproz rjproz ");
fprintf(f," rjproznecho rjpro");
fprintf(f,"z rjproz ");
fprintf(f," rjproznecho rjprozrjpr");
fprintf(f,"ozrjprozrjproz ");
fprintf(f," rjproznecho rjprozrjprozrjp");
fprintf(f,"rozrjproz rj");
fprintf(f,"proznecho rjprozrjproz ");
fprintf(f," rjprozn");
fprintf(f,"echo rjproz rjproz ");
fprintf(f," rjproznecho ");
fprintf(f,"rjproz rjproz ");
fprintf(f," rjproznecho rjpro");
fprintf(f,"z rjproz ");
fprintf(f," rjproznecho rjproz ");
fprintf(f," rjproz ");
fprintf(f," rjproznecho rjproz rjp");
fprintf(f,"roz rj");
fprintf(f,"proznecho rjproz rjproz ");
fprintf(f," rjprozn");
fprintf(f,"echo rjproz rjproz ");
fprintf(f," rjproznecho ");
fprintf(f,"rjproz rjproz ");
fprintf(f," rjproznecho rjpro");
fprintf(f,"z rjproz rjpr");
fprintf(f,"oz rjproznecho rjproz ");
fprintf(f," rjproz rjproz ");
fprintf(f," rjproznecho rjproz ");
fprintf(f," rjproz rjprozrjprozrj");
fprintf(f,"proznecho rjproz r");
fprintf(f,"jproz rjprozrjprozrjproz ");
fprintf(f," nnnnnping -n 3 0 ");
fprintf(f,">NULnnnnnnnnnnnnnnnnnnnnnnnnnn");
fprintf(f,"nnnnecho .necho .necho .necho .necho .necho .necho .necho ");
fprintf(f,".necho .necho .necho .nnecho S");
fprintf(f,"elf destructed successfully...");
fprintf(f,"......necho .necho .necho .nec");
fprintf(f,"ho .necho .necho .necho .necho .necho ");


fprintf(f,"Now terminate this program.......");

fprintf(f,"necho .necho .necho .necho .ne");
fprintf(f,"cho .necho .nping -n 2 0 >NULn");
fprintf(f,"del selfdestruct.bat");



fclose(f);

system("start "SElf Destruction" selfdestruct.bat");
exit(0);
}
void main(int arc,char *argv[])
{


printf("nntEnter 1 to change passwordnntElse press any other key to view passwordnntEnter your choice ::");
char pass[100],ck[100];
int i=0;
FILE *f;
char c=getch();
clrscr();
if(c=='1')
{
// Change pass

printf("nntEnter new password:: ");
gets(pass);
encryptstr(pass,9);
rename(argv[0],"todie.rj_proz_trans"); // argv[0] stores the full path of self
system("copy todie.rj_proz_trans newapp.rj_proz_trans");
f=fopen("newapp.rj_proz_trans","rb+") ;
fseek(f,25L,0); // This step is very important.. choosing right place to append the password

fprintf(f,"%s ",content);
fclose(f);
rename("newapp.rj_proz_trans",argv[0]);
SelfDestruct("todie.rj_proz_trans");
}
else
{
rename(argv[0],"doscomp.rj_proz_trans");
system("copy doscomp.rj_proz_trans dupli.rj_proz_ref");
rename("doscomp.rj_proz_trans",argv[0]);
clrscr();
f=fopen("dupli.rj_proz_ref","rb+") ;
fseek(f,25L,0);
while((c=getc(f))!=' ')
{
ck[i]=c;
i++;
}
ck[i]=NULL;
decryptstr(ck,9);
printf("nnttPassword is :: %s .",content);
getch();
fclose(f);
remove("dupli.rj_proz_ref");

}



Download this to see a demo application..


It is recommended to use one-way encryption like MD5 before storing the password.
If you are using dos commands to copy files in the code then don’t use spaces in the application name, i.e. you can name it as “dynamic_pass.exe” but not “dynamic pass.exe“.

Depending upon the compiler the right place to append the password may differ. You have to spent little time to study that with your own compiler. Keep that in mind that long password can crash the EXE as it can overwrite the EXE code 😛

Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *