UBot Underground

[FREE] Google Crypt.js - AES Encryption / Decryption



Hi.

There are a lot of great plugins that can encrypt and decrypt data.

The "problem" with those plugins is that it's not possible to encrypt / decrypt that stuff on a server backend via PHP / JS.

So I was playing around with the Google crypto-js "https://code.google.com/p/crypto-js/"

I had to include the JS code into the script. Downloading it via read file required to navigate to a website to execute the code.

The complete command is included in a Define function.

So you can call the encrypt and decrypt function.

Attached is a txt file with the define function and short example.

Hope this helps someone.

Cheers

Dan

example.txt

Link to post
Share on other sites

Let me tell you, this is a very interesting thread. Yet I don't understand it totally. I will take a look at it this month and update you on what I have done when I play with it.

What I understand is that I can create sessions to grab data into database with hashkeys encrypt and unencrypt? Is this for secure sessions so database is protected?

When it comes to best uses for this tool, which are the 3 most important uses for you?

Link to post
Share on other sites


Yes, that's exactly what I'm working on currently. I was looking for a way to encrypt / decrypt data within ubot. But with a technique that I can also use with PHP.

So I needed some generic encryption / decryption routine.

At the moment I'm working on a PHP script that is able to take encrypted information via HTTP post, decrypt it and save it into a database.

But with individual session keys, so that it doesn't matter if someone has a sniffer in between. They will not be able to steal or recreate the session.

Dan

Link to post
Share on other sites

Dan, the idea is good, but have you thought about what if someone decompiles your bot?

So they will find this routine.

I made it nearly the same, but what I do I think is a bit more secure.

I wrote a small bot which encrypts the complete SQL queries,

so before I finish my bots I encrypt all SQL server scripts.

That also gave me the option to handle all queries with one PHP site.

Link to post
Share on other sites

If someone gets to the point that he wants to decompile your bot (and has the skills to do that), well, there is almost nothing that you can do to stop it.

There are many good programs out there ... that wrap your app and crypt it, check IPs, domains, trial times ... and many other features like limited time licenses, 1 year for example, and many more.

Link to post
Share on other sites

The current idea is to not have the queries stored in the bot. They will be on the server only.

But let me finish it and I will share it with the community. Then we can start optimizing.

But in my opinion it's always necessary to have some kind of client side encryption for your bots in place. I'm using Meters protection system for that.

Works great so far.

Dan

Link to post
Share on other sites

brusacco, it is not the issue that any program can be decompiled, more the issue

that some programs which hold important routines on a server, like HMA VPN:

decompiling that program is not the act, but to get the needed data from the server.

And sure, that is also possible, but we don't talk about the NSA, we talk about script kiddies

who think everything is free on the web.

Link to post
Share on other sites

Yeah, security processes should always match the possible attack scenarios. It's not possible to prevent everything.

And the more you want to secure something, the more expensive it gets.

The most critical part for me is that no one can intercept and change the communication between the bot and the backend server.

And that one communication cannot be repeated. Man in the middle stuff.

So I'm currently working on a unique session key which can only be used once. So even if someone intercepts the communication it is:

A: aes256 encrypted

B: has a unique session key, so that you can't send the same post command again.

Running a sniffer like Fiddler is much easier for a lot of people than decompiling an encrypted executable.

And hey... if everything else doesn't matter... at least it's fun to code it :-)

Link to post
Share on other sites

I am kinda learning Laravel in parallel with other technologies. I was thinking to extend sessions in Laravel to the Ubot exe so it could verify the account and login, so every time the bot is running it sends data to the user id database. I guess this method will work for what I'm looking for, will let you know eventually how it is going.

Looking forward to really achieving this.

Link to post
Share on other sites

A man in the middle or Fiddler doesn't help...
if you send the complete post encrypted, even the dbconnect and user...
the only way to get at the raw data is brute-forcing...

Link to post
Share on other sites
  • 4 months later...

Just spotted this reply. :-)

Just encrypting isn't enough. There must be some kind of session key involved. If not, someone could sniff the communication and resend it a hundred times.

Which could flood the database. They can't extract the data because it's encrypted, but without session keys, there is no protection against DoS.

Dan

Link to post
Share on other sites
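
Added example (not from the thread, and not Dan's PHP script): the single-use session key idea described in the posts above, written for Node.js. It assumes Node's built-in crypto module with AES-256-GCM in place of crypto-js, a pre-shared key, and an in-memory token store standing in for the server's database; all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real deployment provisions its 32-byte key out of band.
const KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
const issued = new Map(); // server state: token -> expiry time in ms

// Server: hand out a random token that is good for exactly one request.
function issueToken(ttlMs = 60000, now = Date.now()) {
  const token = crypto.randomBytes(16).toString('hex');
  issued.set(token, now + ttlMs);
  return token;
}

// Client: the token is GCM associated data, binding the ciphertext to it.
function seal(token, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  c.setAAD(Buffer.from(token));
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const data = Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
  return { token, data };
}

// Server: accept a POST only while its token is live, and burn the token.
function accept(post, now = Date.now()) {
  const expiry = issued.get(post.token);
  if (expiry === undefined) return { ok: false, reason: 'unknown-or-used-token' };
  issued.delete(post.token); // single use, even if the checks below fail
  if (now > expiry) return { ok: false, reason: 'expired-token' };
  const raw = Buffer.from(String(post.data), 'base64');
  if (raw.length < 28) return { ok: false, reason: 'malformed' };
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    d.setAAD(Buffer.from(post.token));
    d.setAuthTag(raw.subarray(12, 28));
    const text = Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    return { ok: true, text };
  } catch {
    return { ok: false, reason: 'tampered' };
  }
}

// Constructed exchange: one genuine POST, a sniffed resend, a token swap.
function demo() {
  const post = seal(issueToken(), 'user=42&action=save');
  return { first: accept(post), replay: accept(post),
           moved: accept({ token: issueToken(), data: post.data }) };
}
```

The resend is refused because its token was consumed by the first request, and the captured ciphertext fails authentication when attached to a fresh token.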
  • 5 months later...

Hi Dan

Interesting although a bit old thread - did you manage to get your idea into a working project?

Working on one remaining security issue with the php script.

But will probably release it within the next 1-2 weeks.

Dan

Link to post
Share on other sites

Maybe you can help me a bit. Could you describe the use case for what you would like to use this?
At the moment you can send an encrypted / secure SQL query to a server (php script). And it will return the result of that query.

The only challenge I have at the moment is the correct formatting of that reply. It can be returned in JSON format, but you cannot directly import it into a ubot table or anything.
So this is the part I'm still working on.

Dan

Link to post
Share on other sites

That's one of the cases I have thought about - a case could be an order form on a website - when the order is made and paid, the bot starts working to fulfill the order. You could consider XML for the return. Was it Aymen who made an XML plugin?

Link to post
Share on other sites

I'm not sure if I understand what you mean. This PHP script I'm working on is to communicate with YOUR server and YOUR database. So that you can load and save data from a cloud mysql database. But instead of using the built-in sql commands (which is not secure when you sell your bot), you can communicate with your database via HTTP post in a secure way.

Dan

Link to post
Share on other sites

Let me try to explain - we are talking about the same functions. My idea was just a specific case, as I also don't like to talk directly to an online database from ubot. But I had an idea, that I would create a "service" - selling something a ubot could do. I would set up a website with a mysql backend. I could talk directly with the database and query for new sales, perform the action and return it to the customer - all without my involvement  :)

 

But to do it right, I would prefer a secure connection between the bot and my database. Your idea using session variables and encrypted message strings sounds like a good idea. I also have another idea, but I'm not quite ready to share that one yet  ^_^

Link to post
Share on other sites
  • 11 months later...
