Bot-Factory 602 Posted March 8, 2014

Hi.

There are a lot of great plugins that can encrypt and decrypt data. The "problem" with those plugins is that it's not possible to encrypt / decrypt that stuff on a server backend via PHP / JS.

So I was playing around with the Google crypto-js "https://code.google.com/p/crypto-js/".

I had to include the JS code into the script. Downloading it via read file required to navigate to a website to execute the code.

The complete command is included in a Define function. So you can call the encrypt and decrypt function.

Attached is a txt file with the define function and short example.

Hope this helps someone.

Cheers
Dan

example.txt

Bot-Factory 602 Posted March 8, 2014 Author

Here's my ubot file. With a little UI to test the function. Executing JavaScript still depends on the browser. So you have to ensure that a website is loaded.

DanCrypto.ubot

whoami 26 Posted March 9, 2014

Let me tell you this is a very interesting thread. Yet I don't understand it totally.. I will take a look about it this month and update you what I have done when I play with it.

What I understand is that I can create sessions to grab data into database with hashkeys encrypt and unencrypt? Is this for secure sessions so database is protected?

What comes to best uses for this tool which are the 3 most important uses for you?

Bot-Factory 602 Posted March 9, 2014 Author

> Let me tell you this is a very interesting thread. Yet I don't understand it totally.. I will take a look about it this month and update you what I have done when I play with it.
> What I understand is that I can create sessions to grab data into database with hashkeys encrypt and unencrypt? Is this for secure sessions so database is protected?
> What comes to best uses for this tool which are the 3 most important uses for you?

Yes, that's exactly what I'm working on currently. I was looking for a way to encrypt / decrypt data within ubot. But with a technique that I can also use with PHP. So I needed some generic encryption / decryption routine.

At the moment I'm working on a PHP script that is able to take encrypted information via HTTP post, decrypt it and save it into a database. But with individual session keys, so that it doesn't matter if someone has a sniffer in between. They will not be able to steal or recreate the session.

Dan

brusacco 20 Posted March 9, 2014

We need some sha256 or crypt plugins in C# or built onto Ubot itself.

blumi40 222 Posted March 9, 2014

Dan, the idea is good, but have you thought about if someone decompiles your bot? Then they will find this routine.

I made nearly the same, but what I do I think is a bit more secure. I wrote a small bot which encrypts the complete SQL queries, so before I finish my bots I encrypt all SQL server scripts. That also gave me the option to handle all queries with one PHP site.

brusacco 20 Posted March 9, 2014

If someone gets to the point that he wants to decompile your bot (and has the skills to do that), well, there is almost nothing that you can do to stop it.

There are many good programs out there ... that wrap your app and crypt it, check IPs, domains, trial times ... and many other features like limited time licenses, 1 year for example, and many more.

Bot-Factory 602 Posted March 9, 2014 Author

> Dan, the idea is good, but have you thought about if someone decompiles your bot? Then they will find this routine.
> I made nearly the same, but what I do I think is a bit more secure. I wrote a small bot which encrypts the complete SQL queries, so before I finish my bots I encrypt all SQL server scripts. That also gave me the option to handle all queries with one PHP site.

The current idea is to not have the queries stored in the bot. They will be on the server only. But let me finish it and I will share it with the community. Then we can start optimizing.

But in my opinion it's always necessary to have some kind of client side encryption for your bots in place. I'm using Meters protection system for that. Works great so far.

Dan

blumi40 222 Posted March 9, 2014

brusacco, it is not the issue that any program can be decompiled, more the issue that some programs hold important routines on a server, like HMA VPN. To decompile that program is not the act, but to get needed data from the server. And sure, that is also possible, but we don't talk about NSA, we talk about script kiddies who think everything is free on the web.

Bot-Factory 602 Posted March 9, 2014 Author

> brusacco, it is not the issue that any program can be decompiled, more the issue that some programs hold important routines on a server, like HMA VPN. To decompile that program is not the act, but to get needed data from the server. And sure, that is also possible, but we don't talk about NSA, we talk about script kiddies who think everything is free on the web.

Yeah, security processes should always match the possible attack scenarios. It's not possible to prevent everything. And the more you want to secure something, the more expensive it gets.

The most critical part for me is that no one can intercept and change the communication from the bot and the backend server. And that one communication can not be repeated. Man in the middle stuff.

So I'm currently working on a unique session key which can only be used once. So even if someone intercepts the communication it is:

A: aes256 encrypted
B: has a unique session key, so that you can't send the same post command again.

Running a sniffer like Fiddler is much easier for a lot of people than decompiling an encrypted executable.

And hey... if everything else doesn't matter... at least it's fun to code it :-)

whoami 26 Posted March 9, 2014

> Yes, that's exactly what I'm working on currently. I was looking for a way to encrypt / decrypt data within ubot. But with a technique that I can also use with PHP. So I needed some generic encryption / decryption routine.
> At the moment I'm working on a PHP script that is able to take encrypted information via HTTP post, decrypt it and save it into a database. But with individual session keys, so that it doesn't matter if someone has a sniffer in between. They will not be able to steal or recreate the session.
> Dan

I am kinda learning Laravel in parallel with other technologies. I was thinking to extend sessions in Laravel to Ubot exe so it could verify the account and login, so every time the bot is running it sends data to the user id database. I guess this method will work for what I'm looking for, will let you know eventually how it is going.

Looking forward to really achieve this.

blumi40 222 Posted March 9, 2014

A man in the middle or Fiddler doesn't help... if you send the complete post encrypted, even the dbconnect and user... the only way to get at the raw data is bruteforcing...

Bot-Factory 602 Posted August 4, 2014 Author

> A man in the middle or Fiddler doesn't help... if you send the complete post encrypted, even the dbconnect and user... the only way to get at the raw data is bruteforcing...

Just spotted this reply. :-)

Just encrypting isn't enough. There must be some kind of session key involved. If not, someone could sniff the communication and resend it a hundred times. Which could flood the database.

They can't extract the data because it's encrypted, but without session keys, there is no protection against DOS.

Dan

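The one-time session key idea from the post above, sketched as an added example that is not part of the original thread or of Dan's script. It assumes Node's built-in crypto module with AES-256-GCM in place of crypto-js, a pre-shared key, and an in-memory store; the names issueSession, seal and openOnce are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: bot and backend share a 32-byte key (constructed at random here).
const KEY = crypto.randomBytes(32);
// Server-side store of issued, still-unused session ids -> expiry time (ms).
const issued = new Map();

// Server: issue a random session id that is valid once, for a short time.
function issueSession(now = Date.now(), ttlMs = 30000) {
  const id = crypto.randomBytes(16).toString('hex');
  issued.set(id, now + ttlMs);
  return id;
}

// Client: encrypt with AES-256-GCM. The session id is bound as associated
// data, so swapping in a fresh id invalidates the authentication tag.
function seal(sessionId, plaintext, key = KEY) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(sessionId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { sessionId, iv, ct, tag: cipher.getAuthTag() };
}

// Server: accept a message only if its session id is known, unexpired and
// the tag verifies; then consume the id so a resent copy is rejected.
function openOnce(msg, now = Date.now(), key = KEY) {
  const expiry = issued.get(msg.sessionId);
  if (expiry === undefined) return { ok: false, reason: 'unknown-or-used-session' };
  if (now > expiry) {
    issued.delete(msg.sessionId);
    return { ok: false, reason: 'expired' };
  }
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
    d.setAAD(Buffer.from(msg.sessionId));
    d.setAuthTag(msg.tag);
    const data = Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8');
    issued.delete(msg.sessionId); // one-time use
    return { ok: true, data };
  } catch {
    return { ok: false, reason: 'bad-tag' }; // altered in transit or wrong key
  }
}
```

A failed tag check does not consume the session id, so a forged message cannot burn a legitimate client's session.
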
Code Docta (Nick C.) 638 Posted August 5, 2014

Thanks for this Dan,

Any luck with the session key?

dyvel 20 Posted January 26, 2015

Hi Dan

Interesting although a bit old thread - did you manage to get your idea into a working project?

Bot-Factory 602 Posted January 27, 2015 Author

> Hi Dan
> Interesting although a bit old thread - did you manage to get your idea into a working project?

Working on one remaining security issue with the php script. But will probably release it within the next 1-2 weeks.

Dan

dyvel 20 Posted January 27, 2015

Looking forward to seeing it :-)

Bot-Factory 602 Posted January 27, 2015 Author

Maybe you can help me a bit. Could you describe the use case for what you would like to use this?

At the moment you can send an encrypted / secure SQL query to a server (php script). And it will return the result of that query. The only challenge I have at the moment is the correct formatting of that reply. It can be returned in JSON format, but you can not directly import it into a ubot table or anything. So this is the part I'm still working on.

Dan

dyvel 20 Posted January 28, 2015

That's one of the cases I have thought about - a case could be an order form on a website - when the order is made and paid, the bot starts working to fulfill the order.

You could consider XML for the return. Was it Aymen who made an XML plugin?

Bot-Factory 602 Posted January 28, 2015 Author

> That's one of the cases I have thought about - a case could be an order form on a website - when the order is made and paid, the bot starts working to fulfill the order.
> You could consider XML for the return. Was it Aymen who made an XML plugin?

I'm not sure if I understand what you mean. This PHP script I'm working on is to communicate with YOUR server and YOUR database. So that you can load and save data from a cloud mysql database. But instead of using the built in sql commands (which is not secure when you sell your bot). You can communicate with your database via HTTP post in a secure way.

Dan

Bot-Factory 602 Posted January 28, 2015 Author

I added the first version to my website. There's also a video with some more details: http://www.bot-factory.com/downloads/php-sql-script-ubot-studio/

Cheers
Dan

dyvel 20 Posted January 28, 2015

Let me try to explain - we are talking about the same functions. My idea was just a specific case, as I also don't like to talk directly to an online database from ubot.

But I had an idea, that I would create a "service" - selling something a ubot could do. I would set up a website with a mysql backend. I could talk directly with the database and query for new sales, perform the action and return it to the customer - all without my involvement.

But to do it right, I would prefer a secure connection between the bot and my database. Your idea using session variables and encrypted message strings sounds like a good idea.

I also have another idea, but I'm not quite ready to share that one yet.