Completely insecure, no offence #2
Comments
What is Resolved
pepper is like salt but system wide
I don't know much about cryptography but it sounds interesting. Do you have any links that could help me understand and learn?
I agree, this is just default .NET encryption, it's not that hard to make your own encryption algorithm. Also, the Project Owner pointed out he made it for legal purposes, but why would he add "Windows doesn't detect it" and "Virustotal" scan? If it's for fun, that shouldn't matter. And the .NET program can be disassembled within seconds, even if you obfuscate it. .NET is like Java, it's so easy to dump the original EXE.
Hey, I stopped coding in .net, so I don't really remember any, but I think fox learn can help point you in the right direction, and Microsoft docs are also good. Just keep in mind fox learn almost never explains thoroughly and almost never does the most efficient way to execute code. But Microsoft docs are wonderful, and if you ever need help you can post to reddit.com as well, they are really helpful. And if you need anything else feel free to reply to me, seriously, I love helping people.
Sup! While I agree, generally .net isn't the best if you don't want your code to be seen. But I disagree when you say it's so easy. Maybe if you obfuscate with ConfuserEx or something where everyone knows how it works, but something like netguard.io or something similar is EXTREMELY difficult to de-obfuscate, to the point that it's not worth it unless you're being paid a giant sum of $$, at least when I used to use it (it may have gotten patched now, I don't code in .net anymore). Thanks!
For a better encryption example, see my example at: https://github.com/imerzan/CryptoLocker/blob/master/IOWorker.cs Of course mine isn't meant to be reversed, or used to ransom, but the concept of encryption is more or less the same. Keep in mind, mine uses a random 32-byte key for each file lol. Instead of a password (which is easier to brute force), why not generate 32 crypto random bytes, and then you can POST those back to your remote? You could then use a Base64 string based on those bytes as a "decryption password". Considerations:
```csharp
using System;
using System.Security.Cryptography;

byte[] GetRandomBytesCrypto(int length) // Generate crypto-random byte array, can use for a key/salt, etc.
{
    using (var rng = new RNGCryptoServiceProvider())
    {
        byte[] bytes = new byte[length];
        rng.GetBytes(bytes);
        return bytes;
    }
}

byte[] key = GetRandomBytesCrypto(32); // Use for encryption, etc.
string decryptionPassword = Convert.ToBase64String(key); // Convert key to a Base64 string that is human readable.
// POST above string to your remote, can then provide for decryption (decryption program converts Base64 back to byte[])
```
Your encryption algorithm can easily be broken if someone finds the source code to this; all it does is shift the text inside of the file. If you want to be secure, when generating a key use sha-512.
Here is my function for sha-512; you need to pass it the text and a salt.
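```csharp
// Requires: using System; using System.Text; using System.Security.Cryptography;
// 'pepper' is not defined in this snippet; it has to be declared elsewhere in the class.
public static string hash(string inp, string salt)
{
    SHA256 s = SHA256.Create(); // create new SHA256
    byte[] hashit = Encoding.UTF8.GetBytes(inp + salt + pepper); // convert to bytes and add salt + pepper
    string hashed = Convert.ToBase64String(s.ComputeHash(hashit)); // hash
    return hashed;
}
```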
When encrypting and decrypting you also make it difficult on yourself while making it insecure. You should be sending the key, initialization vector and the salt to the webserver, and encrypting files with AES-256 CBC. Here is the function I use for that as well.
Decryption is pretty straightforward, just reverse that lol.
```csharp
public static byte[] encryptdata(byte[] bytearraytoencrypt, string key, string iv) // make it byte just in case we need to encrypt a file 🤷
{
    try
    {
```
Anyways, not trying to be offensive, just giving constructive criticism.
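
For contrast with the single-pass salted and peppered hash posted above, this added example (not from the thread or the project) shows salt and pepper in their usual setting, password storage: a random per-record salt, a system-wide pepper applied as an HMAC key, and a slow KDF. It assumes .NET 6 or later; `PasswordStore`, the `salt$hash` record format and the iteration count are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordStore
{
    const int Iterations = 600_000; // assumed work factor; tune to your hardware
    const int SaltLen = 16, HashLen = 32;

    // Salt: random per record, stored next to the hash.
    // Pepper: one system-wide secret, kept outside the database.
    public static string Hash(string password, byte[] pepper)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] hash = Derive(password, salt, pepper);
        return Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored, byte[] pepper)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 2) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; } // malformed record
        // Constant-time comparison avoids leaking how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(Derive(password, salt, pepper), expected);
    }

    static byte[] Derive(string password, byte[] salt, byte[] pepper)
    {
        // Pepper is used as an HMAC key rather than concatenated into the input.
        using var hmac = new HMACSHA256(pepper);
        byte[] peppered = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
        // PBKDF2 makes each guess expensive; a single SHA-2 pass does not.
        return Rfc2898DeriveBytes.Pbkdf2(peppered, salt, Iterations,
                                         HashAlgorithmName.SHA256, HashLen);
    }
}
```

Two calls to `Hash` with the same password produce different records because of the salt, and a record copied out of the database cannot be verified without the pepper.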