A user online approached me about writing a tool to help manage licenses for a paid game modification they developed. They wanted to be able to sell the modification, but feared people would redistribute it. To solve this, I volunteered to write a total authentication and injection solution that solved his problems. Not only did it add authentication, but it has a built in launcher, updater, and is fully obfuscated.
The Interface uses WinForms to create and dynamically adjust the contents based on what is needed at that point in time. When the user opens the application, they enter their login details (or it is loaded by the autosave function) and can also navigate to the options page to edit their game path or toggle autosave. The user flow is designed to be as minimal as possible, and in most cases, users just log in and inject the mod.
The bulk of the interface uses tabs that are dynamically added and removed. For example, the injector is not visible until the user is logged in, and the command line is not accessible unless the application is in developer mode.
The application goes through a very simple workflow at startup. First, it downloads a public JSON file using a WebClient from a Google Cloud VM instance that contains basic information such as the latest version, any urgent messages, and a download URL for the latest binary. If the server cannot be reached, the application pings a time server to determine if the server is down, or the internet cannot be reached and displays a message to the user. After the JSON is downloaded, it is parsed using JSON.NET and processed by the application.
When the user enters their Auth Token and PIN, the auth token and PIN are encrypted locally using a hardcoded password that changes every update (the author wanted old launchers to be obsolete when updated), and the resulting string is sent to a Google Cloud VM instance that decrypts it and checks for the user in a Google Spreadsheet. (all server side) It then returns whether the user exists, and if so, includes their purchased “tier.” This is the most effective method when keeping costs minimal (literally cents a day using a Google Cloud VM instance) and designed to keep the vast majority of users from breaking through.
The mod author was very worried his tool would be used to harass other players, so I implemented a tempban and ban feature. This allowed the mod author to respond to user reports by issuing temporary bans or permanent bans and also allowed them to specify a reason that is displayed to the user at a login attempt.
The modification for the game is written in C++. Once injected into the game’s process, the mod calls a simple function I wrote that decrypts the localauthkey.dat generated by the application using a key that cycles every update. This file contains the username, paid tier, and date generated in Unix time. (Anything over 30 minutes old is ignored to prevent users from just sharing auth files)