Hardening — Anti-Cheat · Anti-RE · Anti-Inject

Production-grade protection for LibreAuth — configure server and client to maximize bypass resistance.

WARN

No system is 100% unhackable — the goal is to make attacks costly and slow enough to deter attackers, while enabling fast server-side detection.

Three-Layer Overview

Layer	Protects Against	LibreAuth
Server	Replay, session hijack, forged hash, VPN/proxy	IntegrityGuard, HashCore, HWID lock, rate limit
Wire	MITM sending forged JSON success responses	Ed25519 + HMAC, AES enckey
Client	RE, binary patching, DLL injection, debugger	Obfuscator + hardening.hpp + hash on init

Panel — Lockdown Settings (Recommended)

App → Settings → Access Controls — enable these before production release:

Setting	Value	Reason
Require Sign	ON	Force client Ed25519 verification — blocks fake responses
Anti-Tamper (integrity_guard)	ON	Master switch — HWID-bound session, digest replay protection
Hash Check	ON	Whitelist MD5 of release-built exe only
Bind Session IP (strict_ip)	ON*	Session bound to IP — *disable if users change IP frequently
Anti Replay (nonce chain)	ON	Client returns nonce on every request after init
HWID Lock / Force HWID	ON	One key per machine · require hwid on every request
Token File Check	ON (C++)	token.dat + thash on init — blocks bare client copy
Block VPN	As needed	Block alt accounts / proxy login
Session TTL	Short (e.g. 6–24 hrs)	Harder to reuse stale sessions
Max Login Fails	5–10	Prevent username/password brute force

TIP

After enabling Hash Check — remove dev build auto-captured hashes from the Hashes tab · whitelist only obfuscated exe files

Wire — MITM / Fake API Protection

Enable Require Sign in the panel
Client verifies X-Signature-Ed25519 + timestamp before parsing JSON — see Response Signing
Send 35-char enckey on init → AES-encrypted body — wire capture via Fiddler is unreadable
Do not embed Application Secret in the client — use Ed25519 public key only
HTTPS only · pin certificate in native client when possible

Hash Check — Binary Patch Protection

Build release → obfuscate (VMProtect / Themida) → then compute MD5
Panel → Hashes → add MD5 of the actual exe (drag & drop)
Client sends hash= on every init call
Even a 1-byte jmp/nop patch → MD5 changes → server rejects

Fix errors: Hash troubleshooting

Reverse Engineering — Making RE Harder

Server protects the wire · but attackers can open the exe in x64dbg if the client is not hardened:

Technique	Purpose
Commercial packer	VMProtect, Themida, Enigma — virtualization + built-in anti-debug
String encryption	API URL, ownerid, app name, Ed25519 pubkey — decrypt briefly at runtime then wipe
Control-flow obfuscation	Split auth logic across multiple functions · avoid a single login block
Integrity self-check	Hash .text section before init — exit if patched
Split auth module	Separate auth DLL · load from resource · self-sign the DLL
Anti-dump	Do not keep license key / session as plain strings in memory for long

WARN

Never hardcode keys or webhooks in the client — attackers can dump strings unless obfuscated

Anti-Inject — DLL / Hook / Debugger Protection

Attackers often inject DLLs or attach debuggers to bypass auth — hardening.hpp runs multi-layer checks:

Layer	Detects
Debugger	IsDebuggerPresent, RemoteDebug, NtQueryInformationProcess (DebugPort / DebugObject)
HW Breakpoint	DR0–DR3 registers — catches x64dbg/CE hardware breakpoints
Loaded DLL	cheatengine, dbk64, x64dbg, minhook, frida, scyllahide, etc.
Process scan	CE, IDA, x64dbg, OllyDbg, dnSpy, Ghidra, Process Hacker, Fiddler, etc.
Window title	Windows titled "Cheat Engine", "IDA -", "x64dbg" when enabled
VM detect	VMware, VirtualBox, Hyper-V, QEMU — block when score ≥ 3

Call la_guard::RunChecks() before init() and in a loop every 30–60 seconds
Inspect fail reason: la_guard::FailName(la_guard::LastFail())
Dev on VM: RunChecks(false) temporarily disables VM check
Call check() heartbeat alongside the guard loop

C++ — Usage Example

#include "hardening.hpp"
#include "auth.hpp"

int main() {
    if (!la_guard::RunChecks()) {
        // la_guard::FailName(la_guard::LastFail()) → "bad_process", "virtual_machine", ...
        return 1;
    }

    LibreAuth::Client app("MyApp", "OWNER_ID_10", "1.0", "https://your-domain/api/1.3/");
    app.setPublicKey("ED25519_HEX_FROM_HEALTH");
    app.setHash(la_guard::ExeMd5Hex());

    if (!app.init()) return 1;
    if (!app.login("user", "pass", la_guard::Hwid())) return 1;

    while (running) {
        if (!la_guard::RunChecks()) break;   // CE/IDA/x64dbg/VM
        if (!app.check()) break;
        Sleep(45000);
    }
    return 0;
}

// Dev on VMware/VBox:
// la_guard::RunChecks(false);  // disable VM check

File: sdk/cpp/hardening.hpp · setup: C++ Client Setup

C# / Unity / WPF

Obfuscate with ConfuserEx / Dotfuscator / VMProtect .NET
Check Debugger.IsAttached + Environment.GetEnvironmentVariable for profilers
Use LibreAuth.cs · verify signature before trusting response
Unity: IL2CPP build is harder to RE than Mono · do not store keys in plain ScriptableObject

FiveM / Lua

Client Lua is always modifiable — use auth as a gate only
Critical logic (give item, teleport) must be validated server-side in the resource
Use libreauth.lua for license gate · heartbeat check()

Monitor & Response

Panel → Event Logs — review hash fail, IP mismatch, duplicate request
Discord webhook in app settings — alert on abnormal login
Blacklist HWID / IP for repeated bypass attempts
Rotate Ed25519 keys if private key leaks (server config)

Pre-Production Checklist

#	Item
1	HTTPS + Require Sign + Anti-Tamper ON
2	Hash Check ON + whitelist obfuscated exe only
3	Client verifies Ed25519 on every response
4	enckey + AES on wire (optional but recommended)
5	Obfuscate binary + encrypt credential strings
6	Anti-debug + anti-inject loop (hardening.hpp / equivalent)
7	check() heartbeat + HWID lock
8	Close install/ after setup · config.production.php not in git
9	Admin password + 2FA on panel
10	Seller API IP whitelist

INFO

Server anti-tamper: Anti-Tamper · Signing: Response Signing · Security: Security Practices