Making an OTP Lock for Windows Applications or Games — using Go and React Native

Abhinav Dabral
Sep 8, 2019 · 5 min read
Photo by Anomaly on Unsplash

A simple hobby project that uses Go to create the lock and React Native to generate the OTP that unlocks it. It’s an offline project.

The Idea and Backstory

So I wanted to stop my two nephews from accessing games at their leisure, and instead have something where they can only access them as and when they’re allowed to do so.

So I came up with an idea to implement a fairly simple application that can work as a time based OTP lock. It was designed in two pieces:

This is not something unique but I’m a sucker for quick usable projects and I thought, why not?

Let’s start, shall we?

What’s the plan?

So, here’s what we’re doing.

  • ⏱ Take the UNIX timestamp
  • 🗝 Generate SHA1 (or SHA256 or whatever you want) off that timestamp
  • 🧲 Extract Numbers (or maybe entire sub-string) from it.

NOTE: We only take the date and hour from the timestamp and exclude the minutes and seconds. For example, if it’s 7th of September, 2019, and it’s 08:49PM, then we only consider 7th September, 2019 at 08:00PM, so that our OTP is valid for that hour (i.e. 08:00PM to 08:59PM). You can adjust that bit according to your requirement, maybe by taking the last quarter into consideration or something like that.
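The three steps above, written out in Go as an added example (this is not the author's code, which is not reproduced on this page). It also shows a keyed variant, because a hash of the timestamp alone contains no secret: anyone who knows the recipe can compute the same code. The function names, the UTC-aligned hour window and the shared secret are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// hourStamp drops minutes and seconds and returns the UNIX timestamp of the hour start.
// Truncate works on absolute time, so windows align to UTC hours (a choice made here).
func hourStamp(t time.Time) string {
	return fmt.Sprint(t.Truncate(time.Hour).Unix())
}

// digits keeps the first n decimal digits found in the hex form of a digest.
func digits(digest []byte, n int) string {
	out := make([]byte, 0, n)
	for _, c := range hex.EncodeToString(digest) {
		if c >= '0' && c <= '9' && len(out) < n {
			out = append(out, byte(c))
		}
	}
	return string(out)
}

// PlainOTP follows the post's recipe: SHA1(timestamp), then digits. No secret is involved.
func PlainOTP(t time.Time, n int) string {
	sum := sha1.Sum([]byte(hourStamp(t)))
	return digits(sum[:], n)
}

// KeyedOTP mixes in a secret shared by lock and key app (an assumption added in this example).
func KeyedOTP(secret []byte, t time.Time, n int) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(hourStamp(t)))
	return digits(mac.Sum(nil), n)
}

// Verify compares the typed code with the expected one in constant time.
func Verify(secret []byte, input string, now time.Time, n int) bool {
	return hmac.Equal([]byte(input), []byte(KeyedOTP(secret, now, n)))
}

func main() {
	fmt.Println(PlainOTP(time.Now(), 6), KeyedOTP([]byte("constructed-demo-secret"), time.Now(), 6))
}
```

Both the lock and the key app must derive the hour the same way and, for the keyed variant, embed the same secret.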

How do we start? — Let us start with the Lock

To make the lock I’m using Go, because I always wanted to use that (pull requests are welcomed). You can use gcc, Python or whatever you’re comfortable with.

You can pick anything that can generate an executable binary. Here’s my piece.

Go code to generate a time based OTP

I’ve left plenty of comments so it should be sufficient.

Oh, what’s with that DLL file? — Keep reading, I’ll explain that below.

To use it, we will build a binary from that Go file using go build (or if you’re on macOS and want to generate the Windows executable, then use). I’m aiming this guide at Windows because the use case fits it, but you could just as well have a similar thing ready for other platforms.


And, now onto the Key app — using React Native

It’s another pretty straightforward app. What we’re aiming to do here is generate the OTP in exactly the same way as its counterpart, obviously. You can make the same thing using HTML + JS, but I went with React Native because an app was easier to use. The actual app has a few more bells and whistles that I omitted here to focus on the implementation.


Here’s pretty much what I did, and like above, this code also has some comments that will help you understand the bits of it:

A mini application that works as our key generator for its lock counterpart

External third party libraries that I used were:

What now? How do we use it?

So, we’ve got a React Native application that generates OTP, based on a date and hour. And, we’ve also got a console application that validates that OTP and launches an application that we’ve hardcoded into the application.

We’ll now put the console application in the directory where the application or game that we’re locking exists. In this example let’s say we’re locking Halo. Now here’s what we do:

  • Let’s say that our tool is named otpexe.exe and we copy it into, let’s say C:\Program Files\Microsoft Games\Halo\
  • Now our game executable is halo.exe. Rename that to app.dll
  • And also rename otpexe.exe to halo.exe

Renaming halo.exe to app.dll and otpexe.exe to halo.exe

Now if it’s not obvious, I’ll explain it. When someone tries to run halo.exe, they’ll actually be presented with the OTPExe console application, which will request the OTP. If the OTP is right, it will execute app.dll, which is in reality an executable, but only we know that, and the system is able to run DLL files as executables, so it all works out. This is for Windows; for other platforms, you can plan something similar.

Additional things to watch out for

  • System time — It can be changed, so make sure to lock the admin account with a password and give the kids (or whatever target user) a separate limited account where the security policies for changing time and timezones are not granted. (Read — http://support.payrollhero.com/knowledge-base/how-to-secure-your-timezone-settings-on-your-windows-computer/)
  • BIOS — Secure the BIOS options with another password so nobody tries to enter and change it. If you’re dealing with a smart and naughty bunch, there’s not much you can do if they decide to reset the CMOS by popping the battery out of the motherboard and putting it back in, thereby resetting the BIOS password and settings, but otherwise you should be fine.

I personally did those two things to ensure that the otpexe tool isn’t fooled as easily. I also understand that this application wouldn’t work in some cases where you could break things by replacing the exe, which probably gets verified for its checksum and such before launch, but if you come across that case and figure it out then please leave a comment.

That’s it?

There’s still room for improvements to this, a lot more enhancements like the time-based killing of the application but this post wasn’t aiming to go that far. I’d sure love to hear your suggestions though.

It’s a basic idea to solve a basic problem, which can be developed using any basic set of languages you already know. I chose Go and React Native, but you can even get away with a simple gcc for the lock and HTML + JS for the key generator to achieve exactly the same thing.

Thank you for reading this post. You’re awesome! 😇

The Startup

Medium's largest active publication, followed by +717K people. Follow to join our community.

Abhinav Dabral

Written by

Software developer, currently aboard the ReactJS and React Native bandwagon, who likes to spend his weekends on personal projects 📟 or road-trips 🛵
