The Idea and Backstory
The goal was to stop my two nephews from accessing games at their leisure, and instead have something where they can only access them as and when they’re allowed to do so.
So I came up with an idea to implement a fairly simple application that can work as a time-based OTP lock. It was designed in two pieces:
- OTP Lock — made using Go (https://golang.org)
- OTP Key Generator — made using React Native (https://facebook.github.io/react-native/)
This is not something unique but I’m a sucker for quick usable projects and I thought, why not?
Let’s start, shall we?
What’s the plan?
So, here’s what we’re doing.
- ⏱ Take the UNIX timestamp
- 🗝 Generate SHA1 (or SHA256 or whatever you want) off that timestamp
- 🧲 Extract Numbers (or maybe entire sub-string) from it.
NOTE: We’re only going to take the date and hour from the timestamp, and exclude the minutes and seconds. For example, if it’s 7th of September, 2019, and it’s 08:49PM, then we only consider 7th September, 2019 at 08:00PM, so that our OTP is valid for that hour (i.e. 08:00PM to 08:59PM). You can adjust that bit according to your requirement. Maybe take the last quarter into consideration or something like that.
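The plan above as a runnable Go sketch (an added example, not the author's original lock code). It follows the three steps and the hour-truncation note, and goes one step further with KeyedOTP, an HMAC variant using a shared secret, because a code derived from the time alone can be recomputed by anyone who knows the steps. The function names, the 6-digit length and the demo secret are assumptions; hour boundaries follow UNIX time (UTC).

```go
package main
import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// hourStamp drops minutes and seconds: the UNIX timestamp of the start of t's hour.
func hourStamp(t time.Time) string {
	return strconv.FormatInt(t.Truncate(time.Hour).Unix(), 10)
}

// digits keeps the first n decimal digits of a hex digest (the "Extract Numbers" step).
func digits(digest []byte, n int) string {
	out := make([]byte, 0, n)
	for _, c := range hex.EncodeToString(digest) {
		if c >= '0' && c <= '9' && len(out) < n {
			out = append(out, byte(c))
		}
	}
	return string(out)
}

// PlainOTP follows the plan above: SHA1 of the hour timestamp, digits extracted.
func PlainOTP(t time.Time, n int) string {
	sum := sha1.Sum([]byte(hourStamp(t)))
	return digits(sum[:], n)
}

// KeyedOTP (beyond the original plan) uses HMAC-SHA256 with a secret shared by lock and key app.
func KeyedOTP(secret []byte, t time.Time, n int) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(hourStamp(t)))
	return digits(m.Sum(nil), n)
}

// Verify is the lock-side check: constant-time compare that never accepts an empty code.
func Verify(expected, entered string) bool {
	return expected != "" && subtle.ConstantTimeCompare([]byte(expected), []byte(entered)) == 1
}

func main() {
	now := time.Now()
	fmt.Println(PlainOTP(now, 6), KeyedOTP([]byte("constructed-demo-secret"), now, 6))
}
```

Both sides must run the same function on the same hour; with KeyedOTP the secret has to be embedded in both the lock and the key app.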
How do we start? — Let us start with the Lock
To make the lock I’m using Go, because I always wanted to use that (pull requests are welcome). You can use python or whatever you’re comfortable with. You can pick anything that can generate an executable binary. Here’s my piece.
I’ve left plenty of comments so it should be sufficient.
Oh, what’s with that DLL file? — Keep reading, I’ll explain that below.
To use it, we will create a binary from that go file using go build (or if you’re on macOS and want to generate the Windows executable, then use). Also, I’m aiming this guide at Windows because this use case aligns with it, but you may as well have a similar thing ready for other platforms.
And, now onto the Key app — using React Native
It’s another pretty straightforward app. What we’re aiming to do here is generate the OTP exactly the same way as its counterpart, obviously. You can make the same thing using HTML + JS, but I went with React Native because an app was easier to use. The actual app has a few more bells and whistles that I omitted here to focus on the implementation.
Here’s pretty much what I did, and like above, this code also has some comments that will help you understand the bits of it:
External third party libraries that I used were:
- js-sha1 (https://github.com/emn178/js-sha1) to generate the SHA1 Hash
- datetimepicker (https://github.com/react-native-community/react-native-datetimepicker) helps us to open the native date picker and time picker modals.
What now? How do we use it?
So, we’ve got a React Native application that generates OTP, based on a date and hour. And, we’ve also got a console application that validates that OTP and launches an application that we’ve hardcoded into the application.
We’ll now put the console application in the application directory, wherever the application or game that we’re locking exists. In this example let’s say we’re locking Halo. Now here’s what we do:
- Let’s say that our tool is named otpexe.exe and we copy it into, let’s say, C:\Program Files\Microsoft Games\Halo\
- Now our game executable is halo.exe. Rename that to
- And also rename
Now if it’s not obvious, I’ll explain it. When someone tries to run halo.exe, they’ll actually be presented with the OTPExe console application, which will request the OTP. If the OTP is right, it will execute app.dll, which is really an executable, but only we know that, and the system is able to run this renamed file as an executable, so it all works out. This is for Windows; for other platforms, you can plan something similar.
Additional things to watch out for
- System time — It can be changed, so make sure to lock the admin account with a password and give the kids (or whatever target user) a separate limited account where the security policies for changing time and timezones are not granted. (Read — http://support.payrollhero.com/knowledge-base/how-to-secure-your-timezone-settings-on-your-windows-computer/)
- BIOS — Secure the BIOS options with another password so nobody tries to enter and change it. If you’re dealing with a smart and naughty bunch, there’s not much you can do if they decide to reset the CMOS by popping the battery out of the motherboard and putting it back in, thereby resetting the BIOS password and settings, but otherwise you should be fine.
I personally did those two things to ensure that the otpexe tool isn’t fooled as easily. I also understand that this application wouldn’t work in some cases where you could break things by replacing the exe, which probably gets verified for its checksum and such before launch, but if you come across that case and figure it out then please leave a comment.
There’s still room for improvements to this, a lot more enhancements like the time-based killing of the application but this post wasn’t aiming to go that far. I’d sure love to hear your suggestions though.
It’s a basic idea to solve a basic problem, which can be developed using any basic set of languages you already know. I chose Go and React Native, but you can even get away with a simple gcc for the lock and JS for the key generator to achieve exactly the same thing.
Thank you for reading this post. You’re awesome! 😇