
Licensing Validation (Remote)

xwinterx

I did some au3, PHP, MySQL examples a long, long time ago on how to get info from a database. Anyhow, here is the same thing but you can use it to validate software licenses within your script. This is a VERY simple example.

First here is the code for the function:

Func validate($iLicense)
    Local $o_IE
    Dim $html_text
    
    ; Create IE object
    $o_IE = ObjCreate("Shell.Explorer.2")
    ; Create Validation GUI
    GuiCreate("Licensing", 300, 45,-1, -1)
    ; Create IE object in the GUI
    GUICtrlCreateObj($o_IE, 0, 0, 1, 1)
    
    ; Load Validation URL into object
    $o_IE.navigate2($page & "?ilicense=" & $iLicense)
    
    ; Wait for IE Object to load page
    While $o_IE.Busy
        Sleep(10)
    WEnd
    
    ; Split HTML source return by "~"
    $html_text = StringSplit($o_IE.document.body.innerHTML, "~")
    
    ; Fire notification if stringsplit failed due to page not loading.
    If @error Then
        MsgBox(4096, "Error", "Cannot connect to page!")
        Exit
    EndIf
    
    ; Delete GUI since we are no longer using it.
    GUIDelete()
    
    ; Check for return by PHP page
    If $html_text[2] = "yes" Then
        return 1
    Else
        return 0
    EndIf
EndFunc

; Address of webpage, must be globaled in main script
Global $page = "www.webiste.com/path/to/check.php"

; Check for valid code, if not then exit
if validate("enter-code-here") = 0 then Exit

Not sure how you want to store your code, whether you'd recompile the au3 with a different code for each customer or what, but however you do it, you'd pass it to the validate() function.

Now on to the PHP page.

xwinterx

I assume you have some knowledge of MySQL or enough of it to get your database set up and configured. You can create your database and import this sql dump to make your tables:

CREATE TABLE `customers` (
  `id` int(11) NOT NULL auto_increment,
  `license` varchar(15) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=5;

Next create a new file named check.php and put the following code in it:

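<?php
ob_start();

// DB Info
define('DB_HOST', 'localhost');
define('DB_USER', 'username');
define('DB_PASSWORD', 'password');
define('DATABASE', 'database');
// Report failures through return values so the "or die" checks below still fire on PHP 8.1+
mysqli_report(MYSQLI_REPORT_OFF);
// Connect to DB (mysqli replaces the mysql_* functions, which were removed in PHP 7)
$conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DATABASE) or die("~no~");

?>
<html>
<head>
<title>Untitled</title>
</head>
<body>
<?php
// Queries table for "ilicense" passed through url.
// The value is bound as a parameter instead of being concatenated into the SQL string,
// so a crafted license value cannot change the query.
$license = (isset($_REQUEST['ilicense']) && is_string($_REQUEST['ilicense'])) ? $_REQUEST['ilicense'] : '';
$stmt = mysqli_prepare($conn, "SELECT id FROM customers WHERE license = ?") or die("~no~");
mysqli_stmt_bind_param($stmt, "s", $license);
mysqli_stmt_execute($stmt) or die("~no~");
mysqli_stmt_store_result($stmt);

// Validates affiliate licensed release
if (mysqli_stmt_num_rows($stmt) == 0)
{
    echo "~no~";
} else {
    echo "~yes~";
}

// Closes Database Connection
mysqli_stmt_close($stmt);
mysqli_close($conn);

?>
</body>
</html>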

You will need to put in your own username, password, and database depending on what you have created during setup. Now just go through and add some codes to your database using your db administration portal.

Xand3r

and if someone manages to change the content of the $page variable with a page of their own where it says yes no matter what then .. the validation is worthless :D


Only two things are infinite, the universe and human stupidity, and i'm not sure about the former - Albert Einstein
Practice makes perfect! but nobody's perfect so why practice at all?
http://forum.ambrozie.ro

xwinterx

Well you would only use it in a compiled EXE.

yup! that is why I said you most likely recompile with a new code for each customer.

James

Any way of adding an email to it? I would like to check for email and license code. I'm just thinking about ways of storing the information.

Edit: Maybe a table like this?

ID|EMail|License|Amount|Active

Hmm.. I have no idea, how to make a program portable yet licensed.

Edited by JamesBrooks

xwinterx

Any way of adding an email to it? I would like to check for email and license code. I'm just thinking about ways of storing the information.

Edit: Maybe a table like this?

ID|EMail|License|Amount|Active

Hmm.. I have no idea, how to make a program portable yet licensed.

yeah, it's actually really easy. Just modify the au3 function to accept additional data (ie codes and stuff) then pass them additionally to your php page. you'd have to add them to your database and modify the php script, but it is really easy. this was just a simple example. if you like, PM me with what you are looking for and I can help you out. don't want to drag a lot of code out but gimme a little and I will try to do something here too to get you pointed in the right direction.

I chose the php method so you wouldn't have to install the ODBC connector software on every machine that would run the program.

edit:

As far as storing the info, there used to be a script here that would modify the hex headers of a compiled EXE to make it less likely for someone to decompile with the cracked decompiler that had been running around for an older version. I have toyed with an idea but really have nowhere to start. I believe it is possible that you can make a script that would let you enter all the data you want, encrypt it and store it in the hex code of the target compiled EXE. you could have your script access the hex code, decrypt it and pass it to your validation script. it would take some playing with, I'd imagine, but I am sure there are tons of gurus here that could come up with that. Or you could just insert the data into your script for each customer and re-compile. The latter is easiest. heh.

Edited by xwinterx

spyrorocks

In theory, one could set up a local proxy and have it return false info for that URL, or even add a hosts file exception.

It's a good idea, just easily bypassable.

Gigglestick

Maybe it would be better to do something like using MD5, or hitting the PHP with SSL, or letting the license be stored in an INI file or the registry and create a hash of it to send to the PHP script, expecting a predetermined code based on the license key itself or something.

I'm curious how this is handled by larger companies that want to protect their software. How does Windows Activation work (though that might possibly be a worst-case scenario of how to do such a thing)?


My UDFs: ExitCodes

xwinterx

I wouldn't say it is easily bypassable. Even if you set up your own local proxy and all that stuff, you'd have to know what info to pass back to the script. I use my own encryption and store the serial, email and other info into the registry then read upon that to check. You can even have your own activation/registration script. So when someone buys your stuff, they get the program and a serial. When they run the program, it asks them to register it since it doesn't find the info in the registry. So they enter all their info with the serial. You can have a function that sends the info to another php script which verifies that the serial number exists in your database (of course you enter serial numbers into the database as you issue them) then it fills in all their info.

JRSmile

just set up a local xampp installation and add the url of the check page to your hosts file routed to 127.0.0.1 ... create the specified folder structure and decompile the autoit source with some bad tools around, to see what the tool needs to know to be validated, this can even be done by a wrapper.au3 which will then be released as keygen or crack for this... as usual...


$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])))''Chr("a")&"HI"Next;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)

Emiel Wieldraaijer

I like this idea..

There must be a double check in it with multiple retry otherwise the program will not work when there is no connection established.

Further you need to mention the license check in an EULA to respect the privacy rights of the person who bought it.


Best regards, Emiel Wieldraaijer

jokke

Look into MySQL ODBC connection, connect then to the database with a view only user and check licence.

With security, where "processor.id=xxx-xxx-xxx" can only check licence every few minutes to not get brute forced. If no processor.id is sent to server client is not allowed to perform the search.

Edited by jokke

UDF: Crypter a file encrypt / decrypt tool with no need to remember a password again. Based on Caesar cipher using entire ASCII Table.
Script's: PixelSearch Helper, quick and simple way to create a PixelSeach.
Chatserver - simplified, not so complicated multi-socket server.
AutoIT - Firewall, simple example on howto create a firewall with AutoIt.

CoePSX

Adding some encryption would fix the proxy/hosts workaround.


xwinterx

Look into MySQL ODBC connection, connect then to the database with a view only user and check licence.

but this would require the MySQL ODBC driver to be installed on the computers running the program. you can surely do it that way too, no harm in it, but this is a pretty simple idea is all.

and yes, if you got a tool to decompile the code, you could just set up your own server and know what to return to it, or you could just take the code out and recompile. :P

not saying this is unhackable, just giving an example. you can use any data to validate whether it is a combo of unique id's as a result of a processor id, window key, mac address combo or whatever. the possibilities are only limited by your imagination and coding abilities.

ken82m

I'm gonna try playing with this.

I found a free php/mysql web hoster if anyone's interested :)

http://www.zymic.com/free-web-hosting/

5 gigs of bandwidth a month.


My Contributions _StringMultiReplace PC Builders Console - Secure PDF Creator - Cisco VPN Installer MS DNS Server Backup Script - MS DHCP Backup Script IT Admin Console - Toggle Admin Mode - MyMovies-Add Discs Script - IT Help Desk and System Information Tool - Set On Lid Close Power Option - Streaming Media Server & Website "I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."

Cynagen

I've actually thought about this before myself, and I've even done it before with other PHP scripts that you could get from me, but had to 'purchase' (request for private usage, never got a commercial customer) a license to use. I was thinking of doing something like this in AutoIt, but 2 things are really preventing this from going forward. Firstly, that hacked decompiler (bane of existence), and secondly, plain text returns can be spoofed by the many ways already listed here. Frankly, you need some kind of encryption to secure the transaction back from the license server, which isn't necessarily a bad thing, but it's a bad thing in terms of that decompiler, as then whoever would know exactly what kind of encryption you're using. Either communications (SSL), or some type of plain-text encryption (which is easily broken).

Don't get me wrong, this is a step forward, but it's not onto solid ground, not yet at least. I already have an encryption method written up, completely custom, but it's completely exposed in the script, so a quick decompile, and whoop, there goes the secret. It really wouldn't matter what you used at this point, simply because of that decompiler. Now I'll definitely be working on ideas that ignore the decompiler problem.

Edited by Cynagen

Blah, blah, blah... lip service... lip service.Working on a number of projects right now, just waiting for my time to post them here on AutoIt forums.
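
The spoofed-server bypass raised in this thread (a hosts-file or local-proxy server answering "~yes~"), countered with a signed reply, as an added example that is not code from any poster: the license server signs the verdict, the license and a client-chosen nonce with an Ed25519 secret key, and the client carries only the public key, so decompiling the client exposes nothing that can forge a "yes". Both sides are shown in one PHP script using the bundled sodium extension. The function names, the `|` message layout and the sample license are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. Needs PHP >= 7.2 (bundled sodium extension).

// One-time vendor setup. Only the public key is compiled into the client.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair); // never leaves the license server
$publicKey = sodium_crypto_sign_publickey($keypair); // safe to expose to a decompiler

// Constructed sample data standing in for the customers table.
$issued = ['AAAA-BBBB-CCCC'];

// Server side (hypothetical helper): sign verdict, license and client nonce together.
function license_server_answer(string $license, string $nonceHex, array $issued, string $secretKey): array
{
    $verdict = in_array($license, $issued, true) ? 'yes' : 'no';
    $message = $verdict . '|' . $license . '|' . $nonceHex;
    $sig     = sodium_crypto_sign_detached($message, $secretKey);
    return ['verdict' => $verdict, 'sig' => bin2hex($sig)];
}

// Client side (hypothetical helper): accept only a "yes" signed for this license and nonce.
function client_accepts(array $reply, string $license, string $nonceHex, string $publicKey): bool
{
    if (!isset($reply['verdict'], $reply['sig']) || $reply['verdict'] !== 'yes') {
        return false;
    }
    $sigHex = $reply['sig'];
    if (!is_string($sigHex) || !ctype_xdigit($sigHex) || strlen($sigHex) !== 2 * SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature, reject before calling sodium
    }
    $message = 'yes|' . $license . '|' . $nonceHex;
    return sodium_crypto_sign_verify_detached(hex2bin($sigHex), $message, $publicKey);
}

$license = 'AAAA-BBBB-CCCC';
$nonce   = bin2hex(random_bytes(16)); // fresh per check, so old replies cannot be replayed

// 1. Genuine server reply.
$genuine = license_server_answer($license, $nonce, $issued, $secretKey);
var_dump(client_accepts($genuine, $license, $nonce, $publicKey));

// 2. Redirected server without the secret key: it can say "yes" but cannot sign it.
$spoofed = ['verdict' => 'yes', 'sig' => str_repeat('00', SODIUM_CRYPTO_SIGN_BYTES)];
var_dump(client_accepts($spoofed, $license, $nonce, $publicKey));

// 3. Replay of the genuine reply against a later check with a new nonce.
var_dump(client_accepts($genuine, $license, bin2hex(random_bytes(16)), $publicKey));
```

This closes only the redirected-server bypass. As posters in the thread point out, someone who decompiles the script can still take the check out and recompile.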

tottalk2003

just set up a local xampp installation and add the url of the check page to your hosts file routed to 127.0.0.1 ... create the specified folder structure and decompile the autoit source with some bad tools around, to see what the tool needs to know to be validated, this can even be done by a wrapper.au3 which will then be released as keygen or crack for this... as usual...

hi dear i have php application run on xampp with mysql database i'd like your idea but i can't proceed can you guide me step by step with screenshot if possible

to execute this idea on my application

i know the first step

1- create database

2- import tables + new table for customers(

CREATE TABLE `customers` (
  `id` int(11) NOT NULL auto_increment,
  `license` varchar(15) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=5;

3- ???

4- ???

5-???

please complete your steps with details if possible and as per information i need to add client processor id to let application work on one pc only

appreciate your help
