AutoHotkey Community

I was wrong.

What I thought was wrong behavior in the php xtea implementation is not actually wrong, and it looks like that php implementation of xtea works, even on 64-bit platforms.

The problem is the original from php-einfach.de (which is what I based my code on) has an error in its validation routine. It has a function called check_implementation() that verifies that the functions return what they should, and that routine is broken. It erroneously reports that the implementation has errors. While I thought I was fixing a bug, I was really just addressing the symptom.

The finger print idea is really good for software that you want to have activate once and be done.

I've actually moved in another direction and been working on something that would do subscription based software. Most of the work is done by the php. All the program has to do is prompt the user for username / password (and optionally store it for future sessions so it doesnt have to prompt), then pass that info along with the softwares Name/ID to the php script which would check the login, then check to see if that software is on their account, and if it is lets the program continue, otherwise gives them the appropriate error. Also if you wanted to restrict the program from running on more then one machine (probably would want to, otherwise people could share username/passwords), then when it logs in have it upload a fingerprint (if its empty) otherwise if its not empty compare its fingerprint to the one in the database, if they match, then ok, if not then give the error. Could write the php so they could manage their account and "reset" the fingerprint every so often (just have a delay in between resets (save reset time stamp, and if users tries again, compare current timestamp to saved timestamp.

I have most of the php in place for my project so far, its a sloppy disastrous mess at the moment, but working, now I have to work on attaching the program to the php.

Anyone have any ideas along these lines I havent mentioned?

_________________
Computerspazzz The Technowizard
The Wizard Is In!

Using a login/password on a website has some similarities and differences to the license key method I described, and I think overall the login method is a better solution if you expect a continuing relationship with the customer. It's a burden for the user to register for yet another website (and potentially a barrier to sales), especially if they are only going to activate and be done, but if you are going to control a set of features or manage a subscription, you will most likely need a login for those controls anyway.

I have been contemplating something similar for one of my applications, and one thing I am worried about is if the server goes down temporarily. This happens far too often on my shared host. Even if it's brief, suddenly all the users are locked out of the application they paid for. This could generate a lot of angry emails. Or in a mobile setting, they may not have internet connectivity (this might not matter if the application has only online usefulness).

What I have been considering is a set of rotating keys built into the application, maybe one per week, and the application needs to get a new authentication code periodically. You can pre-load enough keys to last a while, and release a new version of the client before they are exhausted. This would have implications for them resetting their machine fingerprint though, as it could allow them temporary use on up to 2 computers.

For the paranoid, you could periodically change the validation method as well, so hacked clients quit working unless the hacker understands the validation scheme very thoroughly. But this is a lot of non-productive work and it's not really applicable if hacking the client reveals the full source code.

I dont think there really is an absolute solution to the hosting server going down. My suggestion would be if your making any money at all off your product, get a better webhost... or better yet, get TWO different companys as webhosts, and program a backup to your secondary webhosting. Webhosting these days is like $5/monthly.

I also forgot to mention that something subscription based would probably apply mostly to something you plan to keep updates frequently for one reason or another. I also wrote myself a nice "patcher" system that downloads files based on a manifest I upload to my server, which also include MD5's, the client would then check its MD5's against the servers manifest, and download any files that dont match. So for this kind of thing the subscription is definately the best idea to keep residual income paying for the updates.

I think your solution about the revolving codes would work really well for a mobile app cause then it wouldnt have to connect everytime... BUT... not everyone has DATA plans on their phone... so yeah would pertain mostly to interest based apps.

For mobile apps I had an idea that something programmed in that prompts the user to enter the most recent code yearly or something... and you could email that code automatically to them on the same day the app would prompt them. The idea could use some work, but I once had a mobile app like that a while back, but it was monthly and was annoying... and you had to go to the website and enter your email each time... could have been a MD5 or something of the email address and the MONTH / YEAR or something... since phones always have an accurate time/day available to them.

As far as changing the validation method... if someone could hack the program I think they'd just hack the validation section out completely... but the easy thing to do would just change the name of the php validation file to something else.

And lastly I think rotating keys is neat, but if someone can hack the program validation wise, i think they would also be able to see the preset keys right? I have never tried to decompile a no-decompile ahk script... maybe I should try and see how easy it is... any ideas on how one would go about doing it?

I figure if the price is reasonable and the program useful people will pay and not cheat the system if its just reasonably hard to cheat the system.

_________________
Computerspazzz The Technowizard
The Wizard Is In!

curious if anyone's seen this link and tried to implement it in AHK:

http://www.brandonstaggs.com/2007/07/26 ... in-delphi/

Ok what am i missing where is http.ahk located?

in the first post there is a mention of "bad" users changing the environment variables in order to avoid this fingerprint-securing method.
how exactly would that be done?
can it be done with AHK?

...

this is wise and probably the best way to go




i posted some fixes in this thread as best i could. i didnt think that people were keeping things secret, just that they didnt know. i just dont think many ppl have PHP/mysql knowledge on this site

given all the work you've put into it, i dont know if you would be willing to share your interface, obviously leaving out the meat of the checks that you do, but it would be greatly appreciated if you would share the PHP/mysql stuff and how that web stuff is implemented

..

In general: why bother, "protected" or not any script can be decompiled in a few seconds making it easy to remove any security checks anyway. Why not spend the time on improving your program rather than waste it on so called "protection" Those 'capable' of cracking can also decompile it, the average user might not be so you are only annoying your actual clients.

_________________
AHK FAQ
TF : Text files & strings lib, TF Forum

This depends greatly on the mechanism used. If the paid code is entirely absent from the free version, then no. If the 'valuable' code and security checks are mixed together in a DLL, then no. It is hard to make cracking 'impossible' but it is not that hard to make it require some effort, and there are cases where this is worthwhile.

Why would you lock your car? Or even bother having locks at all? A small hammer will let a burglar get in, and then not only is your stuff gone, but you have a busted window too. Yet there are plenty of mischievous kids and opportunistic thieves who won't go to the trouble to break a window.

Even though most pure-ahk "protections" compiled the normal way are very weak and can be easily bypassed by people on this forum, the average end user unfamiliar with AHK would definitely need time and effort to figure it out. Although I would agree that you get almost the same protection by having (for example) a simple registry key that says paid=yes, without all the extra fingerprinting and online verifying and so on.

So yes, I think the extra protection is essentially a waste of time if it's pure AHK and compiled the normal way. Which I think was the point you were trying to make. I guess I talked myself into agreeing with you.

Yes indeed, a simple check is good enough security, the demo version idea is a nice touch as well.

_________________
AHK FAQ
TF : Text files & strings lib, TF Forum

Jamie,

i just got around to testing out your files, i dont know much at all about php/mysql, and am having trouble

i've created a db through my webhost webadmin interface. ive updated those user/pw/db infos from the config.php file. i got a "query failed" when i tried to run gen.php. so i edited config.php to give me more info for each failure, and it now echoes out "query failed from exists() func". then i realized that the table is never built, the maketable() function is included but never executed. so i ran this script:



but that doesnt seem to build the table either, i dont think, since i get the same query failure from exists func

ok for Jamie's scripts i needed to do a mysql_setup before calling maketable(). that seemed to do it:

buildtableinit.php



then in the ahk i needed to modify the InternetFileRead call, it kept returning -4 which SKAN says is unable to read file length, so i've just used this which works: