One time token to run script? (security) Topic is solved

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
armoz
Posts: 8
Joined: 05 Sep 2020, 11:25

One time token to run script? (security)

26 Sep 2020, 16:36

Hello,
I have been looking for hours but couldn't find this.
I need a program/script that generates one-time tokens to authenticate my AHK script (like an OTP).

E.g.: Mr. X opens my script, he needs to enter a token to use it (one-time use); without it the script can't be run. I have already encrypted my script.

Please suggest a method!

Thanks.
mikeyww
Posts: 27370
Joined: 09 Sep 2014, 18:38

Re: One time token to run script? (security)

26 Sep 2020, 18:53

Random

You can run a timer for any frequency, send the code to the user, and match the user's entry against it.
armoz
Posts: 8
Joined: 05 Sep 2020, 11:25

Re: One time token to run script? (security)

26 Sep 2020, 23:23

How can it be done with random?

Please provide a link/snippet.

How will my client's pc check the dynamic value?
Jim Dunn
Posts: 478
Joined: 01 Sep 2020, 20:21
Location: NSW

Re: One time token to run script? (security)  Topic is solved

27 Sep 2020, 02:12

armoz wrote:
26 Sep 2020, 23:23
How can it be done with random?

Please provide a link/snippet.


MsgBox % FnGenerateRandomKey(20)

; Function to generate a random key
FnGenerateRandomKey(Length:=12) { ; defaults to length 12 - or you can supply any length as a parameter
	Loop %Length% {
		Loop {
			Random, ch, 48, 122
		} Until !((ch > 57 and ch <65) OR (ch > 90 and ch <97)) ; alphanumeric only
		RandomKey .= Chr(ch)
	}
	Return RandomKey
}

armoz wrote:
26 Sep 2020, 23:23
How will my client's pc check the dynamic value?

However you decide to implement the check in your code. ;)

Only you know your use-case scenario - how you will provide the key, or how you will restrict the copies of your application you provide to a particular key.

If, instead, you want to be able to generate a whole bunch of keys which match some cipher/algorithm which your application knows, and will use to see if they are 'valid' or not, then this might give you some ideas: https://build-system.fman.io/generating-license-keys

Whatever you do, you'll still be open to people 'sharing' copies of your application and whatever key you provided, or meddling with/erasing registry entries you make - unless you also try to implement some kind of check against their machine details, or similar, like making the app 'phone-home' to check against an online database of authorised users which you maintain. And there are ways to beat that, too - a pirate can run a local server impersonating your online server and redirect relevant local online auth calls to their bogus auth-server with entries in their "hosts" file.

Or, someone can simply hack your app, encrypted or not, to not check at all, or behave as though the check succeeded...

It's not simple. ;)

If you search online, you'll find various services/software which can generate and validate keys like this, in various ways, but mostly neither free, nor trivial to implement.
That's why even the big software companies are still, constantly searching for foolproof ways to implement copy protection, and why some very expensive, proprietary software even still requires you to have a physical "dongle" supplied by them plugged into a PC to run their app.
mikeyww
Posts: 27370
Joined: 09 Sep 2014, 18:38

Re: One time token to run script? (security)

27 Sep 2020, 07:15

Since this is a random number generated on the fly where the script resides, reproducing it would actually be difficult for scripts running at the end, i.e., on the user's end. You could easily just use digits and only six of them, because the chance of guessing correctly with one chance, or even a few chances, would then still be small. You would lock out the user after a small number of tries. The main thing to know about Random is that it is not random. It is explained in the documentation. Combining with the user's machine ID is a good idea in many instances. This number is obtainable and adds a measure of security.

A permanent license key is a different approach from random numbers, which are more like temporary license keys. The permanent key usually generates a single random string. In many instances, that number is also generated using a hash based on something specific about the user, such as a machine ID, name, or account information.

The following gets you a string unique to the Windows installation. It could be hashed into a license key.


RegRead, machineGUID, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, MachineGuid
MsgBox, 64, Machine GUID, %machineGUID%
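
An added example, not code from any poster in this thread: an issuer-side sketch in Python of the scheme discussed above (a six-digit code drawn from the OS CSPRNG rather than a seeded generator, tied to a machine ID, single use, with lockout after a few wrong tries). The class name, the three-try limit and the five-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_TRIES = 3       # assumed lockout threshold ("a small number of tries")
TTL_SECONDS = 300   # assumed lifetime of an issued code


class OneTimeCodes:
    """Issuer-side store holding one pending code per machine ID (hypothetical design)."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # machine_id -> [digest, expires_at, tries_left]
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(machine_id, code):
        # Fixed-length bytes for the constant-time compare; also ties the
        # code to one machine ID so it is useless on another machine.
        return hashlib.sha256(f"{machine_id}:{code}".encode()).digest()

    def issue(self, machine_id):
        # secrets uses the operating system's CSPRNG.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[machine_id] = [self._digest(machine_id, code),
                                     self._clock() + TTL_SECONDS, MAX_TRIES]
        return code  # delivered to the user out of band

    def verify(self, machine_id, code):
        entry = self._pending.get(machine_id)
        if entry is None:
            return False             # nothing issued, already used, or locked out
        if self._clock() > entry[1]:
            del self._pending[machine_id]
            return False             # expired
        ok = hmac.compare_digest(entry[0], self._digest(machine_id, code))
        if ok:
            del self._pending[machine_id]      # single use
        else:
            entry[2] -= 1
            if entry[2] == 0:
                del self._pending[machine_id]  # lockout: a new code must be issued
        return ok
```

The check has to run where the user cannot edit it (the issuer's side); a verifier embedded in the distributed script can be patched out, as noted earlier in the thread.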
