Execute part of the script on the server

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Execute part of the script on the server

20 Nov 2020, 15:42

Good evening. Perhaps this is called something different, but how can you split the script into two parts so that one of them is executed on the server side?
For example, upload a file with functions to the server and make part of the ahk script on the computer work in tandem with another part. Those. the script will not work without the server side. At least theoretically, is it possible to imagine, where to start and how can it be arranged at all?

Thanks.
User avatar
mikeyww
Posts: 26612
Joined: 09 Sep 2014, 18:38

Re: Execute part of the script on the server

20 Nov 2020, 17:27

Sure. #Include would enable that, not only for functions but any part of a script. You could also read an INI file if you want to exchange variables and values.
User avatar
TheArkive
Posts: 1027
Joined: 05 Aug 2016, 08:06
Location: The Construct
Contact:

Re: Execute part of the script on the server

20 Nov 2020, 17:50

@Botsy
Can you give a little more information as to what you are trying to do?

Based on the general info you have provided so far, there are several ways to go about what you are trying to do (if I"m reading it right).
For example, upload a file with functions to the server and make part of the ahk script...
This is of course possible, but would require the server-side script to be modified to include the "split file" with functions. Once you add this #INCLUDE to your server-side script, then you could theoretically update this include on-the-fly in order to expand server functionality, or even fix it.

But, this is also taking into account several other assumptions as well.

Can you give more info on what you are trying to accomplish?

EDIT: My first big question is... do you have access to the server side? ... just making sure
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Re: Execute part of the script on the server

21 Nov 2020, 04:35

There is ahk script. I took its functions into a separate file and connect it via #include. Is it possible to transfer these functions to the server (hosting), and leave the script itself on the computer? It turns out that the script pulls them from the server, like a client-server architecture. Or if this is not possible, then not all functions can be transferred, but only some part of the script to the server (hosting) so that the script cannot work without it.
User avatar
TheArkive
Posts: 1027
Joined: 05 Aug 2016, 08:06
Location: The Construct
Contact:

Re: Execute part of the script on the server

21 Nov 2020, 05:39

@Botsy

Anything is possible. What is the actual problem you are having?

I'm still unclear what you are trying to do. I'm assuming your computer can execute AHK script.

Is your intent to have the server execute this AHK script?
Is this server meant to be only network storage?

I really am trying to understand what you are asking, but I'm afraid I need more info.
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Re: Execute part of the script on the server

21 Nov 2020, 12:41

This is a kind of source code protection. When a part of the program will be executed on the server side. This is a mass-market solution. Since ahk is very vulnerable and easy to hack, I thought to move some of the logic to the server. Those. even if you find out the source code of the script, it will still not be enough for the script to work. After all, the part will be on the server. It's like any MMORPG game when there is a client side and a server side.
User avatar
mikeyww
Posts: 26612
Joined: 09 Sep 2014, 18:38

Re: Execute part of the script on the server

21 Nov 2020, 12:53

OK. It's a lot of effort. Why not just protect the compiled script with a password? That also obviates the need for an Internet connection.
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Re: Execute part of the script on the server

21 Nov 2020, 13:13

@mikeyww Password protection is also weak, it seems that you can still get the code from the process memory. And it’s interesting for me to do it with server separation, though I don’t know yet how it will be with ahk.
User avatar
TheArkive
Posts: 1027
Joined: 05 Aug 2016, 08:06
Location: The Construct
Contact:

Re: Execute part of the script on the server

21 Nov 2020, 15:05

@Botsy

If you need the client to be able to run code from a server, then this is not so much an AHK problem. It's more of a "network storage" problem. Securely storing the login credentials to be able to connect and get the updated functions from the server.

Or, maybe not even login credentials, maybe some other kind of registration data (IP / mac address?) to validate a user or user account.

I understand you are trying to protect the source. Perhaps users can login with user account credentials, and then the network connection can be authenticated, then the functions hosted on the server can be downloaded after authentication?
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Re: Execute part of the script on the server

21 Nov 2020, 16:17

Do you propose to transfer part of the script functions from server after passing the verification? For example, as a "response" from the server, and a script to catch the function through "WinHTTPRequest ResponseText"?
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Execute part of the script on the server

21 Nov 2020, 19:56

Botsy wrote:
21 Nov 2020, 04:35
There is ahk script. I took its functions into a separate file and connect it via #include. Is it possible to transfer these functions to the server (hosting), and leave the script itself on the computer? It turns out that the script pulls them from the server, like a client-server architecture. Or if this is not possible, then not all functions can be transferred, but only some part of the script to the server (hosting) so that the script cannot work without it.
It is possible for hackers to attack or get code from your server or monitor the traffic between the client program and the server to find a vulnerability. I'm not saying that one shouldn't have protection, but one should be realistic about how much protection that they really need. If we are talking client and server, another possibility is to simply have the client program authenticate to a web sever, and most of the code is on the client side. Here too, hackers/crackers can monitor the internet connection and find ways to fool the the client, or possibly fool the server too.

There can also be issues with running programs from a web server. Things like your monthly fees, speed of the internet connection, if most of the code is running on the the web server and it goes down than what will clients do, etc...
Botsy wrote:
21 Nov 2020, 13:13
@mikeyww Password protection is also weak, it seems that you can still get the code from the process memory. And it’s interesting for me to do it with server separation, though I don’t know yet how it will be with ahk.
Nothing is going to be hackerproof. I've read of some very wild and amazing stuff hackers/crackers have done, and we are talking big name companies like Microsoft. If you will only lose 2% of sales to hackers/crackers, by using password protection, then why lose so much sleep? And one has to be mindful that the program created might not even be that popular or generate a high level of interest.

Setting up or paying up front for much more advanced and sophisticated protection could possibly result in higher expenses per month and very little return on investment. Maybe not overthink it too much and go the simple route first and see how it goes. As an interpreted language, AutoHotkey is in the same category as Python, AutoIt, C#, Java, JavaScript, etc... They also need encryption or obfuscation to protect source code. Yet, people still proceed in doing business with these languages.

You also do have legal options, like going after ISPs of individuals or websites hosting your cracked software, it it gets to that point. The threat of legal action can be just as strong as a deterrent as many forms of software protection.
User avatar
TheArkive
Posts: 1027
Joined: 05 Aug 2016, 08:06
Location: The Construct
Contact:

Re: Execute part of the script on the server

22 Nov 2020, 01:46

Botsy wrote:
21 Nov 2020, 16:17
Do you propose to transfer part of the script functions from server after passing the verification? For example, as a "response" from the server, and a script to catch the function through "WinHTTPRequest ResponseText"?
Basically yes, but of course I don't know exactly what requirements or constraints you are working with, so of course make adjustments as needed.

You may want to take @SOTE's and @mikeyww's words into account. If too much protection starts to cause you more trouble than it is worth, hopefully you might reconsider your approach.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Execute part of the script on the server

22 Nov 2020, 05:10

TheArkive wrote:
21 Nov 2020, 15:05
I understand you are trying to protect the source. Perhaps users can login with user account credentials, and then the network connection can be authenticated, then the functions hosted on the server can be downloaded after authentication?
I agree with you that this is a viable method. However, there is still more that has to be added. Just because the person has been authenticated and downloaded functions or software, doesn't stop them from then loading the software on any computer, giving it away, or cracking it (then pushing their cracked version on the web). Code will still be needed that makes sure the software runs only on authorized computers or according to license terms. But that will still just put a person into the game, as with so many other software companies, of having to deal with those that crack software.

a web server is not an escape from worries. People can give away their account credentials or hackers can find databases of user names and accounts. The web server can become a vulnerability, just like any software running on client computers. But even more, it can become a central point of failure too. Pretty much no matter what a person does, there is going to be risks and problems. It's arguably a matter of does one think the risks are acceptable and are they willing to take their chances and deal with whatever problems come their way.

If a person decides to go that route, there is just always going to be a certain percentage of loss, as no solution will ever be 100%. One can never be sure what the exact percentage is going to be, but if the person has decided to go in that direction, probably best they just accept it.
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Re: Execute part of the script on the server

22 Nov 2020, 09:51

Now I'm making a binding of a script to a person a computer against multi-use. However, in addition to this, I would like take out some of the logic to the server.
This is my scheme for binding a script to a person, maybe it will be normally, or maybe it will not work at all.

*SID - Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID.
*Demo version - demo version of script. Basic configuration.
*License version - licensed version of the script. Full functionality.

Demo version:
- I process the primary information in the script. I get the SID of the computer and pull up the license key from the registry, if it is there.
- I send it to the php file on the server.
- then on the server I process the information. hashed the received SID.
- I check the SID in the database, if there was one - I verify the hash of the license key from the database with the key from the registry.
- if the SID was not in the database, then I generate a license key, hash it and enter it into the database.
- then I send the processed information back to the script.
- I show the client his license key, saved it into the registry.
- the client sends the key to the telegram bot for payment.

Licensed version:
- I process the primary information in the script. I get the SID of the computer and pull up the license key from the registry.
- I send it to the php file on the server.
- on the server, I verify the received information with the information in the database.
- if everything is OK, the script continues to work, if verification is not passed, then I interrupt the session.

*I hope Google translate did not disappoint me
shemeEng.jpg
shemeEng.jpg (150.92 KiB) Viewed 1233 times
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Execute part of the script on the server

22 Nov 2020, 10:37

Botsy wrote:
20 Nov 2020, 15:42
...how can you split the script into two parts so that one of them is executed on the server side?
For example, upload a file with functions to the server and make part of the ahk script on the computer work in tandem with another part.
...the script will not work without the server side. At least theoretically, is it possible to imagine, where to start and how can it be arranged at all?
In regards to your original question, the simpler solution would be to have an installer that asks the user for their registration information and license key. The installer would communicate with the server to verify that the information is correct. Upon verification, it would then download the program.

Probably best that you study a huge help topic "SW copy protection" on the archive forums. It gives examples and discusses various aspects of what you are seeking to do. https://autohotkey.com/board/topic/5427-sw-copy-protection/
Botsy wrote:
22 Nov 2020, 09:51
Now I'm making a binding of a script to a person a computer against multi-use. However, in addition to this, I would like take out some of the logic to the server. This is my scheme for binding a script to a person, maybe it will be normally, or maybe it will not work at all.
This thinking that you have of "putting logic on the server", comes off as a bit odd. Are you going to run the program on the user computers or from a web server? As you are here on the AutoHotkey forums, you are more likely to be running if from off of users computers. From parts of what you typed, sounds like you want users to download a non-functioning or only partially-function program. The partially-functioning program could be your Demo. Then after they receive the license key, they then can download the rest of the program or full version.

This is a common methodology, and doable. The true issue is that now you must build it. Asking people as to what is the best protection and licensing scheme will just be a lot of running in circles. At the end of the day, you have to choose what is the best approach for your situation, build the program, and setup the server. People might be able to help you on small aspects of it and on specific questions, but they are not going to build something like that for you (which will take a lot of man-hours), unless you pay them.

As for your protection scheme, many crackers/hackers are well aware of it, because it's common. Don't get me wrong, you are making the correct start in planning and visualizing what you want to do. The previous point being made was that you are going to have to accept risks and issues associated with your plan, if you are going to proceed.

Also keep in mind that there is an alternative option of buying license management software from a 3rd party. A lot of these types of software have various protection schemes as well to prevent cracking. The negative about such is that they are often relatively expensive.
Botsy
Posts: 19
Joined: 25 Aug 2020, 16:59

Re: Execute part of the script on the server

22 Nov 2020, 17:06

Thanks everyone for the answers).
Are you going to run the program on the user computers or from a web server?
The script is run on the PC, verification and part of the program logic will be on the server side.
I was advised to cut one of the functions in ahk and implement it on the server side, for example in php. At the right time, send data to the server, the function in php will process them and send back the executed result, which is necessary to continue the script's work on the PC.

I understand that there is no absolute protection and that’s fair.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Execute part of the script on the server

22 Nov 2020, 20:52

Botsy wrote:
21 Nov 2020, 16:17
Do you propose to transfer part of the script functions from server after passing the verification? For example, as a "response" from the server, and a script to catch the function through "WinHTTPRequest ResponseText"?
In regards to adding functions, for the AutoHotkey language, it would probably be better if you update your program entirely. So that the updated program includes the new functions.

If you download an .ahk file for use with the main program using #Include, that file will usually be exposed as it's basically plain text. The other options, in an "add functions" scheme, would be for the .ahk file downloaded from the server to be encrypted or you are downloading a .dll (containing the new functions) that was created in another programming language. Those two options, encrypted .ahk file or .dll, have weaknesses. A .dll file can possibly be analyzed and then used for the hacker's own purposes. Unless of course you have some tricky business going on with the .dll that makes it extremely hard for anybody to use. In addition to that, you would have to know another programming language to make the .dll. The encrypted .ahk would be difficult to crack by itself, but then the cracker would then be focusing on the main program in order to crack it and get the decryption function or be looking for any decrypted file.

Consequently, if you are going to "add functions", probably would be better to do this in the form of an update, after the user has authenticated their credentials with your web server. Delete the old version of your file first, and only after deletion is verified (this can be done with an installer that deletes or uninstalls the old program before getting the new), download the new version with additional functions. Of course, this is all a cat and mouse game, so how it all will go is a depends type of thing. But the vast majority of users, I would say 95% or so, will not have a clue about such things or will be law-abiding types. If a person doesn't want to play such cat and mouse games, there is the alternative of making the software freeware and accepting donations. That way has become increasingly popular.

Return to “Ask for Help (v1)”

Who is online

Users browsing this forum: a_bolog, Google [Bot], mcd, mikeyww and 132 guests