Archive: Issues while validating license key online via installer


Issues while validating license key online via installer
Hi, I have attached the script. When I enter the correct key, it still shows "Invalid key".

URL: http://pnilyaoverseas.com/pankaj/tes...aa-aaaaa-aaaaa

So the correct key is: aaaaa-aaaaa-aaaaa-aaaaa-aaaaa

Regards
Pankaj


correct file
Sorry, I attached the wrong file; please find the correct one.

Thanks


You may wish to check your PHP code. The file that gets downloaded reads 'INVALID', itself.

P.S. You've got a typo: slient -> silent


Attaching the PHP too.

But when I try it from the browser it returns "VALID".


Try adding the value that the PHP appears to get ($_GET['test']) to the output, or use one of the PHP debug print statements. I don't have a PHP server up and running anywhere, but I'm guessing that it's not getting what you think it's getting from the POST command.


Here's what you'd want to do:

First of all, good thing you're taking measures to prevent SQL injection. However, there's a much easier way to go about it:


<?php
// note: the mysql_* extension is legacy (removed in PHP 7); mysqli or PDO are the replacements
define('HOSTNAME', 'localhost');
define('USERNAME', 'indiamm_test');
define('PASSWORD', 'test');
define('DATABASE_NAME', 'indiamm_pankaj');
// shared secret: must be identical to RESPONSE_KEY in the installer
define('RESPONSE_KEY', '4PdUAoeGZ9Tq*1bpI]Le4P!{MsXUtqzR]p!T%++xf2&wbb4ISe7jGoIAQAusMw,j');

$db = mysql_connect(HOSTNAME, USERNAME, PASSWORD) OR die('I cannot connect to MySQL.');
if ( !mysql_select_db(DATABASE_NAME) )
{
    die('Unable to select database.');
}

// escape the key before it goes anywhere near the query
$key = ( isset($_GET['key']) ) ? mysql_real_escape_string($_GET['key']) : '';
if ( empty($key) )
    die('INVALID');

// `key` is a reserved word in MySQL, so the table name has to be quoted
$result = mysql_query("SELECT status FROM `key` WHERE id = '$key'");
if ( !$result )
{
    die('INVALID');
}

// check if records were returned
if ( mysql_num_rows($result) > 0 )
{
    // this hash will be unique among all installers.
    // it is computed over the raw key the installer sent, so the installer can recompute it
    $hash = md5($_GET['key'] . RESPONSE_KEY);
    echo <<<EOF
[result]
status=valid
hash=$hash
EOF;
}
else
{
    echo <<<EOF
[result]
status=invalid
hash=
EOF;
}
@mysql_free_result($result);

mysql_close($db);
?>
I should warn you that simply fetching a URI is a highly untrustworthy operation. It would be trivial for someone to fuss around with their hosts file and point the installer to a different license server through DNS spoofing. If you hardcode the IP address, that can still be changed by working with the host computer's routing tables. The only way to ensure a secure response is to use a primitive sort of digital signature to ensure that the response came from a trusted server.

Warning: reverse-engineering of the installer can still crack this! I use a very similar scheme for some of my projects.

The way you would do this is by echoing back a hash that was created from the key (ensuring that each response is unique) and also contains a (hashed) unique, global key shared among your license validation script and all your installers. A sample is shown above. Here's how you would go about validating this with NSIS:


; same shared secret as RESPONSE_KEY in checklicense.php
!define RESPONSE_KEY '4PdUAoeGZ9Tq*1bpI]Le4P!{MsXUtqzR]p!T%++xf2&wbb4ISe7jGoIAQAusMw,j'

; usage:  Push "<license key>"  /  Call ValidateLicense  /  Pop $R0   ($R0 = "valid" or "invalid")
Function ValidateLicense
  Exch $0                  ; $0 = license key, old $0 saved on the stack
  Push $1
  Push $2
  Push $3
  Push $4
  StrCpy $4 "invalid"      ; default result
  GetTempFileName $1
  NSISdl::download_quiet "http://yoursite.com/checklicense.php?key=$0" $1
  Pop $2                   ; NSISdl pushes its result; it must be popped to keep the stack balanced
  StrCmp $2 "success" "" done
  ReadINIStr $2 $1 "result" "status"
  StrCmp $2 "valid" "" done
  ; remote server claims the key is valid
  ; $2 = hash from server - untrusted
  ReadINIStr $2 $1 "result" "hash"
  ; $3 = the correct hash, recomputed locally from the key and the shared secret
  DCryptDll::MD5Hash "SS" "$0${RESPONSE_KEY}" "--End--"
  Pop $3
  ; make sure DCryptDll didn't error out
  StrCmp $3 "OK" "" done
  Pop $3
  StrCmp $2 $3 "" done
  ; hash is valid
  StrCpy $4 "valid"
done:
  Delete $1
  StrCpy $0 $4             ; return value goes through $0 so the register restores below don't clobber it
  Pop $4
  Pop $3
  Pop $2
  Pop $1
  Exch $0                  ; restore old $0 and leave the result on the stack
FunctionEnd
This is untested code as I'm currently on a Linux system and lack the resources to test, but I believe it should work. Hopefully this will give you an idea of how a server's response can be fully authenticated.

--Dan