I am trying to understand how a licence key works and how its validation can be bypassed in PHP


I am trying to understand how the code below verifies the license key, and whether it can be bypassed in the PHP file itself by putting in my own license key and getting it verified.

<?php
session_start();

// The installer needs cURL to reach the licence server; stop early if it is missing.
if (!function_exists('curl_init')) {
    die('cURL is not available on your server! Please enable cURL to continue the installation. You can read the documentation for more information.');
}

// Rebuilds the URL of the current request; it is sent to the licence server as the "domain".
function currentUrl($server)
{
    $http = 'http';
    // Some servers set $_SERVER['HTTPS'] to "off" for plain HTTP, so check the value, not just presence.
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        $http = 'https';
    }
    $host = $server['HTTP_HOST'];
    $requestUri = $server['REQUEST_URI']; // already begins with "/"
    return $http . '://' . $host . $requestUri;
}

$current_url = currentUrl($_SERVER);

if (isset($_POST["btn_purchase_code"])) {

    $_SESSION["purchase_code"] = $_POST['purchase_code'];
    $response = "";

    // Ask the licence server to exchange the purchase code for a licence code.
    // Parameters are URL-encoded so a stray "&" or space cannot break the request.
    $query = http_build_query(['purchase_code' => $_POST['purchase_code'], 'domain' => $current_url]);
    $url = "http://jobsearchers.in/api/license?" . $query;

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);

    // Fallback host, tried only when the first request returned nothing.
    if (empty($response)) {
        $url = "http://jobsearchers/api/license?" . $query;

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
    }

    // The server answers with JSON. The client only reads "status" and "license_code";
    // it performs no local check that the licence code is genuine.
    $data = json_decode($response);

    if (!empty($data)) {

        if ($data->status == "300" || $data->status == "400") {
            $_SESSION["error"] = "Invalid purchase code!";
        } else {
            $_SESSION["status"] = $data->status;
            $_SESSION["license_code"] = $data->license_code;
            header("Location: folder-permissions.php");
            exit();
        }
    } else {
        $_SESSION["error"] = "Invalid purchase code!";
    }

}
?>

I tried removing the cURL call and putting my own key in place of $data, like $data = 123456789, and then tried to validate it, but it doesn't work.

Answer (Moudi):

In that snippet of code, the application sends an HTTP request with the purchase_code and gets back the license_code.

This is better than hard-coding the license code on the device to avoid users sharing license codes.

Let's assume that the license_code returned does not get verified; in that case you can just change the script to do the following:

<?php
session_start();
if (isset($_POST["btn_purchase_code"])) {
    $_SESSION["purchase_code"] = $_POST['purchase_code'];
    $_SESSION["status"] = 200;
    $_SESSION["license_code"] = "fake_license_code";
    header("Location: folder-permissions.php");
    exit();
}
?>

However, all the above code does is spoof the response of the server. There usually is some sort of "correlation" between your purchase_code and your license_code that only the devs know, and they use that knowledge to verify that your license code matches the purchase code.

If you are doing this for malicious reasons, big shame, but if you're doing this to foolproof your application against being cracked, then you have to figure out a way to locally verify the "license_code" and make sure it's a valid code sent by the server. This can be done by signing the code with a private key from the server, which would make it impossible to replicate.

My favorite way of creating unique verifiable tokens or license codes is JWT.

You can use JWT to create a token that contains a timestamp, purchase_code and other information, then sign it using a private key, which makes it impossible to replicate. The client can verify the issuer through a public key.

TL;DR: The above snippet will only work if no extra steps are done to verify the license_code, which is unlikely. A good step to verify that the license_code is one shared by the server is to sign it with a private key.
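The signed-licence scheme Moudi describes, written out as an added example that is not part of the question or the answer: the server signs the claims with its private key (RS256 in compact JWT layout, using only PHP's openssl extension rather than a JWT library) and the application verifies them with the public key alone. The key pair, the purchase code ABCD-1234, the domain shop.example and the issuer name are constructed for the demo.

```php
<?php
// Added example, not code from the question or from Moudi's answer: a licence token
// signed on the server with a private key (RS256, compact JWT layout) and verified in
// the application with only the public key. The key pair, purchase code and domain
// are constructed for the demo; a real licence server never ships its private key.
function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $s) {
    return base64_decode(strtr($s, '-_', '+/'), true); // false on malformed input
}

// Server side: bind the purchase code to the licensed domain and sign the claims.
function issue_license(string $privateKeyPem, string $purchaseCode, string $domain): string {
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['iss' => 'license-server', 'purchase_code' => $purchaseCode,
        'domain' => $domain, 'iat' => time(), 'exp' => time() + 365 * 86400]));
    $sig = '';
    openssl_sign("$header.$payload", $sig, $privateKeyPem, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url($sig);
}

// Client side: verify the signature with the public key, then the claims; null on any failure.
function verify_license(string $publicKeyPem, string $token, string $expectedDomain): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode((string) b64url_decode($header), true);
    if (($hdr['alg'] ?? '') !== 'RS256') return null; // pin the algorithm; never accept 'none'
    $rawSig = b64url_decode($sig);
    if ($rawSig === false) return null;
    if (openssl_verify("$header.$payload", $rawSig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode((string) b64url_decode($payload), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) return null;
    if (($claims['domain'] ?? '') !== $expectedDomain) return null;
    return $claims;
}

// Demo with a throwaway key pair (constructed for this example).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privPem);
$pubPem = openssl_pkey_get_details($key)['key'];
$token = issue_license($privPem, 'ABCD-1234', 'shop.example');
echo 'genuine token accepted: ', var_export(verify_license($pubPem, $token, 'shop.example') !== null, true), "\n";
echo 'hard-coded string accepted: ', var_export(verify_license($pubPem, 'fake_license_code', 'shop.example') !== null, true), "\n";
// Payload rewritten for another domain while keeping the old signature: verification fails.
[$h, , $s] = explode('.', $token);
$forged = "$h." . b64url(json_encode(['domain' => 'other.example', 'exp' => time() + 86400])) . ".$s";
echo 'forged payload accepted: ', var_export(verify_license($pubPem, $forged, 'other.example') !== null, true), "\n";
```

With this in place, the spoofed script from the answer cannot produce a value that verify_license accepts, because only the holder of the private key can produce a valid signature over the claims.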