Script help

Hey guys im need of some help. I have a php script which i am going to use as a licensing system for my application. now the script was open source so i no its not perfect. what it does is sends a web request to my website like http://yourdomain.com/auth.php?a=login&user={USERNAME}&pass={PASSWORD}&hwid={HWID} . I have added encryption so username and password and hwid are not in plain text, it also adds 11 randomly generated numbers at the end of username, password, hwid before its encrypted so every request is unique. now for some reason its not working and i cannot see why i have spent the last week looking and looking with no luck. Maybe some with more skill with me can see where i have gone wrong.

Here is the original script

[php]<?php
error_reporting(E_ERROR);
define(“IN_SCRIPT”, 1);
// Validate if the user is real and if not ban their IP
require_once(“includes/init.php”);
/*
$user = mysql_real_escape_string($_GET[‘user’]);
$pass = md5($_GET[‘pass’]);
$hwid = md5($_GET[‘hwid’]);
$lid = $_GET[‘aid’];
*/

$user = $_GET[‘user’];
$pass = md5($_GET[‘pass’]);
$hwid = md5($_GET[‘hwid’]);
$lid = $_GET[‘aid’];

// Ban checking
// Check make sure the user has no previous bans.
// If they do alert them of it.
if ($bans->isBanned($_SERVER[‘REMOTE_ADDR’])){
die(“Your access has been restricted. This ban only lasts “.$settings->loadValue(“BANTIME”).” minutes.”);
}

switch($_GET[‘a’]){
case “verCheck”:
echo $auth->checkVer($_GET[‘ver’], $_GET[‘aid’]);
break;
case “login”:
if ($user == “” || $pass == “”){
echo “Failed”;
}else{

                    if ($auth->sessionExists($_SERVER['REMOTE_ADDR']) == true){
                            // destroy the previous hash.
                            mysql_query("UPDATE app_sessions WHERE ip = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."' SET expires = '".(time() - 10)."'");
                    }
            
                    $userData = $auth->validLogin($user, $pass, $hwid);
                    
                    if (is_array($userData) == false){
                            //print_r($auth->validLogin("Geo", "Password", ""));
                            echo "FAILED.";
                            $bans->addStrike($_SERVER['REMOTE_ADDR']);        
                    }else{
                            
                            if ($userData['active'] == "1"){
                                    if ($userData['hwid'] == $hwid){
                                            if ($userData['expires'] <= time() AND $userData['expires'] != 0){
                                                    echo "ERROR: Your account has expired.";
                                                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
                                            }else{
                                                    $auth->logAccess($userData['id']);
                                                    $key = $auth->generateHash();
                                                    $auth->createSession($key, $userData['id']);
                                                    echo $key;
                                            }
                                    }else{
                                            echo "ERROR: HWID Invalid. Only try logging in on the computer you activated the serial.";
                                            $bans->addStrike($_SERVER['REMOTE_ADDR']);
                                    }
                            }else{
                                    echo "ERROR: Your account is suspended.";
                            }
                    }
            
            }
            break;
    case "appNews":
            if ($auth->checkHash($_GET['hash']) == false){
                    echo "Invalid Session Hash.";
            }else{
                    $getId = mysql_query("SELECT * FROM app_sessions WHERE hash = '".mysql_real_escape_string($_GET['hash'])."'");
                    $hashInfo = mysql_fetch_assoc($getId);
                    echo $auth->getNews($hashInfo['lid']);        
            }
            break;
    case "activateSerial":
            $serial = mysql_real_escape_string($_GET['serial']);
            $information = array("serial" => $_GET['serial']);
            
            $userInfo = $auth->getLicenceInfo($information);
            
            if ($userInfo == false){
                    echo "ERROR: Serial is Invalid.";
                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
            }else{        
                    if ($userInfo['active'] == "1"){
                            if ($userInfo['user'] == "" && $userInfo['pass'] == ""){
                                    // Serial has not been activated.
                                    if ($_GET['user'] == "" || $_GET['pass'] == "" || $_GET['hwid'] == ""){
                                            echo "ERROR: Missing Username/Password/HWID.";
                                    }else{
                                            $user = mysql_real_escape_string($_GET['user']);
                                            $pass = md5($_GET['pass']);
                                            $hwid = md5($_GET['hwid']);
                                            $serial = mysql_real_escape_string($_GET['serial']);

                                            $getName = mysql_query("SELECT * FROM licences WHERE user = '{$user}'");
                                            
                                            if (mysql_num_rows($getName) == 0){
                                                    mysql_query("UPDATE licences SET user = '{$user}', pass = '{$pass}', hwid = '{$hwid}' WHERE serial = '{$serial}'") or die(mysql_error());
                                                    echo "SUCCESS: Serial has be activated with your details. You can now login.";
                                            }else{
                                                    echo "ERROR: Username Taken.";
                                            }
                                    }
                            }else{
                                    echo "ERROR: Serial has already been claimed.";
                                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
                            }        
                    }else{
                            echo "ERROR: Serial is not active.";
                            $bans->addStrike($_SERVER['REMOTE_ADDR']);
                    }
            }
            
            break;
            case "loadUserData":
                    $hash = $_GET['hash'];
                    // find the lid
                    $run = $db->select("app_sessions", "lid", array("hash" => $hash));
                    
                    if ($db->numRows($run) == 0){
                            echo "Failed.";
                    }else{
                            $array = $db->fetchRow($run);
                            $run = $db->select("licences", "*", array("id" => $array[0]));
                            
                            print_r($db->fetchAssoc($run));
                    }
            break;
            case "timeLeft":
                    $hash = $_GET['hash'];
                    // find the lid
                    $run = $db->select("app_sessions", "lid", array("hash" => $hash));
                    
                    if ($db->numRows($run) == 0){
                            echo "Invalid session.";
                    }else{
                            $array = $db->fetchRow($run);
                            $getData = $db->select("licences", "*", array("id" => $array[0]));
                            $data = $db->fetchAssoc($getData);
                            // Find the seconds left on the serial.
                            $timeLeft = $data['expires'];
                            
                            if ($timeLeft == "0"){
                                    // the licence is lifetime.
                                    echo "Lifetime Licence.";
                            }else{
                                    // work out the time left.
                                    $deltaTime = $timeLeft - time();
                                    $daysLeft = $deltaTime / 86400;
                                    $niceDaysLeft = floor($daysLeft);
                                    if ($niceDaysLeft == "0"){
                                            $niceDaysLeft = "<1";
                                    }
                                    echo $niceDaysLeft;
                            }
                    }
                    
            break;

}
?>[/php]

And here is my version of it.

[php]<?php
error_reporting(E_ERROR);
define(“IN_SCRIPT”, 1);
// Validate if the user is real and if not ban their IP
require_once(“includes/init.php”);
/*
$user = mysql_real_escape_string($_GET[‘user’]);
$pass = md5($_GET[‘pass’]);
$hwid = md5($_GET[‘hwid’]);
$lid = $_GET[‘aid’];
*/

$userc = $_GET[‘user’];
$passc = $_GET[‘pass’];
$hwidc = $_GET[‘hwid’];
$lid = $_GET[‘aid’];

// Set the encrytion options
$cipher = mcrypt_module_open(MCRYPT_RIJNDAEL_128, ‘’, MCRYPT_MODE_CBC, ‘’);
$key256 = ‘1A3B56C89D123E6123F456A890B2345F’; // 32 bytes
$iv = ‘C234A67D901B34F6’; // 16 bytes

// Start decrypting the username
if (mcrypt_generic_init($cipher, $key256, $iv) != -1) {
$ciphertext = pack(“H*”, $userc);
$userd = mdecrypt_generic($cipher, $ciphertext);
mcrypt_generic_deinit($cipher);
}

// Start decrypting the password
if (mcrypt_generic_init($cipher, $key256, $iv) != -1) {
$ciphertext = pack(“H*”, $passc);
$passd = mdecrypt_generic($cipher, $ciphertext);
mcrypt_generic_deinit($cipher);
}

// Start decrypting the hwid
if (mcrypt_generic_init($cipher, $key256, $iv) != -1) {
$ciphertext = pack(“H*”, $hwidc);
$hwidd = mdecrypt_generic($cipher, $ciphertext);
mcrypt_generic_deinit($cipher);
}

// Now we need to grab randomly generated numbers.
$randomnumbers = substr($hwid, -12);
echo $randomnumbers;

//Now we need to seprate the random numbers and the username
$numbers = array($randomnumbers,);
$words = array("",);
$phrase = $userd;
$user = str_replace($numbers, $words, $phrase);

// Now we nee to seprate the random numbers and the password
$numbers = array($randomnumbers,);
$words = array("",);
$phrase = $passd;
$passr = str_replace($numbers, $words, $phrase);

// Now we nee to seprate the random numbers and the hwid
$numbers = array($randomnumbers,);
$words = array("",);
$phrase = $hwidd;
$hwidr = str_replace($numbers, $words, $phrase);

$pass = md5($passr);
$hwid = md5($hwidr);

// Ban checking
// Check make sure the user has no previous bans.
// If they do alert them of it.
if ($bans->isBanned($_SERVER[‘REMOTE_ADDR’])){
die(“Your access has been restricted. This ban only lasts “.$settings->loadValue(“BANTIME”).” minutes.”);
}

switch($_GET[‘a’]){
case “verCheck”:
echo $auth->checkVer($_GET[‘ver’], $_GET[‘aid’]);
break;
case “login”:
if ($user == “” || $pass == “”){
echo “Failed”;
}else{

                    if ($auth->sessionExists($_SERVER['REMOTE_ADDR']) == true){
                            // destroy the previous hash.
                            mysql_query("UPDATE app_sessions WHERE ip = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."' SET expires = '".(time() - 10)."'");
                    }
            
                    $userData = $auth->validLogin($user, $pass, $hwid);
                    
                    if (is_array($userData) == false){
                            //print_r($auth->validLogin("Geo", "Password", ""));
                            echo "FAILED.";
                            $bans->addStrike($_SERVER['REMOTE_ADDR']);        
                    }else{
                            
                            if ($userData['active'] == "1"){
                                    if ($userData['hwid'] == $hwid){
                                            if ($userData['expires'] <= time() AND $userData['expires'] != 0){
                                                    echo "ERROR: Your account has expired.";
                                                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
                                            }else{
                                                    $auth->logAccess($userData['id']);
                                                    $key = $auth->generateHash();
                                                    $auth->createSession($key, $userData['id']);
                                                    echo $key;
                                            }
                                    }else{
                                            echo "ERROR: HWID Invalid. Only try logging in on the computer you activated the serial.";
                                            $bans->addStrike($_SERVER['REMOTE_ADDR']);
                                    }
                            }else{
                                    echo "ERROR: Your account is suspended.";
                            }
                    }
            
            }
            break;
    case "appNews":
            if ($auth->checkHash($_GET['hash']) == false){
                    echo "Invalid Session Hash.";
            }else{
                    $getId = mysql_query("SELECT * FROM app_sessions WHERE hash = '".mysql_real_escape_string($_GET['hash'])."'");
                    $hashInfo = mysql_fetch_assoc($getId);
                    echo $auth->getNews($hashInfo['lid']);        
            }
            break;
    case "activateSerial":
            $serial = mysql_real_escape_string($_GET['serial']);
            $information = array("serial" => $_GET['serial']);
            
            $userInfo = $auth->getLicenceInfo($information);
            
            if ($userInfo == false){
                    echo "ERROR: Serial is Invalid.";
                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
            }else{        
                    if ($userInfo['active'] == "1"){
                            if ($userInfo['user'] == "" && $userInfo['pass'] == ""){
                                    // Serial has not been activated.
                                    if ($_GET['user'] == "" || $_GET['pass'] == "" || $_GET['hwid'] == ""){
                                            echo "ERROR: Missing Username/Password/HWID.";
                                    }else{
                                            $user = mysql_real_escape_string($_GET['user']);
                                            $pass = md5($_GET['pass']);
                                            $hwid = md5($_GET['hwid']);
                                            $serial = mysql_real_escape_string($_GET['serial']);

                                            $getName = mysql_query("SELECT * FROM licences WHERE user = '{$user}'");
                                            
                                            if (mysql_num_rows($getName) == 0){
                                                    mysql_query("UPDATE licences SET user = '{$user}', pass = '{$pass}', hwid = '{$hwid}' WHERE serial = '{$serial}'") or die(mysql_error());
                                                    echo "SUCCESS: Serial has be activated with your details. You can now login.";
                                            }else{
                                                    echo "ERROR: Username Taken.";
                                            }
                                    }
                            }else{
                                    echo "ERROR: Serial has already been claimed.";
                                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
                            }        
                    }else{
                            echo "ERROR: Serial is not active.";
                            $bans->addStrike($_SERVER['REMOTE_ADDR']);
                    }
            }
            
            break;
            case "loadUserData":
                    $hash = $_GET['hash'];
                    // find the lid
                    $run = $db->select("app_sessions", "lid", array("hash" => $hash));
                    
                    if ($db->numRows($run) == 0){
                            echo "Failed.";
                    }else{
                            $array = $db->fetchRow($run);
                            $run = $db->select("licences", "*", array("id" => $array[0]));
                            
                            print_r($db->fetchAssoc($run));
                    }
            break;
            case "timeLeft":
                    $hash = $_GET['hash'];
                    // find the lid
                    $run = $db->select("app_sessions", "lid", array("hash" => $hash));
                    
                    if ($db->numRows($run) == 0){
                            echo "Invalid session.";
                    }else{
                            $array = $db->fetchRow($run);
                            $getData = $db->select("licences", "*", array("id" => $array[0]));
                            $data = $db->fetchAssoc($getData);
                            // Find the seconds left on the serial.
                            $timeLeft = $data['expires'];
                            
                            if ($timeLeft == "0"){
                                    // the licence is lifetime.
                                    echo "Lifetime Licence.";
                            }else{
                                    // work out the time left.
                                    $deltaTime = $timeLeft - time();
                                    $daysLeft = $deltaTime / 86400;
                                    $niceDaysLeft = floor($daysLeft);
                                    if ($niceDaysLeft == "0"){
                                            $niceDaysLeft = "<1";
                                    }
                                    echo $niceDaysLeft;
                            }
                    }
                    
            break;

}
?>[/php]

What am i doing wrong.

First, get it working before you and add all of that encryption. Once its working, then go through and add it all back in one step at a time. Saves a lot of time troubleshooting.

Assuming the registration is working as it should, either do a print_r on $_GET[] or echo each of the variables to verify that its not empty.

Also need to update this line - $userData = $auth->validLogin($user, $pass, $hwid);, change the variables to the ones you changed, else it’ll fail everytime since the information its looking for is empty.

You might also run into some issues with the HID since residential ips can change.

If you look at my code the variables do not need to be changed as i keep the variables the same and i have echoed out every variables i have stuck in and they contain the correct data.

one thing i realized is that your so called “random number” is taken from $hwid, witch isn’t even set (turn on error reporting). and even if $hwid was set, it would not work with md5 hashes, as you try to replace that number with an empty string.

i think your whole concept is flawed. either use encription and decription (no random number needed), or use a hash (md5) and to avoid dictionary attacs use the fixed same seed at both ends

Yes you where right that $hwid variable was not set i have since then corrected it, But the script still will not work. Its not flawed let me explain i choose to encrypt my web request and responses so that fiddler can not easily edit them.
So my app world grab the username password and hwid, then would generate a 11 digit random number.
Example (12345678910) then it would add the random number on the end of username password and the hwid.
Example (username12345678910) (password12345678910) (hwid12345678910).
Then my application will encrypt each one of them separately with the same key, this would make every request unique.
when it gets to the script it should decrypt all of them one by one, then separate the randomly generated numbers from the username password hwid but, also save the randomly generated numbers in a variable.
so the they would look like this example: (username) (password) (hwid).
Then the username and password would be hashed and stored in to the database. I hope that make things clearer. Here is my re fixed code.

[php]<?php
error_reporting(E_ERROR);
define(“IN_SCRIPT”, 1);
// Validate if the user is real and if not ban their IP
require_once(“includes/init.php”);
/*
$user = mysql_real_escape_string($_GET[‘user’]);
$pass = md5($_GET[‘pass’]);
$hwid = md5($_GET[‘hwid’]);
$lid = $_GET[‘aid’];
*/

$userc = $_GET[‘user’];
$passc = $_GET[‘pass’];
$hwidc = $_GET[‘hwid’];
$lid = $_GET[‘aid’];

// Set the encrytion options
$cipher = mcrypt_module_open(MCRYPT_RIJNDAEL_128, ‘’, MCRYPT_MODE_CBC, ‘’);
$key256 = ‘1A3B56C89D123E6123F456A890B2345F’; // 32 bytes
$iv = ‘C234A67D901B34F6’; // 16 bytes

// Start decrypting the username
if (mcrypt_generic_init($cipher, $key256, $iv) != -1) {
$ciphertext = pack(“H*”, $userc);
$userd = mdecrypt_generic($cipher, $ciphertext);
mcrypt_generic_deinit($cipher);
}

// Start decrypting the password
if (mcrypt_generic_init($cipher, $key256, $iv) != -1) {
$ciphertext = pack(“H*”, $passc);
$passd = mdecrypt_generic($cipher, $ciphertext);
mcrypt_generic_deinit($cipher);
}

// Start decrypting the hwid
if (mcrypt_generic_init($cipher, $key256, $iv) != -1) {
$ciphertext = pack(“H*”, $hwidc);
$hwidd = mdecrypt_generic($cipher, $ciphertext);
mcrypt_generic_deinit($cipher);
}

// Now we need to grab randomly generated numbers.
$randomnumbers = substr($hwidd, -12);

//Now we need to seprate the random numbers and the username
$numbers = array($randomnumbers,);
$words = array("",);
$phrase = $userd;
$user = str_replace($numbers, $words, $phrase);

// Now we nee to seprate the random numbers and the password
$numbers = array($randomnumbers,);
$words = array("",);
$phrase = $passd;
$passr = str_replace($numbers, $words, $phrase);

// Now we nee to seprate the random numbers and the hwid
$numbers = array($randomnumbers,);
$words = array("",);
$phrase = $hwidd;
$hwidr = str_replace($numbers, $words, $phrase);

$pass = md5($passr);
$hwid = md5($hwidr);

// Ban checking
// Check make sure the user has no previous bans.
// If they do alert them of it.
if ($bans->isBanned($_SERVER[‘REMOTE_ADDR’])){
die(“Your access has been restricted. This ban only lasts “.$settings->loadValue(“BANTIME”).” minutes.”);
}

switch($_GET[‘a’]){
case “verCheck”:
echo $auth->checkVer($_GET[‘ver’], $_GET[‘aid’]);
break;
case “login”:
if ($user == “” || $pass == “”){
echo “Failed”;
}else{

                    if ($auth->sessionExists($_SERVER['REMOTE_ADDR']) == true){
                            // destroy the previous hash.
                            mysql_query("UPDATE app_sessions WHERE ip = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."' SET expires = '".(time() - 10)."'");
                    }
            
                    $userData = $auth->validLogin($user, $pass, $hwid);
                    
                    if (is_array($userData) == false){
                            //print_r($auth->validLogin("Geo", "Password", ""));
                            echo "FAILED.";
                            $bans->addStrike($_SERVER['REMOTE_ADDR']);        
                    }else{
                            
                            if ($userData['active'] == "1"){
                                    if ($userData['hwid'] == $hwid){
                                            if ($userData['expires'] <= time() AND $userData['expires'] != 0){
                                                    echo "ERROR: Your account has expired.";
                                                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
                                            }else{
                                                    $auth->logAccess($userData['id']);
                                                    $key = $auth->generateHash();
                                                    $auth->createSession($key, $userData['id']);
                                                    echo $key;
                                            }
                                    }else{
                                            echo "ERROR: HWID Invalid. Only try logging in on the computer you activated the serial.";
                                            $bans->addStrike($_SERVER['REMOTE_ADDR']);
                                    }
                            }else{
                                    echo "ERROR: Your account is suspended.";
                            }
                    }
            
            }
            break;
    case "appNews":
            if ($auth->checkHash($_GET['hash']) == false){
                    echo "Invalid Session Hash.";
            }else{
                    $getId = mysql_query("SELECT * FROM app_sessions WHERE hash = '".mysql_real_escape_string($_GET['hash'])."'");
                    $hashInfo = mysql_fetch_assoc($getId);
                    echo $auth->getNews($hashInfo['lid']);        
            }
            break;
    case "activateSerial":
            $serial = mysql_real_escape_string($_GET['serial']);
            $information = array("serial" => $_GET['serial']);
            
            $userInfo = $auth->getLicenceInfo($information);
            
            if ($userInfo == false){
                    echo "ERROR: Serial is Invalid.";
                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
            }else{        
                    if ($userInfo['active'] == "1"){
                            if ($userInfo['user'] == "" && $userInfo['pass'] == ""){
                                    // Serial has not been activated.
                                    if ($_GET['user'] == "" || $_GET['pass'] == "" || $_GET['hwid'] == ""){
                                            echo "ERROR: Missing Username/Password/HWID.";
                                    }else{
                                            $user = mysql_real_escape_string($_GET['user']);
                                            $pass = md5($_GET['pass']);
                                            $hwid = md5($_GET['hwid']);
                                            $serial = mysql_real_escape_string($_GET['serial']);

                                            $getName = mysql_query("SELECT * FROM licences WHERE user = '{$user}'");
                                            
                                            if (mysql_num_rows($getName) == 0){
                                                    mysql_query("UPDATE licences SET user = '{$user}', pass = '{$pass}', hwid = '{$hwid}' WHERE serial = '{$serial}'") or die(mysql_error());
                                                    echo "SUCCESS: Serial has be activated with your details. You can now login.";
                                            }else{
                                                    echo "ERROR: Username Taken.";
                                            }
                                    }
                            }else{
                                    echo "ERROR: Serial has already been claimed.";
                                    $bans->addStrike($_SERVER['REMOTE_ADDR']);
                            }        
                    }else{
                            echo "ERROR: Serial is not active.";
                            $bans->addStrike($_SERVER['REMOTE_ADDR']);
                    }
            }
            
            break;
            case "loadUserData":
                    $hash = $_GET['hash'];
                    // find the lid
                    $run = $db->select("app_sessions", "lid", array("hash" => $hash));
                    
                    if ($db->numRows($run) == 0){
                            echo "Failed.";
                    }else{
                            $array = $db->fetchRow($run);
                            $run = $db->select("licences", "*", array("id" => $array[0]));
                            
                            print_r($db->fetchAssoc($run));
                    }
            break;
            case "timeLeft":
                    $hash = $_GET['hash'];
                    // find the lid
                    $run = $db->select("app_sessions", "lid", array("hash" => $hash));
                    
                    if ($db->numRows($run) == 0){
                            echo "Invalid session.";
                    }else{
                            $array = $db->fetchRow($run);
                            $getData = $db->select("licences", "*", array("id" => $array[0]));
                            $data = $db->fetchAssoc($getData);
                            // Find the seconds left on the serial.
                            $timeLeft = $data['expires'];
                            
                            if ($timeLeft == "0"){
                                    // the licence is lifetime.
                                    echo "Lifetime Licence.";
                            }else{
                                    // work out the time left.
                                    $deltaTime = $timeLeft - time();
                                    $daysLeft = $deltaTime / 86400;
                                    $niceDaysLeft = floor($daysLeft);
                                    if ($niceDaysLeft == "0"){
                                            $niceDaysLeft = "<1";
                                    }
                                    echo $niceDaysLeft;
                            }
                    }
                    
            break;

}
?>[/php]