Checking if plugin is allowed to run!

Discussion in 'Plugin Development' started by mimc, Oct 31, 2015.

Thread Status:
Not open for further replies.
  1. Offline

    mimc

    Hi,
    I have made a kitpvp plugin but want to controll it so if someone i have gived the plugin to just take it i want to disable it easy. maybe with mysql?
     
  2. @mimc What?
    You want to disable the plugin on other servers?

    When the plugin first starts, call a PHP script on your webserver, sending the IP of the server and a true / false bool onto the MySQL DB.

    Then, whenever the server / plugin starts, send a request to another PHP script checking if the IP has the bool value on true / false. If it's true, continue, if its false, stop the plugin.

    But why would you need that?
     
  3. Offline

    Hawktasard

    @mimc
    Doing something with the jar would probably not be a very effective way to deal with people leaking your plugins.
    If you're working on some big server you should make everybody that gets access to any of the jars or source code sign an NDA or something of the sorts.
     
    Lionhard likes this.
  4. Online

    timtower Administrator Administrator Moderator

  5. @timtower Using PHP Files instead of directly connecting to the MySQL database would atleast prevent users from directly accessing them.

    Though he would have to play with .htaccess files to prevent people from accessing the webpage themselves or some PHP checks to see if the server is the one who tries to access the page.
     
  6. Online

    timtower Administrator Administrator Moderator

    @Lionhard Was more talking about stripping away the security.
    As in decompiling and removing code.
     
  7. @timtower Oh, well yeah, I have no idea. :D The thing is he atleast doesn't give out credentials to the DB. But well, if he gives the plugin just privately to some non-developers, the risk is low. Just make one function calling another function calling another function, passing some parameters, using those parameters call another function and in THAT function, with a complete different name than it actually does, send the requests. :):):)
     
  8. Online

    timtower Administrator Administrator Moderator

    @Lionhard Then you can still bypass it by forcing the internet calls through a proxy that is able to fake certain calls.
     
    Lionhard likes this.
  9. Offline

    mimc

  10. Online

    timtower Administrator Administrator Moderator

    @mimc Yes you can, but it can be bypassed very easily.
     
  11. Offline

    Zombie_Striker

    @mimc
    There is only one option; Make it so no one can get your jars. This can be easily done by keeping it to yourself. If this can't be done, then there is no other way to protect your plugin. Anyone can de-compile code to remove the checks inside the code. The next step would be to add code that would delete the whole jar for their system, but that can be viewed as "malicious" code and any Anti-Virus would stop it.
     
  12. Offline

    mimc

    @Zombie_Striker but how can i delite the jar file? tell me, the code etc. im not pro
     
  13. Offline

    Zombie_Striker

    @mimc
    Short answer: If you are not a pro, you cant. And even if you are a pro, you have to bypass any AntiVirus (which you most likely can't)

    Long answer:
    You would need to devise a way of duplicating some code that is not in the jar file you want to delete (so you would have plugin 1.jar create plugin2.jar), Activate that plugin, then have that plugin2 deactivate plugin1, and then delete that file.

    But the problem is, that person may have also copied that file somewhere else (having two copies of plugin1 on his computer), so you would need to look around the entire drive(s) (which would raise flags for the anti-virus) (this is assuming he only has one drive, and that he didn't save the jar to a flash-drive, if he saved it to a flash drive, game over) and then delete all files containing that .jar (WHICH THE ANTI-VIRUS WOULD NOT ALLOW).
     
    Last edited: Oct 31, 2015
  14. Offline

    mythbusterma

    @mimc @Zombie_Striker @timtower

    Actually, in short:

    If you distribute this plugin, you cannot put access controls on it. Period. You would be violating the terms of Bukkit's license if you did so.

    If it's for personal use only (which is the only acceptable case for putting access controls on it), then just make sure you actually keep it to yourself.

    Zombie, I'm not sure what you're on about. Most servers don't have AV, and most AV won't flag a scan (I mean, that means they would get tripped by the POSIX "find" utility, come on), that would be a very weird behaviour for antivirus. In addition, on most systems, you can override the "in use" thing and delete the file anyway (read: Windows, Linux).

    It's a futile effort anyway, I doubt you could write anything that would take me more than one hour to rip out of the plugin regardless.
     
Thread Status:
Not open for further replies.

Share This Page