license API

This is the old version of my license management system I built for my security research and red team forum XorBytes (xorbytes.org). Started as a simple license checker but grew into something pretty solid for managing my security research tools, reverse engineering suites, and security software with proper license validation, HWID locking, and all that good stuff. even though its not that safe, its still a good resource to learn from.

What This Actually Does

I run a security research community and needed a way to:

• Sell licenses for my security tools (packers, obfuscators, RE automation suites)
• Prevent account sharing between users (HWID locking is clutch for this)
• Keep binaries secure (SHA256 hash verification so nobody distributes modified versions)
• Handle subscriptions automatically without dealing with payment processor webhooks every damn time
• Ban abusers who try to crack or bypass the licensing system

How I Actually Built This

Look, I'm not some elite developer. This whole thing came together through:

• Googling everything - Stack Overflow, NestJS docs, TypeORM tutorials, random Medium articles
• YouTube university - Shoutout to those Indian CS professors who explain things better than official docs
• Copying code snippets from GitHub repos and adapting them (don't we all?)
• AI tools sometimes (ChatGPT/Copilot, though honestly 60% of what they give me is broken junk)
• Trial and error - lots of console.log debugging and cursing at TypeScript errors
• Reading docs at 2 AM when production breaks and users are yelling at me

If you're reading this code thinking "wow this is really good" - I promise It isn't. I just spent way too many hours Smashing my head against the keyboard until it worked!

Features That Actually Work

Security Stuff

• HWID Auto-Banning: Try to brute force licenses? Get banned after 5 attempts in 15 minutes (permanent ban too)
• License Key Validation: Clean format like TRIAL-A3F9K-2D8P1-M4N7Q (much better than my old random UUID approach)
• SHA256 Binary Verification: Makes sure nobody's running modified/cracked versions of your tools
• JWT Session Tokens: Proper stateless auth (learned this the hard way after session storage kept eating RAM)
• API Key Protection: Extra layer for binary authentication (because just license keys wasn't enough apparently)

License System

• 4 Simple License Types (tried doing more but it got too complicated):
  • TRIAL-XXXXX-XXXXX-XXXXX (1-7 days depending on product)
  • WEEKLY-XXXXX-XXXXX-XXXXX (7 days - great for short reverse engineering contracts)
  • MONTHLY-XXXXX-XXXXX-XXXXX (30 days - most customers go with this)
  • YEARLY-XXXXX-XXXXX-XXXXX (365 days - best value, obviously)
• Product-Specific Enforcement: A license for "Advanced Packer Pro" only works for that product, not your RE Suite
• HWID Locking: First machine to activate gets locked to that hardware (saved my ass from account sharing)

Real-Time Features

• WebSocket Verification: Binaries stay connected and validate in real-time
• Instant Ban Notifications: Revoke a license? User gets kicked immediately
• Single Session Enforcement: Only one connection per HWID (no more "oh I'm running it on 5 machines")

Products I'm Using This For

Advanced Packer/Obfuscator Pro

Professional binary protection for security-sensitive applications:

• Trial: 7-day full feature access (or watermark-limited builds for extended trials)
• Weekly: Perfect for short-term binary protection (tournaments, beta testing phases, time-sensitive contracts)
• Monthly/Yearly: Continuous use for organizations/developers with regular release cycles
• Features: Code obfuscation, anti-debugging, virtualization, custom packers

Reverse Engineering Automation Suite

Comprehensive RE toolkit with automated analysis capabilities:

• Trial: Limited binary size and feature restrictions (gotta keep the freeloaders out)
• Weekly: Great for project-based reverse engineering contracts
• Monthly/Yearly: Full access for professional researchers and pentesters
• Features: Automated binary analysis, pattern recognition, decompilation tools, scripting API

Quick Start

# Install dependencies (using pnpm because npm is slow as hell)
pnpm install

# Copy environment file
cp .env.example .env

# Edit .env with your actual database credentials
# (Don't forget to change JWT_SECRET and LOADER_API_KEY from defaults!)

# Run the database schema
# Execute db/db.sql in your PostgreSQL database

# Fire it up in dev mode
pnpm start:dev

API Endpoints (The Important Ones)

For Your Users

• POST /api/v1/loaders/check-hwid - Check if HWID is banned before even showing login (prevents wasted attempts)
• POST /api/v1/loaders/verify - Main verification endpoint (binary hash + license validation)
• POST /api/v1/auth/register - User registration with email verification
• POST /api/v1/auth/login/credentials - Standard username/password login

For Admins

Still needs polish but here's what works:

• POST /api/v1/licenses/create - Generate new license keys for products
• POST /api/v1/products - Add new security tools to the system
• POST /api/v1/loaders/create - Upload new binary versions with SHA256 hashes

Tech Stack

• NestJS - Everyone recommended it for APIs and they were right (way better than Express spaghetti)
• PostgreSQL - Solid, free, handles thousands of license checks without breaking a sweat
• TypeORM - Makes database operations less painful than raw SQL (most of the time)
• Socket.io - Real-time WebSocket connections for live license verification
• bcrypt - Password hashing with 12 rounds (bumped from 10 after reading a security audit post)
• JWT - Stateless authentication tokens (refresh tokens too, learned about those after users complained about constant logouts)

Issues I Actually Faced (And How I Fixed Them)

• HWID Reliability: Spent like 3 weeks testing different hardware ID methods across VMs, containers, and bare metal. Ended up using a combination approach.
• WebSocket Timeouts: Initially just checked connections every 30 seconds. Had to implement proper heartbeat system after users kept getting disconnected.
• License Format Evolution: Started with UUID4, then switched to prefix-based format for easier support ("is it trial or monthly?" became instantly visible)
• Auto-Banning Logic: First version banned after ANY failed attempt. Bad idea. Refined to 5 attempts in 15 minutes and only for credential failures (not network issues).
• Product Isolation: Originally licenses could be used across products. Fixed this after realizing people were buying cheap licenses and using them everywhere.

API Documentation

Once you get it running, check out: http://localhost:3000/api/docs

Full Swagger/OpenAPI docs with examples, request/response formats, and you can even test endpoints directly in the browser!

Contributing

This is mainly for XorBytes stuff, but if you're from the security research community and want to improve something, PRs are welcome. Just don't completely refactor everything because I actually need to understand my own code.

Project License

MIT licensed because I figure if someone wants to use this for their own security tools business, go for it. Just don't blame me if something breaks in production at 3 AM.

---

Made with ❤️ (and copious amounts of Persian Chai ☕) by neox1de