Finding a way to live with the Woo kit

As the Woo kit is a bit clumsy, I tried to find a way to live with it. I made two versions of the kits: one for the 30-days trial workbook, the other is for the 365-day subscription. Both of them work fine with their own channel, however there is an annoying issue: the 365-day subscription users may use the free trial token to activate the workbook to get a free ride.

In order to prevent this, I put a slug, say ‘trial’, into the trial product to differentiate it to the registered one. However I’m still struggling to get the slug from the order. I put a pseudo-code into the MainController.php as shown in the screenshot, could someone spare a bit of time to give me a clue how to make it work. I would highly appreciate it.


So if I understand your question…your trial is a short period and your other option is 1 year -cant you just create the keys associated with the periods into the store via /Tools import/License keys Import ? I dont see the reason you want to change the code as the licence keys need to be imported via a CSV file into the Woocommerce store. ?The licence keys you can create with the tool for bulk licence numbers then simply only import your CSV file with the codes into the store(Trial and 1 year codes). The controll of the periods are controlled with the software…nothing needs to be changed on the store.The only thing you need to do is to associate the products you sell with the store.There is 1 modification I can think off out of my head.Then you need to set the amount of activations you require or allow on the code(Licence key).That is a modification in code


There is no licence key to hand over to customers when they purchase either the trial or the registered version. All keys will be generated on the fly and there is no way to enter the keys manually. The customer will activate the software via tokens. Every time the software runs the validation process kicks in to verify the token. They need internet connection to run the software.

I hope that implementing the activation and validation this way will avoid the risk of using the master key to generate licence keys. Even the master key is leaked, I hope it’s not easy for someone to break my dll engine to make it works.
For algorithm protection, only God understands the code now, I don’t unfortunately.

I believe the weakest point now is lying on the connection to the XLSPadlock’s server. To be honest, I hate this.

The only way around this sadly is to have 2 different secret keys and master keys.

key1 = 30 days
key2 =365 days

So even if the codes work the keys will be different…They wont be able to activate the 1 key with a different master and secret key. That will prevent thm activating the full product with demo key.You can setup two templates. I understand your concern now.You got a vallid point only way around it is to have two set of different secret and master keys on the same product

I would not allow the creation of keys in the first place…create the manual keys and import the keys into store like I have mentioned above. There your problem is solved my doing it that way.

I did setup the two sets of Woo kits with different API keys. Now the complex problem has been simplified to getting the tokens entered in correct gates.
I’ve improved the checking points a bit to allow more type of subscriptions, ie subscription-3year, perpetual etc as shown in the screenshots.
This logic works exactly the way you reserved a table in a restaurant and you could have peace in mind to get that spot at that place and at that time. If someone pretended to be you, he would be kicked out immediately once you complained to the gate keeper, then you got your spot again. And once you have seated there at that table, no one can jump in and claim that table.
If you or someone can help to write a function to get the slug from the $customer_order_id, the problem would be solved!

What is the format of your $customer_order_id then? Do you have an example?

The $customer_order_id is defined in your Woo kit MainController.php
I guess it is integer type, ie 123.

So what should Get_Product_Slug do exactly? Should it retrieve some info from WooCommerce based on $customer_order_id?

Yes, the Get_Product_Slug function should retrieve the slug as a string from the purchased product.

But where in WooCommerce do you enter the slug? Maybe you have defined two different products in WooCommerce? If this is the case, you could get info about which product has been purchased thanks to the $order_data variable.

Oh, I’m sorry, the slug is from the categories, please see screenshot
So, the workflow should be: $customer_order_id=>purchased_product=>product_categories=>slug.

OK, I’ve got one checkpoint works. Just want to share it to someone in need. Put these lines somewhere into the MainController.php then you can stop the workbook before the order completed.

Got one checkpoint done, now I’m proceeding to the next but also the last one, I hope. I totally have no idea about what kind of information the $order_data variable can provide and how to extract it.

Support - can you please give me a clue how to do this?

Alright, I’ve got my own problem solved. I would like to share this to you, my fellow XLSPadlock users.
Put these below lines into both getactivation and dovalidation functions within the MainController.php at the location as shown in the screenshot, then you can have some additional features to the Woo kit:

  • Allows workbook to activate/validate by controlling the order status. You may either control the order status on your website or by using the WooCom app on iPhone. If you want to block someone from using the workbook for whatever reason, change the order status to something different to ‘completed’.
  • Set expiry date for your product. You can change the ‘+365 days’ to whatever suits you.
  • If you have a couple of products in your shop, you may want to prevent customers from accidentally/intentionally crossing activation.

Credit is due here -for a VBA guy with no php skills we salute you for a job well done PhuongM -fantastic job to solve this by your own without anyone’s help. Job well done

I would love to see screenshots to showcase it…Check your email there is one concern still. Hope support can help. We need also a silent validation where it doesnt give an error message but it will ONLY close the application. Reason being any person that want to reverse engineer can simply go on the error message and remove the code…thus bypassing it. There is always back doors…Make it as difficult as possible to hack.So we need a silent mode without any error message that will simply close the application down.

Currently the setting is Mandatory…require a message for Validation.
We need an option to make that Mandatory a silent validation

Good work. We’ll place a link to your post in the documentation for users who want to add expiration feature checking for instance.

We’ll see whether the message can be avoided. Anyway, you could also use our VBA helper to see if validation was successful or not, and quit Excel from your VBA code too.

Golfer65/Support - thanks for your kind praises. Although I’ve managed to jump over those hoops, I’m definitely not a PHP guy, it’s not my expertise, it took me 3 days to write those lines. I wish I could use that time to do something better ie. improving my app to better serve my users. I believe that you guys are PHP experts and it would take you couple of minutes to write those newbie lines of code. Anyway, please see screenshots for the showcase as requested.

I don’t use the method that Golfer65 suggested which is generating the keys then upload to the activation server because from my logic, it is impossible to use the hardware-locked keys option by using that method.

XLSPadlock support - Now the whole activation process of my app depends on the link to your server. Everything works perfectly so far, and I can have peace in mind that I don’t have to worry about leaking of the master key or breaking the EXE. If the attacker could break my DLL, it would be my fault, I won’t blame you for breaking the parts on your side.

However, there is a big concern in my head - the activation link to your server. I understand that now the activation is free, you are still in business and if you are out of business you would make the
XLSPlKeyGen.exe available to the public as promised, I highly appreciate it.

But, can you please confirm if you have any intention to charge for that activation link in the future?
Block crossing activation-validation
Check Expiry Date
Check order status

Thank you Support.Please do as that is a BIG vulnerability and security hole that can be EASILY exploited…we need a silent validation. It will be preferable that the validation DONT lie on the exe but on the PHP -BUT on the software the validation should have the option to do that silently -giving away no reference in code. Any hacker will attack the error message and by making it silent you will making it ten times harder to reverse engineer as you wont give them a source to troubleshoot. I hope you can do this on the next release support as this is a critical exploit that needs your urgent attention.


Quite correct that will work for your demo codes the non hardware locked keys.On your full version software there must be a way to implement that the hardware locked keys be passed to the Woostore. Thank you for the screenshots -looks fantastic PhuongM