>I guess it would be an interesting experiment to create a proxy that captures any values going out to Gumroad's license verification API endpoint and changes all server responses to be true instead of false. Ditto for altering the number of uses of a product in case there is a limit there too.
You don't need to create a custom proxy for that.
There are many general-purpose tools that will let you inspect/modify HTTP/HTTPS traffic between your browser and a remote server:
> You don't need to create a custom proxy for that.
Wrong, you still need a custom proxy server for this to work.
The programs you suggested only help to (temporarily) inspect the Request/Response, as you say, but you would need to manually modify the responses every time they come through the proxy, which could easily translate to hundreds of requests per day while using a single app. Surely no one wants to have to sit there modifying every single HTTP request while using an app like Adobe Photoshop.
Instead, what you want is to inspect these requests/responses once using one of those programs you suggested, and then immediately translate your findings into a permanent API endpoint in your custom proxy server, which is constantly running in the background. This way you can use the app as any other user and the app will think that it is communicating with the real (remote) API.
Your suggestion to use either Burp Suite, Charles Proxy, or mitmproxy only helps if the app you are trying to crack checks for a valid license once in its entire installation lifetime. Unfortunately, the great majority of apps out there try to validate the license every few days, hours, and even minutes; for example, Sublime Text sends a request to license[.]sublimehq[.]com/check/<license> several times a day.
>The programs you suggested only help to (temporarily) inspect the Request/Response, as you say, but you would need to manually modify the responses every time they come through the proxy, which could easily translate to hundreds of requests per day while using a single app. Surely no one wants to have to sit there modifying every single HTTP request while using an app like Adobe Photoshop.
The tools I mentioned all support rules for automatically modifying requests/responses. Most of them support custom scripting as well.
>Wrong, you still need a custom proxy server for this to work.
Not sure why the rudeness here. I'm just sharing some useful tools that would be easier to use than writing an entire HTTP proxy from scratch.
You'll certainly have more power writing a custom proxy from scratch, but off-the-shelf HTTP proxying tools are a good start for someone exploring this space.