Need Tips On Securing Licensing For PHP Script

MadMax · 2005-07-13, 07:01 PM

I'm coming right along on the script I've been working on, and now I need to look at building in some sort of licensing architecture to make sure that one purchase can't be installed on 1000 domains. Can anyone direct me toward a tutorial or some info on how to do this effectively?

I've been searching the web with no success.

TIA

b1ng0 · 2005-07-14, 12:35 AM

The only thing that comes to mind, and I think this is how most do it, is to Zend encode at least part of the script and use a 'phone home' function that basically tells you the hostname/domain that the script is being used on. There used to be another encoder/compiler that was really cheap but I can't remember the name of it

b1ng0 · 2005-07-14, 12:44 AM

The other one I was thinking of is IonCube ( www.ioncube.com ) but it looks like that is $200.. I was thinking it was a lot cheaper. That still beats the shit out of Zend at $960 though. It also requires a decoder that I don't think is installed on most servers, but I seem to remember there's standalone binaries that can be uploaded w/ the script.. cant find anything on the site about it though.

Barron · 2005-07-14, 01:11 PM

Short of encoding, there is no sure fire way. Anyone who has done any coding can reverse engineer and take out any licensing attempt.

But, you can hender the novice by using a combination of "manifest" checking, file size reports, and key swapping. The down side is, all require you to keep a server up and running for the life of the script you sold.

Another way is to take a look at the functions of your script. In every script there are one or two primary functions that make it do what its suppose to. Put those functions on your server and make the copy of the script you sold ask your server for the results. Example: Have the script ask for the html to create a form from your server, if the script doesnt pass the correct checking info, send the form with misspelled variables or leave out something important. Or, dont send the form at all.

It all starts with "install.php". Do the various things you need to do to get the script installed then do a file size report and send it to your server. Make your script do the various checks against the file size and key swapping.

If your using mysql, there are tons of things you can create to check against. Be creative when creating seeds. Also, at the time of install, no two servers are alike.

When your all done, go back and rename all your variables to something eligible, $qrspdf=0; and either remove your comments, or completely mis-label your comments.

Anything can be reverse engineered, the idea is to make it as hard as possible to do so that they nearly have to rewrite the script to make it work.

That leaves what to do if the checks fail.
Check for non-existant cookie and cause another variable to be true. Or, session variables wont hold arrays. Or, unset a session variable and call it later. Leave a blank line in the same file call header(). The user will delete that blank line and change the file size. If a someone tries to comment out lines or remove them, the file size will change.

And last but not least, use shell exec command and get the Mac address(s) at time of install.(some web hosts allow this, some dont).

http://coffer.com/mac_info/locate-unix.html

Done of this is fool proof. If all else fails, get a encoder : )

-

MadMax · 2005-07-14, 01:17 PM

Thanks Barron

I'll get Zend Encoder eventually, just can't spring for it right now and you make some great short term suggestions

2005-07-13, 07:01 PM	#1
MadMax "Without evil there can be no good, so it must be good to be evil sometimes" ~ Satan Join Date: Aug 2004 Location: Motor City, baby, where carjacking was invented! Now GIMME THOSE SHOES! Posts: 2,385	Need Tips On Securing Licensing For PHP Script I'm coming right along on the script I've been working on, and now I need to look at building in some sort of licensing architecture to make sure that one purchase can't be installed on 1000 domains. Can anyone direct me toward a tutorial or some info on how to do this effectively? I've been searching the web with no success. TIA

2005-07-14, 12:35 AM	#2
b1ng0 I'm going to the backseat of my car with the woman I love, and I won't be back for TEN MINUTES Join Date: Jan 2005 Posts: 85	The only thing that comes to mind, and I think this is how most do it, is to Zend encode at least part of the script and use a 'phone home' function that basically tells you the hostname/domain that the script is being used on. There used to be another encoder/compiler that was really cheap but I can't remember the name of it

2005-07-14, 12:44 AM	#3
b1ng0 I'm going to the backseat of my car with the woman I love, and I won't be back for TEN MINUTES Join Date: Jan 2005 Posts: 85	The other one I was thinking of is IonCube ( www.ioncube.com ) but it looks like that is $200.. I was thinking it was a lot cheaper. That still beats the shit out of Zend at $960 though. It also requires a decoder that I don't think is installed on most servers, but I seem to remember there's standalone binaries that can be uploaded w/ the script.. cant find anything on the site about it though.

2005-07-14, 01:11 PM	#4
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	Short of encoding, there is no sure fire way. Anyone who has done any coding can reverse engineer and take out any licensing attempt. But, you can hender the novice by using a combination of "manifest" checking, file size reports, and key swapping. The down side is, all require you to keep a server up and running for the life of the script you sold. Another way is to take a look at the functions of your script. In every script there are one or two primary functions that make it do what its suppose to. Put those functions on your server and make the copy of the script you sold ask your server for the results. Example: Have the script ask for the html to create a form from your server, if the script doesnt pass the correct checking info, send the form with misspelled variables or leave out something important. Or, dont send the form at all. It all starts with "install.php". Do the various things you need to do to get the script installed then do a file size report and send it to your server. Make your script do the various checks against the file size and key swapping. If your using mysql, there are tons of things you can create to check against. Be creative when creating seeds. Also, at the time of install, no two servers are alike. When your all done, go back and rename all your variables to something eligible, $qrspdf=0; and either remove your comments, or completely mis-label your comments. Anything can be reverse engineered, the idea is to make it as hard as possible to do so that they nearly have to rewrite the script to make it work. That leaves what to do if the checks fail. Check for non-existant cookie and cause another variable to be true. Or, session variables wont hold arrays. Or, unset a session variable and call it later. Leave a blank line in the same file call header(). The user will delete that blank line and change the file size. If a someone tries to comment out lines or remove them, the file size will change. And last but not least, use shell exec command and get the Mac address(s) at time of install.(some web hosts allow this, some dont). http://coffer.com/mac_info/locate-unix.html Done of this is fool proof. If all else fails, get a encoder : ) -

2005-07-14, 01:17 PM	#5
MadMax "Without evil there can be no good, so it must be good to be evil sometimes" ~ Satan Join Date: Aug 2004 Location: Motor City, baby, where carjacking was invented! Now GIMME THOSE SHOES! Posts: 2,385	Thanks Barron I'll get Zend Encoder eventually, just can't spring for it right now and you make some great short term suggestions