Need Tips On Securing Licensing For PHP Script

Barron · 2005-07-14, 01:11 PM

Short of encoding, there is no sure fire way. Anyone who has done any coding can reverse engineer and take out any licensing attempt.

But, you can hender the novice by using a combination of "manifest" checking, file size reports, and key swapping. The down side is, all require you to keep a server up and running for the life of the script you sold.

Another way is to take a look at the functions of your script. In every script there are one or two primary functions that make it do what its suppose to. Put those functions on your server and make the copy of the script you sold ask your server for the results. Example: Have the script ask for the html to create a form from your server, if the script doesnt pass the correct checking info, send the form with misspelled variables or leave out something important. Or, dont send the form at all.

It all starts with "install.php". Do the various things you need to do to get the script installed then do a file size report and send it to your server. Make your script do the various checks against the file size and key swapping.

If your using mysql, there are tons of things you can create to check against. Be creative when creating seeds. Also, at the time of install, no two servers are alike.

When your all done, go back and rename all your variables to something eligible, $qrspdf=0; and either remove your comments, or completely mis-label your comments.

Anything can be reverse engineered, the idea is to make it as hard as possible to do so that they nearly have to rewrite the script to make it work.

That leaves what to do if the checks fail.
Check for non-existant cookie and cause another variable to be true. Or, session variables wont hold arrays. Or, unset a session variable and call it later. Leave a blank line in the same file call header(). The user will delete that blank line and change the file size. If a someone tries to comment out lines or remove them, the file size will change.

And last but not least, use shell exec command and get the Mac address(s) at time of install.(some web hosts allow this, some dont).

http://coffer.com/mac_info/locate-unix.html

Done of this is fool proof. If all else fails, get a encoder : )

-

2005-07-14, 01:11 PM	#4
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	Short of encoding, there is no sure fire way. Anyone who has done any coding can reverse engineer and take out any licensing attempt. But, you can hender the novice by using a combination of "manifest" checking, file size reports, and key swapping. The down side is, all require you to keep a server up and running for the life of the script you sold. Another way is to take a look at the functions of your script. In every script there are one or two primary functions that make it do what its suppose to. Put those functions on your server and make the copy of the script you sold ask your server for the results. Example: Have the script ask for the html to create a form from your server, if the script doesnt pass the correct checking info, send the form with misspelled variables or leave out something important. Or, dont send the form at all. It all starts with "install.php". Do the various things you need to do to get the script installed then do a file size report and send it to your server. Make your script do the various checks against the file size and key swapping. If your using mysql, there are tons of things you can create to check against. Be creative when creating seeds. Also, at the time of install, no two servers are alike. When your all done, go back and rename all your variables to something eligible, $qrspdf=0; and either remove your comments, or completely mis-label your comments. Anything can be reverse engineered, the idea is to make it as hard as possible to do so that they nearly have to rewrite the script to make it work. That leaves what to do if the checks fail. Check for non-existant cookie and cause another variable to be true. Or, session variables wont hold arrays. Or, unset a session variable and call it later. Leave a blank line in the same file call header(). The user will delete that blank line and change the file size. If a someone tries to comment out lines or remove them, the file size will change. And last but not least, use shell exec command and get the Mac address(s) at time of install.(some web hosts allow this, some dont). http://coffer.com/mac_info/locate-unix.html Done of this is fool proof. If all else fails, get a encoder : ) -