license key for php script

I have a script, and I sell it to some people. I need a way to make sure that my script won't work on any website that is not in my client list.

  • First of all, I am using IonCube to encrypt my PHP code.
  • I have all my clients in my server database.
  • Each Client has a domain name, email, name, phone.

What is the best method to stop people from stealing my script?

I read about putting a license key in the script, so any script without a license won't work. However, there are many ways to generate a license key without my permission, right?

All I need is to not activate any script in any domain name, unless I have it in my clients list.

Obsolesce answered 16/12, 2012 at 1:58 Comment(12)
If you read my name, I am only capable of recommending `<iframe>...Jp
@eicto if it's your own software, are you going to make some people pay and some not?Obsolesce
Does your software cost so much that you want to set up a licensing server, build a full licensing framework and keep your greedy eye on all of that? Piracy is free advertising for you.Yelmene
If you are using IonCube successfully, you can make a separate connection to a database which can be connected to through remote SQL; select the database and ensure that Licensed=1 and company=$company --- Make sure $company is set to the company/name of the user.Caudex
@eicto OP didn't ask to be morally judged, don't be like that, it's not up to you.Sextain
@EvanTrimboli it is not only a moral reason, it is also an economic reason not to have a licensing machine for small scripts.Yelmene
@EvanTrimboli - Yeah, it's Othman's business. Othman, doesn't IonCube have something for this? Some encryption method that requires server MAC addresses and one-time RSA codes or something? You might expire a certain critical part of the system every 90 days, maybe, where they're required to get a new AES-256 encrypted file from you, without which the system won't work in any significant way. But beware of snake oil and fast-talking charlatans bearing "unbreakable wonderithms" that have never been reviewed by real security professionals. They always turn out to be XOR and a bunch of malarkey.Gyimah
It is fairly easy to make such a system, but it costs too much to support it. For example you can generate a license based on the customer's IP and hardware, and at the nearest migration the customer will curse you. Sell with minimum protection, give a signed license which will need to be updated monthly, and you will be ok. But remember - it will probably require more resources than your program will bring you; that's why I'm talking about greed.Yelmene
@eicto - Let's get back to the business at hand. I'm a certified risk manager and can tell you for a fact well over half of all people fear what will never hurt them while living with risks that eventually will, directly or indirectly. But that kind of analysis and moral and ethical discussion isn't really appropriate in this context. Focus...Gyimah
@eicto The word you're looking for is either unprofitable or uneconomical. We're not here to judge the OP's business nor the size of his project. PHP projects are not always "small scripts". Stick to the question.Assuntaassur
@ccKep I'm sure that it is a small project, because otherwise the OP would know the answer already.Yelmene
Implementing the protection based on ionCube + maintaining the infrastructure for it (license server, etc.) costs more than the price of decoding. Whereas the protection should always be cheaper than the price of the data.Esbjerg

There's a reason Adobe, Microsoft, and others don't over actively pursue pirates (not saying they don't, just not at epic, absolutism levels) - they make most of their money from business to business sales and support. A simple license and support structure is typically enough to posture yourself for profit from legitimate businesses and parties who want your product.

Technical protection is a losing battle if you're going to give anyone the code. That's why SaaS is so popular.

Humbuggery answered 16/12, 2012 at 3:20 Comment(0)

Your question is very interesting because way too many php developers wonder the same thing. How can I protect my product from being stolen and copied?

Some of the comments talk about not being greedy, but the truth is that many people program for a living, so it isn't a matter of just some software you built as a hobby; it is your work and you deserve to get paid for it, just like in any other profession.

Sadly, PHP is a language that is very hard to protect, but I will give you a few pointers:

1) Don't trust encryption: I have seen way too many tools for un-encrypting code, even some tools that I used to trust like Zend Guard, are also vulnerable. The most advanced tools I have seen can reveal your code in minutes.

EDIT: Another thing I forgot to mention about encryption. It will require the server to have certain special modules installed in order for your code to work and this is a deal-breaker for all the people who use shared hosting and can't install the unencryption module.

2) Try obfuscation: Even though your code will still be readable, if the obfuscator does a good job at mixing variables, adding nonsense and making functions within functions, the code itself will become almost non-modifiable, so it will be useless to try to modify it.

3) Take advantage of obfuscation to insert domain-lock code within your software itself: Instead of a license file, just sell the software to a certain customer with some domain verification code within the software itself, that approach combined with obfuscation, will make it very hard to figure out what to change to make it work in some other domain, so you will probably achieve your goal.

4) Make great software: This is the most important part. Build outstanding software that people will be willing to pay for, create a proper website for it, get the word out there.

I hope I have helped you.

Levorotation answered 16/12, 2012 at 3:12 Comment(13)
"will make it very hard to figure out what to change" --- nope, it won't. With debugger it will be found in minutes.Esbjerg
@Esbjerg it seems like you haven't worked with obfuscators. No matter what debugger you use, the logic becomes so screwed up that it is impossible to follow it. There are tools that try to get it back in order, but since variable names are lost and additional useless variables are added, it is still impossible. Just think about it: it is already very hard to maintain code that is not properly documented; a large piece of software that is obfuscated is just a nightmare to follow.Levorotation
I know what I'm talking about. You think it's difficult - okay, but I have another point of view. It's not about maintaining the obfuscated spaghetti, it's about finding several checks about current domain.Esbjerg
@Esbjerg the point isn't about finding them, it is about how to deactivate them without breaking the software. If you understand the logic, you just remove the piece of code or modify it, but if you can't figure out what variables the check is supposed to set or what effect those have, it is hard. Add several of those and it certainly becomes more cost-effective to just pay the programmer a proper fee and get it working.Levorotation
Show an example of such a check? It's likely to be a single if with exit, or calling some function. And this will be fixed easily.Esbjerg
Ok, I will give you an example from actual software I saw that was obfuscated. For reference, it had about 100 PHP scripts. In one specific file it set a global variable $foj973 = eval(base64_decode("base64 code that got the $_SERVER['http_host'])), then in a series of other files there were certain ifs that checked just certain letters of this string, so for example, in one file it checked if the first letter of $foj973 was "a" and then in another if the last letter was "u" and so on, setting certain new variables $s977X, $isj33, etc. to different values. * CONTINUES... *Levorotation
well, no reason to continue - even if you split your checks into several parts, there will still be one final check that breaks further execution. After you find it (it's easy) you have everything it depends on.Esbjerg
In the end, there were certain libraries that were used throughout the application that relied on those variables to draw graphics, display tables, etc. If the values were wrong, nothing worked properly. And since it was impossible to figure out the logic, it was also very hard to actually trace all these variables back to the point where the key variable $foj973 was set. Trust me... it was WAY more cost-effective to just pay for the software, because it wasn't a matter of an "exit"; the software still worked, just completely messed up.Levorotation
To sum things up: Placing an exit in a certain part of your code isn't what you usually do to protect it; as you correctly said, it is easy to find with a debugger and it is a really naive approach. But mixing the logic of the application itself along with the check, in an obfuscated environment (which messes up the logic and also nullifies code searches by using evals with regular expressions and base encodings), is a killer combination.Levorotation
Is it a real case? I cannot imagine someone could continue developing software when you have to keep in mind dozens of switches. From my perspective it's error prone and makes development much harder. But indeed - I see your point now.Esbjerg
Yes man, it is a real case. However, the original logic was relatively simple, with just the base64 encoding and some "if"s within several key libraries. But the custom obfuscator they used converted it into several variables, placed it into several files and sliced the strings into pieces, making the original trick untraceable. It was very smart indeed.Levorotation
this should work for me and I guess for most of the people as well.Kilan
Actually point 3) ... gives the answer. BUT wouldn't it be the same to use a deobfuscator? I'm pretty sure there are a lot of web pages that do that for free.Sweltering

The only true way to lock down script-based code that you give away, is to keep a core part of that code executing on a server you control -- and have the code you've given to your client 'call home' to your server on each execution. Then all you have to do is block access to this 'call home' script based on the requesting ip.

Also, in this 'call home' mechanism it is no good just performing a simple connection test or handshake because this can be worked around -- the script on your server has to do something integral to the system as a whole so that the client would have to rewrite that missing part in order to use your code elsewhere without you knowing. This could be some key calculation or data provision.

Obviously this is not ideal, as many clients will not like a script calling a remote server, plus you'd have to make sure your network and server could handle the number of requests -- otherwise you'll slow down or time out your clients' own systems.

Borglum answered 16/12, 2012 at 3:8 Comment(4)
Your idea is good; it can be improved by just calling home once every 10 times, for example, and then if the software is not properly licensed, you just deactivate it somehow (delete the database, add a certain flag that won't let it run, etc.)Levorotation
@Mickle Foretic: drop/add flag once, change 10 to 99999999999. Profit.Esbjerg
@MickleForetic whilst I'd agree an average client wouldn't be able to get around what you suggest, other coders could quite easily... Even if you employ complex code obfuscation it would be simple to deactivate the counter or the db drop. The key to what I stated is that the client/coder is never given the entire code to themselves - this is the only way to protect a system from being fully cracked or reverse engineered, without some hefty work on the side of the person who wants to steal your code (don't mind if they put effort in :). This means that the 'call home' has to happen every time.Borglum
@pebbl yeah, I understand your reasoning on this. Take a read at the conversation we had with zerkms on another answer, it is pretty much the same thing (making a key part of the logic depend on having a valid copy of the software) but without having to use an independent server. This also solves the problem that you stated about making the software itself slow because of the calls.Levorotation

All I need is to not activate any script in any domain name, unless I have it in my clients list.

Ok, you narrowed it down enough.

Create your OpenSSL certificate and hardcode the public part into the checking code. When issuing a license, sign the domain name string with your private key and issue the signature as the license. In your license:

// license.php: the signature over the customer's domain name, base64-encoded
$lic=<<<EOL
LICENSE CODE HERE - SIGNATURE of string contained domain name
EOL;

in your code to check license:

include 'license.php';   // defines $lic, the base64-encoded signature
$cert=<<<EOK
PUBLIC KEY DATA HERE
EOK;
$pub_key = openssl_get_publickey($cert);
// openssl_verify returns 1 if the signature matches the current host name,
// 0 if it does not, and false on error; only 1 is acceptable
$ok = openssl_verify($_SERVER['SERVER_NAME'], base64_decode($lic), $pub_key);
if ($ok !== 1) { die('bad license!'); }

Of course, all of this should be encrypted as much as possible.

This is probably vulnerable to specially crafted libopenssl binaries, but I hope it will help you. To avoid running this code every time, you can add a condition like this:

// run the check on roughly 1 in 100 requests
if (mt_rand(0, 99) == 6) { check_license(); }

but it depends on which part should be protected.

Also, in all parts of the code you should check the md5sum of the file that contains the license check code.

Lukelukens answered 16/12, 2012 at 3:43 Comment(4)
How is this better than $ok = $_SERVER['SERVER_NAME'] == 'hardcoded_server_name';?Esbjerg
You can issue a license for a limited time, and you can issue a license without recoding your source every time.Yelmene
@Esbjerg I see you making all these comments but I haven't seen you even make an attempt at this question itself.Caudex
@Daryl Gill: My opinion - it's not possible and not worth it. And I made a comment to the original question.Esbjerg
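The sign-the-domain scheme from this answer, carried through end to end as an added example (my code, not the answerer's), and extended with the limited-time license the comments mention. It assumes PHP 7.4+ with the openssl extension; the key pair is generated on the fly and the domains and dates are constructed.

```php
<?php
// Added example (not from the answer): issue and verify a domain-locked license
// with ext-openssl. All values are constructed: key pair generated on the fly,
// domains and dates made up. Assumes PHP 7.4+.
// Vendor side, once: keep the private key offline, ship only the public key.
function makeKeyPair(): array {
    $key = openssl_pkey_new(['private_key_bits' => 2048,
                             'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    openssl_pkey_export($key, $privPem);              // PEM of the private key
    $pubPem = openssl_pkey_get_details($key)['key'];  // PEM of the public key
    return [$privPem, $pubPem];
}

// Vendor side, per customer: license = base64(payload) . '.' . base64(signature),
// payload = "<lower-cased domain>|<expiry YYYY-MM-DD>" (the expiry is the extension).
function issueLicense(string $privPem, string $domain, string $expires): string {
    $payload = strtolower($domain) . '|' . $expires;
    $priv = openssl_pkey_get_private($privPem);
    if (!openssl_sign($payload, $sig, $priv, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Client side: verify the signature first, only then trust the payload's fields.
// $hostName is what the script sees in $_SERVER['SERVER_NAME']; $today is passed in.
function licenseIsValid(string $pubPem, string $license, string $hostName, string $today): bool {
    $parts = explode('.', $license, 2);
    if (count($parts) !== 2) { return false; }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    $pub     = openssl_pkey_get_public($pubPem);
    if ($payload === false || $sig === false || $pub === false) { return false; }
    // openssl_verify: 1 = match, 0 = no match, false = error; accept only 1
    if (openssl_verify($payload, $sig, $pub, OPENSSL_ALGO_SHA256) !== 1) { return false; }
    $fields = explode('|', $payload);
    if (count($fields) !== 2) { return false; }
    [$domain, $expires] = $fields;
    return $domain === strtolower($hostName) && $today <= $expires;
}

[$privPem, $pubPem] = makeKeyPair();
$lic = issueLicense($privPem, 'shop.example.com', '2013-12-31');
// payload rewritten to another host but still carrying the old signature
$forged = base64_encode('other.example.net|2013-12-31') . '.' . explode('.', $lic)[1];
$cases = [
    'licensed host, in date'   => [$lic,    'shop.example.com',  '2013-06-01'],
    'other host, same license' => [$lic,    'other.example.net', '2013-06-01'],
    'licensed host, expired'   => [$lic,    'shop.example.com',  '2014-01-01'],
    'edited payload'           => [$forged, 'other.example.net', '2013-06-01'],
];
foreach ($cases as $name => [$l, $host, $day]) {
    printf("%-26s %s\n", $name . ':', licenseIsValid($pubPem, $l, $host, $day) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; the other three fail on host, date, or signature respectively, which is the point of signing the whole payload rather than comparing a bare string.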

You can use http://www.ioncube.com to obfuscate your source code or http://www.phplicengine.com to license your php code remotely or locally.

Sherbet answered 1/8, 2014 at 5:23 Comment(0)

My thoughts are that you can't successfully protect code from being nulled. I really don't like the way non-free apps are created, but I won't judge you. The best solution to protect code is sometimes not worth it, because many people (read: websites) have very restricted hosting, where they can't install ioncube... The best protection is to combine many types of protection (e.g. IonCube + an injected licence connection to your data server in different places with different code + if the site NEEDS to use some SSL, you can try to make some protection by also selling the SSL with a public key check on your data server), or many, many other ways; just be creative.

But as I said, if you want very high protection, you will lose money creating it, and lose money from losing your customers, because they use some cheap hosting...

You need to think about everything...

Forgot to say: Hosting on your own server is the best protection, but it has disadvantages: you need to add the possibility of 'templating' the site, access for creating some plugins, and similar stuff... But sometimes clients just don't like to keep all their data on your hosted server.

I think I helped somehow...

Dyewood answered 16/12, 2012 at 2:55 Comment(0)

There are some good comments from other posters to this. Depending on the edition of the ionCube Encoder that you're using the features that you need are there already (in Pro and Cerberus), including features to allow you to craft your own layers of licensing if you wish, though this shouldn't be necessary. Some basic steps give the biggest wins, and as others have said, it's not generally worth going over the top with a massive licensing infrastructure. Keep in mind too that a main benefit to licensing comes not so much from stopping those who are intent on cheating and not paying, but from keeping the paying customers in line.

Say that you have a fee for each domain where your software is used. If you mention this somewhere but do nothing to enforce it, then when an honest customer tries your scripts on a second domain and finds that they work, chances are that they'll simply use them without even realising that they should have paid. In contrast, if your software alerts them to the fact that a new license is needed, it's likely that they'll purchase for the second domain.

Realistically it's impossible to stop the most determined thieves, and as one poster alluded to, it may even be beneficial in the long term to have cheaters using software for free rather than not at all, but licensing can definitely lock in revenue from the honest majority who are happy to purchase good software (plus support, bug fixes, upgrades etc.), and it's foolish not to do that.

Yoong answered 17/12, 2012 at 22:19 Comment(0)