Get Computer Unique ID from PHP

3

16

I've created an application using PHP and I'm going to sell it to my local market. I will personally be going to their locations to install/configure Apache & MySQL as well as installing my own code.

I would like a security system so that if anyone attempts to copy my code to an unauthorized machine, it won't run.

I know no one can prevent reverse engineering an application. Even .exe (binary) files are cracked, and with PHP (source code) anyone can do it.

In my country those reverse engineers are really hard to find, so I would like to propose minimal security options like:

1) Create class (say, Navigation) which identifies system information like CPU ID, Computer name or any combination of hardware ID to make a UNIQUE_ID and matches with my given UNIQUE_ID (to the individual to whom I sold the application). If it's valid, it returns the navigation menu. Otherwise it will simply destroy the database and halt the execution by throwing an exception, maybe like:

class Navigation {

    public function d() {
        return current system UNIQUE_ID;
    }

    public function get() {
        $a = file_get_contents('hash');
        $c = $this->d();
        if (!hash_equals($a, crypt($c, $a))) { // reuse the stored hash as salt; crypt($c) alone would salt randomly
            //destroy database
            throw new Exception('');
        } else {
            return "<ul><li><a>home</a></li></ul>"; //navigation menu
        }
    }

}

2) Then during the installation process I'll change system UNIQUE_ID in "hash" file, create an object, and save it into a file (nav.obj):

(install.php)

<?php
      $a=new Navigation;
      $out=serialize($a);
      file_put_contents('nav.obj', $out);

3) In header.php (which gets included in every file):

<?php
     $menu=file_get_contents('nav.obj');
     $menu=unserialize($menu); // unserialize the data just read; the Navigation class must already be loaded
     echo $menu->get();
 ?>

I know this method isn't foolproof, but I'm pretty sure that around 60% of PHP developers won't be able to crack it!

Now I only need to get current system UNIQUE_ID.

Taper answered 8/7, 2013 at 9:26 Comment(13)
what about DOMAIN? Set it to domain where it should work, make some hash of it and check it. - Nonrecognition
There is no such thing as a system unique ID - Pitcher
And now, when you published this openly, those 60% will drop to 10%... - Gambeson
strangers are going to let you install this on their computers? weird - Rim
I reckon it will take about 10 minutes to identify and disable this. Don't waste time on it - concentrate on selling your services. - Bridie
do you know ioncube? en.wikipedia.org/wiki/IonCube - Wail
what about DOMAIN? No, there isn't any domain; it will be installed in an intranet or private network. strangers are going to let you install this on their computers? : he isn't any stranger! He is my buyer and of course he will ask me to install it on his server (he isn't that technical a person). Thanks for answering! - Taper
@Mike W how u gonna disable it? u have only header.php file to edit. And if you comment out that $menu->get(); you won't get any navigation menu on your app! - Taper
you can't secure your php app from being copied once you give out the code (that's why I write SaaS), Microsoft can't secure windows - don't bother; license your app, move on. - Rim
@Anigel: you could combine CPU number, motherboard number, HDD number to generate a unique ID. From which you can tell "No, this isn't the PC I'm looking for!" I've done it in C++. You will get lots of source code (C++) over the net. - Taper
There you go, c++ != php - Pitcher
@Dagon yes I know (I told it in the 3rd paragraph). I'm not going to develop an app as renowned as Windows that world class hackers are going to crack! I just want to propose a minimal security. I know eventually you will crack it, but not like copy-paste. Try harder, so you can earn it! - Taper
I realize this comment is many years late, but no one appears to have pointed out that intentionally deleting a database just because of a value comparison mismatch could be considered a crime in some countries. Having the software just stop functioning is very different from performing active data destruction. Computer systems aren't perfect. Even if you are somehow extremely careful, an uncontrollable external event like cosmic radiation or a brief power fluctuation at the wrong moment could flip a bit and result in triggering the false conditional and thus delete the database. - Callender
22

I have created this function to get a unique ID based on hardware (hard disk UUID). It is possible to use different resources like machine names, domains or even hard disk size to get a better approach depending on your needs.

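function UniqueMachineID($salt = "") {
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        // Windows: write a small diskpart script (once) and read the ID of disk 0.
        $temp = sys_get_temp_dir().DIRECTORY_SEPARATOR."diskpartscript.txt";
        if(!file_exists($temp) && !is_file($temp)) file_put_contents($temp, "select disk 0\ndetail disk");
        // Quote the path: the temp directory may contain spaces.
        $output = shell_exec("diskpart /s ".escapeshellarg($temp));
        $lines = explode("\n",$output);
        // Keep only the line(s) that carry the disk ID.
        $result = array_filter($lines,function($line) {
            return stripos($line,"ID:")!==false;
        });
        if(count($result)>0) {
            // array_shift() takes its argument by reference, so it needs a variable.
            $result = array_values($result);
            $result = array_shift($result);
            $result = explode(":",$result);
            $result = trim(end($result));
        } else $result = $output;
    } else {
        // Linux: UUIDs of the block devices, as reported by blkid.
        $result = shell_exec("blkid -o value -s UUID");
        if(stripos($result,"blkid")!==false) {
            $result = $_SERVER['HTTP_HOST'];
        }
    }
    // Hash the value so the raw hardware ID is not exposed.
    return md5($salt.md5($result));
}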


echo UniqueMachineID();
Dagley answered 17/9, 2014 at 9:50 Comment(5)
Do you have an alternative that doesn't use shell_exec? - Trantrance
Please give a sample diskpartscript.txt file for the code above. How should it look like? - Echikson
$result = shell_exec("blkid -o value -s UUID") on systems without the blkid command available, result will be an empty string, so the condition right below will not be satisfied. A possible fix would be to change the condition to if (stripos($result, 'blkid') !== FALSE || ! $result) { - Krasnoff
thanks for your code, BUT what if I want to get the id of the visitors. here when the user visits the website it returns the id of my machine NOT him !! how I can fix this issue? - Thelen
you can use the user agent combined with ip address, as an example - Dagley
3

As per http://man7.org/linux/man-pages/man5/machine-id.5.html

$machineId = trim(shell_exec('cat /etc/machine-id 2>/dev/null'));

EDIT for Tito:

[ekerner@**** ~]$ ls -l /etc/machine-id
-r--r--r--. 1 root root 33 Jul  8  2016 /etc/machine-id

EDIT 2 for Tito: Some things to consider and scenarios:

Is the user allowed to get a new machine? I'd guess yes. Or run on multiple devices? Sounds like the machine could be irrelevant in your case?

If it's user only (no machine restrictions) then I'd go for a licensing service (relies on network). There are many services for this: Google Play (for Android apps) is a good example: https://developer.android.com/google/play/licensing/index.html MS and Apple have similar services. However just search the web for the term "Software Licensing Service" or "Cloud Based Software Licensing Service".

If it's user + single device, then you'll need to pass up the device id to whatever service you use or make, then allow the machine id to be updated, but not allow revert to previous machine id (would mean multiple devices). However said services will give you the client code which should take care of that if it's a requirement.

Two scenarios from experience: 1: User on any device: we simply made an API in the cloud (in a website) and a login screen in the app, when the user logged in it authenticated via the API and kept a token, and whenever the device was connected to the net the app would query the API and update the login and/or token. You could alternatively have the login screen in the purchase (like maybe they already logged into a site to purchase), generate a key and pack it with or bind it into the app.

2: User plus machine: Same thing except when the API is queried the machine id is passed up. The machine ID can change as many times as the user updates their device, but we kept a record of machine ids and made to ban rule on: if we saw an old (previously used) machine id then a certain amount of time had to have passed. Thus allowed the user to break their machine and pull out an old one.

Also to consider if you make one, how will you stop the app from working? People are pretty clever; it will need to be core compiled.

However that all being said, the various licensing services are pro at this and can cater for most needs. Plus in their experience they've already overcome the security pitfalls. I'd name one that I like except it's yours to search out.

Nice if you can come on back with any positive or negative outcomes from your trials.

Madi answered 13/2, 2017 at 12:17 Comment(7)
The /etc/machine-id file contains the unique machine ID of the local system that you can easily modify with the working ones. - Taper
Machine-id can be changed on reboot. What is its purpose for licensing? - Echikson
No, you can't easily modify the machine id file. It belongs to root and is readonly. No sensible sysadmin is going to change it. I'll edit above. - Madi
@Madi so is it something reliable for licensing purpose? - Echikson
@Echikson Depends what you're trying to license, and what you're trying to license it to. Licensing software/hardware/service? To software/hardware/user? Did you read the man page (above link). - Madi
@Madi I am trying to license a software to a software user. Is machine-id good beside mac address to license a software? - Echikson
Add to my above answer. - Madi
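
The "user plus machine" rule from this answer, sketched server-side as an added example (not the answerer's code): a new machine ID is accepted, but a previously used ID is refused until a cool-down has passed. The 30-day cool-down, the array layout and the function name `checkMachine` are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. The cool-down length and the
// licence array layout are assumptions for this sketch.
const COOLDOWN_SECONDS = 30 * 24 * 3600;

/**
 * Decide whether a licence may be used from machine $presented.
 * $licence = ['current' => string, 'retired' => [machineId => retiredAt]]
 * Returns [bool $allowed, array $updatedLicence].
 */
function checkMachine(array $licence, string $presented, int $now): array
{
    if ($presented === $licence['current']) {
        return [true, $licence];            // same machine as last time
    }
    if (isset($licence['retired'][$presented])) {
        // A previously used ID: accept it only once the cool-down has passed,
        // otherwise two machines could alternate on one licence.
        if ($now - $licence['retired'][$presented] < COOLDOWN_SECONDS) {
            return [false, $licence];
        }
        unset($licence['retired'][$presented]);
    }
    // New ID, or an old one past its cool-down: retire the current ID and switch.
    $licence['retired'][$licence['current']] = $now;
    $licence['current'] = $presented;
    return [true, $licence];
}

// Constructed walk-through: the user moves from A to B, then presents A again.
$day = 24 * 3600;
$lic = ['current' => 'machine-A', 'retired' => []];
[$moveToB, $lic]   = checkMachine($lic, 'machine-B', 0);
[$backEarly, $lic] = checkMachine($lic, 'machine-A', 1 * $day);
[$backLater, $lic] = checkMachine($lic, 'machine-A', 45 * $day);
var_dump($moveToB, $backEarly, $backLater);
```

In the walk-through the move to B is allowed, the return to A one day later is refused, and the return to A after 45 days is allowed again.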
2
function getMachineId() {
    $fingerprint = [php_uname(), disk_total_space('.'), filectime('/'), phpversion()];
    return hash('sha256', json_encode($fingerprint));
}

This will get a probably-unique id based on a hash of:

  1. The server's OS, OS version, hostname, and architecture.
  2. The total space (not free space) on the drive where the php script is.
  3. The Unix timestamp creation time of the computer's root file system.
  4. The currently installed PHP version.

Unlike the other answers it doesn't depend on shell_exec() being enabled.

Archibaldo answered 14/1, 2023 at 4:37 Comment(0)
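
A shell-free variant of the license check discussed on this page, as an added example that is not code from any of the answers: it reads /etc/machine-id directly, validates its format, stores only a keyed hash (machine-id(5) advises against exposing the raw ID), compares in constant time, and fails closed without touching any data. `APP_KEY` and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the answers. APP_KEY is a placeholder secret and
// the function names are hypothetical.
const APP_KEY = 'replace-with-a-per-product-secret';

/** Read the machine ID without a shell; null if missing or malformed. */
function readMachineId(string $path = '/etc/machine-id'): ?string
{
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return null;
    }
    $id = trim($raw);
    // machine-id(5): 32 lower-case hexadecimal characters
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1 ? $id : null;
}

/** Keyed hash of the ID, so the raw machine ID is never stored or sent. */
function licenseToken(string $machineId, string $key = APP_KEY): string
{
    return hash_hmac('sha256', $machineId, $key);
}

/** True only when the stored token matches this machine. */
function licenseIsValid(?string $machineId, string $storedToken): bool
{
    if ($machineId === null) {
        return false; // fail closed: stop running, delete nothing
    }
    return hash_equals(licenseToken($machineId), trim($storedToken));
}

// Constructed sample: a temporary file stands in for /etc/machine-id.
$sample = tempnam(sys_get_temp_dir(), 'mid');
file_put_contents($sample, "0123456789abcdef0123456789abcdef\n");

$installedId = readMachineId($sample);
$stored      = licenseToken($installedId);   // what the installer would save

var_dump(licenseIsValid($installedId, $stored));                        // same machine
var_dump(licenseIsValid('ffffffffffffffffffffffffffffffff', $stored));  // copied elsewhere
var_dump(licenseIsValid(readMachineId('/nonexistent'), $stored));       // ID unreadable
unlink($sample);
```

Because the key ships inside readable PHP source, this only deters casual copying, which matches the limits the commenters describe.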
