[poll] Program only works if registered
Posted: Wed Jun 08, 2005 4:41 am
by malcolmboston
i'm currently looking at ways to make it impossible (or at least harder) for someone to purchase a project that i'm going to be selling and simply pass it on to other people free of charge
i'm thinking a require("") file that only resides on my host, however this could slow things down, i would simply only allow access to that file from users verified by me..
This is just one of a few ideas i've had, however all have major downsides. Does anyone have any ideas? i could encrypt but you can still pass it on in full working condition
ps. (i do not want to pay for any "key" system if possible, i would rather code my own)
Posted: Wed Jun 08, 2005 5:12 am
by CoderGoblin
Could you produce a "key" from the "domain name" being used?
http://www.mysetting.com would have a different key to http://www.secondname.com. An administration form within the system would allow you to enter the key which would be stored (file or database). The key is only obtainable from yourself when registering or when people contact you to ask for a new one. Simple encryption could be used to produce the key. The downside is how to "hide" the encryption method from someone who can look at the PHP code. (Possibly have a validator as compiled C code? Pass in domain name and stored key and get if valid or not. This would be a shell executable or somesuch.)
Just an initial thought, will try and think of something better.
Posted: Wed Jun 08, 2005 5:18 am
by malcolmboston
zendencode the class that defined and retrieved the encryption?
it would still require some sort of communication with the server that my site resides on for callback to check if the key is legit or fake or is being used on more than the designated domains (im thinking multi license), are there any potential problems with this, remote file requiring etc
Posted: Wed Jun 08, 2005 5:41 am
by CoderGoblin
Don't know zendencode...
The intention was to have the installed system knowing its domain name and storing a key somewhere also on the installed system. You would then have a "validator executable" again on the installed system which would perform the same encryption method of the domain name and compare it against the key. All of this would take place on the installed system. My initial thought was the validator being compiled C as the exact encryption method on the installed system needs to be hidden from someone who looks at the PHP code. The encryption method could be as simple as md5("Hello"+$domain_name+"There"); Although I would make it more secure by possibly taking only the middle 12 characters or something.
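An added example, not part of CoderGoblin's post or of any poster's code: the same domain-bound key idea built on an Ed25519 signature (a swapped-in technique, using PHP's sodium extension), so the validator on the installed system holds only a public key and there is no encryption method to hide. The function names, the `licence-v1|` prefix and the demo key pair are assumptions made for the example.

```php
<?php
// Vendor side, never shipped. The key pair is generated here only so the
// example runs; a vendor would create it once and keep the secret key offline.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair); // this half ships in the product

// Treat "www.mysetting.com", "MySetting.com:80" and "mysetting.com" as one domain.
function normalise_domain(string $host): string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);   // drop a port, if any
    return preg_replace('/^www\./', '', $host);   // drop a leading "www."
}

// Vendor side: the licence key is a signature over the normalised domain.
function issue_licence(string $domain, string $secretKey): string
{
    $sig = sodium_crypto_sign_detached('licence-v1|' . normalise_domain($domain), $secretKey);
    return sodium_bin2base64($sig, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Installed system: needs only the public key, the stored licence and its own host name.
function licence_is_valid(string $licence, string $host, string $publicKey): bool
{
    try {
        $sig = sodium_base642bin($licence, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return false; // not valid base64
    }
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // wrong length for a signature
    }
    return sodium_crypto_sign_verify_detached($sig, 'licence-v1|' . normalise_domain($host), $publicKey);
}

// Constructed sample run using the two domains from the post.
$licence = issue_licence('www.mysetting.com', $secretKey);
var_dump(licence_is_valid($licence, 'mysetting.com', $publicKey));
var_dump(licence_is_valid($licence, 'www.secondname.com', $publicKey));
var_dump(licence_is_valid('not-a-key', 'mysetting.com', $publicKey));
```

Anyone who can edit the PHP can still delete the call to the validator, which is the limit Syranide raises later in the thread; the signature only stops licence keys being minted for other domains.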
Posted: Wed Jun 08, 2005 8:36 am
by Syranide
first off, zendencoder doesn't work with passwords and so on, it only makes it unreadable for the human being.
second, the only way to do this, would be to have it rely on another server, not read a file (as that could just be copied)...
and really, there is no way to create such software, that is what all the companies are trying today, but none have succeeded very far... and no one will ever succeed using opensource and PHP as PHP is never more lets say commonly 1000 rows, which could easily be scanned for the "protection" part.
as long as you have the source, which you must give him, he is free to do whatever he wants...
the only real possibility with PHP is the zendencoder (which can be reversed) or to make it rely on another server for a specific task, such as calculating something, however this is very unlikely to come up with.
but I without doubt say, what will it really matter, he buys it... then what, no one on this planet who would like it would ever find it, it's not like GTA San Andreas... this software would go as far as to his home and perhaps his friends, and that's it.
and I always say, don't protect just because you must, as the client will always suffer in some degree because of your paranoia, and at a certain degree, they won't care about your product anymore.
if you want a really cheap protection, make it query from your server, and check what it returns (you can check his IP/domain)... however, still problems, it has to query, he might change IP, you might change your IP... and then he will never again buy from you.
Posted: Wed Jun 08, 2005 10:14 am
by malcolmboston
your posts are way off-topic
Syranide wrote:first off, zendencoder doesn't work with passwords and so on, it only makes it unreadable for the human being.
i was talking about my encryption function, what use is it if the user can read how it is decrypted / encrypted, it could simply be reverse engineered and considering the fact this isn't going to be a world renowned app like windows, i really doubt people will try too hard to crack it
Syranide wrote:
if you want a really cheap protection, make it query from your server, and check what it returns (you can check his IP/domain)... however, still problems, it has to query, he might change IP, you might change your IP... and then he will never again buy from you.
no need for IP, use fopen to open a file on my webserver (with a FIXED domain name) check they have permissions to the file then serve it
Syranide wrote:
and really, there is no way to create such software, that is what all the companies are trying today, but none have succeeded very far... and no one will ever succeed using opensource and PHP as PHP is never more lets say commonly 1000 rows, which could easily be scanned for the "protection" part.
it is very possible, ive just explained how to do it, in theory at least this should work, and you dont think huge companies can come up with better ideas / execution than me?
Syranide wrote:
but I without doubt say, what will it really matter, he buys it... then what, no one on this planet who would like it would ever find it, it's not like GTA San Andreas... this software would go as far as to his home and perhaps his friends, and that's it.
i wouldn't be selling it if i thought it was worthless, i'm guessing when it's finished, every member of devnetwork who is a serious coder with a large workload will want it, whether or not they want to pay for it is a different story, but i should imagine i would get good feedback which is a "win win" situation in itself
Posted: Wed Jun 08, 2005 10:56 am
by Buddha443556
malcolmboston wrote:your posts are way off-topic
Maybe he'll get a phpDN Award? I think I'm in the running for that one myself.
But since we're off topic ... Have you considered hosting the application yourself and selling accounts? No need for elaborate protection measures just keep your server secure.
Posted: Wed Jun 08, 2005 11:15 am
by Syranide
you weren't talking about encryption, you were talking about protecting your own work from copying... and I answered to that.
and thus, as you say encrypting I'm guessing realtime decryption, what is the meaning by that? since the key is static anyone can use that key, unless you start relying on another server. which still could be used, just save the stream you get and it would be done.
regarding your comment to it not being able, take a good guess, how could you possibly hide protection in a 1000-10000 row application which is opensource and extremely easy to read? it is more or less impossible, they have been trying the same thing for games for years now, and still they aren't very successful, and then we are not talking about opensource, nor PHP, nor copy protections which has been developed in their own backyard... and still not being very successful.
regarding the last one, I didn't say it was trash, I pointed out the fact that the possibility of it being copied to outside a very local point is most unlikely as even small games aren't even possible to find.
I would say zendencoder is the best solution, but that is reversible and also puts another huge requirement, the availability of zendencoder, which is most unlikely to find on any server.
another thing which can be done is "watermarking" the code by making extremely small and unnoticeable modifications to the code resulting in each client getting a specific one, however this is also easily overcome.
the fact remains, something that is opensource and not relying on another service cannot ever have sufficient protection, especially for PHP. anyone who is serious (which seems to be your target) could easily take out any protection you have.
Posted: Wed Jun 08, 2005 11:25 am
by malcolmboston
you said wrote:you weren't talking about encryption, you were talking about protecting your own work from copying... and I answered to that.
i said earlier wrote:
zendencode the class that defined and retrieved the encryption?
you said wrote:what is the meaning by that? since the key is static anyone can use that key, unless you start relying on another server.
not anyone can use a key, key is unique to each user and is only given out when purchased, therefore if i made the file config.php only reside on my server for eg, they would do a require("") on my server, first part of my code for config would be to check the key was legit and let them retrieve it, otherwise print "Key Error" and die();
you said wrote:
regarding your comment to it not being able, take a good guess, how could you possibly hide protection in a 1000-10000 row application which is opensource and extremely easy to read? it is more or less impossible, they have been trying the same thing for games for years now, and still they aren't very successful, and then we are not talking about opensource, nor PHP, nor copy protections which has been developed in their own backyard... and still not being very successful.
if my decryption/encryption class was encrypted itself they could not read how it was done, therefore not allowing them to reverse engineer, and fyi, although zend is cracked im guessing it will be updated shortly because of it, although i would like to use my own where the "hacker" would have no basis to start from
you said wrote:
the availability of zendencoder, which is most unlikely to find on any server.
even though i probably wont use it, you'd be surprised how supported it is
the fact remains, something that is opensource and not relying on another service cannot ever have sufficient protection, especially for PHP. anyone who is serious (which seems to be your target) could easily take out any protection you have.
not if they can't see how it's decrypted or encrypted and seeing as a very important file is residing on my own server then they simply cannot dupe this as they have no idea of contents of it, missing out on var or an improper definition would cause PHP errors.
i personally believe it is possible and if done correctly 100% safe
as a side note: thanks for your suggestions though
Posted: Wed Jun 08, 2005 11:30 am
by malcolmboston
Buddha443556 wrote:since we're off topic ... Have you considered hosting the application yourself and selling accounts? No need for elaborate protection measures just keep your server secure.
i personally believe because this is an advanced project manager with other stuff, it would be more suited to localhost only
Posted: Wed Jun 08, 2005 11:33 am
by Syranide
uhm, I'll take it all in one answer...
do you know the golden rule of including? ... if you can include it... you can read it? ... uhm let's see, that takes me to... "http://yourserver.com/mykey.php" ... thanks for the key, now I have it... now everyone has it.
and you cannot encrypt your own class, unless you use an external utility, the decryption-class must be readable to PHP.
However, and still... golden rule again... as PHP can read it... so can I... meaning, that if PHP can execute it, I can copy it. how much you encrypt and hack, it will always boil down to one thing, something mustn't be encrypted, thus, just walking the road will finally get you the decrypted source.
zendencoder I can tell you is not widely available as far as I've seen, I have account at 3 webhosts (large), 5 servers at my friends... not a single one use zendencoder, just one friend.
Posted: Wed Jun 08, 2005 11:40 am
by malcolmboston
you're not understanding the point here and i want suggestions not to disprove your theories
if for eg my config file looks like this
<?php
if (isset($_GET['licenceKey']))
{
    // its set
    $isValid = ValidateKey();
    if ($isValid == TRUE)
    {
        // ah, i like this user, he hasnt tried to hack into my code
        // possibly update the DB with relevant new information
        // serve the VARS
        $important_var = "something";
    }
    else
    {
        // KEY PASSED BUT INVALID
        // print "KEY PROBLEM";
        exit;
    }
}
else
{
    // not set
    // print "KEY PROBLEM";
    exit;
}
?>
if i'm wrong and this wouldn't work, tell me why
Posted: Wed Jun 08, 2005 11:46 am
by JAM
malcolmboston wrote:i'm currently looking at ways to make it impossible (or at least harder) for someone to purchase a project that i'm going to be selling and simply pass it on to other people free of charge
phpbb and visionboard use keys, that do get hacked but still. Dissecting their solutions might be of interest to get a feel on how others do it.
Relying on a server is, stupid. (My personal opinion, based on the very little info about the software you've created and how things 'work').
This is because my first thoughts were: you sell the product to 10 customers that are happy. Then your host/server takes a dive (harddrive failure, inetd fubared, stolen, <insert reason here>) and it won't be restarted in, god forbid, one week. You, and 10 customers now have nothing working...
Not saying that it couldn't work, but it shouldn't be depending on 'calling home' alone.
Syranide wrote:...that if PHP can execute it, I can copy it...
Well, not entirely true. Encrypted code is used here and there, but I doubt the ordinary customer might be able to reverse that. Someone with greater skill can of course, but then again, then nothing is foolproof. There are and will always be those that can reverse <whatever>, but the key is to make it as hard as possible.
I'd personally go for encoding the entire code due to that it's widely supported. Why would someone need to read it anyway...
Posted: Wed Jun 08, 2005 11:54 am
by Syranide
it works, but it has two flaws...
and is extremely easy to hack
1. as it resides on another server, you can simply remap hostnames (easily done on any computer), meaning that your server, would actually point to localhost, to a script just printing "OK".
2. as it is in PHP, it is human readable, making it possible to just find it, and remove it from the code, thus eliminating the check, presuming it's ok by default, sure, the file could be encrypted, but still, if PHP is going to read it... it has to be readable by PHP, and if it is readable by PHP then it is readable by a human as PHP only interprets common source (by means of tapping onto the readstream or simply doing the steps PHP would do to be able to read the source and saving it to a file, this last one would be fairly simple), or the zendencoder type (which is excluded for now) which is not readable by a human, thus needs interpreting (reversing).
(I'm considering the "cracker" is the one who bought it of course)
any thoughts?
EDIT: (yes I know it is harder to crack, I'm not countertalking that, but considering you said this forum to be a potential customer there will be serious people.)
Posted: Wed Jun 08, 2005 11:55 am
by timvw
The simplest way to bypass the "require external files" is host the licensedomain and serve the key yourself... Even legitimate users will choose such a solution if they notice your server is down once in a while...
Imho, i would write a php extension, and only deliver the compiled version.. And then write scripts that load the extension...
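An added example, not code from any poster: one way to harden the call-home check against the hostname-remapping and self-hosted licence server bypasses described by Syranide and timvw is to have the product send a fresh nonce and accept only an answer signed over it, verified with a public key shipped in the product (PHP's sodium extension). All names, the demo key pair and the licence table are constructed for the example; it does not address Syranide's second flaw, removing the check from readable PHP.

```php
<?php
// Constructed for the demo. In a deployment the secret key lives only on the
// vendor's server and the product ships with the public key.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);
$licences  = ['DEMO-KEY-0001' => 'mysetting.com']; // licence key => licensed domain

// Vendor server: answer only for a known key/domain pair and sign the nonce.
function server_respond(array $licences, string $key, string $domain, string $nonce, string $secretKey): ?string
{
    if (($licences[$key] ?? null) !== $domain) {
        return null; // unknown key, or key used on another domain
    }
    $body = json_encode(['key' => $key, 'domain' => $domain,
                         'nonce' => bin2hex($nonce), 'expires' => time() + 300]);
    return base64_encode(sodium_crypto_sign_detached($body, $secretKey)) . '.' . base64_encode($body);
}

// Installed product: check the signature, then that the answer matches this request.
function client_accepts(?string $response, string $key, string $domain, string $nonce, string $publicKey): bool
{
    if ($response === null || substr_count($response, '.') !== 1) {
        return false; // a bare "OK" from a stand-in server ends here
    }
    [$sigB64, $bodyB64] = explode('.', $response);
    $sig  = base64_decode($sigB64, true);
    $body = base64_decode($bodyB64, true);
    if ($sig === false || $body === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $body, $publicKey)) {
        return false; // not produced with the vendor's secret key
    }
    $claims = json_decode($body, true);
    return is_array($claims)
        && hash_equals($key, (string) ($claims['key'] ?? ''))
        && hash_equals($domain, (string) ($claims['domain'] ?? ''))
        && hash_equals(bin2hex($nonce), (string) ($claims['nonce'] ?? '')) // rejects replays
        && (int) ($claims['expires'] ?? 0) > time();
}

// Constructed sample run: a genuine answer, a fake "OK", and a replayed answer.
$nonce  = random_bytes(16);
$answer = server_respond($licences, 'DEMO-KEY-0001', 'mysetting.com', $nonce, $secretKey);
var_dump(client_accepts($answer, 'DEMO-KEY-0001', 'mysetting.com', $nonce, $publicKey));
var_dump(client_accepts('OK', 'DEMO-KEY-0001', 'mysetting.com', $nonce, $publicKey));
var_dump(client_accepts($answer, 'DEMO-KEY-0001', 'mysetting.com', random_bytes(16), $publicKey));
```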