Code Obfuscation + Enforce License (not strictly security)
Hi,
I'm sorry if this isn't strictly PHP security - but I'm sure the skills required to solve the problem are similar.
I'm developing a large web-app for a customer. I trust him, but you can never trust anyone 100% imo. And given the complexity of the project I believe it's worth making sure I have full control over what happens with the code and where it is run, and for how long, etc.
The first step I will take to protect my code is obfuscation. This will prevent him ditching me without paying, and just going to another developer with my code to iron out any bugs that crop up or features that need adding.
The problems with this are:
Problem 1) Obfuscation does not totally prevent reverse-engineering. (This is ok - I can live with this, as it's 99% certain the budget for reverse engineering will exceed or closely match the cost of the creation of the project)
Problem 2) Obfuscation does nothing to stop him running the code where he wants, for as long as he wants.
My solution:
Create an algorithm that requires a license key. This key would last X days for a specified domain. (in case relevant, would need to specify 3-4 domains).
Problems: (Requiring your help!!)
Problem 3) The problem in creating this is that the two variables specified above (domain and license expiration) would be constants that could be hacked quite easily, as I don't think obfuscation obfuscates constants - only code?
Problem 4) Also, I would appreciate any help in getting the algorithm right for this (specifically if I need a particular type of encryption, what type it should be and a brief summary about how it would work with respect to the algorithm).
Problem 5) If I'm right, most license algorithms can be bypassed by finding a single 'flag' and hacking it? How could this be increased, or made more difficult?
Thanks!
Jody
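Problems 3 and 4 above are really one question: how to keep the domain list and the expiry date from being plain constants that anyone with the source can edit. The usual answer is to put those values inside a token that is signed by a private key the developer keeps, and ship only the public key with the application. The following is an added example, not code from the thread or from any poster; the token layout, field names and function names are this example's own choices, and the domain names and dates are constructed sample data.

```php
<?php
// Added example (not from the thread): a license token whose domain list and
// expiry date are covered by an RSA signature, so editing either "constant"
// in the deployed copy invalidates the license instead of extending it.
// Token layout, field names and function names are this example's own choices.

declare(strict_types=1);

// --- Developer side: run once, keep the private key off the customer's server ---
function make_keypair(): array {
    $res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    openssl_pkey_export($res, $privatePem);
    $publicPem = openssl_pkey_get_details($res)['key'];
    return [$privatePem, $publicPem];
}

// Issue a license for a set of domains that expires at a Unix timestamp.
function issue_license(string $privatePem, array $domains, int $expiresAt): string {
    $payload = json_encode(['domains' => $domains, 'exp' => $expiresAt], JSON_THROW_ON_ERROR);
    openssl_sign($payload, $sig, $privatePem, OPENSSL_ALGO_SHA256);
    // base64(payload) . "." . base64(signature): the payload stays readable,
    // but cannot be changed without the private key.
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// --- Deployed side: only the public key ships with the application ---
// Returns null when the license is valid, otherwise a reason string.
function license_error(string $token, string $publicPem, string $host, int $now): ?string {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return 'malformed token';
    }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    if ($payload === false || $sig === false) {
        return 'malformed token';
    }
    // Verify the signature BEFORE trusting any field of the payload.
    if (openssl_verify($payload, $sig, $publicPem, OPENSSL_ALGO_SHA256) !== 1) {
        return 'bad signature';
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['domains'], $data['exp'])) {
        return 'malformed payload';
    }
    if ($now > (int) $data['exp']) {
        return 'license expired';
    }
    // Compare the host exactly: lower-cased, port stripped, no substring matching.
    $host = strtolower(explode(':', $host, 2)[0]);
    if (!in_array($host, array_map('strtolower', $data['domains']), true)) {
        return 'host not licensed';
    }
    return null;
}

// --- Demonstration (constructed sample data) ---
[$priv, $pub] = make_keypair();
$token = issue_license($priv, ['www.example.com', 'example.com'], strtotime('2025-12-31'));

// In the real application $host would come from $_SERVER['SERVER_NAME'] and
// $now from time(); both are fixed here so the script runs from the command line.
var_dump(license_error($token, $pub, 'www.example.com', strtotime('2025-06-01')));   // licensed host, before expiry
var_dump(license_error($token, $pub, 'www.example.com', strtotime('2026-01-01')));   // after expiry
var_dump(license_error($token, $pub, 'other.example.net', strtotime('2025-06-01'))); // host not in the list

// Pushing the readable expiry out (1.. -> 9..) without the private key breaks the signature.
[$payloadB64, $sigB64] = explode('.', $token, 2);
$tamperedPayload = str_replace('"exp":1', '"exp":9', base64_decode($payloadB64));
$tampered = base64_encode($tamperedPayload) . '.' . $sigB64;
var_dump(license_error($tampered, $pub, 'www.example.com', strtotime('2025-06-01')));
```

This answers Problem 3 (the domain and expiry are no longer editable constants) and Problem 4 (an asymmetric signature, not encryption, is the right primitive, because the deployed copy only needs to verify, never to issue). It does not answer Problem 5: `license_error()` still ends in one branch in the caller, and whoever can edit the PHP source can remove the call, which is exactly the gap obfuscation is meant to narrow and never closes.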
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Code Obfuscation + Enforce License (not strictly security)
Your problem is that you are worried about not getting paid?
Why not develop this on your local computer or another development server? Then, when and if he pays you, upload it onto his server. I'm sorry, but this has to be asked
Re: Code Obfuscation + Enforce License (not strictly security)
Heya,
That's a good question!
The project is to be released in stages, and there will come a point when the bandwidth would be too intensive for my server but would still need developing - hence I would not be fully paid at that point.
I've done some more research. (Did some a while back but things have really changed it seems!!)
There are a LOT of obfuscators out there. Ranging from free to $600+. Obviously I would like to use a free one if it does what I want!
(Anyone used any good ones? Low budget!)
Here's a bit more info on what I need:
- php5
- no (silly??) limitations like variable variables (eg $varname = 'country'; $$varname = 'spain'; echo $country;)
- able to be run from a standard shared hosting account
- straightforward to use - no fussing about with settings, like which vars/function names to alter and which not.
- (If relevant, size of project...) I have about 50+ files each with an average of about 50+ lines in 10+ directories
I don't really need any other features like:
- Html encoding?? Not sure how that could work, but I don't think I need it!
Not sure but probably don't need time/domain/ip limiting, I can program that in myself I suppose. Except that I can't think of a way of encrypting the domain name so it's not just a string - since after looking around some (if not all) obfuscators that fit the above criteria leave strings/constants untouched?
What do you use? Can you recommend any good open source ones? Or worthwhile ones around the $40 mark?
Cheers
Re: Code Obfuscation + Enforce License (not strictly security)
Want cheap obfuscation? Write it yourself. (Assuming your time doesn't cost anything; if it does - try to estimate how long it would take and correct the $40 budget accordingly)
Want to learn how to do copy protection? Learn how to crack it. Study what protectors do and how reversers break it. Find the sweet spot between hard to implement and hard to break protections according to how much effort you're ready to invest.
It's not a simple matter, and it's not an easy matter (and by extension it's not a "cheap" matter, regardless of how you measure cost - money, time, effort, skill).
-----
If you reside in a country where you have a better chance of protecting your property by contract, this may be an easier alternative (I personally don't know, it's not the case here, so I just resort to dirty tricks)
Re: Code Obfuscation + Enforce License (not strictly security)
Mmm I don't want to go off-topic but what Jcart said is quite relevant. Stages or no stages.... you can get him to pay by stages...and just see each new feature on your host before deployment on live.
foobaa wrote:
Heya,
That's a good question!
The project is to be released in stages, and there will come a point when the bandwidth would be too intensive for my server but would still need developing - hence I would not be fully paid at that point.
......
If at the end customer should not own the code but rather pay only for the functionality then I guess you need all those license, encryption and other stuff. If he is to own the code at the end... I really don't see any point in all this trouble.
Re: Code Obfuscation + Enforce License (not strictly security)
Ok thanks for the advice guys.
I'll have another go at weighing up the pros and cons. I was hoping there was a trick to it but I guess there isn't.
Thanks again
Re: Code Obfuscation + Enforce License (not strictly security)
I think that you should have some trust at some point. If you have a good business relationship with a company, and have a solid signed contract, what can they do? Look at it the other way. They need to trust you as well. That you don't run off with their money or build in some malicious code into the application.
If you ask them to pay a certain percentage upfront and they do that, isn't that enough to have some faith things will go well?
Re: Code Obfuscation + Enforce License (not strictly security)
If you're worried about the source code being nicked, and want a cheap solution, use the bcompiler http://www.php.net/bcompiler
Ok, they will need to install the relevant pear package, but it is a "dependency" of the software
I have used two methods in the past to protect me against people not paying me:
1) Put a call back to my own server using curl to validate a license key embedded in the code
2) Put an easter egg in so when I call a certain url, a piece of code nested within some innocent piece of code gets triggered and a file is written which can then be picked up disabling the site.
On one occasion, I worked for a client I know quite by chance as I had been sub-contracted (so was a surprise)... The customer did not trust the design agency that had subcontracted me, so with his permission, I used suexec to create the killer of all easter eggs... Like point two above, but this time it tar'd all the code and emailed it to the customer and then deleted itself. Not really something I am proud of doing and yes I did have to use it and yes they did pay up and yes the customer got the site.
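Method 1 above, the call back to the developer's own server, is only as good as the client's handling of the answer: if the application accepts any HTTP 200 as "licensed", a hosts-file entry pointing the license hostname at a local script defeats it. The added example below (not code from the thread or from this poster) shows both ends in one script, with the server echoing a per-request nonce and signing its answer, so that a recorded "ok" cannot be replayed for a later check. The request and response fields, the LICENSES table, the URL and all key values are this example's own constructed assumptions; the in-process call stands in for the real curl round trip so the script runs offline.

```php
<?php
// Added example (not from the thread): the "call back to my own server" check,
// with both ends shown in one script. Field names, the LICENSES table, the
// URL and the key/secret values are this example's own constructed assumptions.

declare(strict_types=1);

// ---------- License server side ----------
// Issued keys with their allowed domains and a per-license response secret.
const LICENSES = [
    'KEY-1234' => ['domains' => ['www.example.com'], 'secret' => 's3cr3t-for-1234', 'expires' => '2035-12-31'],
];

function license_server(array $req): array {
    $lic = LICENSES[$req['key'] ?? ''] ?? null;
    if ($lic === null) {
        return ['status' => 'unknown-key'];
    }
    $status = 'ok';
    if (!in_array($req['domain'] ?? '', $lic['domains'], true)) {
        $status = 'wrong-domain';
    } elseif (time() > strtotime($lic['expires'] . ' 23:59:59')) {
        $status = 'expired';
    }
    // Echo the client's nonce and MAC the whole answer, so a recorded "ok"
    // cannot be replayed for a different request.
    $resp = ['status' => $status, 'nonce' => $req['nonce'] ?? '', 'issued' => time()];
    $resp['mac'] = hash_hmac('sha256', json_encode($resp), $lic['secret']);
    return $resp;
}

// ---------- Deployed application side ----------
function build_request(string $key, string $domain): array {
    return ['key' => $key, 'domain' => $domain, 'nonce' => bin2hex(random_bytes(16))];
}

// Real transport (defined but not called below, so the demonstration runs offline).
function post_json(string $url, array $req): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($req),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return is_string($body) ? (json_decode($body, true) ?: []) : [];
}

// Accept only a fresh, correctly signed answer that echoes our own nonce and says "ok".
function response_is_valid(array $req, array $resp, string $secret, int $maxAgeSec = 300): bool {
    if (!isset($resp['status'], $resp['nonce'], $resp['issued'], $resp['mac'])) {
        return false;
    }
    $signed   = ['status' => $resp['status'], 'nonce' => $resp['nonce'], 'issued' => $resp['issued']];
    $expected = hash_hmac('sha256', json_encode($signed), $secret);
    return hash_equals($expected, (string) $resp['mac'])
        && hash_equals($req['nonce'], (string) $resp['nonce'])
        && abs(time() - (int) $resp['issued']) <= $maxAgeSec
        && $resp['status'] === 'ok';
}

// ---------- Demonstration (in-process instead of over HTTP) ----------
$secret = 's3cr3t-for-1234'; // shipped with the application, same value as in LICENSES

$req  = build_request('KEY-1234', 'www.example.com');
$resp = license_server($req);
var_dump(response_is_valid($req, $resp, $secret));            // genuine answer for this request

$req2 = build_request('KEY-1234', 'www.example.com');
var_dump(response_is_valid($req2, $resp, $secret));           // earlier answer replayed: nonce mismatch

$req3 = build_request('KEY-1234', 'evil.example.net');
var_dump(response_is_valid($req3, license_server($req3), $secret)); // server answers, but not "ok"
```

The limit of this design is the same one the thread keeps returning to: the response secret has to live in the shipped PHP, so anyone who can read the source can forge answers (or remove the call). A public-key signature on the response, as in the offline token example earlier in the thread, removes the forgeable secret, but not the removable call.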
Re: Code Obfuscation + Enforce License (not strictly security)
Quote: pay a certain percentage upfront
I'm supposedly getting a percentage of the company but have yet to see any papers or signed agreements. So I'm taking precautions because I've been stung before - I actually really trust the guy but I've learnt the hard way not to take chances.
Hchaggis, thanks for your reply - appreciated.
I've not heard of bcompiler before, so it's one to add to the list.
The easter egg idea is really sneaky! Not heard of that before either.
After having another think, I'm probably just going to take some mild precautions until I see a signed agreement, nothing substantial, unless it gets to the point where most bugs are gone and most features are implemented - there's still a fair amount of work to be done.
I was just getting concerned because in working on this project I've sacrificed 'proper' paying projects, and I need to make sure I get something out of this one! I have bills to pay, and in the business world I've learnt that trust is not always enough - I wish it was - I'm the kind of person who sticks to my word but there are people out there without scruples who have learnt how to be manipulative. If you think trust alone is enough, you have yet to learn, my friend! Why do you think obfuscators exist in the first place? And why do you think some people pay $600 for them?
So back to the topic of obfuscators - In case anyone can help further or is interested, I'm going to casually research them for a week or two, then hopefully implement something which:
- doesn't take too much time to configure, if any
- doesn't require much coding, if any
- doesn't require much money, if any
- will be reliable (bcompiler sounds ideal if only it were not in the experimental stage)
I still need to get my head round how obfuscators work so will try out some of the many trial versions available to see if I can find a cheap one that satisfies the above points.
Thanks again mcHaggis you've given me more ideas to fall back on.
All the best
Re: Code Obfuscation + Enforce License (not strictly security)
Ideas and underwater rocks I can remember:
1. token_get_all()
2. get_defined_functions() and similar
3. Be careful with callbacks and class names in strings and variable variables
4. Don't change the superglobals and $this
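The four points above are the hazards of a token-based renamer, and foobaa's earlier requirement (no breakage on variable variables such as `$varname = 'country'; $$varname = 'spain'; echo $country;`) is the same hazard seen from the user's side. The added example below (not code from the thread or from any poster) is a minimal variable renamer built on `token_get_all()`: it renames only plain variables, leaves the superglobals and `$this` alone, never touches function or class names (so callbacks and class names in strings keep working), and refuses outright when it sees a construct that resolves variable names at run time. The function names, the two constant lists and the two sample inputs are this example's own choices.

```php
<?php
// Added example (not from the thread): a minimal variable renamer built on
// token_get_all(). It renames only plain variables, leaves superglobals and
// $this alone, and refuses to touch code that uses variable variables,
// compact()/extract()/get_defined_vars() or string callbacks, because those
// reach variables or functions by name at run time. Function names, constant
// lists and sample inputs are this example's own choices.

declare(strict_types=1);

// Point 4 of the list: never rename these.
const KEEP = ['$this', '$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES',
              '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV'];

// Point 2 and 3: functions whose behaviour depends on names staying unchanged.
const BY_NAME_FUNCS = ['compact', 'extract', 'get_defined_vars', 'get_defined_functions',
                       'call_user_func', 'call_user_func_array', 'func_get_args'];

// Returns human-readable reasons why renaming this source would be unsafe.
function renaming_hazards(string $src): array {
    $hazards = [];
    foreach (token_get_all($src) as $t) {
        if ($t === '$') {                      // "$$name" is lexed as '$' followed by T_VARIABLE
            $hazards[] = 'variable variable';
        } elseif (is_array($t) && $t[0] === T_STRING
                  && in_array(strtolower($t[1]), BY_NAME_FUNCS, true)) {
            $hazards[] = $t[1] . '() resolves names at run time';
        } elseif (is_array($t) && $t[0] === T_STRING_VARNAME) {
            $hazards[] = 'variable name inside a "${...}" string';
        }
    }
    return array_values(array_unique($hazards));
}

// Rename every non-superglobal variable consistently: first seen -> $v0, next -> $v1, ...
function rename_variables(string $src): string {
    $map = [];
    $out = '';
    foreach (token_get_all($src) as $t) {
        if (is_array($t) && $t[0] === T_VARIABLE && !in_array($t[1], KEEP, true)) {
            $map[$t[1]] ??= '$v' . count($map);
            $out .= $map[$t[1]];
        } else {
            $out .= is_array($t) ? $t[1] : $t;
        }
    }
    return $out;
}

// Constructed sample inputs, not from the thread.
$safe = <<<'PHP'
<?php
function total($items) {
    $sum = 0;
    foreach ($items as $price) { $sum += $price; }
    return $sum + (int) ($_GET['extra'] ?? 0);
}
PHP;

$unsafe = <<<'PHP'
<?php
$varname = 'country'; $$varname = 'spain'; echo $country;
$cb = 'strtoupper'; echo call_user_func($cb, compact('varname')['varname']);
PHP;

foreach (['safe' => $safe, 'unsafe' => $unsafe] as $label => $code) {
    echo "== $label ==\n";
    $hazards = renaming_hazards($code);
    if ($hazards) {
        echo 'not renamed: ' . implode('; ', $hazards) . "\n";
    } else {
        echo rename_variables($code), "\n";
    }
}
```

Run from the command line, the first sample comes back with `$items`, `$sum` and `$price` renamed and `$_GET` untouched; the second is refused with the variable-variable, `call_user_func()` and `compact()` hazards listed. A real obfuscator that also renames functions or classes has to extend the hazard list to every place a name can appear as a string (callbacks, `new $class`, `class_exists()`, and so on), which is why the thread's point 1, `token_get_all()`, is the foundation rather than the finished tool.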