Lock Script to Domain
I am trying to find the code to lock a script to a domain prior to encrypting a file. Something that just verifies the script is on the correct url.
Thanks
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Lock Script to Domain
Code:
$_ENV['HTTP_HOST']
Then compare it to the target domain name.
And encode your script with Zend Guard, for instance.
Re: Lock Script to Domain
No, it won't work.
1. It's $_SERVER['HTTP_HOST']; maybe in some setups you can have the HTTP headers in ENV, but the canonical place is $_SERVER.
Also, HTTP_HOST is the contents of the Host: header as sent by the client. The correct variable to use is SERVER_NAME, which reflects the vhost name on the server.
2. The check is trivial to bypass:
Code:
<?php
// pirate.php: overwrite the value the "lock" reads, then load the protected file
$_SERVER['SERVER_NAME'] = 'legitimate.host.com';
include('encrypted.php');
In reality this is a hard thing to do correctly; a better way of protection may be a legally binding contract that prohibits re-selling of your code and/or some under-the-table (or "blackhat", if you prefer) techniques to make sure you can stop pirates.
Re: Lock Script to Domain
Mordred wrote: 2. The check is trivial to bypass:
Doesn't work so well when all of the site's URLs are created from that value. LOL.
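Added example (editor's, not code posted by anyone in the thread) showing the domain lock kaisellgren suggested next to the two ways Mordred says it falls over: a forged Host: header when the check falls back to HTTP_HOST, and a wrapper that overwrites $_SERVER before include(). The hostnames and the domain_lock_check() function are assumptions for illustration; run it from the CLI with php.

```php
<?php
// Added example, not code from the thread. It shows the "domain lock" under
// discussion and the two bypasses Mordred describes. Hostnames are made up.
// Run from the CLI: php lock_demo.php

// The check a vendor would ship inside the encoded file. It prefers
// SERVER_NAME (set by the vhost config) over HTTP_HOST (copied from the
// client's Host: header), strips a port suffix and compares case-insensitively.
function domain_lock_check(string $allowed): bool
{
    $name = $_SERVER['SERVER_NAME'] ?? $_SERVER['HTTP_HOST'] ?? '';
    $name = strtolower(preg_replace('/:\d+$/', '', $name));
    return hash_equals(strtolower($allowed), $name);
}

function report(string $label, bool $ok): void
{
    echo str_pad($label, 50) . ($ok ? 'lock passes' : 'lock refuses') . PHP_EOL;
}

$allowed = 'legitimate.host.com';

// 1. Honest deployment on the licensed vhost: the web server sets SERVER_NAME.
$_SERVER['SERVER_NAME'] = 'legitimate.host.com';
$_SERVER['HTTP_HOST']   = 'legitimate.host.com';
report('licensed vhost', domain_lock_check($allowed));

// 2. Copied to stolen.example without any tampering: the lock does its job.
$_SERVER['SERVER_NAME'] = 'stolen.example';
$_SERVER['HTTP_HOST']   = 'stolen.example';
report('copied to stolen.example, untouched', domain_lock_check($allowed));

// 3. Bypass A: on a setup where SERVER_NAME is empty (as kaisellgren reports)
//    the check reads HTTP_HOST, which is whatever the client chose to send:
//    curl -H 'Host: legitimate.host.com' http://stolen.example/
unset($_SERVER['SERVER_NAME']);
$_SERVER['HTTP_HOST'] = 'legitimate.host.com';
report('stolen.example, client forges Host: header', domain_lock_check($allowed));

// 4. Bypass B: $_SERVER is an ordinary writable superglobal, so a wrapper
//    (Mordred's pirate.php) overwrites it before include('encrypted.php').
//    Nothing inside the encoded file can tell the difference.
$_SERVER['SERVER_NAME'] = 'legitimate.host.com';
$_SERVER['HTTP_HOST']   = 'stolen.example';
report('stolen.example, wrapper overwrites SERVER_NAME', domain_lock_check($allowed));
```

The check itself is about as careful as such a check can be (constant-time compare, port stripped, case folded); the problem is that every input it can read is set either by the client or by code that runs before the protected file, so the encoded file has nothing of its own to trust.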
Re: Lock Script to Domain
If you don't mind an extra dependency on an external server of your own: in the protected script, you retrieve a (time limited) decryption key (through https) from some authentication server (or multiple servers, to keep things working when one goes down). The key is necessary to decrypt an essential part of the protected code. Your server only returns the correct key if the request is made from the allowed server / IP.
Of course the key-retrieval-and-decryption part should also be encrypted itself, with a generic method like Zend Guard. And it isn't 100% safe, it just helps.
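Added example (editor's, not Apollo's code) of the call-home design just described: the essential part of the script ships encrypted, and the key is fetched at run time from a vendor-controlled server that answers only the licensed host, with an expiry so the client has to come back. The license server is simulated in-process so the file runs offline; in a real deployment license_server() would sit behind HTTPS and the protected script would fetch it with curl. The IPs, lifetime, cipher choice and function names are all assumptions.

```php
<?php
// Added example, not code from the thread. It models the scheme Apollo
// describes with the license server simulated in-process so it runs offline.
// IPs, hostnames, keys and the 5-minute lifetime are made-up values.

const LICENSED_IP  = '203.0.113.10';   // the one server allowed to obtain the key
const KEY_LIFETIME = 300;              // seconds the client may keep using a reply

// Vendor build step: encrypt the essential code with AES-256-GCM. The GCM tag
// means a wrong or tampered key yields a failure, not garbage that gets eval'd.
function seal_payload(string $code, string $key): array
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($code, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

// Vendor license server: hands the key only to the licensed source address,
// together with an expiry so the protected script must re-check regularly.
// Over HTTPS $remoteAddr would be $_SERVER['REMOTE_ADDR'] of the request.
function license_server(string $remoteAddr, int $now, string $payloadKey): ?array
{
    if ($remoteAddr !== LICENSED_IP) {
        return null;                                   // unknown server: no key
    }
    return ['key' => base64_encode($payloadKey), 'expires' => $now + KEY_LIFETIME];
}

// Inside the protected script: refuse missing or stale replies, then decrypt.
// A real deployment would eval() the returned code; here it is just returned.
function unseal_payload(?array $reply, int $now, array $sealed): ?string
{
    if ($reply === null || $now > $reply['expires']) {
        return null;
    }
    $key = base64_decode($reply['key'], true);
    if ($key === false) {
        return null;
    }
    $code = openssl_decrypt($sealed['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                            $sealed['iv'], $sealed['tag']);
    return $code === false ? null : $code;
}

// Demo: build once, then simulate requests from a licensed and an unlicensed host,
// and a licensed host that tries to reuse an old reply an hour later.
$payloadKey = random_bytes(32);
$sealed     = seal_payload("<?php echo 'essential feature';", $payloadKey);
$now        = time();

$licensed = unseal_payload(license_server('203.0.113.10', $now, $payloadKey), $now, $sealed);
$pirate   = unseal_payload(license_server('198.51.100.7', $now, $payloadKey), $now, $sealed);
$stale    = unseal_payload(license_server('203.0.113.10', $now, $payloadKey), $now + 3600, $sealed);

printf("licensed host:   %s\n", $licensed === null ? 'refused' : 'decrypted');
printf("unlicensed host: %s\n", $pirate === null ? 'refused' : 'decrypted');
printf("stale reply:     %s\n", $stale === null ? 'refused' : 'decrypted');
```

The IP check lives on the vendor's server, which is the point of the design: the decision is made on a machine the pirate does not control. What remains on the pirate's machine is the fetch-and-decrypt code, which is why Apollo says that part must itself be encoded.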
- kaisellgren
Re: Lock Script to Domain
Mordred wrote: The correct variable to use is SERVER_NAME, which reflects the vhost name on the server.
Doesn't work here... it's just empty. HTTP_HOST, however, will not change even if I modify my headers. Are you sure? Well, it makes sense, actually. Any HTTP_* should be modifiable. Maybe my configuration is messed up then.
Btw, the $_ENV with SERVER_NAME is portable. Worked with IIS, Apache, nginx and Lighttpd. It also works in both CGI and as an Apache handler, but $_SERVER does not always work that great. Try IIS 7.5 x64, PHP 5.2.8 x64, XCache x64 and now fire up your $_SERVER['SERVER_NAME'] and enjoy.
Re: Lock Script to Domain
Another one which is probably less easy to overwrite is the HTTP Host header sent by the client:
Code:
<?php
$headers = apache_request_headers();
$host = $headers['Host'];
// if this ain't "www.TheAllowedDomain.com", refuse to run your script
if (strcasecmp($host, 'www.TheAllowedDomain.com') !== 0) exit('Not licensed for this host');
- kaisellgren
Re: Lock Script to Domain
Apollo wrote: Another one which is probably less easy to overwrite is the HTTP Host header sent by the client:
$headers = apache_request_headers(); $host = $headers['Host']; // if this ain't "www.TheAllowedDomain.com", refuse to run your script
Since the value comes from the request, it's easy to circumvent that "protection".
Re: Lock Script to Domain
kaisellgren wrote: Since the value comes from the request, it's easy to circumvent that "protection".
Sure, but that would assume visitors joining in on abusing the script on the unauthorized server, right? Or do you mean something else?
- kaisellgren
Re: Lock Script to Domain
Apollo wrote: Sure, but that would assume visitors joining in on abusing the script on the unauthorized server, right? Or do you mean something else?
I'm saying that if you want your script to work on a specific website (e.g. you are selling your script and the license applies to certain sites only), then the script is actually usable to a certain extent if you are able to "modify" the domain name. For example, some scripts are only one-user usable, like the PHP FirewallScript.
But you are right, it does not make sense if your script is supposed to work for your visitors and they supply an invalid hostname.
Moreover, we cannot forget that it is easy to modify those $_SERVER['SERVER_NAME'] variables. This is especially true with those open source HTTPDs.
Re: Lock Script to Domain
I wrote a script years ago and have detected numerous guys trying to defeat the copyright protection. One guy worked on it every day for about a month. They all gave up in the end. There's a lot you can do to make it a nightmare for someone. When it gets to the point where it would be easier to rewrite the entire application than crack it, I think that takes the fun out of it.
Re: Lock Script to Domain
astions wrote: They all gave up in the end.
You sure? Isn't it possible he actually succeeded, and stopped the script from further notifying you?
Seriously, what kind of protections did you apply?
- kaisellgren
Re: Lock Script to Domain
If it would be practically possible to crack into Bill Gates' PayPal account, I wonder how many would just give up.
This kind of feature is a psychological protection, or so-called PP. It could help in some cases, but should only be applied after you have applied a proper defense.
Re: Lock Script to Domain
Tons of stuff. The entire application's code is in a single encoded file. RC4 encryption, digital signatures, the MD5 for every file is stored internally. Numerous other methods. Even if someone were to crack it, there's also remote kill.
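Added example (editor's, not astions' code) of one of the measures listed above, the per-file hash manifest stored inside the protected script and re-checked at start-up. The layout, file names and function names are assumptions; sample files are written to a temp directory so it runs stand-alone. SHA-256 is used rather than the MD5 the post mentions, since MD5 collisions are cheap to produce today.

```php
<?php
// Added example, not astions' code: a self-integrity check of the kind meant by
// "the MD5 for every file is stored internally". A hash manifest is embedded in
// the protected script at build time and every listed file is re-hashed on each
// run. Sample files are written to a temp directory so this runs stand-alone.
// SHA-256 instead of MD5, whose collisions are cheap to make today.

// Build step: hash every shipped file relative to the install root.
function build_manifest(string $root, array $relPaths): array
{
    $manifest = [];
    foreach ($relPaths as $rel) {
        $manifest[$rel] = hash_file('sha256', $root . DIRECTORY_SEPARATOR . $rel);
    }
    return $manifest;
}

// Run-time step: returns the files that are missing or changed; an empty
// array means the tree matches the manifest.
function verify_manifest(string $root, array $manifest): array
{
    $bad = [];
    foreach ($manifest as $rel => $expected) {
        $path = $root . DIRECTORY_SEPARATOR . $rel;
        if (!is_file($path)) {
            $bad[] = $rel;
            continue;
        }
        // hash_equals: constant-time comparison of the hex digests
        if (!hash_equals($expected, hash_file('sha256', $path))) {
            $bad[] = $rel;
        }
    }
    return $bad;
}

// Demo: lay out a small install tree, build the manifest, verify it, then
// edit one file the way a pirate would and verify again.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'manifest_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents("$root/lib.php",    "<?php function feature() { return 42; }");
file_put_contents("$root/config.php", "<?php return ['licensed_to' => 'legitimate.host.com'];");

$manifest = build_manifest($root, ['lib.php', 'config.php']);   // embedded at build time

echo "untouched tree, files flagged: " . count(verify_manifest($root, $manifest)) . PHP_EOL;

file_put_contents("$root/config.php", "<?php return ['licensed_to' => 'stolen.example'];");
echo "after editing config.php, flagged: " . implode(', ', verify_manifest($root, $manifest)) . PHP_EOL;
```

The manifest only protects the files it lists against edits made without also editing the manifest; since the manifest itself lives inside the encoded file, its value rests entirely on how well that file resists the kind of attack Mordred asks about.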
Re: Lock Script to Domain
All copy protections based on http headers or server vhost names can be bypassed. If not trivially with the include method I've shown, then by installing it in a server that is an exact duplicate of the original (including vhosts etc.) and placing a reverse proxy between the server and the clients. The proxy will "translate" requests to stolen.com rewriting the relevant headers to original.com. The clients will see stolen.com working, and the server behind the proxy will think it's original.com.
Calling-home can also be disabled with a firewall.
astions, I'm very interested in your protection scheme, how will it behave in the described circumstances?