Lock Script to Domain

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

One would still need to get a digitally signed key for the domain they wanted to use the script on. Every URL on every page would point to that domain name, and it's not possible to disable the kill methods.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Lock Script to Domain

Post by Mordred »

Um, you maybe need to reread my last post again. The domain on the pirated server will not be changed. The reverse proxy will do it for the client. The call-home will be disabled by simply denying all outgoing connections. An incoming kill signal will work only the first time, then they will reinstall and look for it and filter it on the proxy.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

Mordred wrote:The call-home will be disabled by simply denying all outgoing connections. An incoming kill signal will work only the first time, then they will reinstall and look for it and filter it on the proxy.
What if the script is based on the principle of Fail Securely? Blocking the outgoing connection makes the script refuse to work.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

I read your question right. There's a lot more to it than that. To put it mildly, you'll be chasing ghosts for months trying to disable kill signals.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Lock Script to Domain

Post by Chris Corbyn »

Even with apache_request_headers() your users don't need to forge their requests. An internal proxy would do the trick. We can keep going all day and we'll keep finding holes ;)
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

I never said it wasn't uncrackable, all I said is that everyone has given up ;)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Lock Script to Domain

Post by John Cartwright »

Licensed desktop software has historically failed miserably at protecting itself from unauthorized use. I would imagine this to be nearly impossible to do on the web. I hope I'm wrong :)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

Web applications can be better than offline software in this area. If the application requires talking to the developer's server, then obviously an illicit installation will not work. The developer's server will resolve the legit domain name legit.com to an IP 1.2.3.4 and it will notice that it will not match the server's IP it is talking to. Blocking a connection to the developer's server with a firewall will just make sure the script will never run. The only thing you can do is to decrypt the whole application. Guys, I can tell you that decrypting an application that is protected by Zend Guard is totally a waste of time. ;) Even if you succeed in this area, you will not get the original source code - just lots of really obfuscated crap and you will literally have to rewrite the entire application by yourself - which defeats the purpose of cracking the application. If you crack it, you want it. You do not want to recreate the application. Even if you "just" need to rewrite 50% of the application, I would call it a recreation of the application.

This, however, only happens when you know what you are doing when you are protecting your application with something like Zend Guard. Just going for encrypting a single license validator PHP file is not that good. For sure you can always crack any application, but we are trying to make it so slow and painful that cracking becomes worthless. Yebee I cracked it! Oh, is there a newer version out now? Cracking can become a job for someone and he would be literally doing it all day long without getting paid. If this is the case, I would consider my protection good. :)
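
Added example, not part of the thread and not any poster's code: a PHP sketch of the two checks discussed above, the developer's server comparing the caller's IP with what the licensed domain resolves to, and the licensed script refusing to run unless it gets an explicit "valid" reply (fail securely). The function names, the reply format and the injected resolver are assumptions made for illustration; authenticating the reply (for example with a signature) is not shown, so a proxy that forges replies is out of scope here.

```php
<?php
declare(strict_types=1);

// Developer's server: does the caller's IP match what the licensed domain resolves to?
// $resolver is injected so the example runs offline; a live server could pass
// 'gethostbynamel', which returns an array of IPv4 addresses or false.
// Caveat: a legitimate site behind NAT or a CDN may call out from an IP that
// differs from its DNS record, so real deployments need an allowance for that.
function caller_matches_domain(string $licensedDomain, string $remoteAddr, callable $resolver): bool
{
    $ips = $resolver($licensedDomain);
    if (!is_array($ips) || $ips === []) {
        return false;                      // unresolvable domain: deny
    }
    return in_array($remoteAddr, $ips, true);
}

// Licensed script: fail securely. Anything other than an explicit "valid" denies,
// including a blocked connection, an empty reply or a malformed one.
function license_allows_run(callable $callHome): bool
{
    try {
        $reply = $callHome();              // stands in for the HTTPS call to the developer's server
    } catch (Throwable $e) {
        return false;                      // outgoing connection blocked or failed
    }
    return is_array($reply) && ($reply['status'] ?? null) === 'valid';
}

// Constructed sample data: legit.com and 1.2.3.4 come from the post above,
// 203.0.113.7 is a documentation-range address standing in for a copied install.
$dns = fn(string $host) => $host === 'legit.com' ? ['1.2.3.4'] : false;
$verdict = fn(string $ip) => [
    'status' => caller_matches_domain('legit.com', $ip, $dns) ? 'valid' : 'invalid',
];

$cases = [
    'licensed server'   => fn() => $verdict('1.2.3.4'),
    'copy on other IP'  => fn() => $verdict('203.0.113.7'),
    'outgoing blocked'  => function () { throw new RuntimeException('connection refused'); },
    'empty reply'       => fn() => null,
];

foreach ($cases as $name => $callHome) {
    printf("%-18s %s\n", $name, license_allows_run($callHome) ? 'run' : 'refuse');
}
```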
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

kaisellgren wrote:Guys, I can tell you that decrypting an application that is protected by Zend Guard is totally a waste of time. ;)
???