Re: Lock Script to Domain
Posted: Fri Apr 10, 2009 1:54 pm
by Benjamin
One would still need to get a digitally signed key for the domain they wanted to use the script on. Every URL on every page would point to that domain name, and it's not possible to disable the kill methods.
Re: Lock Script to Domain
Posted: Sun Apr 12, 2009 10:15 am
by Mordred
Um, you maybe need to reread my last post again. The domain on the pirated server will not be changed. The reverse proxy will do it for the client. The call-home will be disabled by simply denying all outgoing connections. An incoming kill signal will work only the first time, then they will reinstall and look for it and filter it on the proxy.
Re: Lock Script to Domain
Posted: Sun Apr 12, 2009 10:27 am
by kaisellgren
Mordred wrote:The call-home will be disabled by simply denying all outgoing connections. An incoming kill signal will work only the first time, then they will reinstall and look for it and filter it on the proxy.
What if the script is based on the principle of Fail Securely? Blocking the outgoing connection makes the script refuse to work.
Re: Lock Script to Domain
Posted: Sun Apr 12, 2009 1:19 pm
by Benjamin
I read your question right. There's a lot more to it than that. To put it mildly, you'll be chasing ghosts for months trying to disable kill signals.
Re: Lock Script to Domain
Posted: Sun Apr 12, 2009 6:55 pm
by Chris Corbyn
Even with apache_request_headers() your users don't need to forge their requests. An internal proxy would do the trick. We can keep going all day and we'll keep finding holes.

Re: Lock Script to Domain
Posted: Sun Apr 12, 2009 7:44 pm
by Benjamin
I never said it wasn't uncrackable, all I said is that everyone has given up

Re: Lock Script to Domain
Posted: Sun Apr 12, 2009 7:58 pm
by John Cartwright
Licensed desktop software has historically failed miserably at protecting itself from unauthorized use. I would imagine this to be nearly impossible to do on the web. I hope I'm wrong.

Re: Lock Script to Domain
Posted: Mon Apr 13, 2009 6:45 am
by kaisellgren
Web applications can be better than offline software in this area. If the application needs to talk to the developer's server, then obviously an illicit installation will not work. The developer's server will resolve the legit domain name legit.com to an IP 1.2.3.4 and it will notice that it does not match the IP of the server it is talking to. Blocking a connection to the developer's server with a firewall will just make sure the script will never run. The only thing you can do is to decrypt the whole application. Guys, I can tell you that decrypting an application that is protected by Zend Guard is a total waste of time.

Even if you succeed in this area, you will not get original source code - just lots of really obfuscated crap and you will literally have to rewrite the entire application by yourself - which defeats the purpose of cracking the application. If you crack it, you want it. You do not want to recreate the application. Even if you "just" need to rewrite 50% of the application, I would call it a recreation of the application.
This, however, only happens when you know what you are doing when you are protecting your application with something like Zend Guard. Just going for encrypting a single license validator PHP file is not that good. For sure you can always crack any application, but we are trying to make it so slow and painful that cracking becomes worthless. Yebee I cracked it! Oh, is there a newer version out now? Cracking can become a job for someone and he would be literally doing it all day long without getting paid. If this is the case, I would consider my protection good.
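
The call-home check described in the post above, combined with the fail-secure behaviour raised earlier in the thread, as an added PHP sketch that is not code from any poster or product. The function names, the injectable resolver and the JSON reply with a `status` field are assumptions made for the illustration.

```php
<?php
// Added illustration; names and sample data are hypothetical, not from the thread.

/**
 * Developer-server side: does the peer that called home match an address
 * the licensed domain resolves to? $resolver is injectable so the check
 * can be exercised offline.
 */
function peerMatchesLicensedDomain(string $domain, string $peerIp, ?callable $resolver = null): bool
{
    $resolver = $resolver ?? 'gethostbynamel';   // real DNS lookup (IPv4 A records)
    $ips = $resolver($domain);
    if (!is_array($ips) || $ips === []) {
        return false;                            // unresolvable domain: deny
    }
    return in_array($peerIp, $ips, true);
}

/**
 * Client side, fail-secure: anything other than an explicit, well-formed
 * "valid" answer (timeout, blocked connection, garbage) means "do not run".
 * $callHome returns the raw response body, or false on a transport failure.
 */
function licenseAllowsRun(callable $callHome): bool
{
    try {
        $body = $callHome();
    } catch (Throwable $e) {
        return false;
    }
    if (!is_string($body)) {
        return false;
    }
    $reply = json_decode($body, true);
    return is_array($reply) && ($reply['status'] ?? null) === 'valid';
}

// Constructed sample data: legit.com -> 1.2.3.4, as in the post above.
$fakeDns = fn(string $d) => ['legit.com' => ['1.2.3.4']][$d] ?? false;

var_dump(peerMatchesLicensedDomain('legit.com', '1.2.3.4', $fakeDns));      // licensed host
var_dump(peerMatchesLicensedDomain('legit.com', '203.0.113.9', $fakeDns));  // some other host
var_dump(licenseAllowsRun(fn() => '{"status":"valid"}'));                   // explicit approval
var_dump(licenseAllowsRun(fn() => false));                                  // connection blocked
```

The address the developer's server sees is that of whatever host makes the outbound connection, so on shared hosting, behind NAT or behind a CDN it need not equal the domain's A record, and a strict comparison can reject legitimate installs.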

Re: Lock Script to Domain
Posted: Mon Apr 13, 2009 12:41 pm
by Benjamin
kaisellgren wrote: Guys, I can tell you that decrypting an application that is protected by Zend Guard is a total waste of time.

???