Lock Script to Domain

Posted: Sat Apr 04, 2009 12:08 pm
by idllc
I am trying to find the code to lock a script to a domain prior to encrypting a file. Something that just verifies the script is on the correct url.
Thanks

Re: Lock Script to Domain

Posted: Sat Apr 04, 2009 2:13 pm
by kaisellgren

Code:

$_ENV['HTTP_HOST']

Will contain the domain name.

Then compare it to the target domain name.

And encode your script with Zend Guard, for instance.

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 1:07 am
by Mordred
No, it won't work.

1. It's $_SERVER['HTTP_HOST'], maybe in some setups you can have the http headers in ENV, but the canonical place is $_SERVER.

Also, HTTP_HOST is the contents of the Host: header as sent by the client. The correct variable to use is SERVER_NAME, which reflects the vhost name on the server.

2. The check is trivial to bypass:

Code:

//pirate.php
$_SERVER['SERVER_NAME'] = 'legitimate.host.com';
include('encrypted.php');

In reality this is a hard thing to do correctly, a better way of protection may be with a legally binding contract that prohibits re-selling of your code and/or some under-the-table (or "blackhat" if you prefer) techniques to make sure you can stop pirates.

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 2:45 am
by Benjamin
Mordred wrote: 2. The check is trivial to bypass:
Doesn't work so well when all of the site's URLs are created from that value. LOL.

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 3:04 am
by Apollo
If you don't mind an extra dependency on an external server of your own: in the protected script, you retrieve a (time limited) decryption key (through https) from some authentication server (or multiple servers, to keep things working when one goes down). The key is necessary to decrypt an essential part of the protected code. Your server only returns the correct key if the request is made from the allowed server / IP.

Of course the key-retrieval-and-decryption part should also be encrypted itself, with a generic method like Zend Guard. And it isn't 100% safe, it just helps.
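
Apollo's key-retrieval scheme sketched in PHP, as an added example that is not part of the original post: the licence server releases a per-licence key only to an allow-listed source address, and the protected script fails closed without a valid, unexpired grant. The function names, addresses, secret and the choice of AES-256-GCM are assumptions made for the illustration.

```php
<?php
// Added example; every name and value here is constructed for illustration.
const LICENCES = ['203.0.113.10' => 'constructed-per-licence-secret'];
const TTL = 3600; // seconds a fetched key stays valid

// Both the licence server and the vendor build derive the 32-byte AES key.
function licence_key(string $ip): string
{
    return hash('sha256', LICENCES[$ip], true);
}

// Licence server: $remoteAddr is the TCP peer address it sees
// ($_SERVER['REMOTE_ADDR'] on that server), not a request header, so the
// protected script's host cannot assign it the way it can SERVER_NAME.
function issue_grant(string $remoteAddr, int $now): ?array
{
    if (!array_key_exists($remoteAddr, LICENCES)) {
        return null; // unlicensed source address: no key
    }
    return ['key' => base64_encode(licence_key($remoteAddr)), 'expires' => $now + TTL];
}

// Vendor build step: encrypt the essential part of the code for one licence.
function seal(string $code, string $key): string
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt($code, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $iv . $tag . $ct; // 12-byte IV, 16-byte tag, ciphertext
}

// Protected script: fail closed if the grant is missing, expired or wrong.
function unseal(string $blob, ?array $grant, int $now): ?string
{
    if ($grant === null || $now >= $grant['expires']) {
        return null;
    }
    $key = (string) base64_decode($grant['key'], true);
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
    return $pt === false ? null : $pt;
}

// Constructed walk-through: licensed host, unlicensed host, expired grant.
$blob = seal('return "licensed feature";', licence_key('203.0.113.10'));
$now = 1239148800;
var_dump(unseal($blob, issue_grant('203.0.113.10', $now), $now));
var_dump(unseal($blob, issue_grant('198.51.100.7', $now), $now));
var_dump(unseal($blob, issue_grant('203.0.113.10', $now), $now + TTL));
```

The expiry is enforced by the protected script itself, so a key captured on the licensed host remains usable by modified code; this is the limit behind the post's "it isn't 100% safe".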

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 7:02 am
by kaisellgren
Mordred wrote: The correct variable to use is SERVER_NAME, which reflects the vhost name on the server.
Doesn't work here.. it's just empty. HTTP_HOST, however, will not change even if I modify my headers. Are you sure? Well, it makes sense, actually. Any HTTP_* should be modifiable. Maybe my configuration is messed up then.

Btw, the $_ENV with SERVER_NAME is portable. Worked with IIS, Apache, nginx and Lighttpd. It also works in both CGI and as an Apache handler, but $_SERVER does not always work that great. Try IIS 7.5 x64, PHP 5.2.8 x64, XCache x64 and now fire up your $_SERVER['SERVER_NAME'] and enjoy ;)

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 10:23 am
by Apollo
Another one which is probably less easy to overwrite, is the HTTP host header sent by the client:

Code:

$headers = apache_request_headers();
$host = $headers['Host']; // if this ain't "www.TheAllowedDomain.com", refuse to run your script

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 10:25 am
by kaisellgren
Apollo wrote:Another one which is probably less easy to overwrite, is the HTTP host header sent by the client:

Code:

$headers = apache_request_headers();
$host = $headers['Host']; // if this ain't "www.TheAllowedDomain.com", refuse to run your script

Since the value comes from the request, it's easy to circumvent that "protection" :P

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 12:46 pm
by Apollo
kaisellgren wrote:Since the value comes from the request, it's easy to circumvent that "protection" :P
Sure, but that would assume visitors joining in on abusing the script on the unauthorized server, right? Or do you mean something else?

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 1:15 pm
by kaisellgren
Apollo wrote:
kaisellgren wrote:Since the value comes from the request, it's easy to circumvent that "protection" :P
Sure, but that would assume visitors joining in on abusing the script on the unauthorized server, right? Or do you mean something else?
I'm saying that if you want your script to work on a specific website (e.g. you are selling your script and the license applies to certain sites only), then the script is actually usable to a certain extent if you are able to "modify" the domain name. For example, some scripts are only one user usable, like the PHP FirewallScript.

But you are right, it does not make sense if your script is supposed to work for your visitors and they supply an invalid hostname :P

Moreover, we cannot forget that it is easy to modify those $_SERVER['SERVER_NAME'] variables. This is especially true with those open source HTTPDs.

Re: Lock Script to Domain

Posted: Wed Apr 08, 2009 2:35 pm
by Benjamin
I wrote a script years ago and have detected numerous guys trying to defeat the copyright protection. One guy worked on it every day for about a month. They all gave up in the end. There's a lot you can do to make it a nightmare for someone. When it gets to the point where it would be easier to rewrite the entire application than crack it, I think that takes the fun out of it.

Re: Lock Script to Domain

Posted: Thu Apr 09, 2009 5:06 am
by Apollo
astions wrote:They all gave up in the end.
You sure? Isn't it possible he actually succeeded, and stopped the script from further notifying you? ;)

Seriously, what kind of protections did you apply?

Re: Lock Script to Domain

Posted: Thu Apr 09, 2009 7:35 am
by kaisellgren
If it would be practically possible to crack into Bill Gates's PayPal account, I wonder how many would just give up. :P

This kind of feature is a psychological protection or so-called PP. It could help in some cases, but should be only applied after you have applied a proper defense.

Re: Lock Script to Domain

Posted: Thu Apr 09, 2009 12:47 pm
by Benjamin
Tons of stuff. The entire application's code is in a single encoded file. RC4 Encryption, Digital signatures, the MD5 for every file is stored internally. Numerous other methods. Even if someone were to crack it, there's also remote kill.

Re: Lock Script to Domain

Posted: Fri Apr 10, 2009 1:36 pm
by Mordred
All copy protections based on http headers or server vhost names can be bypassed. If not trivially with the include method I've shown, then by installing it in a server that is an exact duplicate of the original (including vhosts etc.) and placing a reverse proxy between the server and the clients. The proxy will "translate" requests to stolen.com rewriting the relevant headers to original.com. The clients will see stolen.com working, and the server behind the proxy will think it's original.com.
Calling-home can also be disabled with a firewall.

astions, I'm very interested in your protection scheme, how will it behave in the described circumstances?