Page 1 of 1

close source php application?

Posted: Wed Feb 13, 2008 10:31 pm
by nincha
I have built an application that i would like to make close source, any one have any ideas or links on how to do this? I dont even have the slightest idea how to prevent people from taking my code or editing it.

Re: close source php application?

Posted: Wed Feb 13, 2008 10:32 pm
by Christopher
Ask Hockey? ;)

Re: close source php application?

Posted: Wed Feb 13, 2008 10:53 pm
by alex.barylski
Haha... :P

A few techniques:

1) Use one of those byte code obfuscators (ie: ionCube) - apparently easily reverse engineered.
2) Write a custom code obfuscator. Pull everything into a single script and expand all functions, etc...
3) Compile into binary code (RoadSend) - you'd have to *really* dedicated to reverse engineer this.

Lastly, you could simply keep your application hosted...which is the route I finally settled on after a few weeks of struggle with option #2.

Option #3 is promising but you have to code your application in such a way that it's capable of being compiled.

Cheers :)

Re: close source php application?

Posted: Thu Feb 14, 2008 1:42 am
by Mordred
I do it with a custom obfuscator and all code in a single file, plus a couple of copy-protection tricks.

Hockey, there is a mixed solution I have thought about, but not yet tried and not sure of how viable it is. The app in question is an intranet app, so it might not be suitable for public web sites (but in that case just hosting it yourself would work fine). The idea is to install a virtual appliance in the client's intranet - on booting it starts a web server with your app installed. The client has a mechanism for making database backups, so he is in control of the data. The source (still obfuscated / encoded or whatever) lies on the appliance, and the question here is how well can you deny access to the appliance FS.

I'm not well-versed in GNU/Linux or virtual appliances, but I imagine it is possible to have an installation with no users bar root, so an attacker should have to either exploit the OS remotely (good luck with nothing but a web server running) or access the hard-disk emulation files on the host OS. If both options are hard enough things to do, thus we have an additional layer of protection between the attacker and the source code.

Anyone with experience in these matters?

Re: close source php application?

Posted: Thu Feb 14, 2008 2:28 am
by Benjamin
This is something that interests me as well. Maybe the 3 of us can get together and create our own methods. I have software that I need to keep protected as well. I currently use ioncube but I'm in the dark as to what someone can see when they do an opcode dump. I think ioncube is better than zend, but neither of them are rock solid.

Re: close source php application?

Posted: Fri Feb 15, 2008 7:03 am
by Mordred
IonCube is paid, right?

I've downloaded several ready-made virtual appliances for VMWare, but haven't found time to play with them yet.

----
The strength of a copy protection should not (and cannot) be infinite - just enough that the cost of reversing the protection would be comparable to the cost of development. Thus, any simple layer we can add will help immensely, as generally users are not smart and experienced enough to reverse engineer protection schemes, and a specialist in the area will cost them.

Re: close source php application?

Posted: Fri Feb 15, 2008 11:47 am
by Benjamin
Yeah ioncube is a purchased product.