I will soon release a PHP script. I want to release two versions: one paid, with the full source code, and one trial, with the code encrypted. I don't want the user to install any additional software on the server. I have had enough issues with this approach myself, so I don't want to hurt others. So, how do I protect my script?

I will use base64 encode/decode. But... how do I prevent the user from adding a $source_code = before the eval statement? I can scramble the code before base64-encoding it. Still, the source can be retrieved.

I was thinking of forcing the user to leave myscript.php as it is, that is, to keep its name and the exact content. How do I do this? When the script starts, it will send my server the md5(myscript.php) and ask my server for a number. If the server does not receive the correct value for md5(myscript.php), it will respond with a number and the program will terminate. I need a way to prevent the user from calculating md5(myscript.php) and sending it using a modified version of the script. I must be sure that my script was not touched. I do this in 2 steps:

My script will ask my server for a number in the range 0.6 ... 0.9. After receiving that number, my script will send an md5(myscript.php) - more exactly, the md5 of the first 0.6 ... 0.9 of the lines (that is, the first 60% - 90% of the script). In this way, I verify the integrity of (at least) the first 50%. I do the same for the last 50%. If my server receives a request for the second number directly, it will return an error.

After I verify that myscript.php was not modified, I ask my server for $part1 and $part2. I will make $base64 as $part1 . $base64_from_myscript.php . $part2. Then I decode the $base64, and the user will not be able to see the source code.

I realize that the trial version is not standalone and must communicate with my server, but at least I can offer a trial version without forcing the user to install a PHP extension on his server. Trial versions have limitations anyway, so I expect the user not to complain. By the way, I will not allow the user to run myscript.php on localhost, by checking the address of the script at all steps. It's easier to install some fancy debuggers locally than remotely. Sorry for the PHPist language used for explanations. What do you think? Do you know a better solution for the protection of PHP scripts?
Hi, I have been doing PHP programming for the last 7 years. I think it is very hard to secure a script like this. In my opinion the best way is: at installation, or every day, your script has to send some values to your server. You can make a random system like md5(sitename (www.example.com) + date + year + any number) as the value, and your server does the same calculation and checks it in your client database. If they are the same then pass, otherwise lock it and ask to pay. Thanks,
The bottom line is, it can't be done. Why? Imagine this:

<?php
$is_valid = false;
// 1,000 lines of checking here
if ($checks_are_true) {
    $is_valid = true;
}
?>

The user can still open the code, remove all your checks and just alter the flag from false to true. Even with server-side checking, unless you can protect the code from view, it won't help. If your server returns invalid, they can just hardcode valid. Sorry, Jay
hmmm... quite interesting... but I am still lost as to where it stops a user who is trying to dump the eval? If the user wants to dump the eval, (s)he has to edit the code. Edited code will be different from the original and will not pass the MD5 test, and the program will stop before adding $part1 and $part2. Well, the $is_valid variable is on my server and you can't change it. If you add it to myscript.php, located on your server, then the modified script won't pass the MD5 validation. What do you say about this?
It's not that simple. An encoder will need an additional program on the user's server, which I try to avoid, and an obfuscator will make the code visible, even if in a crippled form. I want my code not to be visible at all.
MD5 validation is just a formality. Assume this:

<?php
$code = md5(file_get_contents(__FILE__));
// Post $code to server in whatever way you like
$response = SERVER_RESPONSE_HERE;
if ($response == 'valid') ...
?>

Can you see it? Your client needs to test the $response, and that code can be modified. Jay
The client will not test the response - my server will do that. If my server doesn't get the correct MD5 at one step, then it will not generate anything in the next step, and the program on your server will time out or go awry, but will not execute the real code. I'll release in the near future a file encrypted in my way and I'll offer a $5 prize to whoever is able to see the code.
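As an added example (not code from this thread or from either poster), here is a single-file PHP simulation of the two-step exchange described in the opening post and in the "my server will do that" reply above: the server hands out a fraction in the 0.6 ... 0.9 range, the trial script hashes that share of its own lines, the server checks it against its pristine copy, repeats for the tail, and only then releases $part1 and $part2. Both roles run in one process as plain functions; the VendorServer class, the helper names and the ten-line sample script are assumptions made for the demonstration.

```php
<?php
// Added example, not from the thread. Both roles run in one process; a real
// trial script would exchange the same values with the vendor over HTTP.

// Constructed sample: the code the vendor wants to keep off the user's server.
const HIDDEN_SOURCE = "echo 'full version: importing any local RSS feed';";

// Its base64 is split three ways: part1 and part2 stay on the vendor server,
// only the middle chunk ships inside the trial copy of myscript.php.
function payloadParts(): array
{
    $b64   = base64_encode(HIDDEN_SOURCE);
    $third = intdiv(strlen($b64), 3);
    return [
        'part1'  => substr($b64, 0, $third),
        'middle' => substr($b64, $third, $third),
        'part2'  => substr($b64, 2 * $third),
    ];
}

// Constructed ten-line stand-in for the shipped trial copy of myscript.php.
function buildTrialScript(string $middle): string
{
    return "<?php\n// trial copy of myscript.php (constructed sample)\n"
        . "\$middle = '$middle';\n"
        . "// ... challenge/response and reassembly logic would follow ...\n"
        . "// line 5\n// line 6\n// line 7\n// line 8\n// line 9\n// line 10\n";
}

// md5 of the first / last fraction of the script's lines, as in the post.
function scriptLines(string $source): array
{
    return explode("\n", rtrim($source, "\n"));
}

function headHash(string $source, float $fraction): string
{
    $lines = scriptLines($source);
    $n = max(1, (int) floor($fraction * count($lines)));
    return md5(implode("\n", array_slice($lines, 0, $n)));
}

function tailHash(string $source, float $fraction): string
{
    $lines = scriptLines($source);
    $n = max(1, (int) floor($fraction * count($lines)));
    return md5(implode("\n", array_slice($lines, -$n)));
}

// Vendor side: holds the pristine script and enforces step order per session,
// so a request for the second number without passing step 1 is an error.
final class VendorServer
{
    private string $pristine;
    private array $sessions = [];

    public function __construct(string $pristine) { $this->pristine = $pristine; }

    private function pickFraction(): float
    {
        return random_int(60, 90) / 100;   // the 0.6 ... 0.9 range from the post
    }

    public function beginChallenge(): array
    {
        $sid = bin2hex(random_bytes(8));
        $this->sessions[$sid] = ['step' => 1, 'fraction' => $this->pickFraction()];
        return ['sid' => $sid, 'fraction' => $this->sessions[$sid]['fraction']];
    }

    public function submitHeadHash(string $sid, string $hash): array
    {
        $s = $this->sessions[$sid] ?? null;
        if ($s === null || $s['step'] !== 1) {
            throw new RuntimeException('step 1 must come first');
        }
        if (!hash_equals(headHash($this->pristine, $s['fraction']), $hash)) {
            unset($this->sessions[$sid]);
            throw new RuntimeException('head hash mismatch');
        }
        $this->sessions[$sid] = ['step' => 2, 'fraction' => $this->pickFraction()];
        return ['fraction' => $this->sessions[$sid]['fraction']];
    }

    public function submitTailHash(string $sid, string $hash): array
    {
        $s = $this->sessions[$sid] ?? null;
        unset($this->sessions[$sid]);        // every session is one-shot
        if ($s === null || $s['step'] !== 2) {
            throw new RuntimeException('step 1 must succeed before step 2');
        }
        if (!hash_equals(tailHash($this->pristine, $s['fraction']), $hash)) {
            throw new RuntimeException('tail hash mismatch');
        }
        $p = payloadParts();
        return ['part1' => $p['part1'], 'part2' => $p['part2']];
    }
}

// User side: what the trial script does with its own source and the middle chunk.
function fetchHiddenSource(VendorServer $server, string $localScript, string $middle): string
{
    $c = $server->beginChallenge();
    $r = $server->submitHeadHash($c['sid'], headHash($localScript, $c['fraction']));
    $p = $server->submitTailHash($c['sid'], tailHash($localScript, $r['fraction']));
    // The real trial script would eval() this; here it is only returned.
    $decoded = base64_decode($p['part1'] . $middle . $p['part2'], true);
    return $decoded === false ? '' : $decoded;
}

$parts    = payloadParts();
$pristine = buildTrialScript($parts['middle']);
$server   = new VendorServer($pristine);

// An untouched trial copy passes both steps and receives the full payload.
echo fetchHiddenSource($server, $pristine, $parts['middle']), "\n";

// Even at 60% the head window covers lines 1-6 and the tail window lines 5-10,
// so an edit on any line fails step 1 or step 2 and no parts are released.
$tampered = str_replace('// line 5', '// line 5 (edited)', $pristine);
try {
    fetchHiddenSource($server, $tampered, $parts['middle']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with the php CLI; the first line printed is the reassembled hidden source, the second is the rejection of the edited copy. Note what the server actually learns: it never sees the script, only a hash that the requesting code chose to send over the given fraction. Passing both steps therefore proves that the requester has access to the pristine bytes, not that those bytes are what is executing, which is the gap the TCPDump remarks later in the thread point at.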
This isn't getting very far. Is all the code on your server? As far as I can see, you're saying everything is your-server side, which isn't possible. Either way, TCPDump will log your server's response; with that and some tweaking, you can have it returned instead of your server's real response. Send me the code once you're done and you'll see it can/will be broken. Jay
The code is made of $part1 . $local_code . $part2. $part1 and $part2 are located on my server; $local_code is on your server. Using TCPDump is not for the average user. Obviously, you have way more knowledge than the average user of my script. Do you know a method to run TCPDump on a shared hosting server, with no command line available? I realize no code can be 100% protected, no matter what method is used. The question is what knowledge, tools and time are involved in breaking it. The simple base64 local protection I've seen so far is easy to break with no tools at all. By the way, do you know a better way to protect it than the one I'm trying to use?
$part1 & $part2 can be intercepted using TCPDump. How about Burp Proxy? Probably not. Does it require root? (I can't remember now.) If it doesn't, then yes, you can (most likely) using PHP. Why was the question specifically about shared hosting? What about VPS owners who have root and a CLI? My only worry is one person will break it and publish that code. Yes. Making the file binary is a good start, as a text editor will more than likely ruin it when you go to save. Honestly? Not without something like IonCube. That way your source is less likely to be meddled with. Yes, I know, you don't want to put your users through that though. Jay
I'll take a look. Thank you for the info. Because the shared hosting users have a lot of restrictions, way more than the VPS owners. For the last category, I would go with something similar to IonCube. You're right. This can happen and I have no way to prevent it. I believe though that if I add some extra incentives, like free support and free installation with the package, some will buy from me. I have never heard of crackers providing support, so I'll try to make my offer more convenient for the users who want to be certain someone will take care of any problems they might have with my script. On the other hand, someone who is good enough to get the script, decode it, unscramble it and make sense of it is good enough to write a better script than mine.
I think you'll be pleasantly amused when you Google for it. The question wasn't exactly intended that way; I meant shared users aren't the only ones who would try to break it. Yes, support the developer. People will buy; just keep defeaters as far away as possible for as long as possible. Best of luck. Jay
Do you mean http://uk2.php.net/manual/en/function.function-exists.php? You can test for the ioncube_* ones. Jay
Yes, something along these lines. I also might take another approach: the shareware version of the script will do the same thing as the full version, but in a different way. Example: I make a script that imports a local RSS feed into WordPress. The full version will import any local RSS feed. The shareware version will read only the example file I provide, just to give the user a feel for how things work. The shareware file can't be modified to turn it into a full version, because the full version has 90% more code than the shareware version. The extra code can import ANY local RSS feed. Yes, I know that a local RSS importer exists - it's just an example.
Yes, that's the kind of protection you want. A bit like Adobe's try-before-you-buy system. Best of luck! Jay