linuxrox asked:

license key ideas for script

Hello.  What I'd like to do is have ideas or possibly an answer on a good way of providing a licensing system for someone who purchases a script.  For instance, if someone purchases the script, they could install and set up the program and enter a registration key to let the program run.  My problem is determining what the key looks for and how i can provide the key.  I'd really like to keep away from requiring the person to email me a unique number for me to manually run through a generator to provide the license.  Does anyone around have any experience with this sort of thing?  The script i have that i would like to generate a small income from is encrypted with sourceguardian so it's pretty safe from reverse engineering but i'd like to just provide an easy way for someone to register the program.
thanks very much!
ppfoong


Doesn't SourceGuardian come with a feature called license generator?

linuxrox (ASKER)

yes but it is not a licensing system.  if you create a license, it never changes.  this is not what I desire.  I need a web based licensing system.  basically a script that generates a user license for a person that purchased the full version, more than likely, based on the domain the user intends to use the script on.
How about:

A client pays for your script, and also specifies the domain name of the server that the script will be run on.
You hash this domain name with a super-secret hashing algorithm of your own design.
Send the hash to the client.
The client then hardcodes this into the script they bought from you.*
Then, each time your script is run, it hashes the domain name that it is being run on and compares with the hash provided by the client.
And proceeds if there is a match.


*I don't know how SourceGuardian works but you could either put $key = 'hash'; at the top of your secured php script, or you could add some code to your script that checks for the existence of a .key file and tries to read the contents (the hash).

By the way, I'd be very interested to see the output of SourceGuardian. I'm very dubious that it can really protect your php.
as2003.  you and i are thinking along the same lines there.  something like that is what i would be needing, although i hate to have to manually send the client the file or something.  maybe have the file automatically written including two variables like $domain and $hash and something in my main script files that reads the generated key file and does some sort of comparison between the $domain and $hash variable??  is that possible?  could also get the domain that the script is running on and compare it to the domain that is in the key file based on what they submitted upon purchase.
When you say you would like to see the output of sourceguardian, what do you mean?  i can provide you with a protected script and the loaders are all of course free for download on sourceguardian.com.  i am a registered user of their program so i have the latest version.  supposedly it puts the scripts in bytecode and the newest version supports obfuscation of the functions etc etc.
let me know how i can get an example script to you and i will certainly do that for you!
thanks. also, i'm not good with hashing algorithms.  is there somewhere i can learn about this or one i could modify for my own use?
also, sourceguardian i'm pretty sure is meant to compete with the ioncube folks.  not sure which is better though.
ASKER CERTIFIED SOLUTION
as2003

This solution is only available to members.
ahh, that sounds real nice.  good think'n.
ummm, the encrypted SG scripts i don't believe are one large variable but what i can do is around 11:30 CST i can paste an example in here so you can see, then you can just download the correct loader for whatever operating system you have, and run the script.  you can also bind the scripts to mac address and ip address and a few other options.  i don't really ever use those options except for scripts i personally run on my own servers at work...so no one can modify them in case i leave :)
That sounds cool! I'm really interested to see how it works, and find out how secure it is!
awesome!  will you be able to keep me posted in some way so i can see what you think of the security?  i'd like to know just so i can determine if i need to keep using it or scrap it.  i can post an email addr here that you can send to!
Sure, no problem. I could post my findings on this question perhaps.
cool.  here's the email you can send to also:

coder 'at' westky.com

i'll post an encrypted example here in about 30-45 minutes!
you think i should just fread() the keyfile into a variable and if the key matches the hash then set the variable to empty or something?  
Yeah, that would work. Or you could make a file called something like key.inc.php contain

<?php $key = "fdsjkfdsjfkdslfjksdlj"; ?>

and make your script contain

require('key.inc.php');
// key_is_valid() is a placeholder for your own check; it is not defined here
if (!key_is_valid($key)) {
  die('invalid key');
}

Either way would be fine I think.
as2003:  below is just a really simple "hello world" thing.  all it does is echo hello world. lemme know what you find out man! thanks.

---original-------
<php
echo "hello world";
?>
--------------------

so all you need to do is just download the correct loader from their site and put it in, i think the root dir of your site, then run the script.

encrypted:

<?php @SourceGuardian; 730710976; 3889299394; //v5.5
if(!function_exists('sg_load')){$__v=phpversion();$__u=strtolower(substr(php_uname(),0,3));$__f=$__f0='ixed.'.substr($__v,0,strpos($__v,'.',3)).'.'.$__u;$__ff=$__ff0='ixed.'.$__v.'.'.$__u;$__ed=ini_get('extension_dir');if(!$__e=realpath($__ed)) die('extension_dir does not exists '.$__ed);if(file_exists($__e.'/'.$__ff)) dl($__ff);else if(file_exists($__e.'/'.$__f)) dl($__f);else {$__d=getcwd();if(@$__d[1]==':'){$__d=str_replace('\\','/',substr($__d,2));$__e=str_replace('\\','/',substr($__e,2));}$__e.=($__h=str_repeat('/..',substr_count($__e,'/')));$__f='/ixed/'.$__f;$__ff='/ixed/'.$__ff;while(!file_exists($__e.$__d.$__ff) && !file_exists($__e.$__d.$__f) && strlen($__d)>1){$__d=dirname($__d);}if (file_exists($__e.$__d.$__ff)) dl($__h.$__d.$__ff);else if (file_exists($__e.$__d.$__f)) dl($__h.$__d.$__f);}if(!function_exists('sg_load')){die('PHP script <B>'.__FILE__.'</B> is protected by <A HREF="http://www.sourceguardian.com/">SourceGuardian</A> and requires the SourceGuardian loader <B>'.$__f0.'</B>. The SourceGuardian loader has not been installed, or is not installed correctly. Please visit the <A HREF="http://www.sourceguardian.com/ixeds/">SourceGuardian php encoder</A> site to download required loader.');exit();}}return sg_load('AAQAAAALAAAABIAAAACABAAAAAAAAAD/FrF2hm77+W9iGxBNu8i6yXZGRNhA+ZfAGnk+mxNoS8P/Imi2z4kPZqfTc+N4oPsT5f8Iyo4XBGNhjrQTF0aJ7Vd7KZBP3g92C2KICwCoGXtiumneM0FiS2BxWLsoFcEn7FPkkvoJM++IKF0xpzs8q9rxZHZs+PuaR4fdGUPmszhnpmpTDsc7/JrhFBL2mdAw1VJP/td/dmcnPPjGynCBOjUUUpbiiYQzXfKGNRMCT06HCbRdHBYxTz4SRQqCTPLeQPClFqsoh3byDPjS3G5kTmlyuQ6iX/228GKI/wK7weL4v9eEfdqCoA==');
?>

oops..let me resubmit the encrypted portion.  i forgot the <?    lol.
ok, here is the correct version that should echo hello world when run.  let me know if you have problems with it:
this file was called helloworld.php

<?php @SourceGuardian; 725011392; 1455280259; //v5.5
if(!function_exists('sg_load')){$__v=phpversion();$__u=strtolower(substr(php_uname(),0,3));$__f=$__f0='ixed.'.substr($__v,0,strpos($__v,'.',3)).'.'.$__u;$__ff=$__ff0='ixed.'.$__v.'.'.$__u;$__ed=ini_get('extension_dir');if(!$__e=realpath($__ed)) die('extension_dir does not exists '.$__ed);if(file_exists($__e.'/'.$__ff)) dl($__ff);else if(file_exists($__e.'/'.$__f)) dl($__f);else {$__d=getcwd();if(@$__d[1]==':'){$__d=str_replace('\\','/',substr($__d,2));$__e=str_replace('\\','/',substr($__e,2));}$__e.=($__h=str_repeat('/..',substr_count($__e,'/')));$__f='/ixed/'.$__f;$__ff='/ixed/'.$__ff;while(!file_exists($__e.$__d.$__ff) && !file_exists($__e.$__d.$__f) && strlen($__d)>1){$__d=dirname($__d);}if (file_exists($__e.$__d.$__ff)) dl($__h.$__d.$__ff);else if (file_exists($__e.$__d.$__f)) dl($__h.$__d.$__f);}if(!function_exists('sg_load')){die('PHP script <B>'.__FILE__.'</B> is protected by <A HREF="http://www.sourceguardian.com/">SourceGuardian</A> and requires the SourceGuardian loader <B>'.$__f0.'</B>. The SourceGuardian loader has not been installed, or is not installed correctly. Please visit the <A HREF="http://www.sourceguardian.com/ixeds/">SourceGuardian php encoder</A> site to download required loader.');exit();}}return sg_load('AAQAAAALAAAABIAAAACABAAAAAAAAAD/IhxiHUqG/+DVix8ywwKPhQRRiE61Z69aSX+1HsqP7gEbDaUabLy1VO3jlIoKXie5A1ZpaeLgUyJaY4v9+zfhhDNHZp0K6blBOrnDdBjRSdaPV2W8ZHgrtcECgI/HXu42PBN1jK06u68N4At5Dr67TlyWCnTyVu5QgOaIlPN8ZC/Y/xdeR2+zOSsyZ9xfwaaV2IKoIjhfQF3nQhKFvF0TXwIM1Ft2rTO9pp2O2D7EMugxhUdQhtXejlstFhmHfDtruRfm/5dGknJVZzGkGvXJrg==');
?>
forgot to add.  the folder that the loaders go into is called "ixed", so just make that folder in the root of your site and it should work fine.  i tested the above and it does echo hello world just fine.
isn't using the md5 or sha1 hash on the domain alone a bad idea?  because if i knew that the domain name was the glue that bound things together and i figured out that the license key file contained an md5 hash i could just md5 the domain name and easily figure out that is what really creates a valid license?  then if there was extra text at the beginning and end of the hash, that would be in all licenses and would never change so to create a valid key for another domain, so long as i get the hash for the domain name down, i just add the same text to front and end of the hash in the key file and now i have another valid key....

seems that a better way would be to have some sort of a unique hash that can't really be figured out easily like using an md5 or sha1 hash on a string.
perhaps i should tear apart smaller portions of the submitted domain name and make multiple hashes in an odd order and make that the key.  wouldn't that really make it very difficult to piece together?
That's why I suggest appending some random text to the domain name before hashing it. The client could try hashing their domain name in various ways, but by appending a secret string, they will never be able to reverse it without bruteforcing. If the string is long enough (12 alphanumeric characters long), bruteforcing is infeasible. This assumes that they know how you formed the string that you hashed. Which they won't!
ahh yes.. i see.  that was my problem...i wasn't hashing the secret string WITH the domain.  i was doing it separately which would be a dead giveaway.
any luck on the encrypted file i posted?
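
The scheme discussed in this thread (a secret string combined with the domain, hashed, and re-checked at run time), as an added example that is not part of any post here and is not SourceGuardian's own code. It uses HMAC-SHA256 in place of a plain hash of the concatenated string; LICENSE_SECRET, the function names and the sample domains are assumptions made for illustration.

```php
<?php
// Added example. LICENSE_SECRET is a constructed placeholder; in practice it is a
// long random string that only the vendor and the protected script know.
const LICENSE_SECRET = 'replace-with-long-random-secret';

// Normalise a host name so "WWW.Example.com:8080" and "example.com" give the same key.
function normalize_domain(string $host): string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host); // drop a trailing port
    $host = rtrim($host, '.');                  // drop a trailing dot
    if (strpos($host, 'www.') === 0) {
        $host = substr($host, 4);               // treat www.example.com as example.com
    }
    return $host;
}

// Vendor side: run at purchase time for the domain the buyer submitted.
function make_license_key(string $domain, string $secret = LICENSE_SECRET): string
{
    // Keyed hash: without $secret, hashing the domain alone cannot reproduce the key.
    return hash_hmac('sha256', normalize_domain($domain), $secret);
}

// Script side: $runningHost would come from the server, e.g. $_SERVER['SERVER_NAME'].
function license_is_valid(string $key, string $runningHost, string $secret = LICENSE_SECRET): bool
{
    $expected = make_license_key($runningHost, $secret);
    // hash_equals() compares in constant time, so timing does not leak matching prefixes.
    return hash_equals($expected, strtolower(trim($key)));
}

// Constructed demo: a key issued for one domain is rejected on another.
$key = make_license_key('www.Example.com');
var_dump(license_is_valid($key, 'example.com:8080'));
var_dump(license_is_valid($key, 'other.example.net'));
var_dump(license_is_valid(md5('example.com'), 'example.com')); // plain hash of the domain
```

Because the same secret has to ship inside the protected script, the check is only as strong as the encoder hiding it: anyone who recovers the secret can generate keys for any domain.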
not yet, i've been asleep between this and my last post!
Just checked it out. It seems that SG used to be pretty easy to reverse, but the latest version you are using is pretty solid. IonCube and Zend both appear to be popular alternatives.
that's what i've read but i'll find a post and see what you think about it.  it's pretty recently posted on a forum and quite disturbing about all 3 companies....
http://forums.invisionpower.com/index.php?showtopic=203505&st=0

i still don't know of the link that actually shows the evidence of this post but from what i've read it is or WAS true.
i would like to find the link just to test things out on current scripts i've written.
http://www.phprecovery.com/ appears to think it can decode!
dang!!  this is crazy.  i'm gonna submit to them what i posted here and see what they can do with it.  the example on that page you submitted shows a version 5 SG file decrypted!!  i have 5.5 so who knows if it's any different!
sheesh....this is scary!
http://www.litfuel.net/plush/?postid=109

interesting article about zend..good reading!
Interesting stuff! Just a couple of days ago I didn't even know about these encryption programs!
really???!!!
are you in US or somewhere else?
i've known about them for years !
you've been coding php for a good while right?
Coding for 4 years now, but always just for fun. I'm from the UK.

I guess I probably knew they would exist but I wouldn't have been able to name any. Although I see the name 'Zend' all over the place!
ahh.. cool.  actually source guardian is in the UK i do believe.

Inovica Ltd (Trading as SourceGuardian)
Suite 20, Quay Level
St. Peters Wharf
Newcastle Upon Tyne
NE6 1TZ
United Kingdom


familiar with that area?
I know of it but I don't think I've ever visited it. Next time I do, I'll drop by and tell them their software is broken!
haha.  i wish i was over there, i'd be over there quicker than television!!