linuxrox
asked on
license key ideas for script
Hello. What I'd like to do is have ideas or possibly an answer on a good way of providing a licensing system for someone who purchases a script. For instance, if someone purchases the script, they could install and setup the program and enter a registration key to let the program run. My problem is determining what the key looks for and how i can provide the key. I'd really like to keep away from requiring the person to email me a unique number for me to manually run through a generator to provide the license. Does anyone around have any experience with this sort of thing? The script i have that i would like to generate a small income from is encrypted with sourceguardian so it's pretty safe from reverse engineering but i'd like to just provide an easy way for someone to register the program.
thanks very much!
ASKER
yes but it is not a licensing system. if you create a license, it never changes. this is not what I desire. I need a web based licensing system. basically a script that generates a user license for a person that purchased the full version, more than likely, based on the domain the user intends to use the script on.
How about:
A client pays for your script, and also specifies the domain name of the server that the script will be run on.
You hash this domain name with a super-secret hashing algorithm of your own design.
Send the hash to the client.
The client then hardcodes this into the script they bought from you.*
Then, each time your script is run, it hashes the domain name that it is being run on and compares with the hash provided by the client.
And proceeds if there is a match.
*I don't know how SourceGuardian works but you could either put $key = 'hash'; at the top of your secured php script, or you could add some code to your script that checks for the existence of a .key file and tries to read the contents (the hash).
By the way, I'd be very interested to see the output of SourceGuardian. I'm very dubious that it can really protect your php.
ASKER
as2003. you and i are thinking along the same lines there. something like that is what i would be needing, although i hate to have to manually send the client the file or something. maybe have the file automatically written including two variables like $domain and $hash and something in my main script files that reads the generated key file and does some sort of comparison between the $domain and $hash variable?? is that possible? could also get the domain that the script is running on and compare it to the domain that is in the key file based on what they submitted upon purchase.
When you say you would like to see the output of sourceguardian, what do you mean? i can provide you with a protected script and the loaders are all of course free for download on sourceguardian.com. i am a registered user of their program so i have the latest version. supposedly it puts the scripts in bytecode and the newest version supports obfuscation of the functions etc etc.
let me know how i can get an example script to you and i will certainly do that for you!
thanks. also, i'm not good with hashing algorithms. is there somewhere i can learn about this or one i could modify for my own use?
ASKER
also, sourceguardian i'm pretty sure is meant to compete with the ioncube folks. not sure which is better though.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
ahh, that sounds real nice. good think'n.
ummm, the encrypted SG scripts i don't believe are one large variable but what i can do is around 11:30 CST i can paste an example in here so you can see, then you can just download the correct loader for whatever operating system you have, and run the script. you can also bind the scripts to mac address and ip address and a few other options. i don't really ever use those options except for scripts i personally run on my own servers at work...so no one can modify them in case i leave :)
That sounds cool! I'm really interested to see how it works, and find out how secure it is!
ASKER
awesome! will you be able to keep me posted in some way so i can see what you think of the security? i'd like to know just so i can determine if i need to keep using it or scrap it. i can post an email addr here that you can send to!
Sure, no problem. I could post my findings on this question perhaps.
ASKER
cool. here's the email you can send to also:
coder 'at' westky.com
i'll post an encrypted example here in about 30-45 minutes!
ASKER
you think i should just fread() the keyfile into a variable and if the key matches the hash then set the variable to empty or something?
Yeah, that would work. Or you could make a file called something like key.inc.php contain
<?php $key = "fdsjkfdsjfkdslfjksdlj"; ?>
and make your script contain
require('key.inc.php');
// key_is_good() is a placeholder for your own key check
if (!key_is_good($key)) {
    die('invalid key');
}
Either way would be fine I think.
ASKER
as2003: below is just a really simple "hello world" thing. all it does is echo hello world. lemme know what you find out man! thanks.
---original-------
<php
echo "hello world";
?>
--------------------
so all you need to do is just download the correct loader from their site and put it in, i think the root dir of your site, then run the script.
encrypted:
<?php @SourceGuardian; 730710976; 3889299394; //v5.5
if(!function_exists('sg_lo ad')){$__v =phpversio n();$__u=s trtolower( substr(php _uname(),0 ,3));$__f= $__f0='ixe d.'.substr ($__v,0,st rpos($__v, '.',3)).'. '.$__u;$__ ff=$__ff0= 'ixed.'.$_ _v.'.'.$__ u;$__ed=in i_get('ext ension_dir ');if(!$__ e=realpath ($__ed)) die('extension_dir does not exists '.$__ed);if(file_exists($_ _e.'/'.$__ ff)) dl($__ff);else if(file_exists($__e.'/'.$_ _f)) dl($__f);else {$__d=getcwd();if(@$__d[1] ==':'){$__ d=str_repl ace('\\',' /',substr( $__d,2));$ __e=str_re place('\\' ,'/',subst r($__e,2)) ;}$__e.=($ __h=str_re peat('/..' ,substr_co unt($__e,' /')));$__f ='/ixed/'. $__f;$__ff ='/ixed/'. $__ff;whil e(!file_ex ists($__e. $__d.$__ff ) && !file_exists($__e.$__d.$__ f) && strlen($__d)>1){$__d=dirna me($__d);} if (file_exists($__e.$__d.$__ ff)) dl($__h.$__d.$__ff);else if (file_exists($__e.$__d.$__ f)) dl($__h.$__d.$__f);}if(!fu nction_exi sts('sg_lo ad')){die( 'PHP script <B>'.__FILE__.'</B> is protected by <A HREF="http://www.sourceguardian.com/">SourceGuardian</A> and requires the SourceGuardian loader <B>'.$__f0.'</B>. The SourceGuardian loader has not been installed, or is not installed correctly. Please visit the <A HREF="http://www.sourceguardian.com/ixeds/">SourceGuardian php encoder</A> site to download required loader.');exit();}}return sg_load('AAQAAAALAAAABIAAA ACABAAAAAA AAAD/FrF2h m77+W9iGxB Nu8i6yXZGR NhA+ZfAGnk +mxNoS8P/I mi2z4kPZqf Tc+N4oPsT5 f8Iyo4XBGN hjrQTF0aJ7 Vd7KZBP3g9 2C2KICwCoG XtiumneM0F iS2BxWLsoF cEn7FPkkvo JM++IKF0xp zs8q9rxZHZ s+PuaR4fdG UPmszhnpmp TDsc7/JrhF BL2mdAw1VJ P/td/dmcnP PjGynCBOjU UUpbiiYQzX fKGNRMCT06 HCbRdHBYxT z4SRQqCTPL eQPClFqsoh 3byDPjS3G5 kTmlyuQ6iX /228GKI/wK 7weL4v9eEf dqCoA==');
?>
ASKER
oops..let me resubmit the encrypted portion. i forgot the <? lol.
ASKER
ok, here is the correct version that should echo hello world when run. let me know if you have problems with it:
this file was called helloworld.php
<?php @SourceGuardian; 725011392; 1455280259; //v5.5
if(!function_exists('sg_lo ad')){$__v =phpversio n();$__u=s trtolower( substr(php _uname(),0 ,3));$__f= $__f0='ixe d.'.substr ($__v,0,st rpos($__v, '.',3)).'. '.$__u;$__ ff=$__ff0= 'ixed.'.$_ _v.'.'.$__ u;$__ed=in i_get('ext ension_dir ');if(!$__ e=realpath ($__ed)) die('extension_dir does not exists '.$__ed);if(file_exists($_ _e.'/'.$__ ff)) dl($__ff);else if(file_exists($__e.'/'.$_ _f)) dl($__f);else {$__d=getcwd();if(@$__d[1] ==':'){$__ d=str_repl ace('\\',' /',substr( $__d,2));$ __e=str_re place('\\' ,'/',subst r($__e,2)) ;}$__e.=($ __h=str_re peat('/..' ,substr_co unt($__e,' /')));$__f ='/ixed/'. $__f;$__ff ='/ixed/'. $__ff;whil e(!file_ex ists($__e. $__d.$__ff ) && !file_exists($__e.$__d.$__ f) && strlen($__d)>1){$__d=dirna me($__d);} if (file_exists($__e.$__d.$__ ff)) dl($__h.$__d.$__ff);else if (file_exists($__e.$__d.$__ f)) dl($__h.$__d.$__f);}if(!fu nction_exi sts('sg_lo ad')){die( 'PHP script <B>'.__FILE__.'</B> is protected by <A HREF="http://www.sourceguardian.com/">SourceGuardian</A> and requires the SourceGuardian loader <B>'.$__f0.'</B>. The SourceGuardian loader has not been installed, or is not installed correctly. Please visit the <A HREF="http://www.sourceguardian.com/ixeds/">SourceGuardian php encoder</A> site to download required loader.');exit();}}return sg_load('AAQAAAALAAAABIAAA ACABAAAAAA AAAD/IhxiH UqG/+DVix8 ywwKPhQRRi E61Z69aSX+ 1HsqP7gEbD aUabLy1VO3 jlIoKXie5A 1ZpaeLgUyJ aY4v9+zfhh DNHZp0K6bl BOrnDdBjRS daPV2W8ZHg rtcECgI/HX u42PBN1jK0 6u68N4At5D r67TlyWCnT yVu5QgOaIl PN8ZC/Y/xd eR2+zOSsyZ 9xfwaaV2IK oIjhfQF3nQ hKFvF0TXwI M1Ft2rTO9p p2O2D7EMug xhUdQhtXej lstFhmHfDt ruRfm/5dGk nJVZzGkGvX Jrg==');
?>
ASKER
forgot to add. the folder that the loaders go into is called "ixed", so just make that folder in the root of your site and it should work fine. i tested the above and it does echo hello world just fine.
ASKER
isn't using the md5 or sha1 hash on the domain alone a bad idea? because if i knew that the domain name was the glue that bound thing together and i figured out that the license key file contained an md5 hash i could just md5 the domain name and easily figure out that is what really creates a valid license? then if there was extra text at the beginning and end of the hash, that would be in all licenses and would never change so to create a valid key for another domain, so long as i get the hash for the domain name down, i just add the same text to front and end of the hash in the key file and now i have another valid key....
seems that a better way would be to have some sort of a unique hash that can't really be figured out easily like using an md5 or sha1 hash on a string.
ASKER
perhaps i should tear apart smaller portions of the submitted domain name and make multiple hashes in an odd order and make that the key. wouldn't that really make it very difficult to piece together?
That's why I suggest appending some random text to the domain name before hashing it. The client could try hashing their domain name in various ways, but by appending a secret string, they will never be able to reverse it without bruteforcing. If the string is long enough (12 alphanumeric characters long), bruteforcing is infeasible. This assumes that they know how you formed the string that you hashed. Which they won't!
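As an added example (not part of any post in this thread), here is the unkeyed hash the asker worries about next to a secret-keyed hash of the kind suggested in the reply above. It uses HMAC-SHA256 rather than appending the secret to the domain, and `LICENSE_SECRET`, the function names and the sample domains are all assumptions made for illustration.

```php
<?php
// Added example: domain-bound license keys. All names and sample values are
// hypothetical and constructed; none of this code comes from the thread.
const LICENSE_SECRET = 'replace-with-a-long-random-secret'; // assumption: known only to the vendor

// Normalise the host so "WWW.Example.com:8080" and "example.com" share one licence.
function normalize_domain(string $host): string {
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);   // drop a trailing port
    $host = preg_replace('/^www\./', '', $host);  // drop a leading "www."
    return rtrim($host, '.');
}

// Weak scheme from the question: an unkeyed hash that anyone can recompute.
function weak_key(string $domain): string {
    return md5(normalize_domain($domain));
}

// Keyed scheme: HMAC-SHA256 of the domain under the vendor's secret.
function license_key(string $domain, string $secret = LICENSE_SECRET): string {
    return hash_hmac('sha256', normalize_domain($domain), $secret);
}

// Recompute the key for the host the script runs on and compare in constant time.
function license_is_valid(string $runningHost, string $key, string $secret = LICENSE_SECRET): bool {
    $expected = license_key($runningHost, $secret);
    return hash_equals($expected, strtolower(trim($key)));
}

// Vendor side: issue a key for the domain given at purchase (constructed sample).
$issued = license_key('shop.example.com');

// Customer side: check the issued key against several running hosts.
$hosts = ['Shop.Example.com:443', 'www.shop.example.com', 'other.example.net'];
foreach ($hosts as $host) {
    printf("%-24s issued key accepted: %s\n", $host, var_export(license_is_valid($host, $issued), true));
}

// A customer who guesses "it is just md5 of the domain" can mint keys for the
// weak scheme, but the same guess fails against the keyed check.
$guess = md5('other.example.net');
printf("guess matches weak key:  %s\n", var_export($guess === weak_key('other.example.net'), true));
printf("guess passes keyed check: %s\n", var_export(license_is_valid('other.example.net', $guess), true));
```

Because the script that verifies the key has to contain the secret, this check is only as strong as the encoder protecting that script, which is the question the rest of the thread turns to.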
ASKER
ahh yes.. i see. that was my problem...i wasn't hashing the secret string WITH the domain. i was doing it separate which would be a dead giveaway.
any luck on the encrypted file i posted?
not yet, i've been asleep between this and my last post!
Just checked it out. It seems that SG used to be pretty easy to reverse, but the latest version you are using is pretty solid. IonCube and Zend both appear to be popular alternatives.
ASKER
that's what i've read but i'll find a post and see what you think about it. it's pretty recently posted on a forum and quite disturbing about all 3 companies....
ASKER
http://forums.invisionpower.com/index.php?showtopic=203505&st=0
i still don't know of the link that actually shows the evidence of this post but from what i've read it is or WAS true.
i would like to find the link just to test things out on current scripts i've written.
ASKER
also, check this link out:
http://www.sitepoint.com/forums/showthread.php?t=340785
http://www.phprecovery.com/ appears to think it can decode!
ASKER
dang!! this is crazy. i'm gonna submit to them what i posted here and see what they can do with it. the example on that page you submitted shows a version 5 SG file decrypted!! i have 5.5 so who knows if it's any different!
sheesh....this is scary!
ASKER
Interesting stuff! Just a couple of days ago I didn't even know about these encryption programs!
ASKER
really???!!!
are you in US or somewhere else?
i've known about them for years !
you've been coding php for a good while right?
Coding for 4 years now, but always just for fun. I'm from the UK.
I guess I probably knew they would exist but I wouldn't have been able to name any. Although I see the name 'Zend' all over the place!
ASKER
ahh.. cool. actually source guardian is in the UK i do believe.
Inovica Ltd (Trading as SourceGuardian)
Suite 20, Quay Level
St. Peters Wharf
Newcastle Upon Tyne
NE6 1TZ
United Kingdom
familiar with that area?
I know of it but I don't think I've ever visited it. Next time I do, I'll drop by and tell them their software is broken!
ASKER
haha. i wish i was over there, i'd be over there quicker than television!!
Doesn't SourceGuardian come with a feature called license generator?