Way To Protect PHP Source Code, Encrypt?


22 replies to this topic

#1 JustinK101
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego, California, US

Posted 16 September 2006 - 08:19 PM

Hello, I am developing a commercial PHP application and I have a PHP function which does my license check. It basically connects to my database and verifies that the license_key they have entered matches a valid license key that I stored in my database.

The problem is, anybody with a little brains can go searching through my functions.php file and find the function that does the check and remove it. Bam, they don't need a license anymore. Is there a way to make my entire functions.php file encrypted, i.e. so you can't open it up and see all the source?

Thanks much.

#2 AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 16 September 2006 - 08:40 PM

Yes, but not for free - which shouldn't really bother you if it's a commercial application.

http://www.phpaudit.com
https://www.olate.co.uk/index.php
Legend has it that reading the manual never killed anyone.
My site

#3 JustinK101

Posted 16 September 2006 - 09:12 PM

Andy,

Thanks, after viewing these sites, these products are much more than I need; they are full distribution and tracking software. I simply need a way to hide one file, functions.php. Perhaps I could cheat a little, and not make it 100% secure, but have it work against the noob coders.

How about encrypting the functions.php file, then on the fly from php decrypt the file when I access it? Any other ideas are welcomed.

#4 mainewoods
  • Members
  • Advanced Member
  • 685 posts
  • Location: Maine

Posted 16 September 2006 - 09:32 PM

You could add some code in an unexpected place to check for a change in the file size of the function.php file and then give an ambiguous error message and instruct them to contact you in order to continue using the program. Even better, you could make an MD5 hash of the file and then check for a change in that in some unexpected places.

That would only protect the function.php file; you would also have to protect the code that calls it, as a modification there can reroute security as well. Similar methods can be used for that though.



#5 JustinK101

Posted 16 September 2006 - 09:34 PM

Well, if they remove the include of functions.php the application will not work correctly, so I figure securing functions.php is good enough.

#6 tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 16 September 2006 - 09:38 PM

Here is something that I just found. I am going to test it and see what happens. It claims to be an opensource encoder.

Give it a shot http://www.byterun.c...php-encoder.php

Like I said I have yet to try this but I will.

Hope this helps,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have had gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux


#7 AndyB

Posted 16 September 2006 - 09:41 PM

If it's a commercial application then a real encoding/protection scheme is what helps protect your time investment as well as protecting against 'noobs' who scope out code or simply copy it and distribute it for free. I too have a commercial application in final beta testing, and my partner spent a considerable amount of time researching protection and decided those two were the best, with phpAudit the preferred solution for us. Given that the lite version's free, we'll be trying that first to see how it 'looks and feels'.

Give us some feedback on Tom's suggestion as that might be worth considering for some 'low level' commercial apps we're developing as well.

Oh, the link Tom gave also has an html 'encoder' that can stop right clicks and everything. My hopes that their php encoder is useful just dropped to near zero.

#8 mainewoods

Posted 16 September 2006 - 09:46 PM

But in the file that includes functions.php there will somewhere be a call to your security function like:
$passed = checklicense($enterbyuser); //calls your function
if I just change that line to:
$passed = true; //checklicense($enterbyuser);
//complete bypass of license system accomplished!
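
The pattern mainewoods describes in #4 (a digest of functions.php checked from unexpected places, with a vague error on mismatch) together with the bypass he shows in #8, as an added example that is not part of the original thread. The functions.php path and the release-time digest constant are assumptions, and the functions.php it writes to a temp directory for the demonstration is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread.  It implements the digest
// check mainewoods suggests and shows what the bypass from #8 does to it.
// Assumption: EXPECTED_DIGEST is computed once at release time, e.g.
//   php -r 'echo hash_file("sha256", "functions.php"), PHP_EOL;'
// and pasted into the file that includes functions.php.

const FUNCTIONS_FILE  = __DIR__ . '/functions.php';
const EXPECTED_DIGEST = 'release-time-sha256-goes-here';   // placeholder, assumed

/** True only if $file is byte-for-byte the copy that shipped. */
function file_is_intact(string $file, string $expectedDigest): bool
{
    if (!is_readable($file)) {
        return false;              // missing or unreadable counts as tampered
    }
    $actual = hash_file('sha256', $file);
    // Compare digests, not sizes: an edit that keeps the length identical
    // defeats a file-size check.  hash_equals() is the constant-time
    // comparison to use for any digest or secret.
    return hash_equals($expectedDigest, $actual);
}

/**
 * Call this from several unrelated code paths (report export, settings
 * save, a cron task), not once at start-up, so that deleting one call
 * does not silence the check.  The message is deliberately vague.
 */
function require_intact_install(): void
{
    if (!file_is_intact(FUNCTIONS_FILE, EXPECTED_DIGEST)) {
        http_response_code(500);
        exit('Error 0x3E: please contact the vendor to continue.');
    }
}

// Self-contained demonstration with a constructed functions.php in a temp dir.
$dir     = sys_get_temp_dir() . '/integrity-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
$file    = $dir . '/functions.php';
$shipped = "<?php\nfunction checklicense(\$key) { return \$key === 'ABC-123'; }\n";
file_put_contents($file, $shipped);
$digest  = hash('sha256', $shipped);

var_dump(file_is_intact($file, $digest));            // the untouched copy

// A same-length edit that a size check would miss: the comparison becomes "true".
$needle   = "\$key === 'ABC-123'";
$tampered = str_replace($needle, str_pad('true', strlen($needle)), $shipped);
file_put_contents($file, $tampered);
var_dump(strlen($tampered) === strlen($shipped));    // size check sees no change
var_dump(file_is_intact($file, $digest));            // digest check does

unlink($file);
rmdir($dir);

// What the check is worth: this guard lives in the same plain-text PHP the
// customer already controls, so the bypass from #8 still applies,
//     $passed = checklicense($key);   ->   $passed = true;
// and require_intact_install() itself is one commented-out line away from
// gone.  Treat it as a speed bump against casual editing, not as protection.
```

Run it with the php CLI: the first var_dump reports the untouched file as intact, the second shows the tampered file has the same length, and the third shows the digest check failing on it. The digest constant must be regenerated on every release of functions.php, which is the main operational cost of this approach.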


#9 tomfmason

Posted 16 September 2006 - 10:13 PM

I tested that encoder. Maybe I did something wrong but I got the following error.


Parse error: parse error, unexpected $ in \test_function.php(1) : eval()'d code(1) : eval()'d code on line 6



Here is the test_function.php before encoding

<?php
function test_message($word) {
     $message = "The word that you sent to this function is <b>$word</b>";
     return $message;
}
 ?>

and here is what it looked like afterwards.

<?php $_F=__FILE__;$_X='Pz48P3BocA0KZjNuY3Q0Mm4gdDVzdF9tNXNzMWc1KCR3MnJkKSB7DQogICAgICRtNXNzMWc1ID0gIlRoNSB3MnJkIHRoMXQgeTIzIHM1bnQgdDIgdGg0cyBmM25jdDQybiA0cyA8Yj4kdzJyZDwvYj47DQogICAgIHI1dDNybiAkbTVzczFnNTsNCn0NCiA/Pg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

Here is how I called the function

<?php
include("test_function.php");
$word = "test";
$message = test_message($word);
echo $message;
?>

I got the following error:

Fatal error: Call to undefined function: test_message()


So as it seems this is worthless. Either that or I am not doing something correctly

Tom



#10 AndyB

Posted 16 September 2006 - 10:19 PM

$message = "The word that you sent to this function is <b>$word</b>; <- the quote is never closed :)

#11 tomfmason

Posted 16 September 2006 - 10:20 PM

yea lol. I closed it in the original. I just made a typo here



#12 tomfmason

Posted 16 September 2006 - 10:23 PM

LOL I guess I didn't. I retried it and it worked just fine...lol

I luv it when I make myself look like an idiot..

lol.. So for the record it does work.

Tom



#13 JustinK101

Posted 16 September 2006 - 10:28 PM

Sweet, I'll have to give this a try.

Also, mainewoods,

My key checking function would not return a variable, like isValid. It would do something like:

if(mysql_num_rows($result) == 0)
{
  die("Fatal Error: Invalid license.");
}

The script would stop executing very early; the application would be worthless.

#14 AndyB

Posted 16 September 2006 - 10:28 PM

No worries, Tom. I'm well ahead of you in the "of course my code didn't work, here's the real version" race.

#15 mainewoods

Posted 16 September 2006 - 10:43 PM

So what if I just commented out the call to that function in the code?

//checksecurity($license); //commented out, will not be called
By the way, I just dissected the encoded code; try this:
<?php
// The stub's own opening: $_F is the stub's path, $_X the encoded payload.
$_F=__FILE__;
$_X='Pz48P3BocA0KZjNuY3Q0Mm4gdDVzdF9tNXNzMWc1KCR3MnJkKSB7DQogICAgICRtNXNzMWc1ID0gIlRoNSB3MnJkIHRoMXQgeTIzIHM1bnQgdDIgdGg0cyBmM25jdDQybiA0cyA8Yj4kdzJyZDwvYj47DQogICAgIHI1dDNybiAkbTVzczFnNTsNCn0NCiA/Pg==';
/*
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
*/

// Step 1: print the loader that the commented-out eval() above would run.
echo base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==');
// The value just above converts to the lines below, which would be eval'ed in the original:
$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
// The loader calls ereg_replace() here (removed in PHP 7); str_replace()
// gives the same result for the literal '__FILE__'.
$_R=str_replace('__FILE__',"'".$_F."'",$_X);

// Step 2: show the recovered source instead of running it.
echo "<br>&nbsp;<br><pre>" . htmlspecialchars($_R) . "</pre>";
//eval($_R);$_R=0;$_X=0; //eval'ed originally

?>
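
The scheme behind the stub tomfmason posted in #9, re-created from the loader mainewoods decoded above, as an added example that is not part of the thread (it is neither byterun's code nor mainewoods'). The encoder is inferred from the decoder, so it is an assumption that the real tool does nothing more than this; str_replace() stands in for the loader's ereg_replace(), which PHP 7 removed; and the source it encodes is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread.  Encoder inferred from the
// loader mainewoods decoded in #15; decoder parses the stub with a regex
// instead of running it.  Both are assumptions about how byterun's tool
// works, not its actual code.

// The loader's strtr() table.  It is a permutation of eleven characters,
// so encoding uses the same two strings in the opposite order.
const DECODE_FROM = '123456aouie';
const DECODE_TO   = 'aouie123456';

/** Produce a stub in the shape of the byterun output for a PHP source file. */
function byterun_encode(string $source): string
{
    // Layer 1: swap vowels and digits, then base64.  The leading "?>" lets
    // the eval()'d text start with the file's own "<?php" tag.
    $payload = base64_encode(strtr('?>' . $source, DECODE_TO, DECODE_FROM));

    // Layer 2: the loader that undoes layer 1 and eval()s the result.
    $loader = '$_X=base64_decode($_X);'
            . '$_X=strtr($_X,\'' . DECODE_FROM . '\',\'' . DECODE_TO . '\');'
            . '$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);'
            . 'eval($_R);$_R=0;$_X=0;';

    return '<?php $_F=__FILE__;$_X=\'' . $payload . '\';'
         . 'eval(base64_decode(\'' . base64_encode($loader) . '\'));?>';
}

/** Recover the source from such a stub without executing any of it. */
function byterun_decode(string $stub): string
{
    if (!preg_match('/\$_X=\'([A-Za-z0-9+\/=]+)\'/', $stub, $m)) {
        throw new InvalidArgumentException('no $_X payload found');
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false) {
        throw new InvalidArgumentException('payload is not valid base64');
    }
    // Undo layer 1 with the fixed table; no key is involved anywhere.
    $plain = strtr($decoded, DECODE_FROM, DECODE_TO);
    if (substr($plain, 0, 2) !== '?>') {
        throw new InvalidArgumentException('unexpected payload prefix');
    }
    return substr($plain, 2);
}

// Constructed sample, mirroring tomfmason's test_function.php with the quote closed.
$source = "<?php\nfunction test_message(\$word) {\n"
        . "    return \"The word that you sent to this function is <b>\$word</b>\";\n"
        . "}\n";

$stub     = byterun_encode($source);
$stubFile = sys_get_temp_dir() . '/encoded_' . getmypid() . '.php';
file_put_contents($stubFile, $stub);

include $stubFile;                   // the stub is a working "encoded" file ...
echo test_message('test'), PHP_EOL;  // ... that defines the function via eval()

// ... and it is reversible by anyone who reads the loader; no demo download needed.
echo byterun_decode($stub) === $source ? 'round trip OK' : 'round trip FAILED', PHP_EOL;
unlink($stubFile);
```

The point for JustinK101's question in #1: the only "key" in this scheme is the eleven-character strtr() table, and it ships inside every encoded file, so this is obfuscation rather than encryption. Anything PHP can decode at run time on the customer's server, the customer can decode too; the same holds for the "decrypt on the fly" idea from #3. Products that genuinely hide source do it with a server-side extension that loads compiled bytecode, which is why they are not free.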


#16 makeshift_theory
  • Members
  • Advanced Member
  • 226 posts

Posted 16 September 2006 - 11:42 PM

Well, the way I encrypt things is a bit different: I use .htaccess with my server to limit the IPs that are allowed access to those specific folders. Basically what I'm saying is put the db or .dat file in a folder with specific .htaccess limits and use your PHP install file to set the IPs that have access to the functions that have the licensing code. I know this isn't exactly a PHP solution but I find it to be useful.

PS> I just got a new laptop, my mom's fiancee only bought it to go to the islands to watch movies and take pictures. So I said I would back it all up if I could have it since he doesn't use it and he agreed haha =). It's a Turion 64 processor running @ 2.0 GHz, it's not too bad, and who doesn't love free things =).
Emacs it's great for the body.

Trust the TechnoLust

Have a question check here:
PHP Manual: http://www.php.net

#17 AndyB

Posted 16 September 2006 - 11:47 PM

> Well, the way I encrypt things is a bit different: I use .htaccess with my server to limit the IPs that are allowed access to those specific folders. Basically what I'm saying is put the db or .dat file in a folder with specific .htaccess limits and use your PHP install file to set the IPs that have access to the functions that have the licensing code.


So if your server is down, the application on my site won't run?  If I don't have a static IP address, the application won't run?  That doesn't sound like a paying customer would be too thrilled with your method.

#18 makeshift_theory

Posted 16 September 2006 - 11:52 PM

Well no the client's server not mine specifically, and if the application is running on that server it won't make a difference anyway, I wouldn't think lol.  No server = No application

#19 makeshift_theory

Posted 17 September 2006 - 02:51 AM

Don't know if this is relevant but it was quite an interesting read:
http://www.zend.com/...on.php#Heading4

#20 JustinK101

Posted 17 September 2006 - 03:44 AM

tomfmason,

Trying to use the PHP encoder, did you download the demo or use the free encoding tool? I don't get it though: I used the free encoding tool, but how do you know how to decode it? You must have downloaded the demo, right?



