Web Hosting Talk

View Full Version : Software Licensing.. Pulling out my hair!!


siforek
09-09-2009, 09:47 PM
I develop various modules/addons for WHMCS and so far have encrypted (ioncube) all of them. I'm now looking to release a new module that I'd like to leave totally unencrypted except the licensing functions..

At the moment there's a licensing function in a separate required file that returns true or false whether the license is valid or not and a simple "if true" allows the software to be used. This is fine if the entire thing is encrypted, but if only the license file is encrypted anyone with a keyboard and eyes could cause the license function to return true.. Which totally defeats the purpose..

I've been pulling my hair out over this for a while and am finally looking for help :) I'm looking to leave as much of my software unencrypted as possible while still retaining license protection. I know this is possible as Kayako does something similar.

Any help is appreciated. :) Thanks!

shoperotic
09-10-2009, 10:44 PM
Encode the database class file too, and in it add the function to validate the license. Eventually in the constructor of the database class.

Hosting24
09-11-2009, 03:31 PM
I'm afraid it's impossible. If you leave other files unencrypted, then it will take only minutes to disable your protection system.

Any important reason for leaving source code readable? Usually I always encrypt all files except templates, so customers still can make all changes they need.

shoperotic
09-11-2009, 05:53 PM
I'm afraid it's impossible. If you leave other files unencrypted, then it will take only minutes to disable your protection system.

Not very sure the above is true.
The Kayako 'owned' version has only 4 or 5 files encoded out of a few thousand, and nobody disabled the protection in years.

siforek
09-11-2009, 06:21 PM
Not very sure the above is true.
The Kayako 'owned' version has only 4 or 5 files encoded out of a few thousand, and nobody disabled the protection in years.

Exactly :)
Although the template files will not be encoded, I would like to leave as much of it unencoded as possible so those who wish to are able to customize it, etc without removing the licensing functions.

lonea
09-11-2009, 06:27 PM
What you can do is encrypt the function file, then all the license verification is done within that function file. Then if your client wishes to customize it, they can just call the function within the function file.

Or if you wish to let your client edit the functions then you can try this way.

2 encrypted files
config.php
licensecheck.php

So in the config.php, you will have all the variables that your script needs to run properly. This file will be required by all files within your script.

In your licensecheck.php, just have a license check function but then if it fails just run a die();. And this licensecheck file is called by config.php.

tickedon
09-13-2009, 05:43 AM
At the moment there's a licensing function in a separate required file that returns true or false whether the license is valid or not and a simple "if true" allows the software to be used.


In your licensecheck.php, just have a license check function but then if it fails just run a die();. And this licensecheck file is called by config.php.

This is one of the single biggest mistakes we see in terms of software licensing.

If you keep the licensing code in a separate file and not integrated within your main function files and the rest of your code, it is trivial for someone to replace that external file with another, which will always return true.

In many cases, removing the file will return a PHP error saying function xyz not found. It's then trivial to create a new licensecheck.php with:

<?php
function xyz() {
    return true;
}
?>

While you can add some protection through trying to obscure names and functions etc..., it is still normally very little work to find out what is actually going on.

Having your license check function within a larger function file, containing key/critical functions for your product, which is then encoded, offers a much greater level of protection and increased challenge for people trying to steal your software.

Hosting24
09-14-2009, 05:12 AM
Not very sure the above is true.
The Kayako 'owned' version has only 4 or 5 files encoded out of a few thousand, and nobody disabled the protection in years.

Is it really true? I saw many nulled Kayako versions YEARS AGO. As soon as a new version is released, I see a nulled copy on the Internet within the next few days.

AdelaideHost
09-14-2009, 06:51 AM
While you can add some protection through trying to obscure names and functions etc..., it is still normally very little work to find out what is actually going on.

Having your license check function within a larger function file, containing key/critical functions for your product, which is then encoded, offers a much greater level of protection and increased challenge for people trying to steal your software.

I think this is about the best suggestion you can get aside from encoding every non-template file.
For instance, most of my applications include a header file in every script. The header file includes things like template includes, configuration settings (including database settings) and miscellaneous functions that the rest of the application needs in order to run properly. Putting your licence check in there and encoding that would mean that anyone replacing header.php with a file that returns "licence valid" (or whatever your scripts look for) would also need to replicate and replace all the other important code (most of which they would never have seen so it would be impossible).

Out of curiosity, why the need to leave so much code readable? Are you going for an open(ish) source approach?

shoperotic
09-14-2009, 07:24 AM
Is it really true? I saw many nulled Kayako versions YEARS AGO. As soon as a new version is released, I see a nulled copy on the Internet within the next few days.

There were a few nulled versions years ago, because it seems that the Zend Encoder has some bugs.
The latest nulled version that I know is 3.11.01, which is very old, the current is 3.60.04.
Are you sure you saw a 3.60.04 nulled version?

Hosting24
09-14-2009, 08:21 AM
shoperotic, a few days ago I downloaded version 3.60.04 from one of the file sharing sites for testing purposes and can confirm it's really nulled.

I also saw many pirated (but NOT nulled) versions (like 3.30, 3.40, etc.) which were working perfectly.

eticaret
09-15-2009, 12:04 AM
I'm looking to leave as much of my software unencrypted as possible while still retaining license protection. I know this is possible as Kayako does something similar.

Any help is appreciated. :) Thanks!


Impossible. Because as long as you leave your code as open source, somebody can bypass the license request by checking your code. Maybe you are including a file, a function, whatever... he/she can complete the missing (encoded) part of it.

Your best option is to encode the PHP side and leave the template section unencoded.

Hosting24
09-15-2009, 06:35 AM
Yes, I would also recommend encoding EVERYTHING except templates.

shoperotic
09-18-2009, 12:45 PM
shoperotic, a few days ago I downloaded version 3.60.04 from one of the file sharing sites for testing purposes and can confirm it's really nulled.

I also saw many pirated (but NOT nulled) versions (like 3.30, 3.40, etc.) which were working perfectly.

Well, from what I know, Zend encoded files *can* be decoded. And a Zend encoded version was decoded and leaked.
Not the ioncube encoded one.
I prefer to encode ALL files that are not template related (*.php) with ioncube.

JMele
09-18-2009, 02:32 PM
I develop various modules/addons for WHMCS and so far have encrypted (ioncube) all of them. I'm now looking to release a new module that I'd like to leave totally unencrypted except the licensing functions..

At the moment there's a licensing function in a separate required file that returns true or false whether the license is valid or not and a simple "if true" allows the software to be used. This is fine if the entire thing is encrypted, but if only the license file is encrypted anyone with a keyboard and eyes could cause the license function to return true.. Which totally defeats the purpose..

I've been pulling my hair out over this for a while and am finally looking for help :) I'm looking to leave as much of my software unencrypted as possible while still retaining license protection. I know this is possible as Kayako does something similar.

Any help is appreciated. :) Thanks!

Hmm, this is me just thinking briefly, but you can create a function that checks and sees if the license is valid and then encode that and put it on each page.

Hosting24
09-21-2009, 05:55 AM
Topic update...

I have made new software and decided to make 2 versions of it - Zend and ioncube. While Zend version works just fine, ioncube version displays fatal errors about non-existing functions. I'm not sure why, but ioncube isn't able to load all functions properly for unknown reasons.

Sure, you could tell me there is a problem with software, but non-encoded and Zend versions work just fine...

shoperotic
09-21-2009, 06:03 AM
Topic update...

I have made new software and decided to make 2 versions of it - Zend and ioncube. While Zend version works just fine, ioncube version displays fatal errors about non-existing functions. I'm not sure why, but ioncube isn't able to load all functions properly for unknown reasons.

Sure, you could tell me there is a problem with software, but non-encoded and Zend versions work just fine...

It seems ioncube is not working yet under php 5.3.0.

Hosting24
09-21-2009, 06:08 AM
Ah, that may explain everything :)

siforek
09-21-2009, 07:26 AM
Hmm, this is me just thinking briefly, but you can create a function that checks and sees if the license is valid and then encode that and put it on each page.

That's obviously what I'm doing, but I need to keep those files open :(

I don't have multiple pages going on here.. I have 3 files that are currently encoded. 1 uses smarty templates and does not require the license function, the other 2 do not use smarty but do require the license function..

I've been trying to come up with a solution for this for months now and I think I'll just offer a full source/owned version to those who want it bad enough to sign a NDA and verify their identity..

The only possible way I can see leaving any of the source open is if I have multiple (10+) files that are open & the "master file" that's encoded contains the license check and all the DB queries..

Oh well, I'll play with it more, thanks for the effort everyone :)

By the way, Ioncube CAN be decoded. Just last week someone decoded some of my software (they have disappeared since I reacted :)

Hosting24
09-21-2009, 07:42 AM
By the way, Ioncube CAN be decoded. Just last week someone decoded some of my software (they have disappeared since I reacted :)

I'm sorry to say, but your files will surely appear on the Internet again. It's because many persons should have your decoded files at the moment.

jcroom
09-21-2009, 03:09 PM
If you use a lot of functions within your php code you can drop the licensing in the functions page and encode that, this way they can't bypass it without not using the functions which will make the site useless.

Hosting24
09-22-2009, 05:54 AM
jcroom, if bad guys decode your software, they will be able to remove license check features from your functions as easy as 1-2-3

alons
09-22-2009, 06:13 AM
Well you should encode your main functions file and that should be more than enough. Have all your main functions in it and encode it. For your license file, encode it using some of your own encryption techniques which are encoded in your functions file.

This way it's a lot safer as no one will be able to produce an encoded license file like yours and know what's in there.

Regards,
Alons
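
Added example, not part of the original thread or any poster's code: one way to build the license file described above so that customers cannot produce or edit one, using a standard Ed25519 signature from PHP's sodium extension in place of a home-made encryption scheme, with the check placed inside a helper that the unencoded files need. All function names, license fields and domains are hypothetical, and the keypair is generated inline only so the sample runs on its own.

```php
<?php
// Added example. All names, license fields and domains are hypothetical.
// Vendor side (never shipped): demo keypair constructed at run time. In a
// real product the secret key stays with the vendor and only the public
// key is embedded in the encoded core file.
$keypair  = sodium_crypto_sign_keypair();
$vendorSk = sodium_crypto_sign_secretkey($keypair);
define('VENDOR_PK', sodium_crypto_sign_publickey($keypair));

// Vendor side: issue a license bound to one domain, with an expiry date.
function issue_license(string $domain, string $expires, string $sk): string
{
    $payload = json_encode(['domain' => strtolower($domain), 'expires' => $expires]);
    return base64_encode($payload) . '.'
         . base64_encode(sodium_crypto_sign_detached($payload, $sk));
}

// ---- Everything below would live in the single encoded core file ----
// Returns the signed fields, or null when the license is malformed, not
// signed by the vendor, issued for another domain, or expired.
function core_verify_license(string $license, string $host, int $now): ?array
{
    $parts = explode('.', $license);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    if ($payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, VENDOR_PK)) {
        return null;
    }
    $fields = json_decode($payload, true);   // trusted only after the check above
    if (!is_array($fields) || !isset($fields['domain'], $fields['expires'])) {
        return null;
    }
    $expiry = strtotime($fields['expires'] . ' 23:59:59 UTC');
    if ($fields['domain'] !== strtolower($host) || $expiry === false || $expiry < $now) {
        return null;
    }
    return $fields;
}

// A helper the unencoded files cannot do without. The check sits inside
// it, so a stub replacement for this file must also recreate the helper.
function core_settings(string $license, string $host): array
{
    if (core_verify_license($license, $host, time()) === null) {
        throw new RuntimeException('License check failed');
    }
    return ['db_dsn' => 'mysql:host=localhost;dbname=example']; // constructed value
}

// Constructed demo: a good license, the same license on another domain,
// and a payload edited to name that domain while reusing the old signature.
$lic    = issue_license('client.example', '2099-12-31', $vendorSk);
$edited = base64_encode('{"domain":"other.example","expires":"2099-12-31"}')
        . '.' . explode('.', $lic)[1];
var_dump(core_verify_license($lic, 'client.example', time()) !== null);
var_dump(core_verify_license($lic, 'other.example', time()) !== null);
var_dump(core_verify_license($edited, 'other.example', time()) !== null);
```

The signature only stops customers from forging or editing license files; as other posts in the thread point out, someone who decodes the core file can still remove the check.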

Hosting24
09-25-2009, 07:19 AM
Yes, this way is safer. However, I know a programmer who encoded his software exactly in the same way and the software got nulled in 2 months. It wasn't a very popular script anyways...

I also saw a nulled copy of my software on warez forums. I have downloaded it, launched installer and installation went fine (installer doesn't check for active license). As soon as main administration interface was launched, I got 'license check has failed error'. I'm not sure how guys have nulled this tool if it still doesn't work without a valid license :)

tickedon
09-25-2009, 07:24 AM
Considering that companies like Adobe, Microsoft etc... all fail to protect their products against piracy, it is slightly naive (I think) to believe that we, with far less resources, will be able to achieve an unbreakable solution.

All the tools out there can only help protect your product from piracy. People who are determined not to pay will likely find a way to do so. Even simple things like preventing a customer purchasing one license and using it in two locations etc... will help generate additional revenue.

Hosting24
09-25-2009, 07:29 AM
tickedon, you are right. However, if you are just a "small person", most likely no one will bother spending hours in order to crack your software (if it's not very popular).

siforek
09-25-2009, 07:10 PM
No matter what you do it's still possible to decode your source. After a while on the phone with Ioncube I went for the Basic PHP Encoder and decided that for those who don't want my software to call back to the server for license verification that I'll just write their domain into the source before encoding. The nice thing about that is that a simple WHMCS module & actionhook automates this process :)

Hosting24
09-30-2009, 03:56 AM
"Good news" to all coders. Just found a website made by people from Russia, and this website can decode zended files in less than a second. Service is completely free.

I did some tests and the latest version of Zend was decoded immediately.

tickedon
10-01-2009, 02:26 PM
"Good news" to all coders. Just found a website made by people from Russia, and this website can decode zended files in less than a second. Service is completely free.

I did some tests and the latest version of Zend was decoded immediately.

The latest version of Zend is quite old. A hacked PHP installation with a dezend.exe has been floating around for quite some time. No external website needed for people seriously interested in breaking the Zend Guard protection.

Hosting24
10-02-2009, 03:54 AM
I forgot to say that these persons also offer decryption of other platforms like .NET for example... Smart guys :)

jrianto
10-02-2009, 03:49 PM
I don't think that is possible, you might want to ask Matt at WHMCS if he has any idea on how to do that.

As the license check logic can simply be removed on the unencrypted files by someone who understands php.

phpa
10-07-2009, 01:42 PM
Good thread. To comment on a few points, there's now an ionCube Loader for PHP 5.3 on Linux x86. Others are being phased in to follow soon. The Zend forum mentions that Zend encoded files may not be able to run on PHP 5.3 and that the original sources would need to be re-encoded for 5.3, but with the first ionCube Loader for PHP 5.3 we concentrated on back compatibility to support existing encoded PHP 5 files, as well as most PHP 4 encoded files.

The comment on functions not found was interesting and is not something we've had reported before except in connection to obfuscation. The function name obfuscation feature by definition changes the names of functions, and while most scenarios including dynamic function calls via variables are supported, if an obfuscated function is called from a non-encoded context it will indeed not be found precisely because it no longer exists with its original name. Functions can be excluded from being obfuscated on a case by case basis though to handle this.

When deciding what to encode, it typically makes sense to encode the files that you really want hidden as well as any that end users shouldn't be changing. This isn't just for code protection reasons, as it can be a real problem when a user reports a bug in some scripts and it eventually turns out that they've been tinkering with the code themselves! Some corporations lock down their code precisely so that their own developers cannot make changes to production code, bypassing the proper change control procedures. Files that users might reasonably want to change should be left unencoded.

With the problem of hackers trying to break code and licensing systems, as people have said, this can never be 100% guaranteed to be prevented. However, the majority of serious users who are prepared to pay for a product will have no interest in putting major effort or funds behind trying to "break the system", and those who will do are doing so precisely because they don't want to pay and have no intention of doing so. That said, having no licensing system at all and relying purely on trust, where people should pay but there's nothing to actually require them to, will definitely lose potential revenue. Some form of licensing mechanism should be largely effective in securing revenue from people who are happy to pay.

1boss1
10-10-2009, 02:46 AM
However, the majority of serious users who are prepared to pay for a product will have no interest in putting major effort or funds behind trying to "break the system", and those who will do are doing so precisely because they don't want to pay and have no intention of doing so.

No not at all, people reverse things for the challenge and the ensuing "street cred" when they accomplish something nobody has yet done.

They don't spend years learning how to reverse code just to obtain a free product, and mostly they will reverse it then push it out to the public and move on to the next challenge without even using the product. Then the damage gets done when it gets handed around like candy, and thousands of people who may have bought it find it on Rapidshare and say.. Well why not.

A guy I know who can reverse your IonCube spent weeks on it, that's a lot of resources if the intent was to prevent paying for a product.

htb
10-10-2009, 11:07 PM
I am also trying to find a way to encode fewer files so they can edit more :)

alons
10-11-2009, 10:32 AM
No not at all, people reverse things for the challenge and the ensuing "street cred" when they accomplish something nobody has yet done.

They don't spend years learning how to reverse code just to obtain a free product, and mostly they will reverse it then push it out to the public and move on to the next challenge without even using the product. Then the damage gets done when it gets handed around like candy, and thousands of people who may have bought it find it on Rapidshare and say.. Well why not.

A guy I know who can reverse your IonCube spent weeks on it, that's a lot of resources if the intent was to prevent paying for a product.

I agree with you but I think this is a process.
We make a system and they break it if it's easy and you have left loopholes.
When we come to know of a leak you redesign the system sealing the leak.
When you seal it all the people who installed it free will not be able to use it anymore. So they will purchase it from you or leave it.
I think hackers help us in a way in finding the loopholes we have left at times (that's the bright side I can look at).

phpa
10-16-2009, 02:20 PM
No not at all, people reverse things for the challenge and the ensuing "street cred" when they accomplish something nobody has yet done.

They don't spend years learning how to reverse code just to obtain a free product, and mostly they will reverse it then push it out to the public and move on to the next challenge without even using the product.

Exactly. Most notably, the serious users of software who are genuinely prepared to make a purchase will typically have no interest in wasting time hacking it or trying to find an illegal copy; they have a desire or need to be fulfilled, and if they find a solution at what they consider to be a fair price, they purchase it and move on. Even if there is a hacked copy available, most purchasers who are genuinely prepared to pay will do so not just because they're fundamentally honest and it simply doesn't occur to them to steal it, but also because they recognise the added value that comes with the real item.

In some cases a generally honest person may decide that a high value item is not worth it to them to purchase but they would like it to play with, and they do end up with a warez copy. We can't condone this behaviour and being "generally honest" does not make it any more acceptable, however this is not necessarily bad news for the manufacturer as it may actually increase their sales from positive recommendations of the product to persons who do purchase, or by their "extended evaluation" eventually converting into a sale.

An example might be Cubase, which to a professional business user is not expensive at all, but for a home user who merely wants to tickle the ivories on a Sunday afternoon and who never intends to make any money with the product, several hundred dollars couldn't be justified and they would be unlikely to purchase it up front. However if they used it more than once or twice and grew to appreciate it, they might in a year or two.

The hackers, who demonstrably lack the skills and creativity to develop any worthwhile software of their own, may hack for the intellectual challenge or for personal validation that they fail to receive elsewhere in their lives, although any thanks in a warez forum means nothing.

The big win from encoding PHP is as per the title of the thread, software licensing, and helping to ensure that software license policies of (for example) per-domain licensing can be implemented effectively. It's one thing to say that a license must be purchased for each domain, but if the customer who has purchased a license for their first domain finds that a product also works for every other domain that they want to use it on, the chance of receiving extra revenue for those other domains is slim.