  1. #1
    Join Date
    Oct 2006
    Location
    Salt Lake City, UT
    Posts
    849

    * Software Licensing.. Pulling out my hair!!

    I develop various modules/addons for WHMCS and so far have encrypted(ioncube) all of them. I'm now looking to release a new module that I'd like to leave totally unencrypted except the licensing functions..

    At the moment there's a licensing function in a separate required file that returns true or false whether the license is valid or not and a simple "if true" allows the software to be used. This is fine if the entire thing is encrypted, but if only the license file is encrypted anyone with a keyboard and eyes could cause the license function to return true.. Which totally defeats the purpose..

    I've been pulling my hair out over this for a while and am finally looking for help. I'm looking to leave as much of my software unencrypted as possible while still retaining license protection. I know this is possible as Kayako does something similar.

    Any help is appreciated. Thanks!
    | | i write code

  2. #2
    Join Date
    Jan 2003
    Location
    Romania
    Posts
    96
    Encode the database class file too, and in it add the function to validate the license. Eventually in the constructor of the database class.
    Dotboost Technologies - Enterprise PHP Solutions

    I treat PHP hate as a strong indicator of an inexperienced, insecure developer.

  3. #3
    Join Date
    Aug 2009
    Posts
    476
    I'm afraid it's impossible. If you leave other files unencrypted, then it will take only minutes to disable your protection system.

    Any important reason for leaving source code readable? Usually I always encrypt all files except templates, so customers still can make all changes they need.

  4. #4
    Join Date
    Jan 2003
    Location
    Romania
    Posts
    96
    Quote Originally Posted by Hosting24 View Post
    I'm afraid it's impossible. If you leave other files unencrypted, then it will take only minutes to disable your protection system.
    Not very sure the above is true.
    The Kayako 'owned' version has only 4 or 5 files encoded out of a few thousand, and nobody has disabled the protection in years.
    Dotboost Technologies - Enterprise PHP Solutions

    I treat PHP hate as a strong indicator of an inexperienced, insecure developer.

  5. #5
    Join Date
    Oct 2006
    Location
    Salt Lake City, UT
    Posts
    849
    Quote Originally Posted by shoperotic View Post
    Not very sure the above is true.
    The Kayako 'owned' version has only 4 or 5 files encoded out of a few thousand, and nobody has disabled the protection in years.
    Exactly
    Although the template files will not be encoded, I would like to leave as much of it unencoded as possible so those who wish to are able to customize it, etc without removing the licensing functions.
    | | i write code

  6. #6
    Join Date
    Feb 2004
    Location
    Toronto, ON, Canada
    Posts
    1,443
    What you can do is encrypt the function file, then all the license verification is done within that function file. Then if your client wishes to customize it, they can just call the function within the function file.

    Or if you wish to let your client edit the functions then you can try this way.

    2 encrypted files
    config.php
    licensecheck.php

    So in the config.php, you will have all the variables that your script needs to run properly. This file will be required by all files within your script.

    In your licensecheck.php, just have a license check function but then if it fails just run a die();. And this licensecheck file is called by config.php.
    Last edited by lonea; 09-11-2009 at 06:39 PM.
    VimHost█ Providing Web Hosting since 2003: 13 Years of Dedication to our customers ~ Premium Hosting in Canada
    Email Hosting | RTMP Hosting | FFMPEG Hosting

  7. #7
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,900
    Quote Originally Posted by siforek View Post
    At the moment there's a licensing function in a separate required file that returns true or false whether the license is valid or not and a simple "if true" allows the software to be used.
    Quote Originally Posted by lonea View Post
    In your licensecheck.php, just have a license check function but then if it fails just run a die();. And this licensecheck file is called by config.php.
    This is one of the single biggest mistakes we see in terms of software licensing.

    If you keep the licensing code in a separate file and not integrated within your main function files and the rest of your code, it is trivial for someone to replace that external file with another, which will always return true.

    In many cases, removing the file will return a PHP error saying function xyz not found. It's then trivial to create a new licensecheck.php with:

    <?php
    function xyz() {
        return true;
    }
    ?>

    While you can add some protection through trying to obscure names and functions etc..., it is still normally very little work to find out what is actually going on.

    Having your license check function within a larger function file, containing key/critical functions for your product, which is then encoded, offers a much greater level of protection and increased challenge for people trying to steal your software.
    Alasdair
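
The design described in the post above, as an added example that is not code from any poster, WHMCS or ionCube: the license state lives inside the same file as a function the open files cannot run without, so a stub that only returns true is not a working replacement. It goes beyond the thread by assuming a vendor-signed, per-domain license token checked with PHP's sodium extension; `Core`, `issue_license()`, `loadLicense()` and `query()` are hypothetical names, and the key pair, domains and timestamps are constructed.

```php
<?php
declare(strict_types=1);

// Vendor side (runs on the licensing server, never shipped): sign the payload.
function issue_license(string $secretKey, string $domain, int $expires): string
{
    $payload = json_encode(['domain' => strtolower($domain), 'expires' => $expires]);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Shipped side: stands in for the one encoded file. The license state is private
// to the same class that owns the functions the open files depend on.
final class Core
{
    /** @var string */
    private $vendorPublicKey;
    /** @var array|null */
    private $license = null;

    public function __construct(string $vendorPublicKey)
    {
        $this->vendorPublicKey = $vendorPublicKey;
    }

    public function loadLicense(string $token, string $host, int $now): bool
    {
        $this->license = null;
        $parts = explode('.', $token);
        if (count($parts) !== 2) {
            return false;
        }
        $payload = base64_decode($parts[0], true);
        $sig = base64_decode($parts[1], true);
        // verify_detached throws on a wrong-length signature, so reject it first.
        if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
            return false;
        }
        if (!sodium_crypto_sign_verify_detached($sig, $payload, $this->vendorPublicKey)) {
            return false;
        }
        $data = json_decode($payload, true);
        if (!is_array($data) || !is_string($data['domain'] ?? null) || !is_int($data['expires'] ?? null)) {
            return false;
        }
        if (!hash_equals($data['domain'], strtolower($host)) || $now >= $data['expires']) {
            return false;
        }
        $this->license = $data;
        return true;
    }

    // A critical function: a replacement file that only "returns true" for the
    // license check would also have to reimplement this.
    public function query(string $sql): string
    {
        if ($this->license === null) {
            throw new RuntimeException('license check has failed');
        }
        return 'executed: ' . $sql; // stand-in for the real database layer
    }
}

// Constructed demo data: throwaway key pair, fixed clock, example domains.
$keyPair = sodium_crypto_sign_keypair();
$core    = new Core(sodium_crypto_sign_publickey($keyPair));
$now     = 1700000000;
$token   = issue_license(sodium_crypto_sign_secretkey($keyPair), 'shop.example', $now + 86400);

// Same signature, payload edited to name another domain.
[$p, $s] = explode('.', $token);
$edited  = base64_encode(str_replace('shop.example', 'other.example', base64_decode($p))) . '.' . $s;

$cases = [
    'licensed domain' => [$token, 'shop.example', $now],
    'second domain'   => [$token, 'other.example', $now],
    'expired'         => [$token, 'shop.example', $now + 86400],
    'edited payload'  => [$edited, 'other.example', $now],
];
foreach ($cases as $label => [$t, $host, $clock]) {
    printf("%-16s %s\n", $label, $core->loadLicense($t, $host, $clock) ? 'valid' : 'rejected');
}

try {
    $core->query('SELECT 1'); // the last case was rejected, so the core refuses to run
} catch (RuntimeException $e) {
    echo 'query blocked: ', $e->getMessage(), "\n";
}
```

The signature only stops a license being edited or reused on another domain; it does nothing once the core file itself has been decoded, which is the limit the rest of the thread discusses.
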

  8. #8
    Join Date
    Aug 2009
    Posts
    476
    Quote Originally Posted by shoperotic View Post
    Not very sure the above is true.
    The Kayako 'owned' version has only 4 or 5 files encoded out of a few thousand, and nobody has disabled the protection in years.
    Is it really true? I saw many nulled Kayako versions YEARS AGO. As soon as a new version is released, I see a nulled copy on the Internet within the next few days.

  9. #9
    Join Date
    Apr 2009
    Location
    Adelaide, Australia
    Posts
    83
    Quote Originally Posted by tickedon View Post
    While you can add some protection through trying to obscure names and functions etc..., it is still normally very little work to find out what is actually going on.

    Having your license check function within a larger function file, containing key/critical functions for your product, which is then encoded, offers a much greater level of protection and increased challenge for people trying to steal your software.
    I think this is about the best suggestion you can get aside from encoding every non-template file.
    For instance, most of my applications include a header file in every script. The header file includes things like template includes, configuration settings (including database settings) and miscellaneous functions that the rest of the application needs in order to run properly. Putting your licence check in there and encoding that would mean that anyone replacing header.php with a file that returns "licence valid" (or whatever your scripts look for) would also need to replicate and replace all the other important code (most of which they would never have seen so it would be impossible).

    Out of curiosity, why the need to leave so much code readable? Are you going for an open(ish) source approach?

  10. #10
    Join Date
    Jan 2003
    Location
    Romania
    Posts
    96
    Quote Originally Posted by Hosting24 View Post
    Is it really true? I saw many nulled Kayako versions YEARS AGO. As soon as a new version is released, I see a nulled copy on the Internet within the next few days.
    There were a few nulled versions years ago, because it seems that the Zend Encoder has some bugs.
    The latest nulled version that I know of is 3.11.01, which is very old; the current is 3.60.04.
    Are you sure you saw a 3.60.04 nulled version?
    Dotboost Technologies - Enterprise PHP Solutions

    I treat PHP hate as a strong indicator of an inexperienced, insecure developer.

  11. #11
    Join Date
    Aug 2009
    Posts
    476
    shoperotic, a few days ago I downloaded version 3.60.04 from one of the file sharing sites for testing purposes and can confirm it's really nulled.

    I also saw many pirated (but NOT nulled) versions (like 3.30, 3.40, etc.) which were working perfectly.

  12. #12
    Join Date
    Sep 2009
    Location
    Istanbul
    Posts
    15
    Quote Originally Posted by siforek View Post

    I'm looking to leave as much of my software unencrypted as possible while still retaining license protection. I know this is possible as Kayako does something similar.

    Any help is appreciated. Thanks!

    Impossible. Because as long as you leave your code as open source, somebody can bypass the license request by checking your code. Maybe you are including a file, a function, whatever... he/she can complete the missing (encoded) part of it.

    Your best option is to encode php side and leave template section unencoded.

  13. #13
    Join Date
    Aug 2009
    Posts
    476
    Yes, I would also recommend encoding EVERYTHING except templates.

  14. #14
    Join Date
    Jan 2003
    Location
    Romania
    Posts
    96
    Quote Originally Posted by Hosting24 View Post
    shoperotic, a few days ago I downloaded version 3.60.04 from one of the file sharing sites for testing purposes and can confirm it's really nulled.

    I also saw many pirated (but NOT nulled) versions (like 3.30, 3.40, etc.) which were working perfectly.
    Well, from what I know, Zend encoded files *can* be decoded. And a Zend encoded version was decoded and leaked.
    Not the ionCube encoded one.
    I prefer to encode ALL files that are not template related (*.php) with ionCube.
    Dotboost Technologies - Enterprise PHP Solutions

    I treat PHP hate as a strong indicator of an inexperienced, insecure developer.

  15. #15
    Join Date
    Jul 2007
    Location
    Southampton, NY
    Posts
    229
    Quote Originally Posted by siforek View Post
    I develop various modules/addons for WHMCS and so far have encrypted(ioncube) all of them. I'm now looking to release a new module that I'd like to leave totally unencrypted except the licensing functions..

    At the moment there's a licensing function in a separate required file that returns true or false whether the license is valid or not and a simple "if true" allows the software to be used. This is fine if the entire thing is encrypted, but if only the license file is encrypted anyone with a keyboard and eyes could cause the license function to return true.. Which totally defeats the purpose..

    I've been pulling my hair out over this for a while and am finally looking for help. I'm looking to leave as much of my software unencrypted as possible while still retaining license protection. I know this is possible as Kayako does something similar.

    Any help is appreciated. Thanks!
    Hmm, this is me just thinking briefly, but you can create a function that checks and sees if the license is valid and then encode that and put it on each page.
    "Unix is simple. It just takes a genius to understand its simplicity." Dennis Ritchie

  16. #16
    Join Date
    Aug 2009
    Posts
    476
    Topic update...

    I have made new software and decided to make 2 versions of it - Zend and ioncube. While Zend version works just fine, ioncube version displays fatal errors about non-existing functions. I'm not sure why, but ioncube isn't able to load all functions properly for unknown reasons.

    Sure, you could tell me there is a problem with software, but non-encoded and Zend versions work just fine...
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  17. #17
    Join Date
    Jan 2003
    Location
    Romania
    Posts
    96
    Quote Originally Posted by Hosting24 View Post
    Topic update...

    I have made new software and decided to make 2 versions of it - Zend and ioncube. While Zend version works just fine, ioncube version displays fatal errors about non-existing functions. I'm not sure why, but ioncube isn't able to load all functions properly for unknown reasons.

    Sure, you could tell me there is a problem with software, but non-encoded and Zend versions work just fine...
    It seems ionCube is not working yet under PHP 5.3.0.
    Dotboost Technologies - Enterprise PHP Solutions

    I treat PHP hate as a strong indicator of an inexperienced, insecure developer.

  18. #18
    Join Date
    Aug 2009
    Posts
    476
    Ah, that may explain everything
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  19. #19
    Join Date
    Oct 2006
    Location
    Salt Lake City, UT
    Posts
    849
    Quote Originally Posted by cPHost View Post
    Hmm, this is me just thinking briefly, but you can create a function that checks and sees if the license is valid and then encode that and put it on each page.
    That's obviously what I'm doing, but I need to keep those files open

    I don't have multiple pages going on here.. I have 3 files that are currently encoded. 1 uses smarty templates and does not require the license function, the other 2 do not use smarty but do require the license function..

    I've been trying to come up with a solution for this for months now and I think I'll just offer a full source/owned version to those who want it bad enough to sign a NDA and verify their identity..

    The only possible way I can see leaving any of the source open is if I have multiple(10+) files that are open & the "master file" that's encoded contains the license check and all the DB queries..

    Oh well, I'll play with it more, thanks for the effort everyone.

    By the way, ionCube CAN be decoded. Just last week someone decoded some of my software (they have disappeared since I reacted).
    | | i write code

  20. #20
    Join Date
    Aug 2009
    Posts
    476
    Quote Originally Posted by siforek View Post
    By the way, ionCube CAN be decoded. Just last week someone decoded some of my software (they have disappeared since I reacted).
    I'm sorry to say, but your files will surely appear on the Internet again. It's because many persons should have your decoded files at the moment.
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  21. #21
    Join Date
    Jun 2008
    Location
    Atlanta, Georgia
    Posts
    111
    If you use a lot of functions within your php code you can drop the licensing in the functions page and encode that, this way they can't bypass it without not using the functions which will make the site useless.

  22. #22
    Join Date
    Aug 2009
    Posts
    476
    jcroom, if bad guys decode your software, they will be able to remove license check features from your functions as easy as 1-2-3
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  23. #23
    Well, you should encode your main functions file and that should be more than enough. Have all your main functions in it and encode it. For your license file, encode it using some of your own encryption techniques which are encoded in your functions file.

    This way it's a lot safer, as no one will be able to produce an encoded license file like yours and know what's in there.

    Regards,
    Alons
    Softaculous - Auto Installer for cPanel, Direct Admin, InterWorx, Plesk, H-Sphere
    The only Auto Installer that installs 260+ scripts. Install in just ONE STEP!
    Virtualizor - VPS Control Panel supporting OpenVZ, Xen, KVM and has 60+ OS Templates
    Webuzo - Softaculous for the Cloud i.e. Softaculous Standalone

  24. #24
    Join Date
    Aug 2009
    Posts
    476
    Yes, this way is safer. However, I know a programmer who encoded his software exactly in the same way and software got nulled in 2 months. It wasn't very popular script anyways...

    I also saw a nulled copy of my software on warez forums. I downloaded it, launched the installer and installation went fine (the installer doesn't check for an active license). As soon as the main administration interface was launched, I got a 'license check has failed' error. I'm not sure how the guys have nulled this tool if it still doesn't work without a valid license.
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  25. #25
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,900
    Considering that companies like Adobe, Microsoft etc... all fail to protect their products against piracy, it is slightly naive (I think) to believe that we, with far less resources, will be able to achieve an unbreakable solution.

    All the tools out there can only help protect your product from piracy. People who are determined not to pay will likely find a way to do so. Even simple things like preventing a customer purchasing one license and using it in two locations etc... will help generate additional revenue.
    Alasdair

  26. #26
    Join Date
    Aug 2009
    Posts
    476
    tickedon, you are right. However, if you are just a "small person", most likely no one will bother spending hours in order to crack your software (if it's not very popular).
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  27. #27
    Join Date
    Oct 2006
    Location
    Salt Lake City, UT
    Posts
    849
    No matter what you do it's still possible to decode your source. After a while on the phone with Ioncube I went for the Basic PHP Encoder and decided that for those who don't want my software to call back to the server for license verification that I'll just write their domain into the source before encoding. The nice thing about that is that a simple WHMCS module & actionhook automates this process
    | | i write code

  28. #28
    Join Date
    Aug 2009
    Posts
    476
    "Good news" to all coders. Just found a website made by people from Russia, and this website can decode zended files in less than a second. The service is completely free.

    I did some tests and the latest version of Zend was decoded immediately.
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  29. #29
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,900
    Quote Originally Posted by Hosting24 View Post
    "Good news" to all coders. Just found a website made by people from Russia, and this website can decode zended files in less than a second. The service is completely free.

    I did some tests and the latest version of Zend was decoded immediately.
    The latest version of Zend is quite old. A hacked PHP installation with a dezend.exe has been floating around for quite some time. No external website needed for people seriously interested in breaking the Zend Guard protection.
    Alasdair

  30. #30
    Join Date
    Aug 2009
    Posts
    476
    I forgot to say that these persons also offer decryption of other platforms like .NET for example... Smart guys
    Hosting24.com Web Hosting - First class web hosting services.
    Boxbilling - Complete billing, invoicing and client management system.

  31. #31
    Join Date
    Oct 2002
    Location
    Langley, BC
    Posts
    2,046
    I don't think that is possible, you might want to ask Matt at WHMCS if he has any idea on how to do that.

    As the license check logic can simply be removed on the unencrypted files by someone who understands php.
    We Have Generated Over 7 Million cPanel Backups Come Dance Together With Us Y'all!
    Offer Your Own Backup Hosting Service - SiteAutoBackup.Com (Private Label / WHMCS Ready)
    WebHostingBusinessBook.Com | YouTube.com/WebHostingTutorial | NowOpenOnline.Com

  32. #32
    Join Date
    Mar 2002
    Location
    London & Kent, UK
    Posts
    372
    Good thread. To comment on a few points, there's now an ionCube Loader for PHP 5.3 on Linux x86. Others are being phased in to follow soon. The Zend forum mentions that Zend encoded files may not be able to run on PHP 5.3 and that the original sources would need to be re-encoded for 5.3, but with the first ionCube Loader for PHP 5.3 we concentrated on back compatibility to support existing encoded PHP 5 files, as well as most PHP 4 encoded files.

    The comment on functions not found was interesting and is not something we've had reported before except in connection to obfuscation. The function name obfuscation feature by definition changes the names of functions, and while most scenarios including dynamic function calls via variables is supported, if an obfuscated function is called from a non-encoded context it will indeed not be found precisely because it no longer exists with its original name. Functions can be excluded from being obfuscated on a case by case basis though to handle this.

    When deciding what to encode, it typically makes sense to encode the files that you really want hidden as well as any that end users shouldn't be changing. This isn't just for code protection reasons, as it can be a real problem when a user reports a bug in some scripts and it eventually turns out that they've been tinkering with the code themselves! Some corporations lock down their code precisely so that their own developers cannot make changes to production code, bypassing the proper change control procedures. Files that users might reasonably want to change should be left unencoded.

    With the problem of hackers trying to break code and licensing systems, as people have said, this can never be 100% guaranteed to be prevented. However, the majority of serious users who are prepared to pay for a product will have no interest in putting major effort or funds behind trying to "break the system", and those who will do are doing so precisely because they don't want to pay and have no intention of doing so. That said, having no licensing system at all and relying purely on trust, where people should pay but there's nothing to actually require them to, will definitely lose potential revenue. Some form of licensing mechanism should be largely effective in securing revenue from people who are happy to pay.
    Real-time intrusion protection and error reporting for PHP sites ioncube24.com
    Software protection for website owners and PHP developers ionCube PHP Encoder

  33. #33
    Join Date
    Jan 2004
    Location
    Oztrayla Mate!
    Posts
    572
    Quote Originally Posted by phpa View Post
    However, the majority of serious users who are prepared to pay for a product will have no interest in putting major effort or funds behind trying to "break the system", and those who will do are doing so precisely because they don't want to pay and have no intention of doing so.
    No not at all, people reverse things for the challenge and the ensuing "street cred" when they accomplish something nobody has yet done.

    They don't spend years learning how to reverse code just to obtain a free product, and mostly they will reverse it then push it out to the public and move on to the next challenge without even using the product. Then the damage gets done when it gets handed around like candy, and thousands of people who may have bought it find it on Rapidshare and say.. Well why not.

    A guy I know who can reverse your ionCube spent weeks on it, that's a lot of resources if the intent was to prevent paying for a product.

  34. #34
    Join Date
    Nov 2003
    Location
    USA
    Posts
    784
    I am also trying to find a way to encode fewer files so they can edit more.
    WHMCS Services - sales (at) whmcsservices.com
    WHMCS Development | WHMCS Addons / Modules

  35. #35
    Quote Originally Posted by 1boss1 View Post
    No not at all, people reverse things for the challenge and the ensuing "street cred" when they accomplish something nobody has yet done.

    They don't spend years learning how to reverse code just to obtain a free product, and mostly they will reverse it then push it out to the public and move on to the next challenge without even using the product. Then the damage gets done when it gets handed around like candy, and thousands of people who may have bought it find it on Rapidshare and say.. Well why not.

    A guy I know who can reverse your ionCube spent weeks on it, that's a lot of resources if the intent was to prevent paying for a product.
    I agree with you but I think this is a process.
    We make a system and they break it if it's easy and you have left loopholes.
    When we come to know of a leak you redesign the system, sealing the leak.
    When you seal it, all the people who installed it free will not be able to use it anymore. So they will purchase it from you or leave it.
    I think hackers help us in a way in finding the loopholes we have left at times (that's the bright side I can look at).
    Softaculous - Auto Installer for cPanel, Direct Admin, InterWorx, Plesk, H-Sphere
    The only Auto Installer that installs 260+ scripts. Install in just ONE STEP!
    Virtualizor - VPS Control Panel supporting OpenVZ, Xen, KVM and has 60+ OS Templates
    Webuzo - Softaculous for the Cloud i.e. Softaculous Standalone

  36. #36
    Join Date
    Mar 2002
    Location
    London & Kent, UK
    Posts
    372
    Quote Originally Posted by 1boss1 View Post
    No not at all, people reverse things for the challenge and the ensuing "street cred" when they accomplish something nobody has yet done.

    They don't spend years learning how to reverse code just to obtain a free product, and mostly they will reverse it then push it out to the public and move on to the next challenge without even using the product.
    Exactly. Most notably, the serious users of software who are genuinely prepared to make a purchase will typically have no interest in wasting time hacking it or trying to find an illegal copy; they have a desire or need to be fulfilled, and if they find a solution at what they consider to be a fair price, they purchase it and move on. Even if there is a hacked copy available, most purchasers who are genuinely prepared to pay will do so not just because they're fundamentally honest and it simply doesn't occur to them to steal it, but also because they recognise the added value that comes with the real item.

    In some cases a generally honest person may decide that a high value item is not worth it to them to purchase but they would like it to play with, and they do end up with a warez copy. We can't condone this behaviour and being "generally honest" does not make it any more acceptable, however this is not necessarily bad news for the manufacturer as it may actually increase their sales from positive recommendations of the product to persons who do purchase, or by their "extended evaluation" eventually converting into a sale.

    An example might be Cubase, which to a professional business user is not expensive at all, but for a home user who merely wants to tickle the ivories on a Sunday afternoon and who never intends to make any money with the product, several hundred dollars couldn't be justified and they would be unlikely to purchase it up front. However if they used it more than once or twice and grew to appreciate it, they might in a year or two.

    The hackers, who demonstrably lack the skills and creativity to develop any worthwhile software of their own, may hack for the intellectual challenge or for personal validation that they fail to receive elsewhere in their lives, although any thanks in a warez forum means nothing.

    The big win from encoding PHP is as per the title of the thread, software licensing, and helping to ensure that software license policies of (for example) per-domain licensing can be implemented effectively. It's one thing to say that a license must be purchased for each domain, but if the customer who has purchased a license for their first domain finds that a product also works for every other domain that they want to use it on, the chance of receiving extra revenue for those other domains is slim.
    Real-time intrusion protection and error reporting for PHP sites ioncube24.com
    Software protection for website owners and PHP developers ionCube PHP Encoder
