I want to prevent copying my custom-made CMS from domain to domain, and I want it to be operable only on the domain that it is bought for and only for the period of 1, 2 years from the purchase.

The code generation part is not a problem, but how to prevent it from being modified by hackers is the hardest part.

E.g. something like vBulletin protection. (I know it can be nulled too)

How to implement such a thing in my CMS written in PHP?

I think the variable check needs to be spread through the whole app in various places and masked in some ways, so the dependencies are not easy to detect and remove.

I know that it is a very difficult and hard topic, so I would appreciate some direction like a book, web discussion or article.

Btw. connecting to my server and checking if the domain is ok is not an option, my servers could be down and the clients as a result of not possible connection too.

Derfder
  • There is no way to do what you are describing. If you give clients your PHP code, they will be able to do whatever they want with it, including read and write. Thus whatever protections you may want to put on it could be removed by somebody who knows what they are doing. – thatidiotguy Dec 07 '12 at 18:29
  • Only way I know of doing this is using a PHP Encoder like ionCube PHP Encoder. However, every server that runs it will have to have the decoder installed. – Pitchinnate Dec 07 '12 at 18:32
  • Only other option I can think of is to have part of the code on your own server and use `include('http://yourserver.com/core.php')` but you would have to turn on `allow_url_include`, which is a security risk. – Pitchinnate Dec 07 '12 at 18:37
  • @Pitchinnate I have mentioned that this is not an option. "connecting to my server and checking if the domain is ok is not an option, my servers could be down and the clients as a result of not possible connection too." – Derfder Dec 07 '12 at 20:30
  • @Pitchinnate So, how do vBulletin and other proprietary software work? I mentioned that everything can be nulled too, but I am speaking about some implementations that can make this process hard for somebody who is not a professional coder. Look, I guess that you couldn't hack vBulletin (but maybe I am wrong and you are a programming guru) and null that script. But I know that there are people and groups that can do it in a week or two or maybe in a day. But I am talking about average people. I just want to make it difficult for them to use multiple copies of my CMS if it is not bought – Derfder Dec 07 '12 at 20:35
  • from me. I can do some stuff by myself, but I assumed that people on Stack Overflow know much more and can give me some advice and direction on which methods, books, articles I should try to study so I can implement that. It would be perfectly fine if my CMS is only as "hacking-proof" as vBulletin ;). In fact 10 times less is enough ;). And if somebody hacks my CMS, no problem. But I am talking about casual customers or maybe script kiddies and average programmers. I want to protect my CMS from THEM. Professional hackers, script mafia members and other "dark entities" aren't people who are my concern – Derfder Dec 07 '12 at 20:39
  • @Derfder If that is the case then somewhere in your code use something like this: http://stackoverflow.com/a/1459794/1401720 you would obviously just need to change the approved domains when you sell it to someone. – Pitchinnate Dec 07 '12 at 21:09
  • possible duplicate of [Preventing PHP Code from being Pirated](http://stackoverflow.com/questions/1698672/preventing-php-code-from-being-pirated) – Charles Dec 08 '12 at 00:16
  • If you're really worried about this, PHP may not be the language for you. This is fundamentally antithetical to how PHP works. You should choose instead to produce good software and provide excellent support, i.e., things people actually find valuable and will want to pay for. – user229044 Dec 09 '12 at 18:56
  • I think we have a different viewpoint of what is ethical. As long as I will be living in a capitalist and not resource based country I will lock my car, bike, website, load my gun etc. I put effort into my work and will not let it go for nothing. Sorry, if you live in Christiania or in other hippie community, but the world outside is not so nice. I just want to protect my work. And PHP is used on many projects that are proprietary. – Derfder Dec 09 '12 at 19:17
  • Please read the linked duplicate. There is no effective technological measure you can take to protect your code with any degree of certainty. Every bytecode compiler can be cracked wide open with a minimum of effort. Your best protection is in the terms of your license agreement. – Charles Dec 09 '12 at 19:41
  • "Please read the linked duplicate. Every bytecode compiler can be cracked wide open with a minimum of effort." Sir, you should probably read too... "It would be perfectly fine if my CMS is only as "hacking-proof" as vBulletin ;). In fact 10 times less is enough ;). And if somebody hacks my CMS, no problem. But I am talking about casual customers or maybe script kiddies and average programmers. I want to protect my CMS from THEM. Professional hackers, script mafia members and other "dark entities" aren't people who are my concern" It's from my 6th comment in the discussion. Thank you. – Derfder Dec 09 '12 at 19:53
  • I DO KNOW that everything can be hacked, cracked or whatever. I just need to make it impossible for a casual customer or a basic to advanced PHP programmer. Some tricks on how variables could be masked etc. E.g. I saw a code where every variable has some name like $rf56loki and the methods were like fgLpodferBikolErsdfr and the whole code looks like a piece of crap. So, this is 1 thing, but I am sure there are a ton of other tips and tricks on how to make it difficult to hack for somebody who is not professional and doesn't have a ton of time to find out what is what etc. – Derfder Dec 09 '12 at 19:59
  • Then you must run an encryption with your code on the domain you want it to be used on. This will create a lock code that says your code is locked to a specific domain. – Jhonathan H. Dec 10 '12 at 01:33
  • @Kaii I need PHP techniques like I mentioned above (variables and methods masking) – Derfder Dec 10 '12 at 09:05
  • You probably need to read more about solutions that compile your PHP code into a C or C++ executable, like phc (not sure if HipHop PHP of Facebook does this). Take a look at the solutions mentioned in this post: [Can you use HipHop PHP to build a php extension?](http://stackoverflow.com/questions/1408417/can-you-compile-php-code) – Mehdi Karamosly Dec 11 '12 at 21:39
  • Please everybody stop suggesting encoding, encryption etc. to me. I am looking for techniques on how to fool people in my code. Again I know it can be solved, but professional hackers or advanced programmers are not my concern. How many times do I need to repeat that to be clear? Again: I DON'T WANT ENCODING SUGGESTIONS. Thank you in advance for respecting my wish. It is a bounty question so please respect my wish. Thank you. – Derfder Dec 12 '12 at 08:12

1 Answer

You could do a combination of things..

  1. New client domains can be given generated license keys that are unique to each of your clients' installs and that are needed for your software to work. The key should be bound one per hosted domain and should be stored remotely on your servers as well as locally on the client install.

  2. When you or someone else is installing the cms for the first time make it required to enter the license key and verify it with a remote server. This should suffice for the initial setup time. Store some info about the server in your remote database. If this remote procedure fails installation should render unsuccessful. Think of clever ways to make this necessary and required like fetching an encryption key to be stored in the database.

  3. During or after install you can generate encryption keys (or not) and store something unique in a file on the app server that is required by your code. Super cheap would be to create the file /MY-CUSTOM-CMS-LICENSE.txt with the key in plain text right inside it. This can be another vector for verification later on. Should you discover a website which has copied your cms you can check this txt file.

  4. Have your software call home to your server every now and then sending the key plus some server info (ip, host, etc). It does not have to be dependent on your server to run. Meaning you can let the software run if it fails. It is just very helpful to call home every now and then. For example every X days to ping a url on your server and if your server is down just have it do the call home check the next day. One reason why this is so handy is if your client copies the app folder from one domain to another domain to setup a second illegal site, as soon as they run index.php file it will call home. And if they have not checked every line of your code and don't know it even does this they would be caught rather easily. All you need to do is check some kind of log of who 'called home' so to speak.

  5. Write up a proper software license agreement with the terms for your product and place it in a file called LICENSE located in the root directory of your app. This will ensure clients (and their developers) are aware it is not free to copy and reuse. Later if someone copies it, you (or your lawyers) can point to the file and say 'didn't you read this jerky-boy'

  6. Make something (or many things) in your code unique to your code. For example WordPress' admin by default is /wp-admin and almost every single file in their app starts with wp-, which makes it easy to detect. Add the entire app in a special folder. Add meta tags to all output like `<meta name="generator" content="vBulletin 4.0.4" />`. There are many other things you can incorporate and write into your app that could be telltale signs it is your code. The point is to have so many things that make the job of removing everything a daunting task or just annoying to the thief. I don't think anyone would be crazy enough to refactor all your code just to steal it. If they do remove these code bits and resell/reuse it you have an even stronger case for litigation.

  7. You could write a script to crawl the web (ugh) or just do searches on Google or even set up Google Alerts to notify you if any of the detectable methods you placed in your app are found (like in #3, #4, #5, #6, #8).

  8. You could buy a CDN like www.maxcdn.com and host a JavaScript file on there and put that into your code: `<script src="http://cms-headquarters.example.com/license.js"></script>`. Since it is on a CDN, it has a very small chance of failing, and if it goes down for a week that's OK too; all you need to do is check who hasn't hit your server.

  9. Obfuscate some of your code for an added annoying deterrence.

On how vbulletin does it:

Finally here's a PHP class that tries to offer a partial solution: PADL (PHP Application Distribution License System)

Anthony Hatzopoulos
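
An offline variant of the domain-bound key from steps 1 to 3, fitting the question's constraint that the vendor's server may be unreachable, as an added example that is not part of the original answer: the vendor signs the domain and expiry date, and the CMS verifies that signature with an embedded public key. The function names, field names, dates and sample domains are assumptions, it needs PHP 7.2+ with the sodium extension, and, as the comments on the question point out, anyone who can edit the PHP source can still remove the check.

```php
<?php
// Added example. issueLicense/verifyLicense and the field names are hypothetical.

// Vendor side: sign the license terms with the vendor's secret key.
function issueLicense(string $secretKey, string $domain, string $expires): string
{
    $payload = json_encode(['domain' => strtolower($domain), 'expires' => $expires]);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Client side: only the public key ships with the CMS, so a customer cannot
// mint a license for another domain or extend the expiry date.
function verifyLicense(string $license, string $publicKey, string $host, int $now): bool
{
    $parts = explode('.', $license);
    if (count($parts) !== 2) {
        return false;
    }
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return false; // license text was edited or was not issued by the vendor
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !is_string($data['domain'] ?? null) || !is_string($data['expires'] ?? null)) {
        return false;
    }
    $expires = strtotime($data['expires'] . ' 23:59:59 UTC'); // valid through that day
    $host = strtolower(preg_replace('/:\d+$/', '', $host));   // drop any port
    return $expires !== false && $now <= $expires && hash_equals($data['domain'], $host);
}

// Constructed demo values. In production the key pair is generated once, the
// secret key stays with the vendor, and $host comes from the server's own
// configured name rather than the client-supplied Host header.
$keyPair = sodium_crypto_sign_keypair();
$publicKey = sodium_crypto_sign_publickey($keyPair);
$license = issueLicense(sodium_crypto_sign_secretkey($keyPair), 'shop.example.com', '2014-12-07');
$during = strtotime('2013-06-01 UTC');
$after = strtotime('2015-01-01 UTC');

var_dump(verifyLicense($license, $publicKey, 'shop.example.com', $during)); // licensed domain
var_dump(verifyLicense($license, $publicKey, 'copy.example.net', $during)); // copied install
var_dump(verifyLicense($license, $publicKey, 'shop.example.com', $after));  // after expiry
```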