About 4 years ago I used a PHP product called aMember Pro. It is a membership script which has plugins for like 30 different payment processors; it was an easy way to set up an automated membership site where users would pay a payment and get access to a certain area.

The script used ionCube (http://www.ioncube.com/sa_encoder.php) to prevent non-paying users from using the script. It required that you register the domain that the script would be used on; you were then given a key to enter into the file that would make the system/script work.

Now I am wanting to know how to do such a task. I know the ionCube encoder just makes it hard to see the code. In the script I mention, they would just have a small section at the top of one of the included pages that was encrypted, and without that part of the code it would break. In addition, if the owner of the script did not put your domain in the list and give you a valid key, it would not work; also, if you tried to use the script on a different domain, it would not work.

I realize that somewhere in the encrypted code it must have sent your key to their server and checked that it was valid for the domain name it is on. Or possibly it did not even do that; maybe the key would just verify that it matched the domain the script was on. That's more likely what it did.

Here is where the real question is: how would you make a script require the portion that is encrypted? If I made a script and had a small encrypted part at the top, it would seem a user would be able to easily just remove the encrypted part and figure out what the non-encrypted part is doing and fix it to work. Any ideas?

+2  A: 

Fever has a similar model: you sign up, download the software (also PHP), then get an activation key. You can see how it works in the demo video (towards the end).

If you're giving away the source code, there's no way you can prevent someone with programming knowledge from patching out whatever copy protection / security you put in.

One thing I can think of is distributing a C/C++ compiled program or extension that the PHP app calls into to verify the license. That compiled part could then phone home, etc. Even that could be easily circumvented though.

You can see some other ideas in these similar questions:

Basically if you're giving away the code you're in an arms race with putting increasingly complex copy protection, which can always be broken in the end. You'll have to decide how much effort is worth it. I personally wouldn't invest much effort.

lost-theory
A: 

Not a perfect way of doing it; however, you could use an encoder to hide the code and make it call a page on your server that returns a value that is difficult to forge. It would be server-intensive, but could do what you want. You would want to do something where time was involved. Updating the code so often.

Joe
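
The domain-bound key the question guesses at, combined with the hard-to-forge, time-limited value described in the answer above, written out as an added example (not code from aMember, ionCube or any poster in this thread). Function names, the `domain|expiry` key format and the sample domains are assumptions; it needs PHP 7.2+ with the sodium extension.

```php
<?php
// Added example; all names are hypothetical.

// Vendor side (runs only on the licensing server): sign "domain|expiry".
function issue_license(string $domain, int $expires, string $secretKey): string {
    $payload = strtolower($domain) . '|' . $expires;
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Customer side (the part shipped inside the encoded file). Only the PUBLIC
// key is embedded, so reading the decoded source does not let anyone mint keys.
// Pass the host from server configuration; HTTP_HOST is supplied by the client.
function check_license(string $license, string $host, string $publicKey, int $now): bool {
    $parts = explode('.', $license);
    if (count($parts) !== 2) return false;
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    if ($payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) return false;
    // Verify the signature before trusting any field of the payload.
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) return false;
    $fields = explode('|', $payload);
    if (count($fields) !== 2) return false;
    [$domain, $expires] = $fields;
    $host = strtolower(preg_replace('/:\d+$/', '', $host)); // drop any port
    return hash_equals($domain, $host)
        && ctype_digit($expires) && (int)$expires > $now;
}

// Constructed demo data: a throwaway key pair and a one-day license.
$kp  = sodium_crypto_sign_keypair();
$sk  = sodium_crypto_sign_secretkey($kp);
$pk  = sodium_crypto_sign_publickey($kp);
$now = time();
$lic = issue_license('shop.example.com', $now + 86400, $sk);

var_dump(check_license($lic, 'shop.example.com', $pk, $now));             // licensed domain
var_dump(check_license($lic, 'other.example.net', $pk, $now));            // different domain
var_dump(check_license($lic, 'shop.example.com', $pk, $now + 2 * 86400)); // after expiry
// Same signature, payload edited to name another domain.
$edited = base64_encode('other.example.net|' . ($now + 86400)) . '.' . explode('.', $lic)[1];
var_dump(check_license($edited, 'other.example.net', $pk, $now));
```

The signature stops a key from being forged or moved to another domain; it does not stop someone from patching the call to `check_license` out of decoded source, which is the limit the other answers describe.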
+1  A: 

I have seen it done multiple ways. Just about any software method you think of can be bypassed if somebody is interested enough to work at it. We use ioncube to encrypt our non-hosted products and back it up with a USB hardware dongle. Can it be cracked? Yes. But, people are basically honest. I think the thing to do to keep people paying for the script is to make it a pain to crack and release frequent updates with new features that people won't want to wait for. If your price isn't too high, people will just decide to pay for it instead of cracking.

Amy