TalkPHP - View Single Post - How to check valid license without connecting to external server

Sam Granger · 05-01-2009, 01:46 PM

Hey guys!

I've been working on a paid script and was brainstorming how I could protect my script against piracy. While I like products like IONCube, I do not like encoding a whole product - the user has to be free to make some modifications, right?

So what's my current idea? Have the user insert a key when installing, either in a config file or MySQL. If it's a trial version, you have to insert date the key was given.

Let's say you have a login class, or database class, something big that would be hard to rewrite, something that offers major functionality of the site and would be hard to replicate - this would be a class you have to encrypt with IONCube or SourceGuardian, this is important, otherwise people will see how keys are made. In the construct, or whatever function gets used a lot, parse the license details - if it passes the check, continue, else die.

The idea behind the generation of keys/checking them:
Get the server http host, remove subdomain or www. if wanted. Then, salt the http host + add date if it's a trial, reverse string, md5 it and sha1 it. This means the key would return false and cause the script to die if the domain does not have a license. The salt/generated password to check the site key with would have to remain private variables obviously for security reasons. Salt would be stored in the same class you have the function/the one you encrypt. This would also mean that you'd only have to encrypt the class once, and not every time someone buys a copy for their domain. the key should be pretty damn hard to crack!

05-01-2009, 01:46 PM	#1 (permalink)
Sam Granger The Acquainted Join Date: Sep 2007 Posts: 126 Thanks: 4	How to check valid license without connecting to external server Hey guys! I've been working on a paid script and was brainstorming how I could protect my script against piracy. While I like products like IONCube, I do not like encoding a whole product - the user has to be free to make some modifications, right? So what's my current idea? Have the user insert a key when installing, either in a config file or MySQL. If it's a trial version, you have to insert date the key was given. Let's say you have a login class, or database class, something big that would be hard to rewrite, something that offers major functionality of the site and would be hard to replicate - this would be a class you have to encrypt with IONCube or SourceGuardian, this is important, otherwise people will see how keys are made. In the construct, or whatever function gets used a lot, parse the license details - if it passes the check, continue, else die. The idea behind the generation of keys/checking them: Get the server http host, remove subdomain or www. if wanted. Then, salt the http host + add date if it's a trial, reverse string, md5 it and sha1 it. This means the key would return false and cause the script to die if the domain does not have a license. The salt/generated password to check the site key with would have to remain private variables obviously for security reasons. Salt would be stored in the same class you have the function/the one you encrypt. This would also mean that you'd only have to encrypt the class once, and not every time someone buys a copy for their domain. the key should be pretty damn hard to crack!