  1. #1
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666

    encode your php? Binary config file?

    Hi all.

    A long time ago, before I knew how to write my own PHP scripts, I downloaded a demo version of a photo gallery... I liked it so much that I decided to spend the 20$ to buy full access to it.

    One of the perks of buying the code was that I could remove the link to the programmer's website. This is the cool part: after buying the code, the programmer sent me a new "config.dat" file... and after I replaced the old config with the new, the website link disappeared.

    Here is what a "config.dat" file looks like (before buying the PHP):

    Code:
    11001100
    01101100
    00000100
    10001100
    00001100
    00011100
    00000100
    
    ....
    ....
    (A lot more ones and zeros go here)
    ....
    ....
    
    00000100
    00101100
    11101100
    00000100
    00101100
    11101100
    00000100
    The replacement config file looked very similar... just different organization of ones and zeros.

    QUESTION: How is the above "config.dat" technique accomplished? (I only ask because I am starting to write my own PHP apps/scripts for clients, and I would like to be able to protect my code from being altered and/or handed-out to others.)

    QUESTION: Does anyone have any good links about protecting PHP code?

    QUESTION: How do you protect your scripts? Do you add any one thing to your code? If so, could you post an example?

    Again, I am only asking because I would like to restrict some of my clients' usage of the script(s).

    Any help/links/comments/suggestions would be really great.

    Thanks in advance.

    Cheers,
    Micky

  2. #2
    SitePoint Wizard silver trophy someonewhois's Avatar
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    6,364
    Without seeing the rest of the code, it's pretty difficult to say what they did.

  3. #3
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Here is a link to the gallery script:

    Gallery Script

    Gallery demo

    Example gallery script with programmers link at bottom

    I have not spent a lot of time looking through the code... but from what I have looked at, I can't seem to figure it out.

    -- I do not want to hack this code... I have bought this code a while back, and I have moved on to writing my own scripts... I personally try to avoid the use of other people's code because it motivates me to learn how to do it myself.

    I just think that this is a really cool way of protecting a PHP script (encoding the config file... so cool!)

    Thanks in advance.
    Micky

  4. #4
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Hmmm, is this the right forum for this type of question?

    Does anyone try to protect their PHP code from redistribution?

    I would love to learn how I could apply a footer-link like stadtaus.com gallery script... anyone have any ideas on how to do that?

    Thanks.

  5. #5
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    For PHP source encryption, try the Zend Encoder or for a cheaper alternative, the IonCube Encoder.

  6. #6
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date
    Jul 2004
    Location
    canada
    Posts
    3,193
    ---------------------------
    Errors = Improved Programming.
    My Site

  7. #7
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Hi Dylan, thanks for the response... I really appreciate your time.

    Is that what Stadtaus gallery did to encrypt the config file? The only thing that the config file did was remove the link on bottom of gallery page... I can't believe someone would pay hundreds of dollars just to hide/encrypt a website link into a script...

    Anyone else think about these types of things? I guess I will spend some more time on Google...

    Hehe, maybe this is a stupid question...

    Cheers,
    m

  8. #8
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Actually, I am wondering where in the script the binary data is converted???? How the heck is that done??? Remotely??? If so, can't seem to find any code that does anything other than read the file (standard built-in PHP functionality).

  9. #9
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Quote Originally Posted by jaswinder_rana

    Doh, I did not see this post... sorry jaswinder_rana, I think I was posting when you were... Hehe, thanks for links, checking them now.

    Many thanks! Thanks for your time.

    M

  10. #10
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date
    Jul 2004
    Location
    canada
    Posts
    3,193
    BTW, this link http://freelock.sourceforge.net/, somebody posted here on SitePoint when they started it, so search for FreeLock in sitepoint and you'll find interesting reviews about it
    ---------------------------
    Errors = Improved Programming.
    My Site

  11. #11
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Quote Originally Posted by jaswinder_rana
    BTW, this link http://freelock.sourceforge.net/, somebody posted here on SitePoint when they started it, so search for FreeLock in sitepoint and you'll find interesting reviews about it
    Cool cool, thanks for the tip. Freelock sounds like it may be a decent option to consider. Cool... Thanks.

    M

  12. #12
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date
    Jul 2004
    Location
    canada
    Posts
    3,193
    ---------------------------
    Errors = Improved Programming.
    My Site

  13. #13
    SitePoint Guru mwolfe's Avatar
    Join Date
    Mar 2005
    Posts
    912
    I can't believe someone would pay hundreds of dollars just to hide/encrypt a website link into a script...
    Well, I'm not sure that's what products like the Zend Encoder are for.. besides hiding the source code, it also basically "compiles" the code, optimizing its execution time..

    But besides that, spending hundreds of dollars to hide/encrypt a website link into a script caused you to buy the full version, and it probably did the same for others as well.. and on their end, it was probably worth it.

    I've seen other web products do the same thing... such as some very fancy dropdown menus out there.. I tried making sense of the code to figure out how to keep the extra links from showing up, but couldn't.

  14. #14
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date
    Jul 2004
    Location
    canada
    Posts
    3,193
    You see, like other products PHP scripts can not be given on trial versions. So, they came up with this idea of encrypting not only to cover that part, but also for the licensing purposes
    ---------------------------
    Errors = Improved Programming.
    My Site

  15. #15
    SitePoint Evangelist dmsuperman's Avatar
    Join Date
    Feb 2005
    Location
    A box
    Posts
    516
    http://php.net/base64
    http://php.net/eval
    All you need, just run it through the encoder, save it, then eval the base64 decoded version :P
    Alright so it's nothing really good, but most people get discouraged right away lol.
    <(^.^<) \(^.^\) (^.^) (/^.^)/ (>^.^)>
    Core 2 Duo E8400 clocked @ 3.375GHz, 2x2GB 800MHz DDR2 RAM
    5x SATA drives totalling 2.5TB, 7900GS KO, 6600GT

  16. #16
    SitePoint Wizard REMIYA's Avatar
    Join Date
    May 2005
    Posts
    1,351
    Well perhaps the gallery application is parsing the config.dat file, searching for a specific string in it. If found just removes the lines, that show the link in the file. (or may be just skips it).

    No other tricks.

  17. #17
    La la la la la bronze trophy lieut_data's Avatar
    Join Date
    Jun 2003
    Location
    Waterloo, ON
    Posts
    1,517
    Quote Originally Posted by REMIYA
    Well perhaps the gallery application is parsing the config.dat file, searching for a specific string in it. If found just removes the lines, that show the link in the file. (or may be just skips it).

    No other tricks.
    Seems a rather round-about (and ultimately pointless!) way to 'protect' his script, given that the source appears to be un-obfuscated.

    More than likely, the config.dat file contains (as posted above), some PHP code central to the application, and stored in an obfuscated form. Search the source for the above mentioned functions, or better yet, for wherever the source reads from config.dat.
    My name is Steve, and I'm a super-villian.

  18. #18
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Thanks for all the info folks, some great tips/ideas/examples/links... I really appreciate everyone's help!

    I am at work now, but plan to do some more research on all this info later tonight....

    Again, thanks folks, you guys rock!

    Cheers,
    Micky

  19. #19
    SitePoint Wizard REMIYA's Avatar
    Join Date
    May 2005
    Posts
    1,351
    Quote Originally Posted by lieut_data
    Seems a rather round-about (and ultimately pointless!) way to 'protect' his script, given that the source appears to be un-obfuscated.

    More than likely, the config.dat file contains (as posted above), some PHP code central to the application, and stored in an obfuscated form. Search the source for the above mentioned functions, or better yet, for wherever the source reads from config.dat.
    Sometimes unobfuscated code with no comments is as useless as no code

    Obfuscated config.dat for sure, no one said it wasn't, but just a simple text search somewhere between other string functions can do the same trick and still stay out of suspicion.

    And do you think that creating a self modifying script on the client's server is an easy work to do?

  20. #20
    SitePoint Evangelist dmsuperman's Avatar
    Join Date
    Feb 2005
    Location
    A box
    Posts
    516
    I once made a function that encrypted and decrypted itself. It was confusing work but I lost it. It was cool though, you run the source with ?encrypt=TIMESTAMP (where it had to be the timestamp) and it would encrypt the whole source and remove the encryption part (so no one goes to it again) and then running it would run the small un-encrypted function that started decrypting and finally running the file. Very confuzzling.
    <(^.^<) \(^.^\) (^.^) (/^.^)/ (>^.^)>
    Core 2 Duo E8400 clocked @ 3.375GHz, 2x2GB 800MHz DDR2 RAM
    5x SATA drives totalling 2.5TB, 7900GS KO, 6600GT

  21. #21
    SitePoint Wizard REMIYA's Avatar
    Join Date
    May 2005
    Posts
    1,351
    Quote Originally Posted by dmsuperman
    I once made a function that encrypted and decrypted itself. It was confusing work but I lost it. It was cool though, you run the source with ?encrypt=TIMESTAMP (where it had to be the timestamp) and it would encrypt the whole source and remove the encryption part (so no one goes to it again) and then running it would run the small un-encrypted function that started decrypting and finally running the file. Very confuzzling.
    Wow, that is really a wonderful script. Are you sure you can't dig it out from an old backup or something?

  22. #22
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by dmsuperman
    I once made a function that encrypted and decrypted itself. It was confusing work but I lost it. It was cool though, you run the source with ?encrypt=TIMESTAMP (where it had to be the timestamp) and it would encrypt the whole source and remove the encryption part (so no one goes to it again) and then running it would run the small un-encrypted function that started decrypting and finally running the file. Very confuzzling.
    What did you use for the actual encryption?

  23. #23
    .* draziW tnioPetiS *. bronze trophy
    Join Date
    Jun 2004
    Location
    "Then I figure the most good good guy will win."
    Posts
    1,666
    Quote Originally Posted by lieut_data
    More than likely, the config.dat file contains (as posted above), some PHP code central to the application, and stored in an obfuscated form. Search the source for the above mentioned functions, or better yet, for wherever the source reads from config.dat.
    Well, here is where the source reads from config.dat:

    Code:
    (includes folder/gallery.inc.php)
    
     /*****************************************************
      ** Include template functions and initialize global
      ** and table template.
      *****************************************************/
              require('./inc/template.class.inc.php');
    
              $tpl = new template;
              $tpl->load_file('gal', $global_template);
    
              $tpc = new template;
              $tpc->load_file('cell', $cell_template);
    
              $cell_content   = $tpc->files['cell'];
              $gal            = @file('./inc/config.dat');
              $tplt           = 'gal';
              $str            = '';
              $conf_var       = '';
              $use_order_file = '';
    So, $gal var holds the config.dat info, but that is the only spot that I can find $gal being used...


    Only other spot I can find anything related to the "powered by" link, is in a file called window.html in the templates folder:

    Code:
    #poweredby {
              text-align:center;
          }
    I wish I knew more about templating and Classes, maybe then I could follow the code.

    See, I would like to give clients code, and just make sure they retain the link to my site at bottom... that is kinda nice feature (also protects from re-sale of my scripts without some credit).

    Any more thoughts?

  24. #24
    SitePoint Member
    Join Date
    Aug 2003
    Location
    Cameron Park, CA
    Posts
    4
    Well, for the free versions of my scripts I require a link and have the script insert it at the end of every page automatically. To disguise where this is done I made these simple functions:

    Code:
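    // Encode a string as its character codes, each followed by ' | '.
    function texttoascii($text)
    {
     $ascii = ''; // initialise before appending (avoids an undefined-variable notice)
     $chars = str_split($text);
     for ($x=0; $x<sizeof($chars); $x++)
     {
      $ascii .= ord($chars[$x]) .' | ';
     }
     return $ascii;
    }
    
    // Decode the output of texttoascii() back into the original string.
    function asciitotext($ascii)
    {
     $text = '';
     $chars = explode(' | ', $ascii);
     for ($x=0; $x<sizeof($chars); $x++)
     {
      // The trailing ' | ' leaves an empty last piece; chr('') would append a NUL byte.
      if (trim($chars[$x]) === '') continue;
      $text .= chr((int) $chars[$x]);
     }
     return $text;
    }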
    (Note: depends on having either an str_split function of your own or PHP5.)

    I just run the "Powered by..." text through texttoascii in a temporary test somewhere, and then feed the result of that to asciitotext in the actual script. I suppose a base64encode/base64decode as has already been mentioned would be a simpler way to do the same thing... for my purposes, I did some needless work there. If you wanted to allow a file to switch it off though, using custom functions like this would allow you to have the value $gal read from the file like in what you posted above, and then tested in the asciitotext function with something like
    if (base64_decode($gal[3]) == 'x') return '';
    You could even mix in a license key there, I suppose, to prevent the same config.dat from working for everyone.

    It is of course theoretically possible for a very determined person to overcome these methods, particularly one who's read this thread, but it ensures that somebody searching the files won't be able to come up with any search term that'll lead them to the spot (they can't for example turn up something simply by searching for "Powered"). And if they were to read the spot at random they wouldn't be likely to recognize what it's for since all they see is numbers being fed to a function.

    Of course there are other ways people can manage to hide a 'powered by', like leaving various unclosed tags in the template just before it would appear. Difficult to defend against every possibility.
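
Added example, not part of the post above and not the gallery script's code: one way to do the "mix in a license key" idea so the same config file does not work for every customer. The licence is bound to a host name and carries a signature that the script checks with a public key only. The function names, the licence fields (`domain`, `hide_link`), the two-line file layout and `gallery.example.com` are assumptions made for illustration; the key pair and licence are constructed inside the script.

```php
<?php
// Added example: per-customer licence file checked with a public-key signature.
// All names, fields and hosts below are hypothetical and constructed for this demo.
// Vendor side: runs where the private key lives; the private key never ships.
function issue_licence(array $fields, $privateKey): string
{
    $payload = json_encode($fields);
    if (!openssl_sign($payload, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    // Line 1: base64 payload, line 2: base64 signature over that payload.
    return base64_encode($payload) . "\n" . base64_encode($sig) . "\n";
}

// Customer side: ships with the script and holds the public key only.
function licence_is_valid(string $licenceText, string $publicKeyPem, string $host): bool
{
    $lines = preg_split('/\R/', trim($licenceText));
    if (count($lines) !== 2) {
        return false;
    }
    $payload = base64_decode($lines[0], true);
    $sig     = base64_decode($lines[1], true);
    if ($payload === false || $sig === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); accept only 1.
    if (openssl_verify($payload, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $fields = json_decode($payload, true);
    return is_array($fields)
        && isset($fields['domain'], $fields['hide_link'])
        && strcasecmp((string) $fields['domain'], $host) === 0
        && $fields['hide_link'] === true;
}

// Constructed demo: throwaway key pair and a sample licence for one host.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$lic = issue_licence(['domain' => 'gallery.example.com', 'hide_link' => true], $key);

var_dump(licence_is_valid($lic, $pub, 'gallery.example.com')); // the licensed host
var_dump(licence_is_valid($lic, $pub, 'other.example.com'));   // same file copied to another site

// A payload edited without the private key no longer matches the signature.
$forged = base64_encode('{"domain":"other.example.com","hide_link":true}')
        . "\n" . explode("\n", $lic)[1] . "\n";
var_dump(licence_is_valid($forged, $pub, 'other.example.com'));

// The footer link is printed unless a valid licence for this host is present.
echo licence_is_valid($lic, $pub, 'other.example.com') ? '' : "<p>Powered by ...</p>\n";
```

The signature stops a licence file from being forged or reused on another host; it does not stop someone from deleting the check itself when the script's source is readable, which is the limitation the thread keeps returning to.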

  25. #25
    SitePoint Enthusiast
    Join Date
    Jun 2005
    Posts
    75
    I need help learning PHP from the start because I don't know anything. Can one of you teach me?

