How to encrypt PHP source code and require "Activation Key"

Hi all,

How do I create a PHP application and require all my customers to enter a unique activation key to use the software? I also wanna encrypt my PHP code so that people can’t copy my work… Any ideas?

Cheers,

Vincent

raydenx, there are several ways of doing this, for example:

  • you may encode the script with zend safeguard which supports licenses.
  • you may make your own license generation algorithm written in php and encode that file.

A custom generated license may look like this:

===== LICENSE (mysite.com, mysite.com, valid thru 2005-12-29) =====
AAFD28B592D6A8564E6F39D31594E5D0EDD783AEE18C3B609CB252000CF82B6F757Q
X3BAD829B13C3BD87C15A2A5408094FAEDX323A30352D31322D3239P
C6D65657770656F706C65696E747261666669632E636F6FDAB54F74401BC08249ABAF1BFC2DDB7BFCO
ACF008D2ED7AABD27A89C4A8A5D99872B6D65657470656F706C62696E747261666669642E636F9DQ
===== ENF OF LICENSE =====

User inputs this license during script installation, then it is stored in the DB and is checked on each script execution. PHP files are encrypted (for example with Zend Encoder, InnoCube), so the user won’t be able to cut off license check calls.

Zend had a product that should encrypt your work:

http://www.zend.com/store/products/zend-encoder.php

I use www.phpcodelock.com and it works great.

Thanks guys… Zend’s product is way too expensive for me. I am looking for some kind of alternative to Zend…

IonCube (not InnoCube!)

SourceGuardian

I really would advise you to look at Zend or IonCube (SourceGuardian may compile to bytecode these days, I’m not sure).

IonCube also have an online encoder, which can work out fairly inexpensive for small projects (btw I don’t work for IonCube).

I briefly looked at codelock a year ago, responding to a couple of threads:
[Free PHP script encoder](/t/free-php-script-encoder/1646/1)
[ionCube -vs- SourceGuardian ??](/t/ioncube-vs-sourceguardian/1344/1)

I wasn't impressed then, and I'm not sure much has changed.

Excerpts from their own FAQ at [http://www.phpcodelock.com/faq.html](http://www.phpcodelock.com/faq.html)
"Codelock for PHP is a strong deterrent."
"The fact is, any PHP encryption program does needs to decrypt the file at some time, so the code will theoretically be available to experienced crackers during its execution."

You could interpret experienced to mean "is able to replace eval with echo!"
As I said then, if you're serious about protecting your code from prying eyes then I would stay well away from any PHP based encoding system.

Just my $0.02

Off Topic:

I think this might actually be my first post in the Application Design (Advanced PHP) forum, a pity it couldn’t be more positive. I’ve learned a great deal from the threads in here over the last year, hopefully I’ll even be able to contribute more in future.

Yeah, I think IonCube is better than PHPCodeLock

I wouldn’t touch PHPCodeLock at all. The reason it’s so cheap is that it’s stupidly insecure. Read the “How secure is it?” from their FAQ to hear that in their own words.

If you like the look of Zend but the price is the only thing that puts you off, you might want to take a look at their Small Business Program (http://www.zend.com/store/products/zend-smallbiz.php). This gets you Zend Studio and Zend Encoder for $395 (and then $295 every year) which are both excellent applications. Well worth a look :)

SourceGuardian v4 is a lot more secure than previous versions (which could be returned to some form of source). Adrian and the other people at SourceGuardian are happy to admit prior mistakes and talk about what happened, so if you are concerned then you shouldn’t hesitate to drop them an email. The features in SourceGuardian are roughly comparable to ionCube’s, so it’s well worth a look.

Out of all three, I would recommend ionCube to you. It’s secure, well priced from only $199 and Nick and his team are extremely good at supporting users. ionCube (and SourceGuardian) include methods for generating license files as well which should also be useful to you - with Zend you need to purchase their SafeGuard suite at $6000 or so to do that.

If you have the cash available, then you might want to consider offering both an ionCube encoded version of your script and also a Zend encoded one. Lots of companies do this and there’s nothing wrong with offering more choice to your users :)

I use IonCube. It works fine, plus it speeds up the application too. You can dynamically include the required dll’s or so’s if you don’t have access to the server’s php.ini, so as long as dl() is enabled, you can use the IonCube Loaders on shared hosting too.

Zend looks good, but I’ve found it too expensive to have a look at.

Here are my questions to ioncube:

> Let’s say I wanna sell a PHP script and I want my customers to
> “register” their script so that they can use it on their web site. If
> they choose to refund their purchase after X days, I will reserve the
> right to remove the “license” so that they can’t use my script anymore.
> Can your software do that? Can I automate this process on my web site
> when a customer orders something?

You cannot physically remove license files, and we don’t provide any
“spyware” features in the Loader API. However, you could issue a short
term expiring license that runs the length of the initial refund period,
say 21 days, and then replace their license with a new one after that
period has passed and where they can no longer have a refund.

Alternatively, you could code in phone-home type idea using URL fopen.
Note though, that this is not enabled on some servers, and so you could
only phone home where it was.

Another alternative is simply not to allow refunds. Provide evaluations,
and say that customers should take advantage of the evaluations to
determine whether or not your product is for them. State clearly that once
licensed, there are no refunds. This is a quite common practice in the
absence of phone home type systems.

We have considered putting in these features to the Loader, however the
problem would be accusations of spyware. No matter how clear it was that
the system was very specific, limited in functionality, and that no
personal details were transferred between machines, there would be those
that didn’t believe it and it could damage the product.

> Let’s say I wanna sell my software. So I give them a 30 day guarantee
> and they pay upfront. So I have to send them another copy of the
> software after 30 days? Do I need to generate the new license file for
> each customer? I just don’t wanna do it manually you know what I mean?

If you use our licensing system, you could just send them a new license
file. There’s a command line tool for creating licenses that could be run
programmatically, and so it would be possible to even automate the sending
of new licenses. You would have to do some PHP coding for that though, but it would be interesting and you’d have a powerful setup once done.


From what I understand from their reply, I can dynamically generate a license key for every customer but I have to do the coding myself. Hopefully it’s not that complicated to do.

We use IonCube in combination with Iono - Iono handles all the license stuff for us, including the phone-home stuff. We’ve basically set it up so our app phones home whenever a user logs in. Then, a local key file is generated, which we store somewhere in the app’s path. That’s valid for 30 days, and is used instead of the phone home. Once the 30 days have passed, the next login simply repeats the process. This way, all licenses are checked every 30 days, and we don’t overload the server too much with license check requests.

If someone runs the app on a server that has no ability to phone home (I like that term ;) ), then we can generate a key file which the user can place in the application himself. This will then last until the end of the license (if it’s not perpetual), after which the user will need to request a new key file.

Due to the important parts of the license and key file checking being encoded by IonCube, we can be pretty sure the users will not be able to decipher the contents of the key file or stub the phone home functions.
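As an added example (not part of any post in this thread, and not ionCube's or Iono's code), here is a sketch of the two ideas discussed above: the domain-and-expiry license from the first reply and the 30-day cached key file refreshed by phoning home. It assumes PHP 7.4+ with the sodium extension; all function names, the key-file format and the demo values are hypothetical.

```php
<?php
// Added illustration; every function and variable name here is hypothetical.
// Vendor side: sign {domain, expires} with an Ed25519 secret key.
function issue_license(string $domain, int $expires, string $secretKey): string
{
    $payload = json_encode(['domain' => strtolower($domain), 'expires' => $expires]);
    return base64_encode($payload) . '.' . base64_encode(sodium_crypto_sign_detached($payload, $secretKey));
}

// Customer side: only the public key ships, so the app can check but not mint keys.
function verify_license(string $license, string $publicKey, string $host, int $now): bool
{
    $parts = explode('.', $license);
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1] ?? '', true);
    if (count($parts) !== 2 || $payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return false; // malformed, edited or forged
    }
    $data = json_decode($payload, true);
    return is_array($data) && ($data['domain'] ?? null) === strtolower($host)
        && is_int($data['expires'] ?? null) && $now < $data['expires'];
}

// Login check from the phone-home post: trust the cached key file while it
// verifies; otherwise call home once and cache the fresh 30-day key.
function check_on_login(string $cacheFile, callable $phoneHome, string $publicKey, string $host, int $now): bool
{
    $cached = is_file($cacheFile) ? (string) file_get_contents($cacheFile) : '';
    if ($cached !== '' && verify_license($cached, $publicKey, $host, $now)) {
        return true;
    }
    $fresh = $phoneHome($host); // null when unreachable or the license was withdrawn
    return is_string($fresh) && verify_license($fresh, $publicKey, $host, $now)
        && file_put_contents($cacheFile, $fresh, LOCK_EX) !== false;
}

// Constructed demo: throwaway keypair; closures stand in for the vendor server.
$pair = sodium_crypto_sign_keypair();
[$secret, $public] = [sodium_crypto_sign_secretkey($pair), sodium_crypto_sign_publickey($pair)];
[$now, $day, $cache] = [1700000000, 86400, tempnam(sys_get_temp_dir(), 'lic')];
$server = fn(string $host) => issue_license($host, $now + 30 * $day, $secret);
$offline = fn() => null;
var_dump(check_on_login($cache, $server, $public, 'mysite.com', $now));              // first login, phones home
var_dump(check_on_login($cache, $offline, $public, 'mysite.com', $now + 29 * $day)); // cached key, no call needed
var_dump(check_on_login($cache, $offline, $public, 'mysite.com', $now + 31 * $day)); // cache expired, server unreachable
var_dump(check_on_login($cache, $offline, $public, 'other.com', $now));              // key file copied to another domain
unlink($cache);
```

The signature stops a customer from editing or minting key files, but it does nothing if the call to the check can be deleted from readable source, which is why the posts above pair licensing with an encoder.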

ionCube just replied to my email… They told me to go to http://www.phpaudit.com/ to get their script and also a discount for ionCube’s script.

Have a look at eAccelerator;

http://eaccelerator.net/HomeUk

This used to be called Turck MMCache (see http://turck-mmcache.sourceforge.net/index_old.html) but changed after the lead developer moved on.

It’s released under GPL. You could encode your scripts with it. The downside is (I believe) your customers will need eAccelerator installed on their server to run the scripts.

Using a licensing system (whether it’s PHPAudit or not) in conjunction with the ionCube encoder allows you to automate the entire encoding, ordering, distributing and licensing of your script - it’s a great combination leaving you to focus on script development and support; rather than processing orders, validating payments, creating license keys, preventing piracy etc… as that’s all done for you automatically.

You may encrypt and obfuscate your code with phpSecureIt at http://phpsecureit.remiya.com, and create a fully functional demo with PHP Shareware at http://phpshareware.remiya.com. All for FREE and you need only PHP to decode. ;)

PS. PHP Shareware doesn’t like too much code, otherwise it gets out of time.

If existing PHP functions are used to decode the script prior to executing it you not only create a rather large overhead and performance issue, it also makes it extremely easy to reverse engineer. IonCube, Zend and SourceGuardian all use custom components to execute the encoded scripts and as a result are much more secure and very hard to return to source.

Some people like talking for the sake of talking.
Just test.

Maybe this one http://pecl.php.net/package/bcompiler will help.

Not to bump an OLD thread but my problem with things like zend, ioncube or sourceguardian is the fact that additional software is required on the end-user’s server. Having looked at the server configurations of many of my customers, I am aware that not everyone has any… and therefore I don’t want to cut out a number of potential customers…

Is codelock the best option that doesn’t require something extra to reside on user’s server? (Also note that they have released a new version which seems to make improvements)