-
May 9th, 2007, 07:40 PM
#1
Junior Member
examine the security of my code
Hi,
I wrote a license generator and validator for my PHP software, but before releasing my software in public I want experts to examine the security of the license by trying to fake or break the license. anyone interested in helping me for this, please pm me your email that I can send you my script to discover the bugs and secururity holes. I would give credits to people who report the issues.
Best Regards,
-
September 1st, 2007, 03:12 PM
#2
Junior Member
What type of software is it? Is it a game? Why not crack the license yourself? Why ask some else to do it for you? If I or anyone should do it do we get paid? Are you sure it isn't some else's license you want to crack?
Salmos 23:4 Aunque ande en el valle de sombra profunda, no temo nada malo, porque tu estas conmigo; tu vara y cayado son las cosas que me consuelan.
-
September 1st, 2007, 03:46 PM
#3
Bollix!
If micro$haft cannot protect their products, how the hell can you?
Also, if I had a way, I would be a billionaire, not handing stuff out to lusers?
-
September 1st, 2007, 07:21 PM
#4
Having this as your first post may make some suspicious as to your motives. Just a thought.
I figured on at least 3 more posts before I ask how to become a leet haxor.
Only trust Pipe-smoking Penguins.
-
September 3rd, 2007, 01:20 AM
#5
-
September 3rd, 2007, 08:27 AM
#6
AndreF,
the answer to your question is easily given: Quite a few people,
myself included, would be able to break the protection - even
without knowing how you implemented it in detail. Nihil
pointed this out in his own fashion
It is a matter of revenue and expense - the target audience
und the market penetration. Except you really have a killer
application, which may be the case, you have to realise that
you and your software are one of thousands out there - most likely,
nobody will take the effort to "break" your protection - in
particular, if your target audience are companies, they will
easily pay a few (hundred) bucks, if the software is worth the
money.
If a crack for your software is available - that's great as
well - use it for marketing purposes!
An example - we are developing and/or selling software
to the government (costs a bit more than a few hundred bucks).
We do have a licensing mechanism, but it could be easily broken.
We do have such a thing because of the following two points:
1. The government must make sure that they are not violating
licensing terms. For example they are buying 6 floating licenses
for module A - it must be technically ensured that no more than
6 of these licenses can be used at the same time. If your software
cannot provide such a mechanism, your software will not be bought.
An implementation of licensing terms enforcement by regulations never
works.
2. If the customer (e.g. the government) is breaking the technical
licensing mechanism, it must be done by intention (it cannot be done by
accident). This often is sufficient to succesfully settle a lawsuit.
Cheers
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
December 19th, 2007, 07:38 PM
#7
Junior Member
Hmmm, such nonsense answers I got here.
No, this is not a game this is a standalone license generator/validator that I can give away to public that users can integrate it with their software if they wish to offer their softwares with license. But before I give it away I just wish some good experts test its security that I can make sure if this is enough hack safe or reliable.
If you wish to get my script, give me your email that I can send it to you, if you wish not, then don't waste your time by giving nonsense answers like the one by BabyNet.
Last edited by AndreF; December 19th, 2007 at 07:42 PM.
-
December 20th, 2007, 08:40 AM
#8
Ok.. Maybe some "expert" advice.. Nothing is "hack safe"
Oliver's Law:
Experience is something you don't get until just after you need it.
-
December 20th, 2007, 07:20 PM
#9
Just post the script here, and I'll give it a go. Or PM me the script and I'll post it here.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
December 25th, 2007, 12:42 PM
#10
Hi
preliminaries
I had a glance at the licensing mechanism. Although
the following argumentation certainly has to be taken
with a grain of salt (and I may have misunderstood
something completely), the mechanism can provide a
certain degree of protection.
The target audience (customers) are php coders. The licensing
mechanism comes as ionCube obfuscated/encoded bytecode. In
order to maintain the provided level of protection, the customer
also has to protect its code by ionCube[1] or Zend[2] (or similar
products).
Since both these programs also provide a licensing mechanism,
the one provided by the OP may be rendered obsolete I am afraid.
structure
Based on the IP address of the server (and/or MAC address), a license
file is issued. The license file is tested for integrity and validity
using a MD5-mechanism with salting, which looks reasonable. However,
the encryption key and the salt is part of the software (as it is
obviously always without hardware dongles). As a side note, one might
consider some asymmetric crypto-systems (RSA or similar) to check
for integrity.
However, I (as others) do not bother trying to modify the license file
or create fake ones. Rather, I would change the application in order not
to test the validity, but simply to "allow always" (or often simpler:
"allow if not valid" )
security of ionCube / Zend et al.
It seems to boil down to the security of ionCube / Zend et al.
Their main purpose actually is "source code protection", ie.
to prevent obtaining the original php source code. Obtaining the
source code can be, considering java or .net-applications
(let's not discusss code obfuscation), extremely simple.
Their current approach is to obfuscate the source code, pre-compile
it to some bytecode, and encode it. Anyone familiar with runtime
encryption (ie any ordinary 'cracker' nowadays) will be able to
obtain analysable opcode[3].
However, since the effort for the described process usually is quite
high, it is not reasonable, from an economical point of view, to
actually do it... I remember having read something about reconstructing
source code from Zend's OpCode a few years ago, similar to java
or .net applications. I am convinced that nowadays it is harder -
but as always, the whole security industry is action and reaction.
Can I provide a conclusion? No, I can't. The customer has to provide,
at least a part of his php "application" in ionCube, Zend et al.
bytecode (that software costs money in order to be able to encode)
in order to make the licensing mechanism of the OP not embarassingly
avoidable. After that it is a question of how simple it is or not to
modify that bytecode - either of the customers applications or the
licensing mechanism of the OP.
Since the encryption key and the salt is part of the software,
it is in principle possible to create fake license files. Maybe even
simpler than to modify the bytecode. I have not checked though,
how easy it might be to extract strings from ionCube/Zend.
Cheers
[1] http://www.ioncube.com/
[2] http://www.zend.com/en/products/guard/
[3] http://www.derickrethans.nl/vld.php
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
Similar Threads
-
By mohaughn in forum Microsoft Security Discussions
Replies: 1
Last Post: August 9th, 2005, 07:37 PM
-
By SDK in forum Miscellaneous Security Discussions
Replies: 0
Last Post: December 1st, 2004, 12:45 AM
-
By apollovega in forum Newbie Security Questions
Replies: 41
Last Post: July 29th, 2004, 04:21 AM
-
By tampabay420 in forum Programming Security
Replies: 2
Last Post: February 14th, 2003, 02:36 PM
-
By xmaddness in forum Miscellaneous Security Discussions
Replies: 1
Last Post: October 9th, 2002, 09:21 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|