examine the security of my code
Results 1 to 10 of 10

Thread: examine the security of my code

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    1

    Exclamation examine the security of my code

    Hi,

    I wrote a license generator and validator for my PHP software, but before releasing my software in public I want experts to examine the security of the license by trying to fake or break the license. anyone interested in helping me for this, please pm me your email that I can send you my script to discover the bugs and secururity holes. I would give credits to people who report the issues.

    Best Regards,

  2. #2
    Junior Member BabyNet's Avatar
    Join Date
    Oct 2003
    Location
    Underground base in the mountains.
    Posts
    18
    What type of software is it? Is it a game? Why not crack the license yourself? Why ask some else to do it for you? If I or anyone should do it do we get paid? Are you sure it isn't some else's license you want to crack?
    Salmos 23:4 Aunque ande en el valle de sombra profunda, no temo nada malo, porque tu estas conmigo; tu vara y cayado son las cosas que me consuelan.

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Bollix!

    If micro$haft cannot protect their products, how the hell can you?

    Also, if I had a way, I would be a billionaire, not handing stuff out to lusers?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Senior Member isildur's Avatar
    Join Date
    Feb 2003
    Posts
    166
    Having this as your first post may make some suspicious as to your motives. Just a thought.

    I figured on at least 3 more posts before I ask how to become a leet haxor.
    Only trust Pipe-smoking Penguins.

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    More info please..

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    AndreF,

    the answer to your question is easily given: Quite a few people,
    myself included, would be able to break the protection - even
    without knowing how you implemented it in detail. Nihil
    pointed this out in his own fashion


    It is a matter of revenue and expense - the target audience
    und the market penetration. Except you really have a killer
    application, which may be the case, you have to realise that
    you and your software are one of thousands out there - most likely,
    nobody will take the effort to "break" your protection - in
    particular, if your target audience are companies, they will
    easily pay a few (hundred) bucks, if the software is worth the
    money.
    If a crack for your software is available - that's great as
    well - use it for marketing purposes!



    An example - we are developing and/or selling software
    to the government (costs a bit more than a few hundred bucks).
    We do have a licensing mechanism, but it could be easily broken.
    We do have such a thing because of the following two points:


    1. The government must make sure that they are not violating
    licensing terms. For example they are buying 6 floating licenses
    for module A - it must be technically ensured that no more than
    6 of these licenses can be used at the same time. If your software
    cannot provide such a mechanism, your software will not be bought.
    An implementation of licensing terms enforcement by regulations never
    works.


    2. If the customer (e.g. the government) is breaking the technical
    licensing mechanism, it must be done by intention (it cannot be done by
    accident). This often is sufficient to succesfully settle a lawsuit.


    Cheers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  7. #7
    Junior Member
    Join Date
    May 2007
    Posts
    1
    Hmmm, such nonsense answers I got here.

    No, this is not a game this is a standalone license generator/validator that I can give away to public that users can integrate it with their software if they wish to offer their softwares with license. But before I give it away I just wish some good experts test its security that I can make sure if this is enough hack safe or reliable.

    If you wish to get my script, give me your email that I can send it to you, if you wish not, then don't waste your time by giving nonsense answers like the one by BabyNet.
    Last edited by AndreF; December 19th, 2007 at 06:42 PM.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Ok.. Maybe some "expert" advice.. Nothing is "hack safe"
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    Just post the script here, and I'll give it a go. Or PM me the script and I'll post it here.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi


    preliminaries

    I had a glance at the licensing mechanism. Although
    the following argumentation certainly has to be taken
    with a grain of salt (and I may have misunderstood
    something completely), the mechanism can provide a
    certain degree of protection.


    The target audience (customers) are php coders. The licensing
    mechanism comes as ionCube obfuscated/encoded bytecode. In
    order to maintain the provided level of protection, the customer
    also has to protect its code by ionCube[1] or Zend[2] (or similar
    products).


    Since both these programs also provide a licensing mechanism,
    the one provided by the OP may be rendered obsolete I am afraid.



    structure

    Based on the IP address of the server (and/or MAC address), a license
    file is issued. The license file is tested for integrity and validity
    using a MD5-mechanism with salting, which looks reasonable. However,
    the encryption key and the salt is part of the software (as it is
    obviously always without hardware dongles). As a side note, one might
    consider some asymmetric crypto-systems (RSA or similar) to check
    for integrity.


    However, I (as others) do not bother trying to modify the license file
    or create fake ones. Rather, I would change the application in order not
    to test the validity, but simply to "allow always" (or often simpler:
    "allow if not valid" )



    security of ionCube / Zend et al.


    It seems to boil down to the security of ionCube / Zend et al.
    Their main purpose actually is "source code protection", ie.
    to prevent obtaining the original php source code. Obtaining the
    source code can be, considering java or .net-applications
    (let's not discusss code obfuscation), extremely simple.

    Their current approach is to obfuscate the source code, pre-compile
    it to some bytecode, and encode it. Anyone familiar with runtime
    encryption (ie any ordinary 'cracker' nowadays) will be able to
    obtain analysable opcode[3].


    However, since the effort for the described process usually is quite
    high, it is not reasonable, from an economical point of view, to
    actually do it... I remember having read something about reconstructing
    source code from Zend's OpCode a few years ago, similar to java
    or .net applications. I am convinced that nowadays it is harder -
    but as always, the whole security industry is action and reaction.


    Can I provide a conclusion? No, I can't. The customer has to provide,
    at least a part of his php "application" in ionCube, Zend et al.
    bytecode (that software costs money in order to be able to encode)
    in order to make the licensing mechanism of the OP not embarassingly
    avoidable. After that it is a question of how simple it is or not to
    modify that bytecode - either of the customers applications or the
    licensing mechanism of the OP.
    Since the encryption key and the salt is part of the software,
    it is in principle possible to create fake license files. Maybe even
    simpler than to modify the bytecode. I have not checked though,
    how easy it might be to extract strings from ionCube/Zend.


    Cheers


    [1] http://www.ioncube.com/
    [2] http://www.zend.com/en/products/guard/
    [3] http://www.derickrethans.nl/vld.php
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

Similar Threads

  1. August security hotfixes
    By mohaughn in forum Microsoft Security Discussions
    Replies: 1
    Last Post: August 9th, 2005, 07:37 PM
  2. A guide to proactive network security
    By SDK in forum Miscellaneous Security Discussions
    Replies: 0
    Last Post: November 30th, 2004, 11:45 PM
  3. Ethical Hacker Certification
    By apollovega in forum Newbie Security Questions
    Replies: 41
    Last Post: July 29th, 2004, 04:21 AM
  4. C++ portability guide
    By tampabay420 in forum Programming Security
    Replies: 2
    Last Post: February 14th, 2003, 01:36 PM
  5. NEWS: This weeks security news. 10/9/02
    By xmaddness in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: October 9th, 2002, 09:21 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •