Related
PHP - Apache with Codeigniter
JS - typical with jQuery and in house lib
The Problem: Determining (without forcing a download) a user's PC ability &/or virus issue
The Why: We put out a software that is mostly used in clinics, but can be used from home, however, we need to know, before they go to our mainsite, if their pc can handle the enormities of our web-based, browser-served software.
Progress: So far, we've come up with a decent way to test dl speed, but that's about it.
What we've done: In php we create about a 2.5Gb array of data to send to the user in a view, from there the view calculates the time it took to get the data and then subtracts the php benchmark from this time in order to get a point of reference of upload/download time. This is not enough.
Some of our (local) users have been found to have "crappy" pc's or are virus infected and this can lead to 2 problems. (1)They crash in the middle of preforming task in our program, or (2) their virus' could be trying to inject into our js thus creating a bad experience that may make us look bad to the average (uneducated on how this stuff works) user, thus hurting "our" integrity.
I've done some googling around, but most plug-ins or advice forums/blogs i've found simply give ways to benchmark the speed of your JS and that is simply not enough. I need a simple bit of code (no visual interface included, another problem i found with one nice piece of js lib that did this, but would take days to remove all of the authors personal visual code) that will allow me to test the following 3 things:
The user's data transfer rate (i think we have this covered, but if better method presented i won't rule it out)
The user's processing speed, how fast is the computer in general
possible test for infection via malware, adware, whatever maybe harmful to the user's experience
What we are not looking to do: repair their pc! We don't care if they have problems, we just don't want to lead them into our site if they have too many problems. If they can't do it from home, then they will be recommended to go to their nearest local office to use this software "in house" so to speak.
Further Explanation
We know your can't test the user-side stuff with PHP, we're not that stupid, PHP is mentioned because it can still be useful in either determining connection speed or in delivering a script that may do what we want. Also, this is not a software for just anyone on the net to go sign up and use, if you find it online, unless you are affiliated with a specific clinic and have a login name and what not, your not ment to use the sight, and if you get in otherwise, it's illegal. I can't really reveal a whole lot of information yet as the sight is not live yet. What I can say, is it mostly used by clinics/offices for customers to preform a certain task. If they don't have time/transport/or otherwise and need to do it from home, then the option is available. However, if their home PC is not "up to snuff" it will be nothing but a problem for them and make the 2 hours task they are meant to preform become a 4-6hour nightmare. Thus the reason, i'm at one of my fav quest sights asking if anyone may have had experience with this before and may know a good way to test the user's PC so they can have the best possible resolution, either do it from home (as their PC is suitable) or be told they need to go to their local office. Hopefully this clears things up enough we can refrain from the "sillier" answers. I need a REAL viable solution and/or suggestions, please.
PHP has (virtually) no access to information about the client's computer. Data transfer can just as easily be limited by network speed as computer speed. Though if you don't care which is the limiter, it might work.
JavaScript can reliably check how quickly a set of operations are run, and send them back to the server... but that's about it. It has no access to the file system, for security reasons.
EDIT: Okay, with that revision, I think I can offer a real suggestion - basically, compromise. You are not going to be able to gather enough information to absolutely guarantee one way or another that the user's computer and connection are adequate, but you can get a general idea.
As someone suggested, use a 10MB-20MB file and several smaller ones to test actual transfer rate; this will give you a reasonable estimate. Then, use JavaScript to test their system speed. But don't just stick with one test, because that can be heavily dependent on browser. Do the research on what tests will best give an accurate representation of capability across browsers; things like looping over arrays, manipulating (invisible) elements, and complex math. If there is a significant discrepancy between browsers, then use different thresholds; PHP does know what browser they're using, so you can give the system different "good enough" ratings depending on that. Limiting by version (like, completely rejecting IE6) may help in that.
Finally... inform the user. Gently. First let them know, "Hey, this is going to run a test to see if your network connection and computer are fast enough to use our system." And if it fails, tell them which part, and give them a warning. "Hey, this really isn't as fast as we recommend. You really ought to go down to the local clinic to perform this task; if you choose to proceed, it may take a lot longer than intended." Hopefully, at that point, the user will realize that any issues are on them, not on you.
What you've heard is correct, there's no way to effectively benchmark a machine based on Javascript - especially because the javascript engine mostly depends on the actual browser the user is using, amongst numerous other variables - no file system permissions etc. A computer is hardly going to let a browsers sub-process stress itself anyway, the browser would simply crash first. PHP is obviously out as it's server-side.
Sites like System Requirements Lab have the user download a java applet to run in it's own scope.
Is there any way that you may create a puzzle of three pieces with your code that you allows you to have an encrypted string, a function built specifically for that string and only for that one, (string that in its decrypted form is actually code/instructions to execute). And the third and most important, the final piece would be the context that makes the execution of function possible, and that environment state must be unforgeable. So the function to be executed on the matching string only one time, only one environment state, and after that to expire. It must be as a perfect clock mechanism that even only one piece that is missing to make it "un...tickable" (unable to tick, as in "to function", of course, because every part is vital).
I am speaking about script languages here, where exists something like eval, but it can be applied as a general technique.
Using some kind of "domino" effect based of all kinds of memory states, and variables, random, or not, you could create something similar to a "leak effect" letting bits of your code in a structured (but hidden) place, so that at the end, using a strange tool as a "code funnel" all to arrange in an execution flow.
As I do not know of anything like this, my words are made-ups in order to be able to give then any kind of readable and understandable form.
My question is exactly about this... is it possible? Is there any help I can get? As any ideas somewhere? Because I cannot find anything right now that can hold such an effect.
And of course you might find no reason for me to ask for such a thing, as you could say that no one is interested in my code, or I suffer of paranoia. But still consider it might be a reason out there. No, it surely is a reason for me wanting to know this.
And please don't hush and jump to conclusions like "it was specified clearly that this is not a discussion forum", as this is a problem I am facing with some urgent need for a solution. And as I have few experience about a lot of things, including serious math, and a solid algorithmic thinking, I am in a cry for help. So I thank those who will give any consideration to this matter.
This is essentially impossible, at a very fundamental level.
You want to give someone some information (your code). You want them to be able to execute the code once, in one particular state (that you don't define very well). But you don't want them to be able to inspect that code, or execute it under other circumstances. Impossible.
A program on that person's machine (that will execute the code) must be able to inspect the code, in order to be able to execute it. So other programs on that machine will also be able to inspect the code.
You can encrypt your code, so that arbitrary programs can't inspect it, and you regain control. But the program intended to execute the code still needs to inspect it, so you'll have to somehow get the information it needs to decrypt the code.
But now you're right back to your original problem: You some information (the decryption key), which you want to give the user for one particular use (decrypting and running your code under only the circumstances you specify), and not for any others.
More interestingly, you could instead encrypt your code with a hash value derived from the parts of the environment you want to check (how exactly you derive the key is impossible to say without knowing what you want to check). Then, if the user (or a program executing your code on their behalf) wants to inspect the code, it will have to follow the same process of deriving a hash value from the environment and have the correct environment. But the user could arrange to collect the hash value from that environment and keep it, allowing them to inspect your code whenever they want.
Plus, I have no idea what you could possibly check that actually guarantees the correct environment. If the program is supposed to check that it is correctly running itself (with no modifications to spy on your code) before decrypting the secret part of itself and running that, then a spy can easily pull out the encrypted stuff, worked out from the (unencrypted) checking code what computations are done to check the environment, and then do their own calculations based on the "correct" environment rather than the one that actually exists.
All you can do, in the end, is make the process of recovering your top secret code more annoying, so that it de-motivates from bothering. Most people will never bother to look at your code anyway; they just don't care. Most of the remaining ones will give up at the slightest resistance (though it may put them off using your software). The ones who are still trying after that... there's always a chance (if your secret code is really that valuable/interesting) that there will be sufficiently motivated people who will get around whatever you do (unless you just never give anyone your code in the first place). So my inclination is to just put some small easy effort into obscuring your secret code, and don't worry about achieving perfect security, because it's impossible.
You could simply encrypt the code using a symmetric encryption. Encrypt it using a random key, store that key on the computer, and then include in the encrypted code a part that deletes that key from memory when the code is run. Of course it would be relatively easy for someone to copy the key before it was deleted and restore it to memory later, but you could put it somewhere obscure, and I think no matter what you do someone could restore the computer to an earlier state (using backup software).
#Ben, interesting presentation, I believe that I was thinking about this from the very moment I understood what can be done, and what cannot be done. I thought of every possible situation you mention, and even more, indeed it seems there is no way. Maybe I should limit myself at just making it as much as a headache as I can. Not only that is a super-secret code, as you named it, but I have another intention in hiding it, it's that, pardon my lack of modesty, it really is an interesting code, and I really want to filter those to see it, if it takes a genius to make it from A to C without going through B, and it must take another to figure out how. I though it was my lack of experience that kept me down with is unsolvable problem. But still, I am always put in front of such seeming impossible situations, and I usually raise hell to find the solution, I manage it just fine. But now it just that I cannot surrender.
I might just have known the answer since the beginning, that no matter how much you try it can't be done, and of course it is easy to find out why, because it is not normal, or correct, it must depend on your knowledge and experience the limit of what you are creating. And with that in mind it is obviously why there must be a way someone better, and surely there will be someone better, than you to overcome you. Even if this is, for my at least, subjectively speaking, such troublesome. Well then, I guess I'll give my best to lessen those to know my super-secret code. After all even god is great puzzle maker.
Anyway I highly appreciate your answer.
P.S. Sorry for the late answer, but as I could not answer my question for 8 hours, I had to wait, and after that I couldn't be able to find any avaible time to do it.
Disclaimer: Similar questions has been asked a number of times on SO, however this question is much more specific, and has not been adequately addressed so far.
We're developing a new packaged software, which, for business security reasons, must run on our customer's server, in PHP. The software is sold with a per-user end-license; price range is within $20-80 per user, target market is small (and web-savy) consultancies, and IT agencies.
To discourage piracy (eg. removing the user-license enforcement), we'd like to maximize the protection of the PHP code in any means technologically available, which does not inconvenience the user.
Let's break this down:
does not inconvenience the user: no additional server-side installs (no zend decoder, or other binaries). Has to run on a plain-vanilla shared PHP host out-of-the-box.
Maximize the protection: breaking the protection has to outweigh the cost of buying an additional license. That is, it has to take at least 3-5 working days for a professional hacker to remove the user license protection.
Any means technologically available: might call home, might use high-end crypto, might implement a c64 emulator.
To pro-actively address the so far highest-voted non-solutions:
NOT looking for perfect obfuscation, just extremely hard ones (defined as: have to take at least 3-5 working days to decrypt), OR other anti-piracy methods
NOT looking for "black-box" software packages, which I don't know how they work, and can't determine whether it fits our purpose; looking for algorithmic ,and out-of-the-box ideas.
NOT looking for license/law-side protection, we already have that covered.
We DO know, that given enough time, and focus, all obfuscation will be hacked sooner or later; we merely want this not to be the economical solution.
Given the above constraints, what methods, or ideas would you use to maximize anti-piracy measures?
Bounty-hunt: point goes for the hardest algorithmic method to reverse-engineer the code, given the constraints above.
Update / Bounty-hunt: I've accepted Ira Baxter's answer, mostly because the rest failed to answer the core question, and attempted to question the underlying assumptions (business, closed source, yadda yadda). Thanks all!
I think what you want to do is to transform the code algorithmically, to obfuscate not only what is executed, but also to obfuscate the data structures. We assume we start with a clean version of the program, produced by the developer. He always works wih the clean version. Obfuscation produces the to-ship version. Good obfuscation will produce a to-ship version with exactly the same functionality as the original, so no further testing is (arguably) needed.
For control flow scrambling, the idea is to take the nicely written code you have at the start, and push it through transformations that make static (and human) analysis of the decisions that control the flow difficult by multiplying the set of assumptions that have to analyzed. For instance, if you have two pointers, and store a value through one, can it affect the value seen by the other? Depending on whether the pointers are aliased on not, you can get two different answers. Now take N pointers, each of which may be aliased; you get 2^N possible aliasing relations. If the reader doesn't know the exact combination, he won't be able to determine if a decision might be true, false or conditional. Of course, the tool that generates this produces conditionals whose outcome it knows, because it designs (generates) the pointer rat's nest to produce a specific outcome.
See Code Obfuscation Literature Survey (not my paper), which discusses a variety of control flow and data flow obfuscation. This is likely not the most recent summary of what is possible, but its pretty instructive. You should note doing this kind of obfuscation has some impact on execution time.
What the papers on this topic make clear is that control and data flow obfuscated programs are extremely hard for static analyzers to "understand"; the papers provide/reference demonstrations of the algorithmic complexity of processing such obfuscated programs.
Now, you might argue that people aren't static analyzers and therefore don't suffer the same limitations. You might be right; Roger Penrose famously argues that people do not have the same constraints as Turing machines; the argument isn't settled by a long shot. But the entire foundation of encryption/hashing technology is built on essentially the same kind of computational complexity arguments. And to date, nobody has proven smart enough to crack these technologies in ways
that can be used in daily life by theives (good thing, or your bank accounts would be empty).
To do this to a PHP program, you need tools that can parse the PHP code, and carry out such transformations. Our DMS Software Reengineering Toolkit has robust PHP parsers, and can apply very complex transformations to code. To do this really well, you want to apply the transformations globally across all your code, not just on a file-by-file basis. We don't have this kind of obfuscation transformation implemented on PHP, but if you really wanted to do it, this would be the way. We have applied complex transformations to PHP programs for other commercial products that we sell.
When you are all done, ideally you'd compile this result to machine code, say using the HipHop compiler. (Just compiling would defeat some folks, but not the serious software engineers).
EDIT: Obfuscation != AntiPiracy is a theme in other answers. So how does obfuscation help?
First you need to deal with the anti-piracy issue. The obvious things to do are:
Add copyright comments to each file. These serve as warnings to theives. Not good ones.
Add copyright strings in various places and print them out occasionally;
these will end up in memory and play a roleif a pirate steals the code; he stole this string, too.
Add a string to your application saying, "licensed to ". This makes
your customer unenthusiastic about letting it be stolen.
Add a check to your application that it is running on the intended customer's machine.
(Since your app is intended to be very cheap, you'll probably need to automate
a registration process)
Have the application phone home with its machine ID occasionally.
Now, these steps prevent someone (legally and technically) from stealing your code.
If this is all you have, an unfazed pirate will simply remove the technical checks and its stolen.
It is very hard to prevent somebody from copying the bit stream that makes up
your product; computers are far too good at copying.
So your goal is to arrange for it to be hard for him to derive
value if he does, and that's where obfuscation comes in.
If the code is sufficiently obfuscated, he will have a difficult time locating the license check
and phone home mechansisms to disable them. (I suggest several checks, none of them always called, to make it hard for the theif to tell when he is successful.).
The obfuscation, well done, should protect the printing of the original
owner's name, which means the original owner will have some interest in prevent it from being
stolen as you'll name him along with pirate in any lawsuit.
If they defeat the licenses, copyright printing, and phone-home mechanisms,
and simply want to run it in the back room without telling you, you might be stuck.
(For $80.00, I can't imagine why they'd go to all this trouble just for this effect).
But many thieves want to modify the software to "improve" it, especially if they want your market. Serious obfuscation will prevent them for doing this; it will even
make it hard for them to add thier own license controls.
That limits the value pretty severely.
They may simply steal it and release it to world for free; your hope here is
the applicaton is hard to crack. If they succeed, your only good defense
is a continuing stream of upgrades that licensed owners get.
Obfuscation is a key to successful piracy defense, IMHO.
Obfuscation != Anti-piracy For instance you could have a heavily obfuscated class, but I can use reflection to see all methods that this class implements. I can then extend this class and override any methods that I don't like. Are you storing a secret? Because any secret value can be pulled from memory using a debugger.
3-5 days? Even with Zend-Guard it takes 3-5 seconds to break using some open source tool. Most obfuscation tools are very primitive and easy to break.
I'm sorry but I don't think there is a good solution for this.
The best anti piracy method is no method.
If you don't want to use tools such as zend, then you are better off doing absolutely nothing.
Take it from me you can waste more time and lose sales trying to stop pirates. you will only hurt yourself. Hey they don't care and its good fun, the harder you make it the more satisfaction they get in doing it. and once its done it will be available for all via a torrent. so no-one needs to repeat the effort.
Make a good application. make it work well. give Fantastic service and the customers you want will gladly pay. those customers you don't want will NEVER pay so don't waste time on them. And guess what, they actually become good advertising. people see your software on more sites they come looking for it.
So in effect you are getting free advertising.
So don't stress, don't waste your time and don't blame pirates if your software fails. blame yourself because you got too distracted trying to do the impossible
I wanted to add a little bit of my personal experience.
Back in the 90's I spent many months creating encryption techniques to reduce/prevent pirating of a heavily pirated piece of software, in the end I 'mostly' succeeded.
I used custom encryption, junk insertion, random number generators, cross module CRC checking, blah blah blah.
I used to hang out in the news group devoted to hacking my software and others like it and even struck up conversations. one polite fellow said "why are you wasting your time we do this for fun". but I was hooked. it was a competition.
If I had spent the time and effort on improving the software instead, I would have earned 10x the amount I thought I had lost to piracy.
It was a fools victory.
I thought about this a lot, and what you are asking is essentially impossible. You can obfuscate to no end and people will still steal your software. There is little you can do about it. If you write in code to call home, someone will strip it out and just put true in instead. Your best bet is to write quality software so people want to buy it. It's either that or use a commercial solution like ionCube or Zend.
Only a few things can really work. The most basic logic I can think of that would be effective (since this market sounds like it's fairly controlled, and finite) would be to use something similar to a licensing server, but with a two-way communication channel (that you can encrypt etc.. etc..).
Now, of course you can have someone disable that communication channel, but between the coding you will add to disable the software, and the fact that your company will be able to follow up with the client since you will know exactly who it is that is "down" that will help.
The third part of the logic, is for each license that is given out to play a role in generating the "checks" that will occur between the software and your licensing server. This means you generate, on-premise, unique hash codes that are used as part of the answer your software send back to the server. That pretty much rules out the hacking, because the hacker would have to know what algorith you are using to generate the licensing (since it is pre-generated, there is no logic to use to decipher it) and the hacker would have to feed you a licensing key.
The fourth step, optionally, would be to push updates to clients to refresh the security mechanisms you have in place and run "tamper" checks on your code, possibly periodically feed some sort of hash to be used in the logic your software uses to connect to the licensing server.
This still isn't perfect, someone "will" be able to clone a production machine, circumvent/redirect the licensing (and you won't know since it will be a copy) and try to work away at the check that you have in your code which require a license (as someone above mentioned, set all the logic to "True")... but you could definitly spend the time putting checks and encryption on your licensing system and make it a time-consuming and "risky" process. Unlesss.. as a final touch... you can have some deliverable from your product generated by your server (none of the code is in what the client has) and pushed to the software that has this licensing mechanism in place.. but i don't know how possible that is.
Artificial code bloat
By using post processors to automatically bloat the code and insert logic multipliers you make the code hard to modify
I use tags in the original source to indicate the type of code in each method and which code multiplier to use. Randomisers can help too, as each release looks very different
The code bloat is achieved by a variety of processes. e.g. repeating and random fiddling of variables before and after they are officially in scope. Lots of extra logic steps that will never get followed. Breaking single statements into many random small steps. Interlace these with as many other statements as possible as long as the final step is in the correct order. etc etc
The final and most important part of this process is to interlace key generation and call home processes through this mess, and to be part of this mess (remember the "random fiddling of variables before and after they are officially in scope") so that the time taken to remove the key generation and call home become unwieldy
The call home server has to act like a rolling code remote control so while the attacker might discover the call home functions, taking them out will result in incorrect initialisation values for general variables in general methods, and in as many cases as you can work with
Over time you can build the general purpose code re-parser, and a library of functions to mess the code up. Keep adding the code mess library to improve the obfuscation level
You need to have a well covering unit and integration test library to validate the code after being messed up
I have not done this with PHP, but with other languages with similar constraints as PHP
Note: This technique works fine for complex scientific software where there is large amounts of cryptic logic and maths anyway. It may not work so well for typical web sites like CMS's unless your code multipliers are very convincing
If I get this right, why not invest in a server to be delivered within the cost of the application, a server which can be placed at the customer, with only one port opened for http access, I mean with a $1000 you can get a machine that can work as a safe for your software. If anyone attempts to hack into it you will know.
Another solution might be:
Currently I am working for a huge company that has aprox 350 selling points(shops) all over the country. As we can not rely on internet connection 100% we have a server at each shop. This server handles the business required for actual selling and it is linked to a local database. The rest of the stuff sits at the head-office server. Now, the clerks have computers in front of them, and all these computers work with the application hosted on the local server, the catch on the local server is that a registry which knows if a certain service is placed locally (on the same machine) or remote (at the head office) and executes the call as required (over http from remote location or direct call from local service). Services can be placed anywhere (local or remote) and all one needs to do is to configure their location in the registry by simply entering one of the keywords : local,remote,application (application keyword means that the service is first called from remote and if it fails it is called locally). This way you can make an acceptable compromise. Highly necessary stuff can sit locally and the rest of the business logic can reside on your server where nobody can touch it.
The short answer is no, there is no way to obfuscate code in such a complex manner that it takes days to crack. The simple explanation: obfuscation is a two way process. It can be done and undone. If a computer can do it, a determined person can do it too.
Instead of wasting so much time on protecting your code, why not take the hint from the popular TV show 24 (side note: Should have never been canceled!). To ensure scripts weren't stolen or revealed to the public, they watermarked each with a number specific to cast member, director, producer, etc. You can do something similar with you scripts by "watermarking" each PHP file. This can be something as simple as changing the name of the variable to reflect a client ID or something as complex as spreading identifying characters over multiple variable and function values/names. Try working this identifier and/or parts of it into as many inconspicuous places in your scripts as possible. Only you can know the exact combination that creates the identifying information. This way if code is leaked you can sue the responsible party.
Just a suggestion, you might just want to add needed lines of code that don't really do anything, except it looks like it.
Possible reasons:
1) so the user can't figure out the code and "issue himself more licenses" or other stuff that is commercially sensitive to you
2) so the user can't "just make a tiny change" and break what he doesn't understand, then tell you he didn't change anything and expect you to fix it (sure, you can make him pay, but it's easier to avoid the hassle in the first place)
3) so the customer can't take some of your software and use it do develop new products
4) you are embarrassed to let your uncommented spaghetti code be seen ;-)
5) any more?
What do you generally do? And how do you do it?
If hosting the php code on your servers is not an option, the best thing is to simply deliver the source code with a restrictive license and accept the risks you outlined above. If the user "issues more licenses" and it violates your terms, you can pursue legal actions.
On the receiving end, I have purchased PHP software that was ofsucated/encoded with ionCube PHP Encoder (http://www.ioncube.com/). It required adding an additional server component and including effectively closed-source code no our servers, neither of which our IT team was happy about. But it prevented us from fiddling with the source as you are attempting.
I deliver it as is. End-users expect to be able to edit the code whether it's free or commercial. Most of them aren't pirates, so getting in their way will just hurt your business (less happy customers = less positive mentions and referrals). The pirates will steal your software whether you obfuscate/encode it or not, anyway.
If a client breaks my code and try to pin it on me I offer to restore the code to the last known working configuration. This usually ends the conversation because they know it was a modification they made.
Seems like an unnecessary precaution to me. Even if you obfuscate it it can still be redistributed. As a developer, piracy is a known risk and the best way to avoid it is to release software that is open source. :)
I would seriously think twice about doing business with a developer in the future if I purchased a script that was obfuscated (making it difficult for me to make changes). I mean.. what PHP script needs ZERO modification to get it to do exactly what you want it to?
Concerning point #2:
You can always generate a hash of your deliverables. Very simple method: generate an md5 hash using the source files as input. If you suspect tampering when receiving a support call, simply hash the deployed files to figure out if your client has tampered with the code and tries to get you to fix their mess.
This is non-intrusive (you just hash before you deliver, and keep the hashes in your files) and a quite safe way to check the contents of your files.
No one has addressed that delivering the licensing source allows customers to switch it off and have unlimited licences. That is my main concern
About 4 years ago I used a php product called amember pro, it is a membership script which has plugins for lie 30 different payment processors, it was an easy way to set up an automated membership site where users would pay a payment and get access to a certain area.
The script used ioncube http://www.ioncube.com/sa_encoder.php to prevent non-paying users from using the script, it requered that you register the domain that the script would be used on, you were then given a key to enter into the file that would make the system/script work.
Now I am wanting to know how to do such a task, I know ioncube encoder just makes it hard to see the code, in the script I mention, they would just have a small section at the tp of 1 of the included pages that was encrypted and without that part of the code it would break and in addition if the owner of the script did not put you domain in the list and give you a valid key it would not work, also if you tried to use the script on a different domain it would not work.
I realize that somewhere in the encrypted code that is must of sent you key to there server and checked that it was valid for the domain name it is on, or possibly it did not even do that, maybe the key would just verify that it matched the domain the script was on, that more likely what it did.
Here is where the real question is, How would you make a script require the portion that is encrypted? If I made a script and had a small encrypted part at the top, it would seem a user would be able to easily just remove the encrypted part and figure out what the non encrypted part is doing and fix it to work. Any ideas?
fever has a similar model, you sign up, download the software (also PHP), then get an activation key. You can see how it works in the demo video (towards the end).
If you're giving away the source code, there's no way you can prevent someone with programming knowledge from patching out whatever copy protection / security you put in.
One thing I can think of is distributing a C/C++ compiled program or extension that the PHP app calls in to to verify the license. That compiled part could then phone home, etc. Even that could be easily circumvented though.
You can see some other ideas in these similar questions:
Code obfuscator for php?
Best solution to protect PHP code without encryption
Basically if you're giving away the code you're in an arms race with putting increasingly complex copy protection, which can always be broken in the end. You'll have to decide how much effort is worth it. I personally wouldn't invest much effort.
Not a perfect way of doing it, however you could use an encoder to hide the code and make it call a page on your server that returns a value that is difficult to forge. It would be server intense, but could do what you want. You would want to do something where time was involved. Updating the code so often.
I have seen it done multiple ways. Just about any software method you think of can be bypassed if somebody is interested enough to work at it. We use ioncube to encrypt our non-hosted products and back it up with a USB hardware dongle. Can it be cracked? Yes. But, people are basically honest. I think the thing to do to keep people paying for the script is to make it a pain to crack and release frequent updates with new features that people won't want to wait for. If your price isn't too high, people will just decide to pay for it instead of cracking.