Subject: | Well, i think it's a nice little... |
Summary: | Package rating comment |
Messages: | 8 |
Author: | tchibomann |
Date: | 2008-07-06 14:54:03 |
Update: | 2008-07-07 13:40:00 |
|
|
|
tchibomann rated this package as follows:
Utility: | Insufficient |
Consistency: | Good |
Documentation: | Sufficient |
Examples: | Sufficient |
|
tchibomann - 2008-07-06 14:54:04
Well, i think it's a nice little script, but it's not really safe. Anyone who knows enough about PHP can de-obfusecate an obfusecated script whithout any problems. You can only prevent viewing the sourcecode by beginners and normal webusers - not "professionals" and hobby-programmers. And that's, what an obfusecator should do: prevent viewing the sourcecode by anyone. Base64 is really not the right way i think.
Arsalan Emamjomehkashan - 2008-07-06 23:14:33 - In reply to message 1 from tchibomann
is there anything that you cant decode? for example you can easily decode all these "Zend, ionCube, SourceGuardian, phpcipher, codelock, or SourceCop"
tchibomann - 2008-07-07 01:00:48 - In reply to message 2 from Arsalan Emamjomehkashan
yes, i know that. decoding zend and other encrypted scripts is possible. bad thing i think.
but - i think it could be possible to create an own encryption algorythm with "personalized" md5-keys.
Okay, p.e. you've programmed a CMS and you want to sell it. You sell it nearly complete - but one really important function is missing: Your own encryption-decoder with a custom encryption-key. The cms won't work without this function.
Now, some of your CMS-Files are encrypted with a per buyer encryption function, include an uniqe identcode like a MD5 checksum with personal data of the buyer. After that, the files have to be encrypted with base64. A request-function of your cms get the unique MD5-Checksum of the base64-encrypted files (if the user changed this files, they will have an other md5 checksum as the original files!) and send them with an personal idcode to a script, which is located on your server. This script checks the id and the md5-code of the encrypted cms files if they are stored in the database and if they are correct. If they are, the CMS will get the important decryption function, eval it and work fine. If one thing is wrong, the CMS will not work and your script on your server will inform you, that there is someone, who probably use your script illegally and send you all informations about it.
Strange thoughts i think and really complicated, but not as easy to crack like an only base64-encrypted script with no other checks.
the really big penalty of this method is the request to an other server as where the cms is hostet. Could be slow down rendering the site. But if it's hosted on the same machine it will hopefully be a nice method to save your own work...
I hope you could understand my text. I'm from germany, english is not really my favorite language :)
Arsalan Emamjomehkashan - 2008-07-07 01:13:49 - In reply to message 3 from tchibomann
that's a good idea but the only problem is the performance of your script
tchibomann - 2008-07-07 12:12:39 - In reply to message 4 from Arsalan Emamjomehkashan
yep right. because of this i haven't tested it yet. but we'll see, maybe i test this someday because i'm programming my own cms. if it needs too much performance for bigger sites i'll think about again.
maybe it's an other cool idea to hide a custum string in a bigger script, which noone can identify as an identcode. This "useless" string or function would result in an unique MD5-checksum of the file. Any buyer is stored with Identcodes and MD5-Checksums in a database. Maybe you can use a simple "backdoor" in your script with a custom passwordprotected request to check out the checksum unbeknownst to the script user. If someone has stolen this script and you find it running on a webspace or at rapidshare, emule or something else, you might be able to locate the original buyer, who might share your script.
would be faster then my first idea, but might be easier to crack...
Arsalan Emamjomehkashan - 2008-07-07 12:54:50 - In reply to message 5 from tchibomann
they can easily crack it because even they crack Huge scripts like Vbulletin and they can't do anything about it
also i am programming my own CMS too so i will contact you about it
Arsalan Emamjomehkashan - 2008-07-07 12:59:45 - In reply to message 5 from tchibomann
i wasn't able to find your email address
mail me at arsalan1991@gmail.com if you want to share some ideas about cms
tchibomann - 2008-07-07 13:40:00 - In reply to message 7 from Arsalan Emamjomehkashan
use tchibomann[aT]esgn[d0t]eu ;)
|