Wednesday, April 25, 2012

Challenge: maximize cost of obfuscation"s reverse engineering


Disclaimer: Similar questions has been asked a number of times on SO, however this question is much more specific, and has not been adequately addressed so far.



We're developing a new packaged software, which, for business security reasons, must run on our customer's server, in PHP. The software is sold with a per-user end-license; price range is within $20-80 per user, target market is small (and web-savy) consultancies, and IT agencies.



To discourage piracy (eg. removing the user-license enforcement), we'd like to maximize the protection of the PHP code in any means technologically available, which does not inconvenience the user.



Let's break this down:





  • does not inconvenience the user: no additional server-side installs (no zend decoder, or other binaries). Has to run on a plain-vanilla shared PHP host out-of-the-box.





  • Maximize the protection: breaking the protection has to outweigh the cost of buying an additional license. That is, it has to take at least 3-5 working days for a professional hacker to remove the user license protection.



  • Any means technologically available: might call home, might use high-end crypto, might implement a c64 emulator.



To pro-actively address the so far highest-voted non-solutions:





  • NOT looking for perfect obfuscation, just extremely hard ones (defined as: have to take at least 3-5 working days to decrypt), OR other anti-piracy methods





  • NOT looking for "black-box" software packages, which I don't know how they work, and can't determine whether it fits our purpose; looking for algorithmic ,and out-of-the-box ideas.





  • NOT looking for license/law-side protection, we already have that covered.





  • We DO know, that given enough time, and focus, all obfuscation will be hacked sooner or later; we merely want this not to be the economical solution.





Given the above constraints, what methods, or ideas would you use to maximize anti-piracy measures?



Bounty-hunt: point goes for the hardest algorithmic method to reverse-engineer the code, given the constraints above.



Update / Bounty-hunt: I've accepted Ira Baxter's answer, mostly because the rest failed to answer the core question, and attempted to question the underlying assumptions (business, closed source, yadda yadda). Thanks all!


Source: Tips4all
Post by On
Tags , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)