从 PHP 获取计算机唯一 ID

Question

I've created an application using PHP and I'm going to sell it to my local market. I will personally be going to their locations to install/configure Apache & MySQL as well as installing my own code.

I would like a security system so that if anyone attempts to copy my code to an unauthorized machine, it won't run.

I know no one can prevent reverse engineering an application. even.exe (binary) files are cracked and with PHP (source code) anyone can do.

In my country those reverse engineers are really hard to find, so I would like to propose minimal security options like:

1) Create class (say, Navigation ) which identifies system information like CPU ID, Computer name or any combination of hardware ID to make a UNIQUE_ID and matches with my given UNIQUE_ID (to the individual to whom I sold the application). If it's valid, it returns the navigation menu. Otherwise it will simply destroy the database and halt the execution by throwing an exception, maybe like:

class Navigation {

    public function d() {
        return current system UNIQUE_ID;
    }

    public function get() {
        $a = file_get_contents('hash');
        $c = $this->d();
        if (crypt($c) != $a) {
            //destory database
            throw new Exception('');
        } else {
            return "<ul><li><a>home</a></li></ul>"; //navigation menu
        }
    }

}

2) Then during the installation process I'll change system UNIQUE_ID in "hash" file, create an object, and save it into a file (nav.obj):

(install.php)

<?php
      $a=new Navigation;
      $out=serialize($a);
      file_put_contents('nav.obj', $out);

3) in header.php (which gets included in every file):

<?php
     $menu=file_get_contents('nav.obj');
     $menu=unserialize($a);
     echo $menu->get();
 ?>

I know this method isn't full proof, but I'm pretty sure that around 60% of PHP developers won't be able to crack it!

Now I only need to get current system UNIQUE_ID.

Answer 1

I have created this function to get an unique ID based on hardware (Hard disk UUID). It is possible to use different resources like machine names, domains or even hard disk size to get a better approach depending on your needs.

 function UniqueMachineID($salt = "") {
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        $temp = sys_get_temp_dir().DIRECTORY_SEPARATOR."diskpartscript.txt";
        if(!file_exists($temp) && !is_file($temp)) file_put_contents($temp, "select disk 0\ndetail disk");
        $output = shell_exec("diskpart /s ".$temp);
        $lines = explode("\n",$output);
        $result = array_filter($lines,function($line) {
            return stripos($line,"ID:")!==false;
        });
        if(count($result)>0) {
            $result = array_shift(array_values($result));
            $result = explode(":",$result);
            $result = trim(end($result));       
        } else $result = $output;       
    } else {
        $result = shell_exec("blkid -o value -s UUID");  
        if(stripos($result,"blkid")!==false) {
            $result = $_SERVER['HTTP_HOST'];
        }
    }   
    return md5($salt.md5($result));
}


echo UniqueMachineID();

Answer 2

As per http://man7.org/linux/man-pages/man5/machine-id.5.html

$machineId = trim(shell_exec('cat /etc/machine-id 2>/dev/null'));

EDIT for Tito:

[ekerner@**** ~]$ ls -l /etc/machine-id
-r--r--r--. 1 root root 33 Jul  8  2016 /etc/machine-id

EDIT 2 for Tito: Some things to consider and scenarios:

Is the user allowed to get a new machine? Id guess yes. Or run on multiple devices? Sounds like the machine could be irrelevant in your case?

If its user only (no machine restrictions) then Id go for a licencing service (relies on network). There are many services for this: Google Play (for Android apps) is a good example: https://developer.android.com/google/play/licensing/index.html MS and Apple have similar services. However just search the web for the term "Software Licensing Service" or "Cloud Based Software Licensing Service".

If its user + single device, then youll need to pass up the device id to whatever service you use or make , then allow the machine id to be updated, but not allow revert to previous machine id (would mean multiple devices). However said services will give you the client code which should take care of that if its a requirement.

Two scenarios from experience: 1: User on any device: we simply made an API in the cloud (in a website) and a login screen in the app, when the user logged in it authenticated via the API and kept a token, and whenever the device was connected to the net the app would query the API and update the login and/or token. You could alternatively have the login screen in the purchase (like maybe they already logged into a site to purchase), generate a key and pack it with or bind it into the app.

2: User plus machine: Same thing except when the API is queried the machine id is passed up. The machine ID can change as many times as the user updates their device, but we kept a record of machine ids and made to ban rule on: if we saw an old (previously used) machine id then a certain amount of time had to have passed. Thus allowed the user to break their machine and pull out an old one.

Also to consider if you make one, how will you stop the app from working? Ppl are pretty clever it will need to be core compiled.

However that all being said, the various licensing services are pro at this and can cater for most needs. Plus in their experience theyve already overcome the security pitfalls. Id name one that I like except its yours to search out.

Nice if you can come on back with and positive or negative outcomes from your trails.

Answer 3

function getMachineId() {
    $fingerprint = [php_uname(), disk_total_space('.'), filectime('/'), phpversion()];
    return hash('sha256', json_encode($fingerprint));
}

This will get a probably-unique id based on a hash of:

1. The server's OS, OS version, hostname, and architecture.
2. The total space (not free space) on the drive where the php script is.
3. The Unix timestamp creation time of the computer's root file system.
4. The currently installed PHP version.

Unlike the other answers it doesn't depend on shell_exec() being enabled.