# ๐Ÿท CHAOSAPI Permanent Watermark Watermark sistem yang **tidak bisa dihapus tanpa merusak aplikasi**. ## ๐ŸŽฏ Cara Kerja Setiap kali aplikasi boot (di `AppServiceProvider::boot()`), `ChaosApi::enforceOrDie()` dipanggil. Method ini melakukan: 1. **Self-check** โ€” file `ChaosApi.php` sendiri harus punya string `CHAOSAPI` & `Powered by ChaosAPI` 2. **Constant integrity** โ€” `ChaosApi::SIGNATURE === 'CHAOSAPI'` & `ChaosApi::COPYRIGHT === 'Powered by ChaosAPI'` 3. **Protected files check** โ€” 5 file critical wajib mengandung kedua string tersebut Kalau **salah satu** check gagal โ†’ throw `RuntimeException` โ†’ aplikasi mati. ## ๐Ÿ“‹ File yang Dilindungi ``` app/Services/Watermark/ChaosApi.php โ† class watermark app/Helpers/global.php โ† helper functions config/app.php โ† app config bootstrap/app.php โ† bootstrap app/Providers/AppServiceProvider.php โ† service provider ``` ## ๐Ÿ›ก Skenario Pertahanan | Skenario Attack | Hasil | |-----------------|-------| | Hapus comment `CHAOSAPI` di `config/app.php` | โŒ App fatal error | | Hapus comment di `bootstrap/app.php` | โŒ App fatal error | | Ubah `SIGNATURE = 'CHAOSAPI'` โ†’ value lain | โŒ App fatal error (constant check) | | Hapus method `enforceOrDie()` call di Provider | โŒ Provider syntax error / class load error | | Hapus class `ChaosApi.php` | โŒ Class not found, app fail | | Comment seluruh isi `ChaosApi::verify()` | โŒ Class file masih harus contain CHAOSAPI | | Ganti `'CHAOSAPI'` โ†’ `'X'` di semua 5 file | โŒ Self-check di ChaosApi.php fail | **Satu-satunya cara legitimate**: jangan hapus apapun. ## ๐Ÿงช Test Bukti ```bash # Test 1: Hapus dari config sed -i 's|CHAOSAPI ยท Powered by ChaosAPI|REMOVED|' config/app.php curl -I https://yourdomain.com # โ†’ 503 / 302 / fatal error # Test 2: Ubah SIGNATURE constant sed -i "s|SIGNATURE = 'CHAOSAPI'|SIGNATURE = 'X'|" app/Services/Watermark/ChaosApi.php curl -I https://yourdomain.com # โ†’ fatal error # Test 3: Hapus class file sepenuhnya rm app/Services/Watermark/ChaosApi.php curl -I https://yourdomain.com # โ†’ Class not found error ``` ## ๐Ÿ”ง Detail Teknis ### `enforceOrDie()` Logic ```php public static function enforceOrDie(): void { if (! self::verify()) { throw new \RuntimeException( 'Application integrity check failed. Watermark verification error #' . substr(self::fingerprint(), 0, 6) ); } } ``` Pesan error sengaja **tidak mengungkap** file mana yang fail โ€” supaya attacker harus debug satu per satu. ### `verify()` Multi-Layer ```php // Layer 1: Self-check strpos($self, 'CHAOSAPI') !== false && strpos($self, 'Powered by ChaosAPI') !== false // Layer 2: Constant check self::SIGNATURE === 'CHAOSAPI' && self::COPYRIGHT === 'Powered by ChaosAPI' // Layer 3: Protected files (5 file) foreach (PROTECTED_FILES as $file) { require strpos === both strings exist } ``` ## โš ๏ธ Catatan Penting ### Untuk Anda (Vendor) - **Jangan hapus** comment CHAOSAPI di file manapun saat development - **Saat update** project, pertahankan watermark di file baru yang Anda tambahkan - Watermark ini **digabung dengan License Server** โ†’ double protection ### Untuk Buyer (Calon Reseller) Kalau attacker mencoba: 1. Search/replace "CHAOSAPI" di seluruh codebase โ†’ app langsung fatal 2. Comment `enforceOrDie()` call โ†’ file Provider akan terlihat tampered 3. Bypass via override class โ†’ Composer autoload tetap pakai versi original ## ๐Ÿ”„ Kombinasi dengan License Server ``` Layer 1: Watermark CHAOSAPI โ† static deterrent (tidak bisa dihapus) Layer 2: License Server Validation โ† runtime kill switch (revoke kapan saja) Layer 3: Server Fingerprint Lock โ† hardware binding Layer 4: Domain Lock โ† URL binding ``` Kalau attacker bypass Layer 1 (sangat sulit), dia masih kena Layer 2-4. ## ๐Ÿ“Š Verify Watermark Active ```bash # Cek dari CLI bahwa watermark aktif php artisan tinker --execute='echo \App\Services\Watermark\ChaosApi::verify() ? "WATERMARK OK" : "WATERMARK FAIL";' ``` Output: `WATERMARK OK` ```bash # Cek count signature grep -r "CHAOSAPI" app config bootstrap | wc -l # Output: ~10+ occurrences across protected files ```