How to protect PHP script



#1 Patrickz

Posted 16 June 2004 - 05:11 PM

How to protect PHP script

Why do you need to protect your script?
Imagine you are a developer: you have developed a project and delivered a demo or product to your clients. How do you make sure your client will not modify the source code? There are many reasons to protect your script, such as security (preventing someone from finding security holes), etc. Another important reason is our intellectual copyright.

How does it work?
On the PHP encoder market there are two kinds of license: open source and commercial software.

Normally, an encoder converts your plain text (PHP source code) to an encoded format. The encoded format may be generated by obfuscation techniques, and most commercial encoders also convert to byte-code.
Some encoders not only encode the PHP source code, but can encode HTML or JavaScript as well.

However, I would like to say it cannot give 100% protection! If we can compile we can decompile; if we can encode we can also decode. For example, say we have a PHP file that is encoded by obfuscation + compile techniques. Someone can decompile the byte code to obfuscated code; obfuscated code is PHP source code, but it is hard to understand (I will talk about it below). If someone wants to modify this code, re-coding may be faster than modifying the obfuscated code.


Encoding Techniques
As we discussed above, most encoders use two techniques: obfuscation and compilation. What are they? Let's go!

Obfuscation Techniques
Obfuscation is the process of making source code hard to reverse-engineer or unreadable to humans.

Normally, obfuscation removes comments and line breaks, and changes variable names, function names and class names. Consider the following examples.

PHP source code
<?php
// do the cooking
function cookMeDinner($fish, $chips, $peas) {
    $the_dish = $fish." is battered, ".$chips." are soggy and ".$peas." are mushy";
    return $the_dish;
}

// send the ingredients
$dinner = cookMeDinner("Cod", "french fries", "garden peas");

// serve up the dish
echo $dinner;
?>
This is a simple PHP script. It contains comments, a function and variables.

Obfuscate source code
POBS encoder
<?
function Feddfa8e2($V83e4a96a,$V19136e39,$V57407fc2){$V7ed731b7=$V83e4a96a." is battered, ".$V19136e39." are soggy and ".$V57407fc2." are mushy";return $V7ed731b7;}$Vad5acdfa=Feddfa8e2("Cod","french fries","garden peas");echo $Vad5acdfa;?>
I used an open source obfuscator named POBS to obfuscate the above source code. See! It is hard to understand and unreadable to humans.

Consider the variable and function names. The function name has changed from cookMeDinner() to Feddfa8e2(), and the variable name $dinner has changed to $Vad5acdfa. I have more examples; let's review a commercial product named SourceGuardian.

Edited by Patrickz, 16 June 2004 - 05:13 PM.
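
Added example (not part of the original post, and not POBS's own code): a small renaming obfuscator built on PHP's tokenizer, showing the steps described above, with comments dropped, whitespace collapsed, and variables and declared functions renamed. The `new_name()` and `obfuscate()` helpers and the prefix-plus-md5 naming scheme are assumptions chosen to resemble the output shown in the post.

```php
<?php
// Added example, not POBS source. Procedural code only: class properties,
// variable variables and functions called by string name are not handled.
function new_name(string $prefix, string $name): string
{
    // Deterministic, so every occurrence of a name maps to the same alias.
    // Prefix + 8 hex digits is an assumed scheme mirroring the post's output.
    return $prefix . substr(md5($name), 0, 8);
}
function obfuscate(string $source): string
{
    $tokens = token_get_all($source);
    // These variables are defined by PHP itself and must keep their names.
    $keep = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_COOKIE', '$_SERVER',
             '$_FILES', '$_ENV', '$_REQUEST', '$_SESSION'];
    // Pass 1: collect functions declared in this file (names are case-insensitive).
    $declared = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_FUNCTION) continue;
        $next = $tokens[$i + 1] ?? null;
        if (is_array($next) && $next[0] === T_WHITESPACE) $next = $tokens[$i + 2] ?? null;
        if (is_array($next) && $next[0] === T_STRING) $declared[strtolower($next[1])] = true;
    }

    // Pass 2: drop comments, collapse whitespace, rename variables and functions.
    $out = '';
    foreach ($tokens as $tok) {
        if (!is_array($tok)) { $out .= $tok; continue; }   // single-character token
        [$id, $text] = $tok;
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) continue;
        if ($id === T_WHITESPACE) { $out .= ' '; continue; }
        if ($id === T_VARIABLE && !in_array($text, $keep, true)) {
            $text = '$' . new_name('V', substr($text, 1));
        } elseif ($id === T_STRING && isset($declared[strtolower($text)])) {
            $text = new_name('F', strtolower($text));
        }
        $out .= $text;
    }
    return $out;
}

// Constructed sample input, modelled on the script in the post.
$sample = <<<'PHP'
<?php
// do the cooking
function cookMeDinner($fish, $chips) { return $fish . " with " . $chips; }
echo cookMeDinner("Cod", "french fries");
PHP;
echo obfuscate($sample), "\n";
```

Because the renaming is a fixed one-to-one mapping, string literals, control flow and program structure come through unchanged, which is why obfuscated source can still be read with effort.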


#2 Patrickz

Posted 16 June 2004 - 05:16 PM

SourceGuardian encoder
<?php /*SourceGuardianII*/
if(!function_exists("ixed_pass")){$ixed_file="ixed.".strtolower(substr(php_uname(),0,3)).".".phpversion().".pxp";$ixed_cwd=getcwd();if($ixed_cwd[1]==":")$ixed_cwd=substr($ixed_cwd,2);$ixed_try=str_repeat("../",12).$ixed_cwd."//";while((strlen($ixed_try)>0) && !function_exists("ixed_pass")){$ixed_try=substr($ixed_try,0,strlen($ixed_try)-1);@dl($ixed_try."ixed/".$ixed_file);}}if(!function_exists("ixed_pass")){echo('PHP script <B>'.__FILE__.'</B> is protected by <A HREF="http://www.sourceguardian.com/">SourceGuardian</A> and requires file <B>'.$ixed_file.'</B>.<BR>Please read <A HREF="http://www.sourceguardian.com/ixeds/">SourceGuardian protected scripts manual</A>.');exit;}include(ixed_pass("2T0",'62kopZxUhPrb8QnKPj8di2A1sGpI3LeGf1mJECdt6dhi43urpA0O07g20zpxP2UdtOHxIDqsE4bQ
nDj3cMFkIJaO-QxP2GVc3mzylDEDKkty9y4yw7bWlLqgTHhCtIWkxAeO+0IY0Gx2s1eG1SoxH5QAcODiQYUfsGnMk7d1t
VjPcspyIwtN7e19ohHYhCExGg8JqyLGgSXJkDohTI0SEHGABQq2YkBYXdqGgeyvcTsNLApQqyGOEipr9
e
t1zVjjL2CiYSdi4Esp6amHcuIKEUb4COFAbi-BdHWHEHpeAl8O3eq3ML2O-QcWhu9dswTwg7pAGRNAbiUWskrGtaswTGjj-5uiYLoi446q9IlptxeMlD36dW-djyDiRZ5qx48ff2EUFbYx0dq2NoQoss0H06gqXQ9Bjisdsi42Uji-UnfMnXkOd9NMUJOyLO4WjUwofyrYE-d2LAR-8iU5cUYIsEpgLBiEnzPM0NpO43WpGk1x030mqgqujmi1o2LltG7XheoMnOhOsCJ0UN2yHxJuc8V-81TTjSsSY0MK3yExYwjL49fyPSlDIDG18yOiyGMUtrt3qgz-0jg3KaXIiy+kpS+u0BbP+B0OdUz0V+f2WkJZhKaFjmaCg7kBEMMJ82UA9+h+93t0-J6i9HKBBWpyUWl2uquLfTWMg64FUwMPSOxzEAlU4lalD+jmJAKAtx92I5dNaGl4tja0k5YHEM0dJO4fw
Rq+Q6bmGc3xNFU0cwpi'));?>
Wow! SourceGuardian can obfuscate my source code better than POBS (of course! It is commercial software!). The code above only obfuscates the PHP source code, but in fact SourceGuardian can also compile to byte code. Assume the byte code has been decompiled or reverse engineered: the source code will still be hard to understand.



Compile Techniques
The word compile here means compiling to encrypted byte code. This approach needs an engine (or loader) to reverse it to PHP source code. Most commercial encoders use both obfuscation and byte-code encryption techniques.

#3 Patrickz

Posted 16 June 2004 - 05:16 PM

ѧɼ´չФѺ  ͤйӴСѹѺ :)

#4 iWat

Posted 16 June 2004 - 09:05 PM

Zend Encoder™ - The Industry Standard in PHP Software Protection

ѹµѧ 555

#5 Patrickz

Posted 17 June 2004 - 11:01 AM

Yes, quite expensive :(
In fact I have a product comparison, but I can't post it here; I would like to use a table.
Can I post it as HTML on the Draft Articles & Blogs forum? Is it possible?

#6 Patrickz

Posted 24 June 2004 - 05:13 PM

more :
http://www.patrickz......r Compare.htm
