PHP Code Protector Rather than going Zend Encoder way where interpreter requires yet another module installed on server, I have decided to write a simple PHP Code protecting script that supports all versions of PHP. This script Protects, and does Level 2 obfuscation after encryption, as well as reduces the code size for large files. Features: Shuffles the code and makes it almost unreadable Reduces file size if necessary Hides all function calls and variables Supported by all versions of PHP Feature not yet added: Embedded PHP tags are not supported. It is yet Beta and will finally come up as Windows Applciation. Application: http://www.scriptbaba.com/php-protect/ You supply the php file and it let's you downlaod the encrypted version of file. Secondly I would like you guys to try breaking the code, if it is breakabke by nomal users then ofcourse we will move on to next method. Besides, I know there are many other scripts already exist on web, but this application intends to end up as Desktop Appliation finally for bulk encryption. regards
Haha, I just tried that, and of course, almost all of the code is just printed out. Nothing can be truly protected.
Please check again. It is more secure now. Replacement of eval with print now does not print out the code. regards
to decrypt: - first off, make it easier to read. throw it in http://www.phpformatter.com - scroll to the bottom and change eval(...); to echo ...; - execute the script. it should print eval(EVAL(...crap...)); - replace eval(...); with the echo'd eval(EVAL(...crap...)); - replace eval(EVAL(...crap...)); with echo ...crap...; - execute the script and there's our code leak. The problem is that it's too easy to modify the code since PHP is interpretted source code. No matter what, there's always a way to see the code, because we can always replace the eval() with echo. This is why zend is such a popular protection, because it's compiled into bytecode, which is much harder to read and modify to the average user. Not that it'll stop professional reverse engineers from getting to your code, but at least it requires a higher skill-level to break it. A better course of action would be to obscure the code. - Replace all variable names, function names, etc with garbage (ex: $test -> $q34235jsdr4__34523). - Encrypt all strings. It would be better to make your own, but simply replacing all strings with base64_decode("base64 encoded string here") would do wonders for obfuscation. - Replace hard-coded numbers with math formulas. (instead of $x = 69; maybe something like $x = 1404 ^ 1337;) - I think a recent version of PHP (5.3) now has a goto command. This would be great for turning scripts into spaghetti code. Just a few ideas. Everything is breakable, but the more of a pain in the ass you make it to reverse engineer, the better. Also, when running your crypted code, I get this error: Warning: Unexpected character in input: '\' (ASCII=92) state=1 because of this: "$\" edit: lol. I found an old simple script 'protector' I made a while ago. Just as easy to break as yours though. ;P http://pastebin.ca/190543
Thanks for taking time to write all details. Actually an advanced developer can break anything. I can break ioncube and zend code even if it is bytecode or whatever, try yourself load the php extension using LoadLibrary windows api and find addresses of the functions used to decode the bytecode, try it am sure you will do it within an hour. Many have done this to use GD shared library with windows applications. Current protection is to avoid moderate level developers and thieves not the advanced level developers (like you). And ofcourse whatever level of shuffling the code you use, after all it is interpreter and final code will be decryptable. I already have palnned obfuscation functions, and renaming of variables. Thanks for suggestion of converting numbers to formulas. Am not sure about goto jump statement in php 5 as it has been in C and C++ since long. Secondly, it was just an idea, the major applciation will be a desktop applciation doing the custom encryption using custom fast agorithm. php extension has already been built that decodes it. Same way as the ioncube does. But yet if one breaks your shared library to assembly code and gets the idea what actually is going behind it, you are lost. Thanks for link btw regards
Base64 encoding is easy to decode. Why not throw in more loops in your encoder?, it will make the code more confusing to decode.
I believe the most you can do is just change variable names into meaningless. Other kind of attempts will be easily decoded.
All encoding can be decoded. Even ioncube @Vooler. Heres some loops. (although easily decodable, still effective) base64_encode($CODE) gzdeflate($CODE) strrev(base64_encode($CODE)) str_rot13($CODE) base64_encode(str_rot13($CODE)) strrev(base64_encode(str_rot13($CODE))) strrev(str_rot13(base64_encode($CODE)))