Protect your php project

OK, so I've finally got around to putting this online. Firstly, maybe a few points to note...

This application uses a command line interface. You need to run it via a command such as:
phpcli.exe -n build_release_cli.php

Also, it uses a configuration file to determine what files, functions, classes, constants etc. to obfuscate (or not). Edit BASE.phpbuster.config.php (following the notes) then rename it to phpbuster.config.php before running.

Once you run the command line application, it will ask you a series of questions. Essentially the code obfuscates your project bit by bit. I *hated* the fact that other obfuscators would do all or nothing in one fell swoop. So for each question that you answer 'yes' to, the program will basically create a new directory under a new 'Release' directory and then 'reobfuscate' the project according to your answer. You'll end up with a number of different directories that basically evolve through the obfuscation.

Great for doing your own checking!

Just a few other points: don't try anything 'runtime'. Variable variables, call_user_func and so on. Also, don't attempt to use globals from forms (ie. make sure your code isn't using 'register globals'): it will obfuscate the variable not a problem, but it won't obfuscate the 'source' field name.

Oh yeah, a link You can download it from here. On that page there is a link to an issue tracker that has been set up for it, as well as a forum page. Excuse the name of the thing... I couldn't think of anything

Hopefully it's of use to you!

 

i don't have much experience with encoders, do any of them just allow the use of the php bytecode generated from the parser? it'd be improbable to reverse the bytecode to obtain usable source, and less easy than decoding obfuscated code

 

I believe that's what most of them do, but they also wrap in licence stuff etc. so each encoder needs its own decoder... which is where I have the problem. The number of encoders will only increase, meaning that the number of different decoder extensions that a host will need will increase, too.

Like I say, I was just sick of having to try and support customers who were on hosts that didn't support whichever encoder I wanted to use.

I agree that it would be harder to reverse the bytecode, but then I would guess that it's just a matter of tweaking your version of PHP to do what is essentially a brain dump, yeah? You could make PHP dump what it saw as the script and you'd almost be at the same level as the output from an obfuscator, I would guess...

 

Sourceguardian provides no protection to source, as a decryptor for the same is already released in public. But still its good to use some encryptor as it has better chances...

 

From what I have read ionCube is one of the better ones. What does Zend do ionCube does not?

 

I believe the biggest difference is the price

Jan

 

Zend should have greater compatibility with servers. Ioncube requires special loaders, which, although free, have to either be installed on the server or PHP has to be configured to allow "runtime loading". Runtime loading means using the dl() function to grab the loaders 'on the fly'. All of this happens in the blink of an eye are I haven't noticed any problems with speed.

However, I have seen an increase in the number of servers that are (1) not configured for runtime loading (2) run by hosts that have not and will not install ioncube loaders (3) run by hosts that will not change php.ini to allow runtime loading.

When this happens, Ioncube encoded files just flat won't work on that particular server with that particular host.

Zend, on the other hand, is supposed to work on any server running php with Zend Accelerator, which appears to be most servers. Again, depending on the success of your project you have to weigh your options and how much tech support you want to give on the back end.

Many, many software distributors allow buyers to see the source code (not called open source, that's different) and factor theft into their price instead of toying with backend support of loaders and the like.

 

Excellent comparison! Although, using ioncube, I've found the opposite to be true in that more hosts are allowing ioncube due to the ease of configuring and more ppl are using ioncube due to the cost factor. Of mabey 300 scripts I've installed using ioncube, I've run into 2 hosts that didn't have it configured. The ioncube loaders don't have to be installed by the host (they can be included with the encoded script) so the host simply makes a change in php.ini and it's configured.

Either way, I'm more than a little sceptical about a scipt that is supposed to run on every server Still, I don't have any real experience with working on zend encoded scripts so I can't really say if it does or not.

best,

Jan