[olug] PHP obfuscators / compilers?

Lou Duchez lou at paprikash.com
Thu Oct 25 15:24:06 UTC 2012 

Well, I may not have any formal results any time soon, if ever.  This 
has mostly been an exploratory thing: the question came up of whether we 
can deploy an application written in PHP to client servers with 
reasonable safeguards against piracy.  The app in question isn't fully 
constructed either, since part of the issue was whether to even continue 
with PHP if we can't make it secure.

That said, based on some testing of ionCube, I say it's a go.  The 
(incomplete) app seems to run without any hassles when ionCubed. I can't 
speak to the breadth and depth of ionCube's ability to handle PHP, since 
I tend to stick to vanilla code and I don't slap in extensions left and 
right; so I can say that it seems to handle vanilla code just fine.  It 
actually gave me some compiler warnings of some deprecated syntax which 
I was more than happy to correct, so thanks ionCube!

For each original PHP file you supply, ionCube creates an encoded PHP 
file with the same name but in whatever output directory you tell it.  
The encrypted ionCube PHP files each look something like this:

---

<?php //004ff
// IONCUBE ENCODER 7.0 EVALUATION
// THIS LICENSE MESSAGE IS ONLY ADDED BY THE EVALUATION ENCODER AND
// IS NOT PRESENT IN PRODUCTION ENCODED FILES

if(!extension_loaded('ionCube 
Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.
substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');if(function_exists('dl')){@dl($__ln);}if(function_exists('_i
l_exec')){return 
_il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirnam
e(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\'
,'/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i-
-){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}if(func
tion_exists('dl')){@dl($__ln);}}else{die('The file '.__FILE__." is 
corrupted.\n");}if(function_exists('_il_exec')){
return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> 
requires the ionCube PHP Loader '.basename($__ln)
.' to be installed by the website operator. If you are the website 
operator please use the <a href="http://www.ionc
ube.com/lw/">ionCube Loader Wizard</a> to assist with 
installation.');exit(199);
?>
HR+cPm4UcEN0/c3AYQGDnZSNlIr1Zj7EuYkePeki67ZS89yGiP0RWwVPy7tLzsk9wowS9Kb55LEr
RQJN4wKOHB3qaMdLrvyj3qMD5avc4ZC0VxRO39+J8Dd7EeT25CV/Xq5cM6wix3T01O5n0zxd1BUo
UYHiNRK+EQhW5oJo0iE2aHbAMW24TbhTO3IYq/76qv9o2GUqklq68kNe3p4F177aWDtwbJf3Ds5H
3EuW6i0ALEbveEqkxp4mt8U8WJwnP9f9APTKZNAXexjTuFIX9N2ByANCXz0gp7PnKIHveskK2ee4
iIVzcho80bBGFYI0X1DEw1DSSvSsZwLOtH5wUCj2d3/0WQ1trvhctNEodCmWVBuYs5IW6tJHiLpU
g3MXRK4Emhs4bSE22LLqQBiVA9DL

---

(I put in some line breaks because I'm not a monster.)

The Web server is able to make use of this mess because I added a line 
to /etc/php.ini to point it to the ionCube Loader -- very little server 
configuration required, and I'm told there's even a way to do it without 
editing php.ini.  But since I have control over the server, I did it the 
easy way.  By the way, the ionCube Loaders are free, so the only thing 
you need to pay for is the ionCube encoder -- basically you need to pay 
for the development end, not the deployment end.

Based on how this works, I'm reasonably confident you could develop and 
encode your PHP on Windows, and then upload the encoded PHP files to a 
Linux server, or the other way around.  I mean, if you wanted to.

One other thing: since ionCube isn't compiling all your PHP into a 
single file, and is instead preserving the structure of individual PHP 
files, I discovered you can mix and match encoded and normal PHP files.  
So for example, if you've got a settings.php file which contains 
server-specific settings, you can keep that as a normal PHP file for 
easy maintenance, and encode everything else. Seems to be perfectly 
happy to run like that.




> Well said, clear code is dependent on the programmer, not the language.
>
> I've not had to "protect" any php in that fashion, so I would be interested
> if you would let us know what you decided on and how it worked out for you.
>
> Best,
>
> Jeff
>
> On Wed, Oct 24, 2012 at 10:37 AM, Lou Duchez <lou at paprikash.com> wrote:
>
>> Not the way I write, baby!
>>
>> I'm sort of leaning towards ionCube at this point, though it looks like
>> its competitors are Zend Guard and HipHop.
>>
>>
>>
>>   Isn't php self obfuscating?   wink ;^)
>>> -Jeff
>>>
>>>
>>>
>>> On Tue, Oct 23, 2012 at 2:07 PM, Lou Duchez <lou at paprikash.com> wrote:
>>>
>>>   Anyone have any experiences with PHP obfuscators or compilers they want
>>>> to
>>>> share?  What works, what doesn't work, any gotchas?
>>>>
>>>>
>>>> ______________________________****_________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/****mailman/listinfo/olug<https://lists.olug.org/**mailman/listinfo/olug>
>>>> <https://**lists.olug.org/mailman/**listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>>>   ______________________________**_________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://lists.olug.org/**mailman/listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>>
>> ______________________________**_________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/**mailman/listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>
>
>

More information about the OLUG mailing list