Tools for PHP obfuscation
We have developed a PHP application and is about to be released. And we want to obfuscate our PHP source before selling it, thus, I have evaluated different product that aimed in performing this kind of activity, I have selected to check out the following products.
ByteRun Protector for PHP is first mentioned in PHPArch, a nice review is given and steps by steps procedure in illustrating on how PHP codes can be encoded are shown. It has provided a windows only GUI interface for the user to select the projects folder and where the encoded file should put into.
The encoding comes with 3 level of security and only the PHP encoded in level “weak” can be executed with the original loader. The rest of the 2 can only operate under the loader provided. The encoding process is painless and you can encode the script with different parameter, such as expiration date for execution and domain checking. All these configuration can be saved as a “project” and you can execute individual project at anytime, to ensure the deliverable will always be encoded under the same setting.
There are very little documentaion on how the deployment should be done, upon copying the encoded scripts to the execution platform, I have added the corresponding extension as instructed and upon execution, segmentation fault is resulted.
I have sent an email to the support but no reply from them so far. The only help I can help is a single page of html indiciating I should make sure the loader is properly loaded but it just doesn’t seems to work.
I have high hope on this product as they critized heavily on competiting product like those by Zend, also, they declare the PHP is obfuscated (note the different between this and encoding) and could not be reverse engineered by any decompiler available. They even claimed that, the obfuscated PHP scripts can be executed in regular loader, no customized loader will be needed.
The encoding process is performed in command prompt, there is a bunch of argument one can (or has to) pass into the encoding command. You have to specify which of the file (or files you listed in a project file) together with what do you want to do with it, to ease the customization, a very primitive has been provided for the user to create the project file. The building process is scriptable and can easily be merged into the building process.
I have spent hours trying to figuring out on how could I obfuscate my code to no avail, maybe I am too old in typing command? The only documents I got is some html pages, which resemble very closely to a typical “how-to” document, i.e. with a lot of word but you cannot easily follow through. I have finally given up and moved on to the next product.
The trial version of PHP Encoder from ionCube contains a command-line encoder (again?!), the loader and a user guide (finally!). I have followed through the user guide, and fires up the encoder (they have 2 encoders, for PHP4 and PHP5 respectively) which I only need to specify the source and output folder location.
The product has 3 different level which differs in function, like the Pro version allows the generation of time limiting license while the Cerberus version can limit the execution of the script to a certain MAC address only.
Like PHP Thicket Obfuscator, the command line execution allow us to integrate the encoding process easily into our build process. The encoder can execute on various platform like linux and windows but the licesne will be bound to a particular MAC address.
I have copied the whole set of encoded PHP, as well as those provided by the program for loader verification to my testing machine. I fired up the testing script and it shows the steps that I need to take in order to have my encoded script to operate properly.
I have modified the php.ini as instructed, and copied the loader to a particular location and reload the testing script. It reports I am fine and then, I moved on to check my program.
Ta-da, everything just works!
I logged in and start to wander around, every functions just work like before. Then, I opened the encoded script in text editor and noticed nothing that I can understand. :)
My decision is very apparent, I would propose to use ionCube PHP Encoder for our project.
- ByteRun Protector for PHP
- PHP Thicket Obfuscator
- PHP Encoder
ByteRun Protector for PHP
Encoding process
ByteRun Protector for PHP is first mentioned in PHPArch, a nice review is given and steps by steps procedure in illustrating on how PHP codes can be encoded are shown. It has provided a windows only GUI interface for the user to select the projects folder and where the encoded file should put into.
The encoding comes with 3 level of security and only the PHP encoded in level “weak” can be executed with the original loader. The rest of the 2 can only operate under the loader provided. The encoding process is painless and you can encode the script with different parameter, such as expiration date for execution and domain checking. All these configuration can be saved as a “project” and you can execute individual project at anytime, to ensure the deliverable will always be encoded under the same setting.
Deployment
There are very little documentaion on how the deployment should be done, upon copying the encoded scripts to the execution platform, I have added the corresponding extension as instructed and upon execution, segmentation fault is resulted.
I have sent an email to the support but no reply from them so far. The only help I can help is a single page of html indiciating I should make sure the loader is properly loaded but it just doesn’t seems to work.
PHP Thicket Obfuscator
I have high hope on this product as they critized heavily on competiting product like those by Zend, also, they declare the PHP is obfuscated (note the different between this and encoding) and could not be reverse engineered by any decompiler available. They even claimed that, the obfuscated PHP scripts can be executed in regular loader, no customized loader will be needed.
Encoding process
The encoding process is performed in command prompt, there is a bunch of argument one can (or has to) pass into the encoding command. You have to specify which of the file (or files you listed in a project file) together with what do you want to do with it, to ease the customization, a very primitive has been provided for the user to create the project file. The building process is scriptable and can easily be merged into the building process.
I have spent hours trying to figuring out on how could I obfuscate my code to no avail, maybe I am too old in typing command? The only documents I got is some html pages, which resemble very closely to a typical “how-to” document, i.e. with a lot of word but you cannot easily follow through. I have finally given up and moved on to the next product.
PHP Encoder
Encoding process
The trial version of PHP Encoder from ionCube contains a command-line encoder (again?!), the loader and a user guide (finally!). I have followed through the user guide, and fires up the encoder (they have 2 encoders, for PHP4 and PHP5 respectively) which I only need to specify the source and output folder location.
The product has 3 different level which differs in function, like the Pro version allows the generation of time limiting license while the Cerberus version can limit the execution of the script to a certain MAC address only.
Like PHP Thicket Obfuscator, the command line execution allow us to integrate the encoding process easily into our build process. The encoder can execute on various platform like linux and windows but the licesne will be bound to a particular MAC address.
Deployment
I have copied the whole set of encoded PHP, as well as those provided by the program for loader verification to my testing machine. I fired up the testing script and it shows the steps that I need to take in order to have my encoded script to operate properly.
I have modified the php.ini as instructed, and copied the loader to a particular location and reload the testing script. It reports I am fine and then, I moved on to check my program.
Ta-da, everything just works!
I logged in and start to wander around, every functions just work like before. Then, I opened the encoded script in text editor and noticed nothing that I can understand. :)
My decision is very apparent, I would propose to use ionCube PHP Encoder for our project.