streamer

[web] PHP encoder

Hi, I want to encode PHP files, making the files unreadable. Which PHP encoder is the best buy considering options/price? Thanks in advance.

The term you're looking for is an "obfuscator." Here are some Google results for you.

However, it's pretty uncommon to have to obfuscate server-side code. Are you delivering your PHP code to a client that you don't want to be able to read the source code?

Quote:
Original post by BeanDog
The term you're looking for is an "obfuscator." Here are some Google results for you.

However, it's pretty uncommon to have to obfuscate server-side code. Are you delivering your PHP code to a client that you don't want to be able to read the source code?


No, I'm familiar with the term obfuscator, and maybe I wrote the wrong word. I need an encrypter that makes the code totally unreadable and impossible to reverse back to normal. Obfuscated code is hard to read, but not impossible to reverse engineer.

Also it is a plus if it can handle JavaScript too...

Quote:
Original post by streamer
Quote:
Original post by BeanDog
The term you're looking for is an "obfuscator." Here are some Google results for you.

However, it's pretty uncommon to have to obfuscate server-side code. Are you delivering your PHP code to a client that you don't want to be able to read the source code?


No, I'm familiar with the term obfuscator, and maybe I wrote the wrong word. I need an encrypter that makes the code totally unreadable and impossible to reverse back to normal. Obfuscated code is hard to read, but not impossible to reverse engineer.

Also it is a plus if it can handle JavaScript too...

As far as I'm aware it's impossible to do that. PHP needs to be able to run the code, and as such you can always just reverse-process it.

Why do you need to do this anyway?

The main problem is that our company is delivering complete servers with code for good money. Nowadays it is pretty easy to clone a complete hard disk and make another server from it, and we don't want something like that to happen. Many people can access the hard disks, and the complete machine also. There is a slight possibility that some other users can access and change the PHP code too. That's why I need some very GOOD protection for the code we have written.
In this case, if I can encode/encrypt the complete code, some piece of PHP code can be written to bind the code to that particular server via IP.

But if there is any other option of doing the same thing, I am open to any advice you guys can think of.

Thanks

Quote:
Original post by Evil Steve
Quote:
Original post by streamer
Quote:
Original post by BeanDog
The term you're looking for is an "obfuscator." Here are some Google results for you.

However, it's pretty uncommon to have to obfuscate server-side code. Are you delivering your PHP code to a client that you don't want to be able to read the source code?


No, I'm familiar with the term obfuscator, and maybe I wrote the wrong word. I need an encrypter that makes the code totally unreadable and impossible to reverse back to normal. Obfuscated code is hard to read, but not impossible to reverse engineer.

Also it is a plus if it can handle JavaScript too...

As far as I'm aware it's impossible to do that. PHP needs to be able to run the code, and as such you can always just reverse-process it.

Why do you need to do this anyway?


You're wrong, there is one encrypter I am aware of. It is PHP Source Guardian. It is made as a PHP extension, and it fully encrypts the PHP code. But I would like to know if there is any other piece of software that can do better. Source Guardian cannot handle, for example, JavaScript.

Quote:
Original post by streamer
You're wrong, there is one encrypter I am aware of. It is PHP Source Guardian. It is made as a PHP extension, and it fully encrypts the PHP code. But I would like to know if there is any other piece of software that can do better. Source Guardian cannot handle, for example, JavaScript.

Actually, he's right. PHP Source Guardian can decrypt your PHP source, therefore it is possible for your source code to be decrypted. You can't have PHP code which is impossible to read, otherwise you can't execute that code.

An alternative would be to convert the PHP source to some other programming language, which would mean that the end result is perfectly readable and executable, but it cannot be reverse-transformed into PHP code. Sadly, because of the dynamic and reflexive nature of PHP, this is next to impossible.

Quote:
Original post by Konfusius
Does this help you? http://www.zend.com/en/products/guard/


Thanks, I will download it and take a look at it.

Since the code eventually has to be read & executed by the PHP engine, it's logically not possible to make the code "impossible to read".

Since you're selling the software, your best bet is to make it part of the license agreement that reverse engineering is not allowed and then you've got legal protection, rather than technical protection.

Also, depending on which country you're selling the software from, using a "simple" obfuscator might be enough to have the source code protected under the DMCA.

My personal opinion, however, is that you've got to trust your end-users at some point anyway. If they're paying for your software, it's unlikely that they'd bother trying to reverse engineer the code anyway since it's already working (that implies that you need to provide good enough support for them when it doesn't work that they want to keep paying you).

Quote:
Original post by Codeka
My personal opinion, however, is that you've got to trust your end-users at some point anyway. If they're paying for your software, it's unlikely that they'd bother trying to reverse engineer the code anyway since it's already working (that implies that you need to provide good enough support for them when it doesn't work that they want to keep paying you).


True in some cases, false in some others. We are of course providing 24h support with very fast responses. And they are satisfied. Customers are also paying a monthly fee, which will be very high in the future (depends on their income), but they are also making money on our software.

When we get to the point that they need to pay a lot of dollars per month, I'm pretty sure that some of our customers will try to fake their income, just to pay us a smaller amount. Or try to clone the machine and put it in another place.

Unfortunately, when money is involved, a lot of people don't play straight. And I'm speaking from experience. 200$ plus is 200$ plus, even if they have i.e. 50k income per month. Of course there are always honest people who play by the rules, but the majority aren't that type.


Since you're delivering complete servers, why not simply encrypt the entire hard drive? And simply check on startup that the machine is a genuine machine and not some whitebox with a cloned hard drive.

Out of curiosity: What kind of service do your servers provide? What do they do?

The reason that source guardian works is because it runs as a process of php, the code is encrypted in the document and source guardian decrypts it and sends it to the server.

The problem with publicly available products like that is that anyone that has source guardian can run your code.

If you are looking for an out of the box solution then you will have to live with this limitation.

On the other hand you are building a complete server. So why not just write your own encryptor and corresponding server side decryptor? This seems to be the best solution to your problem.

Quote:
Original post by Feralrath
The problem with publicly available products like that is that anyone that has source guardian can run your code.


This doesn't really matter. If the code cannot be listed and changed, it can be embedded in the code that it is bound to one particular IP.

Quote:
On the other hand you are building a complete server. So why not just write your own encryptor and corresponding server side decryptor? This seems to be the best solution to your problem.


This is also a solution I have thought of; the only problem is the time. It can't be done fast, and I need it ASAP.

Quote:
Original post by Sander
Since you're delivering complete servers, why not simply encrypt the entire hard drive? And simply check on startup that the machine is a genuine machine and not some whitebox with a cloned hard drive.


Pretty nice thought. I have now implemented something similar. But how can I encrypt a whole hard disk?

How about something simple AND free like bcompiler? Just convert all your files to bytecode, add the bcompiler extension to the PHP installation and you're done. To my knowledge there is no easy way to convert Zend bytecode back to PHP source code.

Quote:
Original post by streamer
Quote:
Original post by Feralrath
The problem with publicly available products like that is that anyone that has source guardian can run your code.


This doesn't really matter. If the code cannot be listed and changed, it can be embedded in the code that it is bound to one particular IP.

If the code can be run, it can be listed. That is the nature of interpreted or (to a lesser degree) bytecode-compiled languages.

Quote:
Quote:
On the other hand you are building a complete server. So why not just write your own encryptor and corresponding server side decryptor? This seems to be the best solution to your problem.


This is also a solution I have thought of; the only problem is the time. It can't be done fast, and I need it ASAP.

It's also not useful. If the code can be run, it can be listed.

Quote:
Quote:
Original post by Sander
Since you're delivering complete servers, why not simply encrypt the entire hard drive? And simply check on startup that the machine is a genuine machine and not some whitebox with a cloned hard drive.


Pretty nice thought. I have now implemented something similar. But how can I encrypt a whole hard disk?

You can use plenty of off-the-shelf tools for it. It won't help, though, since if the code can be run, it can be listed. Are you starting to see the theme?

[Edited by - Sneftel on October 22, 2008 8:06:59 AM]

Quote:
It won't help, though, since if the code can be run, it can be listed.


It really depends. If the server is appliance-like (no shell/root access to the server, just a web interface to configure it) then it becomes a whole lot harder. Especially if you can prevent physical access by using the case monitors to trigger some program that prevents the hard drive from being decrypted (i.e. encrypt the drive decryption key with the supplier public key so that only the supplier can restore the hard drive).

It won't make it impossible to get at the code, but impractical enough.
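
The startup check Sander suggests, and a sturdier form of the IP binding streamer describes, sketched as an added example that is not part of the original thread: the supplier signs a license naming one machine fingerprint, and the appliance verifies it with only the public key. The function names, fingerprint fields and demo key pair are assumptions, and as the thread points out, the check only holds while the customer cannot edit the code that performs it.

```php
<?php
// Added example, not code from the thread. All identifiers and sample values are constructed.

/** Hash the hardware identifiers that a cloned disk does not carry with it. */
function machine_fingerprint(array $ids): string
{
    ksort($ids); // stable order, so the same hardware always hashes the same
    return hash('sha256', json_encode($ids));
}

/** Supplier side: sign a license that names exactly one fingerprint. */
function issue_license(string $fingerprint, string $expires, $privateKey): array
{
    $payload = json_encode(['fp' => $fingerprint, 'expires' => $expires]);
    if (!openssl_sign($payload, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return ['payload' => $payload, 'sig' => base64_encode($sig)];
}

/** Appliance side: only the public key ships on the box. */
function license_valid(array $license, string $localFp, string $today, $publicKey): bool
{
    $sig = base64_decode($license['sig'], true);
    if ($sig === false) {
        return false;
    }
    if (openssl_verify($license['payload'], $sig, $publicKey, OPENSSL_ALGO_SHA256) !== 1) {
        return false; // payload was edited or signed by someone else
    }
    $claims = json_decode($license['payload'], true);
    return hash_equals($claims['fp'], $localFp) && $today <= $claims['expires'];
}

// Constructed demo key pair; in practice the private key never leaves the supplier.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];

$genuine = machine_fingerprint(['board_serial' => 'DEMO-0001', 'mac' => '02:00:00:00:00:01']);
$clone   = machine_fingerprint(['board_serial' => 'DEMO-0002', 'mac' => '02:00:00:00:00:02']);
$license = issue_license($genuine, '2030-01-01', $key);

var_dump(license_valid($license, $genuine, '2025-06-01', $pub)); // original hardware
var_dump(license_valid($license, $clone, '2025-06-01', $pub));   // cloned disk in another box

$forged = $license; // license file edited to name the clone's fingerprint
$forged['payload'] = str_replace($genuine, $clone, $license['payload']);
var_dump(license_valid($forged, $clone, '2025-06-01', $pub));
```

Unlike an IP check, the signed license cannot be re-pointed at another machine by editing a configuration value, because the box holds no key that can produce a valid signature.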
