Professional Email Management | Anti-Spam | Email Virus scanning | Email Approval Processes | Email Archiving

Smoking toooooo much PHP

Tuesday 13 September 2005

Code encryption = funny solutions

Someone just emailed me to comment on something called phpcodelock, (google for it, I'm not going to advertise stupid products)..

It's always funny to see people try and encypt PHP source (or javascript/html for that matter.) As the reality is, encyption is only any good when the end user doesnt get hold of all the keys to open the door.

I've no idea how exactly the product above works (but I'm 100% sure it's not really going to work beyond a superficial look). But it looks similar to another funny effort I saw the other day. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.. = a quick preg while loop on the code solved that one..

So to try and stop stupid people spending (or losing their) money on stupid products, here's a hackers guide to reading encypted PHP code

Step 1: open up the php source code (the one you download from php.net), look for any of the zend engine that parses PHP source, and stick a big printf() ( optionally to a file somewhere..) just before it's parsed.!!!!!!

Opps - that's it (there is only one step!) - almost all encryption methods fall foul of this.!!

Actually the reason someone asked me was because I hacked the apc source into bcompiler quite a few years ago, and since then Val Khokhlov has been doing an excellent job, fixing all my bugs, adding features and making it work with PHP5.

bcompiler does work to some degree as a encyption technique, as you would have great difficulty resurecting the original source code from the opcodes (although you could get something resembling the source out, with alot of work...).

But really, why bother... that's what copyright is for.!! The only justification I can imagine (having seen the crap hidden behind this stuff) is to hide away some horrifically bad code, that the Author was so embarressed to show to the world..

Posted by alan in at 06:09:04

Comments

I agree and disagree
I disagree with the comment about that is what copyright is for. Most of the smaller players do not have the money or the time to pursue people that have either stolen source code or modifed it when they could not have written it themselves.

While I like producing both types of source (open and encoded) there are reasons for both.

What I agree with is how some people buy products that have extremely wrong techniques about encoding a script. Instead of getting into byte code they just obscure it. Then it is a 5 minute process to have all of the source code in your hands.

#1 - Mike Willbanks ( Link) on 13 Sep 2005, 20:43 Delete Comment

How PHPCodeLock works
I had a quick look (downloaded the trial), and it took me about 5 minutes to crack. Let's just say that your example (base64, eval) wasn't far off.

They took a few counter-measures (such as hiding the decryption algo), but armed with a good editor and PHP knowledge, it's extremely easy.

#2 - Joe ( Link) on 13 Sep 2005, 21:36 Delete Comment

___
In fact isnt useful to protect your wood-house above the tree with bullet-proof windows and armour-plated doors... because its only a wood-house over a tree... this is why after trying in all the ways to encrypt the code of my "precious" framework i reached your same point of view. And now my code is (nearly) clear.
Making "translucid-box" with a client-side clear code is useless. Two solutions i adopt are: remote activation/download of a part of code (just for statistic usage) or making a php_somewhat extension that keep the key to run in certain server.

I think a good way to protect your code (if its not an open-project) is to make a well formed 20pages contract of utilization/copyrights and to require the sign of your client :-)

#3 - michele ( Link) on 13 Sep 2005, 22:21 Delete Comment

ioncube
What about ioncube? I was considering buying this :)

#4 - jason ( Link) on 13 Sep 2005, 22:39 Delete Comment

comment
Oh well. Security through obscurity. :)

Though, I don't understand how bcompiler qualifies as encryption, in this case, all C and java compilers offer encyption, hehe :)

#5 - Geoffrey Lee ( Link) on 14 Sep 2005, 12:57 Delete Comment

Extremely Easy to Crack
2 seconds...

change...
eval(gzinflate(base64_decode(

to...
echo(gzinflate(base64_decode(

Hello Code!

#6 - tdPro ( Link) on 04 Nov 2005, 12:12 Delete Comment

Recovery Zend ioncube sourceguardian code
Is not really this solution ;)
you have to decode zend Loader -->opcode -->sourcecode
Ioncube Loader--->opcode--->sourcode

for more info
http://www.phprecovery.com

#7 - PhpRecovery ( Link) on 04 Dec 2005, 19:40 Delete Comment

base64_decode
simple techniques...

replace eval's with print's/echo's, etc.

a)
$decoded = base64_decode($string);

b)
$decoded = gzinflate(base64_decode);

Most code encoded with base64_encode, gzdeflate, etc. work against the average end user.

#8 - Shizzle ( Link) on 09 Dec 2005, 13:57 Delete Comment

whoops
typo,

b)
$decoded = gzinflate(base64_decode($string));

:-D

#9 - Shizzle ( Link) on 09 Dec 2005, 14:07 Delete Comment

Vulcan Opcode dumper
Well I saw an Opcode dumper (Vulcan)
But how do You map the Opcode back to php source ?

Ref:http://blog.php-security.org/archives/14-PHP-Encoders-Protection-where-are-you.html

#10 - JurgenD ( Link) on 18 Dec 2005, 23:22 Delete Comment

Decoding eval(gzinflate())
<code>
<?php
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";

echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);

echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents);
eval(preg_replace("/eval/", "\$contents=", $contents));
}

echo "3. Writing decoded.txt\n";
$fp2 = fopen("decoded.txt","w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>
</code>

#11 - JurgenD ( Link) on 19 Dec 2005, 01:27 Delete Comment

Mr.
Hi, I am findin your posts very interesting. I am about to purchase the IonCube PHP encoder. I was going to protect my php code with it. So if I did use the latest vrsion would the likes of phprecovery and others be able to decode it and dit my php source script. How exactly do they do this. Ioncube seam to think they it can't be done. I have an example script encoded and would like to try and decode it myself to see how easy it would be. Thanks

#12 - Glav ( Link) on 18 Mar 2006, 00:12 Delete Comment

IPRED and DMCA
I think you may have forgetten an important point. Both EU and USA have laws that forbid you to unencrypt source code if it has been implemented to protect copyright (unless you are trying to make the code run on another device - which is unlikely given you have source to PHP itself - you should port PHP and I think a judge would agree).

Europe calls their law `The Intellectual Property Rights Enforcement Directive' of 2004 (IPRED). USA calls their law `The Digital Millennium Copyright Act' of 1998 (DMCA).

Now...

Yes, it is trivial to unencrypt many of the methods talked about. But if you do so, you make yourself a *huge* target for a lawsuit - much more so than a simple copyright infringement. The penalties are much more severe (and can include jail time).

#13 - Jamie ( Link) on 17 Apr 2006, 19:42 Delete Comment

And?
How is anyone outside of the site owner going to prove that you've decoded the source of a PHP script unless you pirate it?

As a PHP contractor I've encountered scripts like these all the time and it is indeed trivial to decrypt them. It's simply an annoyance though when one needs to make some code-level change in order to, for example, make a module work with a new version of X-Cart.

Your source really isn't that valuable. Hate to burst your bubble, but very few people care about your code other than those that legitimately need to edit it.

#14 - Spoom ( Link) on 21 Oct 2006, 05:44 Delete Comment

Codelock v2 != Useful
Nice ad, it's crap.

I broke codelock V2 by hand for fun.

Sure you have to use Base64 more than once to get the outright source. Running the sourge though layer after layer of base64 decodes doesn't equal encryption or security.

It's silly easy to open.

My reason? To fix crappy code that was released into the public domain "to use any way you want" so way run it through this? The basic principle was good, the exicution was horrid.

#15 - Rip ( Link) on 29 Jan 2007, 15:52 Delete Comment

IPRED and DMCA Missed the point
Yes, the US and EU have laws protecting copyrighted software, however, most commonly freelancers are legally "work-for-hire" meaning they are selling their IP to the contractor. Hence, it is - in this case - the owner of the copyright, that wants to decrypt HIS own code... The fact that he did not personally type it is completely moot.

Additionally, not only do most freelancers work with no or little contract protecting/preserving IP and copyright, but again, most that do, do not own the code or IP.

#16 - Bob Jones ( Link) on 22 Mar 2008, 09:24 Delete Comment

Futile Attempt
The thing is, copyright owners are in a difficult position. They may have invested time and money into their websites, and have to try something to protect themselves. This is the only option open, so they have to try it. On the same page as an encrypted code will be a copyright warning. Anyone decrypting this code will be doing so illegally.
It is then down to the honesty of the developer whether he persues the decision to decrypt valuable work. Even if the code is crap, it still deserves respect.

#17 - Richard ( Link) on 01 Jul 2008, 20:51 Delete Comment

Works on nested encodes, too:
//1) Add this function to your code
//2) Find/replace "eval(" to "haxeval("
//3) Run script and see obfuscated code
//4) Enjoy

function haxeval($str){

$pattern = '/eval/';
$replacement = 'haxeval';
$result = preg_replace($pattern, $replacement, $str);
echo $result;
return eval($result);

}

#18 - Anonymous ( Link) on 09 Dec 2008, 13:20 Delete Comment

unfair
well i have read your commets and I m a bit anoyed. I paid to buy a website (nevals.co.uk) and whe I tried to move servers the guy who desiged it would not give me the unencrypted version so its worthless to me. I had asked for the files with out the ioncube stuff and he told me to beat it! 2k for a website I cant change. Who owns the copyright ayway? I paid for the work should it not be me??

#19 - neil ( Link) on 15 Dec 2008, 20:30 Delete Comment

I ll own u
well my comment for the guy up their
@IPRED and DMCA Missed the point

do no cares about your law crap, and it their aren't gonna use it to do illegal thing plus it isn't like their downloading mp3 or something, their are decoding it their own source code .

#20 - Bi1ch please gtfo ( Link) on 01 Aug 2009, 01:42 Delete Comment

Software is generally licensed, not sold
@neil

As a developer I can tell you that any software that I write for clients is licensed, not sold. I own the IP and copyright forever, no matter what you paid for the license to use it or my services.

I don't know of one developer who does differently, other than the poor souls who allow themselves to work for hire.

Think of it this way. You probably have a computer that runs Micro$oft Windows. You paid for that. Now, who owns the software, you or Micro$oft? (If you think its you, read the license)

#21 - Backslider ( Link) on 02 Jan 2010, 13:58 Delete Comment

Easy?
I have seen a bunch of people here say "I decoded ___ and it was easy" - how about sharing HOW? Because without this you are just blowing hot air. Show me results, or STFU.

#22 - Darkstar ( Link) on 20 Jan 2010, 03:21 Delete Comment

Add a comment (requires javascript!)

Name
Email
Homepage
Comment Title
Comment
	Don't bother spamming, I will just delete the comments

Contact me at alan@akbkhome.com