AKBK home - Smoking toooooo much PHP - Code encryption = funny solutions

Tuesday 13 September 2005

Code encryption = funny solutions

Someone just emailed me to comment on something called phpcodelock, (google for it, I'm not going to advertise stupid products)..

It's always funny to see people try and encypt PHP source (or javascript/html for that matter.) As the reality is, encyption is only any good when the end user doesnt get hold of all the keys to open the door.

I've no idea how exactly the product above works (but I'm 100% sure it's not really going to work beyond a superficial look). But it looks similar to another funny effort I saw the other day. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.. = a quick preg while loop on the code solved that one..

So to try and stop stupid people spending (or losing their) money on stupid products, here's a hackers guide to reading encypted PHP code

Step 1: open up the php source code (the one you download from php.net), look for any of the zend engine that parses PHP source, and stick a big printf() ( optionally to a file somewhere..) just before it's parsed.!!!!!!

Opps - that's it (there is only one step!) - almost all encryption methods fall foul of this.!!

Actually the reason someone asked me was because I hacked the apc source into bcompiler quite a few years ago, and since then Val Khokhlov has been doing an excellent job, fixing all my bugs, adding features and making it work with PHP5.

bcompiler does work to some degree as a encyption technique, as you would have great difficulty resurecting the original source code from the opcodes (although you could get something resembling the source out, with alot of work...).

But really, why bother... that's what copyright is for.!! The only justification I can imagine (having seen the crap hidden behind this stuff) is to hide away some horrifically bad code, that the Author was so embarressed to show to the world..

Posted by alan in at 06:09:04

I agree and disagree
I disagree with the comment about that is what copyright is for. Most of the smaller players do not have the money or the time to pursue people that have either stolen source code or modifed it when they could not have written it themselves.

While I like producing both types of source (open and encoded) there are reasons for both.

What I agree with is how some people buy products that have extremely wrong techniques about encoding a script. Instead of getting into byte code they just obscure it. Then it is a 5 minute process to have all of the source code in your hands.

#1 - Mike Willbanks ( Link) on 13 Sep 2005, 20:43 Delete Comment

___
In fact isnt useful to protect your wood-house above the tree with bullet-proof windows and armour-plated doors... because its only a wood-house over a tree... this is why after trying in all the ways to encrypt the code of my "precious" framework i reached your same point of view. And now my code is (nearly) clear.
Making "translucid-box" with a client-side clear code is useless. Two solutions i adopt are: remote activation/download of a part of code (just for statistic usage) or making a php_somewhat extension that keep the key to run in certain server.

I think a good way to protect your code (if its not an open-project) is to make a well formed 20pages contract of utilization/copyrights and to require the sign of your client :-)

#3 - michele ( Link) on 13 Sep 2005, 22:21 Delete Comment

Decoding eval(gzinflate())
<code>
<?php
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";

echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);

echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents);
eval(preg_replace("/eval/", "\$contents=", $contents));
}

echo "3. Writing decoded.txt\n";
$fp2 = fopen("decoded.txt","w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>
</code>

#11 - JurgenD ( Link) on 19 Dec 2005, 01:27 Delete Comment

IPRED and DMCA
I think you may have forgetten an important point. Both EU and USA have laws that forbid you to unencrypt source code if it has been implemented to protect copyright (unless you are trying to make the code run on another device - which is unlikely given you have source to PHP itself - you should port PHP and I think a judge would agree).

Europe calls their law `The Intellectual Property Rights Enforcement Directive' of 2004 (IPRED). USA calls their law `The Digital Millennium Copyright Act' of 1998 (DMCA).

Now...

Yes, it is trivial to unencrypt many of the methods talked about. But if you do so, you make yourself a *huge* target for a lawsuit - much more so than a simple copyright infringement. The penalties are much more severe (and can include jail time).

#13 - Jamie ( Link) on 17 Apr 2006, 19:42 Delete Comment

And?
How is anyone outside of the site owner going to prove that you've decoded the source of a PHP script unless you pirate it?

As a PHP contractor I've encountered scripts like these all the time and it is indeed trivial to decrypt them. It's simply an annoyance though when one needs to make some code-level change in order to, for example, make a module work with a new version of X-Cart.

Your source really isn't that valuable. Hate to burst your bubble, but very few people care about your code other than those that legitimately need to edit it.

#14 - Spoom ( Link) on 21 Oct 2006, 05:44 Delete Comment