
After PHP code is encoded using a third-party encoder (IonCube, Zend Guard), what about using reflection with the encoder? Doesn't that give a lot of the code away?

As far as I know, these encoders have an expiration date. Code encoded with older versions is bound to be cracked at some point.

My solution was to encode the code AFTER having it obfuscated (custom-written obfuscator). Everything is minified into a single file and obfuscated. Anything beyond the native PHP functions/variables is gibberish.

This way, if at some point the code is decoded, the result will be messy, mind-numbing code.

The code is distributed, each client has a copy and it sits on their own LAMP server.

There is no need to worry about debugging; the code is overwritten each time a new release is made.

Of course there are a lot of compromises here. The obfuscation limits coding techniques/use of a framework.

So, how would you rate the safety of the code? Is obfuscation worth it?

If not, are there any alternatives? What would you consider an optimal solution?

Thanks,
Fouad

  • Has been asked 1000s of times and the answer is always the same. What you are doing is pretty much useless for anyone serious about obtaining code. Commented Sep 11, 2014 at 10:17
  • Direct access to the .php files = direct access to source. Even if it's encoded or w/e you want, as long as the machine can run it, it can be reversed back to clean code. Commented Sep 11, 2014 at 10:23
  • True, but there the resulting code is not that clean, hence the obfuscation... the whole thing is one file of gibberish code... Commented Sep 11, 2014 at 10:26
  • What is your goal with this in the first place? Why obfuscate the code? What are you trying to protect from whom? Commented Sep 11, 2014 at 10:44
  • Presumably you're selling this software to your clients. Instead of treating them as pirates by default, treat them as customers. Your best weapon here is a contract which clearly states what they may or may not do with the software; not to obfuscate the code which doesn't really protect anything anyway. Commented Sep 11, 2014 at 10:54

1 Answer


After PHP code is encoded using a third-party encoder (IonCube, Zend Guard), what about using reflection with the encoder? Doesn't that give a lot of the code away?

It's more nuanced than that. The public code (function names, global variables, etc.) that is designed to be interacted with will all be public.

As far as using reflection goes, it's not that hard to disable reflection for an internal function/class (which is what they would do). This wouldn't necessarily error, but it could return garbage. Since the encoders have access to C, assume they can do anything they want.

Well, not anything. At some point, the code still needs to be executed. And to be executed, it needs to have an opcode array. The opcode array lists every operation in every function.

And since reversing from opcodes into PHP code isn't difficult, encoders are basically little more than obfuscators once run in a valid environment.

The value-add that an encoder can do is encrypting the opcode so that you can't run it on a non-licensed server. But once you can run the code you can do whatever you want with it.

Code encoded with older versions is bound to be cracked at some point.

No. Code with all versions can be cracked. All it needs is the ability to be executed.

My solution was to encode the code AFTER having it obfuscated (custom-written obfuscator). Everything is minified into a single file and obfuscated. Anything beyond the native PHP functions/variables is gibberish.

That's exactly what the encoder does anyway. Except for the public code (designed to be interacted with or extended by developers), the rest is just pointers. All naming information is lost. So obfuscating it yourself isn't necessary.

So, how would you rate the safety of the code? Is obfuscation worth it?

The question you haven't answered is who you are trying to protect the code from.

Are you concerned about someone using your code unlicensed? If so, no encoder can protect you. Because all the user needs to do is dump the opcodes and they can have the code (without variable names, but they don't need that to run it). It's not as trivial as that, but it's 100% doable.

Are you concerned about someone modifying your code? Well, they can get the code anyway... So...

Are you concerned about someone looking into the code to find things? Like security vulnerabilities? Well, they can do that anyway. And trying to obfuscate it is not going to help.

Are you concerned about the average user making modifications? Then encoding will prevent that.

If not, are there any alternatives?

The alternative is licensing. You don't need to hide the code to protect it. License it under a restrictive commercial license. And use the legal system to go after anyone who steals or breaks the license. This is about the only effective way of protecting software.

What would you consider an optimal solution?

Not encoding, that much I can tell you :-)
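As an added illustration of the answer's point about the public surface (not code from the question, the answer or any encoder vendor): the reflection audit a vendor can run against its own build. The Billing class and every name in it are constructed stand-ins; requiring an encoded build in its place shows which method names, parameter signatures, constants and doc comments the encoder actually leaves discoverable (reflection never returns method bodies, which are what gets compiled to opcodes).

```php
<?php
// Added example, not code from the question, the answer or any encoder vendor.
// Billing is a constructed stand-in for a vendor's own module; point audit_surface()
// at a `require`d encoded build to see which of these items the encoder hides.

/** Computes invoice totals for a client. */
final class Billing
{
    private const RATE_TABLE = ['std' => 1.0, 'pro' => 0.85];

    /** Quote a plan; $discount is a fraction such as 0.1. */
    public function quote(string $plan, int $seats, ?float $discount = null): float
    {
        // The body is what gets compiled to opcodes; reflection never returns it.
        $base = 10.0 * $seats * (self::RATE_TABLE[$plan] ?? 1.0);
        return $discount === null ? $base : $base * (1 - $discount);
    }

    protected function auditLog(string $event): void {}
    private function secretAdjustment(float $amount): float { return $amount; }
}

/** Returns one line per method and constant reflection can see, with its signature. */
function audit_surface(string $class): array
{
    $rc  = new ReflectionClass($class);
    $out = [];
    foreach ($rc->getMethods() as $m) {
        $params = array_map(function (ReflectionParameter $p): string {
            $s = ($p->hasType() ? $p->getType() . ' ' : '') . '$' . $p->getName();
            if ($p->isDefaultValueAvailable()) {
                $s .= ' = ' . var_export($p->getDefaultValue(), true);
            }
            return $s;
        }, $m->getParameters());
        $out[] = sprintf('%s %s::%s(%s)%s%s',
            implode(' ', Reflection::getModifierNames($m->getModifiers())),
            $class, $m->getName(), implode(', ', $params),
            $m->hasReturnType() ? ': ' . $m->getReturnType() : '',
            $m->getDocComment() !== false ? '   [docblock readable]' : '');
    }
    foreach ($rc->getReflectionConstants() as $c) {   // private constants included
        $out[] = sprintf('%s const %s::%s = %s',
            implode(' ', Reflection::getModifierNames($c->getModifiers())),
            $class, $c->getName(), var_export($c->getValue(), true));
    }
    return $out;
}
echo implode(PHP_EOL, audit_surface(Billing::class)), PHP_EOL;
```

On plain PHP the output lists all three methods, private ones included, with their parameter names, defaults and return types, plus the private constant's value; the difference between that list and the one produced from the encoded build is what the encoder actually hides.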


5 Comments

LOL thanks ircmaxell for the insights :) OK, so an encoder would help, but that doesn't mean it's not crackable; that's fair enough. The idea for obfuscation came to mind when I found this: decry.pt. You upload a file and get the decoded PHP file in plain and clear text... It worked for older versions of IonCube... So as an extra measure of precaution I decided to obfuscate the basic PHP code before encoding it. This way I protect it from the average developers if at some point cracking IonCube was this easy.
Licensing is unfortunately not an option. They will steal it in a heartbeat. The law can't protect me from clients miles away. What about moving some of the business logic to the cloud? (already working on it) Internet availability is not an issue.
@f.farah Obfuscating PHP code before encoding so that it merely looks different will not achieve anything unless it makes functional changes to the code. Remember that source code is gone with compiled encoding, and "decoding" sites work by recreating what the source code could have been by decompiling the compiled code. Encoders such as ionCube compile the code incorrectly, as if your source was functionally different so making accurate reversing rather harder, but ultimately any technique can be reverse engineered and understood. Disclosure: I am associated with ionCube.
@Nick Hi Nick, thanks for the info. Have you seen decry.pt? It works on earlier versions of ionCube; it returns the original source code as it is, no re-creation there, I've tried it myself. From your comment I assume that in the current version of ionCube this is not possible anymore, is that right? I've seen a --obfuscate flag in the encode command, is that required?
@f.farah Yes; we know that site and have a copy of their PHP and C sources. Original PHP is not returned because files are always compiled, but PHP bytecode is high level and quite easy to decompile. Along with a non-standard compiler and executor, protection tools aim to make the bytecode hard to find and work with. Some new techniques in ionCube 9 change the game, but as long as a runtime environment can be observed, total protection can never be assured. Even so, increased revenue from "happy to pay" customers with an effective licensing scheme is likely vs. distributing unlicensed code.
