PHP Code Encryption Optimization or Obfuscation

When you want to hide your code from people who may steal it, but you still want to release your script so that other people can use it, there are several main techniques you can use.

There’s the Zend Optimizer, IonCube / Loader, and then there’s simple obfuscation or encryption within your code. I’ve used the easiest and most compatible method of the last concept, with reasonably good success – at least for my tastes, considering that the script was really not a big deal.

However, while I knew the “encryption” is not unbreakable, I had little or no idea as to how you could actually go about reverse engineering this code such that you could view the source.

Then I got this email:

I replaced eval with echo htmlentities and source code was available – and I thought I don't have to mail you at all!

You might not understand what this means, but to me: it’s quite interesting.

OK, here’s another, clearer explanation / version:

I replaced your eval() function with print() and printed the source of your code onto the page. Heh. Thanks anyways!

D’oh! Maybe it’s not as good as I’d imagined.
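
Why the eval() swap works so easily, as an added example (not code from this post or its commenters): the decoder chain sits in plain sight, so the source can be recovered statically without ever running the script, which is also how you would review an encoded third-party script before deploying it. The wrapper shape (eval over base64_decode / gzinflate / strrev) and the sample script are assumptions constructed here; the post does not say which encoding was used.

```python
import base64
import re
import zlib

# PHP functions commonly chained inside eval(), mapped to Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
    "strrev": lambda b: b[::-1],
}

# eval(f1(f2(...('literal')...))); with a single- or double-quoted literal.
WRAPPER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2[\s)]*;", re.S)

def peel_once(src):
    """Decode one eval() layer statically; return None if no wrapper is found."""
    m = WRAPPER.search(src)
    if m is None:
        return None
    data = m.group(3).encode("latin-1")
    for name in reversed(re.findall(r"\w+", m.group(1))):  # innermost call first
        if name not in DECODERS:
            raise ValueError("unsupported decoder in chain: " + name)
        data = DECODERS[name](data)
    return data.decode("utf-8", "replace")

def unwrap(src, max_layers=20):
    """Peel nested layers; return (innermost source, number of layers removed)."""
    layers = 0
    while layers < max_layers:
        inner = peel_once(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers

def raw_deflate(data):
    """Produce what PHP's gzdeflate() would: a headerless DEFLATE stream."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

# Constructed sample: a two-layer "protected" script built for this example.
PAYLOAD = 'echo "hello from the protected script";'
LAYER1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw_deflate(PAYLOAD.encode())).decode()
SAMPLE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(LAYER1.encode()).decode()

if __name__ == "__main__":
    print(unwrap(SAMPLE))
```

Nothing in the chain depends on a secret, so anyone holding the file holds everything needed to decode it.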

2 Responses to “PHP Code Encryption Optimization or Obfuscation”

  1. Sinica says:

    You should think about a real obfuscator like the one from semantic design or Obfusc (obfusc.com). They replace user identifiers with nonsense names. It is harder to do correctly but is not reversible as with encoders.
    An additional encoder as you used is good too, but offers little protection against somebody who is dedicated to seeing your code :)
    I recommend Obfusc, it is my tool and I’m proud of it :)

  2. Jay says:

    I have to agree with Sinica, Obfusc appears to be a very kool program that not only scrambles variables and so on but also encrypts the code…

    I have to also warn people off codelock.co.nz (script name PHP CodeLock) there are many problems with this software the main one being they also use the eval() but the biggest problem that has not been addressed since its development (2007) is regardless if your php script uses the deprecated function eregi() – codelock does use it and embeds it into your encrypted scripts so be warned… many servers with the new php version will not run any of the scripts because of the deprecated function eregi()

    Some of the hardcore encryption methods – such as Zend Optimizer, IonCube / Loader are very expensive and may need additional items to be installed on the server for both you and customers who use your scripts so take care again :)

    For the cash Obfusc appears to be a strong contender, not many crackerz out there would want to spend time decrypting the script and then trying to figure out the obfuscation to reverse engineer it lol

    I guess you have to weigh up the pros and cons – like how much are you selling your scripts for… if you sell scripts at say $50 each then it makes no sense to spend a packet on Zend Optimizer or IonCube – this is just overkill and a waste of your hard-earned cash

    :)
