Author Topic: Protect php source code  (Read 68594 times)


Offline o3d (Topic starter)

Protect php source code
« on: February 14, 2007, 12:09:36 AM »
Does anyone have a better idea to protect PHP files so that you can distribute a 'release' without the customer being able to read the source files? There are tools on the internet which cost money, BUT you are dependent on their software and if it's not open source, it's not trustworthy.

What I've done so far is writing an ISAPI DLL in borland cpp and installed it under iis6. Basically you call this ISAPI dll and it decrypts the encrypted php files and executes them respectively. It is thread safe (as is php). There are other methods available on the net that you use to encrypt your pages, BUT the decryption algorithm is found in your main php file and duh, if you can read the main file, you can easily decrypt all other files, so that is a bad idea. Any other ideas? Possibly to write a PHP extension perhaps but I have not been able to get that working on borland cpp.
the more you know the more you know you don't know

Offline fert

Re: Protect php source code
« Reply #1 on: February 14, 2007, 10:18:26 PM »
you can compile php into byte code.

Si hoc legere scis nimium eruditionis habes
Gentoo Linux 2007.0 Firefox 2

Offline worldworld

Re: Protect php source code
« Reply #2 on: February 27, 2007, 01:54:49 AM »
Try PHP Encoder to protect, encrypt and encode your PHP source code assets. Includes encryption, protection, security and obfuscation. More details are here..
>> Best Java Tips (http://www.java-tips.org) <<

Offline dr4g

Re: Protect php source code
« Reply #3 on: April 13, 2007, 11:33:37 AM »
In the mean time i will google.
However, how would one compile into byte code?
And if someone has the byte code, are they able to reverse engineer it into PHP source?
Thanks.

Offline JustinMs66@hotmail.com

Re: Protect php source code
« Reply #4 on: April 25, 2007, 11:40:34 PM »
i was going to create a topic on this myself. good thing i searched first ;-)
i am bumping this because i have a question:

is there a way to encrypt your php code without paying for a program that does it?

Offline thorpe

Re: Protect php source code
« Reply #5 on: April 26, 2007, 07:34:20 AM »
Quote
is there a way to encrypt your php code without paying for a program that does it?

Write your own. I don't think there is currently any free php encrypting software.

Offline o3d (Topic starter)

Re: Protect php source code
« Reply #6 on: July 26, 2007, 01:49:34 AM »
To encrypt php source files is not the problem, the problem is that when you decrypt your php files in an extension library you will have to parse the decrypted php code to a script to be eval'ed.

Something like this:
<?PHP
dl('cryptor.so');
eval(decryptFile('myEncryptedFile.php'));
?>

Should you want to sell this code to a customer, they can easily just echo the contents of decryptFile('filename'); and view the source. So this was a bad idea to start off with.

My next challenge is going to be to try and modify the Zend Engine to be able to accept either a normal php file or an encrypted php file. By doing this i should be able to give a customer a new php library as well as encrypted files which would not interfere with his current php files. Please give me your thoughts on this.
the more you know the more you know you don't know

Offline phpmadman

Re: Protect php source code
« Reply #7 on: July 30, 2007, 05:02:45 PM »
I have been trying to decode using base64 but was unsuccessful.  What is the proper way to decode base64?  Here is the file I am trying to decode.

<?php $_F=__FILE__;$_X='P0Q+P1lUWQ0gdSoJdElySy1JeEtjWXctS31Hb3pZVFkJKnUNIElySUljdkdfSXd9S3coKTsNIA0gY0d4MXQucigndElySy1JeEtjWXctSVR9S3IuemNHeHpZVFknKTsNIA0gJC5zLUR9Li5fS31Hb2NHaigkX008TmgzJ2NCfWpyYy4nUiw2JF9NPE5oMyd9MXN0QmMuJ1IsNiRfTTxOaDMnS31Hb0p9MXRyJ1IpOw0gDSANID9E';$_D=strrev('edoced_46esab');eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YL Cd1VzVQOFZrb2xjSFFTWHkyRm0gNFJ0Cnc8MGhiM11nSmpwRT ZNZjc9VT5LTGlBR3hhMXo5WmRldltuTy5zWVRESU57Q31CcXI vJywnL0QwNTN4Mms5aVZNezdacTRHCkpddUF0T0JUNltFSHZn S1ggUH04akw8cj15MW5jUWwuTndXVW9SSUZkYnBoPnNTWXphb UNlZicpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi 4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
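
Added example (not part of the thread and not any poster's code): the file posted above has a recognisable loader shape, where `$_X` holds a Base64 blob, `strrev('edoced_46esab')` spells `base64_decode`, and the `eval` argument is a second Base64 stage that decodes `$_X` and passes it through `strtr`. The Python sketch below peels that shape statically, without executing any PHP; the sample loader built by `make_sample` and its substitution table are constructed for the demo.

```python
import base64
import re

PHP_STR = r"'((?:[^'\\]|\\.)*)'"   # a single-quoted PHP string literal


def unquote(lit):
    """Undo the two escapes PHP honours inside single quotes (quote, backslash)."""
    return re.sub(r"\\(['\\])", r"\1", lit)


def php_strtr(text, src, dst):
    """Three-argument PHP strtr(): character-for-character substitution."""
    return text.translate({ord(a): b for a, b in zip(src, dst)})


def b64(text):
    # Long blobs often pick up stray spaces or line breaks when copied; drop them.
    return base64.b64decode(re.sub(r"\s+", "", text)).decode("latin-1")


def unwrap(loader):
    """Peel the loader statically and return [stage_source, payload_source].

    Nothing is eval'ed; the PHP is only pattern-matched and decoded.
    """
    blob = re.search(r"\$_X\s*=\s*" + PHP_STR, loader)
    alias = re.search(r"\$(\w+)\s*=\s*strrev\(\s*" + PHP_STR, loader)
    if not blob or not alias or unquote(alias.group(2))[::-1] != "base64_decode":
        raise ValueError("not the loader shape this example handles")
    call = re.search(r"eval\(\s*\$" + alias.group(1) + r"\(\s*" + PHP_STR, loader)
    if not call:
        raise ValueError("no eval() of an encoded stage found")
    stage = b64(call.group(1))
    payload = b64(blob.group(1))
    # The stage names the substitution table it applies to the decoded blob.
    table = re.search(
        r"strtr\(\s*\$_X\s*,\s*" + PHP_STR + r"\s*,\s*" + PHP_STR, stage)
    if table:
        payload = php_strtr(payload, unquote(table.group(1)),
                            unquote(table.group(2)))
    # The str_replace of __FILE__ in the stage only patches a path; it is skipped.
    return [stage, payload]


def make_sample(source):
    """Build a constructed loader of the same shape (demo input only)."""
    src, dst = "abcdefghijklmnopqrstuvwxyz", "qwertyuiopasdfghjklzxcvbnm"
    enc = lambda s: base64.b64encode(s.encode("latin-1")).decode()
    stage = ("$_X=base64_decode($_X);$_X=strtr($_X,'%s','%s');"
             "$_R=str_replace('__FILE__',\"'\".$_F.\"'\",$_X);eval($_R);"
             % (src, dst))
    hidden = enc(php_strtr(source, dst, src))  # inverse table; strtr() restores it
    return ("<?php $_F=__FILE__;$_X='%s';$_D=strrev('edoced_46esab');"
            "eval($_D('%s'));?>" % (hidden, enc(stage)))


if __name__ == "__main__":
    for layer in unwrap(make_sample("<?php echo 'hello'; ?>")):
        print(layer)
```
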

Offline SpireLink

Re: Protect php source code
« Reply #8 on: September 23, 2007, 09:19:28 PM »
I wonder why do you want to release an encrypted software? IMHO I would release it open so the users will be able to develop plugins to the software that could be used as a feature in the next release just like what vBulletin did, but on the other hand protect the copyrights of the original code ..


Offline d.shankar

Re: Protect php source code
« Reply #9 on: October 02, 2007, 05:25:33 AM »
Quote from: SpireLink
I wonder why do you want to release an encrypted software? IMHO I would release it open so the users will be able to develop plugins to the software that could be used as a feature in the next release just like what vBulletin did, but on the other hand protect the copyrights of the original code ..

Hello SpireLink.. Actually the author of the topic is trying to create something more secure .. so such things have to be encrypted in order to protect from other users..

Will this help ??

Original Code -> Base64 Encode -> DES Encrypt -> Encrypted Code [Encryption Process]

Encrypted Code -> DES Decrypt -> Base 64 Decode -> Original Code [Decryption Process]
There are no rules when you kill for money. Signed in Blood.

Please someone help me solve this topic
http://www.phpfreaks.com/forums/index.php/topic,271648.0.html

Offline o3d (Topic starter)

Re: Protect php source code
« Reply #10 on: October 15, 2007, 09:54:08 AM »
Hi d.shankar,

The problem i'm still having is at some point, you will have to eval your decrypted code. At this point, any person with some php sense would be able to just echo whatever is sent to the eval function and that would be clear php text (except in obfuscation of course, but can be interpreted still).

What needs to be done is to modify the zend file parser process to accept two types of files, clear text php and encrypted php files (which can be identified by a possible fixed header in the encrypted file). Unfortunately this involves serious understanding about zend (which i don't have, but am learning very quickly). You will need to give a custom php-release for each customer who will then be able to interpret your encrypted php code.

Will keep everybody updated as to my progress, but it's going slow, so anyone with more experience is welcome to help.
the more you know the more you know you don't know

Offline d.shankar

Re: Protect php source code
« Reply #11 on: October 16, 2007, 12:27:15 AM »
If you have found the solution to your problem do come and post here o3d.
So it will be really helpful.
There are no rules when you kill for money. Signed in Blood.

Please someone help me solve this topic
http://www.phpfreaks.com/forums/index.php/topic,271648.0.html

Offline helraizer

Re: Protect php source code
« Reply #12 on: December 02, 2007, 04:03:05 PM »
*bump* :D

Unless someone got access to the actual file, they can't view the php source code anyway, so why need to encrypt it, or does it mean HTML as well?


There are 10 types of people in this world.
1) Those who understand binary
-and-
2) those who don't.

Offline SyncViews

Re: Protect php source code
« Reply #13 on: December 11, 2007, 09:43:13 AM »
I think the problem is he doesn't want the files to be based on his site but to be "sold" to the customers (like when you buy software you get an .exe quite often which is really hard to reverse engineer and you will never get the exact source code out of it).

Offline devreflex2004

Re: Protect php source code
« Reply #14 on: March 22, 2008, 10:32:46 AM »
If it will be possible, it will be good news for the freelancers, so that the client can't go away without paying, because he has to come back for paying, whenever he needs enhancement. :)

Offline miracle_potential

Re: Protect php source code
« Reply #15 on: June 28, 2008, 12:16:25 PM »
Wow over 30 days since the last post!

I'm very interested in encrypting my PHP code as well as you say to prevent a client from buying and just editing it themselves.

Only software I know that does this is Zend. I will look into it though and let you all know  ;)
I sold your soul to make room for all my cynicism
I don't test the code I post for answers

Offline keeB

Re: Protect php source code
« Reply #16 on: June 28, 2008, 04:54:19 PM »
I think it's pretty useless.

If you write anything of any value, it would come with a support contract.

From a business perspective, it makes so much more sense to pay the creator than to pay someone who works for me to:
a) learn the framework/code and
b) confident enough not to break anything when making an update.

As an employee, I don't want that responsibility, either. I would much rather have the vendor support the product because he is liable for breaking old functionality and ensuring proper cycles are invested in the new stuff :)
Come visit my site to see my latest projects
http://nick.stinemates.org/wordpress/

Offline miracle_potential

Re: Protect php source code
« Reply #17 on: June 29, 2008, 09:47:33 AM »
I see your point but when you're programming a piece of software fair gain to anyone doing what Smarty did and stuff but strict web applications being sold as software would be good to encrypt it I mean you don't get the source for the games you buy do ya ;)

As a vendor it interests me to protect my work from code thieves too ;)

 ::)
I sold your soul to make room for all my cynicism
I don't test the code I post for answers

Offline br0ken

Re: Protect php source code
« Reply #18 on: June 29, 2008, 04:13:19 PM »
Quote from: keeB
I think it's pretty useless.

If you write anything of any value, it would come with a support contract.

From a business perspective, it makes so much more sense to pay the creator than to pay someone who works for me to:
a) learn the framework/code and
b) confident enough not to break anything when making an update.

As an employee, I don't want that responsibility, either. I would much rather have the vendor support the product because he is liable for breaking old functionality and ensuring proper cycles are invested in the new stuff :)

Unfortunately not everyone thinks like you do my friend. A few years ago in my student days I developed an eCommerce client for a company. After a few months of providing support they found someone who would do it for much cheaper so cut ties with me and kept the software. Nowadays I include a self-destruct sequence in all my code just in case that happens again!

I'm totally new to PHP code encryption so if anyone could point out some good tutorials or concepts I should learn about that would be great! If I do get anything I'll post it here.

Offline keeB

Re: Protect php source code
« Reply #19 on: June 29, 2008, 05:23:54 PM »
Quote from: keeB
I think it's pretty useless.

If you write anything of any value, it would come with a support contract.

From a business perspective, it makes so much more sense to pay the creator than to pay someone who works for me to:
a) learn the framework/code and
b) confident enough not to break anything when making an update.

As an employee, I don't want that responsibility, either. I would much rather have the vendor support the product because he is liable for breaking old functionality and ensuring proper cycles are invested in the new stuff :)

Quote from: br0ken
Unfortunately not everyone thinks like you do my friend. A few years ago in my student days I developed an eCommerce client for a company. After a few months of providing support they found someone who would do it for much cheaper so cut ties with me and kept the software. Nowadays I include a self-destruct sequence in all my code just in case that happens again!

I'm totally new to PHP code encryption so if anyone could point out some good tutorials or concepts I should learn about that would be great! If I do get anything I'll post it here.

I think that's ultimately your fault. Or, I have a different/better sense of business. If you planned on having a managed service you would get in to contract for product fee + support for X period. If you didn't plan on having a managed service, the price of your software should go up. If they come to you for more business, awesome. If they don't, you should have still made money.

I'll let you guys play in your sandbox, though.
Come visit my site to see my latest projects
http://nick.stinemates.org/wordpress/

Offline un00

Re: Protect php source code
« Reply #20 on: July 05, 2008, 06:07:37 PM »
Quote from: helraizer
*bump* :D

Unless someone got access to the actual file, they can't view the php source code anyway, so why need to encrypt it, or does it mean HTML as well?




I think he means his HTML/CSS

Offline iFX

Re: Protect php source code
« Reply #21 on: July 08, 2008, 10:40:02 AM »
use your logic brotha,
its quite easy :)

Offline azrael_valedhel

Re: Protect php source code
« Reply #22 on: August 10, 2008, 09:40:18 AM »
Quote from: o3d
To encrypt php source files is not the problem, the problem is that when you decrypt your php files in an extension library you will have to parse the decrypted php code to a script to be eval'ed.

Something like this:
<?PHP
dl('cryptor.so');
eval(decryptFile('myEncryptedFile.php'));
?>

Should you want to sell this code to a customer, they can easily just echo the contents of decryptFile('filename'); and view the source. So this was a bad idea to start off with.

My next challenge is going to be to try and modify the Zend Engine to be able to accept either a normal php file or an encrypted php file. By doing this i should be able to give a customer a new php library as well as encrypted files which would not interfere with his current php files. Please give me your thoughts on this.

Well, you can do the call with call_user_function() inside the extension to decipher the file, and zend_eval_string() to run the code, so no echo there.

Offline btherl

Re: Protect php source code
« Reply #23 on: August 13, 2008, 12:21:48 AM »
There's a fundamental problem in that the code must be decrypted on the customer's machine.  So it's a question of how well you can obfuscate the process, rather than making it impossible for the customer to access unencrypted code.

Distributing compiled code (in the way that Xcache and APC store compiled code) will go some way to obfuscating.  That means the customer has to reverse engineer the code to get source without variable names, and possibly with incorrect structure as well (due to optimizations or ambiguous object code).

Then if you're serious you can have code which decrypts code which decrypts the real program.  That's the kind of thing programmers would do on the old Apple II and similar PCs to stop people copying their games.  Rarely will people have the knowledge and time to go through two layers, only to find that they get compiled code that they have to decompile.

Then you can go extreme and write your own self-modifying assembly code to decrypt the program .. that will drive people crazy :)  Even when they view that code, they can't see what it really does until they run it (or simulate running it).

These are all obfuscation ideas, because that's what you need here, rather than foolproof encryption.


keeB, you're making the assumption that your clients know what's best for them :)
Your php questions answered at Flingbits

Offline Markh789

Re: Protect php source code
« Reply #24 on: August 29, 2008, 10:05:05 PM »
This is why I'm trying to learn how to make PHP Extensions :P
I want to do the same thing, though using an algorithm like IonCube does

Offline keeB

Re: Protect php source code
« Reply #25 on: September 02, 2008, 04:08:55 AM »

Quote from: btherl
keeB, you're making the assumption that your clients know what's best for them :)

Isn't it my job as a vendor to advise my clients when buying my software? As I said, if you're smart you lose nothing. Drop the price in lieu of a support contract, or increase the price for a 1-off.

Win win.
Come visit my site to see my latest projects
http://nick.stinemates.org/wordpress/

Offline 448191

Re: Protect php source code
« Reply #26 on: September 03, 2008, 01:44:44 PM »
If you're going to make a PHP extension, make one that includes a function for compiling a php string to opcodes (e.g. opcode_compile()), and a function that can execute a string containing opcodes (e.g. opcode_eval()).

Should be a major performance booster.

Now THAT I would have interest in.

EDIT: Apparently, something already exists: http://nl.php.net/manual/en/intro.bcompiler.php. Supposedly not stable though.
« Last Edit: September 03, 2008, 05:31:17 PM by 448191 »

Offline techcone

Re: Protect php source code
« Reply #27 on: October 10, 2008, 05:15:20 AM »
@devreflex2004

Same problem , once client just ran away taking my script and not paying any money too :(

Quote from: d.shankar
Original Code -> Base64 Encode -> DES Encrypt -> Encrypted Code [Encryption Process]

Encrypted Code -> DES Decrypt -> Base 64 Decode -> Original Code [Decryption Process]

I will try to use this . :)

Offline keeB

Re: Protect php source code
« Reply #28 on: October 10, 2008, 11:11:33 PM »
How that ever happens is beyond me .. ;x
Come visit my site to see my latest projects
http://nick.stinemates.org/wordpress/

Offline hamza

Re: Protect php source code
« Reply #29 on: October 11, 2008, 05:20:06 AM »
Password protection on every file and folder is also a good idea.

Offline o3d (Topic starter)

Re: Protect php source code
« Reply #30 on: October 14, 2008, 09:43:39 AM »
finally! i might have some good news for some here. i created a whole project to encrypt/decrypt php files. i currently use it on my production rig.

some minor knowledge of php extension compiling is necessary so i would suggest getting the book "Extending And Embedding PHP".

http://www.phphideit.org
the more you know the more you know you don't know

Offline corbin

Re: Protect php source code
« Reply #31 on: October 16, 2008, 11:42:39 PM »
Hrmmm interesting.  I plan on checking it out later.
Why doesn't anyone ever say hi, hey, or whad up world?

Offline o3d (Topic starter)

Re: Protect php source code
« Reply #32 on: December 03, 2008, 01:23:29 AM »
Check out v2. It now includes a date expiry feature where you can specify a date (optional). When the encrypted script gets executed after this date the php extension will return with an expiry error. Php programmers will now have more control over their software. If you're not sure if a customer will pay, then give them e.g. a 1 month trial.

I would appreciate any criticism and suggestions regarding this project.
the more you know the more you know you don't know
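
Added example, not phphideit's code or file format: a Python model of the two ideas o3d describes in this thread, a fixed header that lets the loader tell encrypted files from plain PHP (Reply #10) and an optional expiry date (Reply #32). The header bytes, field layout, key and the SHA-256 keystream standing in for a real cipher are all assumptions; the MAC over the header and body is there so that the expiry field cannot simply be edited.

```python
import hashlib
import hmac
import os
import struct
import time

MAGIC = b"ENCPHP1\n"                      # hypothetical fixed header
MASTER = b"constructed-demo-key"          # stand-in for a key built into the extension
ENC_KEY = hashlib.sha256(b"enc" + MASTER).digest()
MAC_KEY = hashlib.sha256(b"mac" + MASTER).digest()
HEAD = len(MAGIC) + 8 + 16                # magic | expiry (u64, 0 = never) | nonce
TAG = 32                                  # HMAC-SHA256 over everything before it


def keystream(nonce, n):
    """SHA-256 in counter mode: a toy stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ENC_KEY + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:n]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(source, expiry=0):
    """Vendor side: wrap PHP source; expiry is a Unix timestamp or 0."""
    nonce = os.urandom(16)
    body = (MAGIC + struct.pack(">Q", expiry) + nonce
            + xor(source, keystream(nonce, len(source))))
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def load(blob, now=None):
    """Loader side: return (kind, php_source) or raise before decrypting."""
    if not blob.startswith(MAGIC):
        return "plain", blob               # ordinary PHP passes through untouched
    if len(blob) < HEAD + TAG:
        raise ValueError("truncated container")
    body, tag = blob[:-TAG], blob[-TAG:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header or body was modified")
    (expiry,) = struct.unpack(">Q", body[len(MAGIC):len(MAGIC) + 8])
    now = time.time() if now is None else now
    if expiry and now > expiry:
        raise PermissionError("script expired")
    nonce, ciphertext = body[len(MAGIC) + 8:HEAD], body[HEAD:]
    return "encrypted", xor(ciphertext, keystream(nonce, len(ciphertext)))


if __name__ == "__main__":
    trial = seal(b"<?php echo 'trial build'; ?>", expiry=int(time.time()) + 30 * 86400)
    print(load(trial))
    print(load(b"<?php echo 'plain file'; ?>"))
```

The key is still inside whatever ships to the customer, so this raises the effort required rather than making the source unrecoverable, and the expiry check trusts the local clock.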

Offline corbin

Re: Protect php source code
« Reply #33 on: December 03, 2008, 05:33:01 PM »
Ooo nifty.  I'll check it out later tonight.
Why doesn't anyone ever say hi, hey, or whad up world?

Offline peterjc

Re: Protect php source code
« Reply #34 on: February 07, 2009, 12:44:36 AM »
I am interested about the PHP hideit.  I am using windows actually.  can php hideit work on windows? I download the version 2 and use the hide.exe and may be encrypt successfully.  But i think to run the file correctly, we need the php extension(.dll) right? How to compile the php extension?


By the way. anyone here know how to compile php file into binary instead of encode or encrypt it?

Thank

Offline o3d (Topic starter)

Re: Protect php source code
« Reply #35 on: May 21, 2009, 12:54:33 AM »
Quote from: peterjc
I am interested about the PHP hideit.  I am using windows actually.  can php hideit work on windows? I download the version 2 and use the hide.exe and may be encrypt successfully.  But i think to run the file correctly, we need the php extension(.dll) right? How to compile the php extension?


By the way. anyone here know how to compile php file into binary instead of encode or encrypt it?

Thank

check this link http://forums.opensuse.org/programming-scripting/394951-compile-php-script-how.html as well as this http://en.wikipedia.org/wiki/PHP.

It basically says that you can use zend's closed-source solution Zend optimizer (http://www.zend.com/products/guard/optimizer/) to compile your scripts so that some performance gains can be achieved. I however doubt that you will notice any performance enhancement over a few hundred nanoseconds. But this might be a solution to your question. Wrt your question about the windows version, you'll need microsoft visual c or studio to build your extension. There are quite a few microsoft tutorials on the web. Let me know if you get it compiled so I can put it on the php hide it site  :)
the more you know the more you know you don't know

Offline jcostello

Re: Protect php source code
« Reply #36 on: May 27, 2009, 02:59:35 AM »
Quote from: o3d
if it's not open source, it's not trustworthy.

I hope you realize the irony here.

Offline WatsonN

Re: Protect php source code
« Reply #37 on: September 11, 2010, 02:11:36 PM »
I know this is an OLD topic but br0ken how exactly did you construct a self-destruct sequence in your code?
That sounds interesting.
Nathan Watson
to answer your question: Because it's supposed to.
Please mark your thread as SOLVED if you have found a solution to your problem