Topic: Protect php source code

[miracle_potential]

Wow over 30 days since the last post!

I'm very interested in encrypting my PHP code as well as you say to prevent a client from buying and just editing it themselves.

Only software I know that does this is Zend. I will look into it though and let you all know 

[keeB]

I think it's pretty useless.

If you write anything of any value, it would come with a support contract.

From a business perspective, it makes so much more sense to pay the creator than to pay someone who works for me to:
a) learn the framework/code and
b) confident enough not to break anything when making an update.

As an employee, I don't want that responsibility, either. I would much rather have the vendor support the product because he is liable for breaking old functionality and ensuring proper cycles are invested in the new stuff

[miracle_potential]

I see your point but when your programming a piece of software fair gain to anyone doing what Smarty did and stuff but strict web applications being sold as software would be good to encrypt it I mean you dont get the source for the games you buy do ya

As a vendor it interests me to protect my work from code thieves too

 

[br0ken]

I think it's pretty useless.

If you write anything of any value, it would come with a support contract.

From a business perspective, it makes so much more sense to pay the creator than to pay someone who works for me to:
a) learn the framework/code and
b) confident enough not to break anything when making an update.

As an employee, I don't want that responsibility, either. I would much rather have the vendor support the product because he is liable for breaking old functionality and ensuring proper cycles are invested in the new stuff

Unfortunately not everyone thinks like you do my friend. A few years ago in my student days I developed an eCommerce client for a company. After a few months of providing support they found someone who would do it for much cheaper so cut ties with me and kept the software. Now days I include a self-destruct sequence in all my code just incase that happens again!

I'm totally new to PHP code encryption so if any one could point out some good tutorials or concepts I should learn about that would be great! If I do get anything I'll post it here.

[keeB]

I think it's pretty useless.

If you write anything of any value, it would come with a support contract.

From a business perspective, it makes so much more sense to pay the creator than to pay someone who works for me to:
a) learn the framework/code and
b) confident enough not to break anything when making an update.

As an employee, I don't want that responsibility, either. I would much rather have the vendor support the product because he is liable for breaking old functionality and ensuring proper cycles are invested in the new stuff

Unfortunately not everyone thinks like you do my friend. A few years ago in my student days I developed an eCommerce client for a company. After a few months of providing support they found someone who would do it for much cheaper so cut ties with me and kept the software. Now days I include a self-destruct sequence in all my code just incase that happens again!

I'm totally new to PHP code encryption so if any one could point out some good tutorials or concepts I should learn about that would be great! If I do get anything I'll post it here.

I think thats ultimately your fault. Or, I have a different/better sense of business. If you planned on having a managed service you would get in to contract for product fee + support for X period. If you didn't plan on having a managed service, the price of your software should go up. If they come to you for more business, awesome. If they don't, you should have still made money.

I'll let you guys play in your sandbox, though.

[un00]

*bump*

Unless someone got access to the actual file, they can't view the php source code anyway, so why need to encrypt it, or does it mean HTML as well?

I think he means his HTML/CSS

[iFX]

use your logic brotha,
its quite easy

[azrael_valedhel]

To encrypt php source files is not the problem, the problem is that when you decrypt your php files in an extension library you will have to parse the decrypted php code to a script to be eval'ed.

sometin like this:
<?PHP
dl('cryptor.so');
eval(decryptFile('myEncryptedFile.php'));
?>

Should you want to sell this code to a customer, they can easily just echo the contents of decryptFile('filename'); and view the source. So this was a bad idea to start off with.

My next challenge is going to be to try and modify the Zend Engine to be able to accept either a normal php file or an encrypted php file. By doing this i should be able to give a customer a new php library as well as encrypted files which would not interfere with his current php files. Please give me your thoughts on this.

Well, you can do the call with call_user_function() inside the extension to decipher the file, and zend_eval_string() to run the code, so no echo there.

[btherl]

There's a fundamental problem in that the code must be decrypted on the customer's machine.  So it's a question of how well you can obfuscate the process, rather than making it impossible for the customer to access unencrypted code.

Distributing compiled code (in the way that Xcache and APC store compiled code) will go some way to obfuscating.  That means the customer has to reverse engineer the code to get source without variable names, and possible with incorrect structure as well (due to optimizations or ambiguous object code).

Then if you're serious you can have code which decrypts code which decrypts the real program.  That's the kind of thing programmers would do on the old Apple II and similar PCs to stop people copying their games.  Rarely will people have the knowledge and time to go through two layers, only to find that they get compiled code that they have to decompile.

Then you can go extreme and write your own self-modifying assembly code to decrypt the program .. that will drive people crazy   Even when they view that code, they can't see what it really does until they run it (or simulate running it).

These are all obfuscation ideas, because that's what you need here, rather than foolproof encryption.


keeB, you're making the assumption that your clients know what's best for them

[Markh789]

This is why I'm trying to learn how to make PHP Extensions
I want to do the same thing, though using an algorithm like IonCube dose

[keeB]

keeB, you're making the assumption that your clients know what's best for them

Isn't it my job as a vendor to advise my clients when buying my software? As I said, if you're smart you lose nothing. Drop the price in lieu of a support contract, or increase the price for a 1-off.

Win win.

[448191]

If you're going to make a PHP extension, make one that includes a function for compiling a php string to opcodes (e.g. opcode_compile()), and a function that can execute a string containing opcodes (e.g. opcode_eval()).

Should be a mayor performance booster.

Now THAT I would have interest in.

EDIT: Apparently, something already exists: http://nl.php.net/manual/en/intro.bcompiler.php. Supposedly not stable though.

[techcone]

@devreflex2004

Same problem , once client just ran away taking my script and not paying any money too

Original Code -> Base64 Encode -> DES Encrypt -> Encrypted Code [Encryption Process]

Encrypted Code -> DES Decrypt -> Base 64 Decode -> Original Code [Decryption Process]

I will try to use this .

[keeB]

How that ever happens is beyond me .. ;x

[hamza]

Password protection on every file and folder.Is also gøod idea.