Author Topic: Online PHP Obfuscator (Read 4560 times)

lococobra · « **on:** July 13, 2007, 03:01:52 PM »

Thanks to your guy's help... I was able to get all that nasty regex stuff to work, and now...

PHP Obfuscator V.0.9 By Trappar is online!

The only way I've tested it is with the following options checked:
• Obfuscate variable names
• Remove strings from context
• Remove function names from context

So perhaps try different combinations... I'm guessing something's going to fail if for instance... you enable "Remove function..." but not "Remove strings..." and one of your functions is "file" and one of your strings contains the word "file".

Give it a shot, I think the code is pretty good... especially if you enable all the options. Just make sure you don't throw in anything that's not php!

lococobra · « **Reply #1 on:** July 13, 2007, 05:57:28 PM »

Up to version 0.9.2
Fixed problems:
• Accidental removal of whitespace in strings
• Accidental removal of whitespace around logical operators/special words: as|and|or|xor

lococobra · « **Reply #2 on:** July 14, 2007, 03:11:18 PM »

*Bump* Someone mind testing this?

source · « **Reply #3 on:** July 14, 2007, 04:15:36 PM »

I dont understand.. how would this be useful?

If you're changing a variable name thats... pointless?

lococobra · « **Reply #4 on:** July 14, 2007, 09:05:13 PM »

Try doing some research next time before making an ass out of yourself.

http://en.wikipedia.org/wiki/Obfuscated_code

source · « **Reply #5 on:** July 14, 2007, 10:18:31 PM »

again: whats the point of this, instead of linking me to wikipedia which means NOTHING. because it still doesn't answer my question.

WHAT IS THE POINT OF THIS: CHANGING A VARIABLE NAME?

lococobra · « **Reply #6 on:** July 14, 2007, 10:41:40 PM »

Quoted from the first paragraph of the link I gave you

"Macro preprocessors are often used to create hard to read code by masking the standard language syntax and grammar from the main body of code."

AKA...
It makes the code harder to read because $userPassword is easier to read than $xRY

This is to protect your code from devious people who try to steal and modify it, then claim it was their own creation.

source · « **Reply #7 on:** July 14, 2007, 10:52:54 PM »

anyone with any programming skill will be able to figure out what the variable is for.

lococobra · « **Reply #8 on:** July 14, 2007, 11:09:54 PM »

Once I'm done with coding the php obfuscator, I'll give you one of it's outputs and we'll see if you can figure out what it does or not.

But for now... just as an example, here's the output of what I'd consider a pretty non-effective php obfuscator.

Tell me what this code does...

Code: [Select]


<?if(isset($_GET['aajs'])){  header('Content-Type: text/javascript');?>var f;var k=m();function m(){if(typeof XMLHttpRequest!='undefined'){return new XMLHttpRequest();}try{return new ActiveXObject("Msxml2.XMLHTTP");}catch(e){try{return new ActiveXObject("Microsoft.XMLHTTP");}catch(e){}}return false;};function ajaxCall(r,j,o){if(document.getElementById('ajaxer').innerHTML=='Ajax by ajaxer.v.1.2'){f="ret_"+j;f=f.replace("ajax_","");d=j;for(i=2;i<arguments.length;i++){n=arguments[i].replace('^',':&ca&:');d+='^'+n;}d=r+'?aacall='+encodeURIComponent(d);k.open("GET",d,true);k.onreadystatechange=l;k.send(null);}};function l(){if(k.readyState==4){if(k.status==200){var c=k.responseText;var g=new Array();if(c.search('<body>')!= -1){g=c.split('<body>');c=g[1];}if(c.search('</body>')!= -1){g=c.split('</body>');c=g[0];}c=c.replace(/\n/gi,"\\n");c=f+'("'+c+'");';eval(c);}else{if(k.status!=0)alert('There was a problem with the request.');}}}<?exit;}if(isset($_GET['aacall'])){header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");header("Cache-Control:no-store,no-cache,must-revalidate");$R7633668866BAA355046277DB052802D1=explode('^',urldecode($_GET['aacall']));if((strpos($R7633668866BAA355046277DB052802D1[0],'ajax')!==FALSE)&&(strpos($R7633668866BAA355046277DB052802D1[0],'$')===FALSE)){if(count($R7633668866BAA355046277DB052802D1)>1){$RFD72CDF4D642A09A9584BEFCAE1E3901=$R7633668866BAA355046277DB052802D1[0]."(";for($RA16D2280393CE6A2A5428A4A8D09E354=1;$RA16D2280393CE6A2A5428A4A8D09E354<count($R7633668866BAA355046277DB052802D1);$RA16D2280393CE6A2A5428A4A8D09E354++){$R2779E0D347183D4A2DB54462481A119A=str_replace(':&ca&:','^',$R7633668866BAA355046277DB052802D1[$RA16D2280393CE6A2A5428A4A8D09E354]);$RFD72CDF4D642A09A9584BEFCAE1E3901.="'".str_replace('\'','\\\'',stripslashes($R2779E0D347183D4A2DB54462481A119A))."',";}$RFD72CDF4D642A09A9584BEFCAE1E3901=substr($RFD72CDF4D642A09A9584BEFCAE1E3901,0,strlen($RFD72CDF4D642A09A9584BEFCAE1E3901)-1).');';}else $RFD72CDF4D642A09A9584BEFCAE1E3901=$R7633668866BAA355046277DB052802D1[0].'();';eval($RFD72CDF4D642A09A9584BEFCAE1E3901);}else echo'Invalid ajax request';exit;}function callJS(){$R076717F69D409259123CEEB7BF5199C8 = substr(__FILE__,1);$RBAB9B407390B80607957164370BE6A3C=substr($_SERVER['SCRIPT_FILENAME'],1);$RE9F06793F8BF0D7E8201B73A7DFBAAB3=substr_count($R076717F69D409259123CEEB7BF5199C8,'/');for($RA16D2280393CE6A2A5428A4A8D09E354=0;$RA16D2280393CE6A2A5428A4A8D09E354<=$RE9F06793F8BF0D7E8201B73A7DFBAAB3;$RA16D2280393CE6A2A5428A4A8D09E354++){if(substr($R076717F69D409259123CEEB7BF5199C8,0,strpos($R076717F69D409259123CEEB7BF5199C8,'/'))==substr($RBAB9B407390B80607957164370BE6A3C,0,strpos($RBAB9B407390B80607957164370BE6A3C,'/'))){$R076717F69D409259123CEEB7BF5199C8=substr($R076717F69D409259123CEEB7BF5199C8,strpos($R076717F69D409259123CEEB7BF5199C8,'/')+1);$RBAB9B407390B80607957164370BE6A3C=substr($RBAB9B407390B80607957164370BE6A3C,strpos($RBAB9B407390B80607957164370BE6A3C,'/')+1);}if(strpos($R076717F69D409259123CEEB7BF5199C8,'/')===FALSE)break;}echo'<script language="JavaScript" type="text/javascript" src="./'.$R076717F69D409259123CEEB7BF5199C8.'?aajs=true"></script>'."\n";}?>

keeB · « **Reply #9 on:** July 15, 2007, 12:21:56 AM »

locobra, don't let source get to you, he's obviously misinformed

I'm very interested in testing this out for you, but the onfuscator is OFFLINE!

chronister · « **Reply #10 on:** July 15, 2007, 12:38:37 AM »

not to be a naysayer or anything, but what is the point of obsfucating php code. Since it is handled on the server... to the best of my knowledge, there is no way for a person to get your php code unless they have ftp access to your server.

am I wrong here?

I am not trying to belittle the work you have done here as it's more than I could do, I am asking more for learning purposes.

What is the benefit of this?

Thanks,

Nate

keeB · « **Reply #11 on:** July 15, 2007, 12:58:26 AM »

chronister -- what if you develop on a common framework and sell it to companies with a support contract...

many more ideas come to mind..

chronister · « **Reply #12 on:** July 15, 2007, 01:02:54 AM »

ok... I can see that...

Never thought of it like that

thanks

lococobra · « **Reply #13 on:** July 15, 2007, 01:13:31 AM »

I'm mainly developing this to obfuscate an AJAX handler that I've developed, and also because most the ones I found previously did not meet my expectations. I'm having some problems with the code at the moment because of a new feature I'm trying to add... but I'll get it back online ASAP.

New feature: String obfuscation using escape sequences.

Hopefully up within an hour and a half >_>

source · « **Reply #14 on:** July 15, 2007, 01:31:15 AM »

I was not trying bash your work you attacked me first by calling me an "ass"...

asking a question and getting called an ass and attacked shows something about you.

News:

Author Topic: Online PHP Obfuscator (Read 4560 times)

lococobra

Online PHP Obfuscator

lococobra

Re: Online PHP Obfuscator

lococobra

Re: Online PHP Obfuscator

source

Re: Online PHP Obfuscator

lococobra

Re: Online PHP Obfuscator

source

Re: Online PHP Obfuscator

lococobra

Re: Online PHP Obfuscator

source

Re: Online PHP Obfuscator

lococobra

Re: Online PHP Obfuscator

keeB

Re: Online PHP Obfuscator

chronister

Re: Online PHP Obfuscator

keeB

Re: Online PHP Obfuscator

chronister

Re: Online PHP Obfuscator

lococobra

Re: Online PHP Obfuscator

source

Re: Online PHP Obfuscator