SitePoint Sponsor

User Tag List

Page 3 of 5 FirstFirst 12345 LastLast
Results 51 to 75 of 111
  1. #51
    SitePoint Enthusiast
    Join Date
    May 2003
    Location
    Houston
    Posts
    28
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by bgardner333
    Ah, but the zend encoder can be cracked as well (and as far as the whole
    encoding thing, I realize that there is no way to be really secure using a PHP include, as the PHP include is just gzipped/base64'd 20+ times.

    That is why I am writing a PHP extension module (dynamically loadable, of course) to address these issues. People can then customize their encryption methods.
    Actually zend encoder cannot be cracked...sorta Since it is converted into bytecode, php doesn't need to interpret and compile it. PHP directly runs that code. You will never be able to reverse engineer the code to the way it was first written...ever... its simply not possible. It is possible to product some code that would work the same but it would be highly cryptic and unreadable. You wouldn't be able to feed it directly into php... you would have to be able to interpret php's high level constructs.

    Your method can easily be reverse engineered to produce the original source code without any advanced programming knowlege. It can be done directly with a 1 line php statement. It may deter noob php programmers but isn't suitable for the professional world because:

    1) Easily reverse engineered. No way to truly protect it using your method.
    2) Increases runtime significantly. Probably over 100% in most cases. Zend optimizer actually speeds execution up over 7 times

    It is a cool experiment in php but you should warn users that it can be bypassed and professional solutions should utilize zend encoder.

    The php module could help but not if you use the same method as you are doing now. You would have to convert it to some type of proprietary binary format. Problem is, your project is open source... so that makes it easier to reverse engineer.

    The only way to make it hard to reverse engineer is to bypass the php interpreter and feed it bytcode directly.

    Cool experiment... just put a notice on the site that it can be reverse engineered and shouldn't be used in a professional environment

  2. #52
    SitePoint Evangelist Daijoubu's Avatar
    Join Date
    Oct 2002
    Location
    Canada QC
    Posts
    454
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Actually, the Zend optimizer slow down more than speeds up
    The time it takes to "optimize" your code out weight the benefits (gain)

    The Zend Accelerator/PS is another story though...
    Speed & scalability in mind...
    If you find my reply helpful, fell free to give me a point

  3. #53
    SitePoint Enthusiast
    Join Date
    May 2003
    Location
    Houston
    Posts
    28
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Daijoubu
    Actually, the Zend optimizer slow down more than speeds up
    The time it takes to "optimize" your code out weight the benefits (gain)

    The Zend Accelerator/PS is another story though...
    heh.. thats not true at all. Zend encoder encodes php into bytecode before you publish to the web. Optimizer runs the bytecode that is already encoded. You will usually see a small increase in speed (30-40%) using only zend encoder/optimizer. Zend Performance Suite (which i also have) gives me an average of 10 - 20X increase in speed.

    The biggest time is the actual compiling/interpretation of the php into byte code. (Roughly half of the execution time) Zend optimizer doesn't need to compile the encoded byte code. This is how you get the speed increase.

    Performance suite will cache frequently used php code so there is no interpretation step either... it can also cache output and a whole lot of other stuff... thats where you get the HUGE increase in speed.

    -----

    granted it might be slower if your php files are not encoded and can't be optimized by zend optimizer... then you would get the overhead but none of the benefits... but if you encode your php files then it will always be faster... or at least never slower

  4. #54
    SitePoint Evangelist Daijoubu's Avatar
    Join Date
    Oct 2002
    Location
    Canada QC
    Posts
    454
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I was talking about non-encoded script
    Speed & scalability in mind...
    If you find my reply helpful, fell free to give me a point

  5. #55
    SitePoint Enthusiast
    Join Date
    May 2003
    Location
    Houston
    Posts
    28
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Talking

    Quote Originally Posted by Daijoubu
    I was talking about non-encoded script
    k :-D

  6. #56
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by JClawson
    Cool experiment... just put a notice on the site that it can be reverse engineered and shouldn't be used in a professional environment
    Take a look at CodeLock, it's commercial, easily reversed and doesn't have that message anywhere telling it's customers that it can be easily reversed.
    They do hovever point out that reverse engineering the code is illegal and include ainfo to that effect.
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  7. #57
    Web developer Carl's Avatar
    Join Date
    Sep 2003
    Location
    sweden
    Posts
    320
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hmm,

    I am interested in just how easy the reversing is. Anyone want to give it a try with some simple code that I have encrypted??

  8. #58
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Carl
    Hmm,

    I am interested in just how easy the reversing is. Anyone want to give it a try with some simple code that I have encrypted??
    Put it up here.
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  9. #59
    Web developer Carl's Avatar
    Join Date
    Sep 2003
    Location
    sweden
    Posts
    320
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Okay, The lines are really long so as to not break the forum I will use " <-continued-> " as a break.

    freelock.php
    Code:
    <?php @eval(gzinflate(base64_decode('nVNRb9owEH4mv+KkRiKoZe2kqS+Mh25KO7SqVATxsKqKH<-continued->
    OcCVi0bOQ4MEP99FxzSQGk3zZKV+O77vnx353hnHy6PNtw
    <-continued->
    axHvNX2CguCxShMXnT1cJ7NPJCr4ZwRTcMZMqNOBWlf5I3M9IWZJyzLgVC4Q+tFftHlxe5hrsjFlYIrwovQRhQeTApEGWrk
    <-continued->
    A4H6nnZYUiplbAWY5xvmTzwBdqXtgObDyATBs69696vviaWyNR7dMUOT93IACRBWhwGrSfWHf93L5wmCdfPHdKSAvg
    <-continued->
    NUIeScnqYj5HEzSQPa+1BZQ5NuRuur/+UU7q5Xtymy2ZLLdBWxhVkXvetlF+XiTJymL+P9X7nExok1bJjS+25dcp3O3DdflW
    <-continued->
    xwnIZyTKCfBXTylynWL8WzKLB74qzuvIjt13Tgrl3Ii5DXz3dFJTqRMmwS9Iai1FUtqqAOT10EHFKyE0oZoC/d2tq7tRs6drob
    <-continued->
    IdNSGn119iJ1cLuR5UMzrinmYcN82FD4utfwlTqGatLVp1uT/G48c4CkeTcBRPbkbRhYs8DqNx83wXjt+kbwf34T4QPkx2+dI
    <-continued->
    XvNH/Phz+HIRNgSiMosHwoeK0kM804ILJ4PSEylvklcX9AQ=='))); ?>
    header.php
    Code:
    <?php 
    $use_zlib="y";
     if(!file_exists("freelock.php")) {
     echo "freelock not found - exiting";
     exit; }
    ?>
    <?php include_once("freelock.php");?>
    <?php $s1 =":1oWqsXsq7lwORn^igQpOnJ9jQvI]]qZRryw^}
    <-continued->
    o|OVpry;xOZ|zYQQWYRu_x[MjqwkVh?nx<Oh|<MN|Gsn1gKPSw>~]}shyg9hNgjR^{WomlI?
    <-continued->
    MG=hU};hWnGPiw}XKzO=^`W<1U~kN5Q=^1Olq[MV:jVjoMmYksM`mN7lm9W_tW:ggCC";?>
    <?php freelock_run($s1); ?>
    
    <a href="header.php?test=thisshows">test</a>
    
    <form action="header.php" method="POST">
    <input name="test" type="text">
    <input name="send" type="submit">
    </form>
    
    <p>Test $ variables:</p>
    <?php $s1 ="{1jO{ORpXyM^|rh|{gXu`67|gvmgxnmpQP|k_MMQ;^RqvMS1_ySpoqluIWqsXsq7mg<txzYQ
    <-continued->
    QWYMuqoMQG]w}NUQUwZyMWo}pmso{g";?>
    <?php freelock_run($s1); ?>
    I am putting up some text file in case the forum messes up the code

    http://www.heroforhire.net/ex/freelock.txt

  10. #60
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    5 minutes later, here's header.php:

    PHP Code:
    <?php /* don't really need this include anymore ;)
     $use_zlib="y";
     if(!file_exists("freelock.php")) {
      echo "freelock not found - exiting";
      exit; 
     }
    */ 
    ?>
    <?php
    print "\$HTTP_GET_VARS:".$HTTP_GET_VARS["test"]."<br>";
    print 
    "\$_GET:".$_GET['test']."<br>";
    print 
    "\$HTTP_POST_VARS:".$HTTP_POST_VARS["test"]."<br>";
    print 
    "\$_POST:".$_POST['test']."<br>";
    print 
    $test."<br>";
    print 
    "\$HTTP_SERVER_VARS:".$HTTP_SERVER_VARS["DOCUMENT_ROOT"] . "<br>";
    print 
    "\$_SERVER:".$_SERVER['DOCUMENT_ROOT'] . "<br>";
    ?>
    <a href="header.php?test=thisshows">test</a>
    <form action="header.php" method="POST">
    <input name="test" type="text">
    <input name="send" type="submit">
    </form>
    <p>Test $ variables:</p>
    <?php
    $text1 
    "Some text test";
    $text2 "Carl McDade";
    print 
    $text1."<br>";
    print 
    $text2."<br>";
    print 
    "$text1<br>";
    print 
    "$text2<br>";
    ?>
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  11. #61
    SitePoint Evangelist Daijoubu's Avatar
    Join Date
    Oct 2002
    Location
    Canada QC
    Posts
    454
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    lol...
    replace eval with echo
    Speed & scalability in mind...
    If you find my reply helpful, fell free to give me a point

  12. #62
    <?php echo"GiroPets"; ?> giropets's Avatar
    Join Date
    Jul 2003
    Location
    United States
    Posts
    242
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Heh, this is what I use :

    Online version that's free. You can unencrypt it though, (It is possible), but it'll scare away the hackers if you put something on the header part of it 'Go away - All encrypted'

    http://richard.fairthorne.is-a-geek...._obfuscate.php

    Have fun, all.

    - Mike.

  13. #63
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Actually, I use a system similiar to this, but modified. It's based on the "Treachorous Strength" mode that this script has and it's not easy to decrypt. Much more difficult than the others.

    Quote Originally Posted by giropets
    Heh, this is what I use :

    Online version that's free. You can unencrypt it though, (It is possible), but it'll scare away the hackers if you put something on the header part of it 'Go away - All encrypted'

    http://richard.fairthorne.is-a-geek...._obfuscate.php

    Have fun, all.

    - Mike.
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  14. #64
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I get the following error:
    Call to undefined function: gzinflate()

    I am using greater than 4.0.4... how do I install the module or wahtever?
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  15. #65
    Web developer Carl's Avatar
    Join Date
    Sep 2003
    Location
    sweden
    Posts
    320
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hmm, same error here with 0.9.1.0 but 0.8 works fine. There is something wrong in the changes in between.

  16. #66
    SitePoint Enthusiast
    Join Date
    Apr 2004
    Location
    London
    Posts
    77
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    These scripts are a fun to play with, but...

    Scripts to hide source code such as this can be fun to write and a novelty to use, but to all users, please be aware of the limitations and the pros-and-cons to both approaches. I'll cover them here, and you may find some surprises.

    As has been said elsewhere, it's trivially easy to get source back from these systems because they have the fundamental flaw of encoding source, and more to the point, restoring source at runtime. You can try to hack the files, and this may be easy enough, but it might break license agreements and take more effort than is actually necessary. All that is necessary is to put a printf statement into the C routine that compiles strings inside the PHP engine. Recompile PHP CLI and bingo!, you have a generic script decoding engine. This will work for all source based systems including codelock and the ones described here.

    To provide a balanced view, it can be an advantage of source based systems that they typically require no platform dependent decoding engine, however this is probably a minor benefit when considering the downside of it being trivial to restore the original code from your scripts.

    So as has been written already, the way to go is to use a compiled code engine such as Zend, ours, or even a free one such as mmcache, although being opensource and unsupported is a downside there. Someone commented on Zend being hacked. We too have heard that some Russians reverse engineered some Zend compiled code from modernbill scripts, but it took many weeks to recreate what source may have looked like for one or two files. Even after doing this, there could easily have been errors in the recreation, and it could not be considered to be a success. They also tried to hack ionCube files, but go nowhere at all as they couldn't get at the compiled code stream, and so went back to the Zend files. I'm sure that they gave up after a while.

    So, why is compiled code encoding so good?

    The reason is two fold. The first reason is because the input to the encoding engine, and hence the output of the decoding process, is binary data and already pretty secure. The compiled code is obscure, is not source code, and would require a detailed knowledge of the PHP engine and compiler in order to be able to recreate what the source code could have been like. A second and equally important reason is that compiled code is retored *and* executed inside a closed source component. This makes the compiled code hard to get at, and keeps it away from the opensource execute() routine inside PHP. In other words, if a hacker tries to breakpoint on execute() to single step through the compiled code, they'll be disappointed because it's not called.

    Are there any other benefits to compiled code and problems with source tools?

    Sure. The main one is performance. Source based encoding systems only add overhead to the decoding process. For trivial scripts this may not matter, but for proper applications this can be a killer. Because of the reliance on eval(), it may also be the case that using an accelerator will not help in these cases.
    Compiled code systems parse and compile the code even before encoding, and at runtime these steps don't need to be performed again. It's the elimination of these steps that is the key to accelerators such as mmcache and phpa, and even though decoding compiled code protected files adds overhead, the end result can still be that there's a net performance gain because of the inherent acceleration in the process. We have a benchmarks page at

    http://www.ioncube.com/benchmarks.php

    It's a little old, but still valid none the less as a broad indicator.

    So in conclusion and to paraphrase a popular saying, "you don't get what you don't pay for", and the buyer/user should proceed with eyes wide open, and be ready to ask plenty of questions of the provider of any solution that they're trusting their future livlihood to.

    For the professional developer that has made a significant investment in time and money to develop an application, and where there is significant financial risk from having code stolen or license agreements broken, a compiled code solution is the only way to go. Such tools are not expensive, and almost nothing if using a pay as you go online encoding solution. Overall they give great value.

    For the person dabbling with protection, wanting to hide scripts but where the downside of a negative performance impact and real risk of having those scripts undone is not really an issue, then a source based approach is fine, and possibly the cheapest way to go.

    ionCube

  17. #67
    SitePoint Member
    Join Date
    Sep 2004
    Location
    60089
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Cool

    Quote Originally Posted by giropets
    Heh, this is what I use :

    Online version that's free. You can unencrypt it though, (It is possible), but it'll scare away the hackers if you put something on the header part of it 'Go away - All encrypted'

    http://richard.fairthorne.is-a-geek...._obfuscate.php

    Have fun, all.

    - Mike.
    Actually, I have used that code to make my own decoder/encoder. Go to http://www.ajblog.info/signup.php to signup for it. You can then go to http://www.ajblog.info/encoder for the actual encoder. Of course, I went the extra step and added decoding functions

    The only way this can be really tricky is if you do Rediculous strength, with an odd number, like 57. No one would guess that, and it would take anyone a really long time to figure it out, so you'd be pretty safe... Enjoy!

  18. #68
    SitePoint Enthusiast Adam E's Avatar
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    91
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    nice!
    Adam

  19. #69
    SitePoint Enthusiast mrobinson's Avatar
    Join Date
    Aug 2004
    Location
    New York, NY, USA
    Posts
    50
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by bgardner333
    Ah, but the zend encoder can be cracked as well (and as far as the whole
    encoding thing, I realize that there is no way to be really secure using a PHP include, as the PHP include is just gzipped/base64'd 20+ times.

    That is why I am writing a PHP extension module (dynamically loadable, of course) to address these issues. People can then customize their encryption methods.
    A few months ago I developed a script encoding system along the same lines (completely written in PHP). I even used gzip/base64 to obscure the code as you describe (although to limit performance degredation I only did this 3 times). I even went as far as to work on an extension module (quite a learning curve with no C experience).

    I quickly decided that I wouldn't develop it further. Unfortunately, regardless of the encoding method used it will need to be decoded and evaluated at some point. As has already been suggested this is the weakness (You beat me to it Daijoubu, read "replace eval with echo").
    I also found script performance was affected (expecially if there were many included files).

    This encoding method will put off most casual viewers and novices, but anyone serious about PHP could find a way around it (IMO).

    I'm not saying that this encoding method cannot be successful, but be aware of it's limitations.

    For any serious work I would want my code compiled (and I lean towards IonCube).

  20. #70
    SitePoint Enthusiast
    Join Date
    Jul 2004
    Location
    Vlak
    Posts
    52
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Why doesnt you script work with my file?

    <?php eval(gzinflate(base64_decode('FZdFEqxaFkWnUr3/X9DALaqFu0OS0KnA3Z3RV74RQNyzbRVn0v9bvc1Y9sle/JsmW0Fg/8uLbMqLf/8R4wJet9gYJveMUyv+XqQxm4IUDzGytcpbhnEJxpgaorpO1OWyJMuR2jdKoZ/XDmOZLigKeTYOIIFHm5MHOAvwlr3wfAKo3qQdeqsz90vx066x5hrjmxHNuzY36ADbSu9u9bLa/GmrfSDty7EGyOTu7sMNujMLxwzJ5eatY97JFUvCoKAh6wehb1+ESb8Aq6dpHooXvJPH0dVmhlkUMmMl6L0CxNVTeExkjbu5CW8wxzRc59ykFtS18NzqZ3OpcVbLEUDZh9z6bNSrfVGcEZK3umemoGs79nS8Y1uBrBAs/FzQB91VfDCaZe4q1slPVwSWCiasLC6348v5e7F6J1boRaRagOwjASXmnDtrxC4+wTkXqYKjI8Mw6mcTcQsv7lgG9d22HfAQsGmDKWtkcgccXAi7gB2KiZUXtN1lYne2djexhhGuncM0cA9KVGoZYK7UknUf9SsufDB+irsizalS3AZvautY3omHxUfslVjAYgShNFW/G/2VBceVbZU+DXbsblbqbkbavlcPlEnmqWiOJqnElT0WHL1FDnYQkRoOIh5i81AsX021unLQtYxuPk2YPl2PNB2c4t754g9iF8YYvtqbshOC3edWZlelw/vFXLxngByE+pzRhdol51swleF5YUznTJqA1WyVJbit3K3n+beui+OnCOvjVuFXONY0e6wpuE9QE/MNmid7VYsCUsTiTT3YQAOx6DM2t5lGufBQR+s9iO7+2VXVokbZbDT8AIUzGIwZc9yZf2cMfz2ypiaTsianAI7Y5j6m94oEB0C8/4nmFvy26JYTDWjQ1lgdEwrl7GaRVBFeQ/mEr0IGqAba1RVWUJUe0SMxrVucAS1Jx1A44Ef6CNJQzlKNj3DOlQ7FbNt86ElQ9u6C4p6/Iia2952at6oZeTZozreKfmZxlg8Vutf4rjCrhKthvkUWR3Z+eaYEH74fbglH5WTl3MbPVg6+i8nqQoFfLvB2Sx5pstL0INCrVzSkksx6qsok9GO2W6S4AI20Hj8ZYYPFglXi2fZB1y/Q5mkTvjbIN6Q/7IehvuoGTViROd3l1SnrGks0K8bkvMGDfRhz72Ge4oTBKaVqbmgX/viYo6qQ4ZiOphApC9+dyYa62+s+m4VV8MrkK29L9jBukZxzmjam89NCa/WD0dE7jgCMxL/+Lt5aTeAiz5C+MRK58kb4sx4yoEofBp0x6ZFtcXwekuaKG6CoqCKZWLtzLNE1vsJ2adKONLTu73YGbiHzEHkDlsHekhBvrZMHSVFazXiIa91u4jHf9Bd8BTL8jH3Es2AQjQhHu9Ln0ygR0k6Ui6ixDvjilNzYN197D/6ihPG8rThHKagLQfb3xSDkJOAA2ipi9+T0da0KDt9culWSXE4xFBd9jngwQEJDjFb6PcJQrcTzcii5wNQkU60oZxZ9YNVPgbi03UPLALpxsdDi7Xmg87PtkvQfkAoUd0q3Hf+ddcVGUtYzE7fgHNQL+lLK1y3oOE8hgVBdkcpUQ2s3rhnrceKvEih0l6FO2T6z/U4+T3YG0wSeBW5K8vnLAqVeuNJADbzJ1WOn48S2dmQvBjPfI5U2vB67dFkpTJcOh4+0VQCoNpXQcUzTzatO3Jq2LprFhkLnxOzPKHOadVK8GFBj+c+HsFltOx5US4vj+VQJI95GMvzMKmuzMrSCBhPIamrGu6rai/foY9pHRGFviKJp++zCVHgy3C/GoOiMoh01hyx4i9xuhhQRigHnl81+Nlv6yh85EC4HtRMieNpSJQCdgiqr0HELDzPFbNiLHC3AZqbNBbFFGAHre/kuI95Y8idlOvmgvp2Uef7BgZICLLfKRpz6uSMbbbsmUKaDPUtIVRK0UcIo2m/OA2xRr8v8m9u0UmATj4EhQtOAzmHkNHER/IxfQ7S+caLPGhaC/Jknkd8kaQvT6opv8YAtLi8i1hyfV9ytFl19nW/D0LyYjOn0UosUpB6wWpKYwi1Ze3VSuJDUWj4kRmMOlBx30Ak+MevFT8rX6CJqExihQsxv6PJtvDprkw9+FJe+XZkj4mViEOJV6HpvG2QsKPMnLWolVehQEps32jFpYNdds6P5p7xUbzZaprMj8FPn/UjJdhjdu2+vU5hoqOAm4cwk/i1nyq80beccTsVdZyPYoWaDIvi4BH1HfK1x42UAQj1mf9Xxa7pEsRI3y1iMiCxxa7w8lr3azUyIuQwh2PnTgCcK2UyFmiQ70fhhl/hAnbmeR3e7Nor6jXs6HPGfTcVu/MnIfr/flOJl1EU8Z+qS7uEc1BYdqNBFxnm4pVIy0LakfNt7TAVMTaxTEDSMkzi5hLhYbGmqWUyTgUuDXjv15zwRi5zVsxim7aHPLlRTuk0BkzvakSaJdRXDbE9XY8W+eDDFBbBbR/8lyotrJauBNJj6SpIM+dTYgSVE0R5jpuaHsy7jk74hovpKUbfnA8uinpsGuQVOsaQyeAZYFNYG5SmeI8QHGvGo6Es1bDHYBoeg6ohftHN81gSfD9yycIK2FzgE68XKS2hY6xRwZQQVZZ/hRHmUzGTk6Wju02SSA/1s6SaRnh7z7vuCJcfiuVvs2Md+DwMuiesNnLAGIQTGeZZt1qkOI4BKT4BviTU7rcjQ6YOv8dKYQOM9bA738e9eFmnkX232tjtJZtAjqVAebHuFYYFsNRG/Eq7m5WvK7KLdsxVaUjtl6u+lYbjyIIL/21k7WsWSdlOgCau1oiJyRK8+Enlk/P32gs+21w4gAUNeu8xmaIV9eGTlrLtIsdZLJuh3xfk9vIe0m0eGozwMDI/EvU3Djg3v4Nwty51vfb8OGX6Zo7I7tVZlRcdbV3C5jw7i5Y4HV7wOTgjqf+3/hPQ0eBggYkPG0x55LJqSR1IisoKJ7op6LUj3qFkbTuUsSmc0lz5qHs+L9LjEBAxnnjgV2gvq2JWf/EyFLimm0vFKbH4sEktx3ox6c+dG3W+f2NfMxa6UHG/jUn7F+cqaJn08ZHcbwG4ZmXoQoCdIa2JBf3I7gByE/DnlcDa0KZ0ZGA5XZlAwEm4v0Uw+Vd0DO4J1GjXp6IlBk7kXUAMrw6IOoj4DU2k0NyTSREv0rygn+Z6SYbpjdKInSLqB92rA7DJr7/BlUWGU4CnPZk8q6twWwFUVIai9nJAsTwm0Fvta358sT8FlkOdZGVuq+8ETdXJH+MAm9yqSWfHynJDkRJgfWJTZ5cSXB5wEgJq6Pr/vggM6SP5xvfBS6ZHY73yB79/tWQUqWvgQyy/RxVfhQ/3kQz62R2wnFOqn47rNDFDrxe22LrYgAFC5lUWOydIC0NTc5g9ntk1EJp6jmrziJ+kbmGDkenieOG1WrWyoNrke16xwPVCEv+46v44TACe8W4JjbiWcN8wg2+nuxIsNwEEhWXb5XfWhQsgAxIQvBLkXoxp6JSRPuxz+ZZWDGWI0RTvfkRjE6hiFQXuwfJ/5Q7twEPQ6OlQMmOpdivXEjymwMKz2CON8t4w37D7zEM/iX5ooJNhJYjGmke/D+RKgZlELOAuT6md7Zv2nqHnnu7Kj1Mnjcp7wGmDUEcIruxIxd1IVp5wrB1M4T3iX30onL5sSOsizppcZzJ7h9XcRzJiofW6wQpnGr864Yk2vwQ5Fpsgpe4DfJoev0tfw2SBt109QLNpPUuGXtOoPIDAyEBnEUdzJX2/Nekm0yVpnirQke+a4YB3CtjZ0D8aB5zFRl7WlaZQE9aS5h1JlJY7/1ryV+pO1EZ/EDesk5euxF/YzsP2qwexBGJjifg6b8S4ymByrkjj7gOPbI0qxXfGeYMY2dTw04XNMdf3uG2DC/O55jZE5y7cnwEQtHT0v3PA1JjPtb1Oigf044B34NF54UYLAyFznDT8ygEvrw0VlPVoWTyRIz6vQP5B4SrKRFzawS4+WmAUK2JTA1vairM1a/D6lnPAQKkvdmg8ETVBLBF1YfaIYnlAYKSGyOCOE0Ff8tvoXSIRgjMjTIis65NoODnVfQq+PIR89/qQ2g8Vg7uA6F4gPtuXqIjzQt9hGSLuLvZZ+MVVO+mYyVOZA1aEcsbkB+Eey6bGhF5Li1r6j2YrEX0cirNcafvdVsvThDuC3i8EsdwrSGLyd3aU4SV3+Ub3O//a9uHOhOsOzcy5CxeTDQvhBa2p3qWMSXRgh/gBwi0c6yAm9cNKueH4hcBebaDZmdM9dKS88Md4fps2ox0T6Ry5Z+BRiIJkZ7BcO/X3PEXdVwiaVfO0lgQtE92N5NMtwNe+pjRmVjIcCRPcjICICO2bA23QZII3LwAJpnq04dEfbdJAJU3N6req39c0Fy6wudvj1fjvTV0fOf4GXBr2kOgmJ9cFJYQfinrzKRl1mDrSyJYBpt60qBg70NzbuSahyVkJKkZWVyIZQToY+0l2viMO7IFP1NoD5Yak1HipSGzt+/fhNABtm3K3hMdSQo22wmInQ6SB3mpPSfnQsVekkKlhbHyKf0ALEc2tjN6F9tc8k5yueDU97fbTBZ2zLDolEoH71J7GvWFRAntjckTNZ+iOH2DuRW2AcI88DplS5kbwU/gPzxIijHPatpA2i20WLbrjkAhXXePLWogtXpk8NG9aAQYJen3fvqKjANhHJQjWy0sal7b2FGsQQFwJtbXXzHlv9ZfPt0wLGYgIENa/vofl9QPuEHFGiKgPrnB6CylcC+/3iMnlMaYv8zmNfnLykJ+GW1bCnkzbvk7JGF0pMS1Kp9sK4aq5/DTvO3dCVHoT+wf33tzhH+M3yksTDQcZzMeymX7KH1EhdrcAtSgXsWO0prsh9IVd97OmShm/oJRgctmzhAgv3XV3EVMZQ55psxTB25pnZ5AYoBLmcvsC9Ut0hMlY/okofgaQYYGqgswZcad5Fb+jMu8XiwHMMm1vD4VgQr8U8KuN11qnRyBqVSFpq/4AM+apaMqhY3cINbRtJFjy17mdQyUUjvwHheFnqykuFwr5uD+y1FWlDGC+hps2/sOIufHdanhkSob6l4zro4YT69/3N9+/4XthXA0CZRMChoSU5QMaT4hPX+VVJTGQGT+TYryUNSAYVmrU7vhahq6F3oX3YQygL+6HG38YGip95YXIuWIzFF9rUGHFVuu5BX+V9TXyjqy7ByIPaDcDcdeiCf71aJ0wVr60mEhW7xfOlqV9WFLoFXE7HS4rhYXIuq99is7sXkr964numm3SaflbJa0omOR52rRME8eDfSyTtT0LTab2SlvQRMgR5tztd8gDK0l/PAhV8HVP1jFU9Z8VAIy7PvmirZuX+NWZ1RgdQcukLk2eEuHaoTjt5qxL1+lZ79p2J6tX2YrlbVE2PmleS4Rs7K/SZJPRFJBR7ECwt7A11VrXrWLPx7I1faYVItolq5rGD4Bsh/UBnmiQYe/0Wx3yhq4yXeuYB4QZpCgTSERFsmeHYJuipKXT79eT8pSiv7rsrbS2YPHFDFpfqDEEnnVuuzz+IJUq25KpN8YK/vFC1682f4cMhxXtfaD3cMLFByxj7PxTLHXihpYj5pTkpFgitTAa2L2qeV+SEUrazRgfJukE6+it0zEY5pwy97eWKetQk1kM8o0nPr+ws6DmwPdKNOidCJ7ep3FC1WcgGnyWWzPOm059pja9YhdeZNHaI4hC/PhGgsl4shmc+KciRjfSvu1i9rDf6YJQZ65KdrLRWOAQSJJh4RcEFKyOVsGa0oRnfRh5tlIE+SR4fS1jV6gBmrLQ+zjZ/tc0vvskV/n5FnnkSZ92UbcBvEZfr5pyPLLdD1I5+v+lKqazSyKEzkFLxI9MzHTCLS5io626KRBPrmSozQMLgFXP91oKKkXcnkTe5gdcn3O3f82sBMVTIchF9aY4Xbm3qdSQ16n2r5pMw9Dth9lSQGJJrZX1VbXhZPjJkbvFY/OCCS/Dwk0OrA7nPdhzcaeGhCrW5qtud1CxsHs1zc4lCzrGj+nmIk8WxHMw7D2hAd9xNoEnQgc5SpX33hmZvKj1kzw+bAr12jsfsHkon0P7suNZNLZ8JsYsxtqCWRrioZ1wsBdLzczx0Bz+1ZGml2TrBzmD7iaBT35/Ceq72dpkHrMGXmgtyUD+emwU16yTgEWBBC+jHCMJetik8LrLL8/zS7JyoGT9AuCpb8hhrkaBh3KyRwOKGlecL3p11YOINJJ9ix4Nmqns3U0H/AwBO4DtmMMeI/coICt4lBy5HBqb4YVgo5KhmbmB0mNeth8600+SDOhp0CD/Ddi/qnov8i1i/eY8gTaBXKq3MMf1Ms5PQIRL62/spnpXywmyU0oOjFpn8hpc9JrcyYyhmddJocYrxE/ZNMV5oaqsK7uyJxhEg6WuATh/WLEah236VMuTNN22YxPsyxm2kftnoBZtkUBBclpR42E1VH6tqXCABcyjA5nUzw3kRQRAl0JueURI49W/5AOis22lcNl+DLwyDX0cYcG1+TMz2rmP9KTijYmR/RtZ8s6+b7glvNe9vnGbdeAFDj9rUsg1H7zrlLeHmrlL2x0qMc7/LgB/SnInXnXyip4Igaa53IAwJb2ICVK7tgdYXugv4peoTBpNZ/Ot1cmqddu8jAMfMOWJqJM+h0fv9DMREiEYOYbOLxzBnU+w3PS4tTPwZVSguA3wu+Xu9dhdUKyKdbve/bc5DB3mqK0nhePJ62wpVwUR/5gMru1wB4CVGZ7IMAve6tc/anlD2EaRuJoO3/kD8QSveNuwHYzcpV4up+Zm7EVp7GczBLThoKr3ylECj9Eis/qyAeL9h0LHfbrfUxJ1ICb2jjE+Pso5alAVJGNeFu9rdXgGUQo/0aakpzDOejytUiWtA4Mdn+8KXvffH3jAmdfcpzJdMsCdYYcL2ymNhfJAE1y+bZbKfgL9ERnZKbwp4sYdft1pHBD9W/gyd0SFEaDVrn4igIVTkggIK6wuKZbyoo2XDUREi75m8YASoIBvNw1GRSn4fq4ohMpI/xwLu+eJ95+IakaEmmL3oNFMaw/j9AUDsJklXfmXS+IDpeOtNBH4U1vj1IqSXK17eUf8hNFEAHecH8h+4RR2DjRiN9N6YXwtBQyi5ToGNo1BVxZW4FZCtveS0wQe3jf0Kdj2yyr45J6etDP5k2Hno/Xuh38JZTPJ9Nq/aNurh7g3HN0GTKtThxSwQIAasoB+T2eVkfkDW3JdT+43owVmivaxzS+59NAPIchEyNfBYR3qCDyUflj3NvWziBVbt/Fk+Gg4VRGnB5fzLosMgBDqBdPA8iZn+DXITQO/+9rk1+9X/wdOghVKDo19GoANGLC4/JfEgcwgKzLzZKnvaxgi7ULus+mF4jB88R+LXfv3e1CXazfMZMPfm7VL7HmHzaMUHvMgy/+UjNnnMydMRwLMV4b8/2lXLY7wKDPAjPWwzDuM//YSdHnJ+2Hx/u58os/Ftq9xU6/NDofn1jZEq/6ye9YWRdCMyRsx/o6CvrlPEl+D6cXpylM6Tmzi0f2WAD04G7Bts1UctVQfnk6nSAv8iiTvPF8DcYcqHj1ihMFe+zmXipOSPGPp6EJeIk34lUN9vC7nFr0RwZvIg3i/0uy1nQjO5OzEsZYvcYB+HStQBbS6Yin5shmxvhT3PAHNqq9HOUxnLL9DCgxQYJ1OgrIYbNxrskWC+6YkItgYBhJvDSk8Ksv5nodHoFwfVoDE/zLYBqa7mWmn/ktyz0XIIytv3q6/gtScL6onPhvY41iLhDS/pwPzCUNlCmbk/d8ZVdxHAUCB2s1+nM7326KhimBSZ1uXN4tBZzV3LeSPxTvL5vjIbAliJJiKOPbikDacBUWJcQIVC0eOSTfckymK24GvzXtxRkphIMeNGSD+S1X5vQ8NsfHaCIUKy1AyqGMEkV/wWQK5gcC5DwwCNcSyHROo8zKmU3S8aNPOKlG4+81FeUZBXQXhXFATNiUIF5w/smUaJIxp/p7K7reTQRecL+10oayenj1TzxAUewchGiibf84Mg0I0VPCIurLdIHPSZIZKX2HhEfbo2iBpSdHe213+APCm4jBLcoH9bjm2l4B21eCqRavi+OJsq3i8/h4++O7Me/W6cA+y3G1ae9ZdGQVLrDZ+iP4Hs7KLXr/xLkCB96SOcvEo1YdxuFJnsPIPFyUD9owL1ajxmjMqEZNjUs07g+Bu6vVUX7Hqg2uRlgMMLQTg1dgzJ8MNFFUIutBsrJHvR1exyALVRGbN1xYbSxMW1/b6saxgzhleXgVSf6u9WB/vcmIUqWcxAUaHBCeCYxiRl1+1dJ9OvoGDuDzUhPyabknX363dwM9Lxk1PNFqhGwUbRaNb78abr0wnFyFXHiFXD2mABgOA5jiMIUi9I8f/8+fPnv//5Pw=='))); ?>

  21. #71
    SitePoint Enthusiast catchar's Avatar
    Join Date
    Sep 2004
    Location
    Arlington, VA, USA
    Posts
    81
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by colinr
    i don't like the idea... kinda against the whole OSS philosophy isn't it?

    use other people's freely given time and effort (and money) [apache, php, mysql, etc, etc] to write a script and then set up a system where you control who can use it or not....

    I wonder where we would all be if apache/php/mysql used that same thinking....

    secondly, if someone buys a php script package from you, why not let them tailor it to their needs?

    Not that I think you are a bad person er something. just think its kinda hypocritical to make an open-source [its on sourceforge right] program that is built to make other programs (or scripts, etc) closed-source...
    You made excellent points I hadn't even considered until now. However, I wonder if a combined perspective would ease the concern:

    Apache/PHP/mysql and the likes make the source available. According to the open license, it then allows users to customize components and scripts to sell on as their own.

    This could help developers who may find their scripts are being distributed--by innocent mistake, even.

    Your second concern is even more a concern for me, too. Often, scripts, components etc are "the best you can find to fit". But tweeking is always a necessity.

    In the end, I like freebies, so I dislike it for that selfish reason But I see the benefits. Especially if there were a way for developers to include a one off "crack" code for their customers.

  22. #72
    SitePoint Enthusiast
    Join Date
    Jun 2004
    Location
    UK
    Posts
    98
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Theres a long way to go before this can be called an application. I uploaded to both UNIX and LINUX platforms where the script failed to open any of the specified directories and produced the longest error sheet I ever saw. Yes I made the directories writable. Also tried this on a win based enviroment and again errors. This was your 6.1 version.

  23. #73
    SitePoint Enthusiast
    Join Date
    Jun 2004
    Location
    UK
    Posts
    98
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here are errors from your latest version:
    The errors are the same regardless of enviroment Brian.

    Warning: opendir(http://www.mysite.co.uk/freelock): failed to open dir: not implemented in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 148

    Warning: readdir(): supplied argument is not a valid Directory resource in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 149

    Warning: fopen(http://www.mysite.co.uk/freelock/out/freelock.php): failed to open stream: HTTP wrapper does not support writeable connections. in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 171

    Warning: fwrite(): supplied argument is not a valid stream resource in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 172

    Warning: fclose(): supplied argument is not a valid stream resource in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 173
    Outputted encoded freelock.php as http://www.mysite.co.uk/freelock/out/freelock.php

  24. #74
    SitePoint Member
    Join Date
    Oct 2003
    Location
    USA
    Posts
    11
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by mrobinson
    A few months ago I developed a script encoding system along the same lines (completely written in PHP). I even used gzip/base64 to obscure the code as you describe (although to limit performance degredation I only did this 3 times). I even went as far as to work on an extension module (quite a learning curve with no C experience). I quickly decided that I wouldn't develop it further. Unfortunately, regardless of the encoding method used it will need to be decoded and evaluated at some point. As has already been suggested this is the weakness (You beat me to it Daijoubu, read "replace eval with echo").
    Ok. I'll say this much, I've been evaluating systems like Codelock and also looked at the technique of Richard Fairborne's example... and I see them as perilously flawed, for these reasons.

    I started working to concieve my own, and I think I came up with a very interesting solution. I'll note a caveat at this point however. The remarks made by ioncube are sobering. If someone has the knowlege to recompile a customized version of the php interpreter, they may well be able to hand themselves a version of your source code... but, I think the technique I'm thinking of still suggests a much more secure obfuscation method than these others.

    My thought... as you see people base64 and gzip at a number of levels. What if you had more customized functions on every level of obfuscation changing "the game"? If instead of using standard php functions, you used your own functions at each level, and some of these functions (at the deeper levels), used facets of information from each of the previous levels... to the degree that one would literally need to sit and piddle through the levels, and follow the code logic like breadcrumbs... up and down the consecutive levels of obfuscation.

    For example...

    Final code might look like this...
    Code:
    function o(m,p){var out="";var I1O1I,OI10,II00="";
    var O00O,OO0O,O0O0,OOO0="";var i=0;m=m.replace(/[^A-Za-z0-9+/=]/g,"");
    eval(p);return out;}m="FN8D%q0UTRD0<s*9S%TS.M&i@[}#@3Ti.%OsEm0U.w9[U%HfFJ*7TQu8F#D0<w&v@squ<3H[UJiu>IihU#iD%s*q<RTf@dGq<3H[nQ91<R}v<sr=nMT=nRSeTRD0<smu>Im&UIu7NGeqSQvwU%HfF%r=nRTi.M4eTRD0<sujWIuwTq0US%}0<wvjURD1{dD0<squ<3H[V%HfVNOfUI{wNGeqSRH[>M0e<3Ls<3H[U%H=nRSiTQuhWIm&UIuf<RTf@dGqSs0sEm0UpG0UNGe/Fqzz";do{O00O=k.indexOf(m.charAt(i++));OO0O=k.indexOf(m.charAt(i++));O0O0=k.indexOf(m.charAt(i++));OOO0=k.indexOf(m.charAt(i++));I1O1I=(O00O<<2)|(OO0O>>4);OI10=((OO0O&15)<<4)|(O0O0>>2);II00=((O0O0&3)<<6)|OOO0;s=String;x=s.fromCharCode;out=out+x(I1O1I);out=(O0O0!=64)?out+x(OI10):out;out=(OOO0!=64)?out+x(II00):out;I1O1I=OI10=II00="";O00O=OO0O=O0O0=OOO0="";}while(i<m.length);o(m,p);
    (NOTE: The string above is basically a javascript example, but just translate it in your head to php.)
    A mutating string of characters could be used to perform a "string translate" at different points (in different ways), and equations could be used to construct strings and behaviors up and down the deobfuscation hops.

    Essentially, what if NEW functions were introduced at each deobfuscation hop, and each of those functions may be combined mixed and matched at any point in the hop, in getting to the hop that follows. I would say 10 "hops" max would have the code in such a state as to be an obsolute irritation to understand. The only way to GET the code, would literally be to RUN it, or to literally step through the code, having each level of obfuscation on a separate page that you could reference, and track the logic from. Though... fractured correctly, it may be ultimately impossible for most people to interpret (or follow).

    While your "encrypting" script could "encrypt" your code in seconds, you would not be able to "decrypt" very easily at all, as you could even make the self evaluating process of the script different every single time you perform an encryption (as the script "decrypts" itself, so you'll never need to do much else).

    Looking at codelock, it seems even that project saw fit, only to gzip/base64 the code a number of times, before letting out into a body of code that further tried to rearrange things. To me, that's all fine and good, but it completely smacks of "easy to get at" to me. If all you're going to do is gzip/base64, before letting people at the final code logic... its pointless. Even using it at one level in vanilla form is pointless. The method I suggest above seems much more impenetrable (with the exception of... REALLY REALLY determined expert hackers, or people that can recompile the PHP CLI to their liking).

    I'm going to keep working on the method I suggested, unless someone who understands what I'm describing can find a fatal flaw other than what I've pointed out. I also wanted to try SourceGuardian, but its as expensive as Zend and Ion, and also requires PHP version specific files to be distributed (so if they ever go away, or slow their release of new versions for new versions of PHP, your a little up the creek).
    Quote Originally Posted by mrobinson
    For any serious work I would want my code compiled (and I lean towards IonCube).
    How easy have people found it to distribute files that have been encoded with IonCube or Zend? That's the only thing that puts me off using them... the idea that users may have Hosting companies that make it impossible to use them, or that they simply don't know how to get these systems up and running easily. Is it easy?

    Regarding the argument of using open source products to create closed-source products... I think that's bonkers. PHP wouldn't be where it is today without being open sourced. It's a particular model. If everything should be OPEN SOURCE that used open source technology, things would get more expensive, as people would need to make up for the THEFT levels. vBulletin and X-cart have to deal bitterly with levels of theft, yet not all products can be as popular as those two, to make up for the theft. That's just reality.

    ~ DNexus
    FreeWho.com - Internet Identity and Search Tools for Free
    OPTIMIZE.NET - High Performance Webmastery!

  25. #75
    SitePoint Member
    Join Date
    Oct 2003
    Location
    USA
    Posts
    11
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    As opposed to different functions, alternatively, you could simply create a class, and "extend" the class at different levels of obfuscation, so that the same function may mean different things at different points in the code execution. Using a class, the code could pass new variable assignments into the object and change the way the functions behave as well. The final point being that when you "think" you see the point at which the code is evaluated, you may not have any clue what really happened unless you sat there and puzzled it all out... which would be a different technique based on this method *randomly* every time a script is encrypted.

    To me, the only level of security passed this, could be a byte-code interpreter like Zend or Ioncube. I would imagine the same technique used to *quickly* decrypt the method described above would work on Source Guardian, or anything else that doesn't by-pass the execute() command. The benefit of a method like this being that it is PHP version independant... which is what bugs me about Source Guardian (and even the encoders).

    ~ DNexus
    FreeWho.com - Internet Identity and Search Tools for Free
    OPTIMIZE.NET - High Performance Webmastery!


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •