SitePoint Sponsor

User Tag List

Page 4 of 5 FirstFirst 12345 LastLast
Results 76 to 100 of 111
  1. #76
    SitePoint Member j8vy's Avatar
    Join Date
    Nov 2004
    Location
    Mchenry, IL (USA)
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Question Decrypting files

    Is anyone interested in helping me with a couple of files encrypted with codelock?

    I have read the posts above, but I can not seem to find any eval() statements and I do not own the web server so adding 'printf' to the C routine that compiles PHP runtime files is also out the window.

    I appreciate your help in this matter. I can also post the files for download as .txt files if that is necessarey. One of them may be too long for the forum.

    P.S. I am not trying to steal anyones code, and I am not trying to redistribute any
    code illegally or anything. I am just trying to customize this program so that it
    will work for me. Thanks again.

    -j8vy

  2. #77
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    first of all, adding printf to the C routine isn't for codelock.
    Look at codelock.php, that's where you'll find the eval statement.
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  3. #78
    SitePoint Member j8vy's Avatar
    Join Date
    Nov 2004
    Location
    Mchenry, IL (USA)
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    It is encoded

    Ah, but it is encoded as well. You may view it here:

    My codelock.php file

    Regards,
    -j8vy

  4. #79
    SitePoint Enthusiast mrobinson's Avatar
    Join Date
    Aug 2004
    Location
    New York, NY, USA
    Posts
    50
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    codelock.php is indeed 'encoded', however towards the end of the code block you'll find something of the form:
    PHP Code:
    eval($abcde); 
    (you might have to scroll a long way to the right!)
    Now if you were to edit codelock.php and replace the eval with an echo, e.g.
    PHP Code:
    echo($abcde); 
    I suspect that all your protected code would be laid bare for all to see.
    Even though I have my suspicions I must add that "Reverse engineering is illegal and strictly prohibited"

    As I said in my earlier post, this method of code obfuscation is only going to stop the casual observer. Anyone with a bit of PHP knowledge can work through it. It doesn't matter how complex or offputting the encoding is, if changing a mere 4 characters renders it almost useless I'd be more than a little sceptical.


    DNexus - I've not distributed much code so far (I'm still fairly new to PHP), but my choice in Web host was made with ionCube in mind.

  5. #80
    SitePoint Member j8vy's Avatar
    Join Date
    Nov 2004
    Location
    Mchenry, IL (USA)
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by mrobinson
    Even though I have my suspicions I must add that "Reverse engineering is illegal and strictly prohibited"
    I want to be extremely clear with everyone. I am not stealing code here. This PHP program that I am working on is a reciprocal link exchange management program, and it of course has a "spider" built in to it which goes out and checks the other persons web site to see if they are linking back to you at specified intervals based on a cron job.

    Here is the problem, if someone links to me using the following, the spider will still think it is ok (e.g <a href="admin@my-domain.com">My Anchor Text</a>) which is just another way for people to cheat other people out of the PR that is supposed to be passed during a reciprocal link exchange. It is dirty but it happens. Also, you have to give the spider the exact url of the page that their recp link is on, or it won't be able to find it. I want to just enter the domain name, and it should be able to crawl their entier site, like Jayde.com does when you get listed in their directory. I noticed in my logs that their spider crawled my entire site and effectively built a sitemap from it ...

    So I obviously need to work on this spider abit, and I don't think that the guy that I (legally bought the software from, by the way) will care if I improve his spider. Especially since I am not trying to resell it. I just want it to work properly for me. Why does everything have to be evil, I ask?

    You may want to know why I don't just have him fix his own software? ... I'll tell you very quickly. Becuase he is only "a" guy working from his home!. He wrote this software, put up a website, and the stuff is selling, but as you can imagine, now he can't keep up with the support, or upgrades, so ho told me that I would just have to do what I could and wait for the next release. Of course I just can't do that ... Besides, I figure when I get it fixed, I'll just give the "new and improved" code back to him so he can included it in the program. It needs to be for his future customers anyway!

    I am an affiliate marketer, and I am already promoting this product, so it doesn't really make any sense for me to try to steal it since he already has my name, address & SSN, etc. for affiliate payments tax purposes

    Anyway ..., to the issue at hand. the `echo' cmd didn't exactly work ... It just makes the code have even more lines of obfuscation ... Maybe I didn't do it right, but all that I did was changed the `eval' like you said, then executed the script. It just spits out more stuff ... Let me know your thoughts.

    Thanks again for all of your help.

  6. #81
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    codelock.php is encoded, once you change eval to echo, you still have to make the same switch to the echoed code to get rid of the evals
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  7. #82
    SitePoint Member
    Join Date
    Oct 2003
    Location
    USA
    Posts
    11
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by j8vy
    Anyway ..., to the issue at hand. the `echo' cmd didn't exactly work ... It just makes the code have even more lines of obfuscation ... Maybe I didn't do it right, but all that I did was changed the `eval' like you said, then executed the script. It just spits out more stuff ... Let me know your thoughts.
    Good for codelock then. That was my idea. If the "eval" simply returns more lines of obfuscation and requires the person to keep weeding through lines trying to find the white rabbit, you're essentially SCREWED, unless you... keeping... following the white rabbit, and see how deep the wormhole goes. Worse, if like my idea, the functions and trails are modified INTO themselves at every iteration. If they did their job, you're looking at simply emailing the script author and requesting a change. Simply as that.

    ~ DNexus
    FreeWho.com - Internet Identity and Search Tools for Free
    OPTIMIZE.NET - High Performance Webmastery!

  8. #83
    Freelance Web Guy freekrai's Avatar
    Join Date
    May 2003
    Location
    Penticton,BC
    Posts
    400
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    actually, once you do the first eval to echo switch, there's only one other switch to make to the code and it's done.
    Roger Stringer
    DBStract - Build a database - Gather data - View it from every angle
    Other Sites: [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ]


  9. #84
    SitePoint Member j8vy's Avatar
    Join Date
    Nov 2004
    Location
    Mchenry, IL (USA)
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hello,
    I just wanted to say thanks to everyone for their assistance. I guess that I will just have to wait for the owners assistance in upgrading the program.

    I just feel like that would be best after looking at it more. Thanks again.

    -j8vy

  10. #85
    SitePoint Member
    Join Date
    Oct 2003
    Location
    USA
    Posts
    11
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by freekrai
    actually, once you do the first eval to echo switch, there's only one other switch to make to the code and it's done.
    And then again, probably not. If you think through this stuff, you can generally circumvent the obvious.

    ~ DNexus
    FreeWho.com - Internet Identity and Search Tools for Free
    OPTIMIZE.NET - High Performance Webmastery!

  11. #86
    Non-Member
    Join Date
    Jan 2003
    Posts
    5,748
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    kinda against the whole OSS philosophy isn't it?
    You wait until you've spend 9 months+ on a project and I bet you, you'll be wanting your scripts to be encrypted - if you want to make a living that is

    I wouldn't for the life of me release the API that I've developed over the last 18 months, and I make damn sure I protect my property first before I let a client near it.

    If they're not happy with that then tough for them, or if I feel I cannot trust the client, then tough again.

    The cost of Zend Encoder is expensive but it is worth it if you want to make a living nowadays

  12. #87
    SitePoint Member
    Join Date
    May 2005
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Page moved, now it is at http://scripts.freshstartup.biz/demo/obfuscate.php

    But it always get me "Call to undefined function: gzinflate()".

    So I found another free online encoder at: http://www.byterun.com/free-php-encoder.php

    It works ok, but have no IP locking. Please can anyone help me to add this function to already encoded script?

  13. #88
    SitePoint Zealot
    Join Date
    May 2004
    Location
    Malaysia
    Posts
    181
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here are things that have been mentioned, but in an easier form.

    These so called encryption methods are useless. When you run it, it will decrypt itself for the original codes. Then these original codes will be sent to the PHP interpreter, which will compile and execute them.

    It doesn't matter how many steps that you obfuscate or encrypt it, you can always get the source at the point just before PHP interpreter gets it because PHP only understand proper codes.

    The worst of all, every single execution will leads to many decryption function calls, depending on how "strong" the encryption is. It will be a huge performance hit.


    kinda against the whole OSS philosophy isn't it?
    I agree with Dr Livingston. There are many developers out there who code for a living, including myself of course.

    I'm a University student who has very little time to work but spent months on a project with hope that it will bring in some real income soon. I will definitely get an encoder like Zend or ionCube to protect my source.

    In this case, it is wrong that I use PHP (OSS) to make commercial products?

    For stuff that I develope out of my free time, I'll be happy to share it around and support open-source.

  14. #89
    SitePoint Wizard REMIYA's Avatar
    Join Date
    May 2005
    Posts
    1,351
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Redo7
    But it always get me "Call to undefined function: gzinflate()".
    You need to have GZLIB enabled on your server to run.

  15. #90
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Redo7
    ..... but have no IP locking. Please can anyone help me to add this function to already encoded script?

    Just add a condition to check for the IP that you want to "license" your code for. Then after you have that coded in, Encode the script.

    And as for the whole OSS thing....I do that to my scripts so I know who has it and who I will provide support for. Also, I hate it when ppl remove the link from my scripts. So this way I can keep track of who is being "compliant" and who isn't.

    Already had two websites closed by webhosts...all because of a link...

  16. #91
    SitePoint Member
    Join Date
    Oct 2005
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Cool

    I think it is a shame that this project has got forgotten, PHP is becomming more popular, and is heavily used in 3G content Delivery for both Streaming and static content delivery. I would like to encrypt the code, because it is better than Obvuscating it. a CGI would be great, but at least this straight forward method is simple and doesnt require any modification.
    Though I dont seem to be able to get it to work, I get an error on line 1, not able to find the freelock_run function!!

  17. #92
    SitePoint Member
    Join Date
    Jan 2006
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    About the codelock thingy, get the function frm codelock.php or so and use it to decrypt ur project. Chage some code in it and u should be able to do it.

    About the freelock, I tried it oledi. There r bugs..bugs dealing wif var from other files. I use it to encode my CMS and I found out the whole things got screwed up. The eval() is in the freelock_run function which wont deal with global scope properly.

    I've created my own PHP encryptor which will works on most php code. I test it on my CMS and it works fine. Its more secure than freelock as u can't decrypt it in few minutes time.

    Zorex PHP CryptZ
    Last edited by zorex; May 16, 2006 at 05:41.

  18. #93
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by zorex
    Its more secure than freelock as u can't decrypt it in few minutes time.

    how so?
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  19. #94
    SitePoint Member
    Join Date
    Jan 2006
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    what u think about the freelock.php? Encoded? Anyone with basic PHP knowledge can decode it easily...

    from freelock.php change the @eval() to echo to get the function.

    $freelock_active = 'y';
    function case_swap($input) {
    for($i=0;$i<strlen($input);$i++) {
    if(ereg('[a-z]',$input[$i])) {
    $input[$i] = strtoupper($input[$i]);
    } else if(ereg('[A-Z]',$input[$i])) {
    $input[$i] = strtolower($input[$i]);
    } else {}
    }
    return $input;
    }

    function subbytes($input) {
    for($i=0;$i<strlen($input);$i++) {
    $c = ord($input{$i});
    $c -= 6;
    $input{$i} = chr($c);
    }
    return $input;
    }

    function mcrypt_dec($input,$cipher,$mode = 'cbc') {
    if(!extension_loaded('php_mcrypt.'.PHP_SHLIB_SUFFIX)) { dl('php_mcrypt.'.PHP_SHLIB_SUFFIX); }
    $key = substr($input,strlen($input)-48,16); $iv = substr($input,strlen($input)-32,32); $input = substr($input,0,strlen($input)-48); $td = mcrypt_module_open($cipher,'',$mode,'');
    mcrypt_generic_init($td,$key,$iv);
    $plaintext = mdecrypt_generic($td,$input);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return chop($plaintext);
    }

    function decode_xlate($input) {
    global $use_mc;
    if($use_mc != 'y') {
    return case_swap(subbytes($input));
    } else { return $input; }
    }

    function decode_script($script) {
    global $use_zlib;
    global $use_mc;
    if($use_zlib == 'y') {
    $script = gzinflate(base64_decode($script));
    } else {
    $script = base64_decode($script);
    }
    if($use_mc == 'y') {
    $script = mcrypt_dec($script,'rijndael-256');
    }
    if($use_mc != 'y') { $script = decode_xlate($script); }
    return $script;
    }

    function freelock_run($script) {

    echo decode_script($script);//lol change the eval() to echo then run the encrypted script. All the code will come out.
    }

    paste this piece of code into all the freelock.php then everything will be done.

  20. #95
    SitePoint Member
    Join Date
    May 2006
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ioncube
    The reason is two fold. The first reason is because the input to the encoding engine, and hence the output of the decoding process, is binary data and already pretty secure.
    ionCube

    Hi ionCube, I ran across this thread while searching on Google.com

    You stated earlier that you can stick a printf in the php source code.

    Well somebody can just as easily disassemble your ioncube .so shared object file and stick a jmp instruction at an arbitrary point that jumps to new opcodes at the end of the .so file that the person has tacked on. There they can steal the stack data, whatever it may be and view it.

    They can even use that technique to stick a printf, or as much code as they like, and jmp back or even call/ret though it would clear the stack frame to a new level.
    (If not to steal the code verbatim, at least to take the decrypted compiled code then to disassemble it)

    I write lots of php code, and I'd say it's far better idea to have a good relationship with customers and not to support pirated software. Some companies love pirating(Micro$oft) and use it as a marketing tool. But those companies are very irresponsible.

    I think the GNU method, even with software you sell is the best method. Remember Richard Stallman and the printer. Encoding software is not a good method, good relationships and respect for people is a good method.

  21. #96
    SitePoint Enthusiast
    Join Date
    Apr 2004
    Location
    London
    Posts
    77
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi

    Thanks for contributing!

    Quote Originally Posted by beercosoftware
    You stated earlier that you can stick a printf in the php source code.

    Well somebody can just as easily disassemble your ioncube .so shared object file and stick a jmp instruction at an arbitrary point that jumps to new opcodes at the end of the .so file that the person has tacked on. There they can steal the stack data, whatever it may be and view it.
    Hehe, not at all. Firstly, the skill set required is entirely different. Changing the source code of the PHP engine is easy to do with a text editor, and most C programmers of a moderate skill level would be able to identify a likely point to target, add a printf statement, recompile PHP CLI and see what they get with their modified PHP engine. In contrast, and aside from the fact that the execution engine in our Loader uses non-standard opcodes plus a number of other techniques, and that opcodes absolutely cannot simply be "tacked on" at all, understanding anything at all about what happens at the machine code level inside complex software such as the Loader takes many hours of painstaking work, never mind locating relevant portions of machine code, and patching machine code programs is an entirely different game.
    If not to steal the code verbatim, at least to take the decrypted compiled code then to disassemble it
    This would be potentially possible if ionCube compiled code were simply standard compiled code, but this isn't the case, and by necessity, Encoder 6.5 is in a totally different league and ballpark to where your mindset is operating. All other compiled code products evidently do have this weakness, and you don't need to resort to trying to patch binaries at the machine code level as by using mechanisms already in PHP it's possible to access bytecodes and use tools such as VLD on them.

    Remember Richard Stallman and the printer. Encoding software is not a good method, good relationships and respect for people is a good method.
    I saw Stallman at Cambridge (UK) back in the 80's, and he's an entertaining speaker, but with the realities of this industry, encoding is not only a good method, it can be essential. There are actually many reasons why people encode scripts, and protecting products is just one of them. Aware of the inherent security problems on many shared servers in particular, encoding to protect ones scripts from hackers is a growing area. Some companies even encode scripts to protect them from their own employees making unauthorised changes, and to enforce changes to go through the change control and UAT team. Considering the software product market, encoding can be a vital part of a successful business strategy. Whilst many companies using the Encoder will encode their purchased products, some only protect their evaluation copies, and are still highly successful. In an ideal world where everyone was trustworthy, giving away eval copies in source form would be no problem. However, with getting the latest version being simply a case of redownloading an eval, the reality is that this would hurt revenue greatly as it's been shown that a large proportion of downloadees would simply continue to use an eval version instead of purchasing.

    One example is x-cart. Manufacturers of the extremely successful shopping cart product, they began encoding their evaluations and soon reported to us a 500% increase in sales. Not just paying for itself almost instantly, the Encoder was effectively generating revenue for their business, and such an increase would allow any growing company to then invest more in support and future development, further benefitting customers and increasing revenue to fuel business growth still further. Like a bonfire, a business needs a good start and grounding for it to take hold and become self sustaining. Trying to get started when most of your potential sales are being lost would be an uphill struggle, and could quite possibly cause a new business to fizzle out.

    For sure, encoding is not appropriate for every situation, and even if embracing the principle, applying it blindly to every possible file may be both unnecessary and counter productive. However, putting ones thinking cap on and using such tools intelligently and as part of an overall business strategy can be crucial to the long term success and longevity of the product being protected, and ultimately benefitting both producer and consumer alike.
    Last edited by ioncube; May 12, 2006 at 09:11.
    Protection for PHP scripts - ionCube PHP Encoder
    Create Web Application Installers - ionCube Package Foundry

  22. #97
    SitePoint Wizard REMIYA's Avatar
    Join Date
    May 2005
    Posts
    1,351
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by zorex
    what u think about the freelock.php? Encoded? Anyone with basic PHP knowledge can decode it easily...

    from freelock.php change the @eval() to echo to get the function.

    $freelock_active = 'y';
    function case_swap($input) {
    for($i=0;$i<strlen($input);$i++) {
    if(ereg('[a-z]',$input[$i])) {
    $input[$i] = strtoupper($input[$i]);
    } else if(ereg('[A-Z]',$input[$i])) {
    $input[$i] = strtolower($input[$i]);
    } else {}
    }
    return $input;
    }

    function subbytes($input) {
    for($i=0;$i<strlen($input);$i++) {
    $c = ord($input{$i});
    $c -= 6;
    $input{$i} = chr($c);
    }
    return $input;
    }

    function mcrypt_dec($input,$cipher,$mode = 'cbc') {
    if(!extension_loaded('php_mcrypt.'.PHP_SHLIB_SUFFIX)) { dl('php_mcrypt.'.PHP_SHLIB_SUFFIX); }
    $key = substr($input,strlen($input)-48,16); $iv = substr($input,strlen($input)-32,32); $input = substr($input,0,strlen($input)-48); $td = mcrypt_module_open($cipher,'',$mode,'');
    mcrypt_generic_init($td,$key,$iv);
    $plaintext = mdecrypt_generic($td,$input);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return chop($plaintext);
    }

    function decode_xlate($input) {
    global $use_mc;
    if($use_mc != 'y') {
    return case_swap(subbytes($input));
    } else { return $input; }
    }

    function decode_script($script) {
    global $use_zlib;
    global $use_mc;
    if($use_zlib == 'y') {
    $script = gzinflate(base64_decode($script));
    } else {
    $script = base64_decode($script);
    }
    if($use_mc == 'y') {
    $script = mcrypt_dec($script,'rijndael-256');
    }
    if($use_mc != 'y') { $script = decode_xlate($script); }
    return $script;
    }

    function freelock_run($script) {

    echo decode_script($script);//lol change the eval() to echo then run the encrypted script. All the code will come out.
    }

    paste this piece of code into all the freelock.php then everything will be done.
    Wow, nice work

  23. #98
    SitePoint Member
    Join Date
    May 2006
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ioncube
    Hi

    Thanks for contributing!

    Hehe, not at all. Firstly, the skill set required is entirely different. Changing the source code of the PHP engine is easy to do with a text editor, and most C programmers of a moderate skill level would be able to identify a likely point to target, add a printf statement, recompile PHP CLI and see what they get with their modified PHP engine. In contrast, and aside from the fact that the execution engine in our Loader uses non-standard opcodes plus a number of other techniques, and that opcodes absolutely cannot simply be "tacked on" at all, understanding anything at all about what happens at the machine code level inside complex software such as the Loader takes many hours of painstaking work, never mind locating relevant portions of machine code, and patching machine code programs is an entirely different game.This would be potentially possible if ionCube compiled code were simply standard compiled code, but this isn't the case, and by necessity, Encoder 6.5 is in a totally different league and ballpark to where your mindset is operating. All other compiled code products evidently do have this weakness, and you don't need to resort to trying to patch binaries at the machine code level as by using mechanisms already in PHP it's possible to access bytecodes and use tools such as VLD on them.
    Non-standard opcodes eh?

    I've been programming assembly for a few years, and I have several versions of the intel manuals, as well as sparcIII and PPC.

    What non-standard opcodes are we talking about here, and what's to stop you from disassembling and putting a jump instruction in an arbitrary point to jump to a new address at the end of the code section?

    I'm assuming you're doing some kind of checksum in the code that will die if it's not met. Don't fool yourself, that's not going to stop anybody.

    As for shared servers, that's why most software that allows sharing, operate sites in a chroot environment, so people can't simply use php or perl to launch a shell script with exec() or `sh script.sh` in perl. Apache has exec wrappers and ssh will chroot to the virtual site on most modern server sharing software.

    In my experience customizing php software for certain customers, most of the time when scripts are encoded, the customer will need to have it customized and the company that had encoded the script simply turns over the un-encoded version for customization anyway.
    Not many people will use a php script verbatim even with Smarty templates or so forth. And that's one of the wonderful things about php.

    I think that bytecode optimization, such as mono, and java is great, but that encoding is simply not necessary, and it hinders people who actually pay good money for the software the freedom to change it to suite their own environment.

    I'm also not saying anybody that does have the skills should crack your encoder, or Zend's simply to say "hahaha, I did it", such as they do with various video game protections or Aladdin HASP keys. They've pretty much done it all, even to Microsoft, but I think that a person creating php or perl software should consider the benefits of the freedom to modify software for it's customers.

  24. #99
    SitePoint Member
    Join Date
    May 2006
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    ioncube, I think you may be talking about functionality such as aspack,peprotect,ect....

    http://www.aspack.com/

    Standard stuff to stop disassembly. This software is a joke, and the methods are also a joke. Especially on Linux, it's extremely easy to simply pull the data, code, and other sections out of the memory after they are completely loaded into the process.

    On windows it's a bit more difficult, but who uses windows right? haha...

  25. #100
    SitePoint Enthusiast
    Join Date
    Apr 2004
    Location
    London
    Posts
    77
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by beercosoftware
    ioncube, I think you may be talking about functionality such as aspack,peprotect,ect....

    http://www.aspack.com/

    Standard stuff to stop disassembly. This software is a joke, and the methods are also a joke. Especially on Linux, it's extremely easy to simply pull the data, code, and other sections out of the memory after they are completely loaded into the process.
    We're not talking about that.

    Broadly speaking, here is some of the range of different PHP security, or non-security, systems, and where we fit in.

    1. Code is plain source. No security of course.

    2. Plain source wth obfuscation. No security either. Code is still executable and copyable, and can be deobfuscated with tools to a sufficient level to be understandable and modifiable.

    3. Source code hiding. Take your pick on the technique, but methods such as gzinflate/gzdeflate, base64 encoding and character replacement are common, with restored source being processed with eval(). Effective against casual modification to source, but a flawed technique that is easily reversed. Enquiring minds will produce a script to actually reverse the encoding process, and others would simply modify the PHP engine to print out the restored source that is passed into eval(). The latter approach is the general solution. Restored source is easily obtained, and so ultimately the solution is no better than technique 2 or 1.

    4. Compiled code with custom decoder and standard execution engine. Similar to Java and many other languages, PHP source is compiled prior to execution into bytecodes "opcodes" for execution by a virtual machine. This process removes all sourcecode, and the compilation process is a translation to a new language, albeit a simple and not particularly efficient one by a low grade compiler. This process, which is also capitalised upon in accelerator systems for PHP, lends itself to the basis of an effective code protection system. The compiled code is not easily understandable by the vast majority of people, even if disassembled by a tool such as VLD, and due to how the PHP engine works, is effectively not editable to any useful extent without a sophisticated custom tool.

    The use of the standard execution engine does permit opcode discovery and mandate standard opcodes, and a tool such as VLD or a decompiler could be used to assist in recreating what source code could have been. Unlike Java, where decompilers are common, no decompilers are known to exist in the wild yet for PHP, some sites claim to offer decompiler services.

    5. Standard compiled code and closed source executor. At this level, things are more serious, keeping opcodes away from the main execution engine. This can be effective, but the potential for discovering decoded opcodes in memory does exist.

    6. Non-standard compiled code and closed source executor. Without imposing too many compromises on the overall system for the end user, this is the preferred mechanism. At this level, not only is compiled code processed with a closed source executor, but the compiled code is non-standard in some way or other. For a hacker, the challenge here is increased as if implemented well, it should not only be difficult to obtain the compiled code, it will be even less easy to know how to relate the compiled opcodes to source code constructs due to the format deviating from the "published" standard. A good solution at this level will also employ other techniques to frustrate attempts to analyse the compiled code format.

    The latest ionCube 6.5 system is an advanced implementation of ideas at level 6 plus some others not mentioned. Given that the holy grail of total security doesn't exist, and that even with a level 6 system the possibility of opcode discovery and decompilation still exists in theory, complementing this with other techniques that may prevent reconstruction of accurate or working code even if a decompiler is used would be a further challenge for hackers to work through.

    Beerco's point about customers needing to modify code is a fair one, and whilst there are plenty of scenarios where the end user would not need to modify the code and where encoding is highly desirable, there are cases where the end user will want to and should be able to. In general, providing an entire evaluation of a commercial product in source form is never a good idea unless you have other protection in place such as NDA's, and it's rarely required (there are some cases where it might be a pre-sales requirement but this isn't the norm), but after that, each vendor should decide what's best for their case. Providing at least some parts of a product in source form may be crucial to its success, but every case is different.
    Protection for PHP scripts - ionCube PHP Encoder
    Create Web Application Installers - ionCube Package Foundry


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •