Free PHP script encoder

lol…
replace eval with echo :slight_smile:

Heh, this is what I use :

Online version that’s free. You can unencrypt it though, (It is possible), but it’ll scare away the hackers if you put something on the header part of it ‘Go away - All encrypted’

http://richard.fairthorne.is-a-geek.com/utils_obfuscate.php

Have fun, all.

  • Mike.

Actually, I use a system similar to this, but modified. It’s based on the “Treachorous Strength” mode that this script has and it’s not easy to decrypt. Much more difficult than the others.

I get the following error:
Call to undefined function: gzinflate()

I am using greater than 4.0.4… how do I install the module or whatever?

Hmm, same error here with 0.9.1.0 but 0.8 works fine. There is something wrong in the changes in between.

Scripts to hide source code such as this can be fun to write and a novelty to use, but to all users, please be aware of the limitations and the pros-and-cons to both approaches. I’ll cover them here, and you may find some surprises.

As has been said elsewhere, it’s trivially easy to get source back from these systems because they have the fundamental flaw of encoding source, and more to the point, restoring source at runtime. You can try to hack the files, and this may be easy enough, but it might break license agreements and take more effort than is actually necessary. All that is necessary is to put a printf statement into the C routine that compiles strings inside the PHP engine. Recompile PHP CLI and bingo!, you have a generic script decoding engine. This will work for all source based systems including codelock and the ones described here.

To provide a balanced view, it can be an advantage of source based systems that they typically require no platform dependent decoding engine, however this is probably a minor benefit when considering the downside of it being trivial to restore the original code from your scripts.

So as has been written already, the way to go is to use a compiled code engine such as Zend, ours, or even a free one such as mmcache, although being opensource and unsupported is a downside there. Someone commented on Zend being hacked. We too have heard that some Russians reverse engineered some Zend compiled code from modernbill scripts, but it took many weeks to recreate what source may have looked like for one or two files. Even after doing this, there could easily have been errors in the recreation, and it could not be considered to be a success. They also tried to hack ionCube files, but got nowhere at all as they couldn’t get at the compiled code stream, and so went back to the Zend files. I’m sure that they gave up after a while.

So, why is compiled code encoding so good?

The reason is twofold. The first reason is because the input to the encoding engine, and hence the output of the decoding process, is binary data and already pretty secure. The compiled code is obscure, is not source code, and would require a detailed knowledge of the PHP engine and compiler in order to be able to recreate what the source code could have been like. A second and equally important reason is that compiled code is restored and executed inside a closed source component. This makes the compiled code hard to get at, and keeps it away from the opensource execute() routine inside PHP. In other words, if a hacker tries to breakpoint on execute() to single step through the compiled code, they’ll be disappointed because it’s not called.

Are there any other benefits to compiled code and problems with source tools?

Sure. The main one is performance. Source based encoding systems only add overhead to the decoding process. For trivial scripts this may not matter, but for proper applications this can be a killer. Because of the reliance on eval(), it may also be the case that using an accelerator will not help in these cases.
Compiled code systems parse and compile the code even before encoding, and at runtime these steps don’t need to be performed again. It’s the elimination of these steps that is the key to accelerators such as mmcache and phpa, and even though decoding compiled code protected files adds overhead, the end result can still be that there’s a net performance gain because of the inherent acceleration in the process. We have a benchmarks page at

It’s a little old, but still valid none the less as a broad indicator.

So in conclusion and to paraphrase a popular saying, “you don’t get what you don’t pay for”, and the buyer/user should proceed with eyes wide open, and be ready to ask plenty of questions of the provider of any solution that they’re trusting their future livelihood to.

For the professional developer that has made a significant investment in time and money to develop an application, and where there is significant financial risk from having code stolen or license agreements broken, a compiled code solution is the only way to go. Such tools are not expensive, and almost nothing if using a pay as you go online encoding solution. Overall they give great value.

For the person dabbling with protection, wanting to hide scripts but where the downside of a negative performance impact and real risk of having those scripts undone is not really an issue, then a source based approach is fine, and possibly the cheapest way to go.

ionCube

Actually, I have used that code to make my own decoder/encoder. Go to http://www.ajblog.info/signup.php to signup for it. You can then go to http://www.ajblog.info/encoder for the actual encoder. Of course, I went the extra step and added decoding functions :wink:

The only way this can be really tricky is if you do Rediculous strength, with an odd number, like 57. No one would guess that, and it would take anyone a really long time to figure it out, so you’d be pretty safe… Enjoy!

nice!

A few months ago I developed a script encoding system along the same lines (completely written in PHP). I even used gzip/base64 to obscure the code as you describe (although to limit performance degradation I only did this 3 times). I even went as far as to work on an extension module (quite a learning curve with no C experience).

I quickly decided that I wouldn’t develop it further. Unfortunately, regardless of the encoding method used it will need to be decoded and evaluated at some point. As has already been suggested this is the weakness (You beat me to it Daijoubu, read “replace eval with echo”).
I also found script performance was affected (especially if there were many included files).

This encoding method will put off most casual viewers and novices, but anyone serious about PHP could find a way around it (IMO). :xeye:

I’m not saying that this encoding method cannot be successful, but be aware of its limitations.

For any serious work I would want my code compiled (and I lean towards IonCube).
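The limitation described in the post above (any number of gzip/base64 passes still has to be reversible by the script itself), shown as an added example that is not part of the original thread or of any encoder mentioned in it. It models the `eval(gzinflate(base64_decode('...')))` wrapper with three passes over a constructed one-line script and then recovers the inner text statically, without executing it; the names `wrap_layer`, `peel` and the sample string are assumptions made for the illustration.

```python
import base64
import re
import zlib

# The wrapper form discussed in this thread, and nothing else.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*;"
)
MAX_OUTPUT = 4 * 1024 * 1024  # cap per layer so a hostile blob cannot exhaust memory


def wrap_layer(php_code: str) -> str:
    """Model one encoder pass: raw deflate, base64, wrap in the eval stub."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, as gzinflate() reads
    blob = comp.compress(php_code.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


def peel(php_code: str, max_layers: int = 50):
    """Undo wrapper layers by decoding only; nothing is ever executed.

    Returns (inner_code, layers_removed). Stops at the first text that is
    not a bare wrapper, that fails to decode, or that exceeds MAX_OUTPUT.
    """
    current = php_code.strip()
    layers = 0
    while layers < max_layers:
        match = WRAPPER.fullmatch(current)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            inflater = zlib.decompressobj(-15)
            out = inflater.decompress(raw, MAX_OUTPUT)
        except (ValueError, zlib.error):
            break  # malformed layer: leave it for manual review
        if not inflater.eof:
            break  # truncated stream or output over the cap
        current = out.decode("utf-8", errors="replace").strip()
        layers += 1
    return current, layers


# Constructed sample: a harmless one-line script, wrapped three times.
CONSTRUCTED_SOURCE = 'echo "licensed to example.invalid";'
CONSTRUCTED_SAMPLE = wrap_layer(wrap_layer(wrap_layer(CONSTRUCTED_SOURCE)))

if __name__ == "__main__":
    inner, depth = peel(CONSTRUCTED_SAMPLE)
    print("layers removed:", depth)
    print(inner)
```

Each extra pass costs the protected script another inflate at every request, while the reviewer's loop simply runs one more iteration.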

Why doesn’t your script work with my file?

<?php eval(gzinflate(base64_decode(‘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’))); ?>

You made excellent points I hadn’t even considered until now. However, I wonder if a combined perspective would ease the concern:

Apache/PHP/mysql and the likes make the source available. According to the open license, it then allows users to customize components and scripts to sell on as their own.

This could help developers who may find their scripts are being distributed–by innocent mistake, even.

Your second concern is even more a concern for me, too. Often, scripts, components etc are “the best you can find to fit”. But tweaking is always a necessity.

In the end, I like freebies, so I dislike it for that selfish reason :wink: But I see the benefits. Especially if there were a way for developers to include a one off “crack” code for their customers.

There’s a long way to go before this can be called an application. I uploaded to both UNIX and LINUX platforms where the script failed to open any of the specified directories and produced the longest error sheet I ever saw. Yes I made the directories writable. Also tried this on a win based environment and again errors. This was your 6.1 version.

Here are errors from your latest version:
The errors are the same regardless of environment Brian.

Warning: opendir(http://www.mysite.co.uk/freelock): failed to open dir: not implemented in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 148

Warning: readdir(): supplied argument is not a valid Directory resource in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 149

Warning: fopen(http://www.mysite.co.uk/freelock/out/freelock.php): failed to open stream: HTTP wrapper does not support writeable connections. in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 171

Warning: fwrite(): supplied argument is not a valid stream resource in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 172

Warning: fclose(): supplied argument is not a valid stream resource in /home/e/p/mysite/public_html/freelock/freelockenc.php on line 173
Outputted encoded freelock.php as http://www.mysite.co.uk/freelock/out/freelock.php

Ok. I’ll say this much, I’ve been evaluating systems like Codelock and also looked at the technique of Richard Fairthorne’s example… and I see them as perilously flawed, for these reasons.

I started working to conceive my own, and I think I came up with a very interesting solution. I’ll note a caveat at this point however. The remarks made by ioncube are sobering. If someone has the knowledge to recompile a customized version of the php interpreter, they may well be able to hand themselves a version of your source code… but, I think the technique I’m thinking of still suggests a much more secure obfuscation method than these others.

My thought… as you see people base64 and gzip at a number of levels. What if you had more customized functions on every level of obfuscation changing “the game”? If instead of using standard php functions, you used your own functions at each level, and some of these functions (at the deeper levels), used facets of information from each of the previous levels… to the degree that one would literally need to sit and piddle through the levels, and follow the code logic like breadcrumbs… up and down the consecutive levels of obfuscation.

For example…

Final code might look like this…

function o(m,p){var out="";var I1O1I,OI10,II00="";
var O00O,OO0O,O0O0,OOO0="";var i=0;m=m.replace(/[^A-Za-z0-9+/=]/g,"");
eval(p);return out;}m="FN8D%q0UTRD0<s*9S%TS.M&i@[}#@3Ti.%OsEm0U.w9[U%HfFJ*7TQu8F#D0<w&v@squ<3H[UJiu>IihU#iD%s*q<RTf@dGq<3H[nQ91<R}v<sr=nMT=nRSeTRD0<smu>Im&UIu7NGeqSQvwU%HfF%r=nRTi.M4eTRD0<sujWIuwTq0US%}0<wvjURD1{dD0<squ<3H[V%HfVNOfUI{wNGeqSRH[>M0e<3Ls<3H[U%H=nRSiTQuhWIm&UIuf<RTf@dGqSs0sEm0UpG0UNGe/Fqzz";do{O00O=k.indexOf(m.charAt(i++));OO0O=k.indexOf(m.charAt(i++));O0O0=k.indexOf(m.charAt(i++));OOO0=k.indexOf(m.charAt(i++));I1O1I=(O00O<<2)|(OO0O>>4);OI10=((OO0O&15)<<4)|(O0O0>>2);II00=((O0O0&3)<<6)|OOO0;s=String;x=s.fromCharCode;out=out+x(I1O1I);out=(O0O0!=64)?out+x(OI10):out;out=(OOO0!=64)?out+x(II00):out;I1O1I=OI10=II00="";O00O=OO0O=O0O0=OOO0="";}while(i<m.length);o(m,p);

(NOTE: The string above is basically a javascript example, but just translate it in your head to php.)
A mutating string of characters could be used to perform a “string translate” at different points (in different ways), and equations could be used to construct strings and behaviors up and down the deobfuscation hops.

Essentially, what if NEW functions were introduced at each deobfuscation hop, and each of those functions may be combined mixed and matched at any point in the hop, in getting to the hop that follows. I would say 10 “hops” max would have the code in such a state as to be an absolute irritation to understand. The only way to GET the code, would literally be to RUN it, or to literally step through the code, having each level of obfuscation on a separate page that you could reference, and track the logic from. Though… fractured correctly, it may be ultimately impossible for most people to interpret (or follow).

While your “encrypting” script could “encrypt” your code in seconds, you would not be able to “decrypt” very easily at all, as you could even make the self evaluating process of the script different every single time you perform an encryption (as the script “decrypts” itself, so you’ll never need to do much else).

Looking at codelock, it seems even that project saw fit, only to gzip/base64 the code a number of times, before letting out into a body of code that further tried to rearrange things. To me, that’s all fine and good, but it completely smacks of “easy to get at” to me. If all you’re going to do is gzip/base64, before letting people at the final code logic… it’s pointless. Even using it at one level in vanilla form is pointless. The method I suggest above seems much more impenetrable (with the exception of… REALLY REALLY determined expert hackers, or people that can recompile the PHP CLI to their liking).

I’m going to keep working on the method I suggested, unless someone who understands what I’m describing can find a fatal flaw other than what I’ve pointed out. I also wanted to try SourceGuardian, but it’s as expensive as Zend and Ion, and also requires PHP version specific files to be distributed (so if they ever go away, or slow their release of new versions for new versions of PHP, you’re a little up the creek).

How easy have people found it to distribute files that have been encoded with IonCube or Zend? That’s the only thing that puts me off using them… the idea that users may have Hosting companies that make it impossible to use them, or that they simply don’t know how to get these systems up and running easily. Is it easy?

Regarding the argument of using open source products to create closed-source products… I think that’s bonkers. PHP wouldn’t be where it is today without being open sourced. It’s a particular model. If everything should be OPEN SOURCE that used open source technology, things would get more expensive, as people would need to make up for the THEFT levels. vBulletin and X-cart have to deal bitterly with levels of theft, yet not all products can be as popular as those two, to make up for the theft. That’s just reality.

~ DNexus

As opposed to different functions, alternatively, you could simply create a class, and “extend” the class at different levels of obfuscation, so that the same function may mean different things at different points in the code execution. Using a class, the code could pass new variable assignments into the object and change the way the functions behave as well. The final point being that when you “think” you see the point at which the code is evaluated, you may not have any clue what really happened unless you sat there and puzzled it all out… which would be a different technique based on this method randomly every time a script is encrypted.

To me, the only level of security past this, could be a byte-code interpreter like Zend or Ioncube. I would imagine the same technique used to quickly decrypt the method described above would work on Source Guardian, or anything else that doesn’t by-pass the execute() command. The benefit of a method like this being that it is PHP version independent… which is what bugs me about Source Guardian (and even the encoders).

~ DNexus

Is anyone interested in helping me with a couple of files encrypted with codelock?

I have read the posts above, but I can not seem to find any eval() statements and I do not own the web server so adding ‘printf’ to the C routine that compiles PHP runtime files is also out the window.

I appreciate your help in this matter. I can also post the files for download as .txt files if that is necessary. One of them may be too long for the forum.

P.S. I am not trying to steal anyone’s code, and I am not trying to redistribute any code illegally or anything. I am just trying to customize this program so that it will work for me. Thanks again.

-j8vy

first of all, adding printf to the C routine isn’t for codelock.
Look at codelock.php, that’s where you’ll find the eval statement.

Ah, but it is encoded as well. You may view it here:

My codelock.php file

Regards,
-j8vy

codelock.php is indeed ‘encoded’, however towards the end of the code block you’ll find something of the form:

eval($abcde);

(you might have to scroll a long way to the right!)
Now if you were to edit codelock.php and replace the eval with an echo, e.g.

echo($abcde);

I suspect that all your protected code would be laid bare for all to see. :eek:
Even though I have my suspicions I must add that “Reverse engineering is illegal and strictly prohibited”

As I said in my earlier post, this method of code obfuscation is only going to stop the casual observer. Anyone with a bit of PHP knowledge can work through it. It doesn’t matter how complex or offputting the encoding is, if changing a mere 4 characters renders it almost useless I’d be more than a little sceptical.

DNexus - I’ve not distributed much code so far (I’m still fairly new to PHP), but my choice in Web host was made with ionCube in mind.

I want to be extremely clear with everyone. I am not stealing code here. This PHP program that I am working on is a reciprocal link exchange management program, and it of course has a “spider” built in to it which goes out and checks the other persons web site to see if they are linking back to you at specified intervals based on a cron job.

Here is the problem, if someone links to me using the following, the spider will still think it is ok (e.g <a href="admin@my-domain.com">My Anchor Text</a>) which is just another way for people to cheat other people out of the PR that is supposed to be passed during a reciprocal link exchange. It is dirty but it happens. Also, you have to give the spider the exact url of the page that their recp link is on, or it won’t be able to find it. I want to just enter the domain name, and it should be able to crawl their entire site, like Jayde.com does when you get listed in their directory. I noticed in my logs that their spider crawled my entire site and effectively built a sitemap from it …

So I obviously need to work on this spider a bit, and I don’t think that the guy that I (legally bought the software from, by the way) will care if I improve his spider. Especially since I am not trying to resell it. I just want it to work properly for me. Why does everything have to be evil, I ask?

You may want to know why I don’t just have him fix his own software? … I’ll tell you very quickly. Because he is only “a” guy working from his home!. He wrote this software, put up a website, and the stuff is selling, but as you can imagine, now he can’t keep up with the support, or upgrades, so he told me that I would just have to do what I could and wait for the next release. Of course I just can’t do that … Besides, I figure when I get it fixed, I’ll just give the “new and improved” code back to him so he can include it in the program. It needs to be for his future customers anyway!

I am an affiliate marketer, and I am already promoting this product, so it doesn’t really make any sense for me to try to steal it since he already has my name, address & SSN, etc. for affiliate payments tax purposes :lol:

Anyway …, to the issue at hand. The ‘echo’ cmd didn’t exactly work ... It just makes the code have even more lines of obfuscation ... Maybe I didn’t do it right, but all that I did was change the ‘eval’ like you said, then executed the script. It just spits out more stuff … Let me know your thoughts.

Thanks again for all of your help.