PHP Encoders

Re: PHP Encoders


"Jerry" <eagleflyer2@ly cos.com> wrote in message
news:cthkrv0aj0 h0cu04g592rr6bh qfdn29kpk@4ax.c om...[color=blue]
> Hi there !
>
> I am curretly looking for suitbale solutions for encoding PHP scripts
> after developing a couple of comercial applications in PHP.
>
> Has anybody made any experience with several encoders like IONCUBE,
> SOURCEGUARDIAN, ZEND, etc... so far?[/color]

You might consider

[color=blue]
> I just tested an evaluation copy of IONCUBE's php encoder which worked
> pretty fine. Runtime decoding is really fast and easy to implement.
> Has anybody some deeper insight into this issue?[/color]

Ours doesn't have any runtime decoder at all; no need to change
the target server at all. But folks might rightfully accuse us of being
biased since we
are a vendor. So I'll otherwise stay mum on the topic, and let
the community have its say.

-- IDB

Re: PHP Encoders

Hi Ira:

Many thanks for your tip. In fact I already came across your website
once. Please feel free to comment as much as you like. I am thankful
for every little bit of info I could get. I will be frank with you:

I have always been a little bit reluctant to use obfuscators since the
source code does not actually disappear and it should not be too
difficult to find the correct patterns and algorythms to map and
restore the scrambled code. One could possibly write a good piece of
code that would do exactly that.

Instead the e.g. ioncube encoder really encodes the scripts and
requires only one file (the "runtime-loader") to be uploaded along
with the encrypted scripts onto the server to make the scripts
executable. Since the scripts run as a compiled application they are
even faster than unencrypted PHP scripts. So, this seems an
interesting alternative to me.
Costs: Your obfuscator costs US$150.00. The ioncube encoder starts at
US$199.00 Personally, I find it's worth the difference.

What is your take on that?
Thank you for your help and opinion.

Jerry

P.S. NO, I'm in no way affilated with ioncube. It's just the software
which I had a chance to test so far. :-)


On Tue, 18 Nov 2003 16:53:21 -0600, "Ira Baxter"
<idbaxter@semde signs.com> wrote:
[color=blue]
>
>"Jerry" <eagleflyer2@ly cos.com> wrote in message
>news:cthkrv0aj 0h0cu04g592rr6b hqfdn29kpk@4ax. com...[color=green]
>> Hi there !
>>
>> I am curretly looking for suitbale solutions for encoding PHP scripts
>> after developing a couple of comercial applications in PHP.
>>
>> Has anybody made any experience with several encoders like IONCUBE,
>> SOURCEGUARDIAN, ZEND, etc... so far?[/color]
>
>You might consider
>http://www.semdesigns.com/Products/O...bfuscator.html
>[color=green]
>> I just tested an evaluation copy of IONCUBE's php encoder which worked
>> pretty fine. Runtime decoding is really fast and easy to implement.
>> Has anybody some deeper insight into this issue?[/color]
>
>Ours doesn't have any runtime decoder at all; no need to change
>the target server at all. But folks might rightfully accuse us of being
>biased since we
>are a vendor. So I'll otherwise stay mum on the topic, and let
>the community have its say.
>
>-- IDB
>
>[/color]

Re: PHP Encoders

Jerry wrote:[color=blue]
> I have always been a little bit reluctant to use obfuscators since the
> source code does not actually disappear and it should not be too
> difficult to find the correct patterns and algorythms to map and
> restore the scrambled code. One could possibly write a good piece of
> code that would do exactly that.[/color]

Same here. In fact, the first step for this process would be to use
something like:


Allowing the code to be easier to read and in a consistent format,
making it easier to write a script for the rest.

--
Justin Koivisto - spam@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Re: PHP Encoders

Jerry <eagleflyer2@ly cos.com> wrote in message news:<cthkrv0aj 0h0cu04g592rr6b hqfdn29kpk@4ax. com>...[color=blue]
> Hi there !
>
> I am curretly looking for suitbale solutions for encoding PHP scripts
> after developing a couple of comercial applications in PHP.
>
> Has anybody made any experience with several encoders like IONCUBE,
> SOURCEGUARDIAN, ZEND, etc... so far?[/color]

Did you try http://pobs.mywalhalla.net/ ?

---
"One who mix sports and patriotism is a barbarian"
Email: rrjanbiah-at-Y!com

Re: PHP Encoders

"Jerry" <eagleflyer2@ly cos.com> wrote in message
news:t37mrvs5ot h98femkgj9t52sg qkc6ipt37@4ax.c om...
[color=blue]
> I have always been a little bit reluctant to use obfuscators since the
> source code does not actually disappear and it should not be too
> difficult to find the correct patterns and algorythms to map and
> restore the scrambled code. One could possibly write a good piece of
> code that would do exactly that.[/color]

I don't know what you mean by "restore the scrambled code" after
obfuscation. The comments are gone, so no tool or person
can restore them without essentially simply guessing.
The identifier names are meaningless, and restoring them
to something sensible means you pretty have much have
to understand what the code is doing in order to choose
a good name.

So I don't think you can write a "tool" to do this at all.
(Another poster observed that you *can* use a tool
to reformat obfuscated text so its block structure is visible.
Our tool also can format and so can be used for that purpose too,
but the real value in the obfsucation is the removal of comments
and scrambling of names).

If you have a really small applicaiton, obfuscation won't "hide"
it very well. If you have a really big application, in our opinion,
the number of names that have to regenerated becomes pretty
daunting for would-be reverse-engineer.
[color=blue]
> Instead the e.g. ioncube encoder really encodes the scripts and
> requires only one file (the "runtime-loader") to be uploaded along
> with the encrypted scripts onto the server to make the scripts
> executable. Since the scripts run as a compiled application they are
> even faster than unencrypted PHP scripts. So, this seems an
> interesting alternative to me.[/color]

"Encoding" the script doesn't prevent reverse engineering.
It just raises the effort level required to decode it.
(I'll cheerfully admit it raises it somewhat higher than
obfuscated source.)

Ultimately, if somebody wants to reverse engineer your code,
they can. So the real question is, what's enough protection?
Most people don't use a bank vault locks on their front door.
Deadbolts are good enough for the majority.
[color=blue]
> Costs: Your obfuscator costs US$150.00. The ioncube encoder starts at
> US$199.00 Personally, I find it's worth the difference.[/color]

OK. Everybody makes their choice.

We chose to provide source obfuscation because while
you may have a customer for your PHP source code,
you can't always tell your customer what he must run on his server.
Of course, if your customer *wants* to run with a PHP compiler,
he can do that with obfuscated source, too, but now
it is his choice, not yours.
[color=blue]
> What is your take on that?
> Thank you for your help and opinion.
>
> Jerry[/color]


--
Ira D. Baxter, Ph.D., CTO 512-250-1018
Semantic Designs, Inc. www.semdesigns.com

Re: PHP Encoders


"Justin Koivisto" <spam@koivi.com > wrote in message
news:m5Mub.1063 $Uz.32494@news7 .onvoy.net...[color=blue]
> Jerry wrote:[color=green]
> > I have always been a little bit reluctant to use obfuscators since the
> > source code does not actually disappear and it should not be too
> > difficult to find the correct patterns and algorythms to map and
> > restore the scrambled code. One could possibly write a good piece of
> > code that would do exactly that.[/color]
>
> Same here. In fact, the first step for this process would be to use
> something like:
> http://www.tote-taste.de/X-Project/beautify/
>
> Allowing the code to be easier to read and in a consistent format,
> making it easier to write a script for the rest.[/color]

X-Project/beautify explicitly claims it doesn't work on
all code. If you used it on obfuscated code, and it damaged
it, you'd have a heck of time understanding the result.

If you insist on this, you could use:

This does work for all PHP constructs, by virtue of being
a full PHP parser.

Having made the code nicely indented, however, you still have to guess
at whatever comments were lost, and you still have to reinvent meaningful
names for all the variables and functions. For tiny programs, you
can probably do this. For a program with several hundred variables
(how big are yours?) this is actually an immense amount of work.

And you can't "automate" the reconstruction of the comments or
the variable names. So this doesn't strike me as a great
deal of help. YMMV.

--
Ira D. Baxter, Ph.D., CTO 512-250-1018
Semantic Designs, Inc. www.semdesigns.com