Solved

PHP obfuscator

Posted on 2004-09-01
12
1,105 Views
Last Modified: 2007-12-19
hello experts,

i am urgently in need of something to obfuscate my php-scripts. best would be a little application i can give a certain php-script, that generated a new file and puts it down.

i have tried POBS, but it did not fit my needs. first i need a webserver (sometimes uncomfortable). next problem - i did not divide php-scripting and html in older scripts. if i have to show something to the user, i have sections in my php-code where i use print "html html html".$aPhpVariable."and so on with html"; - POBS gets confused with it. also POBS cuts the backslash from \n in my print(s).

so next the features the obfuscator should have:
-take a file or a piece of code and produce a running piece of obfuscated code (unreadable for other programmers - that do not have weeks of time...;)
-free tool
-binary file for windows-pc (that would be most comfortably - in case of emergency also other - for example php running on webserver, online, ...)
(-perhaps as a gimmick producing optimized code)
(-if it is also able to obfuscate other languages too...;)

it would be great, if you could show me some tools achieving these aims.

thank you very much in advance
0
Comment
Question by:kolpdc
12 Comments
 
LVL 25

Expert Comment

by:Squinky
ID: 11953734
I use Turck mmcache - turck-mmcache.sourceforge.net. It usually works in conjunction with a web server for acceleration purposes, but it also builds command line tools for separately producing bytecode compiled (effectively obfuscated) PHP. It also optimizes. And it's free. The main site doesn't host a binary, but you should be able to compile it, or possibly find a binary that someone else has compiled, though note that it gets very firmly attached to particular builds of PHP.

This kind of thing is very specific to PHP, so I doubt you'll find a product that supports more than one language.
0
 
LVL 25

Expert Comment

by:Squinky
ID: 11953859
I just noticed that it links to http://phpcoder.shadonet.com/ phpcoder is a web-based front-end to the mmcache encoder, and allows you to encode scripts remotely. What's more you can use turckloader, which will run encoded scripts without having to have a full install of mmcache. Encoded scripts are also compatible with other accelerators, such as Zend encoder.

I've had some trouble with mmcache under PHP 5.0.1, but it's been flawless on 4.3.8.

I think that pretty much covers all you asked for!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11954260
kolpdc,

I followed your link here from the Networking TA. While I don't have an answer to your Question, it would probably be helpful to other Experts if you stated here what about Squinky's proposals fails to meet your requirements. Experts are, well, experts, not mindreaders. Unless you say something, anyone else coming here is not going to know why previous Comments are not what you're looking for. Heck, Squinky might even have the solution, if you'll say why the Comments so far are not what you need.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961094
hello psicop, yes - no problem. i had to take a look for a little amount of sleep ;). i'll check this now.

squinky, i took a look for turck mmcache for php. generally that sounds great, but the page seems to tell me, that i'll have to install mmcache within the webserver. did i understand this right? mmcache compiles the code and stays itself somewhere in memory of the webserver to execute the code when required? a kind of accelerator? generally that would do the job better than hoped for, but i have one little problem: i'm dependent of my isp - so i do not have more access to the webserver then normal ftp. if i misunderstood the way of working of mmcache - please correct me.

so if i am only able to upload/download some files to the webserver, i think, i need a tool, that somehow crypts my php-code. it does not have to be compiled somehow so it is optimized/accelerated (would be nice side-effect;). my problem would be solved, if i could hand one of my php-scripts to a tool and receive a working php-script i am not able to reconstruct to an understandable code in reasonable time.

i thought of building a tool myself (strip comments, rename all functionnames, rename function-internal variables, rename global variables, strip linebreak, ...), but i do lack the time at the moment. if somewhen i should do it, i'll make it freeware ;).

could i give you a little more information about my requirements?
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961116
squinky, turck mmcache sounds great - but i am not able to modify the apache-server. so this won't work, i think.
0
 
LVL 6

Assisted Solution

by:merwetta1
merwetta1 earned 50 total points
ID: 11961246
Have you looked at Code Obfuscator?
http://www.hotscripts.com/Detailed/10841.html
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 25

Expert Comment

by:Squinky
ID: 11961567
OK, in that case you can only do fairly trivial obfuscation, like that link offers. One thing I'm not quite clear on is why you're particularly worried about protecting your source on your ISP's server. No other users should be able to access your source files (especially if they have similar privileges to you), and it will not be visible through normal web pages anyway, so where's the need for obfuscation?

Any decent PHP pretty-print routine will resurrect code obfuscated in this way without any great user ability, so any protection really is trivial.

If you're distributing PHP code commercially, requiring something like turckloader isn't unusual.

If you're really that concerned about it, perhaps you should change to a better ISP? There will be plenty that offer Zend or mmcache.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961607
merwetta1, following your link i found an online-tool doing a real great job:

Richard Fairthorne's Code Obfuscator
http://richard.fairthorne.is-a-geek.com/utils_obfuscate.php?

it works with only cut and paste and produces a very compressed and WORKING code. great thing i could recommend. was it the tool you ment?
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961678
squinky, i built a big portalside providing free informations on anything around a touristic region with some friends several years ago. when it became to timeconsuming, i changed some parts of the page (like event-calendar, ...) to dynamic php-scripts to reduce time-consumption. unfortunately people change and have very good reasons to believe that one of the guys is using my scripts for his own (commercial) purposes. we both have access to the webspace...

have you had a look at the above link? if not, take a little (or big) piece of code, paste it, push the button and take a look at the result. works really great...
0
 
LVL 25

Accepted Solution

by:
Squinky earned 450 total points
ID: 11961813
Hm, it doesn't really work very well. It doesn't actually do any code-level obfuscation at all. It just applies about 12 rounds of gzip and base64_encode to the script which took me all of 2 minutes to undo (since the approach it uses for obfuscation is nicely self-documenting!), and now I know what it's doing, I could write a scritp to undo all fiels that it had been applied to. The code it generates is also slightly invalid, and won't work with short tags turned off. The main effect of this script is to make it run slower and increase server load. I really wouldn't recommend it.

My suggestion to you if you're having trouble like that, is stop working with them, host your scripts somewhere that they don't have access to them - you could even put them on a different server and have it all still work. Or cut them off and don't allow them access to your web space. Get your ISP to make you a subdirectory that only you have access to. Any of these would be a far more effective and efficient solution.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11962318
yes, you're right. in betweentime i use separated webspaces where this special person does not have access to. so normally i'm in no need of obfuscation. but this old portal is still working and telling the guy that i do not trust him anymore (i have very good reasons) would result in very big arguments and a portal sold for 500 bucks that i would not like to sell for 10.000 (not at all!).

in case of the "zip"-tool, you're right. but in first instance it fits my needs. i do not think, that there are geniuses at the other end. if so, i will have to take a look for another tool. or finally i will write a tool myself, absolutely fitting my needs. if i would have time to spend (at all), i would do it... ;)

i thank you very much for your help. if you still have any other suggestions, please post'em so i can take a look at them.
i will split points on both of you. thanks a lot.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11972298
if someone of you likes to get 80 points extra go to http://www.experts-exchange.com/Security/Q_21115352.html and give me an answer so i can give you the points. else i'll get them refunded.
have fun.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
The viewer will learn how to count occurrences of each item in an array.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now