• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1155
  • Last Modified:

PHP obfuscator

hello experts,

i am urgently in need of something to obfuscate my php-scripts. best would be a little application i can give a certain php-script, that generated a new file and puts it down.

i have tried POBS, but it did not fit my needs. first i need a webserver (sometimes uncomfortable). next problem - i did not divide php-scripting and html in older scripts. if i have to show something to the user, i have sections in my php-code where i use print "html html html".$aPhpVariable."and so on with html"; - POBS gets confused with it. also POBS cuts the backslash from \n in my print(s).

so next the features the obfuscator should have:
-take a file or a piece of code and produce a running piece of obfuscated code (unreadable for other programmers - that do not have weeks of time...;)
-free tool
-binary file for windows-pc (that would be most comfortably - in case of emergency also other - for example php running on webserver, online, ...)
(-perhaps as a gimmick producing optimized code)
(-if it is also able to obfuscate other languages too...;)

it would be great, if you could show me some tools achieving these aims.

thank you very much in advance
2 Solutions
Marcus BointonCommented:
I use Turck mmcache - turck-mmcache.sourceforge.net. It usually works in conjunction with a web server for acceleration purposes, but it also builds command line tools for separately producing bytecode compiled (effectively obfuscated) PHP. It also optimizes. And it's free. The main site doesn't host a binary, but you should be able to compile it, or possibly find a binary that someone else has compiled, though note that it gets very firmly attached to particular builds of PHP.

This kind of thing is very specific to PHP, so I doubt you'll find a product that supports more than one language.
Marcus BointonCommented:
I just noticed that it links to http://phpcoder.shadonet.com/ phpcoder is a web-based front-end to the mmcache encoder, and allows you to encode scripts remotely. What's more you can use turckloader, which will run encoded scripts without having to have a full install of mmcache. Encoded scripts are also compatible with other accelerators, such as Zend encoder.

I've had some trouble with mmcache under PHP 5.0.1, but it's been flawless on 4.3.8.

I think that pretty much covers all you asked for!

I followed your link here from the Networking TA. While I don't have an answer to your Question, it would probably be helpful to other Experts if you stated here what about Squinky's proposals fails to meet your requirements. Experts are, well, experts, not mindreaders. Unless you say something, anyone else coming here is not going to know why previous Comments are not what you're looking for. Heck, Squinky might even have the solution, if you'll say why the Comments so far are not what you need.
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

kolpdcAuthor Commented:
hello psicop, yes - no problem. i had to take a look for a little amount of sleep ;). i'll check this now.

squinky, i took a look for turck mmcache for php. generally that sounds great, but the page seems to tell me, that i'll have to install mmcache within the webserver. did i understand this right? mmcache compiles the code and stays itself somewhere in memory of the webserver to execute the code when required? a kind of accelerator? generally that would do the job better than hoped for, but i have one little problem: i'm dependent of my isp - so i do not have more access to the webserver then normal ftp. if i misunderstood the way of working of mmcache - please correct me.

so if i am only able to upload/download some files to the webserver, i think, i need a tool, that somehow crypts my php-code. it does not have to be compiled somehow so it is optimized/accelerated (would be nice side-effect;). my problem would be solved, if i could hand one of my php-scripts to a tool and receive a working php-script i am not able to reconstruct to an understandable code in reasonable time.

i thought of building a tool myself (strip comments, rename all functionnames, rename function-internal variables, rename global variables, strip linebreak, ...), but i do lack the time at the moment. if somewhen i should do it, i'll make it freeware ;).

could i give you a little more information about my requirements?
kolpdcAuthor Commented:
squinky, turck mmcache sounds great - but i am not able to modify the apache-server. so this won't work, i think.
Have you looked at Code Obfuscator?
Marcus BointonCommented:
OK, in that case you can only do fairly trivial obfuscation, like that link offers. One thing I'm not quite clear on is why you're particularly worried about protecting your source on your ISP's server. No other users should be able to access your source files (especially if they have similar privileges to you), and it will not be visible through normal web pages anyway, so where's the need for obfuscation?

Any decent PHP pretty-print routine will resurrect code obfuscated in this way without any great user ability, so any protection really is trivial.

If you're distributing PHP code commercially, requiring something like turckloader isn't unusual.

If you're really that concerned about it, perhaps you should change to a better ISP? There will be plenty that offer Zend or mmcache.
kolpdcAuthor Commented:
merwetta1, following your link i found an online-tool doing a real great job:

Richard Fairthorne's Code Obfuscator

it works with only cut and paste and produces a very compressed and WORKING code. great thing i could recommend. was it the tool you ment?
kolpdcAuthor Commented:
squinky, i built a big portalside providing free informations on anything around a touristic region with some friends several years ago. when it became to timeconsuming, i changed some parts of the page (like event-calendar, ...) to dynamic php-scripts to reduce time-consumption. unfortunately people change and have very good reasons to believe that one of the guys is using my scripts for his own (commercial) purposes. we both have access to the webspace...

have you had a look at the above link? if not, take a little (or big) piece of code, paste it, push the button and take a look at the result. works really great...
Marcus BointonCommented:
Hm, it doesn't really work very well. It doesn't actually do any code-level obfuscation at all. It just applies about 12 rounds of gzip and base64_encode to the script which took me all of 2 minutes to undo (since the approach it uses for obfuscation is nicely self-documenting!), and now I know what it's doing, I could write a scritp to undo all fiels that it had been applied to. The code it generates is also slightly invalid, and won't work with short tags turned off. The main effect of this script is to make it run slower and increase server load. I really wouldn't recommend it.

My suggestion to you if you're having trouble like that, is stop working with them, host your scripts somewhere that they don't have access to them - you could even put them on a different server and have it all still work. Or cut them off and don't allow them access to your web space. Get your ISP to make you a subdirectory that only you have access to. Any of these would be a far more effective and efficient solution.
kolpdcAuthor Commented:
yes, you're right. in betweentime i use separated webspaces where this special person does not have access to. so normally i'm in no need of obfuscation. but this old portal is still working and telling the guy that i do not trust him anymore (i have very good reasons) would result in very big arguments and a portal sold for 500 bucks that i would not like to sell for 10.000 (not at all!).

in case of the "zip"-tool, you're right. but in first instance it fits my needs. i do not think, that there are geniuses at the other end. if so, i will have to take a look for another tool. or finally i will write a tool myself, absolutely fitting my needs. if i would have time to spend (at all), i would do it... ;)

i thank you very much for your help. if you still have any other suggestions, please post'em so i can take a look at them.
i will split points on both of you. thanks a lot.
kolpdcAuthor Commented:
if someone of you likes to get 80 points extra go to http://www.experts-exchange.com/Security/Q_21115352.html and give me an answer so i can give you the points. else i'll get them refunded.
have fun.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now