Solved

PHP obfuscator

Posted on 2004-09-01
Last Modified: 2007-12-19
hello experts,

i am urgently in need of something to obfuscate my php-scripts. best would be a little application i can give a certain php-script, that generates a new file and puts it down.

i have tried POBS, but it did not fit my needs. first i need a webserver (sometimes uncomfortable). next problem - i did not divide php-scripting and html in older scripts. if i have to show something to the user, i have sections in my php-code where i use print "html html html".$aPhpVariable."and so on with html"; - POBS gets confused with it. also POBS cuts the backslash from \n in my print(s).

so next the features the obfuscator should have:
-take a file or a piece of code and produce a running piece of obfuscated code (unreadable for other programmers - that do not have weeks of time...;)
-free tool
-binary file for windows-pc (that would be most comfortable - in case of emergency also other - for example php running on webserver, online, ...)
(-perhaps as a gimmick producing optimized code)
(-if it is also able to obfuscate other languages too...;)

it would be great, if you could show me some tools achieving these aims.

thank you very much in advance
0
Comment
Question by:kolpdc
12 Comments
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11953734
I use Turck mmcache - turck-mmcache.sourceforge.net. It usually works in conjunction with a web server for acceleration purposes, but it also builds command line tools for separately producing bytecode compiled (effectively obfuscated) PHP. It also optimizes. And it's free. The main site doesn't host a binary, but you should be able to compile it, or possibly find a binary that someone else has compiled, though note that it gets very firmly attached to particular builds of PHP.

This kind of thing is very specific to PHP, so I doubt you'll find a product that supports more than one language.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11953859
I just noticed that it links to http://phpcoder.shadonet.com/ - phpcoder is a web-based front-end to the mmcache encoder, and allows you to encode scripts remotely. What's more, you can use turckloader, which will run encoded scripts without having to have a full install of mmcache. Encoded scripts are also compatible with other accelerators, such as Zend encoder.

I've had some trouble with mmcache under PHP 5.0.1, but it's been flawless on 4.3.8.

I think that pretty much covers all you asked for!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11954260
kolpdc,

I followed your link here from the Networking TA. While I don't have an answer to your Question, it would probably be helpful to other Experts if you stated here what about Squinky's proposals fails to meet your requirements. Experts are, well, experts, not mindreaders. Unless you say something, anyone else coming here is not going to know why previous Comments are not what you're looking for. Heck, Squinky might even have the solution, if you'll say why the Comments so far are not what you need.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961094
hello psicop, yes - no problem. i had to take a look for a little amount of sleep ;). i'll check this now.

squinky, i took a look for turck mmcache for php. generally that sounds great, but the page seems to tell me, that i'll have to install mmcache within the webserver. did i understand this right? mmcache compiles the code and stays itself somewhere in memory of the webserver to execute the code when required? a kind of accelerator? generally that would do the job better than hoped for, but i have one little problem: i'm dependent on my isp - so i do not have more access to the webserver than normal ftp. if i misunderstood the way of working of mmcache - please correct me.

so if i am only able to upload/download some files to the webserver, i think, i need a tool, that somehow crypts my php-code. it does not have to be compiled somehow so it is optimized/accelerated (would be nice side-effect;). my problem would be solved, if i could hand one of my php-scripts to a tool and receive a working php-script i am not able to reconstruct to an understandable code in reasonable time.

i thought of building a tool myself (strip comments, rename all function names, rename function-internal variables, rename global variables, strip linebreaks, ...), but i do lack the time at the moment. if sometime i should do it, i'll make it freeware ;).

could i give you a little more information about my requirements?
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961116
squinky, turck mmcache sounds great - but i am not able to modify the apache-server. so this won't work, i think.
0
 
LVL 6

Assisted Solution

by:merwetta1
merwetta1 earned 50 total points
ID: 11961246
Have you looked at Code Obfuscator?
http://www.hotscripts.com/Detailed/10841.html
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11961567
OK, in that case you can only do fairly trivial obfuscation, like that link offers. One thing I'm not quite clear on is why you're particularly worried about protecting your source on your ISP's server. No other users should be able to access your source files (especially if they have similar privileges to you), and it will not be visible through normal web pages anyway, so where's the need for obfuscation?

Any decent PHP pretty-print routine will resurrect code obfuscated in this way without any great user ability, so any protection really is trivial.

If you're distributing PHP code commercially, requiring something like turckloader isn't unusual.

If you're really that concerned about it, perhaps you should change to a better ISP? There will be plenty that offer Zend or mmcache.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961607
merwetta1, following your link i found an online-tool doing a real great job:

Richard Fairthorne's Code Obfuscator
http://richard.fairthorne.is-a-geek.com/utils_obfuscate.php?

it works with only cut and paste and produces a very compressed and WORKING code. great thing i could recommend. was it the tool you meant?
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11961678
squinky, i built a big portal site providing free information on anything around a touristic region with some friends several years ago. when it became too time-consuming, i changed some parts of the page (like event-calendar, ...) to dynamic php-scripts to reduce time-consumption. unfortunately people change and i have very good reasons to believe that one of the guys is using my scripts for his own (commercial) purposes. we both have access to the webspace...

have you had a look at the above link? if not, take a little (or big) piece of code, paste it, push the button and take a look at the result. works really great...
0
 
LVL 25

Accepted Solution

by:
Marcus Bointon earned 450 total points
ID: 11961813
Hm, it doesn't really work very well. It doesn't actually do any code-level obfuscation at all. It just applies about 12 rounds of gzip and base64_encode to the script, which took me all of 2 minutes to undo (since the approach it uses for obfuscation is nicely self-documenting!), and now I know what it's doing, I could write a script to undo all files that it had been applied to. The code it generates is also slightly invalid, and won't work with short tags turned off. The main effect of this script is to make it run slower and increase server load. I really wouldn't recommend it.

My suggestion to you if you're having trouble like that, is stop working with them, host your scripts somewhere that they don't have access to them - you could even put them on a different server and have it all still work. Or cut them off and don't allow them access to your web space. Get your ISP to make you a subdirectory that only you have access to. Any of these would be a far more effective and efficient solution.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11962318
yes, you're right. in the meantime i use separated webspaces where this special person does not have access to. so normally i'm in no need of obfuscation. but this old portal is still working and telling the guy that i do not trust him anymore (i have very good reasons) would result in very big arguments and a portal sold for 500 bucks that i would not like to sell for 10.000 (not at all!).

in case of the "zip"-tool, you're right. but in first instance it fits my needs. i do not think, that there are geniuses at the other end. if so, i will have to take a look for another tool. or finally i will write a tool myself, absolutely fitting my needs. if i would have time to spend (at all), i would do it... ;)

i thank you very much for your help. if you still have any other suggestions, please post'em so i can take a look at them.
i will split points on both of you. thanks a lot.
0
 
LVL 4

Author Comment

by:kolpdc
ID: 11972298
if someone of you likes to get 80 points extra go to http://www.experts-exchange.com/Security/Q_21115352.html and give me an answer so i can give you the points. else i'll get them refunded.
have fun.
0

Question has a verified solution.
