Thread: PHP Obfuscation: Complete waste of time?
View Single Post
Old 08-08-2006, 04:26 AM   #8 (permalink)
jgestiot
Registered User
 
Join Date: Aug 2006
Posts: 8
jgestiot is on a distinguished road
Quote:
Originally Posted by morpheuz
I've been doing my homework on this topic and all of the advice says drop it and just look into a commercial solution for protecting scripts, but I'm not sure I should do it. Part of the reason I have a hard time leaving obfuscation alone is because I think I can come up with a way to make it <_<... >_>...worthwhile (I know, silly). The end result would always be reversible I understand, but I still think some fun can be had, like making the decode process so annoying and such a cumbersome task that most would just give up at the mere thought of unscrambling your efforts. ^_^ I'll probably end up getting the ioncube encoder or something of the such anyway, and as foolish as security by obscurity may be I must say the idea of obfuscating scripts with the many ways to go about it is mighty intriguing to me.
I did the same kind of homework and ended up writing my own obfuscator. I didn't want an expensive commercial tool but something that could cause sufficient pain for the potential thief. I have put a version of my obfuscator online at http://www.dailycorner.com/rope/rope_online.php .

While developing the ROPE (Recursive Obfuscating PHP Engine) I also learnt about writing code conducive to good obfuscation. Since my obfuscator had a feature that would also obfuscate the name of the files (why have require_once("class.kernel.php") when you can have require_once("_f1ec866c92b67592")...), I started to write code that had many included files. Not too many, but enough for anyone not to know where to start. After all, it is silly to obfuscate your code but give a clue as to what your code does in the way the files are named (main_engine.php,settings.php, combat.php, highscores.php, you get the drift.)

Once you have obfuscated all the function names, class names, variables and converted strings and numbers to hexadecimal, you have done enough to put anyone off. For the majority of PHP coders out there, a true obfuscator (not one of those monsters that convert your code adding unpacking functions) is the right solution.

To facilitate debugging, I have a pseudo-obfuscation feature on ROPE that actually obfuscate the code while keeping it readable to humans. Try working out what that means
jgestiot is offline   Reply With Quote