PHP Obfuscation: Complete waste of time?

[sde]

both of these products support obfuscation.

http://www.zend.com/products/zend_guard
http://www.ioncube.com/

Quote:

How do you recreate the original source code if everything meaningful has been one-way encrypted?

i don't know, you'll have to ask the people who do it. also, wouldn't you consider encryption different than obfuscation?

[jgestiot]

Quote:

Originally Posted by sde

both of these products support obfuscation.

http://www.zend.com/products/zend_guard
http://www.ioncube.com/

i don't know, you'll have to ask the people who do it. also, wouldn't you consider encryption different than obfuscation?

It's funny, you're posting links and talking to me like I know nothing. I have been on this for a year now. I know all the obfuscation/encoding products on the market and whenever possible I have tried them. The key to good obfuscation is not just to have a good obfuscator but also to know how to write code for good obfuscation. And by the way, ROPE has obfuscating features that many products do not have. Like the obfuscation of filenames. Everything counts.

There are a lot of people who say that scripts can be reverse engineered but I have not found one who would take up the challenge. Any takers?

[jgestiot]

Quote:

Originally Posted by sde

so you are just obsfucating function names?

I obfuscate function names, variables, classes, strings, numbers, file names, define(), require_once() and include() and so on.

Here is class obfuscated with ROPE:

class _f494a5740f6f626d {
var $_d5af1f610a12434c;
var $_cbd3e5f683ece543 = "[";
var $_5bcd1aafb4f0b0ae = "]";
var $_9557b12de1a4b9e2 = ">";
var $_4d23e841d8e88041;
var $_8e1db4d207d5a824;
var $_0382a6dd992239d4;
var $_3d8abf7d80270918;
var $_b915dcba1566493b;
var $_f288d1412bd71bd3;
var $_66e64f6c3677d0c5;
var $_4c3ca7e2ce5550f1;
var $_a6130a21d7d578d8;
var $_d777f385d3dfec88;

function _f494a5740f6f626d()
{
$_d777f385d3dfec88 = array();
$this->_6266ee937d97f812();
}

function _37f0136aa3ffaf14()
{
}

function _6266ee937d97f812()
{
$this->_8e1db4d207d5a824 = 0x0;
$this->_0382a6dd992239d4 = 0x0;
$this->_3d8abf7d80270918 = 0x0;
$this->_a6130a21d7d578d8 = 0x0;
}

function _daeeeba9b4a4c5eb($_c6e0b8a9c15224a8, $_063c1608d6e0baf8)
{
$this->_d777f385d3dfec88[$_c6e0b8a9c15224a8] = $_063c1608d6e0baf8;
}

function _e40063e25753005c($_45cffe084dd3d20d)
{
$_e0bdcbddccca4d66 = strpos($_45cffe084dd3d20d, $this->_cbd3e5f683ece543, $this->_8e1db4d207d5a824);
if ($_e0bdcbddccca4d66 === false)return 0x0;
$this->_0382a6dd992239d4 = $_e0bdcbddccca4d66;
$_e0bdcbddccca4d66 = strpos($_45cffe084dd3d20d, $this->_5bcd1aafb4f0b0ae, $this->_8e1db4d207d5a824 + $this->_8e1db4d207d5a824 + $this->_0382a6dd992239d4);
if ($_e0bdcbddccca4d66 === false)return 0x0;
$this->_3d8abf7d80270918 = $_e0bdcbddccca4d66;

$_a86c157ee9713c34 = $this->_8e1db4d207d5a824;
$_6c4ce156d33384c5 = 0x64;

while (0x1) {
$_e0bdcbddccca4d66 = strpos($_45cffe084dd3d20d, $this->_cbd3e5f683ece543, $_a86c157ee9713c34);

if ($_e0bdcbddccca4d66 === false)break;
if ($_e0bdcbddccca4d66 >= $this->_3d8abf7d80270918)break;
$_a86c157ee9713c34 = $_e0bdcbddccca4d66 + 0x1;
$_6c4ce156d33384c5--;
if ($_6c4ce156d33384c5 == 0x0)break;
}
if ($_a86c157ee9713c34) {
$_a86c157ee9713c34--;
$this->_0382a6dd992239d4 = $_a86c157ee9713c34;
} else $this->_8e1db4d207d5a824 = $this->_3d8abf7d80270918;

$this->_b915dcba1566493b = substr($_45cffe084dd3d20d, $this->_0382a6dd992239d4 + 0x1, $this->_3d8abf7d80270918 - $this->_0382a6dd992239d4-0x1);

return 0x1;
}

function _50cca126108b8c44()
{
$this->_f288d1412bd71bd3 = 0x0;
$this->_4c3ca7e2ce5550f1 = "";

$_d801aa532c1cec3e = strpos($this->_b915dcba1566493b, $this->_9557b12de1a4b9e2);

if ($_d801aa532c1cec3e)$this->_4c3ca7e2ce5550f1 = substr($this->_b915dcba1566493b, 0x0, $_d801aa532c1cec3e);
else {
$this->_4c3ca7e2ce5550f1 = trim($this->_b915dcba1566493b);
return 0x0;
}

$this->_66e64f6c3677d0c5 = split("\x7c", substr($this->_b915dcba1566493b, $_d801aa532c1cec3e + 0x1));

$this->_f288d1412bd71bd3 = sizeof($this->_66e64f6c3677d0c5);

return $this->_f288d1412bd71bd3;
}

function _72f06f30e2877a2d()
{
$_4a88417b3d0170d7 = $this->_d777f385d3dfec88[$this->_4c3ca7e2ce5550f1];

if ($this->_f288d1412bd71bd3) {
$_2942a04780e223b2 = 0x1;
while ($_2942a04780e223b2 < 0x32) {
$_b8dc71df23110196 = "\x5f\x70" . $_2942a04780e223b2 . "\x5f";

if (strstr($_4a88417b3d0170d7, $_b8dc71df23110196)) {
$_4a88417b3d0170d7 = str_replace($_b8dc71df23110196, $this->_66e64f6c3677d0c5[$_2942a04780e223b2-0x1], $_4a88417b3d0170d7);
} else {
break;
}
$_2942a04780e223b2++;
}
} else {
}

return $_4a88417b3d0170d7;
}

function _c4d1eb36b22d1972($_35ed7e9f07f740ab)
{
$_81ff09422ad9d637 = 0x2710;
$this->_d777f385d3dfec88 = array();
$_6eba1e1e34327985 = fopen ($_35ed7e9f07f740ab, "\x72");
if ($_6eba1e1e34327985) {
while (!feof ($_6eba1e1e34327985) && $_81ff09422ad9d637--) {
$_cf32fb218dd531e2 = fgets($_6eba1e1e34327985, 0x1000);

if ($_cf32fb218dd531e2) {
$_e0bdcbddccca4d66 = strpos($_cf32fb218dd531e2, "\x3d");
$_a8db4c996d8ed828 = trim(substr($_cf32fb218dd531e2, 0x0, $_e0bdcbddccca4d66));

$this->_d777f385d3dfec88[$_a8db4c996d8ed828] = trim(substr($_cf32fb218dd531e2, $_e0bdcbddccca4d66 + 0x1));
}
}
fclose ($_6eba1e1e34327985);
}
}

function _1407b18c5a9dd810($_45cffe084dd3d20d)
{
$this->_6266ee937d97f812();

while (0x1) {
if ($this->_e40063e25753005c($_45cffe084dd3d20d)) {
if (!$this->_50cca126108b8c44()) {
} else {
}
} else break;

$_a6130a21d7d578d8 = $this->_72f06f30e2877a2d();

$_a1585a864d9e6762 = substr($_45cffe084dd3d20d, 0x0, $this->_0382a6dd992239d4);

$_a1585a864d9e6762 .= $_a6130a21d7d578d8;

$_a1585a864d9e6762 .= substr($_45cffe084dd3d20d, $this->_3d8abf7d80270918 + 0x1);

$_45cffe084dd3d20d = $_a1585a864d9e6762;
}

$_45cffe084dd3d20d = str_replace("\x7b\x6f\x7d", $this->_cbd3e5f683ece543, $_45cffe084dd3d20d);
$_45cffe084dd3d20d = str_replace("\x7b\x63\x7d", $this->_5bcd1aafb4f0b0ae, $_45cffe084dd3d20d);

return $_45cffe084dd3d20d;
}

function _455b637e1af9c8c0(&$_582dec943ff7b743, $_a08769cdcb26674c)
{
$_582dec943ff7b743[$_a08769cdcb26674c][_54e57f26c5bf6036] = $this->_1407b18c5a9dd810($_582dec943ff7b743[$_a08769cdcb26674c][_54e57f26c5bf6036]);
}
}

Once you've worked out this one, you have another 45 to crack the application.

[sde]

wow, you're pretty defensive. just trying to have a conversation. you said those were encoders and you were doing obfuscation, which lead me to believe that by saying they were not a comparison to what you do, that they don't use obsfuscation.

you also did not address my obsfuscation vs encryption question.

[teknomage1]

Looks easier to read than assembly, and assembly isn't that hard to read. What's the point?

[jgestiot]

Quote:

Originally Posted by sde

wow, you're pretty defensive. just trying to have a conversation. you said those were encoders and you were doing obfuscation, which lead me to believe that by saying they were not a comparison to what you do, that they don't use obsfuscation.

you also did not address my obsfuscation vs encryption question.

Which part of my response was defensive?

I'm not trying to prevent anyone to crack my code by applying encryption, I am trying to deter them by making it so time-consuming it is not worth it. This is why I not only obfuscate sensitive code, I actually write the application so that it is obfuscator-friendly.

Now, I don't get your overall point. Are you saying that if you have the possibility to make it difficult for others to steal your code, you shouldn't just because they can invest a huge amount of time and eventually break it open?

Another thing that you are not addressing here, is what sort of source code will you have when you have "cracked it". What names will you have to replace the functions, variables, classe names and others.

Have you ever developed large applications and maintained them over several years? If you have, you will understand how useless the code is once all comments have been removed and everything meaningful such as the defines used in case/switch have been replace with ridiculous names. How inviting is that code? I'd rather see USER_SETTINGS than something like _b915dcba1566493b. How well could the code stolen from you be maintained and commercialised by somebody else?

I repeat my yet unanswered question here: Why would you not obfuscate?

[jgestiot]

Quote:

Originally Posted by teknomage1

Looks easier to read than assembly, and assembly isn't that hard to read. What's the point?

So if it is easier to read, you should have no trouble telling me what the class does. Once you work out what it does and how to use it, tell me how long it took you and how long it would have taken you to write the same stuff in the first place.

[teknomage1]

It looks to me like a sloppily coded tokenizer with too much state global to the object. I'm going to give you the benfit of the doubt and assume that some of that is from the obfuscation, but still. You should really read some books on coding.

[DJMaze]

Some string replaces in minutes and your obfuscated code looks like:

PHP Code:

<?php

class func1 {
    var $var1; // 1 occurence
    var $var2 = "["; // 4 occurences
    var $var3 = "]"; // 3 occurences
    var $var4 = ">"; // 2 occurences
    var $var5; // 1 occurence
    var $var6; // 7 occurences
    var $var7; // 8 occurences
    var $var8; // 7 occurences
    var $var9; // 8 occurences
    var $var10; // 5 occurences
    var $var11; // 4 occurences
    var $var12; // 5 occurences
    var $var13; // 4 occurences
    var $var14; // 6 occurences

    function func1() // 2 occurences
    {
        $var14 = array();
        $this->func3();
    } 

    function func2() // 1 occurence
    {
    } 

    function func3() // 3 occurences
    {
        $this->var6 = 0;
        $this->var7 = 0;
        $this->var8 = 0;
        $this->var13 = 0;
    } 

    function func4($arg1, $arg2) // 1 occurence
    {
        $this->var14[$arg1] = $arg2;
    } 

    function func5($arg1) // 2 occurences
    {
        $int2 = strpos($arg1, $this->var2, $this->var6);
        if ($int2 === false)return 0;
        $this->var7 = $int2;
        $int2 = strpos($arg1, $this->var3, $this->var6 + $this->var6 + $this->var7);
        if ($int2 === false)return 0;
        $this->var8 = $int2;

        $int5 = $this->var6;
        $int6 = 0x64;

        while (1) {
            $int2 = strpos($arg1, $this->var2, $int5);
            if ($int2 === false)break;
            if ($int2 >= $this->var8)break;
            $int5 = $int2 + 1;
            $int6--;
            if ($int6 == 0)break;
        } 
        if ($int5) {
            $int5--;
            $this->var7 = $int5;
        } else $this->var6 = $this->var8;

        $this->var9 = substr($arg1, $this->var7 + 1, $this->var8 - $this->var7-1);

        return 1;
    } 

    function func6() // 2 occurences
    {
        $this->var10 = 0;
        $this->var12 = "";
        $int4 = strpos($this->var9, $this->var4);
        if ($int4)$this->var12 = substr($this->var9, 0, $int4);
        else {
            $this->var12 = trim($this->var9);
            return 0;
        } 
        $this->var11 = split("|", substr($this->var9, $int4 + 1));
        $this->var10 = sizeof($this->var11);
        return $this->var10;
    } 

    function func7() // 2 occurences
    {
        $val1 = $this->var14[$this->var12];
        if ($this->var10) {
            $int3 = 1;
            while ($int3 < 0x32) {
                $str1 = "_p" . $int3 . "_";
                if (strstr($val1, $str1)) {
                    $val1 = str_replace($str1, $this->var11[$int3-1], $val1);
                } else {
                    break;
                } 
                $int3++;
            } 
        } else {
        } 
        return $val1;
    } 

    function func8($filename) // 1 occurence
    {
        $int1 = 0x2710;
        $this->var14 = array();
        $fp = fopen ($filename, "r");
        if ($fp) {
            while (!feof ($fp) && $int1--) {
                $data1 = fgets($fp, 0x1000);
                if ($data1) {
                    $int2 = strpos($data1, "=");
                    $word = trim(substr($data1, 0, $int2));
                    $this->var14[$word] = trim(substr($data1, $int2 + 1));
                }
            }
            fclose ($fp);
        }
    }

    function func9($arg1) // 2 occurences
    {
        $this->func3();
        while (1) {
            if ($this->func5($arg1)) {
                if (!$this->func6()) {
                } else {
                } 
            } else break;
            $var13 = $this->func7();
            $tmp = substr($arg1, 0, $this->var7);
            $tmp .= $var13;
            $tmp .= substr($arg1, $this->var8 + 1);
            $arg1 = $tmp;
        } 
        $arg1 = str_replace("{o}", $this->var2, $arg1);
        $arg1 = str_replace("{c}", $this->var3, $arg1);
        return $arg1;
    } 

    function func10(&$arg1, $arg2) // 1 occurence
    {
        $arg1[$arg2]['key1'] = $this->func9($arg1[$arg2]['key1']);
    } 
}

[DJMaze]

Quote:

Originally Posted by jgestiot

Have you ever developed large applications and maintained them over several years? If you have, you will understand how useless the code is once all comments have been removed and everything meaningful such as the defines used in case/switch have been replace with ridiculous names. How inviting is that code? I'd rather see USER_SETTINGS than something like _b915dcba1566493b. How well could the code stolen from you be maintained and commercialised by somebody else?

I repeat my yet unanswered question here: Why would you not obfuscate?

You ever tried to crack a PE file? If people can read PE why obfuscate?

To answer your question: To me obfuscation only makes it harder for noobs not for me nor my fellow hackers.

[toe_cutter]

Quote:

Originally Posted by DJMaze

You ever tried to crack a PE file? If people can read PE why obfuscate?

To answer your question: To me obfuscation only makes it harder for noobs not for me nor my fellow hackers.

That is the idea. Why lock the doors on your house or car? If someone wants in they will get in. The idea is to keep at least the causual observer from snooping. Also, like he said is it worth your time and money to try and reverse engineer the code?

He never said it couldn't be reversed, he just said it would make it difficult.

[sde]

it's been a while since i visited this thread

Quote:

Originally Posted by jgestiot

Why would you not obfuscate?

i like the ability to shell in and edit code on the fly. my server is pretty secure and i'm not worried about intrusion. it's the same principle. if someone wants in that bad, they will probably get to it.

i would have a different opinion on distributed software. i'd definately obsfucate/encode in that case.

Quote:

Originally Posted by jgestiot

Finally, those who say obfuscated code can be reverse-engineered have never tried it!

Quote:

Originally Posted by jgestiot

It's a fact that it is very difficult (i.e. impossible) for someone skilled to reverse engineer the code

Quote:

Originally Posted by jgestiot

There are a lot of people who say that scripts can be reverse engineered but I have not found one who would take up the challenge. Any takers?

These points seem to be invalid now. I dunno though, he hasn't responded since DJM posted that code.

[akmalx]

Quote:

Originally Posted by DJMaze

You ever tried to crack a PE file? If people can read PE why obfuscate?

To answer your question: To me obfuscation only makes it harder for noobs not for me nor my fellow hackers.

lol i cracked PE. and i also made a tool to help reverse engineer obfuscated code, by making them looks like var1func1,.. (same as yours) and keep the line number and filename in database to track them. obfuscate and encode is the same in terms of crackability. the only things is obfuscate made php looks less advance since you can't call user methods on the fly on some cases. but its still a good idea for less complicated apps.