05-05-2006, 08:23 AM   #1
morpheuz
Code Monkey
Join Date: Feb 2005
Posts: 64
PHP Obfuscation: Complete waste of time?

I've been doing my homework on this topic and all of the advice says drop it and just look into a commercial solution for protecting scripts, but I'm not sure I should do it. Part of the reason I have a hard time leaving obfuscation alone is because I think I can come up with a way to make it <_<... >_>...worthwhile (I know, silly). The end result would always be reversible I understand, but I still think some fun can be had, like making the decode process so annoying and such a cumbersome task that most would just give up at the mere thought of unscrambling your efforts. ^_^ I'll probably end up getting the ioncube encoder or something of the such anyway, and as foolish as security by obscurity may be I must say the idea of obfuscating scripts with the many ways to go about it is mighty intriguing to me.

Quick question. Would storing the source to php files in a MySQL database provide any form of relief from script theft?
05-05-2006, 03:22 PM   #2
DJMaze
Senior Contributor
Join Date: Mar 2005
Posts: 673
1. PHP is serverside
2. If they have the source they also have your database
3. so why bother?
05-05-2006, 03:31 PM   #3
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
are you talking about distributing your php software, or are you worried about people hacking into your server and stealing your code?
__________________
Mike
05-05-2006, 09:14 PM   #4
teknomage1
Jack of all trades
Join Date: Feb 2005
Location: Los Angeles
Posts: 598
Considering most people never even use ready made libraries since it takes a while to figure out how to use them, I doubt anyone actually steals code. Quicker and cheaper (and less of a bleeping headache) to just write something new for sure.
__________________
Stop intellectual property from infringing on me
05-06-2006, 04:04 AM   #5
morpheuz
Code Monkey
Join Date: Feb 2005
Posts: 64
Quote:
Originally Posted by DJMaze
1. PHP is serverside
2. If they have the source they also have your database
3. so why bother?
Thanks. I was already skeptical about that doing anything since shared hosting setups can't seem to prevent other clients on the server from snooping around.

Quote:
Originally Posted by sde
are you talking about distributing your php software, or are you worried about people hacking into your server and stealing your code?
Mainly something like the latter.

Quote:
Originally Posted by teknomage1
Considering most people never even use ready made libraries since it takes a while to figure out how to use them, I doubt anyone actually steals code. Quicker and cheaper (and less of a bleeping headache) to just write something new for sure.
I definitely agree with that last part, better to do it yourself. A lot of php scripts are poorly written because they weren't made with security in mind. And when they are, the techniques are dated and never updated. I had to clean up some classified app I purchased ($700 USD) months ago that used poor session handling, allowed the same login from different machines at the same time, stored plain text passwords and had a ton of SQL injection and XSS vulnerabilities to boot. If I wasn't paranoid I would've used it as is, but, still unsettled, I sought security, googled and read a lot (****, I'm still reading). If I had known beforehand... I've since scrapped using this app altogether and am writing something I can live with that's more efficient, uses current security practices, and that I can use with a merchant account. Even when I'm done, I'll probably get it audited just in case I missed some things.

There are thieves out there..

Don't know if you guys know this, but there are entire forum communities revolving around acquiring and then reverse engineering (to redistribute freely) commercial php apps. Many who benefit from this practice are noobs, and even they get well versed in removing all of the script author's fingerprints by the providers. Terrible. They then use it out of the box. Once they completely change the appearance and the filenames you're almost in no man's land. I imagine even if you write something that isn't for sale, but would like to keep it to yourself and profit from, and it's a nice piece of code that gets attention, that you're likely to become a target for theft too.

And it's not like I really care about copycat scripts, as long as the copycat's efforts are their own...no harm, no foul.

Anywho, my curiosity has been satisfied here. I'll use pobs and then the ioncube encoder to wrap things up when I'm finished. I wanted to read others' comments on this instead of just entertaining the cheap thoughts in my head.
05-06-2006, 09:37 AM   #6
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
Quote:
Thanks. I was already skeptical about that doing anything since shared hosting setups can't seem to prevent other clients on the server from snooping around.
you're using the wrong host then. it's easy for a shared hosting service to prevent clients from snooping around each other's disk space.

if your scripts are that critical and you are that concerned, then don't host them on a shared hosting service at all.

if you don't have any other choice and you are still concerned, use ioncube.

personally i'd only use ioncube ( and do ) if i was distributing php software that did need to be protected.
__________________
Mike
05-09-2006, 03:23 PM   #7
DJMaze
Senior Contributor
Join Date: Mar 2005
Posts: 673
Something that is encoded has to be decoded to get it up and running or else it won't work.
That's why people can reverse-engineer any software from C/C++ to PHP.

If you're that scared you shouldn't distribute any software online, only sell and install it yourself.
That way, when it becomes public, you can sue one of your clients.
08-08-2006, 03:26 AM   #8
jgestiot
Registered User
Join Date: Aug 2006
Posts: 8
Quote:
Originally Posted by morpheuz
I've been doing my homework on this topic and all of the advice says drop it and just look into a commercial solution for protecting scripts, but I'm not sure I should do it. Part of the reason I have a hard time leaving obfuscation alone is because I think I can come up with a way to make it <_<... >_>...worthwhile (I know, silly). The end result would always be reversible I understand, but I still think some fun can be had, like making the decode process so annoying and such a cumbersome task that most would just give up at the mere thought of unscrambling your efforts. ^_^ I'll probably end up getting the ioncube encoder or something of the such anyway, and as foolish as security by obscurity may be I must say the idea of obfuscating scripts with the many ways to go about it is mighty intriguing to me.
I did the same kind of homework and ended up writing my own obfuscator. I didn't want an expensive commercial tool but something that could cause sufficient pain for the potential thief. I have put a version of my obfuscator online at http://www.dailycorner.com/rope/rope_online.php .

While developing the ROPE (Recursive Obfuscating PHP Engine) I also learnt about writing code conducive to good obfuscation. Since my obfuscator had a feature that would also obfuscate the name of the files (why have require_once("class.kernel.php") when you can have require_once("_f1ec866c92b67592")...), I started to write code that had many included files. Not too many, but enough for anyone not to know where to start. After all, it is silly to obfuscate your code but give a clue as to what your code does in the way the files are named (main_engine.php, settings.php, combat.php, highscores.php, you get the drift.)

Once you have obfuscated all the function names, class names, variables and converted strings and numbers to hexadecimal, you have done enough to put anyone off. For the majority of PHP coders out there, a true obfuscator (not one of those monsters that convert your code adding unpacking functions) is the right solution.

To facilitate debugging, I have a pseudo-obfuscation feature on ROPE that actually obfuscates the code while keeping it readable to humans. Try working out what that means.
08-08-2006, 10:15 AM   #9
toe_cutter
Code Monkey
Join Date: Aug 2002
Location: Boston, MA
Posts: 79
Quote:
Originally Posted by jgestiot
To facilitate debugging, I have a pseudo-obfuscation feature on ROPE that actually obfuscates the code while keeping it readable to humans. Try working out what that means.
Isn't the whole idea of obfuscation to make it so that it isn't readable by humans? So if you can read it then it isn't obfuscated. This is of course arguing semantics.

I was going to ask how you debug your obfuscated code? Do you keep a hash table or anything?

Toe
08-08-2006, 03:05 PM   #10
jgestiot
Registered User
Join Date: Aug 2006
Posts: 8
Quote:
Originally Posted by toe_cutter
Isn't the whole idea of obfuscation to make it so that it isn't readable by humans? So if you can read it then it isn't obfuscated. This is of course arguing semantics.

I was going to ask how you debug your obfuscated code? Do you keep a hash table or anything?

Toe
My obfuscator has an intermediate feature that modifies each of the names to be obfuscated with a name that is close to the original thus making debugging easier. Once you are satisfied that the code runs fine, you change the switch and fully obfuscate your code.

There is no need for a hash table. The code is easily debugged. Here is an example:

Original

<?php

function MyFunction()
{

}

MyFunction();

?>


Intermediate

<?php

function _myfunction_()
{

}

_myfunction_();

?>

Obfuscated

<?php

function _61351cc022061c94()
{

}

_61351cc022061c94();

?>


As you can see, it makes sense to debug the intermediate version.
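The scheme the two jgestiot posts above describe (hashed function, class and variable names with a readable intermediate mode, plus strings and numbers rewritten as hex) as an added example built on PHP's own token_get_all; this is not ROPE's code or any poster's, and the salt string and the sample input are made up for the demonstration.

```php
<?php
// Added example, not ROPE's code: a token-based identifier-renaming obfuscator for one
// self-contained PHP file. Intermediate mode keeps names readable (_myfunction_) for
// debugging; final mode hashes them with a secret salt into _61351cc022061c94-style names,
// so the rename map cannot be recomputed from the output. Requires PHP 7.4+.
const KEEP = ['this', 'GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV', '_REQUEST', '_SESSION'];

function obfuscate_php(string $source, bool $intermediate, string $salt): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $declared = $vars = [];   // names defined here; bare variable names (so $obj->prop follows $prop)
    // Pass 1: collect the names this file defines.
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) continue;
        [$id, $text] = $tokens[$i];
        if (in_array($id, [T_FUNCTION, T_CLASS, T_INTERFACE, T_TRAIT], true)) {
            for ($j = $i + 1; $j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE; $j++);
            if ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                $declared[$tokens[$j][1]] = true;
            }
        } elseif ($id === T_VARIABLE && !in_array(substr($text, 1), KEEP, true)) {
            $vars[substr($text, 1)] = true;
        }
    }
    $map = [];
    $rename = function (string $name) use (&$map, $intermediate, $salt): string {
        return $map[$name] ??= ($intermediate ? '_' . strtolower($name) . '_'
                                              : '_' . substr(hash_hmac('sha256', $name, $salt), 0, 16));
    };
    // Pass 2: rewrite the token stream; whitespace tokens are kept, so layout survives.
    $out = ''; $prev = null;   // $prev = previous non-whitespace token
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) { $out .= $tokens[$i]; $prev = $tokens[$i]; continue; }
        [$id, $text] = $tokens[$i];
        if ($id === T_VARIABLE && isset($vars[substr($text, 1)])) {
            $text = '$' . $rename(substr($text, 1));
        } elseif ($id === T_STRING && (isset($declared[$text])
                  || ($prev === T_OBJECT_OPERATOR && isset($vars[$text])))) {
            $text = $rename($text);
        } elseif ($id === T_LNUMBER && ctype_digit($text)) {
            $text = '0x' . dechex((int) $text);                       // 42 -> 0x2a
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING && $text[0] === "'"
                  && strlen($text) > 2 && strpos($text, '\\') === false) {
            $hex = '';
            foreach (str_split(substr($text, 1, -1)) as $c) $hex .= sprintf('\x%02x', ord($c));
            $text = '"' . $hex . '"';                                  // 'hi' -> "\x68\x69"
        }
        $out .= $text;
        if ($id !== T_WHITESPACE) $prev = $id;
    }
    return [$out, $map];   // keep $map offline: it is the only way back to the original names
}

// Constructed input: the thread's example extended with a parameter, a string and a number.
$src = "<?php\nfunction MyFunction(\$who) { return 'hi ' . \$who; }\necho MyFunction('world'), 42;\n";
[$code, $map] = obfuscate_php($src, false, 'replace-with-a-secret-salt');
echo $code;
```

Run with `$intermediate = true` first and debug that output, as post #10 suggests; library methods or properties whose names collide with one of your own variable names are renamed too, so exercise the final output before shipping it.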
08-09-2006, 07:34 AM   #11
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
so you are just obfuscating function names?

i hadn't really spent time reading this thread, but i do see some misconceptions.

it is completely possible to prevent users on a shared host from snooping around other users' directories by jailing the users to their own root directories.

now if you knew the path to a particular file in another user's web root, you may be able to use PHP to read that file. you probably could not do this logged into the shell as your own user, but you could execute it through the browser, which then makes the 'apache' user (or whatever the http server user is) access the file. that user surely has permissions to read the file.

PHP safe mode will prevent this cross directory reading, however safe mode also limits you in other areas. ultimately it would depend on if you mind using a host that restricts users to safe mode.

ultimately if you're worried about your code being stolen, you should just use a dedicated server, or a virtual dedicated server.
__________________
Mike
08-09-2006, 09:34 AM   #12
DJMaze
Senior Contributor
Join Date: Mar 2005
Posts: 673
Why steal your code? You already said that when you buy something for $700 it is still crap, so what makes your code superior?
All code has bugs and issues; if you coded without any you would have been a millionaire.

In my opinion you shouldn't worry about your code, you should worry about the server. It is more harmful that people steal your customers' credit card numbers than your code. Why crack a server to steal PHP files if you can get email addresses and credit cards?
__________________

UT: Ultra-kill... God like!
08-09-2006, 01:42 PM   #13
jgestiot
Registered User
Join Date: Aug 2006
Posts: 8
Quote:
Originally Posted by DJMaze
Why steal your code? You already said that when you buy something for $700 it is still crap, so what makes your code superior?
All code has bugs and issues; if you coded without any you would have been a millionaire.

In my opinion you shouldn't worry about your code, you should worry about the server. It is more harmful that people steal your customers' credit card numbers than your code. Why crack a server to steal PHP files if you can get email addresses and credit cards?
You may not worry about your code but I worry about mine and many worry about theirs. Perhaps your code is not worth worrying about. I am not suggesting that you do not write well but the type of application you write may not be that sensitive after all. If you write an application and 500 of that type already exist and 200 are distributed freely, you are right: why worry? This is why I do not obfuscate everything that I do.

However, when I write a major application, I re-use a framework that has taken me a long time to develop. This framework uses an architecture that is unique and I am not prepared to see it distributed freely around the web right now.

As to credit card numbers, you never store them straight on the server. It's that simple. And of course, if you need to store credit card numbers, you must apply a method of obfuscation or encryption on the credit card numbers and of course, you will need your PHP code obfuscated to hide the method used.

I don't really understand the argument of those who say "why obfuscate your PHP code?" ... The real question is: why wouldn't you? If it takes 30 seconds to create an obfuscated version of your code ready for upload, why would you upload the non-obfuscated version if your application is sensitive?

If you make your living from developing PHP applications, you are competing with others. You need to invest a lot of time and money in development. Why should you hand out the source to one of your competitors who is going to charge half the rate doing the same job?

Finally, those who say obfuscated code can be reverse-engineered have never tried it! My code is already hard to understand before it is obfuscated, nobody could understand it afterwards without comments and meaningful class, function and variable names. No chance! It is not because something can be theoretically done that it can also be practically done. Not in this case.

Obfuscation works by deterrence. The person who is capable of de-obfuscating your code has the skills to write the same code in half the time so it is not worth his time stealing it. This is why obfuscation is in my opinion very effective.
08-09-2006, 02:40 PM   #14
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
I won't link them here, but there are services available who will un-encode files that were encoded by Zend Optimizer and IonCube Encoder. generally they charge between $1 and $5 per script.

Zend and IonCube are companies who put a lot more R&D hours into an encoding product than 1 person could do by themselves. If their encoding/obfuscation can be reverse engineered, then it's safe to say that yours probably can too. For anyone to say otherwise would be quite ignorant.

I understand your comments about a deterrent, but if it is that important for someone not to see your code, you should have your own dedicated server overseen by a trusted and skilled administrator.

If your code is distributed, then you should definitely encode it somehow, but to think it's going to be difficult for someone skilled to reverse engineer is naive.
__________________
Mike
08-09-2006, 03:08 PM   #15
jgestiot
Registered User
Join Date: Aug 2006
Posts: 8
Quote:
Originally Posted by sde
I won't link them here, but there are services available who will un-encode files that were encoded by Zend Optimizer and IonCube Encoder. generally they charge between $1 and $5 per script.

Zend and IonCube are companies who put a lot more R&D hours into an encoding product than 1 person could do by themselves. If their encoding/obfuscation can be reverse engineered, then it's safe to say that yours probably can too. For anyone to say otherwise would be quite ignorant.
Mine is an obfuscator, not an encoder. You cannot recreate the original source code from the obfuscated version. Encoding can always be cracked.

Quote:
Originally Posted by sde
I understand your comments about a deterrent, but if it is that important for someone not to see your code, you should have your own dedicated server overseen by a trusted and skilled administrator.
Anyone can see my code. What is important to me is for somebody not to understand it, take it and sell it or develop it further outside my control. There are no safe servers and the trusted skilled administrator is less reliable than a good obfuscator. Even if I had the box on my desk, I would obfuscate the code. Servers get broken into.

Quote:
Originally Posted by sde
If your code is distributed, then you should definitely encode it somehow, but to think it's going to be difficult for someone skilled to reverse engineer is naive.
It's a fact that it is very difficult (i.e. impossible) for someone skilled to reverse engineer the code and the point I made in my last post was that it would not be worth the person's time. How do you recreate the original source code if everything meaningful has been one-way encrypted?