Protecting Php Code

[redarrow]

Look the whole thing was about protecting a page, not hacking, was just mention as i said he does not understand Apache so he said he a hacker.

 

that was all.

 

no one should hack or crack, it illegal we all no that, but at the same time it not illegal to speak about, as long as it not put in practice, that my thort on the matter.

[mentalist]

This thread is technically about protecting proprietary code and not hacking / cracking, maybe only insofar as a last line of defence. But as 'they' say, protection through obscurity is no protection at all, look at microsoft.

[Daniel0]

You cannot really protect PHP code anyway. The PHP interpreter needs it in plain text, so theoretically you should be able to just grab it from memory while it's running. You'll have to rely on laws regarding protection of IP and take people to court if they violate your rights instead.

[Yacoby]

You'll have to rely on laws regarding protection of IP and take people to court if they violate your rights instead.

Which given that he said he is uploading the files to another persons server without authorization, isn't going to be a good idea.

[premiso]

In the lines of this threads topic. Not that I agree with actually going out and finding exploits in code, if your php server is coded properly you should have nothing to worry about.

 

It is the persons choice to risk attempting to access a site they should not. Eventually they will get caught and or reported. But yea. Him posting his code allows you to look at it and use it to make your server more secure.

 

As far as the OP's question. It is impossible, as Daniel0 described. It is more or less a "flaw" of the php system. If you do not want your code out, do not put it on someone elses server. Simple as that. It is up to you who gets your script. By actively putting it on others systems you have no reason to access or do it to, is asking for it to be used in a bad way.

 

I can see, from a security profession stand point, to use it on "customers" site to test if they are vulnerable. As far as just going to random peoples site, that is just stupid.

[Daniel0]

It is more or less a "flaw" of the php system.

 

Or generally any scripting language.

[corbin]

I don't think I would even consider that a flaw.  The whole plain text being compiled each run thing is kind of what makes a scripting language a scripting language.  (Perhaps "interpreted scripting language" would be better to say...  Hrmmm... I don't know the right term for it lol.)

[phil88]

A way to do it that I can think of would be to write a PHP compiler that compiles PHP code into binary/assembly that can be executed without the need for the PHP interpreter.

 

This way, the source, plain-text files wouldn't need to be on the server as the compiled code could be executed rather than the source-code being interpreted.

 

Of course, writing a PHP compiler would be a ridiculous task - if it's even realistically possible. There might even be compilers available on the internet somewhere. I neither know nor particularly care. If you're going through that much effort, you're using the wrong programming language. Use a language that is meant to be compiled rather than interpreted.

 

 

Actually, I just did a quick google. It would seem that there is indeed a relatively reliable PHP Compiler out there. Give that a look.

[mentalist]

Do you mean something like this...bcompiler

As far as I see it makes php a bit like python or java where it pre-compiles into byte code, this also increases the speed of execution (from go, not in comparison).

[mentalist]

Is this a fill in the gaps game?

 

S_DLA_S Th3 1r4Q1 Cr4Ck3r

 

=

 

sadlams

[redarrow]

dan said this.

so theoretically you should be able to just grab it from memory while it's running.

 

can anybody give a example, of php grabbing info from the memory, and seeing the php code

while it encrypted, and shown from the memory decrypted?

 

like dan said.

 

[corbin]

redarrow, obviously no one is going to do that just for kicks and giggles since it would take more than 30 seconds.

 

 

But it's definitely possible.  To parse PHP, it has to be in plain text at some point in time.  Get a debug version of PHP, set some steps right before the parsing step, feed it a file and while it's paused, get the plain text out of memory.  (It's more difficult than it sounds, but for someone who knew what he was doing [not me] it would take like 20 minutes tops.)

[redarrow]

corbin can you kindly tell me, if that a way that these decrypting web sites decrypt php pages.

 

thanks for your time.

 

if you got a link can not find one on this issue post it please thanks mate.

[corbin]

No, that's probably not how those decrypting websites function.  They have probably just reversed the algorithms.

 

 

And I don't know of a link.  Not everything can be found via google ;p.  I doubt many people have been determined enough to dig around in PHP's allocated memory to find a script being executed, especially when decryptors exists for like $1.

[Yacoby]

I doubt many people have been determined enough to dig around in PHP's allocated memory to find a script being executed, especially when decryptors exists for like $1.

And the fact that it would just be easier to edit the PHP source to dump the executed script to stdout

[corbin]

I doubt many people have been determined enough to dig around in PHP's allocated memory to find a script being executed, especially when decryptors exists for like $1.

And the fact that it would just be easier to edit the PHP source to dump the executed script to stdout

 

 

Hrmmm....  Yeah.  I didn't think about that one at all.  Nice!

[phil88]

Do you mean something like this...bcompiler

As far as I see it makes php a bit like python or java where it pre-compiles into byte code, this also increases the speed of execution (from go, not in comparison).

I was more thinking of compiling straight to binary rather than byte code - but the same principle applies to both.

[mentalist]

Do you mean something like this...bcompiler

As far as I see it makes php a bit like python or java where it pre-compiles into byte code, this also increases the speed of execution (from go, not in comparison).

I was more thinking of compiling straight to binary rather than byte code - but the same principle applies to both.

 

In either byte or binary it'd be no more safe, just not in standard php...

Everything spoken about in this thread are layers of abstraction and obscurity and not actual protection.

As phil88 states, if you want that extra protection choose a different language, even probably interpreter, but even if you do encrypt it then you'll need to include the D key somewhere on the public server, so your just chasing your tail round and round and round and ...

 

Is there any language, compiled binaries, etc... that are safe from decompiling, even metamorphic viruses and their delivery systems are detectable and require to carry their decryption key...

[premiso]

I don't think I would even consider that a flaw.  The whole plain text being compiled each run thing is kind of what makes a scripting language a scripting language.  (Perhaps "interpreted scripting language" would be better to say...  Hrmmm... I don't know the right term for it lol.)

 

Yea, that is why I said "flaw", attempting to emphasize lack of a better word. It really is not a flaw more as how it is designed. But given that it does have to be interpreted, means that you really cannot secure any script written for PHP or hide it's source from anyone. It really is not a flaw as much as how it is designed/needed to be done.

 

[corbin]