Question time

[canadabeeau]

I am building my own method of PHP obfuscating (or plan to), as I know what I want but cant find something to totally fit the requirements. Now my problem is I don't exactly know how PHP obfuscating works. Is it (basically) just encrypting all the code in md5 (as an example) and the server decrypts it?

[canadabeeau]

or have I got this completely wrong and can someone put me on the correct path, where do I start?

[premiso]

Well for me, I have no clue what your ultimate goal is of obfuscating with PHP. Can you elaborate more on what you want to input and the output you expect out?

 

What are you trying to hash up with MD5 and send? And just a note MD5 is a hash method and not an encryption method. But yea. please elaborate on what you are trying to do with examples etc and I bet you will find the help more plentiful.

[canadabeeau]

I was using md5 as an example, as I said.

Anyway I have a PHP project I now want to obfuscate, now I want to build my own obfuscate method, I have figured out how I can get the files to obfuscate by passing them through a PHP script and downloading the file at the end (so I would upload index.php and the script would obfuscate it then give me a link to download index.php obfuscated) anyway that not the problem, how do you do the obfuscate part, is it a series of functions, that goes replace all instances of "if" with 525Z and maybe echo with 8955Y??? or does it do more like md5 hash and do the whole think letter by letter (kind of).

 

Second how do I make the server un-obfuscate so it will run on the server? Premiso if this is not clear enough let me know please

and I forgot before, thanks for all help in advance

[canadabeeau]

Can someone please guide me in the correct direction

[optikalefx]

what is the purpose here?  PHP code is invisible to the end user.... Generally you just replace variable names with single letters and get rid of ALL white space in the code.

[canadabeeau]

OPTIKALEFX I am obfuscating for people (webamsters) installing it, prevent them from modifying the code

[laffin]

You are speaking of encryption. not obfusciation.

Obfusciated code is unreadable to human eyes, but still executable code.

encrypted code, isnt executable without a decrypter module

 

there are plenty of encryptors out there, Zend has one (Zend Guard).

and plenty of obfusciators, like this one see bottom for example of obfusciated code.

[oni-kun]

OPTIKALEFX I am obfuscating for people (webamsters) installing it, prevent them from modifying the code

 

Above poster was correct, I personally like Zend Guard myself. Obfuscating is pointless, any level can , granted easily be unobfuscated.

[canadabeeau]

Okay someone tell me what I am trying to build based on these conditions,

I want the code so a human (webmaster installing the program) cannot read the code or alter it in any way (because they cant read it)

Then I want to build my own opensource version so how would I go about making the server read the code? I know how I could obfuscate it (or encrypt) but how do I get the server to do the reverse?

[canadabeeau]

Okay so the answer is ENCRYPTION not OBFUSCATION, how do I get the server to decrypt y custom encryption?

[laffin]

Without a binary encryptor/decryptor, its kinda pointless.

Binary as in php modules (.so or .dll) which are written in C/C++

Why is it pointless? well if your writing your encryptor in php, that means you have to have a decryptor for it, if its done in php, guess what? a quick rewrite and they got the code.

Obfusciating is ok, but its still executable, a good programmer, with a good set of tools, may not reproduce the code exactly. But they will get the code.

Best bet is to use those encryptors (Zend Gaurd), IonCube or whatever that your server can install (Zend Guard is popular, and many already have it installed).

 

[canadabeeau]

I want to write my own I just need to know how to rig the server to decrypt the code (I will not be encrypting it to binary instead a custom string shall do it) so how do I get the server to decrypt it.

 

For example the file is

<?php echo "Hello";?>

encrypted it is

<?php  echo "\110\145\x6c\x6c\x6f";?>

(as a very loose example)

 

How do I get the server to decrypt the code??

 

Any help would be greatly appreciated as always.....

[canadabeeau]

What about something like this (http://www.devshed.com/c/a/PHP/PHP-Encryption-and-Decryption-Methods/) and use a different custom function other than 64 (so design my own and have it include from my server to their page. Would this work or can they easily hack it?

 

I really want to build this as you can probably tell,

[oni-kun]

What about something like this (http://www.devshed.com/c/a/PHP/PHP-Encryption-and-Decryption-Methods/) and use a different custom function other than 64 (so design my own and have it include from my server to their page. Would this work or can they easily hack it?

 

I really want to build this as you can probably tell,

 

Hmm..

eval(gzinflate(base64_decode('FZfHDoTYEUV/ZXYzIxbkJFseAU1qcg4bi9TknPl64z0SUK/
evef8859///NHcSTdX+VTD78u2Yq/0mQtCOy/
eZGNefHXn0L8kz5jKAueDcZhVNSnh9+OYd6flsK+PCKjqtEnIJoRtF3TO+
GH4UyCIED/st8VD9APjg8Nj+m1ysH0OIjnWTbNnIa+
P4Xyh7gC3XsCCgIOdqVtDlCOaQsau4uAKCI+
aEQxXEg96A4GpOsr85SHX9FcHSL6R+h57gJZzBE872FRE6v7vNdZpzaBU+
GYWOpCnDOMU5n16lgPBE3Qh5ejKZqYA7YSRf3y'))); ?>

 

var_dump(gzinflate(base64_decode('FZfHDoTYEUV/ZXYzIxbkJFseAU1qcg4bi9TknPl64z0SUK/
evef8859///NHcSTdX+VTD78u2Yq/0mQtCOy/
eZGNefHXn0L8kz5jKAueDcZhVNSnh9+OYd6flsK+PCKjqtEnIJoRtF3TO+
GH4UyCIED/st8VD9APjg8Nj+m1ysH0OIjnWTbNnIa+
P4Xyh7gC3XsCCgIOdqVtDlCOaQsau4uAKCI+
aEQxXEg96A4GpOsr85SHX9FcHSL6R+h57gJZzBE872FRE6v7vNdZpzaBU+
GYWOpCnDOMU5n16lgPBE3Qh5ejKZqYA7YSRf3y'))); ?>

 

See how easy it is to get the code from that 'encryption' ? Base64 part is even easier, That's one of the most simple examples you can come across, Any programmer will be able to defeat this.

 

You'll need to either buy an obfuscation program, such as SourceCop, or use an aformentioned solution such as Zend Guard.

[canadabeeau]

I was thinking of using my own encryption string NOT base64, so could that work or still easily hackable.

I just want to say I do NOT want to buy a PHP encryptor, I want to build my own so that is why I need and want this advice on how I can build my own

[oni-kun]

I was thinking of using my own encryption string NOT base64, so could that work or still easily hackable.

I just want to say I do NOT want to buy a PHP encryptor, I want to build my own so that is why I need and want this advice on how I can build my own

 

What do you mean? If you build one you have to give them the code that will decrypt it, thus they will be able to know the original code. If you REALLY want to make something simple... Than you can look at a function such as:

function encrypt($string, $key) {
$result = '';
for($i=0; $i<strlen($string); $i++) {
	$char = substr($string, $i, 1);
	$keychar = substr($key, ($i % strlen($key))-1, 1);
	$char = chr(ord($char)+ord($keychar));
	$result.=$char;
}
return $result;
}
print_r(encrypt('<?php..zzzzzzzzzzz... ?>', 'mysite.com');

Then use that code to encrypt your document, and provide them with the 'decrypter':

function decrypt($string, $key) {
$result = '';
for($i=0; $i<strlen($string); $i++) {
	$char = substr($string, $i, 1);
	$keychar = substr($key, ($i % strlen($key))-1, 1);
	$char = chr(ord($char)-ord($keychar));
	$result.=$char;
}
return $result;
}

eval(decrypt('xxxxxxx(randomobfuscatedstringxxxxxxxxx', 'mysite.com')); //preobfuscated string

 

Just an example, but again, It's either a chance they'll get your code, or write your own module/Use free ZendGaurd.

[canadabeeau]

oni-kun I think you just gave me the wording I was looking for, I want to build my own PHP encrypt/decrypt module so basically they place a dll in their web root or something and then decrypt the code.

Basically I want to make my own Zend Guard (but with lost of customizing, I just need to get the base made which is what I am asking about)

[oni-kun]

oni-kun I think you just gave me the wording I was looking for, I want to build my own PHP encrypt/decrypt module so basically they place a dll in their web root or something and then decrypt the code.

Basically I want to make my own Zend Guard (but with lost of customizing, I just need to get the base made which is what I am asking about)

 

Then this is out of scope for this forum, It's an Apache/C++ question. Learn how to compile Apache and a module, and code your own:

http://httpd.apache.org/docs/2.0/

[canadabeeau]

oni-kun the only problem being I some of my clients (through out sourced web hosting) may not have access to the Apache modules folder (am I able to somehow place the module outside the module folder of Apache), and would a person not be able to read the module file and be able then to decrypt the script? or not?

[canadabeeau]

Okay, I am going to look at making my own Apache module now so thanks to everyone, if anyone thinks this is the wrong way to go about it give me a post or PM