Debugging and IonCube

Debugging and IonCube

am 02.09.2005 04:00:59 von Louise Johnson

Dear readers,

I have just been at
http://www.ioncube.com/

which is a company that clames their product can protect PHP scripts from
being read by others, because it turns the PHP scripts into bytecode.

I am fairly new to PHP, but won't a debugger reveal the original PHP
code, when it is executed?

Lots of love,
Louise

Re: Debugging and IonCube

am 02.09.2005 11:52:29 von Nick

Hi Louise

Louise Johnson wrote:
> Dear readers,
>
> I have just been at
> http://www.ioncube.com/
>
> which is a company that clames their product can protect PHP scripts from
> being read by others, because it turns the PHP scripts into bytecode.
>
> I am fairly new to PHP, but won't a debugger reveal the original PHP
> code, when it is executed?
>
> Lots of love,
> Louise

A good question. The answer is "no" for two reasons. Firstly, as there
is no source code in the encoded files, even if the bytecodes were
displayed in a nice disassembly form, this is at a much lower and more
obscure level than source code and so not particularly revealing.
Secondly, execution of encode files isn't performed by the usual
executor, but a closed source one inside the Loader. Debuggers will not
be able to satisfactorily interract with the executor inside the
Loader, and some debuggers, such as the Zend one, fail to install when
other extensions are installed.

ionCube :)

Re: Debugging and IonCube

am 02.09.2005 12:34:54 von Louise Johnson

Hi IonCube Nick =)

> A good question. The answer is "no" for two reasons. Firstly, as there
> is no source code in the encoded files, even if the bytecodes were
> displayed in a nice disassembly form, this is at a much lower and more
> obscure level than source code and so not particularly revealing.
> Secondly, execution of encode files isn't performed by the usual
> executor, but a closed source one inside the Loader. Debuggers will not
> be able to satisfactorily interract with the executor inside the
> Loader, and some debuggers, such as the Zend one, fail to install when
> other extensions are installed.

But won't the bytecode have to be passed to PHP at some point?

This is at least the impression I get from looking at this figure:

http://gubed.mccabe.nu/?/article/articleview/Documentation/1 460&themex=public

Lots of love,
Louise

Re: Debugging and IonCube

am 02.09.2005 13:12:36 von Nick

Hi Lousie

Not for execution as the Loader has its own executor, partly for
security reasons. There are hooks inside PHP for both compile and
execution so that extensions can augment the standard behaviour of PHP.
A further point is that both our product and Zend Optimiser have made
use of non-standard opcodes, and even if a debugger were able to access
the compiled code, the results could be undefined.

PHP being OpenSource certainly does limit the extent to which security
is available, however in terms of protecting source, restricting
execution to particular machines with license files, offering time
expiry of scripts etc., a solid compiled code solution can none the
less be highly effective and of great value to developers and website
owners looking to guard against tampering with code.

Nick

Re: Debugging and IonCube

am 02.09.2005 14:46:42 von Louise Johnson

> Not for execution as the Loader has its own executor, partly for
> security reasons. There are hooks inside PHP for both compile and
> execution so that extensions can augment the standard behaviour of PHP.

But when it have been executed, won't it have to be passed to the PHP
server?

> A further point is that both our product and Zend Optimiser have made
> use of non-standard opcodes, and even if a debugger were able to access
> the compiled code, the results could be undefined.

Does IonCube then require a special version of PHP that understands these
upcodes?

> PHP being OpenSource certainly does limit the extent to which security
> is available, however in terms of protecting source, restricting
> execution to particular machines with license files, offering time
> expiry of scripts etc., a solid compiled code solution can none the
> less be highly effective and of great value to developers and website
> owners looking to guard against tampering with code.

Yes, IonCube seams like a pretty good option to have in mind, when these
things are needed.

Love,
Louise

Re: Debugging and IonCube

am 02.09.2005 16:44:29 von Nick

There is a Loader component that handles execution. Of course any
function calls to standard PHP functions will call PHP. The Loader,
like Zend Optimiser, is an extension to PHP that handles the decoding
and execution of the encoded files. It interracts with PHP, and extends
PHP's functionality. In the case of the Loader, it can be installed
either in the php.ini file, or in many cases, dynamically when needed.
This has the advantage that no changes to the php.ini file are
required, and so is ideal for shared servers. Typically a developer
will encode their application, and then either bundle Loaders with the
application, or produce a product installer using the ionCube installer
creator system, (IPF). The advantages of an installer are a much more
professional way for customers to install products, as an installer is
always much better than a raw zip file with a bunch of files, and that
the installer will automatically deploy scripts to the remote server,
install Loaders (so no Loaders needed to be included with the package),
run post install scripts etc.

Nick