Simple code obfuscation

Simple code obfuscation

am 08.02.2010 20:32:54 von Brian Dunning

Hey all -

I'm selling a custom PHP solution to FileMaker users. It uses =
FileMaker's PHP API, so everyone who has FileMaker Server is already set =
up to use it, but very few of them have any knowledge of how to set up a =
server or do anything PHP related. But I do want to add some level of =
code obfuscation to prevent them from making simple changes to my code =
that allow them to exceed the privileges they've purchased.

I've looked at custom code encryption services like Ioncube and =
phpCipher, but in my estimation, deploying the needed server-side code =
for these is going to be beyond the capabilities of a large segment of =
my customers. I would rather have a few customers cheat me than offer a =
product that most customers are unable to figure out how to run.

So I was thinking of doing something like base64_encoding the crucial =
chunk of my code (maybe 20 lines worth) and using =
eval(base64_decode($that_content)) to run it. I figure that will scare =
away most of the customers who might be able to edit my code. Can anyone =
suggest something that goes one better?

- Brian=

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Simple code obfuscation

am 09.02.2010 00:13:50 von Richard Quadling

On 8 February 2010 19:32, Brian Dunning wrote:
> Hey all -
>
> I'm selling a custom PHP solution to FileMaker users. It uses FileMaker's=
PHP API, so everyone who has FileMaker Server is already set up to use it,=
but very few of them have any knowledge of how to set up a server or do an=
ything PHP related. But I do want to add some level of code obfuscation to =
prevent them from making simple changes to my code that allow them to excee=
d the privileges they've purchased.
>
> I've looked at custom code encryption services like Ioncube and phpCipher=
, but in my estimation, deploying the needed server-side code for these is =
going to be beyond the capabilities of a large segment of my customers. I w=
ould rather have a few customers cheat me than offer a product that most cu=
stomers are unable to figure out how to run.
>
> So I was thinking of doing something like base64_encoding the crucial chu=
nk of my code (maybe 20 lines worth) and using eval(base64_decode($that_con=
tent)) to run it. I figure that will scare away most of the customers who m=
ight be able to edit my code. Can anyone suggest something that goes one be=
tter?
>
> - Brian
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

For simple obfuscation, then maybe making a PHAR app may be of use here.

http://docs.php.net/phar


--=20
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=3DZEND002498&r=3D213474=
731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Simple code obfuscation

am 09.02.2010 00:47:00 von Ashley Sheridan

--=-rrgRFtE2OzS7KzsAYLFf
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

On Mon, 2010-02-08 at 23:13 +0000, Richard Quadling wrote:

> On 8 February 2010 19:32, Brian Dunning wrote:
> > Hey all -
> >
> > I'm selling a custom PHP solution to FileMaker users. It uses FileMaker's PHP API, so everyone who has FileMaker Server is already set up to use it, but very few of them have any knowledge of how to set up a server or do anything PHP related. But I do want to add some level of code obfuscation to prevent them from making simple changes to my code that allow them to exceed the privileges they've purchased.
> >
> > I've looked at custom code encryption services like Ioncube and phpCipher, but in my estimation, deploying the needed server-side code for these is going to be beyond the capabilities of a large segment of my customers. I would rather have a few customers cheat me than offer a product that most customers are unable to figure out how to run.
> >
> > So I was thinking of doing something like base64_encoding the crucial chunk of my code (maybe 20 lines worth) and using eval(base64_decode($that_content)) to run it. I figure that will scare away most of the customers who might be able to edit my code. Can anyone suggest something that goes one better?
> >
> > - Brian
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> For simple obfuscation, then maybe making a PHAR app may be of use here.
>
> http://docs.php.net/phar
>
>
> --
> -----
> Richard Quadling
> "Standing on the shoulders of some very clever giants!"
> EE : http://www.experts-exchange.com/M_248814.html
> EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
> Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
> ZOPA : http://uk.zopa.com/member/RQuadling
>


You could move some of the code to a binary package compiled from your
PHP script. This would limit who could use your system, for example, if
you compiled it for Windows then non-Windows users couldn't use it
unless you also compiled some binaries for them too. Of course,
requiring FileMaker does limit your audience too I believe, but that's
another topic.

I've seen this practice of binaries used before, and it seems to work
well. There are countless pieces of software out there that can create
installable programs, which will aid you immensely. You just have to put
one of those together and people can easily install your software with
just a few clicks.

The other route is to use remote scripts. So they would install a base
system on their own servers, but scripts crucial to the system are
accessed remotely. Doing this will mean you have to make sure your
script is watertight from a security point of view though, and ensure
you encrypt traffic going between any servers.

Lastly, you could offer some sort of hosted solution. This may not be
suitable I guess from what you've described of your system, but if it
is, you can then deem exactly what goes on.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--=-rrgRFtE2OzS7KzsAYLFf--

Re: Simple code obfuscation

am 09.02.2010 01:21:29 von Phpster

On Feb 8, 2010, at 2:32 PM, Brian Dunning
wrote:

> Hey all -
>
> I'm selling a custom PHP solution to FileMaker users. It uses
> FileMaker's PHP API, so everyone who has FileMaker Server is already
> set up to use it, but very few of them have any knowledge of how to
> set up a server or do anything PHP related. But I do want to add
> some level of code obfuscation to prevent them from making simple
> changes to my code that allow them to exceed the privileges they've
> purchased.
>
> I've looked at custom code encryption services like Ioncube and
> phpCipher, but in my estimation, deploying the needed server-side
> code for these is going to be beyond the capabilities of a large
> segment of my customers. I would rather have a few customers cheat
> me than offer a product that most customers are unable to figure out
> how to run.
>
> So I was thinking of doing something like base64_encoding the
> crucial chunk of my code (maybe 20 lines worth) and using eval
> (base64_decode($that_content)) to run it. I figure that will scare
> away most of the customers who might be able to edit my code. Can
> anyone suggest something that goes one better?
>
> - Brian
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

What about an md5 license hash check for certain modules/ functions?
It could be kept in a client specific config file and read in during
the appropriate script execution.

Bastien

Sent from my iPod

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Simple code obfuscation

am 09.02.2010 05:50:37 von Manuel Lemos

Hello,

on 02/08/2010 05:32 PM Brian Dunning said the following:
> Hey all -
>
> I'm selling a custom PHP solution to FileMaker users. It uses
> FileMaker's PHP API, so everyone who has FileMaker Server is already
> set up to use it, but very few of them have any knowledge of how to
> set up a server or do anything PHP related. But I do want to add some
> level of code obfuscation to prevent them from making simple changes
> to my code that allow them to exceed the privileges they've
> purchased.
>
> I've looked at custom code encryption services like Ioncube and
> phpCipher, but in my estimation, deploying the needed server-side
> code for these is going to be beyond the capabilities of a large
> segment of my customers. I would rather have a few customers cheat me
> than offer a product that most customers are unable to figure out how
> to run.
>
> So I was thinking of doing something like base64_encoding the crucial
> chunk of my code (maybe 20 lines worth) and using
> eval(base64_decode($that_content)) to run it. I figure that will
> scare away most of the customers who might be able to edit my code.
> Can anyone suggest something that goes one better?

You may want to try some of these code obfuscation classes:

http://www.phpclasses.org/searchtag/obfuscator/by/package/ta g/obfuscator/

--

Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Simple code obfuscation

am 10.02.2010 15:33:00 von daniel danon

Try http://www.seekposition.net/php-encode
Ignore everything, just enter the code and check if it still works.

On 2/8/10, Brian Dunning wrote:
> Hey all -
>
> I'm selling a custom PHP solution to FileMaker users. It uses FileMaker's
> PHP API, so everyone who has FileMaker Server is already set up to use it,
> but very few of them have any knowledge of how to set up a server or do
> anything PHP related. But I do want to add some level of code obfuscation to
> prevent them from making simple changes to my code that allow them to exceed
> the privileges they've purchased.
>
> I've looked at custom code encryption services like Ioncube and phpCipher,
> but in my estimation, deploying the needed server-side code for these is
> going to be beyond the capabilities of a large segment of my customers. I
> would rather have a few customers cheat me than offer a product that most
> customers are unable to figure out how to run.
>
> So I was thinking of doing something like base64_encoding the crucial chunk
> of my code (maybe 20 lines worth) and using
> eval(base64_decode($that_content)) to run it. I figure that will scare away
> most of the customers who might be able to edit my code. Can anyone suggest
> something that goes one better?
>
> - Brian
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Sent from my mobile device

Use ROT26 for best security

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Simple code obfuscation

am 10.02.2010 17:48:28 von Richard Quadling

On 10 February 2010 14:33, דניאל דנ=D7=
•×=9F wrote:
> Sent from my mobile device
>
> Use ROT26 for best security

I can't read a word of that!


--=20
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=3DZEND002498&r=3D213474=
731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Simple code obfuscation

am 10.02.2010 19:58:24 von daniel danon

--00504501754469caf8047f439e7a
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

That meaning the message? I'll re-send it now:

Try http://www.seekposition.net/php-encode
Ignore everything, just enter the code and check if the code still works.

On Wed, Feb 10, 2010 at 6:48 PM, Richard Quadling
wrote:

> On 10 February 2010 14:33, דניאל דנ=D7=
•×=9F wrote:
> > Sent from my mobile device
> >
> > Use ROT26 for best security
>
> I can't read a word of that!
>
>
> --
> -----
> Richard Quadling
> "Standing on the shoulders of some very clever giants!"
> EE : http://www.experts-exchange.com/M_248814.html
> EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
> Zend Certified Engineer : http://zend.com/zce.php?c=3DZEND002498&r=3D2134=
74731
> ZOPA : http://uk.zopa.com/member/RQuadling
>



--=20
Use ROT26 for best security

--00504501754469caf8047f439e7a--

Re: Simple code obfuscation

am 10.02.2010 21:22:23 von Skylinux

Brian Dunning wrote:
> .... But I do want to add some level of code obfuscation to prevent them
> from making simple changes to my code that allow them to exceed the
> privileges they've purchased.....

I have used PHP Processor 1.5 from http://gridinsoft.com for this. Back
when I was looking around it was the only offering which did not require
me to modify my source code and it does not require the clients to
install anything. This one is not free but it is very reasonably priced.

It is also a PHP editor but I never used it for that. You can simply
import a fully project, I used to run a project with multiple subdirs
and about 1.5MB of source code through it.
It can remove all newline and linefeed chars, replace $variable with
$asdFDG and do the same with functions and classes.

You can exclude global variables, functions or classes by using a simple
checkbox list.

This program has performed very well but I stopped using it because
sometimes it clashed with pages containing javascript, PHP and html so I
would have to test everything twice.
Using it on pure PHP scripts should work flawless and I will probably
start using this program again for my license handling class.

I know that this tool is available for "free" on some websites but make
sure you purchase the latest edition. The program had a bug when
generating random variables or function names. I reported it and they
fixed it, so get the patched version or you will not be very happy :)

--
John
RIP jacky.network-technologies.org
[root@jacky /]# uptime
05:09:18 up 607 days, 23:17

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php