Is it still worth it to encode PHP scripts? Code protection dilema :(

Tea_J

Hi Guys,

I do web applications, and I've never needed to encode my php before since I usually host my products myself... but now I am doing a software I plan to sell and it's meant to run OFFLINE (intranet) and needs to be installed at clients' servers... I didn't think this would be a problem since at the back of my head i knew there are lots of encoders (Zend, ionCube, SourceGuardian, etc) i can apply later on.

Now that it's time to deploy, i was shopping around for a good encoder... and then i discovered that these encoders, even the expensive ones, are pretty much useless!

On deZender, decrypt, and other sites, they offer very effective decoding! (deZender's forum shows a lot successful decoding in just minutes

I mean I KNOW THERE IS NO 100% bullet proof way to protect our codes, specially w/ a very persistent hacker.. that's ok, but at least I hoped these encoders would make it DIFFICULT enough to deter attempts (specially since my software isnt' really that expensive of a value) .. but decoded in minutes?maybe even seconds? Are these Encoders just selling to suckers?

So now, i'm stomped.. I dunno how to protect my software anymore.. it seems that OBFUSCATING php code is better than Encoding because at least obfuscating makes it difficult to reconstruct..

So what are your methods of protecting your PHP Code guys?

My strategy at the moment is drastically redesigning the relationships between my php files and function / libraries and making multiple PHP files and mixing them up in includes just to run 1 page and then adding a bunch of php scripts into the www/ folder from my old projects just to confuse people even more.. then OBFUSCATE and ENCODE all of those scripts! .. a bit of a brute force but meh...

disappointed.

laserlight

What value does your software provide? If it is specific to a particular client, then there's nothing to worry about: sell the client the code and forget about it. If it is more generic, how likely are would-be customers to pirate your software? Maybe what you can do is offer cheap licenses with paid support add-on.

Tea_J wrote:
My strategy at the moment is drastically redesigning the relationships between my php files and function / libraries and making multiple PHP files and mixing them up in includes just to run 1 page and then adding a bunch of php scripts into the www/ folder from my old projects just to confuse people even more.. then OBFUSCATE and ENCODE all of those scripts! .. a bit of a brute force but meh...

What are you protecting against?

Tea_J

hi Laserlight,

It's a standard Human Resource software w/c businesses can use ... I'm not worried about the customer, but it's his IT staff that i'm concerned with.. they may get an idea of copying the software and selling to other companies .. I have a "secret" licensing technique that they won't be able to crack and if they run my WAMP/LAMP package on another machine it wont work.. I'm super confident w/ my technique but it all relies on them not being able to read my code! (of course)

And regardless of the "piratability" of the software, it's also about SECURITY. I don't want hacker wanabes studying and fiddling with my base codes and figuring out how i do things and injecting their own little backdoors to it.

So there are many WHYs to this question w/c im sure other people share with me... it's the HOW that is the real problem sigh

laserlight

Tea_J wrote:
It's a standard Human Resource software w/c businesses can use ...

Are you sure that you cannot offer it as an online service?

Tea_J wrote:
I'm not worried about the customer, but it's his IT staff that i'm concerned with.. they may get an idea of copying the software and selling to other companies .. I have a "secret" licensing technique that they won't be able to crack and if they run my WAMP/LAMP package on another machine it wont work.. I'm super confident w/ my technique but it all relies on them not being able to read my code! (of course)

I see. What is the technique that you are using?

Tea_J wrote:
And regardless of the "piratability" of the software, it's also about SECURITY. I don't want hacker wanabes studying and fiddling with my base codes and figuring out how i do things and injecting their own little backdoors to it.

That does not make sense: your customer's IT staff already have access, so they do not need to insert backdoors. Furthermore, secure code is secure; insecure code that is obfuscated is still insecure, i.e., security through obscurity is not the way to go. Tools like Zend Guard offer automated obfuscation besides translating the PHP code into some kind of bytecode, and this added obfuscation is fine since you still have your original source code. If the obfuscation tool does its job properly, then it should not be feasible to undo it simply because human readable information would have been discarded during the process. You could always test say, Zend Guard and deZender to see if indeed Zend Guard performs proper obfuscation despite decoding by deZender.

Tea_J

laserlight;11042479 wrote:
Are you sure that you cannot offer it as an online service?

I see. What is the technique that you are using?

That does not make sense: your customer's IT staff already have access, so they do not need to insert backdoors. Furthermore, secure code is secure; insecure code that is obfuscated is still insecure, i.e., security through obscurity is not the way to go. Tools like Zend Guard offer automated obfuscation besides translating the PHP code into some kind of bytecode, and this added obfuscation is fine since you still have your original source code. If the obfuscation tool does its job properly, then it should not be feasible to undo it simply because human readable information would have been discarded during the process. You could always test say, Zend Guard and deZender to see if indeed Zend Guard performs proper obfuscation despite decoding by deZender.

1) very sure. this needs to work offline since it is integrated w/ biometrics hardware which needs to be local specially since "speed" is key. Customer can't have people pausing at the door while the internet loads. and plus i expect some areas w/o internet as well. NOT EVERYTHING can be cloud based you know.

2) Can't really disclose the technique here, it's nothing fancy, just smart.. and it's hugely based on machine / server IDing (more than just a simple machine ID or MAC ID) .. but if my code is readable then all that is pretty useless.. so it all boils down to making code unreadable or nothing.

3) I think you're missing the point. They have limited access to the system and the logic is harder to understand w/o seeing the code.. and direct database manipulation will certainly cause errors sooner or later.. and ultimately, and more importantly, they must not be able to sell the software to other companies. if they copy the scripts, or even the whole LAMP/WAMP folder, or even if they CLONE the darn machine, it will not work --- unless they are able to see my code and remove my checks..

and about the encoders i've been researching and testing for almost a month now.. and i have to say it's disappointing... at the moment i think code obfuscation is even more effective than encoding because ENCODING can easily be reversed as per my testing.. I tried the popular encoders and they all got reversed to some extent. (you can even try it yourself, dezender will decode any file for you partly, before you pay for the whole file, but it's enough for you to realize these encoders are all smoke, no fire.

Obfuscation however, even just plain minification, seems to be more of a challenge or time consuming for crackers since it's almost certainly one way .. it's not necessarily harder but will deter most from spending the time understanding the code.. vs 1 click decoding ..

I plan to combine obfuscation and bytecode encoding of ion or source guardian, but im back to my very first question.. what's the point of encoding when it's not that hard to reverse at all.

PS
This has always been my problem since im more of an intranet/offline web application developer...

laserlight

Tea_J wrote:
2) Can't really disclose the technique here, it's nothing fancy, just smart.. and it's hugely based on machine / server IDing (more than just a simple machine ID or MAC ID) .. but if my code is readable then all that is pretty useless.. so it all boils down to making code unreadable or nothing.

You cannot disclose the technique because of legal reasons or because your technique depends on it being unknown? For the former, that's fine; for the latter, it means that you should change technique since even without being able to read the code, an attacker in possession of obfuscated code and who is able to observe the code in action may still be able to discover how it works. The idea here is similiar to cryptography: the security should not depend on the algorithm being unknown.

Tea_J wrote:
3) I think you're missing the point. They have limited access to the system and the logic is harder to understand w/o seeing the code.. and direct database manipulation will certainly cause errors sooner or later..

No, I am not missing the point here. I am pointing out that "it's also about SECURITY" is a poor reason for obfuscation. Thinking that "direct database manipulation will certainly cause errors sooner or later" is sloppy where security is concerned. If it is about security, then untrusted personnel should have no access at all, not just "limited access to the system" and worse still, write access to the database.

If the IT staff have access to the server and you have good reason not to trust the IT staff, then the right approach is to convince the customer that their staff cannot be trusted and hence they should outsource the server to you, in which case your problem disappears too since the IT staff would control the infrastructure but have no access to the server in their intranet... but I doubt the customer will be convinced.

Tea_J wrote:
and ultimately, and more importantly, they must not be able to sell the software to other companies. if they copy the scripts, or even the whole LAMP/WAMP folder, or even if they CLONE the darn machine, it will not work --- unless they are able to see my code and remove my checks..

Yes, this reason is fine.

Tea_J wrote:
at the moment i think code obfuscation is even more effective than encoding because ENCODING can easily be reversed as per my testing

Did you enable obfuscation on those encoders that you tested, if they provided such an option?

Tea_J wrote:
im back to my very first question.. what's the point of encoding when it's not that hard to reverse at all.

Encoding has never been about preventing the code from being read. Rather, it is a form of optimisation for deployment. Consider: if you write a C program, you would compile it and distribute the executable. Generally, it is faster for the computer to execute the executable code than for an interpreter to interpret source code and cause it to be executed. The executable code looks obfuscated, but chances are, it isn't. You could use a tool to turn it into assembly language, and then if you were skilled at reading assembly language, you would have a good chance of understanding the code (though it wouldn't be exactly the same as the source code due to compiler-applied optimisations). Hence, the idea is to turn PHP source code into bytecode that can be more readily executed.

EDIT:

Tea_J wrote:
Obfuscation however, even just plain minification, seems to be more of a challenge or time consuming for crackers since it's almost certainly one way

Minification of code can be somewhat undone, e.g., by running the minified code through a source code formatter. It is also a form of optimisation for deployment, though in the case of PHP the improvement is negligible. However, if the minification amalgamates source and include files into as few source files as possible (with undescriptive names), then in combination with basic obfuscation techniques like renaming, the code will be difficult to understand because human readable context will have been lost. The thing is, a quick check shows that Zend Guard at least claims to be able to do those basic obfuscation techniques, which leads me to suspect that you simply have not enabled them.

Tea_J

laserlight;11042485 wrote:
You cannot disclose the technique because of legal reasons or because your technique depends on it being unknown? For the former, that's fine; for the latter, it means that you should change technique since even without being able to read the code, an attacker in possession of obfuscated code and who is able to observe the code in action may still be able to discover how it works. The idea here is similiar to cryptography: the security should not depend on the algorithm being unknown.

you can argue different methods of security, nothing is ever that secure.. hence i developed my own, crude way, but yes it depends on it BEING unknown. sure spend a month on it you'll probably crack it.. but if you can't read/decipher my code properly you'l go nuts and find it not worth cracking at all. it's a matter of comparing license file w/ hashes in the project folder, plus machine environment variables etc.. AS LONG AS YOU CAN'T READ MY CODE you wont crack it i can almost guarantee you. i've had people try to already.. in fact i hired some of my peers to, some w/c are even way better than me. but it's just w/ the recent realizations that my weak link is the encoded file being decoded so easily in the first place and w/ an exposed code, it's going to be clear how i mixed things up.

I've been using Zend Encoder, and iONcube to do this and have always slept well , until i decided to dig deeper in the decoding world (just to see how safe my code really was) and hence, my great disappointment.

laserlight;11042485 wrote:
No, I am not missing the point here. I am pointing out that "it's also about SECURITY" is a poor reason for obfuscation. Thinking that "direct database manipulation will certainly cause errors sooner or later" is sloppy where security is concerned. If it is about security, then untrusted personnel should have no access at all, not just "limited access to the system" and worse still, write access to the database.

If the IT staff have access to the server and you have good reason not to trust the IT staff, then the right approach is to convince the customer that their staff cannot be trusted and hence they should outsource the server to you, in which case your problem disappears too since the IT staff would control the infrastructure but have no access to the server in their intranet... but I doubt the customer will be convinced.

Sorry but you are... sort of. you seem to head off to a different direction in the discussion.. for example, we can discuss all day about selecting the right IT Staff , one that can be trusted, forcing the client to let me manage and host it, and other things, but that's not really the point here.. (dont get me wrong i do appreciate the feedbacks still) .... My point is regardless of those things, or try to accept that sometimes WE DON'T HAVE that control over the situation, how do we protect ourselves when our stuff is out there out of our control? Database can always be manipulated if others have access to it.. i can't deal w/ that anymore all i can do is secure my code, my functions,routines, and ultimately my intellectual property.

-- and to answer you quickly about it, NO i dont want to manage the client's IT dept/server/system. I plan to sell this and leave it to client.. i dont make enough profit from each deployment to even bother to.. and i will never be able to guarantee an honest IT admin handling the server .. that part of the war is lost.. i just need to look inward and protect my work, that's all.

laserlight;11042485 wrote:
Did you enable obfuscation on those encoders that you tested, if they provided such an option?

Yes i actually did, and more. i actually generated encoded php files using different techs (zend, ion, sourceguardian), and enabled obfuscation.. and then sent samples to decoders posing as an interested customer.. and sure enough they sent back decoded files.. the bytecode encoding was USELESS and there were no TRACES of it once the files where returned to me.. (even eval and php based crypto obfuscation was useless) .. the only thing that seemed to stick are the plain/simple obfuscation because obviously, there's no way for the crackers to reverse the string, var, function, class, etc obfuscations, and at least that makes it a bit harder for someone trying to figure out my scripts.. that's why i was asking about the worth of these bytecode encoders at all? might as well just plain obfuscate. 🙁

laserlight;11042485 wrote:
Encoding has never been about preventing the code from being read. Rather, it is a form of optimisation for deployment. Consider: if you write a C program, you would compile it and distribute the executable. Generally, it is faster for the computer to execute the executable code than for an interpreter to interpret source code and cause it to be executed. The executable code looks obfuscated, but chances are, it isn't. You could use a tool to turn it into assembly language, and then if you were skilled at reading assembly language, you would have a good chance of understanding the code (though it wouldn't be exactly the same as the source code due to compiler-applied optimisations). Hence, the idea is to turn PHP source code into bytecode that can be more readily executed.

I think you're wrong here.. perhaps at the begining people compiled for performance. but if you're like me who's spent a ton of time reviewing different encoding products, you'll know it's pretty obvious that CODE PROTECTION is #1 priority and performance is #2... at least for PHP it is. in fact, there are options in encoders w/ very strong encoding that slows down performance. CODE PROTECTION is so important nowadays for security (such as my example of IT staff not able to inject their own code in the software) , copyright protection, licensing, etc...

laserlight;11042485 wrote:
EDIT:

Minification of code can be somewhat undone, e.g., by running the minified code through a source code formatter. It is also a form of optimisation for deployment, though in the case of PHP the improvement is negligible. However, if the minification amalgamates source and include files into as few source files as possible (with undescriptive names), then in combination with basic obfuscation techniques like renaming, the code will be difficult to understand because human readable context will have been lost. The thing is, a quick check shows that Zend Guard at least claims to be able to do those basic obfuscation techniques, which leads me to suspect that you simply have not enabled them.

[/quote]

yeh true.. obfuscation can somewhat be undone, at least to a certain level. but I think that's enough for most , or i guess it's the best we got at the moment <- i guess this is the moment.

🙁

laserlight

Tea_J wrote:
you can argue different methods of security, nothing is ever that secure.. hence i developed my own, crude way, but yes it depends on it BEING unknown. sure spend a month on it you'll probably crack it.. but if you can't read/decipher my code properly you'l go nuts and find it not worth cracking at all. it's a matter of comparing license file w/ hashes in the project folder, plus machine environment variables etc.. AS LONG AS YOU CAN'T READ MY CODE you wont crack it i can almost guarantee you. i've had people try to already.. in fact i hired some of my peers to, some w/c are even way better than me. but it's just w/ the recent realizations that my weak link is the encoded file being decoded so easily in the first place and w/ an exposed code, it's going to be clear how i mixed things up.

You are right to say that security is a matter of margin, and indeed it is so in practice. Because you have to put everything on the server, you cannot really have a secret key: whatever you use will have to be on the server too, i.e., it will not be truly secret. So yes, to some extent your licensing verification scheme must depend on the code being unreadable to the attacker, otherwise the attacker will easily discover secret keys and learn how to spoof data from the environment.

Yet, if indeed your scheme is secure under the assumption that the code is unreadable, then the same principle of the algorithm being known should apply. But nah, you don't have to reveal it if you don't want to. I was just concerned that you're using a very naive scheme under the assumption that the code being unreadable would be enough.

Tea_J wrote:
Sorry but you are... sort of. you seem to head off to a different direction in the discussion.. for example, we can discuss all day about selecting the right IT Staff , one that can be trusted, forcing the client to let me manage and host it, and other things, but that's not really the point here.. (dont get me wrong i do appreciate the feedbacks still) .... My point is regardless of those things, or try to accept that sometimes WE DON'T HAVE that control over the situation, how do we protect ourselves when our stuff is out there out of our control? Database can always be manipulated if others have access to it.. i can't deal w/ that anymore all i can do is secure my code, my functions,routines, and ultimately my intellectual property.

It is necessary to check that you have indeed explored other avenues. Just because they seem obvious to you and me does not mean that someone else would not miss it. Furthermore, it is necessary to be clear on just what you're protecting and against who. You want to protect your code from being pirated by those with access to the server that you will install it to. That's great, but that's a different issue from whether or not your code is secure.

Tea_J wrote:
the bytecode encoding was USELESS and there were no TRACES of it once the files where returned to me.. (even eval and php based crypto obfuscation was useless) ..

If you see obfuscation that relies on say, encrypting and then decrypting, then that is rubbish: the secret key for decryption must be on the server for the code to work, which also means that an attacker can decrypt it.

Tea_J wrote:
the only thing that seemed to stick are the plain/simple obfuscation because obviously, there's no way for the crackers to reverse the string, var, function, class, etc obfuscations, and at least that makes it a bit harder for someone trying to figure out my scripts..

Yes, that is what I meant: the human readable information is lost, so that works for obfuscation.

Tea_J wrote:
I think you're wrong here.. perhaps at the begining people compiled for performance. but if you're like me who's spent a ton of time reviewing different encoding products, you'll know it's pretty obvious that CODE PROTECTION is #1 priority and performance is #2... at least for PHP it is. in fact, there are options in encoders w/ very strong encoding that slows down performance. CODE PROTECTION is so important nowadays for security (such as my example of IT staff not able to inject their own code in the software) , copyright protection, licensing, etc...

You're confusing the concepts of "encoding/compiling to bytecode" and "automated obfuscation", but I cannot really blame you because these "PHP encoder" tools often conflate the two: ionCube's website is not explicit about the difference; Zend Guard's website does explain it, though it also claims to "prevent reverse engineering through PHP encoding (and obfuscation)", but at least there's an official forum post that clarifies: Zend Guard and "decoding tools".

Tea_J wrote:
that's why i was asking about the worth of these bytecode encoders at all? might as well just plain obfuscate.

They automate the obfuscation. That's about it, but that's also the important part: if you're manually "drastically redesigning the relationships between my php files and function / libraries and making multiple PHP files and mixing them up in includes", then you're also making life difficult for yourself.

AndreF

Encoding php without obfuscating is pretty nonsense and useless. You should use ionCube to encode and obfuscate your php. It compiles your code in bytcodes and obfuscate it if you enable the options. PHPLicengine is an automation license management software. With this you can automate your ionCube license generation online, or you can use its remote licensing that you can disable the license remotely, if your user did request for chargeback.

Kudose

@ ... http://www.decry.pt/ ... if not them, someone else has a way to decrypt/decode.

@ ... If you don't want them to see your code; you can't let them have possession of it. Plain and simple. SaaS it.

Tea_J

Gawd it took me a while to get back

@
- extremely valid and valuable points as usual mate thanks..
about the last part, yes i am making it really difficult for myself but i guess i'm used to it.. and if my own familiarity gets me lost in my own code/structure then that's a good thing to protect my code.. im banking on the fact that my software isn't that expensive/valuable anyway for some wise ass to spend so much hours to try and pirate it... so i guess it's never going to be 100% secured but making it EXTREMELY HARD is better than just "bending over" hehe

Oh and i'm a bit happy to report, been chatting w/ ioncube people and challenging their tech and all that and while they are not contesting the hackability of their compiled code they did make sense with regards to the process and expense it takes for another party to reverse it.. and as long as i maintain updates w/ the latest ioncube encoder it will be very difficult for crackers to keep up.. and lastly, it's extra difficult if i use a license key.. so far as i've seen on the decoders' forums, they do seem to ask their customers for the LICENSE key to the ioncube files or else they can't decode it. so that's good news (But means i have to fork $$$$ for their full version, --- i only use their web encoding service )

So hmm. i guess it can still be worth it.. w/ my crazy way of doing things, function /oldschool programming , my own framework, conventions and standards and a bunch of other things that complicate stuff, plus wrapping it all up w/ ioncube.. i guess my work is as safe as it will ever be - good enough...

AndreF;11042509 wrote:
Encoding php without obfuscating is pretty nonsense and useless. You should use ionCube to encode and obfuscate your php. It compiles your code in bytcodes and obfuscate it if you enable the options. PHPLicengine is an automation license management software. With this you can automate your ionCube license generation online, or you can use its remote licensing that you can disable the license remotely, if your user did request for chargeback.

hmm..i agree. tnx!!!

Kudose;11042513 wrote:
@ ... http://www.decry.pt/ ... if not them, someone else has a way to decrypt/decode.

@ ... If you don't want them to see your code; you can't let them have possession of it. Plain and simple. SaaS it.

yeh i've been on that site and more.. i dove into the world of decoders for a while in pursuit of protecting my work, and it was a disgusting ride ..
but see my response to laserlight above .. a small glimmer of hope (or false hope.. sigh)

and yes i would definitely WANT to SaaS it! it's the best way to go about it specially w/ maintaining updates and etc... but alas, there are just some stuffs you can't SaaS such as w/ clients who works on intranet style, or has no internet connection , etc..

PS
also it's worth noting that while a lot of my competitors boast "CLOUD" as a hyped up feature, i use it as their weakness... and my proposal boasts "DOES NOT REQUIRE INTERNET CONNECTION" ... and as per positive outcome, i guess it works.. 😛 and to a lot of people it sounds better than "cloud" hype

dalecosp

I know of at least one PHP package that uses IonCube, but also has some sort of encrypted key-check against a verification server that expects it from a specific IP address.

If that would help at all. Not everyone has the network-fu to spoof IP's, do they?

Tea_J

dalecosp;11042537 wrote:
I know of at least one PHP package that uses IonCube, but also has some sort of encrypted key-check against a verification server that expects it from a specific IP address.

If that would help at all. Not everyone has the network-fu to spoof IP's, do they?

yes that's the ioncube licensing engine (W/c you have to pay for premium though). but so far it seems to be effective against most decoding.. most people i contacted such as decryp.t asks for the license file before they can decode the scripts.. and the license file can purely be license key, domain /IP locked (spoofable yes) or machine locked..

still never gona be 100% secured but at least it's something .. so i guess im thinking about forking some $$ for the full version of the ioncube software. hmmm