I'm a php developer and currently searching for software to protect php code. I know there exist obfuscators and encoders (and both).. but it seems that it's possible to "decrypt" code encoded with some software.
So my question is.. if it is possible to decrypt source code produced by major software companies (zend, ioncube, sourceguardian).. why that produts are still on market?
Why these software continues to sell if anyone can (pay to) decrypt everything in seconds?
Btw, i asked this on ioncube forum and my message was.. deleted.
regards.
You can't. IonCube optimizes, obfuscates, and compiles the source code into bytecode. Any attempts to decode it won't end up being all that useful since you won't end up with the original source code.
The ionCube Loader uses the compile hook to examine a file before the PHP engine compiles it, and takes over the task of processing the file if it is an ionCube file.
Not very secure, but you can use it for avoiding outside interference. I will say it's less than 50% secure out of 100%. There are plenty of tools on the Internet for partially decompiling older versions of ionCube. I recommend you to choose some other encryption tools for protecting your code.
The answer simply reduces to: because there are dumbasses stupid enough to believe that PHP can be "securely encoded", the same way there are people stupid enough to believe that requiring a serial code for an application automatically makes it secure.
ionCube relies on a pretty simplistic implementation - XOR from start to finish, which is hardly a "security measure". It runs as a VM - and is vulnerable to all VM side-channel attacks in addition to flat-out reverse engineering (one presentation here: https://media.blackhat.com/ad-12/Saher/bh-ad-12-stealing-from-thieves-Saher-slides.pdf ). Will ionCube say so? No. Why? Because it dissuades the large majority of script kiddies.
I am not familiar with sourceguardian, but Zend is built in the same fashion, albeit a bit more secure and harder to beat than ionCube. However, whilst they're not trivial, they're not impossible to beat, either.
The following is taken from the Zend Guard page:
Encoding is a process where the PHP source code is converted to an intermediate machine readable format. This format is hard for humans to read and convert back to source code. As a result it protects your code from casual browsing. This means that if people obtain access to your site's code they will not be able to use that for unintended purposes.
In other words, if your user is not casually browsing, this will not hold up. I don't know about you, but I do not know a single non-dev who casually browses source code without the purpose of understanding it, and often, breaking it.
The same thing is true of every single DRM method around. However, they're still on the market. Why? Because, whilst they are not perfect, they're good enough to dissuade the large majority of people.
The law and final word of this is: if you build it, expect it to be broken and plan for it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With