PHP obfuscation

Discussion in 'Free Talk for Website Owners and Webmasters' started by riccardo, Jun 2, 2016.

  1. riccardo

    riccardo New Member

    Joined:
    May 19, 2016
    Messages:
    13
    Hello everybody,

    I'm writing a PHP library to solve a very specific problem and I intend to sell it through my (aMember PRO-powered, of course) Web site.

    In order to protect my IP, I want to obfuscate two specific parts of the library: the core (which is the part that others haven't been able to get done properly so far) and obviously the call-home license check.

    I've found out an online, free PHP obfuscator (http://fopo.com.ar) that seems promising; of course I am open to alternative suggestions, but that's not the main point of this post.

    As soon as I uploaded an obfuscated PHP file on my site, my hosting provider's antivirus blocked it: permissions were set to 0000 so I couldn't even read it. I opened a support ticket and they told me that the presence of obfuscated code was to blame.

    Now, aMember PRO contains an obfuscated PHP file and it has never given me any problem.
    So, maybe I was using the wrong obfuscator? Or did I overlook something else?

    Thanks in advance to anyone who will help me sort this out!

    Best regards
    Riccardo De Agostini
  2. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    493
    There is no code encrypter/obfuscator that is not reversible. The sample one you said from fopo adds a humoungous overhead.

    The next issue is that script kiddies and other bad people use these forms of code hiding to hide trojans, rootbots and other nasties. You may find that your code is blocked from numbers of hosts for security reasons.

    For the license check if it is a function all anyone needs to do is replace that once they work out the required callback values. I help a site by using steganography to protect the IP, as far as I know it has not been broken and I did that about 5 years ago.

    If you want raise a ticket over on my site I may be able to work you out something depending on the code/frequency.

    aMembers protection I will not discuss ;)
  3. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    493
    I built a small 'Hello world' try it on your system

    Attached Files:

  4. riccardo

    riccardo New Member

    Joined:
    May 19, 2016
    Messages:
    13
    Hello jenolan,

    sorry for my late reply. Yesterday's been quite a busy day.

    Of course all obfuscators are reversable. Obfuscated code must be parsable by PHP. ;)
    Still, obfuscation of the core part of a library makes a potential thief at least jumpthrough a couple of hoops.
    Not to mention the psychological effect: it most certainly will not stop anyone really determined and decently skilled, but it discourages people who just don't give a "\x73\x68\x69\x74" about intellectual property and would rather steal software than pay for it as long as it's easy. Which, sadly enough, means a large share of Italian users.

    Thanks a lot for the Hello World example! I just uploaded it on my site. Should it trigger any red light, it should get blocked by tomorrow at last. I'll let you know.

    Best regards
    Riccardo
  5. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    493
    It aint just Italians ... didn't you know code is free!

    Just upload it, run it and you should get the hello world. The code I used to build it is small rather than the fopo example which had way too much overhead to be used on anything loaded on most pages.

    The only thing that would allow more is ioncube but I hate using stuff that requires custom loaders.
  6. riccardo

    riccardo New Member

    Joined:
    May 19, 2016
    Messages:
    13
    I got the hello world. That was the easy part. :p
    Now let's wait a bit and see what my hosting provider's antivirus has to say...
  7. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    493
    For your library ... depending on what it does/is the only real protection is to do it as an api on your site with keys, so the request is made the payload has the auth and you can check ip addresses etc. That's assuming it aint needed for every request.
  8. riccardo

    riccardo New Member

    Joined:
    May 19, 2016
    Messages:
    13
    An online API is an option I had already considered and discarded.
    Man, was I wrong! ;)

    In the past two weeks I've been converting the core of my software into an online API.
    Some things I've stopped worrying about:
    • License management (basic authentication over HTTPS + a database no one else has access to, beat code encryption big time!)
    • Compatibility with WooCommerce / Magento / Prestashop / you name it (just use what's available to make HTTPS request... I personally recommend Guzzle, but HTTP_Request2 works equally well)
    • Having to integrate with invoicing / accounting software (they just use my API, no more exchanging files. nor struggling with 30-years-old, cruft-infested database schemas)
    • Documentation (Swagger totally rules!)
    I guess I owe you a beer, jenolan! :D

Share This Page