Encode PHP

There are a lot of tools to encrypt your PHP files, but most of them cost a lot of money. Here are some examples:

Zend Guard $696
ByteRun Protector for PHP $49
ionCube PHP Encoder $199
Source Guardian $199
NuSphere Nu-Coder $299


Besides these, there are a lot of free encoders, which are quite useless. You can recognize them by the eval() that your encoded PHP file will have somewhere in it.

<?php $_F=__FILE__;$_X='Pz48P3BocA0KNWNoMiAiSDVsbDIgVzJybGQiOw0KPz4=';
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLC
cxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GS
UxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

If you get this code, it’s pretty easy to decode: search for the eval and replace it with an echo, s/eval\((.*)\);/echo $1;/

[richard@sg2 ~]# perl -pi -e 's/eval\((.*)\);/echo $1;/' test.php
[richard@sg2 ~]# php test.php
$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

As you can see, there is another eval in it, so I copy/paste this line into my PHP file and run echo instead of the eval (I even added some debug output so you can see what’s happening):

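<?php
// Same steps as the decoded stub above, with echo in place of the final eval()
$_F=__FILE__;
$_X='Pz48P3BocA0KNWNoMiAiSDVsbDIgVzJybGQiOw0KPz4=';
$_X=base64_decode($_X);                      // layer 1: base64
echo "_X = $_X\n";
$_X=strtr($_X,'123456aouie','aouie123456');  // layer 2: character substitution
echo "_X = $_X\n";
// ereg_replace() was removed in PHP 7.0; on newer versions use str_replace() here
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
echo "_R = $_R\n";
$_R=0;
$_X=0;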
[richard@sg2 ~]# php test.php
_X = ?><?php
5ch2 "H5ll2 W2rld";
?>
_X = ?><?php
echo "Hello World";
?>
_R = ?><?php
echo "Hello World";
?>

So, as you can see, this is a worthless encryption :)
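
The same unwrapping can be done without running the encoded file at all, which is the safer route when the file comes from an untrusted source. The Python sketch below is an added example, not part of the original post: it statically peels the layers of the sample above. The names decode_stub and recover_source are made up for this illustration, and it assumes the exact $_X / eval(base64_decode()) / strtr layout shown on this page.

```python
import base64
import re

# The encoded file from this page, embedded so the example runs offline.
SAMPLE = """<?php $_F=__FILE__;$_X='Pz48P3BocA0KNWNoMiAiSDVsbDIgVzJybGQiOw0KPz4=';
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLC
cxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GS
UxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>"""

# Patterns for the three pieces of this encoder's layout (assumed fixed).
STUB_RE = re.compile(r"eval\(\s*base64_decode\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)")
PAYLOAD_RE = re.compile(r"\$_X\s*=\s*'([A-Za-z0-9+/=\s]+)'")
STRTR_RE = re.compile(r"strtr\(\s*\$_X\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")


def decode_stub(php_source):
    """Return the PHP code hidden in eval(base64_decode('...')), or None."""
    m = STUB_RE.search(php_source)
    # b64decode() discards the line breaks inside the wrapped base64 string.
    return base64.b64decode(m.group(1)).decode("latin-1") if m else None


def recover_source(php_source):
    """Statically undo base64 + strtr; nothing from the file is executed."""
    stub = decode_stub(php_source)
    payload = PAYLOAD_RE.search(php_source)
    if stub is None or payload is None:
        raise ValueError("not the eval/base64/strtr layout shown on the page")
    data = base64.b64decode(payload.group(1))
    table = STRTR_RE.search(stub)  # the substitution alphabet lives in the stub
    if table:
        src, dst = (s.encode("latin-1") for s in table.groups())
        n = min(len(src), len(dst))  # PHP strtr() ignores the extra characters
        data = data.translate(bytes.maketrans(src[:n], dst[:n]))
    return data.decode("latin-1")


if __name__ == "__main__":
    print(decode_stub(SAMPLE))      # the loader stub
    print(recover_source(SAMPLE))   # the original PHP source
```

Because the substitution alphabet is read from the stub rather than hard-coded, the same function handles files from this encoder that use a different strtr table.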

In my search I found 2 free encoders. One was Turck MMCache for PHP, but according to the download page on SourceForge the latest update was in 2003. The other one is bcompiler. bcompiler is part of PHP itself, which I like very much. It is stated as experimental, but I haven’t had many problems with it.

The bad part is that it isn’t in the default yum repos of RedHat / CentOS, so you need to install it via pear.

[root@sg2 ~]# yum -y install php-pear php-devel

After that is done, you can install the bcompiler with pear:

[root@sg2 ~]# pear install bcompiler

Now you need to edit your /etc/php.ini so the bcompiler library will be loaded.

[root@sg2 ~]# cat /etc/php.ini
....
extension=bcompiler.so

Now the PHP files can be encoded with PHP itself. Here is a very nice script which makes this possible from the CLI.

[root@www ~]# wget "http://www.falsyana.com/wp-content/uploads/bencoder" -O /usr/bin/bencoder && chmod 755 /usr/bin/bencoder

Now if I want to encrypt the following php code:

date_default_timezone_set('Europe/Amsterdam');
if (file_exists("config-dnsCube.php"))
        include_once('config-dnsCube.php');
include_once('initsmarty.php');
include_once('objects/log.php');
include_once("functions.php");
include_once("ajax.php");
if (! isset($db_host)) {
        require("install.php");
        exit;
}
include_once('objects/db.php');
// Check if the installation is completed....
include_once("objects/objSetting.php");
$setting = new setting();
$dbVersion = $setting->GetValue('db_version');
if (! $dbVersion) {
        include_once("install.php");
        exit;
}
InitializePDNS($setting->GetValue('pdns_dbHost'), $setting->GetValue('pdns_dbUser'), DecryptData($setting->GetValue('pdns_dbPassword')), $setting->GetValue('pdns_dbName'));
include_once("objects/objUser.php");
include_once("init.php");
LoadPage($module, $page);
?>

I run the following:

[root@www ~]# bencoder index.php
BENCODER v1.4 - Encode your PHP script using bcompiler

encoded: index-encoded.php
[root@www ~]# file index-encoded.php
index-encoded.php: data
[root@www ~]# strings index-encoded.php
bcompiler v0.27s
VERSION
define
session_start
Europe/Amsterdam
date_default_timezone_set
config-dnsCube.php
file_exists
config-dnsCube.php
initsmarty.php
objects/log.php
functions.php
ajax.php
install.php
objects/db.php
objects/objSetting.php
setting
GetValue
db_version
install.php
initializepdns
InitializePDNS
GetValue
pdns_dbHost
GetValue
pdns_dbUser
decryptdata
DecryptData
GetValue
pdns_dbPassword
GetValue
pdns_dbName
objects/objUser.php
init.php
loadpage
LoadPage
/root/index.php
db_host(
setting
dbVersion
module
page

If you don’t even want the strings to be visible, you could work with PHP obfuscators, but it’s damn hard to do anything with this code except run it. It also makes your code faster to run.

Now place this against some of the highly overpriced products I mentioned before.
