Published 2005-09-13 06:09:04

Someone just emailed me to comment on something called phpcodelock, (google for it, I'm not going to advertise stupid products)..

It's always funny to see people try and encypt PHP source (or javascript/html for that matter.) As the reality is, encyption is only any good when the end user doesnt get hold of all the keys to open the door.

I've no idea how exactly the product above works (but I'm 100% sure it's not really going to work beyond a superficial look). But it looks similar to another funny effort I saw the other day. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.. = a quick preg while loop on the code solved that one..

So to try and stop stupid people spending (or losing their) money on stupid products, here's a hackers guide to reading encypted PHP code

Step 1: open up the php source code (the one you download from php.net), look for any of the zend engine that parses PHP source, and stick a big printf() ( optionally to a file somewhere..) just before it's parsed.!!!!!!

Opps - that's it (there is only one step!) - almost all encryption methods fall foul of this.!!

Actually the reason someone asked me was because I hacked the apc source into bcompiler quite a few years ago, and since then Val Khokhlov has been doing an excellent job, fixing all my bugs, adding features and making it work with PHP5.

bcompiler does work to some degree as a encyption technique, as you would have great difficulty resurecting the original source code from the opcodes (although you could get something resembling the source out, with alot of work...).

But really, why bother... that's what copyright is for.!! The only justification I can imagine (having seen the crap hidden behind this stuff) is to hide away some horrifically bad code, that the Author was so embarressed to show to the world..

Mentioned By:
forums.whirlpool.net.au : How to decrypt/decode IonCube PHP files - PHP - Web Development (1974 referals)
www.livejournal.com : lj2600: ioncube (885 referals)
google.com : ioncube crack (643 referals)
www.phpdeveloper.org : PHPDeveloper.org: PHP News, Views, and Community (499 referals)
www.codingforums.com : Protect PHP script - CodingForums.com (457 referals)
google.com : decode ioncube (381 referals)
google.com : crack ioncube (346 referals)
google.com : php code encryption (266 referals)
google.com : april (235 referals)
google.com : node/440 (230 referals)
google.com : ioncube decode (229 referals)
google.com : eval(gzinflate(base64_decode (210 referals)
google.com : december (205 referals)
google.com : funny php code (193 referals)
phparch.com : php | architect - The PHP Magazine for PHP Professionals (156 referals)
www.phpdeveloper.org : PHPDeveloper.org: Alan Knowles' Blog: Recovering encoded php files (149 referals)
google.com : encrypt php code (133 referals)
google.com : eval(gzinflate(base64_decode( (118 referals)
www.planet-php.net : Planet PHP (115 referals)
google.com : gzinflate(base64_decode (114 referals)

Comments

I agree and disagree
I disagree with the comment about that is what copyright is for. Most of the smaller players do not have the money or the time to pursue people that have either stolen source code or modifed it when they could not have written it themselves.

While I like producing both types of source (open and encoded) there are reasons for both.

What I agree with is how some people buy products that have extremely wrong techniques about encoding a script. Instead of getting into byte code they just obscure it. Then it is a 5 minute process to have all of the source code in your hands.
#0 - Mike Willbanks ( Link) on 2005-09-13 20:43:13 Delete Comment
How PHPCodeLock works
I had a quick look (downloaded the trial), and it took me about 5 minutes to crack. Let's just say that your example (base64, eval) wasn't far off.

They took a few counter-measures (such as hiding the decryption algo), but armed with a good editor and PHP knowledge, it's extremely easy.
#1 - Joe ( Link) on 2005-09-13 21:36:48 Delete Comment
___
In fact isnt useful to protect your wood-house above the tree with bullet-proof windows and armour-plated doors... because its only a wood-house over a tree... this is why after trying in all the ways to encrypt the code of my "precious" framework i reached your same point of view. And now my code is (nearly) clear.
Making "translucid-box" with a client-side clear code is useless. Two solutions i adopt are: remote activation/download of a part of code (just for statistic usage) or making a php_somewhat extension that keep the key to run in certain server.

I think a good way to protect your code (if its not an open-project) is to make a well formed 20pages contract of utilization/copyrights and to require the sign of your client :-)
#2 - michele ( Link) on 2005-09-13 22:21:43 Delete Comment
ioncube
What about ioncube? I was considering buying this :)
#3 - jason ( Link) on 2005-09-13 22:39:48 Delete Comment
comment
Oh well. Security through obscurity. :)

Though, I don't understand how bcompiler qualifies as encryption, in this case, all C and java compilers offer encyption, hehe :)
#4 - Geoffrey Lee ( Link) on 2005-09-14 12:57:44 Delete Comment
Extremely Easy to Crack
2 seconds...

change...
eval(gzinflate(base64_decode(

to...
echo(gzinflate(base64_decode(

Hello Code!
#5 - tdPro ( Link) on 2005-11-04 12:12:58 Delete Comment
base64_decode
simple techniques...

replace eval's with print's/echo's, etc.

a)
$decoded = base64_decode($string);

b)
$decoded = gzinflate(base64_decode);

Most code encoded with base64_encode, gzdeflate, etc. work against the average end user.
#6 - Shizzle ( Link) on 2005-12-09 13:57:30 Delete Comment
whoops
typo,

b)
$decoded = gzinflate(base64_decode($string));

:-D
#7 - Shizzle ( Link) on 2005-12-09 14:07:47 Delete Comment
Vulcan Opcode dumper
Well I saw an Opcode dumper (Vulcan)
But how do You map the Opcode back to php source ?

Ref:http://blog.php-security.org/archives/14-PHP-Encoders-Protection-where-are-you.html
#8 - JurgenD ( Link) on 2005-12-18 23:22:53 Delete Comment
Decoding eval(gzinflate())
<code>
<?php
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";

echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);

echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents);
eval(preg_replace("/eval/", "\$contents=", $contents));
}

echo "3. Writing decoded.txt\n";
$fp2 = fopen("decoded.txt","w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>
</code>
#9 - JurgenD ( Link) on 2005-12-19 01:27:33 Delete Comment
Mr.
Hi, I am findin your posts very interesting. I am about to purchase the IonCube PHP encoder. I was going to protect my php code with it. So if I did use the latest vrsion would the likes of phprecovery and others be able to decode it and dit my php source script. How exactly do they do this. Ioncube seam to think they it can't be done. I have an example script encoded and would like to try and decode it myself to see how easy it would be. Thanks
#10 - Glav ( Link) on 2006-03-18 00:12:32 Delete Comment
IPRED and DMCA
I think you may have forgetten an important point. Both EU and USA have laws that forbid you to unencrypt source code if it has been implemented to protect copyright (unless you are trying to make the code run on another device - which is unlikely given you have source to PHP itself - you should port PHP and I think a judge would agree).

Europe calls their law `The Intellectual Property Rights Enforcement Directive' of 2004 (IPRED). USA calls their law `The Digital Millennium Copyright Act' of 1998 (DMCA).

Now...

Yes, it is trivial to unencrypt many of the methods talked about. But if you do so, you make yourself a *huge* target for a lawsuit - much more so than a simple copyright infringement. The penalties are much more severe (and can include jail time).
#11 - Jamie ( Link) on 2006-04-17 19:42:43 Delete Comment
And?
How is anyone outside of the site owner going to prove that you've decoded the source of a PHP script unless you pirate it?

As a PHP contractor I've encountered scripts like these all the time and it is indeed trivial to decrypt them. It's simply an annoyance though when one needs to make some code-level change in order to, for example, make a module work with a new version of X-Cart.

Your source really isn't that valuable. Hate to burst your bubble, but very few people care about your code other than those that legitimately need to edit it.
#12 - Spoom ( Link) on 2006-10-21 05:44:01 Delete Comment
Codelock v2 != Useful
Nice ad, it's crap.

I broke codelock V2 by hand for fun.

Sure you have to use Base64 more than once to get the outright source. Running the sourge though layer after layer of base64 decodes doesn't equal encryption or security.

It's silly easy to open.

My reason? To fix crappy code that was released into the public domain "to use any way you want" so way run it through this? The basic principle was good, the exicution was horrid.
#13 - Rip ( Link) on 2007-01-29 15:52:37 Delete Comment
IPRED and DMCA Missed the point
Yes, the US and EU have laws protecting copyrighted software, however, most commonly freelancers are legally "work-for-hire" meaning they are selling their IP to the contractor. Hence, it is - in this case - the owner of the copyright, that wants to decrypt HIS own code... The fact that he did not personally type it is completely moot.

Additionally, not only do most freelancers work with no or little contract protecting/preserving IP and copyright, but again, most that do, do not own the code or IP.

#14 - Bob Jones ( Link) on 2008-03-22 09:24:34 Delete Comment
Futile Attempt
The thing is, copyright owners are in a difficult position. They may have invested time and money into their websites, and have to try something to protect themselves. This is the only option open, so they have to try it. On the same page as an encrypted code will be a copyright warning. Anyone decrypting this code will be doing so illegally.
It is then down to the honesty of the developer whether he persues the decision to decrypt valuable work. Even if the code is crap, it still deserves respect.
#15 - Richard ( Link) on 2008-07-01 20:51:43 Delete Comment
Works on nested encodes, too:
//1) Add this function to your code
//2) Find/replace "eval(" to "haxeval("
//3) Run script and see obfuscated code
//4) Enjoy

function haxeval($str){

$pattern = '/eval/';
$replacement = 'haxeval';
$result = preg_replace($pattern, $replacement, $str);
echo $result;
return eval($result);

}
#16 - Anonymous ( Link) on 2008-12-09 13:20:40 Delete Comment
unfair
well i have read your commets and I m a bit anoyed. I paid to buy a website (nevals.co.uk) and whe I tried to move servers the guy who desiged it would not give me the unencrypted version so its worthless to me. I had asked for the files with out the ioncube stuff and he told me to beat it! 2k for a website I cant change. Who owns the copyright ayway? I paid for the work should it not be me??
#17 - neil ( Link) on 2008-12-15 20:30:27 Delete Comment
I ll own u
well my comment for the guy up their
@IPRED and DMCA Missed the point

do no cares about your law crap, and it their aren't gonna use it to do illegal thing plus it isn't like their downloading mp3 or something, their are decoding it their own source code .
#18 - Bi1ch please gtfo ( Link) on 2009-08-01 01:42:00 Delete Comment
Software is generally licensed, not sold
@neil

As a developer I can tell you that any software that I write for clients is licensed, not sold. I own the IP and copyright forever, no matter what you paid for the license to use it or my services.

I don't know of one developer who does differently, other than the poor souls who allow themselves to work for hire.

Think of it this way. You probably have a computer that runs Micro$oft Windows. You paid for that. Now, who owns the software, you or Micro$oft? (If you think its you, read the license)
#19 - Backslider ( Link) on 2010-01-02 13:58:44 Delete Comment
I wish I could learn from you
I have been reading this article over and over again, trying to understand your server side one step to decode ioncube closed script.. and my limited linux knowledge and challenged coding ability is making it so hard to grasp.. nevertheless I am still trying.. and What I wonder is, could you find in your generous heart the time to point me to a tutorial or point how to build that setup? I will be most appreciative and I shall donate to this blog. thank you in advance.
Kal
#20 - Kal ( Link) on 2010-12-06 14:27:01 Delete Comment
ioncube / support
it is not feasible to reverse engineer ioncube encoded files using the technique discussed. - you can recover the bytecodes, but that's about it, and it's not really that useful

Please contact me directly if you need to decrypt a file, However there must be a legal and legitimate reason.
#21 - Alan Knowles ( Link) on 2010-12-06 14:38:04 Delete Comment
Interesting
Hi,

You write "and stick a big printf()". Could you explain in which file i would need to insert this?
#22 - mrmagne ( Link) on 2014-06-12 06:28:50 Delete Comment
printf
for eval based version..

use runkit_function_copy / runkit_function_define .. on eval...

just print the input to a file...
#23 - Alan ( Link) on 2014-06-12 11:20:14 Delete Comment
Confuse :)
HI there!

Could you post a example on http://pastebin.com/ ? I am not sure i understand :)
#24 - mrmagne ( Link) on 2014-06-14 01:03:44 Delete Comment

Add Your Comment

Follow us on