PHP Security
Code Protection
Web Development

PHP Obfuscators and Encoders

Ali Almahdi

Ali Almahdi

PHP Obfuscators and Encoders

A common problem with Interpreted Languages (eg. PHP, Javascript, Java, Python) is that its really hard to protect the source code. Today, I will talk about PHP Obfuscators and Encoders. Two types of protection can be found for PHP, first type which is the easiest, Obfuscation. Making the code not human readable. An example of such product is ZenCrypt (I wrote a semi-review about it last year). However, a good developer or a reverse engineer can go about that, and alter the code to change its behavior, like bypass the license verification.

The second type is encoding, the encoder encodes the PHP script to some encrypted text (I don't want to go into details here, but that's the general idea). Those encoded scripts requires a loader, this loader decodes the script and runs it via the PHP Interpreter. Those loaders are simply PHP extensions. Example of those are ZendGuard and IonCube.

It is not hard to write a PHP extension, but it wont be adapted easily with most online hosts. Maybe Enterprise! But again, maintaining cross platforms is not an easy task.

Since IonCube and ZendGuard are widely supported with most hosts some came up with the idea of creating a hybrid obfuscator. The idea is to encrypt the code and have a php script to decrypt. But the decrypting script is encoded using ZendGuard or Ioncube. An example of such is phpCipher.

Last year in my post I wrote that I will be writing an encoder, I have been very busy since then. But last week I had the chance to start writing my encoder. I have most of the logic done. Once I am done writing my loader script, I will start writing the desktop app to encode the scripts. I am planing to release it on Mac App Store and online on my website for a small amount of money.

On a side note, I may offer my source for sale.