Page 1 of 1

Code Obfuscation Security Through Obscurity - Protecting your IP Rate Topic: ****- 1 Votes

#1 joeyadms  Icon User is offline

  • D.I.C Head
  • member icon

Reputation: 41
  • View blog
  • Posts: 178
  • Joined: 04-May 08

Posted 13 June 2008 - 05:30 AM

Code Obfuscation

Introduction
Obviously, whenever you code applications, and open them for use or sell them, there is a possibility of leechers, and others to remove certain areas such as the famouse 'powered by x' flags, or any reference
to the creator of the software.

This is particularly the case with bigger applications that offer a free version with logos, and then a paid version that removes these references.

Obfuscation will also help to filter people looking to reverse engineer your software to find vulnerabilities,though will not stop them, it will make it harder.

The bottom line is, that anyone who can read php can weed through your code to find out where you are outputting this data, and remove those lines.

I am going to show you a few methods of obfuscating your code, so that it is very difficult for individuals to read and decode.

NOTE: All of these functions are done natively in PHP, so remember, this is not 100% protection, due to the interpreted nature of PHP, someone 'could' weed through and eventually decode your software, it is all about making it very hard for them to do so.


The Paid Way
If you have the money, or your company produces a lot of software from many developers, then you may want to look into obfuscation software such as Zend Guard. These work great, but cost moola.

Down and Dirty, Coding it yourself

IMPORTANT: Obfuscation should be done waay after your software goes Gold. This should be the last step before shipping your software. You should test all features of your software, once your ready to release it, then start obfuscating, then test again, then you are ready for release! Always keep un-obfuscated source code for yourself in a safe place.
Do NOT attempt to edit source code for expansion after being obfuscated.


Making code obfuscated is easy to understand, and a nightmare when implementing, but it can be fun. Let's take a look at some widely used methods and how they work.

One letter, Multiple Variables
Can you spot what is happening?
$l = 'powered ';
$ll = 'by ';
$lll = 'joey';
$llll = $l.$ll.$lll;
echo $llll;


Not very obfuscated right, but you can see how using these variables can be confusing. Let's shake things up a bit
$l = 'n';
$ll = 'p';
$lll = 'i';
$llll = 'r';
$lllll = 'tf';
$lllll = $ll.$llll.$lll.$l.$lllll;
$lllll('powered by joey');


Creating out of place string, and making that string a functions name, in this place the function 'printf'. Now take note only functions will work, you cannot call language constructs such as 'echo' and 'print' this way. . But wait. We can easily see the output string.

$l1 = 18;
$l='112|111|';
$ll='99|104|114';
$l.='119|101|11';
$lll='ex';
$l.='4|';
$lll.='pl';
$l.='101|100|32|';
$lll.='ode';
$l.='098|121|32|106|11';
$l.='1|101|121';
$llll='';
$l1=$l1*2-9;
$ll1= $lll('|',$ll);
foreach($ll1 as $l1111){$llll .= chr($l1111);}
$ll1=$lll('|',$l);
foreach($ll1 as $l1111){$llll1 .= $llll($l1111);}
echo $llll1;



Ahh, hurts my eyes. If you look at what is happening, we are creating a long string of numbers, seperated by '|' . then we are exploding these numbers into an array, and looping through and adding the character representation of the number to a string. In the first loop, we come out with chr.

In the second loop we use the obfuscated variable representation of 'char' to created our 'powered by' string. Then we echo our new string.

Now in a real situation you would not echo it but just save it and in another part of your application you would get this value echoed.

Also we are using similiar variables by using 'l' and one '1' back and forth.

This is still readable, so lets throw in some curve balls.

Dummies
Functions, Variables, loops. Create dummies that do absolutely nothing, this will make that decrypter work harder. Just make variables that are similiar looking to what you are using and give them some random value, or use functions or something that do nothing here and there.

Includes
The practice of using includes, is to have a number of files, and each file creates variables or manipulates them but does nothing else. You then include those files into your script and continue from there.

The real power to this method is described in the next method

Redeclaration
Redeclaration is simply, taking variables, and reusing them. Say you create a function name, then use that function, and do not need to use it anymore, you take that variable that held the function name, and make it into something else. When you are done with variables it is best to make them dummies, so one simply cannot echo out the value of it and find/replace strings.

Power with redeclaration is amplified with includes above. This way you can create variables in one page, manipulate and redeclare them in another page, then use them and redeclare them in your original scripts etc. This makes it very hard to decrypt everything. For instance these two variables might output differently.
$ll = 'hello'
echo $ll; // output hello
include('page.php');
echo $ll; // output world



Double Dollar Variables
As there called, it is a variable that is preceeded by 2 dollar signs.
The best way to explain this is a piece of code.
$bar = 'baz';
$foo = 'bar';
echo $$foo; // echos baz



As you see, the double dollar takes the value of the last variable and looks for a variable named the same.

So picture this, just do replacement step by step
$bar = 'baz'; //easy
$foo = 'bar'; //easy
$$foo =  $'bar' = $bar = 'baz'; // :)

[b]BASE 64 and Eval[/b]
Base 64 is extremely common in php obfuscation. You should be aware of 2 functions.
[inline]base64_encode and base64_decode[/inline]
They do exactly what they sound like, encode will convert data to base64, decode will convert data
to original form.

You can encode php code itself and store it, then decode it on another page and execute it. So say you had some code like above with all that obfuscation.
obfuscation.txt
[code]
$l1 = 18;
$l='112|111|';
$ll='99|104|114';
$l.='119|101|11';
$lll='ex';
$l.='4|';
$lll.='pl';
$l.='101|100|32|';
$lll.='ode';
$l.='098|121|32|106|11';
$l.='1|101|121';
$llll='';
$l1=$l1*2-9;
$ll1= $lll('|',$ll);
foreach($ll1 as $l1111){$llll .= chr($l1111);}
$ll1=$lll('|',$l);
foreach($ll1 as $l1111){$llll1 .= $llll($l1111);}



page.php
$str = base64_encode(file_get_contents('obfuscation.txt'));
echo "ENCODED: " . $str;
eval(base64_decode($str));
echo $llll1;



You must use eval() , this will take literal representation and scalar types and execute it as php opcode.

What is mostly done, is creating a great deal of obfuscation code, then encoding it and echo the encoded string. You then would store this string either in a file, a variable, or over the course of an array or multiple variables and then decode that string, and eval it.

Combinations Create-Your-Own
The thing about obfuscation is thinking outside the box, doing something inventive, maybe search strings replace letters then do something else. Or perhaps, have include files that will encode or decode base64 opcode and will declare then redeclare variables once eval()'d.

Now, you can't make variable functions, as there called (storing function names in variables and executing them this way $ff();) out of constructs, however you can create wrapper functions, and then make your wrapper a variable function , like so.
function hello($str){
	echo $str;
}
$l = 'hello';
$l('rawr');




What about cryptology?
Crypting algorithms that are any good are VERY intensive. You code may be running on every page load and needs to be as fast as possible. Simple string replacement, or encoding is fine, but don't go overboard.

Engines
A great idea is to find obfuscation that you like, and then create an engine that will read the file and obfuscate it. This will work very well if you have a piece of software you will continue to work on and offer releases, it will
ensure backwards compatibility with any hacks and addons people throw into the mix, since open source is all about collaboration.

That is the topic for another tutorial, but OOP is the way to go.


Conclusion
Obfuscation is all about your imagination. You can come up with some real tricky ways to make it harder for people to decode your softare. I would like to leave with a couple sub-notes to explain some things.

Interoperability and Open Source
Unless your application is corporate, or for some reason should not be read at all, it is best to only obfuscate signatures and logos you want in your app. I know one thing I love about open source sofware
is the ability to integrate it into existing applications.

Performance
Try to keep your obfuscating to using simple procedures that are just unpleasant to the eye. Once you start using regular expressions and other intensive operations, it will slow your application down. This is why I did not list storing opcode in a database, as not only is it unreliable, it is way to much overhead to add to your application.

Licensing and Documentation
Let people know you don't want your logo or credit removed. If they don't know you want credit, they may just cut off your logos. On the other hand, if you do say you want courtesy or credit, the savvy developer who
integrates it into his app may post credit for it.

Is This A Good Question/Topic? 2
  • +

Replies To: Code Obfuscation

#2 pr4y  Icon User is offline

  • Location: 127.0.0.1
  • member icon

Reputation: 35
  • View blog
  • Posts: 621
  • Joined: 19-September 08

Posted 25 February 2009 - 02:51 PM

Just found this from a reference by CTphpnwb...

Excellent article! Obfuscation is important on many levels, for many different types of projects.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1