Last modified: September 20, 2009 01:54:04.

3 Ways to Protect your Code: Obfuscate, Encrypt, Compile

There are generally 3 methods of protecting your PHP source code:

  1. Obfuscation
  2. Encryption/Encoding
  3. Pre-compilation

Obfuscation

Obfuscation is the process of obscuring your source code from prying eyes. This generally involves converting user-defined function names, variables and constants to meaningless names, thus rendering your source code virtually unreadable to humans. E.g.:

    <?php
        $v75a8fc1d="Hello world";
        function f8795df23($v290be75c) {
            print $v290be75c;
        }
        f8795df23($v75a8fc1d);
    ?>

Although the obfuscated code above is harder to read, its logic is still quite discernible. One limitation is that reserved words and standard PHP function names cannot be obfuscated. Obfuscation is not an ideal solution for protecting your scripts, but it is nonetheless a useful method for slowing down attempts at reverse-engineering.

POBS (no longer maintained) and Raizlabs PHP Obfuscator are two examples of code obfuscation software. PHP Obfuscator is written in C# for .NET 2.0 and the source is available at http://code.google.com/p/phpobfuscator/. Windows binary downloads are available from the Raizlabs website.

Encryption/Encoding

As you can see from the above example, obfuscation has its limitations; variable contents and PHP function names are still generally discernible to humans.

Encryption or encoding provides an additional mechanism to further obscure your source code. Here's a simple encoded example (using the above example):

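    <?php
        // Base64 encoding of the obfuscated script shown earlier
        $code = "JHY3NWE4ZmMxZD0iSGVsbG8gd29ybGQi
        OwpmdW5jdGlvbiBmODc5NWRmMjMoJHYy
        OTBiZTc1YykgewogICAgcHJpbnQgJHYy
        OTBiZTc1YzsKfQpmODc5NWRmMjMoJHY3
        NWE4ZmMxZCk7";
        // decode_and_eval() stands for the decoder stub; it is not a built-in PHP function
        decode_and_eval($code);
    ?>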

Although the code is now virtually unintelligible to humans, encryption presents 2 inherent difficulties:

  1. A decryption stub is required to decode the encrypted code at runtime.
  2. The decryption stub must not reveal the encryption scheme.

For a code encryption/decryption scheme to work securely in PHP, the decoder stub should ideally be an external PHP module or extension. Having the decoder in plain PHP somewhat defeats the whole purpose of encrypting your code in the first place.
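Why an encoded payload with a plain-PHP decoder offers little protection, as an added example that is not part of the original article: a Python sketch that recovers the source from the encoded sample above by static inspection, without executing any PHP. It assumes the payload is plain base64 (which is what the sample's string decodes as); `recover_payloads`, `SAMPLE_PHP` and the token heuristic are hypothetical names and choices made for this illustration.

```python
import base64
import binascii
import re

# The article's encoded sample, reproduced as PHP source text
# (with the assignment operator in place).
SAMPLE_PHP = '''<?php
    $code = "JHY3NWE4ZmMxZD0iSGVsbG8gd29ybGQi
    OwpmdW5jdGlvbiBmODc5NWRmMjMoJHYy
    OTBiZTc1YykgewogICAgcHJpbnQgJHYy
    OTBiZTc1YzsKfQpmODc5NWRmMjMoJHY3
    NWE4ZmMxZCk7";
    decode_and_eval($code);
?>'''

# Quoted PHP string literals without escapes; they may span several lines.
STRING_LITERAL = re.compile(r"([\"'])([^\"'\\]*)\1", re.S)
BASE64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Tokens suggesting the decoded bytes are PHP source (a heuristic, an assumption).
PHP_HINTS = ("function ", "print ", "echo ", "eval(", "<?php", "$")


def recover_payloads(php_source, min_len=16):
    """Return the decoded text of string literals that hold base64-encoded PHP."""
    found = []
    for match in STRING_LITERAL.finditer(php_source):
        literal = match.group(2)
        compact = "".join(literal.split())  # drop line breaks and indentation
        if len(compact) < min_len or len(compact) % 4:
            continue
        if not BASE64_BODY.fullmatch(compact):
            continue
        try:
            text = base64.b64decode(compact, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if any(hint in text for hint in PHP_HINTS):
            found.append(text)
    return found


if __name__ == "__main__":
    for payload in recover_payloads(SAMPLE_PHP):
        print(payload)
```

Run against the sample, this returns the obfuscated "Hello world" script from the Obfuscation section, which is why the article recommends keeping the decoder out of plain PHP.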

One notable exception, however, is CodeLock, which does a pretty decent job of obscuring the decryption engine in raw PHP code.

Most commercial PHP encoders work this way: the decryption engine is deployed as a compiled, dynamically linked library. This serves to secure the encryption scheme and provides performance gains for dynamic decryption, since the decryption stub is in compiled machine code.

The main disadvantage of this method is that the decryption engine is machine or platform dependent - i.e. the decryption stub must be compiled for your particular machine or platform.

Pre-Compilation

Pre-compilation involves translating your PHP scripts into machine bytecode. Although PHP is an interpreted language, translation from high-level language syntax to machine-dependent bytecode is still part of the process, whether the language is compiled or interpreted; the difference is when that translation occurs.

The 2 main advantages of pre-compiling your PHP scripts are:

  1. Better performance; and
  2. Better security

Pre-compilation offers the highest level of source code security and protection since it is virtually impossible to reverse-engineer machine bytecode. Pre-compiled machine code also executes faster since the syntax parsing and translation phases have already been done by the pre-compiler.

Generally, most commercial encoders these days provide all 3 methods of protection.
