Compilation vs Interpretation
Compilation
- Source code can't be executed directly
- Need to compile to binary code
- Not cross-platform
- e.g. C, Rust, Golang
Interpretation
- Need an interpreter for code execution
- Source code is needed by the interpreter
- Cross-platform
- e.g. Python, PHP, Ruby

Protection Types in PHP
- Source Code: Encoding, Obfuscation, Encryption
- Opcode / Opcache: Encryption, Obfuscation
- VM Customization
- VM in PHP
- PHP Extension
- FFI in PHP
(Diagram labels: with/without extension, in Zend VM)

Source Code Encoding: PHPFuck
- Uses only seven different characters
- It's limited to PHP 7
- Published by splitline @SITCON 2021
- https://github.com/splitline/PHPFuck

Source Code Obfuscation: Obfuscate with AST
- Analyze code in PHP files
- Visit all the nodes in the built AST
- Apply obfuscation strategies based on node types
(Diagram: PHP Files -> PHP Parser -> AST)

Source Code Obfuscation: PHP Parser by Nikic (without extension)
- Parsing PHP code into an Abstract Syntax Tree (AST)
- Dumping the AST in human-readable form
- Converting an AST back to PHP code
- Infrastructure to traverse and modify ASTs
- Resolution of namespaced names
- Evaluation of constant expressions
- Builders to simplify AST construction for code generation
- Converting an AST into JSON and back

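
The parse, visit and print-back pipeline from the two slides above, as an added example that is not part of the original deck: a visitor that applies one strategy (variable renaming) to one node type and refuses input it cannot rename safely. The class name, the hash-based naming scheme and the sample function are assumptions made for illustration.

```php
<?php
// Added example, not from the slides. Needs: composer require nikic/php-parser
require __DIR__ . '/vendor/autoload.php';

use PhpParser\{Node, NodeTraverser, NodeVisitorAbstract, ParserFactory};
use PhpParser\PrettyPrinter\Standard;

final class RenameVariables extends NodeVisitorAbstract
{
    // Names with engine-defined meaning must keep their spelling.
    private const KEEP = ['this', 'GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER',
        '_FILES', '_ENV', '_REQUEST', '_SESSION', 'argc', 'argv'];
    // Functions that resolve variables by name at run time.
    private const DYNAMIC = ['compact', 'extract', 'get_defined_vars', 'parse_str'];

    public function enterNode(Node $node)
    {
        // Refuse input where renaming would change behaviour.
        $unsafe = ($node instanceof Node\Expr\Variable && !is_string($node->name))
            || ($node instanceof Node\Expr\FuncCall && $node->name instanceof Node\Name
                && in_array($node->name->toLowerString(), self::DYNAMIC, true))
            || ($node instanceof Node\Param && $node->flags !== 0)  // promoted property
            || ($node instanceof Node\Arg && $node->name !== null); // named argument
        if ($unsafe) {
            throw new RuntimeException('unsafe to rename, line ' . $node->getStartLine());
        }
    }

    public function leaveNode(Node $node)
    {
        if ($node instanceof Node\Expr\Variable && !in_array($node->name, self::KEEP, true)) {
            // Deterministic mapping: every use of a name gets the same replacement.
            $node->name = '_' . substr(hash('sha256', $node->name), 0, 8);
        }
    }
}
// Constructed sample input.
$source = <<<'SRC'
<?php
function total(array $prices, float $taxRate) {
    $sum = 0;
    foreach ($prices as $price) { $sum += $price; }
    return $sum * (1 + $taxRate);
}
SRC;
$ast = (new ParserFactory())->createForNewestSupportedVersion()->parse($source);
$traverser = new NodeTraverser();
$traverser->addVisitor(new RenameVariables());
echo (new Standard())->prettyPrintFile($traverser->traverse($ast)), "\n";
```

Because the mapping depends only on the original name, globals shared between separately processed files still line up; the function name `total` is left readable because this visitor only handles `Variable` nodes.
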
Source Code Obfuscation: Inline Functions
- Insert functions into their caller functions
- It will enlarge code size
(Example reference: "PHP 代码加密技术" (PHP Code Encryption Techniques) by 郭新华 at PHPCON2018 China)

Source Code Encryption: Built-in Function Names Obfuscation (with extension)
- md5 -> _8dec4f04
- json_encode -> _a834509b
- Function names in error messages will become unreadable

OpCode in PHP: OPCode
- OPCodes are stored in opcode arrays by different compiled units (e.g. file, function, method, closure)
- Each OPCode contains:
  - handler
  - operand 1 and its type
  - operand 2 and its type
  - result

OpCache in PHP: OPCache
- Compiling to OPCodes takes time
- Used to cache OPCodes without recompiling again
- Compilation artifacts will be cached in shared memory
- Checksum (Adler-32) validation before using cache
- Optimizations will be applied at this stage as well

OpCache in PHP: Facts about OpCache and OpCode
- OpCache is designed for speeding up the parsing process in PHP's lifecycle
- OpCode has no fixed standard, unlike Java
- It may differ between PHP versions (even minor versions)
- OpCodes cannot be converted back to the original source code, but can still be disassembled
- Modern commercial protection solutions are almost all based on OpCodes

OpCache in PHP: JIT with OpCache
- JITed code can't be dumped to opcache files
- https://github.com/php/php-src/blob/bb092ab4c6fa36b56c89216f3a127fa763940bf0/ext/opcache/zend_file_cache.c#L1071

Zend VM Customization
- Limit PHP to a specific version for OpCache's execution
- More advanced protection techniques can be applied in the VM
- Disable other customized extensions
- Limit it to executing obfuscated code only
- Apply more obfuscations on this PHP binary
- Pre-built environment can only be run on a specific operating system and CPU architecture
- Built based on existing open-source projects like dixyes/phpmicro

Anti-Tracing Techniques
- Anti-Tracing
  - Detect tracing extensions (xdebug)
  - Check execution time between functions
- Detect if obfuscated code has been modified
  - Checksum validation
- Verification before execution
  - Authorized serial number
  - MAC address binding
  - Expiration date with license
- Detect if pointers in Zend VM are swapped

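
The checks listed on the slide above, written out in plain PHP as an added example that is not part of the original deck. The license layout, the HMAC key, the machine identifier and the time budget are constructed for the demo, and `vld` is included as a second tracer name alongside the `xdebug` the slide mentions.

```php
<?php
// Added example, not from the slides. Key, license fields and thresholds are constructed.
const LICENSE_KEY = 'constructed-demo-secret';

/** Names of loaded extensions commonly used to trace execution or dump opcodes. */
function loadedTracers(): array
{
    return array_values(array_filter(['xdebug', 'vld'], 'extension_loaded'));
}

/** True when $fn ran longer than $budgetNs, as it would under single-stepping. */
function tooSlow(callable $fn, int $budgetNs): bool
{
    $start = hrtime(true);
    $fn();
    return hrtime(true) - $start > $budgetNs;
}

/** Checksum validation: compare a file's SHA-256 with the value recorded at build time. */
function fileUnmodified(string $path, string $expectedSha256): bool
{
    $actual = @hash_file('sha256', $path);
    return is_string($actual) && hash_equals($expectedSha256, $actual);
}

/** Verification before execution: signature first, then machine binding and expiry. */
function licenseValid(array $lic, string $machineId, int $now): bool
{
    $payload = implode('|', [$lic['serial'], $lic['machine'], $lic['expires']]);
    return hash_equals(hash_hmac('sha256', $payload, LICENSE_KEY), $lic['sig'])
        && hash_equals($lic['machine'], $machineId)
        && $now < $lic['expires'];
}

// Constructed demo: issue a license, then check it on the bound and on another machine.
$lic = ['serial' => 'DEMO-0001', 'machine' => '02:00:00:00:00:01', 'expires' => time() + 86400];
$lic['sig'] = hash_hmac('sha256', implode('|', [$lic['serial'], $lic['machine'], $lic['expires']]), LICENSE_KEY);

var_dump(loadedTracers());
var_dump(tooSlow(fn() => array_sum(range(1, 1000)), 50_000_000));
var_dump(fileUnmodified(__FILE__, hash_file('sha256', __FILE__)));
var_dump(licenseValid($lic, '02:00:00:00:00:01', time()));
var_dump(licenseValid($lic, '02:00:00:00:00:02', time()));
```

Written in script form, these checks and the embedded key are readable and removable by anyone who can edit the file, which is why the deck places them in an extension or a customized VM.
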
VM in PHP: VM implementation in PHP
(Diagram: Zend VM, PHP VM, Bytecode)
- Minimal VM written in PHP
- PHP script will be compiled to customized bytecode
- No extensions are required
- Poor execution performance and limited features

PHP Extension: Native PHP Extensions
- There's no AOT solution for PHP yet
- Protect your core logic in an extension
- Core logic (e.g. algorithms) can be written in a PHP extension
- Native PHP extensions are developed in the C language
- Not friendly to PHP developers
- Extensions are hard to maintain
- You may need to update your extensions for different PHP versions

PHP Extension: Zephir
- Zephir stands for Ze(nd Engine) Ph(p) I(nte)r(mediate)
- Maintained by the Phalcon team
- High-level/domain-specific language for PHP extensions
- Designed to ease the creation and maintainability of extensions for PHP
- Similar syntax to the PHP language
- It's both dynamically and statically typed
- Memory safety: pointers or direct memory management are not allowed

PHP Extension: Compilation Scheme of Zephir
- Zephir offers native code generation (currently via compilation to C)
- A compiler like gcc/clang/vc++ optimizes and compiles the code down to machine code
- https://docs.zephir-lang.com/0.12/en/motivation

FFI in PHP: FFI (Foreign Function Interface)
- Was introduced in PHP 7.4
- Allows the loading of shared libraries (.so), calling of C functions and accessing of C data structures in PHP

Existing Solutions: Non-Extension Obfuscators
- Encoders are just toys; they don't provide any protection for your code
- Obfuscators which are not based on extensions provide limited protection
- There are lots of open-source obfuscators on GitHub. You can get them easily, so can crackers
- Security: ★☆☆☆☆
- Cost: ★★★★★ (most of them are free)
- Performance: ★★☆☆☆

Existing Solutions: Zend Guard
- It's maintained by Zend Technology since 2021
- No active maintenance by the team
- Doesn't support PHP7, only PHP 4.2~PHP 5.6
- Security: ★★☆☆☆ (It's been cracked)
- Cost: ★★☆☆☆ (600 annually)
- Performance: ★★★★☆
- https://github.com/tools2/zend-decoder

Existing Solutions: Source Guardian
- Since 2002
- Active maintenance by the team
- Support for PHP5, PHP7 and PHP8
- Obfuscations based on OpCodes
- Security: ★★★★☆ (Lower versions got cracked)
- Cost: ★★★★☆ (249 for fixed version)
- Performance: ★★★★☆
- https://medium.com/tenable-techblog/dumping-php-opcodes-protected-by-sourceguardian-a0acd8058038
- https://github.com/clouds-flight/php7-vld-sg11-patch

Existing Solutions: ionCube
- Since 2002
- Active maintenance by the team
- Support for PHP7.4, PHP8.1, and other legacy versions
- Obfuscations based on OpCodes
- Security: ★★★★☆ (Lower versions got cracked)
- Cost: ★★★★☆ (119~449 for fixed version)
- Performance: ★★★★☆
- https://easytoyou.eu/decoder/demophp72

Existing Solutions: Swoole Compiler
- Since 2019
- Active maintenance by the team
- Support for PHP 5.4^, PHP7.x, PHP8.x
- Obfuscations based on OpCodes
- Security: ★★★★★
- Cost: ★★★☆☆ (420 annually or 1365~7000 lifetime)
- Performance: ★★★★★