Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Source Code Protection Techniques in PHP

Source Code Protection Techniques in PHP

LaravelVueConf Taiwan 2023

Albert Chen

August 19, 2023

More Decks by Albert Chen

Other Decks in Technology


  1. 02 Source Code Encoding Outline 01 Protection Types in PHP

    03 Source Code Obfuscation 04 OpCode and OpCache in PHP 05 PHP Extension 07 Q&A 06 Existing Solutions
  2. Compilation Source code can't be executed directly Need to compile

    to binary code Can't cross platforms eg. C, Rust, Golang Interpretation Need an interpreter for code execution Source code is needed for interpreter Cross platforms eg. Python, PHP, Ruby Compilation vs Interpretation
  3. Source Code Encoding Obfuscation Encryption Opcode Opcache Encryption Obfuscation VM

    Customization VM in PHP PHP Extension FFI in PHP Protection Types in PHP with/without extension in Zend VM
  4. PHPFuck Uses only seven different characters It's limited to PHP

    7 Published by splitline @SITCON 2021 Source Code Encoding (https://github.com/splitline/PHPFuck)
  5. PHPFuck Numbers [ ] ^ [ ] => 0 [

    ] ^ [ [ ] ] => 1 [ ] ^ [ [ ] ] + [ ] ^ [ [ ] ] => 2 ...... [0, 1, 2, 3, 4, 5, 6, 7, 8, 9] Source Code Encoding
  6. PHPFuck Alphabets (string) [ ] => 'Array' [ ] .

    [ ] => 'ArrayArray' ( [ ] . [ ] ) [0] => 'A' Stringed Numbers (string) 1 => '1' 1 . NULL => '1' 1 . [ ] [ [ ] ] => '1' Source Code Encoding
  7. PHPFuck ASCII Codes 'A' ^ '0' => 'q' 'A' ^

    '1' => 'p' 'A' ^ '2' => 's' ...... Create Function eval cannot be called using variable functions Source Code Encoding 'create_function'( ... 'str_getcsv' (', code') );
  8. encoded string replaced encoded string strtr Dictionary Obfuscation Replace specific

    characters with dictionary mapping Source Code Encoding
  9. Hook zend_compile_string function eval() will call this function in ZendVM

    Dump Encoded Source Code Hook zend_compile_string in RINT stage
  10. Obfuscate with AST Analyze code in PHP files Visit all

    the Nodes in built AST Apply obfuscation strategies based on Node Types Source Code Obfuscation PHP Files PHP Parser AST
  11. PHP Parser by Nikic (without extension) Parsing PHP code into

    an Abstract Syntax Tree (AST) Dumping the AST in human-readable form Converting an AST back to PHP code Infrastructure to traverse and modify ASTs Resolution of namespaced names Evaluation of constant expressions Builders to simplify AST construction for code generation Converting an AST into JSON and back Source Code Obfuscation
  12. Removal of Comment Info Source Code Obfuscation Annotation will not

    function (PHP 代码加密技术_ 郭新华_PHPCON2018)
  13. Dynamic Variables Included Files Compact, Extract Functions Scrambling Scoped Variables

    Source Code Obfuscation (Example Reference: PHP 代码加密技术 of 郭新华 in PHPCON2018 China)
  14. Constant Propogation and Folding Source Code Obfuscation (Example Reference: PHP

    代码加密技术 of 郭新华 in PHPCON2018 China)
  15. Inline Functions Insert functions to caller functions Source Code Obfuscation

    (Example Reference: PHP 代码加密技术 of 郭新华 in PHPCON2018 China) It will enlarge code size
  16. Can't add too much garbage Garbage Code Source Code Obfuscation

    (Example Reference: PHP 代码加密技术 of 郭新华 in PHPCON2018 China)
  17. md5 _8dec4f04 json_encode _a834509b Built-in Function Names Obfuscation (with extension)

    Source Code Encryption Function names in error message will become unreadable
  18. OpCode in PHP OPCode OPCode are stored in opcode arrays

    by different compiled units (eg. file, function, method, closure) Each OPCode contains: handler operand 1 and its type operand 2 and its type result
  19. OpCache in PHP OPCache Compiling to OPCodes takes time Used

    to cache OPCodes without recompiling again Compilation artifacts will be cached in shared memory Checksum (Adler-32) validation before using cache Optimizations will be applied at this stage as well
  20. OpCache in PHP Facts about OpCache and OpCode OpCache is

    designed for speeding up the parsing process in PHP's lifecycle OpCode has no fixed standard like Java It may differ in different PHP versions (event minor versions) OpCodes are impossible to be converted back to original source code, but can still be disassembled Modern commercial protection solutions are almost based on OpCodes
  21. OpCache in PHP JIT with OpCache JIT is built on

    the base of OpCache (https://php.watch/articles/jit-in-depth)
  22. OpCache in PHP JIT with OpCache Jited code can't be

    dumped to opcache files (https://github.com/php/php-src/blob/bb092ab4c6fa36b56c89216f3a127fa763940bf0/ext/opcache/zend_file_cache.c#L1071)
  23. OpCache in PHP Obfuscation in modern solutions PHP Files OpCodes

    Scramble variables Inline functions Garbage code Control flow confusion Encrypt strings Scramble OpCodes Replace function names Add customized OpCodes Add anti-traced technique Encrypt OpCodes compile output obfuscate
  24. Zend VM Customization Limit PHP to specific version for OpCache's

    execution More advanced protection techniques can be applied in VM Disable other customized extensions Limit for executing obfuscated code only Apply more obfuscations on this PHP binary Pre-built environment can only be run at specific operating system and CPU architecture Built based on existing open-source projects like: dixyes/phpmicro
  25. Anti-Tracing Detect tracing extensions (xdebug) Check execution time between functions

    Detect if obfuscated code has been modified Checksum validation Verification before execution Authorized serial number MAC address binding Expiration date with license Detect if pointers in Zend VM are swapped Anti-Traced Techniques
  26. VM in PHP Zend VM PHP VM Bytecode VM implementation

    in PHP Minimal VM written in PHP PHP script will be compiled to customized bytecode No extensions are required Poor execution performance and limited feature
  27. PHP Extension Native PHP Extensions There's no AOT solution for

    PHP yet Protect your core logic in extension Core logic (eg. algorithms) can be written in PHP extension Native PHP extensions are developed in C language Not friendly to PHP developers Extensions are hard to maintain You may need to update your extensions by different PHP versions
  28. PHP Extension Zephir Zephir stands for Ze(nd Engine) Ph(p) I(nt)r(mediate)

    Maintained by Phalcon team High-level/domain specific language for PHP extensions Designed to ease the creation and maintainability of extensions for PHP Similar syntax to PHP language It's both dynamically and statically typed Memory safety, pointers or direct memory management are not allowed
  29. PHP Extension Compilation Scheme of Zephir Zephir offers native code

    generation (currently via compilation to C) A compiler like gcc/clang/vc++ optimizes and compiles the code down to machine code (https://docs.zephir-lang.com/0.12/en/motivation)
  30. FFI in PHP FFI (Foreign Function Interface) Was introduced in

    PHP 7.4 Allows the loading of shared libraries (.so), calling of C functions and accessing of C data structures in PHP
  31. Existing Solutions Non-Extension Obfuscators Encoders are just toys, they don't

    provide any protections for your code Obfuscators which are not based on extensions provide limited protection There are lots of open-sourced obfuscators on GitHub. You can get them easily, so can crackers Security: ★☆☆☆☆ Cost: ★★★★★ (most of them are free) Performance: ★★☆☆☆
  32. Existing Solutions Zend Guard It's maintained by Zend Technology since

    2021 No active maintenance by the team Doesn't support PHP7, only PHP 4.2~PHP 5.6 Security: ★★☆☆☆ (It's been cracked) Cost: ★★☆☆☆ (600 annually) Performance: ★★★★☆ (https://github.com/tools2/zend-decoder)
  33. Existing Solutions Source Guardian Since 2002 Active maintenance by the

    team Support for PHP5, PHP7 and PHP PHP8 Obfuscations based on OpCodes Security: ★★★★☆ (Lower versions got cracked) Cost: ★★★★☆ (249 for fixed version) Performance: ★★★★☆ (https://medium.com/tenable-techblog/dumping-php-opcodes-protected-by-sourceguardian-a0acd8058038) (https://github.com/clouds-flight/php7-vld-sg11-patch)
  34. Existing Solutions ionCube Since 2002 Active maintenance by the team

    Support for PHP7.4, PHP8.1, and other legacy versions Obfuscations based on OpCodes Security: ★★★★☆ (Lower versions got cracked) Cost: ★★★★☆ (119~449 for fixed version) Performance: ★★★★☆ (https://easytoyou.eu/decoder/demophp72)
  35. Existing Solutions Swoole Compiler Since 2019 Active maintenance by the

    team Support for PHP 5.4^, PHP7.x, PHP8.x Obfuscations based on OpCodes Security: ★★★★★ Cost: ★★★☆☆ (420 annually or 1365~7000 lifetime) Performance: ★★★★★
  36. There's no 100% secure protection AI 搭把手,推倒 PHP 加密源碼的高牆 本次的演講將深入探討

    PHP Zend Engine 的執行流 程,以及一種加密殼的運作方式。我們將分享我們 如何解開這種加密殼,並訓練 AI 進行反編譯工作, 讓我們更有效地理解和分析惡意軟體的行為。 李樸/ 官澔 HITCON2023
  37. Q&A