A software developer is faced with a potential troublesome issue. When all the programming is done, and it's time to distribute the actual program, the question arises: How do I protect my intellectual property from being misused, changed and sold by a potential user of my program? Of course there are Copyrights, but not all users might be aware or care about it.
Usually this is not a problem when using ordinary executable files. The customer would have a hard time opening up the file in Notepad, figuring out and modifying the code. This process is called reverse engineering, and for some people this is an art.
The problem is a bit trickier when programming in an open format such as ASP, PHP or any type of scripting. The program is easily readable and sometimes ingenious and potential lucrative algorithms could fall into the wrong hands. But there is a solution. This article is focused on how to protect your PHP scripts using obfuscation techniques that makes the program unreadable for humans - but still fully functional for a computer.
There are several commercial tools that solves this problem for you. A selection of these tools are:
SourceGuardian PRO for PHP is best known as the "PHP Encoder". It is an advanced package with a long list of features for making the resulting code as hard to read as possible. At the time of writing this software lands at $250 for a full license. Some of the main features are: Requires no additions to the running server, Lock to multiple domain names, Full bytecode Encryption and it is PHP5 compatible. In order to test this software you need to register for a single user trial license on their home page.
ionCube PHP Encoder is only one of ionCube's web based software. At the time of writing it is a little bit easier on the wallet compared to SourceGuardian at $199 for the entry level license. Key features: Bytecode encryption, ASCII or binary format and Digital signature encryption. An evaluation version is available after registering on their home page.
Zend are actually the ones responsible and involved in creating PHP from scratch. Their encryption package is at a glance the most advanced software of these three. One drawback is that the running server must run Zend Optimizer in order to parse the encoded scripts, although Zend Optimizer is free for download by anyone.
Let's go Open Source, shall we?
These are all well established commercial programs. This means that in order to protect your product, you need to buy third party software. Luckily there is an option. Say hello to Open Source software!
Open Source means that anyone can view modify and contribute to a program in development. The main benefit for a lone programmer is that it's completely free of charge and can be used to solve this PHP encryption issue.
There is one thing that separates all of these programs. Type One is the programs that needs to have additional software installed on the hosting server in order for it to run. This means that the administrator (most often not you) will have to modify something on the server where the encrypted files will be executed. In turn, this means an additional layer of time consuming stuff when distributing your software. Sometimes this is okay, but most often not.
Type Two is the programs that doesn't need to have additional software installed on the server. PHP Obfuscator falls into this category. Theoretically it is possible to have a higher level of security (and sometimes performance) when using Type One encrypters. In practice, noone will ever put that much effort into trying to reverse engineer your scripts. This is why we chose PHP Obfuscator for this How-To part.
Here are two of the main Open Source PHP encryption tools:
Turck MMCache is an open source software package with many included features, such as PHP accelerator, optimizer, encoder and dynamic content cache. One drawback is that in order to use all these functions you need to have additional software installed on the running server. It is fully compatible with Zend Optimizer, but not recommended.
This is the software package focused on in this arcicle. It does not need additional server PHP modules installed in order to run. It's easy to install and easy to use. The main feature is the actual PHP encryption, with many configuration options. The PHP Obfuscator is available for download from their home page.
How To install POBS
First you need to download it. This is easily done from the home page (see link above). The software is distributed in a .zip file. Just save it to your desktop and open it up. Qouting the INSTALL instructions for POBS:
"Installing POBS is as easy as I could think of. Just unzip the downloaded file and put it a directory that is located under your webserver. POBS is a collection of files in just 1 directory."
Easy as pie! Now, since POBS is itself written using PHP, you need a web server to run the script. A tutorial for installing a web server is easy to find using a favourite web search engine of your choice. Now, let's assume the .zip file is unpacked and the POBS files are residing on your web server, for example in this directory: "c:\wwwroot\pobs".
How To use POBS
Using a favourite web browser of your choice, navigate to your new POBS directory. E.g:"http://www.mysite.com/pobs". When using your local computer, use "localhost" instead of"www.mysite.com". You will be presented with a nice POBS interface screen. Blue and purple/gray seems to be the chosen theme for this program. There are several options consisting of both textboxes and checkboxes. The default values are fine but can be changed as the user (YOU) sees fit. Feel free to experiment with the options. No harm can be done since the program will not run unless source and target directories are different.
How To configure POBS
Let's have a look at the options:
- TimeOut (sec) - This option is not editable. It is read from your PHP configuration and is meant as a safety measure in order to let the web server encrypt the files until it is done. If this value is too small, the encryption will be stopped half way. This might happen if the PHP configuration is set to safe mode, but is often easy to remedy. The default of 5000 secs is fine.
- Source Directory - is the local directory where the PHP files to be encrypted are stored. Note that this is not a "http://" address, but rather a "c:/wwwroot/php" address. One thing to be careful of is the use of"/" instead of "\". An ordinary local address "c:\wwwroot" is written "c:/wwwroot".
- Target Directory - is, of course, the directory where you want the encrypted files to end up. The same rules as source directory apply here.
- Replacements - Here is the good stuff. Checking or unchecking these boxes means that a type of conversion is to be made or not to be made. For example, the "variables" option means that the PHP variables will be substituted with garbage characters, to obfuscate the code and ruin the readability. The more you choose, the better is the encryption. Note that some options might make the code invalid! If any problems occur, try unchecking the boxes one by one until usable code is produced. Avoid that checkbox and everything should work fine.
- Removals - The same principle works here. Mark the boxes in order to further obfuscate the code.
- File System - Here are some vital options.
- Replace edited files only - means that only the encrypted PHP files will be transferred to the target directory.
- Recursive scan - The whole directory tree, including subdirectories of your source directory will be processed. Very useful for encrypting entire web sites.
- Copy all files - Marking this checkbox will make POBS copy all the files in the source directory. Pictures, stylesheets, animations, movies. Everything will end up in the new directory. This is perfect for making the new encrypted PHP site easily integrated into the live environment.
- Copyright Text - Well, since you are making the code closed source, you might as well include a copyright notice. This notice will be readable to the naked eye and hopefully deter any reverse engineering attempts.
How To start the machine
You're ready to go! Click the "Start Processing" button in the bottom of the page. POBS will commence encryption according to your options. This might take a while. Take a break, read the magazine, drink a cup of hot coco and it will be finished when you return.
The final page that POBS shows it the status report. This is a very detailed page displaying everything that has happened and what files that has been processed. Take a few minutes going though this page and check if it looks alright.
Yep, that was it. You have encrypted the PHP files and can distribute and/or sell your software without any concerns about copyright violations. Well done!