pk-fr / yakpro-po

YAK Pro - Php Obfuscator
http://www.php-obfuscator.com

String used calls #14

Closed DcmsStudio closed 8 years ago

DcmsStudio commented 8 years ago

Example:

```php
class test {
    function out() {
        echo 'test text';
    }
}

$t = new test;
call_user_func_array([$t, 'out'], []);
```

The problem is the string "out" :-( Please fix this bug.

mologie commented 8 years ago

(Not the original author here, but I've read my fair share of the code base.)

This cannot reliably be fixed. While the simple cases may be detectable and fixable with heuristics, imagine more complex ones where a function name is returned by a function. That function possibly is in another file. How should it proceed now? We could go on and say that the function is the result of a native C library, or uses user-provided state.

The only reliable way to translate your "out" string into the obfuscated function name is a lookup table. But adding a lookup table to call_user_func would allow reversing the obfuscation easily, making the obfuscator useless. I advise changing your code instead to not do these kinds of indirect calls. (Edit: Removed the code example, won't work with objects.)

pk-fr commented 8 years ago

It is not a bug!

You have to declare all the indirect objects (functions, vars, classes, etc.) that you use in the $t_ignore_xxx variables of your copy of the yakpro-po.cnf configuration file.

Please read carefully the "YOU MUST BE AWARE OF THE FOLLOWING" and "Hints for preparing your Software to be run obfuscated" sections of https://github.com/pk-fr/yakpro-po/blob/master/README.md.
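To find the names that have to be declared before obfuscating, the following added example (not part of yakpro-po and not code from this thread) tokenises a source file and lists the literal names passed to `call_user_func` and `call_user_func_array`, plus the lines where the name is computed and has to be reviewed by hand. It goes beyond the reported case by also accepting `array(...)` callables; `find_indirect_callables` and `pick_handler` are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example, not yakpro-po code: list the targets of call_user_func* calls.
function find_indirect_callables(string $source): array
{
    $found = ['literal' => [], 'dynamic' => []];
    $skip  = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so related tokens sit next to each other.
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $n = count($tokens);
    for ($i = 0; $i < $n - 1; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING || $tokens[$i + 1] !== '('
            || !in_array(strtolower($tok[1]), ['call_user_func', 'call_user_func_array'], true)) {
            continue;
        }
        // Collect the first argument: everything up to the top-level ',' or ')'.
        [$arg, $depth] = [[], 0];
        for ($j = $i + 2; $j < $n; $j++) {
            $text = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($depth === 0 && ($text === ',' || $text === ')')) {
                break;
            }
            $depth += in_array($text, ['(', '['], true) ? 1 : (in_array($text, [')', ']'], true) ? -1 : 0);
            $arg[] = $tokens[$j];
        }
        $count   = count($arg);
        $first   = $arg[0] ?? null;
        $isArray = $first === '[' || (is_array($first) && $first[0] === T_ARRAY);
        // Candidate name: the sole token, or the last element of an array callable.
        $name = $count === 1 ? $first : ($isArray && $count >= 3 ? $arg[$count - 2] : null);
        if (is_array($name) && $name[0] === T_CONSTANT_ENCAPSED_STRING) {
            $found['literal'][] = substr($name[1], 1, -1); // strip the quotes
        } else {
            $found['dynamic'][] = $tok[2]; // line number, needs manual review
        }
    }
    return $found;
}

// Constructed sample (only tokenised, never executed): the call from the report
// plus one call whose target is computed at run time.
$sample = <<<'SRC'
<?php
call_user_func_array([$t, 'out'], []);
call_user_func(pick_handler($mode), $t); // pick_handler is hypothetical
SRC;
print_r(find_indirect_callables($sample));
```

Names in the `literal` list are candidates for the ignore lists in yakpro-po.cnf; entries in `dynamic` are the cases described earlier in the thread as not reliably detectable, so they need a manual look.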