pk-fr / yakpro-po

YAK Pro - Php Obfuscator
http://www.php-obfuscator.com

Cannot obfuscate simple WordPress plugin #24

Closed baptx closed 6 years ago

baptx commented 6 years ago

I cannot obfuscate a simple WordPress plugin (like https://wordpress.org/plugins/disable-google-fonts/) with your tool but it works with other tools (like https://github.com/naneau/php-obfuscator).

In /var/www/html/wordpress/wp-content/plugins, I execute ~/Downloads/yakpro-po/yakpro-po.php disable-google-fonts -o disable-google-fonts-dev

I don't know if we need to keep the files generated in the folder yakpro-po, so I tried to keep them (I got a fatal error message when I tried without keeping the folder).

To keep the yakpro-po folder structure, I created a main file disable-google-fonts.php in the folder disable-google-fonts-dev with this basic information to load the WordPress plugin:

<?php
/**
 * Plugin Name: Disable Google Fonts Dev
 */

require_once 'yakpro-po/obfuscated/disable-google-fonts.php';

When I try to activate the plugin in the WordPress admin area, I still get the error message (there is no function named WeIzo in the original plugin, it looks like an obfuscated name):

Fatal error: Uncaught Error: Call to undefined function WeIzo() in /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/yakpro-po/obfuscated/disable-google-fonts.php:8 Stack trace: #0 /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/yakpro-po/obfuscated/disable-google-fonts.php(8): DcYMB->__construct() #1 /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/disable-google-fonts.php(6): require_once('/var/www/html/w...') #2 /var/www/html/wordpress/wp-admin/includes/plugin.php(1897): include('/var/www/html/w...') #3 /var/www/html/wordpress/wp-admin/plugins.php(172): plugin_sandbox_scrape('disable-google-...') #4 {main} thrown in /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/yakpro-po/obfuscated/disable-google-fonts.php on line 8

Edit: my copy-paste of the error message referenced several unrelated issues because of the '#' character, I don't know if we can avoid this.

pk-fr commented 6 years ago

yakpro-po has been designed to obfuscate standalone projects only!!!

If you use external libraries, you also have to obfuscate the library, and modify it in order to make it run obfuscated... If your program is a library/plugin of another software/framework, then you have to modify/port the external software/framework source code in order to obfuscate it and have it run obfuscated. You also have to maintain a specific yakpro-po.cfg with all the things that are not to be obfuscated across each new version of the external software/framework.

see:

If you want to create and maintain a yakpro-po.cfg specific to WordPress plugins ( I think that it is hard work ), I will put a link to your github repository ...

baptx commented 6 years ago

Ok, I saw the readme but it would be nice if you have an idea where the error comes from or how to make your obfuscator work with a WordPress plugin because there was no problem when I used the other obfuscator I shared above (without additional configuration for the plugin I shared). The WordPress plugin repository is not mine but I took this plugin as an example because it is a simple one with a few lines of code, all in one file.

pk-fr commented 6 years ago

the other obfuscator only obfuscates variable names...
disable all the other obfuscation and you will get the same behavior...

When I was looking for a good obfuscator for obfuscating my own big standalone project, I tested naneau but I found that it was very poorly obfuscated... so I decided to write my own. It now fits all my needs, and I put it on GitHub for other users that have the same expectations...

feel free to fork it and adapt it to your own needs!!!

baptx commented 6 years ago

Thanks for your reply, I managed to get your obfuscator working by disabling some obfuscation.

I set obfuscate_function_name to false in yakpro-po.cnf because I was using classes / methods only and needed several WordPress function names without obfuscation. I also had to disable obfuscation for some names used by WordPress in t_ignore_constants, t_ignore_variables and t_ignore_classes.

Adding a value in t_ignore_variables to ignore a variable obfuscation was not enough because this WordPress variable used internal properties like $bp->loggedin_user->id. So I had to set obfuscate_property_name to false. Is it possible to automatically disable obfuscation of all properties of a variable that was added in t_ignore_variables?

Do you know if it is possible to obfuscate a PHP callback? I had to set obfuscate_method_name to false because the method was obfuscated but not the callback which is an array with a string like [$this, 'methodName']. Also, is it possible to only obfuscate private methods, like the other PHP obfuscator does?

Obfuscating code can be useful for freelance projects until we get paid entirely. Can we disable the obfuscator comment generated at the beginning of PHP files? The less information there is, the better the obfuscation is :)
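The two failures described in the comment above (a string callback that no longer matches its renamed method, and a renamed property access on an object owned by the host) can be reproduced without WordPress. This is an added example, not part of the original thread and not yakpro-po output; `run_hook()`, `host_user()`, the two classes and the names `mAbCd` and `xQz` are made up for the illustration.

```php
<?php
// Added illustration: not yakpro-po output and not code from the plugin.
// run_hook(), host_user(), Plugin_Original, Plugin_Renamed, mAbCd and xQz
// are made-up names.

// Stand-ins for the unobfuscated host (WordPress in the thread): it invokes
// plugin methods by string name and hands out objects whose property names
// are fixed by its own source.
function run_hook(array $callback): string
{
    return is_callable($callback)
        ? call_user_func($callback)
        : "not callable: {$callback[1]}";
}

function host_user(): stdClass
{
    return (object) ['id' => 42]; // constructed sample value
}

class Plugin_Original
{
    public function hook(): array { return [$this, 'show_user']; }

    public function show_user(): string
    {
        return 'user ' . host_user()->id;
    }
}

// After renaming every method and property identifier: the declaration and
// the property access change, the string in the callback array does not,
// and the host object still only has "id".
class Plugin_Renamed
{
    public function hook(): array { return [$this, 'show_user']; }

    public function mAbCd(): string // was show_user()
    {
        return 'user ' . (host_user()->xQz ?? 'null'); // was ->id
    }
}

echo run_hook((new Plugin_Original())->hook()), PHP_EOL;
echo run_hook((new Plugin_Renamed())->hook()), PHP_EOL;
// Calling the renamed method directly shows the property mismatch.
echo (new Plugin_Renamed())->mAbCd(), PHP_EOL;
```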

pk-fr commented 6 years ago

It is impossible with only syntax analysis, when you call a method, to know if it is private or not... You need a full semantic analysis, which is a huge job that PHP-Parser does not provide...

> Also, is it possible to only obfuscate private methods, like the other PHP obfuscator does?

Which PHP obfuscator does that?

baptx commented 6 years ago

@pk-fr I meant the PHP obfuscator from the link of my original message. I see, do you have an idea for my other questions?

Connum commented 4 years ago

@baptx could you post a full config working for WordPress?

baptx commented 4 years ago

@Connum You should be able to make it work with the details I mentioned in a previous comment, I explained all the changes I made. Of course you should only obfuscate a plugin and not the entire WordPress system, which could cause a lot of issues. Your config file may depend on your setup but I found my old config file. If it helps, here is a diff between the original file backup I named yakpro-po.cnf.bak and my file yakpro-po.cnf, made with the command diff yakpro-po.cnf.bak yakpro-po.cnf:

25,26c25,26
< $conf->t_ignore_constants               = null;         // array where values are names to ignore.
< $conf->t_ignore_variables               = null;         // array where values are names to ignore.
---
> $conf->t_ignore_constants               = ['DB_USER', 'DB_PASSWORD', 'DB_HOST'];         // array where values are names to ignore.
> $conf->t_ignore_variables               = ['wpdb', 'bp'];         // array where values are names to ignore.
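
Review bot: the new t_ignore_constants and t_ignore_variables values at lines 25-26 carry no record of why each name is exempt, and the trailing comment is unchanged from the default. Extend that comment to say which dependency owns each entry (for example that 'bp' is the BuddyPress variable), so entries can be dropped when the plugin no longer uses them.
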
31c31
< $conf->t_ignore_classes                 = null;         // array where values are names to ignore.
---
> $conf->t_ignore_classes                 = ['wpdb'];         // array where values are names to ignore.
59c59
< $conf->obfuscate_function_name          = true;         // self explanatory
---
> $conf->obfuscate_function_name          = false;         // self explanatory
64,65c64,65
< $conf->obfuscate_property_name          = true;         // self explanatory
< $conf->obfuscate_method_name            = true;         // self explanatory
---
> $conf->obfuscate_property_name          = false;         // self explanatory
> $conf->obfuscate_method_name            = false;         // self explanatory
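
Review bot: at lines 64-65 both obfuscate_property_name and obfuscate_method_name are set to false for the whole plugin while the trailing comment still reads "self explanatory". Put the reason in that comment (properties reached through ignored variables such as $bp->loggedin_user->id, and string callbacks like [$this, 'methodName'], as explained earlier in the thread) so the two switches can be revisited later.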

You can see the lines added (>) and removed (<). If you have other constants, add them to t_ignore_constants (you don't need 'DB_USER', 'DB_PASSWORD', 'DB_HOST' if you don't use them in your plugin). If you don't use wpdb variable and BuddyPress bp variable in your plugin, remove them from t_ignore_variables.

Connum commented 4 years ago

Thanks a lot!