pk-fr / yakpro-po

YAK Pro - Php Obfuscator
http://www.php-obfuscator.com

obfuscating and how to proof if the code is 100% running #3

Closed Tobias-Conrad closed 8 years ago

Tobias-Conrad commented 8 years ago

Hey, I like your obfuscating repository. I am a WordPress plugin developer and I like to secure my code. My biggest challenge is to get the code 100% running after obfuscating.

Is there a syntax check before obfuscating, to check if the output is still working? I use IonCube loaders/coding at the moment, which checks the code before coding. But this needs to have the IonCube loaders installed on the server.

How do you check your work after obfuscating?

pk-fr commented 8 years ago

Hi Tobias,

Thanks for your comments… If you like my project, please star it on github and if you own a blog, or are a regular member of a forum, please let others know it.

First, I will tell you why I wrote this obfuscator. I am developing a new kind of CMS, and to give it to some people for testing, I was using ZendGuard (IonCube-like). I spent more than 3000€ to get a perpetual license… that is not so perpetual (see: http://forums.zend.com/viewtopic.php?f=57&t=110718&start=50). So I decided to write my own tool.

yakpro-po has been developed under Linux, and uses the PHP Parser from nikic to analyse PHP. To make it short, there are 3 main steps to obfuscate a single file:

  1. PHP Parser takes the source code as input and generates an abstract syntax tree.
  2. yakpro-po makes changes to this abstract syntax tree, according to your config file.
  3. The modified abstract syntax tree, when converted back to source code gives you the obfuscated source.

To answer your first question: PHP Parser checks the syntax of your source code and emits an error during the obfuscation process.

The generated obfuscated code is also syntax error free.

However, if you use yakpro-po to obfuscate a piece of code that is not obfuscated along with the whole project (I think that you do not obfuscate WordPress), you must modify your local copy of the yakpro-po.cnf config file to specify all the elements (variables, classes, functions, constants, etc.) that you share between your plugin and WordPress in the corresponding $conf->t_ignore_xxx and $conf->t_ignore_xxxprefix configuration properties. For example, if all WordPress functions start with wp you can specify: $conf->t_ignorefunctions = array('wp'); These configuration parameters are not available on the mini-demo site.

You also have to ignore all functions and variables that you access indirectly.

Be aware that yakpro-po has been developed for obfuscating entire projects of pure php sources. It may work (or not) when you embed php within html, or use multiple <?php … ?> with html between them. My personal advice is not to obfuscate such php or at least try disabling statement shuffling.

There is no problem for embedding html into the php code using the heredoc syntax (echo <<<END ... END; )

For my own debugging (mainly to find which element I forgot to ignore), I use a combination of the following parameters:

yakpro-po --no-strip-indentation --no-shuffle-statements --no-obfuscate-string-literal

If I have to investigate further by dumping the syntax tree, I use the --debug parameter.
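The three steps above (parse to an AST, rewrite the tree, print it back) and the ignore-list idea can be shown in a few dozen lines. The following is an added example written for this thread; it is not yakpro-po's code and uses none of its config keys. It assumes PHP 8 and nikic/php-parser v4 installed through composer, renames functions, methods and properties with one consistent replacement per name, leaves alone anything the host defines (every internal PHP function, names with a wp_ prefix, magic methods such as __construct), and finishes with the check the issue title asks about: re-parsing the output to prove it is free of syntax errors. The sample plugin source and the wp_is_trial_allowed() name in it are constructed for the example.

```php
<?php
// Added example, not yakpro-po's own code. Assumes PHP 8 and nikic/php-parser v4
// (vendor/autoload.php from composer). RenamingVisitor and obfuscate() are this
// example's own names.
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Error;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;
use PhpParser\PrettyPrinter\Standard;

// Step 2 of the thread: change identifiers inside the abstract syntax tree.
// Names on the ignore list or starting with an ignored prefix stay as they are,
// because code outside the obfuscated project (PHP, WordPress) defines or calls them.
final class RenamingVisitor extends NodeVisitorAbstract
{
    /** @var array<string,true> */
    private array $ignore;
    /** @var string[] */
    private array $ignorePrefixes;
    /** @var array<string,string> original name => replacement name */
    private array $map = [];

    public function __construct(array $ignore, array $ignorePrefixes)
    {
        $this->ignore = array_fill_keys($ignore, true);
        $this->ignorePrefixes = $ignorePrefixes;
    }

    private function rename(string $name): string
    {
        if (isset($this->map[$name])) {
            return $this->map[$name];
        }
        if (isset($this->ignore[$name])) {
            return $name;
        }
        foreach ($this->ignorePrefixes as $prefix) {
            if (strncmp($name, $prefix, strlen($prefix)) === 0) {
                return $name;
            }
        }
        // One replacement per original name keeps declaration and every use site consistent.
        return $this->map[$name] = 'o_' . dechex(count($this->map) + 1);
    }

    public function enterNode(Node $node)
    {
        if ($node instanceof Node\Stmt\PropertyProperty) {
            $node->name = new Node\VarLikeIdentifier($this->rename($node->name->toString()));
        } elseif ($node instanceof Node\Expr\PropertyFetch && $node->name instanceof Node\Identifier) {
            $node->name = new Node\Identifier($this->rename($node->name->toString()));
        } elseif ($node instanceof Node\Stmt\ClassMethod || $node instanceof Node\Stmt\Function_) {
            $node->name = new Node\Identifier($this->rename($node->name->toString()));
        } elseif ($node instanceof Node\Expr\MethodCall && $node->name instanceof Node\Identifier) {
            $node->name = new Node\Identifier($this->rename($node->name->toString()));
        } elseif ($node instanceof Node\Expr\FuncCall && $node->name instanceof Node\Name) {
            $node->name = new Node\Name($this->rename($node->name->toString()));
        }
        return null;
    }
}

function obfuscate(string $code, array $ignore, array $ignorePrefixes): string
{
    $parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
    $ast = $parser->parse($code);                        // step 1: source -> AST
    $traverser = new NodeTraverser();
    $traverser->addVisitor(new RenamingVisitor($ignore, $ignorePrefixes));
    $ast = $traverser->traverse($ast);                   // step 2: rewrite the AST
    return (new Standard())->prettyPrintFile($ast);      // step 3: AST -> source
}

// Constructed sample in the spirit of the plugin snippet posted later in this thread.
$source = <<<'PHP'
<?php
function my_plugin_is_trial($period)
{
    return !is_null($period) && wp_is_trial_allowed();   // wp_ name: assumed host function
}
class PluginLicense
{
    var $activeLicense = null;
    var $trialPeriod = null;
    public function __construct() { $this->expireTrial(); }
    private function expireTrial()
    {
        if (my_plugin_is_trial($this->trialPeriod) && is_null($this->activeLicense)) {
            $this->trialPeriod = null;
        }
    }
}
PHP;

// Shared elements that must keep their names: everything PHP itself defines,
// WordPress-style wp_ functions, and magic methods such as __construct.
$ignore = get_defined_functions()['internal'];
$ignorePrefixes = ['wp_', '__'];

$obfuscated = obfuscate($source, $ignore, $ignorePrefixes);

// The syntax check the thread asks about: the output must parse again without error.
try {
    (new ParserFactory)->create(ParserFactory::PREFER_PHP7)->parse($obfuscated);
} catch (Error $e) {
    fwrite(STDERR, "obfuscated output does not parse: {$e->getMessage()}\n");
    exit(1);
}
echo $obfuscated;
```

Two limits of this approach are exactly the ones raised in the thread. The visitor only sees literal identifiers, so a property reached as `$this->$name` or a function called through `call_user_func('my_plugin_is_trial')` is not renamed and breaks unless that name is put on the ignore list, which is why indirectly accessed elements must be listed. And a successful re-parse proves only that the output is syntactically valid; to prove the obfuscated plugin is "100% running" you still have to run its test suite (or the WordPress site) against the obfuscated tree, not the original.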

Tobias-Conrad commented 8 years ago

Cool. At the moment I use IonCube. I create coded files with the online coder for less than 6$ a plugin. There is no time limit, but I set a version limit and a domain limit, so I can set when a version is old, or not working without updating.

I do not code, I am not into PHP, ... But I know good solutions and have dreams and ideas.

In my plugins I have these lines I want to hide: var $activeLicense = null; var $trialPeriod = null; if (!is_null($this->trialPeriod)) { if (is_null($this->activeLicense)) { $this->trialPeriod = null; How can I do it with your online tool?

Would it be possible to upload a plugin / zip file with PHP files to bulk code, to have the same functions, ...? IDEA: You make a Software as a Service out of your online tool. Charge per line of code 0,001 €. Do a testing mode (8 hours) to see if the files are working with the settings. Handle also variables in HTML files coming with the PHP files, just like IonCube does. Write your name and link in every file.

pk-fr commented 8 years ago

Hi Tobias,

Thanks for your comments… If you like my project, please star it on github and if you own a blog, or are a regular member of a forum, please let others know it.

If you obfuscate just a few lines of code, it will not be so hard to do reverse engineering. When the sensitive lines of code are among many others and you obfuscate all of them, it will be quite impossible to figure out what they are. So it is not a good idea to obfuscate only some piece of code.

However, yakpro-po has been developed to obfuscate a whole project. As an example, my mini-demo site has been built with the obfuscated version of my personal CMS, which consists of more than 100 000 lines of PHP code. And you can see that it works OK with no known bugs.

Concerning your idea to make money through a "Software as a Service" model, I do not know how many people will be OK to pay something to run the program on a web site, posting the source code they want to protect to a third party, when it is free for them to run it on their own machines....

Stay in touch... I am currently thinking about a way to make it easier for plugin writers to obfuscate their code, with specific config parameters. When it is OK, I will make it available on the demo site.

Tobias-Conrad commented 8 years ago

Hi,

These are the only lines I could not hide with your online tool. The rest will be hidden.

Please enable an option to hide them.

pk-fr commented 8 years ago

Hi,

I do not understand what you mean by "These are the only lines I could not hide with your online tool"....

I tried to obfuscate your code and it works!

I completed your code to get no syntax errors...

So I obfuscated this:

<?php
class dummy
{
     var $activeLicense = null;
     var $trialPeriod = null;
     private function dummy()
     {
         if (!is_null($this->trialPeriod)) {
         }
         if (is_null($this->activeLicense)) {
         }
         $this->trialPeriod = null;
     }
}
?>  

and the result is:

<?php
 /*   __________________________________________________
     |      Obfuscated by YAK Pro - Php Obfuscator      |
     |              on 2015-11-11 19:12:55              |
     |    GitHub: https://github.com/pk-fr/yakpro-po    |
     |__________________________________________________|
 */
 class UCMl1 { var $GwGkA = null; var $RaI1b = null; private function IRbdQ() { goto C4BYg; CguQb: if (!is_null($this->GwGkA)) { goto sOkRU; } goto m4KQx; C4BYg: if (is_null($this->RaI1b)) { goto B5BEN; } goto hrUF1; ntsnR: $this->RaI1b = null; goto I73My; m4KQx: sOkRU: goto ntsnR; hrUF1: B5BEN: goto CguQb; I73My: } } ?>

So for me there is no problem!

When this code is included in a much bigger code base, it is impossible to understand anything!

Tobias-Conrad commented 8 years ago

What settings do you use? I want to obfuscate a WordPress plugin; functions and design are separated in classes. Are WordPress functions still working? Because it is a WordPress plugin. How to interact with HTML files that take content/strings from the obfuscated PHP files?

pk-fr commented 8 years ago

I used the default settings. For WordPress to work you have to create a specific yakpro-po.cnf config file. If you want to use yakpro-po on non-pure PHP files, please convert them to pure PHP files before obfuscating them.

Tobias-Conrad commented 8 years ago

Hi,

As I can see, there is no wp_ function prefix to sort all WordPress functions out. https://developer.wordpress.org/reference/ So there is a need to get all the standard connections to WordPress in your specific yakpro-po.cnf config file. That is like antivirus definitions, needed to be updated on every WP release (every 6 months). It may also need to implement WooCommerce connections when the plugin works with WooCommerce. So the idea of building a search engine for gathering all the connections is needed. https://developer.wordpress.org/reference/ https://docs.woothemes.com/wc-apidocs/package-WooCommerce.html

Software as a Service would do great. Just to mention https://www.ioncube.com/online_encoder.php and the Zend free 30-day version. But both need to install a loader, so I am out of that; I tried but have not sold any secured plugins.

A user workflow would be uploading the plugin files in a zip file to an https page and getting an 8-hour test version back for free. Just a PHP timer, stopping when it reaches + 8 hours. When testing and it is working, I pay for my secured code and get the code without a time limit. I pay 6 $ for a small plugin. On every update I have to come back and pay again 6$, price based on files and lines of code.

For now it would be nice to have a function to upload a zip file with PHP files inside on your online demo at: https://www.php-obfuscator.com/?demo So I could use the one-line function for my whole plugin.