zephir-lang / zephir

Zephir is a compiled high-level language aimed to ease the creation of C-extensions for PHP
https://zephir-lang.com
MIT License
3.28k stars, 466 forks

[NFR] Obfuscation #36

Open pgasiorowski opened 10 years ago

pgasiorowski commented 10 years ago

What would be really nice in Zephir is a way to obfuscate variables so that they won't be visible as raw strings in the binary extension, thus preventing easy reverse-engineering.

Raw Strings

Imagine you have something that you need to distribute with your application but need to keep secret, like RSA public keys or some API keys.

Currently one can define these in the following way:

```zephir
// Plain declarations: every literal ends up verbatim in the compiled .so/.dll
class Secret {
   const RSA_PUB_KEY = "------ PUB KEY -------\nBlaBlaBla";
   private _apiName = "secret Login";
   private _apiKey = "secret Password";
}
```

However, both will be visible in the compiled binary extension in hex mode. A nice way, for instance, could be something like:

```zephir
// Proposed syntax: `obf` is a hypothetical modifier, not something Zephir supports
class Secret {
   const obf RSA_PUB_KEY = "------ PUB KEY -------\nBlaBlaBla";
   private obf _apiName = "secret Login";
   private obf _apiKey = "secret Password";
}
```

Before compilation a Zephir macro would obfuscate variables declared in such a way.

I don't want to start a discussion on how safe this is, as almost everyone armed with a debugger or reflection would be able to reverse-engineer it (unless there's some technique to prevent this I'm not aware of), but it's a nice and easy way to stop 99% of attacks on the application.

It may or may not be a good way to make things safer and a good alternative to Zend Encoder or IonCube. It could be open source or a paid add-on for Zephir that you could make money on.

What are your thoughts on this?


racklin commented 10 years ago

:+1:

lukaszlach commented 10 years ago

Why choose explicitly which variables/consts to obfuscate? I don't think there would be a situation where you would like to obfuscate just some of the variables. But the idea is nice; in my opinion it would be better to add a compiler switch to the command line that will either obfuscate all or none.

pgasiorowski commented 10 years ago

That's a very good point @lukaszlach. I think whichever option is easier/possible to implement would make Zephir a nice competitor to Zend and IonCube.

kbtz commented 10 years ago

:+1:

DaveM2011 commented 10 years ago

:+1:

pgasiorowski commented 10 years ago

Does anyone have any experience with obfuscating to suggest a solution?

DaveM2011 commented 10 years ago

I have a bit, but nothing that would be of any use in this situation, sorry.

Siguza commented 9 years ago

How about compression? For someone looking at it in a hex editor, this has the same effect as obfuscation.

For names (variables, functions, classes) the allowed characters are `_`, `a-z`, `A-Z` and `0-9`. That is 1 + 26 + 26 + 10 = 63 characters out of the 256 a byte can hold. So you could encode names in 6-bit chunks instead of 8-bit, hiding them from hexedit spies and reducing the space they take up.

For string literals (where any character is allowed), I think the best way would be to go with some existing compression algorithm.
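The 6-bit packing described in this comment, and the "visible in hex mode" problem from the original post, worked through as an added example (not code from the Zephir project or from any commenter). `pack_name`, `unpack_name` and `printable_strings` are names chosen here; the padding bytes around the identifier are a constructed stand-in for a compiled extension, and `printable_strings` mimics what the `strings` tool reports:

```python
import re

# The 63 characters Zephir allows in names, in the order used for the 6-bit codes.
# Code 63 (0b111111) is unused by the alphabet and serves as an end-of-name marker.
NAME_ALPHABET = "_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
END_MARK = 63


def pack_name(name: str) -> bytes:
    """Encode an identifier as 6-bit codes, packed MSB-first into bytes."""
    codes = []
    for ch in name:
        if ch not in NAME_ALPHABET:
            raise ValueError(f"{ch!r} is not a valid identifier character")
        codes.append(NAME_ALPHABET.index(ch))
    codes.append(END_MARK)
    bits = "".join(f"{c:06b}" for c in codes)
    bits += "0" * (-len(bits) % 8)          # zero-pad the final byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def unpack_name(packed: bytes) -> str:
    """Inverse of pack_name: read 6-bit codes until the end marker (pad bits are never reached)."""
    bits = "".join(f"{b:08b}" for b in packed)
    out = []
    for i in range(0, len(bits) - 5, 6):
        code = int(bits[i:i + 6], 2)
        if code == END_MARK:
            break
        out.append(NAME_ALPHABET[code])
    return "".join(out)


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len, i.e. what `strings` would print."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Constructed stand-in for a compiled extension: padding bytes around one identifier.
NAME = "_apiKey"
PLAIN_BLOB = b"\x00" * 4 + NAME.encode("ascii") + b"\x00" * 4
PACKED_BLOB = b"\x00" * 4 + pack_name(NAME) + b"\x00" * 4

if __name__ == "__main__":
    print("plain  :", printable_strings(PLAIN_BLOB))               # ['_apiKey']
    print("packed :", pack_name(NAME).hex(), printable_strings(PACKED_BLOB))  # 00140994567f []
    print("decoded:", unpack_name(pack_name(NAME)))                # _apiKey
```

The packed form of `_apiKey` is six bytes instead of eight and contains no printable run, so a `strings` pass or a hex-editor skim shows nothing. It is still a fixed, keyless transform: anyone who reads the decoder out of the extension recovers every name, which is the limitation the original post already concedes.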

pgasiorowski commented 9 years ago

I think the idea is very good. It solves the main issue.

Having said that, compressed strings will keep the type of compression in the first few bytes of the string (e.g. 1F8B0808 for gzip), leaving an easy way for auto-cracking and extracting them. Still a very valuable note.

Siguza commented 9 years ago

You could strip the magic header during compilation and add it again at runtime, since it's static...
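The gzip signature problem raised two comments up and the strip-at-compile-time, restore-at-runtime answer given here, as an added example (not code from the Zephir project or the commenters). `compress_literal`, `strip_magic`, `restore_literal` and `find_gzip_offsets` are names chosen for this example; the literal is the placeholder key from the original post, and the zero bytes are a constructed stand-in for the surrounding binary:

```python
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # ID1, ID2: the only header bytes that are the same in every gzip stream


def compress_literal(text: str) -> bytes:
    """Build-time step: deflate a string literal into a gzip stream, header included."""
    co = zlib.compressobj(wbits=31)          # 16 + 15 selects the gzip container
    return co.compress(text.encode("utf-8")) + co.flush()


def strip_magic(stream: bytes) -> bytes:
    """Build-time step: drop the 2-byte magic so a signature scan no longer matches."""
    if not stream.startswith(GZIP_MAGIC):
        raise ValueError("not a gzip stream")
    return stream[len(GZIP_MAGIC):]


def restore_literal(stripped: bytes) -> str:
    """Run-time step: prepend the magic again and inflate."""
    return zlib.decompress(GZIP_MAGIC + stripped, wbits=31).decode("utf-8")


def find_gzip_offsets(blob: bytes) -> list:
    """The 'auto cracking' scan: every offset at which the gzip magic occurs."""
    offsets, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets


# Constructed example literal (the placeholder key from the original post).
SECRET = "------ PUB KEY -------\nBlaBlaBla"
FULL = compress_literal(SECRET)              # starts 1f 8b 08 ...
STRIPPED = strip_magic(FULL)                 # starts 08 ...

if __name__ == "__main__":
    print("with header   :", FULL[:4].hex(), find_gzip_offsets(b"\x00" * 8 + FULL))
    print("header removed:", STRIPPED[:4].hex(), find_gzip_offsets(b"\x00" * 8 + STRIPPED))
    print("restored      :", restore_literal(STRIPPED) == SECRET)
```

Two caveats a practitioner should keep in mind. The full four bytes quoted above (`1F8B0808`) are not constant: `08` in the fourth position is the FNAME flag set by the gzip command-line tool, while zlib writes `1F8B0800`, so a scanner matches on the two magic bytes only. And removing those two bytes defeats only a signature scan; the remaining header (`08 00` plus a zeroed mtime) is still recognisable, and a scanner that attempts to inflate from every offset recovers the literal without any key. As the thread already says, this is obscurity against a casual hex-editor look, not protection against a determined reverser.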

mrqaidi commented 8 years ago

I have this issue too. I have code and I don't want anyone to see it. Any trick to hide it?