Protecting PHP Code - Zend & Ioncube Are CRACKED - GoFuckYourself.com

Babaganoosh · 04-14-2009, 06:18 AM

So Zend Guard and Ioncube have both been cracked. There are applications out there that do a decent job of decoding the files, especially if they were encoded with early versions of Zend or Ioncube. Newer versions are slightly more difficult but definitely possible. There's a site that will decode any encoded PHP script for $15.

Is there anything that actually works for protecting a commercial script?

nation-x · 04-14-2009, 07:02 AM

Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

http://alexking.org/blog/2004/02/07/...ting-php-code/

fris · 04-14-2009, 07:17 AM

http://phpdecoders.com/function.html

saw this being advertised on sitepoint

Babaganoosh · 04-14-2009, 07:28 AM

Quote:

Originally Posted by nation-x

Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

http://alexking.org/blog/2004/02/07/...ting-php-code/

That's a pretty old post. A lot changes in 5 years. I sent a widely used script to a particular site that claims to be able to decode anything and they nailed it in less than an hour. The tools available for download didn't work for this script but these guys were able to do it. That shattered my faith in all of these encoders. I'll try to obfuscate some code, run it through Ioncube and send it to them to see what they come up with. If I had Zend Guard I would try that one too.

BTW, I am gonna be your neighbor pretty soon. I am moving to a little town about an hour away from Charlotte this summer.

leek · 04-14-2009, 07:29 AM

You can't fight technology. Encoding will never be 100% effective - someone, somewhere will always break it.

Your best bet would be determining if your software could be deployed via SaaS. SOA and API's are the future.

brassmonkey · 04-14-2009, 07:30 AM

if a script is good even the thieves will want to buy it

fris · 04-14-2009, 07:31 AM

open source 4 lyfe

leek · 04-14-2009, 07:32 AM

Quote:

Originally Posted by fris

open source 4 lyfe

Babaganoosh · 04-14-2009, 07:34 AM

As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job.

This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing.

Babaganoosh · 04-14-2009, 07:37 AM

Quote:

Originally Posted by fris

open source 4 lyfe

I've been involved in open source projects since the beginning of the movement but no matter what anyone tries to tell you, it's next to impossible to turn a profit. The only people who benefit are the people that use the software. I am a firm believer in "pay to play."

fris · 04-14-2009, 07:39 AM

I dont mind paying for scripts that use encoders as long as I know the owner or people using them, Hate to see if run some malicious code.

Babaganoosh · 04-14-2009, 09:10 AM

Quote:

Originally Posted by fris

I dont mind paying for scripts that use encoders as long as I know the owner or people using them, Hate to see if run some malicious code.

That part does make me nervous. I like to see what I am running. I guess now I can.

Klen · 04-14-2009, 09:18 AM

Quote:

Originally Posted by fris

http://phpdecoders.com/function.html

saw this being advertised on sitepoint

I think that is scam site if i remember correctly.Also i do know zend is very easy to decode
but not sure can ioncube and source guardian can be decoded as some other sites says how they can.I bet they are scam same as that phpdecoders.But again it is probably possible but i think right now it is not available to public decoding of ioncube and source guardian.

Sam Granger · 04-14-2009, 09:24 AM

Zend is insecure, it's the way they encrypt. Sourceguardian is very good, same goes for IonCube. They both have been cracked in the past, but they are pretty secure now. I'm sticking with Sourceguardian.

Babaganoosh · 04-14-2009, 09:26 AM

Quote:

Originally Posted by KlenTelaris

I think that is scam site if i remember correctly.Also i do know zend is very easy to decode
but not sure can ioncube and source guardian can be decoded as some other sites says how they can.I bet they are scam same as that phpdecoders.But again it is probably possible but i think right now it is not available to public decoding of ioncube and source guardian.

Email some ioncube encoded code to that URL I posted above and see what happens. It'll cost a little $ but I assure you that it's not a scam site. The guy is actually pretty friendly.

Libertine · 04-14-2009, 09:37 AM

Encrypting PHP code is asinine. All it does is protect incompetent coders from public scrutiny.

Libertine · 04-14-2009, 09:39 AM

Quote:

Originally Posted by Babaganoosh

As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job.

This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing.

A few thousand sites might start using it, but both you and the owners of a fair number of those sites would be facing some serious jailtime.

Meanwhile, most businesses would stick with legal versions. Because, after all, illegally using software is a rather big liability for any serious business.

Babaganoosh · 04-14-2009, 09:48 AM

Quote:

Originally Posted by Libertine

A few thousand sites might start using it, but both you and the owners of a fair number of those sites would be facing some serious jailtime.

Meanwhile, most businesses would stick with legal versions. Because, after all, illegally using software is a rather big liability for any serious business.

If only that were true. I used to sell software written in Perl. Chasing down thieves and pirates was a constant chore. So much so that I stopped selling software. I couldn't even get hosts to shut down clients sites most of the time without jumping through all kinds of hoops. The only code I write is for my own use or on a strictly custom basis.

Most webmasters here will steal something before they'll pay for it. For the few that will happily pay I bet there are a couple hundred who will steal. Everyone knows they won't go to jail for using an unlicensed script.

Libertine · 04-14-2009, 09:59 AM

Quote:

Originally Posted by Babaganoosh

If only that were true. I used to sell software written in Perl. Chasing down thieves and pirates was a constant chore. So much so that I stopped selling software. I couldn't even get hosts to shut down clients sites most of the time without jumping through all kinds of hoops. The only code I write is for my own use or on a strictly custom basis.

Most webmasters here will steal something before they'll pay for it. For the few that will happily pay I bet there are a couple hundred who will steal. Everyone knows they won't go to jail for using an unlicensed script.

Then you must have been focusing on the lower end of the market.

If you focus on the higher end of the market, and build up a relationship with some of the main hosting companies, it gets much easier. A few years back, when I still worked as programmer, I had several hosting companies notify me of people trying to pirate my software on their servers when they spotted it.

Small-time webmasters would try and steal stuff, of course, but professionals usually paid. And a number of the small-timers "upgraded" to legal versions once their business grew, so even the piracy wasn't a full loss.

Babaganoosh · 04-14-2009, 10:06 AM

Quote:

Originally Posted by Libertine

Then you must have been focusing on the lower end of the market.

If you focus on the higher end of the market, and build up a relationship with some of the main hosting companies, it gets much easier. A few years back, when I still worked as programmer, I had several hosting companies notify me of people trying to pirate my software on their servers when they spotted it.

Small-time webmasters would try and steal stuff, of course, but professionals usually paid. And a number of the small-timers "upgraded" to legal versions once their business grew, so even the piracy wasn't a full loss.

Low end or not, there has to be a way to protect code without switching to compiled languages.

My favorite incident was when a little shithead from eastern Europe took my code, modified the admin templates and was selling it as his own creation. I did pursue him until he stopped but that was really a wakeup call for me.

Serge Litehead · 04-14-2009, 10:13 AM

anything compiled can be decompiled in any language and platform, although it is against licensing and tou.

Babaganoosh · 04-14-2009, 10:36 AM

Quote:

Originally Posted by holograph

anything compiled can be decompiled in any language and platform, although it is against licensing and tou.

I have yet to see C++ decompiled accurately. Development time is substantially increased though, especially for me. I'm not smart enough to code C++ quickly.

quantum-x · 04-14-2009, 10:42 AM

Quote:

Originally Posted by Babaganoosh

I have yet to see C++ decompiled accurately. Development time is substantially increased though, especially for me. I'm not smart enough to code C++ quickly.

Right, these things have been cracked for ages.
Both ZendGuard and IonCube.

Only thing you can do: write better code.

Decompiling C++ is one thing, but disassembling it is another thing all together - and been done for ages..

It's a hell of a lot easier to trace into C++/ASM/VB/Whatever than it is PHP

nation-x · 04-14-2009, 10:48 AM

Quote:

Originally Posted by fris

http://phpdecoders.com/function.html

saw this being advertised on sitepoint

Why would you post that fris? Sometimes I wonder about you.

AdultSoftwareSolutions · 04-14-2009, 11:28 AM

Being able to decode and reverse engineer / modify are 2 entirely different things.

Anything that can be run can be disassembled. I used to crack video games in the early 90's using nothing more than a hex editor and knowledge of Intel assembly opcodes. It's very challenging and time consuming though. PHP is more obscure though because nobody cares about the low levels of PHP.

I'm currently developing a few products and when I release them they will be source code or SaaS.

quantum-x · 04-14-2009, 11:36 AM

Quote:

Originally Posted by AdultSoftwareSolutions

PHP is more obscure though because nobody cares about the low levels of PHP.

Don't kid yourself on that one. People are very interested in your PHP source.

2012 · 04-14-2009, 11:42 AM

you could host your "meat and potatoes" code on your own dedicated hardware. anything worth cracking gets cracked ...

AdultSoftwareSolutions · 04-14-2009, 11:49 AM

Quote:

Originally Posted by quantum-x

Don't kid yourself on that one. People are very interested in your PHP source.

I was referring to the C/assembly/opcode level implementation of PHP. I have never met a person in my life who could read compiled PHP code from a hex editor. I know several that can do that with programs compiled to native intel assembly.

k0nr4d · 04-14-2009, 12:32 PM

The php decoders are terrible. They don't get anything even close to the original code...

Babaganoosh · 04-14-2009, 12:43 PM

Quote:

Originally Posted by k0nr4d

The php decoders are terrible. They don't get anything even close to the original code...

Yes they do. Test out the site I posted. I have completely functional code from a previously encoded script.

ladida · 04-14-2009, 12:49 PM

Quote:

Originally Posted by k0nr4d

The php decoders are terrible. They don't get anything even close to the original code...

You've not searched good then. I've had both zend and ioncube decoded completelly acuratelly.

With obfuscation, the code comes up clean aswell, but the function names are messed, however, they still hold same "name", and can be easilly renamed.

quantum-x · 04-14-2009, 01:25 PM

Quote:

Originally Posted by k0nr4d

The php decoders are terrible. They don't get anything even close to the original code...

Yes they do - more often than not with original variable names, too.

quantum-x · 04-14-2009, 01:26 PM

Quote:

Originally Posted by AdultSoftwareSolutions

I was referring to the C/assembly/opcode level implementation of PHP. I have never met a person in my life who could read compiled PHP code from a hex editor. I know several that can do that with programs compiled to native intel assembly.

Sure, but there's not much need, with Zend Platform - you can debug and trace the PHP bitcode anyhow

Tempest · 04-14-2009, 03:31 PM

Quote:

Originally Posted by Babaganoosh

That's a pretty old post. A lot changes in 5 years. I sent a widely used script to a particular site that claims to be able to decode anything and they nailed it in less than an hour. The tools available for download didn't work for this script but these guys were able to do it. That shattered my faith in all of these encoders. I'll try to obfuscate some code, run it through Ioncube and send it to them to see what they come up with. If I had Zend Guard I would try that one too.

Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.

$5 submissions · 04-14-2009, 03:33 PM

Quote:

Originally Posted by nation-x

Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

http://alexking.org/blog/2004/02/07/...ting-php-code/

Great post. Thanks!

quantum-x · 04-14-2009, 03:38 PM

Quote:

Originally Posted by Tempest

Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.

The tests I ran, everything was returned, including original variable names, and formatting.

Babaganoosh · 04-14-2009, 04:53 PM

Quote:

Originally Posted by Tempest

Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.

zendcrack.com

Haven't tried obfuscated code yet. Common sense tells me I will get decoded yet still obfuscated code back. Obfuscated code can be cleaned up and made readable again with a little effort so I'm pretty sure it's not stopping anyone.

2012 · 04-14-2009, 04:58 PM

Quote:

Originally Posted by Babaganoosh

zendcrack.com

Haven't tried obfuscated code yet. Common sense tells me I will get decoded yet still obfuscated code back. Obfuscated code can be cleaned up and made readable again with a little effort so I'm pretty sure it's not stopping anyone.

if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say.

Babaganoosh · 04-14-2009, 05:03 PM

Quote:

Originally Posted by fartfly

if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say.

Numbnuts, there's nothing you can tell me that I don't already know. Fuck off, turd.

u-Bob · 04-14-2009, 05:27 PM

<----- doesn't trust encoded/encrypted php code.

Klen · 04-14-2009, 05:29 PM

Yep i finded program for decoding ioncube so i have both programs for zend and ioncube now for free.
Which means if i ever will do script i will have to find other solution to encode it.

2012 · 04-14-2009, 05:29 PM

Quote:

Originally Posted by Babaganoosh

Numbnuts, there's nothing you can tell me that I don't already know. Fuck off, turd.

Is it that time of the month again?
"Is there anything that actually works for protecting a commercial script?"

Then why are you asking turd ? I just told you the only way shit for brains ...

now click my sig

quantum-x · 04-14-2009, 05:36 PM

Quote:

Originally Posted by fartfly

if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say.

#1 - Your server goes down, you kill a bunch of sites
#2 - You mess up something on you end, you kill a bunch of sites
#3 - You get ddos'd off the planet, you kill a bunch of sites
#4 - You get hacked, and they push code to a bunch of sites, you hack a bunch of sites.

#5 - They decode your app, comment out the dependency, and resume life

2012 · 04-14-2009, 05:38 PM

Quote:

Originally Posted by quantum-x

#1 - Your server goes down, you kill a bunch of sites
#2 - You mess up something on you end, you kill a bunch of sites
#3 - You get ddos'd off the planet, you kill a bunch of sites
#4 - You get hacked, and they push code to a bunch of sites, you hack a bunch of sites.

#5 - They decode your app, comment out the dependency, and resume life

wow, turd. Tell me something I don't already know j/k

So let everyone tell you all this bullshit and I'll tell you what you already know. You can't protect your code. Impossible. ... happy now.

04-14-2009, 07:30 AM	#6
brassmonkey Pay It Forward Industry Role: Join Date: Sep 2005 Location: Yo Mama House Posts: 76,984	if a script is good even the thieves will want to buy it __________________ TRUMP 2025 KEKAW!!! - The Laken Riley Act Is Law! DACA ENDED - SUPPORT AZ HCR 2060 52R - email: brassballz-at-techie.com

04-14-2009, 07:31 AM	#7
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,283	open source 4 lyfe __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

04-14-2009, 07:34 AM	#9
Babaganoosh ♥♥♥ Likes Hugs ♥♥♥ Industry Role: Join Date: Nov 2001 Location: /home Posts: 15,841	As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job. This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing. __________________ I like pie.

04-14-2009, 07:39 AM	#11
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,283	I dont mind paying for scripts that use encoders as long as I know the owner or people using them, Hate to see if run some malicious code. __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

04-14-2009, 09:24 AM	#14
Sam Granger Confirmed User Join Date: Dec 2004 Location: NL (Eindhoven), CZ(Prague), FR(Concarneau) Posts: 3,958	Zend is insecure, it's the way they encrypt. Sourceguardian is very good, same goes for IonCube. They both have been cracked in the past, but they are pretty secure now. I'm sticking with Sourceguardian. __________________ [img]http://**************/sig/fhv3_j2_624x80_2.gif[/img] $35-40 Per Signup, 60-70% Rev Share, over 80 Sites, Exclusive Sites, tons of free content 14,000+ Free hosted Galleries, RSS feeds, Domain Hosting, Embedded Flash Movies Join Fetish Hits now! ICQ:** 358652230

04-14-2009, 06:18 AM	#1
Babaganoosh ♥♥♥ Likes Hugs ♥♥♥ Industry Role: Join Date: Nov 2001 Location: /home Posts: 15,841	Protecting PHP Code - Zend & Ioncube Are CRACKED So Zend Guard and Ioncube have both been cracked. There are applications out there that do a decent job of decoding the files, especially if they were encoded with early versions of Zend or Ioncube. Newer versions are slightly more difficult but definitely possible. There's a site that will decode any encoded PHP script for $15. Is there anything that actually works for protecting a commercial script? __________________ I like pie.

04-14-2009, 07:02 AM	#2
nation-x Confirmed User Industry Role: Join Date: Mar 2004 Location: Rock Hill, SC Posts: 5,370	Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it. http://alexking.org/blog/2004/02/07/...ting-php-code/

04-14-2009, 07:17 AM	#3
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,283	http://phpdecoders.com/function.html saw this being advertised on sitepoint __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

04-14-2009, 07:29 AM	#5
leek Confirmed User Join Date: May 2008 Location: Charlotte, NC Posts: 342	You can't fight technology. Encoding will never be 100% effective - someone, somewhere will always break it. Your best bet would be determining if your software could be deployed via SaaS. SOA and API's are the future.

04-14-2009, 09:37 AM	#16
Libertine sex dwarf Join Date: May 2002 Posts: 17,860	Encrypting PHP code is asinine. All it does is protect incompetent coders from public scrutiny. __________________ /(bb\|[^b]{2})/

04-14-2009, 10:13 AM	#21
Serge Litehead Confirmed User Industry Role: Join Date: Dec 2002 Location: Behind the scenes Posts: 5,190	anything compiled can be decompiled in any language and platform, although it is against licensing and tou. __________________ SilverCrocodile.com Adult web design since '05 Last edited by Serge Litehead; 04-14-2009 at 10:14 AM..

04-14-2009, 11:28 AM	#25
AdultSoftwareSolutions Confirmed User Join Date: Mar 2009 Posts: 193	Being able to decode and reverse engineer / modify are 2 entirely different things. Anything that can be run can be disassembled. I used to crack video games in the early 90's using nothing more than a hex editor and knowledge of Intel assembly opcodes. It's very challenging and time consuming though. PHP is more obscure though because nobody cares about the low levels of PHP. I'm currently developing a few products and when I release them they will be source code or SaaS. __________________ Adult Software Solutions (ICQ 559884738) PHP, MySQL, Flash, Actionscript, Java, Wowza, CMS, Tube, VOD, CRM, Dating, Social Networks, Paysites, TGPs, Directories and more. If you can think it I can build it.

04-14-2009, 11:42 AM	#27
2012 So Fucking What Industry Role: Join Date: Jul 2006 Posts: 17,189	you could host your "meat and potatoes" code on your own dedicated hardware. anything worth cracking gets cracked ... __________________ best host: Webair \| best sponsor: Kink \| best coder: 688218966 \| Go Fuck Yourself

04-14-2009, 12:32 PM	#29
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,228	The php decoders are terrible. They don't get anything even close to the original code... __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

04-14-2009, 05:27 PM	#40
u-Bob there's no $$$ in porn Industry Role: Join Date: Jul 2005 Location: icq: 195./568.-230 (btw: not getting offline msgs) Posts: 33,063	<----- doesn't trust encoded/encrypted php code.

04-14-2009, 05:29 PM	#41
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	Yep i finded program for decoding ioncube so i have both programs for zend and ioncube now for free. Which means if i ever will do script i will have to find other solution to encode it.