GoFuckYourself.com - Adult Webmaster Forum


Babaganoosh 04-14-2009 06:18 AM

Protecting PHP Code - Zend & Ioncube Are CRACKED
 
So Zend Guard and Ioncube have both been cracked. There are applications out there that do a decent job of decoding the files, especially if they were encoded with early versions of Zend or Ioncube. Newer versions are slightly more difficult but definitely possible. There's a site that will decode any encoded PHP script for $15.

Is there anything that actually works for protecting a commercial script?

nation-x 04-14-2009 07:02 AM

Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

http://alexking.org/blog/2004/02/07/...ting-php-code/

fris 04-14-2009 07:17 AM

http://phpdecoders.com/function.html

saw this being advertised on sitepoint

Babaganoosh 04-14-2009 07:28 AM

Quote:

Originally Posted by nation-x (Post 15741815)
Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

http://alexking.org/blog/2004/02/07/...ting-php-code/

That's a pretty old post. A lot changes in 5 years. I sent a widely used script to a particular site that claims to be able to decode anything and they nailed it in less than an hour. The tools available for download didn't work for this script but these guys were able to do it. That shattered my faith in all of these encoders. I'll try to obfuscate some code, run it through Ioncube and send it to them to see what they come up with. If I had Zend Guard I would try that one too.

BTW, I am gonna be your neighbor pretty soon. I am moving to a little town about an hour away from Charlotte this summer.

leek 04-14-2009 07:29 AM

You can't fight technology. Encoding will never be 100% effective - someone, somewhere will always break it.

Your best bet would be determining if your software could be deployed via SaaS. SOA and APIs are the future.

brassmonkey 04-14-2009 07:30 AM

if a script is good even the thieves will want to buy it:2 cents:

fris 04-14-2009 07:31 AM

open source 4 lyfe

leek 04-14-2009 07:32 AM

Quote:

Originally Posted by fris (Post 15741913)
open source 4 lyfe

:thumbsup:thumbsup

Babaganoosh 04-14-2009 07:34 AM

As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job.

This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing.

Babaganoosh 04-14-2009 07:37 AM

Quote:

Originally Posted by fris (Post 15741913)
open source 4 lyfe

I've been involved in open source projects since the beginning of the movement but no matter what anyone tries to tell you, it's next to impossible to turn a profit. The only people who benefit are the people that use the software. I am a firm believer in "pay to play."

fris 04-14-2009 07:39 AM

I don't mind paying for scripts that use encoders as long as I know the owner or people using them. Hate to see it run some malicious code.

Babaganoosh 04-14-2009 09:10 AM

Quote:

Originally Posted by fris (Post 15741949)
I don't mind paying for scripts that use encoders as long as I know the owner or people using them. Hate to see it run some malicious code.

That part does make me nervous. I like to see what I am running. I guess now I can. :1orglaugh:winkwink:

Klen 04-14-2009 09:18 AM

Quote:

Originally Posted by fris (Post 15741853)
http://phpdecoders.com/function.html

saw this being advertised on sitepoint

I think that is a scam site, if I remember correctly. Also, I do know zend is very easy to decode, but I'm not sure whether ioncube and source guardian can be decoded, as some other sites say they can. I bet they are scams, same as that phpdecoders. But again, it is probably possible, but I think right now decoding of ioncube and source guardian is not available to the public.

Sam Granger 04-14-2009 09:24 AM

Zend is insecure, it's the way they encrypt. Sourceguardian is very good, same goes for IonCube. They both have been cracked in the past, but they are pretty secure now. I'm sticking with Sourceguardian. :thumbsup

Babaganoosh 04-14-2009 09:26 AM

Quote:

Originally Posted by KlenTelaris (Post 15742343)
I think that is a scam site, if I remember correctly. Also, I do know zend is very easy to decode, but I'm not sure whether ioncube and source guardian can be decoded, as some other sites say they can. I bet they are scams, same as that phpdecoders. But again, it is probably possible, but I think right now decoding of ioncube and source guardian is not available to the public.

Email some ioncube encoded code to that URL I posted above and see what happens. It'll cost a little $ but I assure you that it's not a scam site. The guy is actually pretty friendly.

Libertine 04-14-2009 09:37 AM

Encrypting PHP code is asinine. All it does is protect incompetent coders from public scrutiny.

Libertine 04-14-2009 09:39 AM

Quote:

Originally Posted by Babaganoosh (Post 15741932)
As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job.

This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing.

A few thousand sites might start using it, but both you and the owners of a fair number of those sites would be facing some serious jailtime.

Meanwhile, most businesses would stick with legal versions. Because, after all, illegally using software is a rather big liability for any serious business.

Babaganoosh 04-14-2009 09:48 AM

Quote:

Originally Posted by Libertine (Post 15742459)
A few thousand sites might start using it, but both you and the owners of a fair number of those sites would be facing some serious jailtime.

Meanwhile, most businesses would stick with legal versions. Because, after all, illegally using software is a rather big liability for any serious business.

If only that were true. I used to sell software written in Perl. Chasing down thieves and pirates was a constant chore. So much so that I stopped selling software. I couldn't even get hosts to shut down clients' sites most of the time without jumping through all kinds of hoops. The only code I write is for my own use or on a strictly custom basis.

Most webmasters here will steal something before they'll pay for it. For the few that will happily pay I bet there are a couple hundred who will steal. Everyone knows they won't go to jail for using an unlicensed script.

Libertine 04-14-2009 09:59 AM

Quote:

Originally Posted by Babaganoosh (Post 15742502)
If only that were true. I used to sell software written in Perl. Chasing down thieves and pirates was a constant chore. So much so that I stopped selling software. I couldn't even get hosts to shut down clients' sites most of the time without jumping through all kinds of hoops. The only code I write is for my own use or on a strictly custom basis.

Most webmasters here will steal something before they'll pay for it. For the few that will happily pay I bet there are a couple hundred who will steal. Everyone knows they won't go to jail for using an unlicensed script.

Then you must have been focusing on the lower end of the market.

If you focus on the higher end of the market, and build up a relationship with some of the main hosting companies, it gets much easier. A few years back, when I still worked as a programmer, I had several hosting companies notify me of people trying to pirate my software on their servers when they spotted it.

Small-time webmasters would try and steal stuff, of course, but professionals usually paid. And a number of the small-timers "upgraded" to legal versions once their business grew, so even the piracy wasn't a full loss.

Babaganoosh 04-14-2009 10:06 AM

Quote:

Originally Posted by Libertine (Post 15742554)
Then you must have been focusing on the lower end of the market.

If you focus on the higher end of the market, and build up a relationship with some of the main hosting companies, it gets much easier. A few years back, when I still worked as a programmer, I had several hosting companies notify me of people trying to pirate my software on their servers when they spotted it.

Small-time webmasters would try and steal stuff, of course, but professionals usually paid. And a number of the small-timers "upgraded" to legal versions once their business grew, so even the piracy wasn't a full loss.

Low end or not, there has to be a way to protect code without switching to compiled languages.

My favorite incident was when a little shithead from eastern Europe took my code, modified the admin templates and was selling it as his own creation. I did pursue him until he stopped but that was really a wakeup call for me.

Serge Litehead 04-14-2009 10:13 AM

anything compiled can be decompiled in any language and platform, although it is against licensing and tou.

Babaganoosh 04-14-2009 10:36 AM

Quote:

Originally Posted by holograph (Post 15742637)
anything compiled can be decompiled in any language and platform, although it is against licensing and tou.

I have yet to see C++ decompiled accurately. Development time is substantially increased though, especially for me. I'm not smart enough to code C++ quickly.

quantum-x 04-14-2009 10:42 AM

Quote:

Originally Posted by Babaganoosh (Post 15742792)
I have yet to see C++ decompiled accurately. Development time is substantially increased though, especially for me. I'm not smart enough to code C++ quickly.

Right, these things have been cracked for ages.
Both ZendGuard and IonCube.

Only thing you can do: write better code.

Decompiling C++ is one thing, but disassembling it is another thing altogether - and has been done for ages.

It's a hell of a lot easier to trace into C++/ASM/VB/Whatever than it is PHP :)

nation-x 04-14-2009 10:48 AM

Quote:

Originally Posted by fris (Post 15741853)
http://phpdecoders.com/function.html

saw this being advertised on sitepoint

Why would you post that fris? Sometimes I wonder about you.

AdultSoftwareSolutions 04-14-2009 11:28 AM

Being able to decode and reverse engineer / modify are 2 entirely different things.

Anything that can be run can be disassembled. I used to crack video games in the early 90's using nothing more than a hex editor and knowledge of Intel assembly opcodes. It's very challenging and time consuming though. PHP is more obscure though because nobody cares about the low levels of PHP.

I'm currently developing a few products and when I release them they will be source code or SaaS.

quantum-x 04-14-2009 11:36 AM

Quote:

Originally Posted by AdultSoftwareSolutions (Post 15743104)
PHP is more obscure though because nobody cares about the low levels of PHP.

Don't kid yourself on that one. People are very interested in your PHP source.

2012 04-14-2009 11:42 AM

you could host your "meat and potatoes" code on your own dedicated hardware. anything worth cracking gets cracked ...

AdultSoftwareSolutions 04-14-2009 11:49 AM

Quote:

Originally Posted by quantum-x (Post 15743133)
Don't kid yourself on that one. People are very interested in your PHP source.

I was referring to the C/assembly/opcode level implementation of PHP. I have never met a person in my life who could read compiled PHP code from a hex editor. I know several that can do that with programs compiled to native intel assembly.

k0nr4d 04-14-2009 12:32 PM

The php decoders are terrible. They don't get anything even close to the original code...

Babaganoosh 04-14-2009 12:43 PM

Quote:

Originally Posted by k0nr4d (Post 15743338)
The php decoders are terrible. They don't get anything even close to the original code...

Yes they do. Test out the site I posted. I have completely functional code from a previously encoded script.

ladida 04-14-2009 12:49 PM

Quote:

Originally Posted by k0nr4d (Post 15743338)
The php decoders are terrible. They don't get anything even close to the original code...

You've not searched well then. I've had both zend and ioncube decoded completely accurately.

With obfuscation, the code comes up clean as well, but the function names are messed up; however, they still hold the same "name", and can be easily renamed.

quantum-x 04-14-2009 01:25 PM

Quote:

Originally Posted by k0nr4d (Post 15743338)
The php decoders are terrible. They don't get anything even close to the original code...

Yes they do - more often than not with original variable names, too.

quantum-x 04-14-2009 01:26 PM

Quote:

Originally Posted by AdultSoftwareSolutions (Post 15743191)
I was referring to the C/assembly/opcode level implementation of PHP. I have never met a person in my life who could read compiled PHP code from a hex editor. I know several that can do that with programs compiled to native intel assembly.

Sure, but there's not much need, with Zend Platform - you can debug and trace the PHP bitcode anyhow :)

Tempest 04-14-2009 03:31 PM

Quote:

Originally Posted by Babaganoosh (Post 15741898)
That's a pretty old post. A lot changes in 5 years. I sent a widely used script to a particular site that claims to be able to decode anything and they nailed it in less than an hour. The tools available for download didn't work for this script but these guys were able to do it. That shattered my faith in all of these encoders. I'll try to obfuscate some code, run it through Ioncube and send it to them to see what they come up with. If I had Zend Guard I would try that one too.

Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.

$5 submissions 04-14-2009 03:33 PM

Quote:

Originally Posted by nation-x (Post 15741815)
Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

http://alexking.org/blog/2004/02/07/...ting-php-code/

Great post. Thanks!:thumbsup

quantum-x 04-14-2009 03:38 PM

Quote:

Originally Posted by Tempest (Post 15744159)
Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.

The tests I ran, everything was returned, including original variable names, and formatting.

Babaganoosh 04-14-2009 04:53 PM

Quote:

Originally Posted by Tempest (Post 15744159)
Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.

zendcrack.com

Haven't tried obfuscated code yet. Common sense tells me I will get decoded yet still obfuscated code back. Obfuscated code can be cleaned up and made readable again with a little effort so I'm pretty sure it's not stopping anyone.

2012 04-14-2009 04:58 PM

Quote:

Originally Posted by Babaganoosh (Post 15744433)
zendcrack.com

Haven't tried obfuscated code yet. Common sense tells me I will get decoded yet still obfuscated code back. Obfuscated code can be cleaned up and made readable again with a little effort so I'm pretty sure it's not stopping anyone.

if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say. :2 cents:

Babaganoosh 04-14-2009 05:03 PM

Quote:

Originally Posted by fartfly (Post 15744447)
if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say. :2 cents:

Numbnuts, there's nothing you can tell me that I don't already know. Fuck off, turd.

u-Bob 04-14-2009 05:27 PM

<----- doesn't trust encoded/encrypted php code.

Klen 04-14-2009 05:29 PM

Yep, I found a program for decoding ioncube, so I have both programs for zend and ioncube now for free.
Which means if I ever do a script I will have to find another solution to encode it.

2012 04-14-2009 05:29 PM

Quote:

Originally Posted by Babaganoosh (Post 15744463)
Numbnuts, there's nothing you can tell me that I don't already know. Fuck off, turd.

Is it that time of the month again?
"Is there anything that actually works for protecting a commercial script?"

Then why are you asking turd ? I just told you the only way shit for brains ...

now click my sig
:321GFY

quantum-x 04-14-2009 05:36 PM

Quote:

Originally Posted by fartfly (Post 15744447)
if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say. :2 cents:

#1 - Your server goes down, you kill a bunch of sites
#2 - You mess up something on your end, you kill a bunch of sites
#3 - You get ddos'd off the planet, you kill a bunch of sites
#4 - You get hacked, and they push code to a bunch of sites, you hack a bunch of sites.

#5 - They decode your app, comment out the dependency, and resume life

2012 04-14-2009 05:38 PM

Quote:

Originally Posted by quantum-x (Post 15744575)
#1 - Your server goes down, you kill a bunch of sites
#2 - You mess up something on your end, you kill a bunch of sites
#3 - You get ddos'd off the planet, you kill a bunch of sites
#4 - You get hacked, and they push code to a bunch of sites, you hack a bunch of sites.

#5 - They decode your app, comment out the dependency, and resume life

wow, turd. Tell me something I don't already know j/k

So let everyone tell you all this bullshit and I'll tell you what you already know. You can't protect your code. Impossible. ... happy now. :1orglaugh

