
Question About Using Ioncube's PHP Encoder

Posted: Tue Sep 16, 2008 6:02 pm
by Steve Carsen
I've been asked to package one of my PHP components for sale. This is great but I have never sold my code before. I gave it away loaded with comments so users can customize it to their needs. In order to keep the code for my component from being changed or copied the publisher wants me to encode it with Ioncube's PHP Encoder. They want me to code a 30 day trial, a full release copy and they also need a copy of the cleartext. This is no problem and the encoding appears to handle dynamic fields well enough.
My question is if all of this work and maintaining the encrypted copies is even worth it. I searched Google but couldn't find a definitive answer as to whether or not this is easy for crackers to crack. I think that even if they can crack it, they can only see the compiled code and not my source code. Is this true?

Cheers
Steve

Re: Question About Using Ioncube's PHP Encoder

Posted: Wed Sep 17, 2008 2:52 am
by alex.barylski
ionCube can be decoded but it's better than nothing and will keep 80% of users at bay. Russia and Eastern European countries are the only places that seem to really promote decoding as a service.

Just inform your boss it isn't foolproof. About the only time you get that is if you compile into native machine code...then reverse engineering can only ever return your code to an approximation of what it was.

The best you get from ionCube is:

1. Obfuscation
2. Tricky Encryption

Obfuscation will rename all your logically named variables and classes to something meaningless, which makes reverse engineering much harder -- at least at the interface/design level. Implementation is not worth hiding IMHO; any idea except the most complex "patentable" implementation is easily copied.

Re: Question About Using Ioncube's PHP Encoder

Posted: Wed Sep 17, 2008 6:55 am
by Steve Carsen
That's exactly what I needed to know.

Thanks.
Steve

Re: Question About Using Ioncube's PHP Encoder

Posted: Wed Sep 17, 2008 3:31 pm
by Steve Carsen
Steve Carsen wrote: That's exactly what I needed to know.

Thanks.
Steve
I found a few more sources on it and it seems that it would be easier to just hire someone like me to reverse engineer it rather than try to decode it. I suspect that is what the people who offer cracking really do. :)

Re: Question About Using Ioncube's PHP Encoder

Posted: Thu Sep 18, 2008 1:26 am
by alex.barylski
People that offer cracking...probably crack the encryption...it's easier. Reverse engineering would take forever.

I believe PHP needs the real unencrypted source code in order to execute, so all those encryption tools are simply useless if someone knows their way around PHP internals and can simply dump/record the original source as it's unencrypted.

ionCube and Zend I believe take it a step further by actually encoding the scripts in an intermediary proprietary byte code.

That is why PHP needs either ionCube or Zend encoder extensions installed in order to run the scripts -- PITA as most don't.

The byte code is still possible to gain access to and with enough time...one would learn what each byte code actually meant and thus decompilation would be possible.

Someone out there has probably spent the time tinkering with each byte code and developed a decompiler if you will.

They modify a version of PHP and intercept the byte codes. Once they have the byte code they run the decompiler on it, which converts the byte code into the source code.

Because the byte code is an abstraction on machine code, the level to which byte code converts back to source code is quite close to the original source.

Machine code is quite a bit more complex, so converting Windows source code to something/anything usable is not likely. PHP is also a simple language compared to C/C++, so much of the useful abstractions that make code easier to read in C/C++ are also wiped off the slate, making it all but impossible to reverse engineer Windows (also its size doesn't hurt).

Many years ago I played with a VB decompiler. I decompiled the binary and viewed the source...then compared it to the original source. Because VB used an intermediary byte code (called p-code) the result was 'OK' but still hard to understand...

I tried the same thing on a C/C++ application and decompiler and it was next to impossible to comprehend anything.

That is why I said...

1. Encryption = Easy to circumvent
2. Encoding = Still possible with enough will
3. Compilation = Virtually impossible to get the same result

When I say "easy", that term is used relatively. Decryption is not a trivial matter, but because of the way it's used, getting at the original source is not that difficult.
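
The difference between obfuscation and byte-code encoding described in the posts above, as an added example that is not part of the original thread. It uses Python's own bytecode as a stand-in for the general idea and does not model ionCube's or Zend's proprietary format; the sample component, its names and its strings are constructed for illustration.

```python
import marshal

# Constructed sample component; every name and string here is invented.
READABLE = '''
# Trial gate: customers may edit the message below.
def check_trial(install_day, today):
    days_used = today - install_day
    return "TRIAL EXPIRED" if days_used > 30 else "OK"
'''

# Same logic after identifier renaming (the obfuscation step), done by hand here.
RENAMED = '''
def f1(a, b):
    c = b - a
    return "TRIAL EXPIRED" if c > 30 else "OK"
'''

def encode(source):
    """Compile to bytecode and serialise it; the source text is not kept."""
    return marshal.dumps(compile(source, "<component>", "exec"))

def surviving_metadata(blob):
    """Collect the names and string literals still readable in an encoded blob."""
    found = {"functions": set(), "locals": set(), "strings": set()}
    stack = [marshal.loads(blob)]
    while stack:
        code = stack.pop()
        found["locals"].update(code.co_varnames)
        for const in code.co_consts:
            if hasattr(const, "co_code"):   # nested code object = a function body
                found["functions"].add(const.co_name)
                stack.append(const)
            elif isinstance(const, str):
                found["strings"].add(const)
    return found

if __name__ == "__main__":
    for label, src in (("readable", READABLE), ("renamed", RENAMED)):
        blob = encode(src)
        print(label, "comment kept:", b"customers may edit" in blob)
        print(label, surviving_metadata(blob))
```

Comments disappear at the encoding step, descriptive identifiers disappear only when renaming is applied as well, and string literals survive both, so anything placed in a literal should be treated as visible to whoever holds the encoded file.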

Re: Question About Using Ioncube's PHP Encoder

Posted: Fri Sep 26, 2008 12:20 am
by rami
Well,
I have seen many applications survive or not be cracked using ioncube....
to name a few: kansoftware price comparison, freelancing radlance and many more....so ioncube seems to be safe for now...