Sunday November 19, 2017

Simple Code Obfuscation with PHP

Date: 04/29/2007
Author: Wayne Eggert

This tutorial will teach you a simple way to obfuscate code in PHP so prying eyes won't easily be able to determine what is going on and steal your work. Several commercial products that compile your PHP code are available from Zend and IonCube, but if you're only looking to hide a few things from the average Joe, investing in one of them to compile your $10 PHP script seems like overkill.

First Some Real Code
To start off, let's take a look at some real code that we'll want to obfuscate (make obscure or unclear). The code below will simply assign a URL to a variable, use fopen() to read the website and store the website data into a variable.

<?php

$zipcode = "90210";
$url = "http://www.weather.com/weather/local/".$zipcode."?lswe=".$zipcode;

// Open the URL as a stream and read it in 8192-byte chunks until no data is left
$file = fopen($url, "r");
$r = "";
do {
    $data = fread($file, 8192);
    if (strlen($data) == 0) {
        break;
    }
    $r .= $data;
} while (true);

echo $r;
?>

Obfuscated Code
Now say you really don't want people knowing that you're referencing weather.com data within your script. You can make this a little more difficult for people to figure out by obfuscating it a bit.

Here's the code:

<?php

// $lru{n} is the old curly-brace string offset syntax; PHP 8 removed it,
// and the same lookup is written $lru[n] there.
$ei92q717="90210";$lru="hl:owxtb98e5rctap/ytp.75-g;/wm4e?89hss=";$ei92r717=$lru{160-160}.
$lru{79-65}.$lru{980-974}.$lru{-550+570}.$lru{340-338}.$lru{225-208}.$lru{426-399}.
$lru{40-36}.$lru{650-646}.$lru{199-171}.$lru{721-700}.$lru{103-99}.$lru{285-275}.
$lru{600-585}.$lru{-400+406}.$lru{-200+200}.$lru{442-432}.$lru{60-48}.$lru{-34+55}.
$lru{820-807}.$lru{-950+953}.$lru{276-247}.$lru{200-183}.$lru{-646+650}.$lru{309-278}.
$lru{70-55}.$lru{-19+38}.$lru{135-100}.$lru{696-665}.$lru{117-105}.$lru{126-99}.
$lru{2-1}.$lru{-15+18}.$lru{60-47}.$lru{205-190}.$lru{-93+94}.$lru{522-505}.$ei92q717.
$lru{400-368}.$lru{999-998}.$lru{-740+777}.$lru{-29+57}.$lru{321-311}.$lru{-115+153}.
$ei92q717;

// Same read loop as before, now fed the rebuilt URL
$file = fopen($ei92r717, "r");
$r = "";
do {
    $data = fread($file, 8192);
    if (strlen($data) == 0) {
        break;
    }
    $r .= $data;
} while (true);

echo $r;
?>

Where's the URL? It's still there.. just a little bit harder for someone to get to unless they're smart enough to use an ECHO statement on part of the concatenated string that's being built.

First we have:

$ei92q717="90210";

This is just a horrible randomly named variable that is hard-coded to the Beverly Hills zip code.

 

$lru="hl:owxtb98e5rctap/ytp.75-g;/wm4e?89hss=";

Yikes! Yeah this looks like a mess, and it is a mess. It's just a string of random characters, but it's going to be the character map through which we build the URL string again. If you don't know where this is going yet, don't worry.. you'll soon catch up.

 

$ei92r717=$lru{160-160}. $lru{79-65}.$lru{980-974}.$lru{-550+570}.$lru{340-338}.$lru{225-208}.$lru{426-399}. $lru{40-36}.$lru{650-646}.$lru{199-171}.$lru{721-700}.$lru{103-99}.$lru{285-275}. $lru{600-585}.$lru{-400+406}.$lru{-200+200}.$lru{442-432}.$lru{60-48}.$lru{-34+55}. $lru{820-807}.$lru{-950+953}.$lru{276-247}.$lru{200-183}.$lru{-646+650}.$lru{309-278}. $lru{70-55}.$lru{-19+38}.$lru{135-100}.$lru{696-665}.$lru{117-105}.$lru{126-99}. $lru{2-1}.$lru{-15+18}.$lru{60-47}.$lru{205-190}.$lru{-93+94}.$lru{522-505}.$ei92q717. $lru{400-368}.$lru{999-998}.$lru{-740+777}.$lru{-29+57}.$lru{321-311}.$lru{-115+153}. $ei92q717;

Double Yikes! Okay remember that messy string of random characters? This is just a concatenation of individual character references within that string. So, if you take $lru{160-160}, that turns into $lru{0} after the subtraction takes place. The 0th character in the character string is an "h". Then if you take $lru{79-65} that turns into $lru{14}. The 14th character in the character string is a "t". So you get "h" then "t" then "t" then "p" then ":" then "/" then "/" and so on. All that's happening here is we're specifying the position of a character within the messy character map string and building out the URL string.

There you go.. a very simple way to hide some of your code. For anyone that knows PHP, finding the real URL is as simple as echo'ing out the concatenated string -- but for the Average Joe that doesn't know PHP, it helps to obscure your code a little.
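For a reviewer who is handed a script obfuscated this way, the string can be recovered without running the PHP at all. The sketch below is an added example, not code from the original tutorial: it is written in Python so the PHP is handled purely as text, the names `resolve` and `char_at` are hypothetical, and it assumes plain double-quoted literals and index expressions made only of integer addition and subtraction, as in the code above.

```python
import re

# Constructed sample: the obfuscated assignments from this page, kept as text.
SAMPLE = r'''
$ei92q717="90210";$lru="hl:owxtb98e5rctap/ytp.75-g;/wm4e?89hss=";$ei92r717=$lru{160-160}.
$lru{79-65}.$lru{980-974}.$lru{-550+570}.$lru{340-338}.$lru{225-208}.$lru{426-399}.
$lru{40-36}.$lru{650-646}.$lru{199-171}.$lru{721-700}.$lru{103-99}.$lru{285-275}.
$lru{600-585}.$lru{-400+406}.$lru{-200+200}.$lru{442-432}.$lru{60-48}.$lru{-34+55}.
$lru{820-807}.$lru{-950+953}.$lru{276-247}.$lru{200-183}.$lru{-646+650}.$lru{309-278}.
$lru{70-55}.$lru{-19+38}.$lru{135-100}.$lru{696-665}.$lru{117-105}.$lru{126-99}.
$lru{2-1}.$lru{-15+18}.$lru{60-47}.$lru{205-190}.$lru{-93+94}.$lru{522-505}.$ei92q717.
$lru{400-368}.$lru{999-998}.$lru{-740+777}.$lru{-29+57}.$lru{321-311}.$lru{-115+153}.
$ei92q717;
'''

# Plain double-quoted literal, no escapes or interpolation (assumption).
STR_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"\\$]*)"\s*;')
ASSIGN = re.compile(r'\$(\w+)\s*=([^;]*);')
# $var, $var{a-b} or $var[a+b]; the index may only add and subtract integers.
TERM = re.compile(r'\$(\w+)(?:[{\[]\s*([-+]?\d+(?:\s*[-+]\s*\d+)*)\s*[}\]])?')

def char_at(text, expr):
    """Evaluate a +/- integer expression without eval() and index into text."""
    index = sum(int(n) for n in re.findall(r'[-+]?\d+', expr.replace(' ', '')))
    if not 0 <= index < len(text):
        raise IndexError(index)
    return text[index]

def resolve(source):
    """Return {variable: recovered string} for character-map concatenations."""
    strings = dict(STR_ASSIGN.findall(source))
    # Remove the literals before splitting statements: the map contains ';'.
    rest = STR_ASSIGN.sub('', source)
    recovered = {}
    for name, rhs in ASSIGN.findall(rest):
        terms = [TERM.fullmatch(piece.strip()) for piece in rhs.split('.')]
        if not all(terms):
            continue  # not a pure concatenation of map lookups, leave it alone
        try:
            value = ''.join(strings[t[1]] if t[2] is None
                            else char_at(strings[t[1]], t[2]) for t in terms)
        except (KeyError, IndexError):
            continue  # unknown variable or offset outside the map
        strings[name] = recovered[name] = value
    return recovered

if __name__ == "__main__":
    for name, value in resolve(SAMPLE).items():
        print(f"${name} = {value!r}")
```

Assignments that are not pure concatenations, such as the `fopen()` call, are skipped rather than guessed at.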




Comments:
Re: .
Posted 10/26/07 5:48PM by AceBHound
Correct -- it's not a very secure or elegant solution, but just shown here as a way you can make code a little less readable to prying eyes. Any code that is accessible by someone else to play around with long enough is going to be open to vulnerabilities -- in this case, at some point that URL needs to actually be formed in order to fetch the page contents.
.
Posted 10/16/07 7:09PM by Anonymous Techdoser
If someone has the code, a simple "echo $ei92r717;" tells him the URL...