Simple Code Obfuscation with PHP
Date: 04/29/2007
Author: Wayne Eggert
This tutorial will teach you a simple way to obfuscate code in PHP
so prying eyes won't easily be able to determine what is going on and
steal your work. There are several commercial products from Zend and
IonCube that can be used to compile your PHP code, but if you're only
looking to hide a few things from the average Joe, investing in one of
these commercial products to compile your $10 PHP script seems like
overkill.
First Some Real Code
To start off, let's take a
look at some real code that we'll want to obfuscate (make obscure or
unclear). The code below will simply assign a URL to a variable, use
fopen() to open the website & read the website data into a
variable.
<?php
// Build the URL for the zip code. fopen() on a URL needs allow_url_fopen enabled.
$zipcode = "90210";
$url = "http://www.weather.com/weather/local/".$zipcode."?lswe=".$zipcode;
$file = fopen($url, "r");
if ($file === false) {
    die("Could not open URL");
}
$r = "";
// Read the page in 8 KB chunks until nothing is left.
do {
    $data = fread($file, 8192);
    if (strlen($data) == 0) {
        break;
    }
    $r .= $data;
} while (true);
fclose($file);
echo $r;
?>
Obfuscated Code
Now say you really
don't want people knowing that you're referencing weather.com data
within your script. You can make this a little more difficult for
people to figure out by obfuscating it a bit.
Here's the code:
<?php
// String offsets use [] below; the {} offset form was removed in PHP 8.0.
$ei92q717="90210";$lru="hl:owxtb98e5rctap/ytp.75-g;/wm4e?89hss=";$ei92r717=$lru[160-160].
$lru[79-65].$lru[980-974].$lru[-550+570].$lru[340-338].$lru[225-208].$lru[426-399].
$lru[40-36].$lru[650-646].$lru[199-171].$lru[721-700].$lru[103-99].$lru[285-275].
$lru[600-585].$lru[-400+406].$lru[-200+200].$lru[442-432].$lru[60-48].$lru[-34+55].
$lru[820-807].$lru[-950+953].$lru[276-247].$lru[200-183].$lru[-646+650].$lru[309-278].
$lru[70-55].$lru[-19+38].$lru[135-100].$lru[696-665].$lru[117-105].$lru[126-99].
$lru[2-1].$lru[-15+18].$lru[60-47].$lru[205-190].$lru[-93+94].$lru[522-505].$ei92q717.
$lru[400-368].$lru[999-998].$lru[-740+777].$lru[-29+57].$lru[321-311].$lru[-115+153].
$ei92q717;
$file = fopen($ei92r717, "r");
if ($file === false) {
    die("Could not open URL");
}
$r = "";
do {
    $data = fread($file, 8192);
    if (strlen($data) == 0) {
        break;
    }
    $r .= $data;
} while (true);
fclose($file);
echo $r;
?>
Where's the URL? It's still there.. just a little bit harder for someone to get to unless they're smart enough to use an echo statement on the concatenated string that's being built.
First we have:
$ei92q717="90210";
This is just a horrible, randomly named variable that is hard-coded to the Beverly Hills zip code.
$lru="hl:owxtb98e5rctap/ytp.75-g;/wm4e?89hss=";
Yikes! Yeah this looks like a mess, and it is a mess. It's just a string of random characters, but it's going to be the character map through which we build the URL string again. If you don't know where this is going yet, don't worry.. you'll soon catch up.
Then comes the long $ei92r717 assignment.
Double Yikes! Okay remember that messy string of random characters?
This is just a concatenation of individual character references within
that string. So, if you take $lru[160-160], that turns into $lru[0]
after the subtraction takes place. The 0th character in the character
string is an "h". Then if you take $lru[79-65] that turns into
$lru[14]. The 14th character in the character string (counting from 0)
is a "t". So you get "h" then "t" then "t" then "p" then ":" then "/"
then "/" and so on. All that's happening here is we're specifying the
position of a character within the messy character map string and
building out the URL string.
There you go.. a very simple way to hide some of your code.
For anyone that knows PHP, finding the real URL is as simple as
echo'ing out the concatenated string -- but for the Average Joe that
doesn't know PHP, it helps to obscure your code a little.
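Going the other way, as an added example that is not part of the original tutorial: a short Python script that rebuilds the hidden string from obfuscated source without running the PHP, the way someone reviewing an unfamiliar script would undo this trick. It assumes plain double-quoted character maps and offsets made only of + and - on integers, and it accepts both the {} and [] offset forms; the function names are illustrative.

```python
import re

# Obfuscated assignments from the tutorial, in the pre-PHP 8 {} offset syntax.
SAMPLE = '''$ei92q717="90210";$lru="hl:owxtb98e5rctap/ytp.75-g;/wm4e?89hss=";$ei92r717=$lru{160-160}.
$lru{79-65}.$lru{980-974}.$lru{-550+570}.$lru{340-338}.$lru{225-208}.$lru{426-399}.
$lru{40-36}.$lru{650-646}.$lru{199-171}.$lru{721-700}.$lru{103-99}.$lru{285-275}.
$lru{600-585}.$lru{-400+406}.$lru{-200+200}.$lru{442-432}.$lru{60-48}.$lru{-34+55}.
$lru{820-807}.$lru{-950+953}.$lru{276-247}.$lru{200-183}.$lru{-646+650}.$lru{309-278}.
$lru{70-55}.$lru{-19+38}.$lru{135-100}.$lru{696-665}.$lru{117-105}.$lru{126-99}.
$lru{2-1}.$lru{-15+18}.$lru{60-47}.$lru{205-190}.$lru{-93+94}.$lru{522-505}.$ei92q717.
$lru{400-368}.$lru{999-998}.$lru{-740+777}.$lru{-29+57}.$lru{321-311}.$lru{-115+153}.
$ei92q717;'''

STR_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"$\\]*)"\s*;')  # $name="literal";
CAT_ASSIGN = re.compile(r'\$(\w+)\s*=\s*([^;"]+);')         # $name=term.term...;
OFFSET = re.compile(r'\$(\w+)\s*[{\[]([-+\d\s]+)[}\]]$')    # $map{expr} or $map[expr]
VAR = re.compile(r'\$(\w+)$')                               # bare $name

def offset_value(expr):
    """Evaluate a +/- integer expression such as '-550+570' without eval()."""
    return sum(int(n) for n in re.findall(r'[+-]?\d+', re.sub(r'\s', '', expr)))

def resolve_term(term, known):
    """Return the text one concatenation operand yields, or None if unknown."""
    m = OFFSET.match(term)
    if m and m.group(1) in known:
        i = offset_value(m.group(2))
        src = known[m.group(1)]
        return src[i] if 0 <= i < len(src) else None
    m = VAR.match(term)
    return known.get(m.group(1)) if m else None

def recover_strings(php_source):
    """Statically rebuild strings assembled from character-map lookups."""
    known = dict(STR_ASSIGN.findall(php_source))
    rest = STR_ASSIGN.sub('', php_source)  # literals contain '.' and ';', drop them
    recovered = {}
    for name, rhs in CAT_ASSIGN.findall(rest):
        parts = [resolve_term(t.strip(), known) for t in rhs.split('.')]
        if len(parts) > 1 and None not in parts:  # skip anything not fully resolved
            known[name] = recovered[name] = ''.join(parts)
    return recovered

if __name__ == '__main__':
    for name, value in recover_strings(SAMPLE).items():
        print(f'${name} = {value!r}')
```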
Comments:
Re: .
Posted 10/26/07 5:48PM by AceBHound
Correct -- it's not a very secure or elegant solution, but just shown here as a way you can make code a little less readable to prying eyes. Any code that is accessible by someone else to play around with long enough is going to be open to vulnerabilities -- in this case, at some point that URL needs to actually be formed in order to fetch the page contents.

.
Posted 10/16/07 7:09PM by Anonymous Techdoser
If someone has the code, a simple "echo $ei92r717;" tells him the URL...