Protecting PHP Code - Zend & Ioncube Are CRACKED

  • Babaganoosh
    ♥♥♥ Likes Hugs ♥♥♥
    • Nov 2001
    • 15841

    #1

    Protecting PHP Code - Zend & Ioncube Are CRACKED

    So Zend Guard and Ioncube have both been cracked. There are applications out there that do a decent job of decoding the files, especially if they were encoded with early versions of Zend or Ioncube. Newer versions are slightly more difficult but definitely possible. There's a site that will decode any encoded PHP script for $15.

    Is there anything that actually works for protecting a commercial script?
  • nation-x
    Confirmed User
    • Mar 2004
    • 5370

    #2
    Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

    http://alexking.org/blog/2004/02/07/...ting-php-code/


    • fris
      Too lazy to set a custom title
      • Aug 2002
      • 55679

      #3
      http://phpdecoders.com/function.html

      saw this being advertised on sitepoint

      • Babaganoosh
        ♥♥♥ Likes Hugs ♥♥♥
        • Nov 2001
        • 15841

        #4
        Originally posted by nation-x
        Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

        http://alexking.org/blog/2004/02/07/...ting-php-code/
        That's a pretty old post. A lot changes in 5 years. I sent a widely used script to a particular site that claims to be able to decode anything and they nailed it in less than an hour. The tools available for download didn't work for this script but these guys were able to do it. That shattered my faith in all of these encoders. I'll try to obfuscate some code, run it through Ioncube and send it to them to see what they come up with. If I had Zend Guard I would try that one too.

        BTW, I am gonna be your neighbor pretty soon. I am moving to a little town about an hour away from Charlotte this summer.

        • leek
          Confirmed User
          • May 2008
          • 342

          #5
          You can't fight technology. Encoding will never be 100% effective - someone, somewhere will always break it.

          Your best bet would be determining if your software could be deployed via SaaS. SOA and APIs are the future.


          • brassmonkey
            Pay It Forward
            • Sep 2005
            • 77396

            #6
            if a script is good even the thieves will want to buy it

            • fris
              Too lazy to set a custom title
              • Aug 2002
              • 55679

              #7
              open source 4 lyfe

              • leek
                Confirmed User
                • May 2008
                • 342

                #8
                Originally posted by fris
                open source 4 lyfe


                • Babaganoosh
                  ♥♥♥ Likes Hugs ♥♥♥
                  • Nov 2001
                  • 15841

                  #9
                  As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job.

                  This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing.

                  • Babaganoosh
                    ♥♥♥ Likes Hugs ♥♥♥
                    • Nov 2001
                    • 15841

                    #10
                    Originally posted by fris
                    open source 4 lyfe
                    I've been involved in open source projects since the beginning of the movement but no matter what anyone tries to tell you, it's next to impossible to turn a profit. The only people who benefit are the people that use the software. I am a firm believer in "pay to play."

                    • fris
                      Too lazy to set a custom title
                      • Aug 2002
                      • 55679

                      #11
                      I don't mind paying for scripts that use encoders as long as I know the owner or people using them. Hate to see it run some malicious code.

                      • Babaganoosh
                        ♥♥♥ Likes Hugs ♥♥♥
                        • Nov 2001
                        • 15841

                        #12
                        Originally posted by fris
                        I don't mind paying for scripts that use encoders as long as I know the owner or people using them. Hate to see it run some malicious code.
                        That part does make me nervous. I like to see what I am running. I guess now I can.

                        • Klen
                          • Aug 2006
                          • 32235

                          #13
                          Originally posted by fris
                          http://phpdecoders.com/function.html

                          saw this being advertised on sitepoint
                          I think that is a scam site if I remember correctly. Also I do know zend is very easy to decode, but I'm not sure if ioncube and source guardian can be decoded as some other sites say they can. I bet they are scams, same as that phpdecoders. But again it is probably possible, but I think right now decoding of ioncube and source guardian is not available to the public.


                          • Sam Granger
                            Confirmed User
                            • Dec 2004
                            • 3958

                            #14
                            Zend is insecure, it's the way they encrypt. Sourceguardian is very good, same goes for IonCube. They both have been cracked in the past, but they are pretty secure now. I'm sticking with Sourceguardian.


                            • Babaganoosh
                              ♥♥♥ Likes Hugs ♥♥♥
                              • Nov 2001
                              • 15841

                              #15
                              Originally posted by KlenTelaris
                              I think that is a scam site if I remember correctly. Also I do know zend is very easy to decode, but I'm not sure if ioncube and source guardian can be decoded as some other sites say they can. I bet they are scams, same as that phpdecoders. But again it is probably possible, but I think right now decoding of ioncube and source guardian is not available to the public.
                              Email some ioncube encoded code to that URL I posted above and see what happens. It'll cost a little $ but I assure you that it's not a scam site. The guy is actually pretty friendly.

                              • Libertine
                                sex dwarf
                                • May 2002
                                • 17860

                                #16
                                Encrypting PHP code is asinine. All it does is protect incompetent coders from public scrutiny.

                                • Libertine
                                  sex dwarf
                                  • May 2002
                                  • 17860

                                  #17
                                  Originally posted by Babaganoosh
                                  As long as we're naming names, the site I tried is zendcrack.com and they did a perfect job.

                                  This shit is scary. One of the most used scripts in the adult business can be cracked for a few bucks. If I were a malicious type guy I could put the code up for free download and suddenly there would be thousands and thousands of sites using it. All those dollars invested in design and licenses would be for nothing.
                                  A few thousand sites might start using it, but both you and the owners of a fair number of those sites would be facing some serious jailtime.

                                  Meanwhile, most businesses would stick with legal versions. Because, after all, illegally using software is a rather big liability for any serious business.

                                  • Babaganoosh
                                    ♥♥♥ Likes Hugs ♥♥♥
                                    • Nov 2001
                                    • 15841

                                    #18
                                    Originally posted by Libertine
                                    A few thousand sites might start using it, but both you and the owners of a fair number of those sites would be facing some serious jailtime.

                                    Meanwhile, most businesses would stick with legal versions. Because, after all, illegally using software is a rather big liability for any serious business.
                                    If only that were true. I used to sell software written in Perl. Chasing down thieves and pirates was a constant chore. So much so that I stopped selling software. I couldn't even get hosts to shut down clients' sites most of the time without jumping through all kinds of hoops. The only code I write is for my own use or on a strictly custom basis.

                                    Most webmasters here will steal something before they'll pay for it. For the few that will happily pay I bet there are a couple hundred who will steal. Everyone knows they won't go to jail for using an unlicensed script.

                                    • Libertine
                                      sex dwarf
                                      • May 2002
                                      • 17860

                                      #19
                                      Originally posted by Babaganoosh
                                      If only that were true. I used to sell software written in Perl. Chasing down thieves and pirates was a constant chore. So much so that I stopped selling software. I couldn't even get hosts to shut down clients' sites most of the time without jumping through all kinds of hoops. The only code I write is for my own use or on a strictly custom basis.

                                      Most webmasters here will steal something before they'll pay for it. For the few that will happily pay I bet there are a couple hundred who will steal. Everyone knows they won't go to jail for using an unlicensed script.
                                      Then you must have been focusing on the lower end of the market.

                                      If you focus on the higher end of the market, and build up a relationship with some of the main hosting companies, it gets much easier. A few years back, when I still worked as programmer, I had several hosting companies notify me of people trying to pirate my software on their servers when they spotted it.

                                      Small-time webmasters would try and steal stuff, of course, but professionals usually paid. And a number of the small-timers "upgraded" to legal versions once their business grew, so even the piracy wasn't a full loss.

                                      • Babaganoosh
                                        ♥♥♥ Likes Hugs ♥♥♥
                                        • Nov 2001
                                        • 15841

                                        #20
                                        Originally posted by Libertine
                                        Then you must have been focusing on the lower end of the market.

                                        If you focus on the higher end of the market, and build up a relationship with some of the main hosting companies, it gets much easier. A few years back, when I still worked as programmer, I had several hosting companies notify me of people trying to pirate my software on their servers when they spotted it.

                                        Small-time webmasters would try and steal stuff, of course, but professionals usually paid. And a number of the small-timers "upgraded" to legal versions once their business grew, so even the piracy wasn't a full loss.
                                        Low end or not, there has to be a way to protect code without switching to compiled languages.

                                        My favorite incident was when a little shithead from eastern Europe took my code, modified the admin templates and was selling it as his own creation. I did pursue him until he stopped but that was really a wakeup call for me.

                                        • Serge Litehead
                                          Confirmed User
                                          • Dec 2002
                                          • 5190

                                          #21
                                          anything compiled can be decompiled in any language and platform, although it is against licensing and tou.
                                          Last edited by Serge Litehead; 04-14-2009, 09:14 AM.


                                          • Babaganoosh
                                            ♥♥♥ Likes Hugs ♥♥♥
                                            • Nov 2001
                                            • 15841

                                            #22
                                            Originally posted by holograph
                                            anything compiled can be decompiled in any language and platform, although it is against licensing and tou.
                                            I have yet to see C++ decompiled accurately. Development time is substantially increased though, especially for me. I'm not smart enough to code C++ quickly.

                                            • quantum-x
                                              Confirmed User
                                              • Feb 2002
                                              • 6863

                                              #23
                                              Originally posted by Babaganoosh
                                              I have yet to see C++ decompiled accurately. Development time is substantially increased though, especially for me. I'm not smart enough to code C++ quickly.
                                              Right, these things have been cracked for ages.
                                              Both ZendGuard and IonCube.

                                              Only thing you can do: write better code.

                                              Decompiling C++ is one thing, but disassembling it is another thing altogether - and has been done for ages.

                                              It's a hell of a lot easier to trace into C++/ASM/VB/Whatever than it is PHP
                                              Last edited by quantum-x; 04-14-2009, 09:46 AM. Reason: Less profanity ;)

                                              • nation-x
                                                Confirmed User
                                                • Mar 2004
                                                • 5370

                                                #24
                                                Originally posted by fris
                                                http://phpdecoders.com/function.html

                                                saw this being advertised on sitepoint
                                                Why would you post that fris? Sometimes I wonder about you.


                                                • AdultSoftwareSolutions
                                                  Confirmed User
                                                  • Mar 2009
                                                  • 193

                                                  #25
                                                  Being able to decode and reverse engineer / modify are 2 entirely different things.

                                                  Anything that can be run can be disassembled. I used to crack video games in the early 90's using nothing more than a hex editor and knowledge of Intel assembly opcodes. It's very challenging and time consuming though. PHP is more obscure though because nobody cares about the low levels of PHP.

                                                  I'm currently developing a few products and when I release them they will be source code or SaaS.

                                                  • quantum-x
                                                    Confirmed User
                                                    • Feb 2002
                                                    • 6863

                                                    #26
                                                    Originally posted by AdultSoftwareSolutions
                                                    PHP is more obscure though because nobody cares about the low levels of PHP.
                                                    Don't kid yourself on that one. People are very interested in your PHP source.

                                                    • 2012
                                                      So Fucking What
                                                      • Jul 2006
                                                      • 17189

                                                      #27
                                                      you could host your "meat and potatoes" code on your own dedicated hardware. anything worth cracking gets cracked ...

                                                      • AdultSoftwareSolutions
                                                        Confirmed User
                                                        • Mar 2009
                                                        • 193

                                                        #28
                                                        Originally posted by quantum-x
                                                        Don't kid yourself on that one. People are very interested in your PHP source.
                                                        I was referring to the C/assembly/opcode level implementation of PHP. I have never met a person in my life who could read compiled PHP code from a hex editor. I know several that can do that with programs compiled to native Intel assembly.

                                                        • k0nr4d
                                                          Confirmed User
                                                          • Aug 2006
                                                          • 9231

                                                          #29
                                                          The php decoders are terrible. They don't get anything even close to the original code...

                                                          • Babaganoosh
                                                            ♥♥♥ Likes Hugs ♥♥♥
                                                            • Nov 2001
                                                            • 15841

                                                            #30
                                                            Originally posted by k0nr4d
                                                            The php decoders are terrible. They don't get anything even close to the original code...
                                                            Yes they do. Test out the site I posted. I have completely functional code from a previously encoded script.

                                                            • ladida
                                                              Confirmed User
                                                              • Nov 2005
                                                              • 2179

                                                              #31
                                                              Originally posted by k0nr4d
                                                              The php decoders are terrible. They don't get anything even close to the original code...
                                                              You've not searched well then. I've had both zend and ioncube decoded completely accurately.

                                                              With obfuscation, the code comes up clean as well, but the function names are messed, however, they still hold same "name", and can be easily renamed.

                                                              • quantum-x
                                                                Confirmed User
                                                                • Feb 2002
                                                                • 6863

                                                                #32
                                                                Originally posted by k0nr4d
                                                                The php decoders are terrible. They don't get anything even close to the original code...
                                                                Yes they do - more often than not with original variable names, too.

                                                                • quantum-x
                                                                  Confirmed User
                                                                  • Feb 2002
                                                                  • 6863

                                                                  #33
                                                                  Originally posted by AdultSoftwareSolutions
                                                                  I was referring to the C/assembly/opcode level implementation of PHP. I have never met a person in my life who could read compiled PHP code from a hex editor. I know several that can do that with programs compiled to native Intel assembly.
                                                                  Sure, but there's not much need, with Zend Platform - you can debug and trace the PHP bitcode anyhow

                                                                  • Tempest
                                                                    Too lazy to set a custom title
                                                                    • May 2004
                                                                    • 10217

                                                                    #34
                                                                    Originally posted by Babaganoosh
                                                                    That's a pretty old post. A lot changes in 5 years. I sent a widely used script to a particular site that claims to be able to decode anything and they nailed it in less than an hour. The tools available for download didn't work for this script but these guys were able to do it. That shattered my faith in all of these encoders. I'll try to obfuscate some code, run it through Ioncube and send it to them to see what they come up with. If I had Zend Guard I would try that one too.
                                                                    Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.


                                                                    • $5 submissions
                                                                      I help you SUCCEED
                                                                      • Nov 2003
                                                                      • 32195

                                                                      #35
                                                                      Originally posted by nation-x
                                                                      Any of the encoders are vulnerable... this is why you should obfuscate your code before you encode it... 9 times out of 10 the decoded versions of the script don't work because decoding isn't perfect... most decoders can't decode the script exactly as you wrote it. If you obfuscate your code they have almost no chance of being able to fix errors after they decode it.

                                                                      http://alexking.org/blog/2004/02/07/...ting-php-code/
                                                                      Great post. Thanks!


                                                                      • quantum-x
                                                                        Confirmed User
                                                                        • Feb 2002
                                                                        • 6863

                                                                        #36
                                                                        Originally posted by Tempest
                                                                        Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.
                                                                        The tests I ran, everything was returned, including original variable names, and formatting.

                                                                        • Babaganoosh
                                                                          ♥♥♥ Likes Hugs ♥♥♥
                                                                          • Nov 2001
                                                                          • 15841

                                                                          #37
                                                                          Originally posted by Tempest
                                                                          Have you got the results of your obfuscate test yet? Which obfuscator did you use? And what's the link to the site that does the decoding? Think I'm going to need to run some of my own damn tests as well.
                                                                          zendcrack.com

                                                                          Haven't tried obfuscated code yet. Common sense tells me I will get decoded yet still obfuscated code back. Obfuscated code can be cleaned up and made readable again with a little effort so I'm pretty sure it's not stopping anyone.
                                                                          I like pie.


                                                                          • 2012
                                                                            So Fucking What
                                                                            • Jul 2006
                                                                            • 17189

                                                                            #38
                                                                            Originally posted by Babaganoosh
                                                                            zendcrack.com

                                                                            Haven't tried obfuscated code yet. Common sense tells me I will get decoded yet still obfuscated code back. Obfuscated code can be cleaned up and made readable again with a little effort so I'm pretty sure it's not stopping anyone.
                                                                            if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say.
                                                                            best host: Webair | best sponsor: Kink | best coder: 688218966 | Go Fuck Yourself


                                                                            • Babaganoosh
                                                                              ♥♥♥ Likes Hugs ♥♥♥
                                                                              • Nov 2001
                                                                              • 15841

                                                                              #39
                                                                              Originally posted by fartfly
                                                                              if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say.
                                                                              Numbnuts, there's nothing you can tell me that I don't already know. Fuck off, turd.
                                                                              I like pie.


                                                                              • u-Bob
                                                                                there's no $$$ in porn
                                                                                • Jul 2005
                                                                                • 33063

                                                                                #40
                                                                                <----- doesn't trust encoded/encrypted php code.


                                                                                • Klen
                                                                                  • Aug 2006
                                                                                  • 32235

                                                                                  #41
                                                                                  Yep, I found a program for decoding ioncube, so I have both programs for zend and ioncube now for free.
                                                                                  Which means if I ever do a script I will have to find another solution to encode it.


                                                                                  • 2012
                                                                                    So Fucking What
                                                                                    • Jul 2006
                                                                                    • 17189

                                                                                    #42
                                                                                    Originally posted by Babaganoosh
                                                                                    Numbnuts, there's nothing you can tell me that I don't already know. Fuck off, turd.
                                                                                    Is it that time of the month again?
                                                                                    "Is there anything that actually works for protecting a commercial script?"

                                                                                    Then why are you asking turd ? I just told you the only way shit for brains ...

                                                                                    now click my sig
                                                                                    best host: Webair | best sponsor: Kink | best coder: 688218966 | Go Fuck Yourself


                                                                                    • quantum-x
                                                                                      Confirmed User
                                                                                      • Feb 2002
                                                                                      • 6863

                                                                                      #43
                                                                                      Originally posted by fartfly
                                                                                      if you make your app dependent on a service you run from your own server you can have less to worry about as far as someone stealing your code. license the service ... i guess that's part of what I was trying to say.
                                                                                      #1 - Your server goes down, you kill a bunch of sites
                                                                                      #2 - You mess up something on your end, you kill a bunch of sites
                                                                                      #3 - You get ddos'd off the planet, you kill a bunch of sites
                                                                                      #4 - You get hacked, and they push code to a bunch of sites, you hack a bunch of sites.

                                                                                      #5 - They decode your app, comment out the dependency, and resume life
                                                                                      PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -


                                                                                      • 2012
                                                                                        So Fucking What
                                                                                        • Jul 2006
                                                                                        • 17189

                                                                                        #44
                                                                                        Originally posted by quantum-x
                                                                                        #1 - Your server goes down, you kill a bunch of sites
                                                                                        #2 - You mess up something on your end, you kill a bunch of sites
                                                                                        #3 - You get ddos'd off the planet, you kill a bunch of sites
                                                                                        #4 - You get hacked, and they push code to a bunch of sites, you hack a bunch of sites.

                                                                                        #5 - They decode your app, comment out the dependency, and resume life
                                                                                        wow, turd. Tell me something I don't already know j/k

                                                                                        So let everyone tell you all this bullshit and I'll tell you what you already know. You can't protect your code. Impossible. ... happy now.
                                                                                        best host: Webair | best sponsor: Kink | best coder: 688218966 | Go Fuck Yourself

