Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:74415
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 98625 invoked from network); 21 May 2014 14:51:28 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 May 2014 14:51:28 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.216.178 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.216.178 mail-qc0-f178.google.com  
Received: from [209.85.216.178] ([209.85.216.178:60543] helo=mail-qc0-f178.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 43/AA-24198-D6DBC735 for <internals@lists.php.net>; Wed, 21 May 2014 10:51:26 -0400
Received: by mail-qc0-f178.google.com with SMTP id l6so3322604qcy.23
        for <internals@lists.php.net>; Wed, 21 May 2014 07:51:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
         :cc:subject:references:in-reply-to:content-type;
        bh=nnFSgt4BRJAPBWjzXz/0zLTL3AoDI4HmmeBrVGRPKhk=;
        b=AavKhsY3BbkQHD/OBauy5ZcrrqhE6h/93k3u402V0LW1UMaKsLVQV+uhPqI5gl1InC
         NnB7gVz2L98H4SlVmVpClRwL7m6ckxS4fwcocqb9ahWOv6DPNiVxTZ1CmwoyKkQAEYtL
         ohNd87ZGmfC0ENDf5jj9+ZlriuQpD8BafyfaLkajvJVjcc6/6EqtnEpB3WT1EKxe20V0
         WXPetHm9WL+2/X9S7Q9CCdX4O76dRr1JoI1yF/3cLrjQoJU+PxOrFYENK+movoLL2ezu
         FBPCeMDE7Br+ylHAY1n5gGjvZYmn/hBW/D9txWiYTMMFufLg2fBl79hggWAwOfzdGLU8
         IAfg==
X-Gm-Message-State: ALoCoQlmdIVURmSQ6GAF6HR29U28/JVqIJ1kc2+IROqxY3ZBWcszhLQjG2KIpNmdOeyC3S6KOd9L
X-Received: by 10.224.112.74 with SMTP id v10mr68755667qap.28.1400683882565;
        Wed, 21 May 2014 07:51:22 -0700 (PDT)
Received: from [192.168.200.30] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225])
        by mx.google.com with ESMTPSA id j1sm2205582qan.32.2014.05.21.07.51.20
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 21 May 2014 07:51:21 -0700 (PDT)
Message-ID: <537CBD67.4000008@lerdorf.com>
Date: Wed, 21 May 2014 07:51:19 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Nicolai Scheer <nicolai.scheer@gmail.com>, Andrea Faulds <ajf@ajf.me>
CC: Kevin Ingwersen <ingwie2000@googlemail.com>, 
 PHP Internals <internals@lists.php.net>
References: <CAOg_pRQxKsJPgFaZ6_y7Rf1i4Bfkbx+FhCxuBtE9PWu58uOfOQ@mail.gmail.com>	<6048BA05-CC13-46DD-8439-9CB4EE29078B@ajf.me>	<9EBA95A7-B9F7-41F0-AE2B-283260753E5A@googlemail.com>	<B58A4DF4-52FE-41D9-896C-5396DDC7CB8B@ajf.me> <CAOg_pRSmVdw1Y9g-RrW8dBNSpBZVHavJQzSGUCjZu5wXhuUMCQ@mail.gmail.com>
In-Reply-To: <CAOg_pRSmVdw1Y9g-RrW8dBNSpBZVHavJQzSGUCjZu5wXhuUMCQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="wpD2PAVIhoGbuITPdvIAK2jogex8rldwd"
Subject: Re: [PHP-DEV] encode php scripts with opcache compatibility
From: rasmus@lerdorf.com (Rasmus Lerdorf)

--wpD2PAVIhoGbuITPdvIAK2jogex8rldwd
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 5/21/14, 7:27 AM, Nicolai Scheer wrote:
> Hi,
>=20
> yes, we are shipping code to customers and they should not read the sou=
rce.
> The level of protection gained from obfuscated code is not enough, but =
just
> delivering the opcodes would be ok.
>=20
> I know that the opcode array might be dumped, this is just to raise the=

> bar. If I just obfuscate the code there's still the possibilty left to =
edit
> the code directly.
>=20

It is completely trivial to turn opcodes back into PHP code. Sure, it
won't look exactly like the original, but it will run exactly the same
and can easily be modified. There are tools out there that let even a
complete neophyte do it.

If you truly want to protect your code, ship a signed compiled C/C++
extension and put key components of your application in it. That is much
harder to reverse (anything can be reversed, of course) and it has the
added advantage of likely making your application faster.

-Rasmus


--wpD2PAVIhoGbuITPdvIAK2jogex8rldwd
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlN8vWgACgkQlxayKTuqOuDzTQCfSgALNKyTHkp8fqn5UsFCrVKd
OFgAn3vpAPKU5whaeX05wrhIdRv9Z7oN
=xegY
-----END PGP SIGNATURE-----

--wpD2PAVIhoGbuITPdvIAK2jogex8rldwd--