PHP Obfuscation 101

Last Update Article: 2022-02-02 10:12:19



PHP is a programming language focused on web application development, but lately it is not used only for the web. Nowadays PHP is also used for automation and other backend processes unrelated to web development, such as bots built on curl. For me (the writer), PHP is a tool for solving simple or complex problems that need automation for continuity, now or whenever.

At the time of writing (2 February 2022), the current stable version of PHP is 8.1.2.

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-1.png

Self Documentation Links

Since PHP reached version 8.x.x it has gained many new features that make it easier for a PHP programmer to write code (at least for the writer), and it is faster than versions before 8.x.x (that article claims this too, with scores). So that is the prologue on PHP as a programming language.

Now let’s move on to the next topic: what is obfuscation? I think (IMHO) obfuscation is a way to make source code hard to read for anyone other than the developer, so that the code can’t be edited or duplicated, for license reasons. But the word “can’t” only applies to a non-l33t person (someone who is not a hacker); for a hacker, obfuscation just makes editing or duplicating the code slower (IMHO). Obfuscation makes code hard to read but does not change the flow of the program at all; it just makes the code much longer, like this example:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-2.png

Personal Documentation [1]

In the code above, the function simply concatenates its parameters into one new long string. The variables are clearly defined: the value of “$nama” is the name, and the value of “$hobi” is the hobbies. The “$indentitas” variable holds the result of calling a function named “Indentitas” with 3 parameters, $nama,$hobi,$bias, and the last thing the code does is print it. Looks normal and readable, right? It can easily be understood and edited as we like, so the writer will make the code above a bit obfuscated (writer’s version) to make it hard to read (I hope).

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-3.png

Personal Documentation [2]

The code above comes from Personal Documentation [1]: the flow of the program is the same, but it looks completely different. What do you think? It’s a bit harder to understand, isn’t it? I know it’s not that hard to read, and it is still “readable” for most senior programmers, but my main point here is to show what obfuscated code looks like. The flow is the same; if both versions are run they show the same result. The main changes in my obfuscated code are that the function called “Identitas” is removed and turned into an anonymous function, and that the 3 variables are defined inline with a bit of encoding. So is that all there is to PHP obfuscation? No, PHP can do much cooler things.

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-4.png

Reference

PHP has many options that support obfuscating a script, such as chaining many encoding methods (base64 encoding 10 times, or base64 + gzdeflate), and many more options that make it even worse (harder to read). Is that all? No! We can create a variable containing the name of a PHP internal API function and call the variable as a function. Wow, isn’t it? Here is an example:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-5.png

Personal Documentation [3]

That is how programmers normally call an internal PHP function, right? We just call the function directly by name. But we can also store the name of a function in a variable and then call that variable like a function, similar to the anonymous function at the top.

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-6.png

Personal Documentation [4]

We can call a function like that. So cool, right? We can make our code even worse to read, maybe like this:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-7.png

Personal Documentation [5]

The flow of the program is still the same as in Personal Documentation [3], but can a normal PHP programmer read it? Probably yes, with a bit of a struggle. Let the writer explain. In the first line, the variable $l is an array of A-Z (uppercase), and in the second line $ll is an array of a-z (lowercase). The next variables, $i,$ii,$iii, are arrays containing the index of each letter which, when combined, become the name of an internal API function. The next variables, $f1,$f2,$f3, each convert one of the arrays $i,$ii,$iii into a string naming an internal API function. The writer uses array_map to keep the syntax short; written the long way it looks like this:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-8.png

Personal Documentation [6]
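An added example, not code from the original article: because calls made through a variable hide the function name from a plain text search, a reviewer can use PHP's own tokenizer to list every `eval` and every `$var(...)` call site. The function name `find_dynamic_calls` and the sample script (constructed from the description above) are assumptions.

```php
<?php
// Added example: list eval and variable-function call sites with PHP's tokenizer.
// Nothing in the scanned source is executed.

function find_dynamic_calls(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so "$f  (" and "$f/*x*/(" are still adjacent.
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));

    $hits = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue; // single-character tokens such as "(" or ";"
        }
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) {
            $hits[] = ['line' => $line, 'kind' => 'eval', 'text' => $text];
        } elseif ($id === T_VARIABLE && ($tokens[$i + 1] ?? null) === '(') {
            // A variable directly followed by "(" is a call through a name held in data.
            $hits[] = ['line' => $line, 'kind' => 'variable call', 'text' => $text];
        }
    }
    return $hits;
}

// Constructed sample modelled on the index-array technique described above.
$sample = <<<'PHP'
<?php
$l  = range('A', 'Z');
$ll = range('a', 'z');
$i  = [18, 19, 17, 11, 4, 13];
$f1 = implode('', array_map(fn($n) => $ll[$n], $i));
echo $f1('hello');
eval('echo 1;');
PHP;

foreach (find_dynamic_calls($sample) as $hit) {
    printf("line %d: %s (%s)\n", $hit['line'], $hit['kind'], $hit['text']);
}
```

The scanner reports where names are resolved at run time; what each variable actually resolves to still has to be worked out from the data that builds it.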

So cool, right? For me it’s really cool when source code can’t be read easily. There are many more cool ways to make our “private” source code less readable, but there is one thing I can give you an example of: how we can obfuscate the code so that a “normal” person can’t easily edit or duplicate it. As I mentioned before, we can encode the whole script, no matter with how many encoding methods, and as the last step we just eval() the code. In short, eval is a function that can run mathematical operations and can run a string containing PHP syntax.

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-9.png

Personal Documentation [7]

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-10.png

Personal Documentation [8]

Eval is available in almost every programming language and does the same job there. So with eval we can run obfuscated code with many encoding methods, like this example:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-11.png

Personal Documentation [9]

This is the basic code of a license key simulation. There is one input from the user, which is checked with an if statement: if the user input is the same as the string “We_Can_Read”, the check passes and prints “License Benar”; if the user input is not the same, it prints “License Salah!”. Easy to understand, isn’t it?

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-12.png

Personal Documentation [10]

OK, what if the code is obfuscated with base64 encoding and executed with eval? Could a normal person read that? This is what the code looks like:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-13.png

Personal Documentation [11]

The flow of the program is the same as in Personal Documentation [10], but it is encoded with base64 and executed by eval. Cool, right? It makes our code a bit hard to read for a normal person who doesn’t understand programming or how encoding and decoding work. See the screenshot below:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-14.png

Personal Documentation [12]

The code runs fine and gives the same result as Personal Documentation [10]. So if we are facing PHP that evals a strangely encoded string, what must we do to understand the flow of the program? We can debug it easily by changing eval to echo, like this:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-15.png

Personal Documentation [13]

And voila, the code shows up, doesn’t it? Looks easy, right? Yes, but sometimes it doesn’t work well, so there is one more option besides reversing the encoding algorithms one by one. We can use a utility called EvalHooks to see what eval is running in the script. First we need to install the utility. The evalhooks repo has clear documentation on how to install it, but here is the writer’s short version of how to install it:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-16.png

Personal Documentation [13]

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-17.png

Personal Documentation [14]

And how do we run the code with “evalhooks”? We can run it in the CLI (Command Line Interface) like this:

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-18.png

Personal Documentation [15]

The code shows up clearly without changing anything. So cool, right? We can debug it layer by layer. For example, I encoded the code 2 times, and evalhooks can still show it one layer at a time.

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-19.png

Personal Documentation [16]
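An added example, not from the original article or the evalhooks project: the eval-to-echo trick repeated automatically across layers, without ever executing the payload. It calls only an allowlist of pure decoders and stops at anything else; `peel_layers`, the allowlist and the constructed two-layer sample are assumptions of this example.

```php
<?php
// Added example: statically peel eval(<decoders>('literal')) layers.
// Only the pure decoding functions below are ever called; the payload is never run.
const SAFE_DECODERS = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev'];

function peel_layers(string $code, int $maxLayers = 20): array
{
    $layers = [];
    // eval( f1( f2( 'literal' ) ) );  group 1: "f1(f2(", group 2: quote, group 3: literal
    $re = '/eval\s*\(\s*((?:[a-z0-9_]+\s*\(\s*)+)([\'"])([^\'"\\\\$]*)\2[\s)]*;/i';
    while (count($layers) < $maxLayers && preg_match($re, $code, $m)) {
        preg_match_all('/[a-z0-9_]+/i', $m[1], $names);
        $data = $m[3];
        // Apply the decoders innermost-first, in the order PHP would evaluate them.
        foreach (array_reverse($names[0]) as $fn) {
            $fn = strtolower($fn);
            if (!in_array($fn, SAFE_DECODERS, true)) {
                break 2; // unknown call: stop and leave this layer for manual review
            }
            $data = @$fn($data);
            if (!is_string($data)) {
                break 2; // the literal did not decode cleanly
            }
        }
        $layers[] = $data;
        $code = $data; // the decoded text may itself be another eval wrapper
    }
    return $layers;
}

// Constructed sample: a harmless statement wrapped in two encoding layers.
$inner  = 'echo "License Benar";';
$layer1 = 'eval(base64_decode("' . base64_encode($inner) . '"));';
$sample = "<?php eval(gzinflate(base64_decode('" . base64_encode(gzdeflate($layer1)) . "')));";

foreach (peel_layers($sample) as $n => $src) {
    printf("layer %d: %s\n", $n + 1, $src);
}
```

Wrappers that build the string from variables or concatenation do not match the pattern and are left untouched, which is the case where a hook on eval at run time is still needed.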

So yes, in PHP we can “try” very hard to obfuscate our code so that others can’t steal or modify it, but that only slows them down; it does not mean they “can’t” edit our code. As long as our code is held by the client, it is only a matter of time until the client can modify it, even though it is obfuscated. “So obfuscation is useless?” For me, no: there are many providers that offer obfuscators and anti-deobfuscators for source code. Still, it is only a matter of time until the “obfuscator” is cracked. But the writer still believes the providers of premium obfuscators will keep improving to make their clients’ source code more secure.

https://blog.nikkoenggaliano.my.id/wp-content/uploads/2022/02/word-image-20.png

Source

OK, thank you for reading this article. The writer hopes there is something here that can enlighten readers and that they can apply in their daily lives. Once again, thank you. *This is the first time the writer has written a whole article in English.