4

I'm interested if anyone knows exactly how effective/safe/protected PHP's bcompiler is against reverse engineering. The introduction page makes a bold claim:

In terms of code protection, it is safe to say that it would be impossible to recreate the exact source code that it was built from, and without the accompanying source code comments. It would effectively be useless to use the bcompiler bytecodes to recreate and modify a class.

Perhaps the key word is "exact" -- how true is their claim if you remove it?

PS - Please, no lectures about compilation/obfuscation versus licensing. :)

tckmn
  • 57,719
  • 27
  • 114
  • 156
user1264579
  • 75
  • 1
  • 4

2 Answers2

9

It is just as safe as compiling C++ to ASM. It CAN be reverse engineered or understood by careful reading and logic, and can be edited to, for example, add 10 coins instead of 5 very easily. However, it takes a long time to understand even a short piece of the byte code, and the original source code could only be re-written by hand. The variables names and such would be unrecoverable in most cases.

In other words, PHP is the pizza recipe, the bytecode is the hot fresh pizza. You COULD find out the original recipe but it would take very long, be very difficult, and you would not know that the chef nicknamed pepperoni "Roni".

DanRedux
  • 9,119
  • 6
  • 23
  • 41
  • Note, however, that while the bytecode is compiled, it is **not** encrypted. Any strings or other constants are visible in the compiled file, and can be edited with little difficulty. –  Apr 17 '12 at 23:28
  • 2
    That was what I meant when I said a "5" could easily be turned into a "10". – DanRedux Apr 17 '12 at 23:28
  • Does that mean that any compiler that changes PHP into bytecode is going to be just as "safe" (what you describe is appropriate/satisfactory for me) as any other? – user1264579 Apr 18 '12 at 00:54
  • @user1264579: No. Some other PHP bytecode obfuscators (e.g, Zend Guard, Ioncube, *etc*) do encrypt the bytecode and data such that it cannot be easily disassembled or modified. –  Apr 18 '12 at 04:36
  • @duskwuff Could one approximate those others by using an obfuscator first and then compiling with bcompiler? (I'm not sure if there are any free/OSS obfuscators though) – user1264579 Apr 18 '12 at 08:35
  • 1
    Not very well. Most of the effects of a source code obfuscator (e.g, changed variable names, unnecessary hex escaping, removed whitespace/comments) are lost when compiling anyway; more complex runtime obfuscators generally have a significant performance impact. –  Apr 18 '12 at 10:15
  • While the bytecode can be edited (e.g. 10 pizzas instead of 5), what about algorithms? How hard is it to discern those from the bytecode? Thanks! – user1264579 Apr 18 '12 at 21:17
  • 1
    Very hard. Only those very experienced in ASM or equivalent bytecode experience could decipher them, especially complex algorithms. They are harder to read/write by a huge factor than PHP. In fact, even the constants are much harder to change as it's not so obvious what that constant does, but an entire algorithm would be close to impossible to decipher. – DanRedux Apr 19 '12 at 05:26
1

Bcompiler is now decompiled, see the link (registration is required)!

However check the archived version.

The files are called: ModeBIphp53Updated2.rar, ModeBIphp52ts.rar and MMcache+EA.rar.

kenorb
  • 155,785
  • 88
  • 678
  • 743
user956584
  • 5,316
  • 3
  • 40
  • 50