
Is there a way to locate PHP files within a source tree that have been encoded using Zend Guard?

There are existing questions about attempting to decode Zend-encoded files, but I've inherited a large PHP app that must be using a Zend-encoded file somewhere in some remote library because I keep getting the following output in my application's error log:

```
//Copyright UserScape, Inc. 2005-2008

<html><body>
<a href="http://www.zend.com/products/zend_guard">
<img border="0" src="http://www.zend.com/images/store/safeguard_optimizer_img.gif" align="right">
</a>
<center><h1>Zend Optimizer not installed</h1></center>
<p>This file was encoded by the
<a href="http://www.zend.com/products/zend_guard">Zend Guard</a>. 
In order to run it, please install the 
<a href="http://www.zend.com/products/zend_optimizer">Zend Optimizer</a> 
(available without charge), version 3.0.0 or later. </p>
<h2>Seeing this message instead of the website you expected?</h2>
This means that this webserver is not configured correctly. 
In order to view this website properly, please contact the 
website's system administrator/webmaster with the following 
message:<br><br>
<tt>The component "Zend Optimizer" is not installed on the
Web Server and therefore cannot service encoded files. 
Please download and install the Zend Optimizer (available 
without charge) on the Web Server.</tt><br><br>
<b>Note</b>: Zend Technologies cannot resolve issues related
to this message appearing on websites not belonging to 
<a href="http://www.zend.com">Zend Technologies</a>. 
<h2>What is the Zend Optimizer?</h2>
<p>The Zend Optimizer is one of the most popular PHP plugins 
for performance-improvement, and has been available without 
charge, since the early days of PHP 4. It improves performance 
by scanning PHP's intermediate code and passing it through 
multiple Optimization Passes to replace inefficient code 
patterns with more efficient code blocks. The replaced code 
blocks perform exactly the same operations as the original 
code, only faster. </p>
<p>In addition to improving performance, the Zend Optimizer 
also enables PHP to transparently load files encoded by the 
Zend Guard. </p>
<p>The Zend Optimizer is a free product available for download 
from <a href="http://www.zend.com">Zend Technologies</a>. 
Zend Technologies also developed the PHP scripting engine, 
known as the <a href="http://www.zend.com/products/zend_engine">Zend Engine</a>.</p>
</body></html>
```

I have no idea where this file is in the app! I've been unable to locate any information on characteristics of files that have been encoded by Zend Guard, so I don't know what to search the filesystem for. Google has been unhelpful. Simple greps for "userscape", "helpspot" (apparently a product of UserScape) and even "zend" come up blank.

EDIT: However, according to the FAQ Zend Guard uses public key crypto, so I'm fairly sure the files won't have any recognizable PHP code in them anyway.


Is there a generic way to locate Zend Guard-encoded PHP files in a filesystem? Are there common properties of the files that are searchable?

  • Without knowing exactly how it obfuscates the file, I can't be sure, but I'd suggest grepping for things like `eval`, `preg_replace /e`, and `base64_decode` – andrewsi Jun 19 '13 at 16:51
  • Good thinking, unfortunately `eval` only returns a ton of [SimpleTest](http://www.simpletest.org/) and Javascript hits. – beporter Jun 19 '13 at 17:00
  • Do you get anything with the others? You can also do something like `grep -r eval * | grep php` to recursively look for files containing `eval`, and then grep the results for php - that might help skip the javascript. – andrewsi Jun 19 '13 at 17:03
  • Nothing of consequence. My (limited) understanding of Zend Optimizer is that you have to have a PHP extension installed in order to process these files, so I doubt there is anything detectable at the source code level. In other words, I expect the file to be complete gibberish in a plain text editor. I'm pretty sure what I need is help identifying some common characteristic of those files. I mean, the Optimizer must have a way of recognizing them. – beporter Jun 19 '13 at 17:09
  • According to [the FAQ](http://www.zend.com/en/products/guard/faq#faq4), Zend Guard uses [public key crypto](http://en.wikipedia.org/wiki/Public-key_cryptography), so I'm even more sure the files won't have any recognizable PHP code in them. – beporter Jun 19 '13 at 17:14
  • Ah, I'd not realised that they obfuscated quite that much. And of course for you to be able to figure out the characteristics of your file, you'd need to know where it was already. I guess you could always download Zend Guard and install it? – andrewsi Jun 19 '13 at 17:15

1 Answer

I believe most Zend Optimizer encoded files will begin with a header resembling:

```
<?php @Zend;
```

They will also contain all of the text that you're seeing in the error message, including the words "Zend Optimizer". So you can just search for that. :)

  • The question already states that a project-wide search for "zend" returns no results. Searching for "@Zend" likewise returns no results. Can you point to any public examples of Zend-encoded files to substantiate your assertion? – beporter Jun 27 '13 at 13:20
  • @beporter: [Here's one example](https://gist.github.com/duskwuff/080b474bf423a4a0b852). ([source](http://www.webhostingtalk.com/showthread.php?t=485880)) –  Jun 27 '13 at 14:57
  • Yep, that sure does look a lot like the output I'm seeing in the log. In desperation, I ran the grep on the server's entire filesystem and found "helpspot" files in a completely different Apache vhost folder! That solves THIS question, but the mystery of how these files are adding entries to my app's logs remains (as a completely different issue of course). Thanks! – beporter Jun 27 '13 at 15:05
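
As an added example (not part of the original thread), the two markers named in the answer can be turned into a filesystem scan that reports which marker matched. The function names and the sample files are hypothetical, and the sample contents are constructed stand-ins rather than real Zend Guard output.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists files that look
# Zend Guard-encoded using the two markers named in the answer:
#   header   - "<?php @Zend;" near the start of the file
#   fallback - the embedded "Zend Optimizer not installed" page text
find_zend_encoded() {
    # $1 = directory to scan. No *.php filter: included files may use
    # any extension, and the encoded file may live outside the app's tree.
    find "$1" -type f -exec sh -c '
        for f do
            # LC_ALL=C and -a make grep treat the binary payload as bytes.
            if head -c 64 "$f" | LC_ALL=C grep -aqF "<?php @Zend;"; then
                printf "%s\theader\n" "$f"
            elif LC_ALL=C grep -aqF "Zend Optimizer not installed" "$f"; then
                printf "%s\tfallback\n" "$f"
            fi
        done
    ' sh {} +
}

# Constructed sample tree (stand-ins, not real Zend Guard output).
demo_zend_scan() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app/lib" "$d/othervhost"
    printf '<?php @Zend;\n\001\002\003 constructed opaque bytes\n' \
        > "$d/othervhost/admin.php"
    printf '<?php\n?><h1>Zend Optimizer not installed</h1>\n' \
        > "$d/app/lib/loader.inc"
    printf '<?php echo "plain source";\n' > "$d/app/index.php"
    # Print paths relative to the sample root, in a stable order.
    find_zend_encoded "$d" | sed "s|^$d/||" | sort
    rm -rf "$d"
}

demo_zend_scan
```

Point `find_zend_encoded` at the web server's document roots rather than a single application directory, since the file in this thread turned up under a different vhost.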