Under pure PHP we can use something like ioncube/else with obfuscation. Under pre-HHVM we can use already compiled code without sources. But under current HHVM can we somehow hide our sources?
1 Answer
@paulbliss:
You could compile a bytecode repository and run that, but it's not something that would be difficult to reverse engineer. ... There isn't any great documentation on building repos. The wrapper script in tools/hhvm_wrapper.php has some useful shortcuts, you can look at the help options. There really isn't a great option for obfuscation, but repo-authoritative is probably your best bet as it will do some optimizations on top of the bytecode.
@see https://github.com/facebook/hhvm/issues/4929#issuecomment-76751039
howto
Ini settings for hhvm and its server: https://github.com/facebook/hhvm/wiki/INI-Settings
Complete shell that compiles, removes sources and runs from the optimized repo: https://gist.github.com/garex/b0fa539903746e67ad6c
So as a workaround you can keep the compiled sources under the root user but run the hh server under www-data. So even if an attacker breaks in through the web, they will not see the sources there.

- Existing options for obfuscating PHP source will work on HHVM too. AFAIK though, all of the "compiled source" options for PHP are really just bytecode caches same as recommended above, and are equally reverse engineer-able. You can obfuscate, but there really isn't a way to totally hide your source, under either the PHP or HHVM runtime. – Josh Watzman Mar 03 '15 at 05:26
- @JoshWatzman what about the pre-hhvm option that is like an AOT compiler (I mean hhpc)? – gaRex Mar 03 '15 at 05:29
- The AOT compiler that predated HHVM, now called HPHPc, is long dead. – Josh Watzman Mar 04 '15 at 04:16
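
A post-deploy check for the layout the answer describes (sources removed, compiled repo kept under root), added here as an example and not taken from the linked gist or from HHVM itself. The function names, the extension list and the paths passed in are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit a deployment that runs from a compiled repo.
# All names and paths are assumptions, not HHVM defaults.

# Print any PHP/Hack source files still present under the docroot.
leftover_sources() {
    find "$1" -type f \( -name '*.php' -o -name '*.hh' -o -name '*.inc' \) -print
}

# Succeed only if the repo file is owned by $2 (default root) and
# carries no group/other permission bits.
repo_is_private() {
    repo=$1; owner=${2:-root}
    [ -f "$repo" ] || return 1
    set -- $(stat -c '%U %a' "$repo")   # GNU stat: owner name, octal mode
    [ "$1" = "$owner" ] || return 1
    case "$2" in
        0|?00|??00) return 0 ;;         # e.g. 0, 400, 600, 4600
        *)          return 1 ;;         # any group/other bit set
    esac
}

# Run both checks and report; returns non-zero if either fails.
audit_deploy() {
    docroot=$1; repo=$2; owner=${3:-root}; rc=0
    left=$(leftover_sources "$docroot")
    if [ -n "$left" ]; then
        echo "FAIL: source files still deployed:"; echo "$left"; rc=1
    fi
    if ! repo_is_private "$repo" "$owner"; then
        echo "FAIL: $repo must be owned by $owner with no group/other access"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no sources under $docroot, $repo is private to $owner"
    fi
    return "$rc"
}

# Usage: sh audit.sh <docroot> <repo-file> [owner]
if [ "$#" -ge 2 ]; then audit_deploy "$@"; fi
```

As the answer and comments note, the repo is still reverse-engineerable bytecode, so this only confirms that the web-facing account cannot read it or the original sources.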