0

We are considering offering a small PHP application with all its files encrypted using ionCube encoder.

Our question is this:

If a customer or a third party has access to a licence file, and thus can deploy and operate the application, is there any way he can get access to the source code?

I think the 'official' answer is no - what I want to know is if there are any 'hackish' methods - if he can actually do it somehow.

  • possible duplicate of [Are Ioncube encoded files decodable by any chance?](http://stackoverflow.com/questions/1917245/are-ioncube-encoded-files-decodable-by-any-chance) – ajreal Dec 05 '11 at 13:44

2 Answers

2

You can reverse engineer anything if you have the know-how. (As I understand it) the license actually has no bearing on whether they can do it in your particular case - the license key is not used to "encrypt" (actually, the code is not "encrypted" as such) the ionCube files.

Any program can be reduced to a set of machine code instructions, then (if you know how) you can build it up to assembler, and from there (again, if you know how) you can translate it into just about any language at any level you want. However, in order to do this you need to have an intimate knowledge of very low level programming, and the kind of people who are capable of doing this (of which I am not one) are highly unlikely to care about your specific application. Unless you are making multiple millions of [insert currency unit here] from your application you are pretty safe.

There are programs that will assist one in doing this, but there is no way to retrieve things like variable/function names so what you end up with is pretty un-readable.

To sum up, you can never be 100% sure that no-one can retrieve the source code of any program built in any language. But you can be 100% sure that it is ridiculously unlikely that anyone will bother to try, and even more unlikely that they would be successful.

DaveRandom
  • Thanks DaveRandom, this is fine, but is too general to answer my question, and I already know that. What I am looking for is if there are any publicly available methods to decode the files - especially provided that the licence exists - which means that the files are actually legitimately decoded at runtime by the server. – frustrated_george Dec 05 '11 at 13:59
  • @frustrated_george While they are decoded at runtime, they are decoded to PHP byte code, not to human-readable source code files. There may be some tools available to extract the source code (such as [this one](http://dezender.net/) yielded with a Google search...) but I cannot vouch for the efficacy of any of them (or even the existence - that site has the feel of a Phishing scam to me). To be honest, the limited amount of research I have done in this field in the past has told me that if you want to protect your source code PHP is not a good language to work in. – DaveRandom Dec 05 '11 at 14:08
  • @frustrated_george Maybe [HipHop](http://developers.facebook.com/blog/post/358/) will suit your needs? This actually produces a compiled program, not interpretable byte-code, so it would be much harder to reverse engineer. Although it is somewhat situation specific, and is not a one-solution-fits-all approach. – DaveRandom Dec 05 '11 at 14:10
  • @DaveRandom, I feel it deserves mentioning, that bytecode is much, much easier to convert back into readable high level (PHP) language than assembly. – Oleg V. Volkov Sep 01 '12 at 08:53
  • There are free programs around that decrypt ionCube files in around 1/4 of a second, keeping the variable names and function name case intact. – uınbɐɥs Sep 16 '12 at 18:17
1

ionCube, as a quick online search indicates, provides obfuscation and compiling to bytecode. Any high-level language bytecode is much easier to revert back to readable form in the same original language than assembly. Considering that ionCube is a popular enough tool, you can also no longer depend on "nobody bothered to study it" thinking and can be pretty sure that even its obfuscation has been studied, and that good places to dump the bytecode at runtime, when it is already deobfuscated, have been found as well.

Therefore, yes, it is possible to decrypt encoded files, and everything depends on whether it is worth bothering to do that instead of obtaining them from you the "legal" way, and on whether you can force legal action for this or not.

Oleg V. Volkov