
Debunking PHPLockIt

A prime example of the dangers in security through obscurity


I recently ran into an occurrence of an application called "PHPLockit". It supposedly hides your PHP code in a tangled mess of compression and encryption, allowing it to both run perfectly normally as well as hide its source code from whoever may be running it. Naturally, this seemed like a prime example of relying on security through obscurity, because it shouldn't be possible for the PHP code to run without having, well, the PHP code. The site lists this program as a one-time fee of $29.99 USD, so on the other hand I figured there might possibly be some merit to it. I started tinkering with some of the "protected" code I had come across.


It's quite lengthy, so you can find the code here


It's quite the jumbled mess, isn't it? PHPLockIt also apparently obfuscates variable names with replacement mixtures of zeroes and capital "O"s, which makes finding your way through it a little messy when the code really gets deep. The second line of the program doesn't immediately appear to be executed, because PHP calls "return;" beforehand; however, the first line will give us a place to start.



$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=3996;eval(gzuncompress(base64_decode('eNplj1dvwjAAhP9MpNgiCJMFUZQH9sbs9VJlOAOysDMgv76gVm2l6u7pdPdJx2GEEH4JGW6SkhhwGOOvQOCpxUO99IOQgHqdw+/i29D1SMYA9zMVmkiUof4vlpGmQv1F/F4aXpXHdhKllDAGLJMRVf5wiJ04BLCMZhS4lJjOX4QiqVDg74NaT0xKzB5mF1V+sBydVkdNKmZUvqX9q3IZW20nm+d2PDx0mm4YNZ7rnbfdkPNkul+0VIMX+E631x8MR+PJdDZfLPFqvdnu9ofj6XwxLdshrucH11sYxUl6pyzLi/LxrFBTlGRFbbW1WoOHEOqkMEPwewjqn85iXyI=')));return;?>


It sets three variables at the start: the location of the script, the current line number in the file, and the number 3996. It then decodes some base64-encoded data, uncompresses it, and runs the result. I decided to replace eval() with var_dump(), so we can see what it is about to run instead.



string(320) "$O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);$OO00O00O0=gzuncompress(base64_decode(strtr(fread($O000O0O00,536),'qE+C2owOsxaB0zhiNGXPW93vKr4kpDj5ZHb8dtLucnFVA1flm/yQTgSReYIJUM76=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);"


The code above, when executed, opens itself for reading, skips ahead past the first line, reads the next 536 bytes into memory, and replaces each character of 'qE+C2owOsxaB0zhiNGXPW93vKr4kpDj5ZHb8dtLucnFVA1flm/yQTgSReYIJUM76='
with the character at the same position in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'.
It then takes that data and decodes it as base64 before decompressing, just like earlier. Once that is finished, it again executes the resulting text. The var_dump() output of the next level of code is shown below.



string(548) "if(!function_exists('gzuncompress'))die('The PHP zlib module is required to run this script. Please see http://www.php.net/manual/en/ref.zlib.php');if(time()>1207008000)die('This script has expired.');$OO00O00O0=ereg_replace('__FILE__',"'".$OOO0O0O00."'",gzuncompress(base64_decode(strtr(fread($O000O0O00,$OO00O0000),'qE+C2owOsxaB0zhiNGXPW93vKr4kpDj5ZHb8dtLucnFVA1flm/yQTgSReYIJUM76=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'))));fclose($O000O0O00);eval($OO00O00O0);"


Interestingly enough, it now checks for the function gzuncompress(), and halts execution if it is missing. This is a rather useless check, as the program has already called gzuncompress() twice by this point and could not have reached the check without both calls succeeding. The website boasts of the ability to forcefully stop execution of the file after a specified date, and in this code we can see the method he used to achieve this. It simply takes the time() of the PHP server and compares it to a value presumably set by the user who "encrypted" this PHP file. This can be easily maneuvered around by either changing your system time, or completely removing the check from the code altogether.


After that, the code (yet again) maps each character of the custom alphabet to the corresponding character of the standard one, and then passes that data through a base64 decode and decompression. Finally, we have our resulting code in the clear. It searches the code, replaces all instances of "__FILE__" with the current filename, and executes it.
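The whole unwrapping chain from the loader down to the final stage, as an added example that is neither PHPLockIt's code nor the decoder promised at the end of this post: a Python script that emulates the loader's reads statically, with no eval() anywhere, using the strtr() alphabet and the expiry timestamp copied from the stages above. Python's zlib.decompress() stands in for PHP's gzuncompress(), which uses the same zlib framing. The sample locked file, its byte counts, and the function names are constructed for this demo; the layout it assumes (loader on line one, the blobs following back to back) is the one the stages above show.

```python
"""Static unwrapper for PHPLockIt-style layers (added example, not the tool's code)."""
import base64
import re
import zlib
from datetime import datetime, timezone

# Alphabet pair copied from the loader's strtr() call above.
LOCKIT_ALPHABET = "qE+C2owOsxaB0zhiNGXPW93vKr4kpDj5ZHb8dtLucnFVA1flm/yQTgSReYIJUM76="
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# PHP's strtr($s, $from, $to) ignores the surplus characters of the longer
# string, so the trailing '=' maps to itself and base64 padding survives.
_TO_STD = str.maketrans(LOCKIT_ALPHABET[:64], STD_ALPHABET)
_TO_LOCKIT = str.maketrans(STD_ALPHABET, LOCKIT_ALPHABET[:64])


def unwrap_layer(blob: str) -> str:
    """strtr -> base64_decode -> gzuncompress: the chain each stage feeds to eval()."""
    raw = base64.b64decode(blob.translate(_TO_STD), validate=True)
    return zlib.decompress(raw).decode("utf-8")  # gzuncompress() uses zlib framing


def wrap_layer(code: str) -> str:
    """Inverse chain, used here only to construct a sample file."""
    b64 = base64.b64encode(zlib.compress(code.encode("utf-8"))).decode("ascii")
    return b64.translate(_TO_LOCKIT)


def unwrap_file(text: str, stage_lens: list) -> list:
    """Emulate the loader's reads without executing anything.

    Assumes the layout seen on the page: the loader is line 1 (skipped with
    fgets), and the blobs follow back to back, each read with a hard-coded
    fread() length (536 and 3996 in the sample above). Returns the decoded stages.
    """
    body = text.split("\n", 1)[1]
    stages, pos = [], 0
    for n in stage_lens:
        stages.append(unwrap_layer(body[pos:pos + n]))
        pos += n
    return stages


def expiry_of(stage: str):
    """Return the time()>N expiry check of a decoded stage as a UTC datetime, or None."""
    m = re.search(r"time\(\)>(\d+)", stage)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


# Constructed sample file (not produced by PHPLockIt): a stand-in loader line,
# then a second stage carrying the expiry value seen on the page, then the payload.
SAMPLE_SOURCE = "<?php echo 'hello from the locked script'; ?>"
_STAGE2 = wrap_layer("if(time()>1207008000)die('This script has expired.');eval($OO00O00O0);")
_PAYLOAD = wrap_layer(SAMPLE_SOURCE)
SAMPLE_FILE = "<?php /* loader stand-in */ return; ?>\n" + _STAGE2 + _PAYLOAD
SAMPLE_LENS = [len(_STAGE2), len(_PAYLOAD)]


def demo() -> list:
    """Unwrap the constructed sample; stage 2 shows the expiry check, stage 3 the source."""
    return unwrap_file(SAMPLE_FILE, SAMPLE_LENS)


if __name__ == "__main__":
    for number, stage in enumerate(demo(), start=2):
        print(f"--- stage {number} ---\n{stage}")
        when = expiry_of(stage)
        if when is not None:
            print(f"    dies after {when.isoformat()}")
```

Because nothing is executed, the expiry check and the gzuncompress() probe are simply text in the recovered stage; the script reports the timestamp (1207008000 on the page decodes to 2008-04-01 UTC) rather than obeying it, which is all a reviewer needs to see that the "expiry" is a plain comparison in the clear. On a real file, the two fread() lengths come straight out of the loader line, so a wrapper around unwrap_file() only needs a small regex to pull them out.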


Here is the final code, completely in the clear, with all of its "encryption" removed: link.


Unfortunately, this method of obfuscation is somewhere along the lines of 3rd graders who pass notes. It could possibly pass as an amateur cryptography experiment for someone new to coding. But seeing this presented with the acclaimed level of unbreakable security and false professionalism that the creator of the application boasts? It's almost painful to envision people paying good money for this "product", to be brutally honest.


Either way, I quite enjoyed playing with it for a little while. I hope the writeup kept you reasonably entertained as well :)

In the next week or so I will upload a web app to decode PHPLockIt-encoded files, in case anyone might need to decode some that they have come across.



